IBM Cloud Docs
4.16 compliance operator benchmark

4.16 compliance operator benchmark

Review the compliance operator benchmark results for Red Hat OpenShift on IBM Cloud version 4.16.

1 Control plane components

1.1 Master node configuration files

The master node configuration is not stored as a set of files; therefore, rules in section 1.1 are out of the scope of the automated check by the compliance operator.

1.2 API server

Section 1.2 Benchmarks for api server.
Section Recommendation Manual/Automated Level Result
1.2.1 Ensure that anonymous requests are authorized. Manual 1 Pass
1.2.2 Ensure that the --basic-auth-file argument is not set. Automated 1 Pass
1.2.3 Ensure that the --token-auth-file parameter is not set. Automated 1 Pass
1.2.4 Use https for kubelet connections. Automated 1 Pass
1.2.5 Ensure that the kubelet uses certificates to authenticate. Automated 1 Not checked
1.2.6 Verify that the kubelet certificate authority is set as appropriate. Automated 1 Pass
1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow. Automated 1 Pass
1.2.8 Verify that the Node authorizer is enabled. Automated 1 Pass
1.2.9 Verify that RBAC is enabled. Automated 1 Pass
1.2.10 Ensure that the APIPriorityAndFairness feature gate is enabled. Manual 1 Pass
1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set. Automated 1 Pass
1.2.12 Ensure that the admission control plugin AlwaysPullImages is not set. Manual 1 Pass
1.2.13 Ensure that the admission control plugin SecurityContextDeny is not set. Manual 1 Pass
1.2.14 Ensure that the admission control plugin ServiceAccount is set. Automated 1 Pass
1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set. Automated 1 Pass
1.2.16 Ensure that the admission control plugin SecurityContextConstraint is set. Automated 1 Pass
1.2.17 Ensure that the admission control plugin NodeRestriction is set. Automated 1 Pass
1.2.18 Ensure that the --insecure-bind-address argument is not set. Automated 1 Pass
1.2.19 Ensure that the --insecure-port argument is set to 0. Automated 1 Not checked
1.2.20 Ensure that the --secure-port argument is not set to 0. Automated 1 Pass
1.2.21 Ensure that the healthz endpoint is protected by RBAC. Automated 1 Pass
1.2.22 Ensure that the --audit-log-path argument is set. Automated 1 Pass
1.2.23 Ensure that the audit logs are forwarded off the cluster for retention. Automated 1 Not checked
1.2.24 Ensure that the maximumRetainedFiles argument is set to 10 or as appropriate. Automated 1 Not checked
1.2.25 Ensure that the maximumFileSizeMegabytes argument is set to 100 or as appropriate. Automated 1 Not checked
1.2.26 Ensure that the --request-timeout argument is set as appropriate. Automated 1 Pass
1.2.27 Ensure that the --service-account-lookup argument is set to true. Automated 1 Pass
1.2.28 Ensure that the --service-account-key-file argument is set as appropriate. Automated 1 Pass
1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate. Automated 1 Pass
1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate. Automated 1 Pass
1.2.31 Ensure that the --client-ca-file argument is set as appropriate. Automated 1 Pass
1.2.32 Ensure that the --etcd-cafile argument is set as appropriate. Automated 1 Pass
1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate. Manual 1 Not checked
1.2.34 Ensure that encryption providers are appropriately configured. Manual 1 Not checked
1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers. Manual 1 Pass

1.3 Controller manager

Section 1.3 Benchmarks for controller manager.
Section Recommendation Manual/Automated Level Result
1.3.1 Ensure that garbage collection is configured as appropriate. Manual 1 Not checked
1.3.2 Ensure that controller manager healthz endpoints are protected by RBAC. Automated 1 Pass
1.3.3 Ensure that the --use-service-account-credentials argument is set to true. Automated 1 Pass
1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate. Automated 1 Pass
1.3.5 Ensure that the --root-ca-file argument is set as appropriate. Automated 1 Pass
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true. Automated 2 Pass
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1. Automated 1 Pass

1.4 Scheduler

Section 1.4 Benchmarks for scheduler.
Section Recommendation Manual/Automated Level Result
1.4.1 Ensure that the healthz endpoints for the scheduler are protected by RBAC. Automated 1 Pass
1.4.2 Verify that the scheduler API service is protected by authentication and authorization. Automated 1 Pass

2 etcd

Section 2 Benchmarks for etcd.
Section Recommendation Manual/Automated Level Result
2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate. Automated 1 Pass
2.2 Ensure that the --client-cert-auth argument is set to true. Automated 1 Pass
2.3 Ensure that the --auto-tls argument is not set to true. Automated 1 Pass
2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate. Automated 1 Pass
2.5 Ensure that the --peer-client-cert-auth argument is set to true. Automated 1 Pass
2.6 Ensure that the --peer-auto-tls argument is not set to true. Automated 1 Pass
2.7 Ensure that a unique Certificate Authority is used for etcd. Manual 2 Not checked

3 Control plane configuration

3.1 Authentication and authorization

Section 3.1 Benchmarks for authentication and authorization.
Section Recommendation Manual/Automated Level Result
3.1.1 Client certificate authentication should not be used for users. Manual 2 Pass

3.2 Logging

Section 3.2 Benchmarks for logging.
Section Recommendation Manual/Automated Level Result
3.2.1 Ensure that a minimal audit policy is created. Automated 1 Pass
3.2.2 Ensure that the audit policy covers key security concerns. Manual 2 Pass

4 Worker nodes

Please follow the instruction in Using the compliance operator to perform automated check for worker node configuration.

5 Policies

5.1 RBAC and service accounts

Section 5.1 Benchmarks for rbac and service accounts.
Section Recommendation Manual/Automated Level Result
5.1.1 Ensure that the cluster-admin role is only used where required. Manual 1 Pass
5.1.2 Minimize access to secrets. Manual 1 Not checked
5.1.3 Minimize wildcard use in Roles and ClusterRoles. Manual 1 Not checked
5.1.4 Minimize access to create pods. Manual 1 Not checked
5.1.5 Ensure that default service accounts are not actively used. Automated 1 Not checked
5.1.6 Ensure that Service Account Tokens are only mounted where necessary. Manual 1 Not checked

5.2 Pod security policies

Section 5.2 Benchmarks for pod security policies.
Section Recommendation Manual/Automated Level Result
5.2.1 Minimize the admission of privileged containers. Manual 1 Not checked
5.2.2 Minimize the admission of containers wishing to share the host process ID namespace. Automated 1 Not checked
5.2.3 Minimize the admission of containers wishing to share the host IPC namespace. Automated 1 Not checked
5.2.4 Minimize the admission of containers wishing to share the host network namespace. Automated 1 Not checked
5.2.5 Minimize the admission of containers with allowPrivilegeEscalation. Automated 1 Not checked
5.2.6 Minimize the admission of root containers. Manual 2 Not checked
5.2.7 Minimize the admission of containers with the NET_RAW capability. Manual 1 Not checked
5.2.8 Minimize the admission of containers with added capabilities. Manual 1 Not checked
5.2.9 Minimize the admission of containers with capabilities assigned. Manual 2 Not checked

5.3 Network policies and CNI

Section 5.3 Benchmarks for network policies and cni.
Section Recommendation Manual/Automated Level Result
5.3.1 Ensure that the CNI in use supports Network Policies. Manual 1 Pass
5.3.2 Ensure that all Namespaces have Network Policies define. Automated 2 Not checked

5.4 Secrets management

Section 5.4 Benchmarks for secrets management.
Section Recommendation Manual/Automated Level Result
5.4.1 Prefer using secrets as files over secrets as environment variable. Manual 1 Not checked
5.4.2 Consider external secret storage. Manual 2 Not checked

5.5 Extensible admission control

Section 5.5 Benchmarks for extensible admission control.
Section Recommendation Manual/Automated Level Result
5.5.1 Configure Image Provenance using image controller configuration parameter. Manual 2 Not checked

5.7 General policies

Section 5.7 Benchmarks for general policies.
Section Recommendation Manual/Automated Level Result
5.7.1 Create administrative boundaries between resources using namespace. Manual 1 Not checked
5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definition. Manual 2 Not checked
5.7.3 Apply Security Context to Your Pods and Container. Manual 2 Not checked
5.7.4 The default namespace should not be use. Automated 2 Not checked

Remediations and explanations

Review information from IBM on the CIS Benchmark results.

Remediations and explanations.
Section Recommendation/Explanation
1.2.23 Red Hat OpenShift on IBM Cloud can optionally enable Kubernetes API server auditing.
1.2.24 Red Hat OpenShift on IBM Cloud sets the maximumRetainedFiles argument to 1.
1.2.25 Red Hat OpenShift on IBM Cloud sets the maximumFileSizeMegabytes argument to 10.
1.2.33 Red Hat OpenShift on IBM Cloud can optionally enable a Kubernetes Key Management Service (KMS) provider.
1.2.34 Red Hat OpenShift on IBM Cloud can optionally enable a Kubernetes Key Management Service (KMS) provider.
2.7 Red Hat OpenShift on IBM Cloud configures a unique Certificate Authority for etcd.
5.2.8 Red Hat OpenShift on IBM Cloud installs custom SCCs.
5.3.2 Red Hat OpenShift on IBM Cloud has a set of default Calico network policies defined and additional network policies can optionally be added.