4.16 CIS Kubernetes Benchmark
1 Master Node Security Configuration
1.1 Master Node Configuration Files
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 1.1.1 | Ensure that the API server pod specification file permissions are set to 644 or more restrictive | Scored | 1 | Pass | IBM |
| 1.1.2 | Ensure that the API server pod specification file ownership is set to root:root | Scored | 1 | Pass | IBM |
| 1.1.3 | Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive | Scored | 1 | Pass | IBM |
| 1.1.4 | Ensure that the controller manager pod specification file ownership is set to root:root | Scored | 1 | Pass | IBM |
| 1.1.5 | Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive | Scored | 1 | Pass | IBM |
| 1.1.6 | Ensure that the scheduler pod specification file ownership is set to root:root | Scored | 1 | Pass | IBM |
| 1.1.7 | Ensure that the etcd pod specification file permissions are set to 644 or more restrictive | Scored | 1 | Pass | IBM |
| 1.1.8 | Ensure that the etcd pod specification file ownership is set to root:root | Scored | 1 | Pass | IBM |
| 1.1.9 | Ensure that the Container Network Interface file permissions are set to 644 or more restrictive | Not Scored | 1 | Pass | IBM |
| 1.1.10 | Ensure that the Container Network Interface file ownership is set to root:root | Not Scored | 1 | Pass | IBM |
| 1.1.11 | Ensure that the etcd data directory permissions are set to 700 or more restrictive | Scored | 1 | Pass | IBM |
| 1.1.12 | Ensure that the etcd data directory ownership is set to etcd:etcd | Scored | 1 | Pass | IBM |
| 1.1.13 | Ensure that the admin.conf file permissions are set to 644 or more restrictive | Scored | 1 | Pass | IBM |
| 1.1.14 | Ensure that the admin.conf file ownership is set to root:root | Scored | 1 | Pass | IBM |
| 1.1.15 | Ensure that the scheduler.conf file permissions are set to 644 or more restrictive | Scored | 1 | Pass | IBM |
| 1.1.16 | Ensure that the scheduler.conf file ownership is set to root:root | Scored | 1 | Pass | IBM |
| 1.1.17 | Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive | Scored | 1 | Pass | IBM |
| 1.1.18 | Ensure that the controller-manager.conf file ownership is set to root:root | Scored | 1 | Pass | IBM |
| 1.1.19 | Ensure that the Kubernetes PKI directory and file ownership is set to root:root | Scored | 1 | Pass | IBM |
| 1.1.20 | Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive | Scored | 1 | Pass | IBM |
| 1.1.21 | Ensure that the Kubernetes PKI key file permissions are set to 600 | Scored | 1 | Pass | IBM |
1.2 API Server
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 1.2.1 | Ensure that the --anonymous-auth argument is set to false |
Not Scored | 1 | Fail | IBM |
| 1.2.2 | Ensure that the --basic-auth-file argument is not set |
Scored | 1 | Pass | IBM |
| 1.2.3 | Ensure that the --token-auth-file parameter is not set |
Scored | 1 | Pass | IBM |
| 1.2.4 | Ensure that the --kubelet-https argument is set to true |
Scored | 1 | Pass | IBM |
| 1.2.5 | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.2.6 | Ensure that the --kubelet-certificate-authority argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.2.7 | Ensure that the --authorization-mode argument is not set to AlwaysAllow. |
Scored | 1 | Pass | IBM |
| 1.2.8 | Ensure that the --authorization-mode argument includes Node. |
Scored | 1 | Pass | IBM |
| 1.2.9 | Ensure that the --authorization-mode argument includes RBAC. |
Scored | 1 | Pass | IBM |
| 1.2.10 | Ensure that the admission control plugin EventRateLimit is set. | Not Scored | 1 | Fail | IBM |
| 1.2.11 | Ensure that the admission control plugin AlwaysAdmit is not set. | Scored | 1 | Pass | IBM |
| 1.2.12 | Ensure that the admission control plugin AlwaysPullImages is set. | Not Scored | 1 | Fail | IBM |
| 1.2.13 | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used. | Not Scored | 1 | Pass | IBM |
| 1.2.14 | Ensure that the admission control plugin ServiceAccount is set. | Scored | 1 | Pass | IBM |
| 1.2.15 | Ensure that the admission control plugin NamespaceLifecycle is set. | Scored | 1 | Pass | IBM |
| 1.2.16 | Ensure that the admission control plugin PodSecurityPolicy is set. | Scored | 1 | Pass | IBM |
| 1.2.17 | Ensure that the admission control plugin NodeRestriction is set. | Scored | 1 | Pass | IBM |
| 1.2.18 | Ensure that the --insecure-bind-address argument is not set. |
Scored | 1 | Pass | IBM |
| 1.2.19 | Ensure that the --insecure-port argument is set to 0. |
Scored | 1 | Pass | IBM |
| 1.2.20 | Ensure that the --secure-port argument is not set to 0. |
Scored | 1 | Pass | IBM |
| 1.2.21 | Ensure that the --profiling argument is set to false. |
Scored | 1 | Pass | IBM |
| 1.2.22 | Ensure that the --audit-log-path argument is set. |
Scored | 1 | Fail | Shared |
| 1.2.23 | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate. |
Scored | 1 | Fail | Shared |
| 1.2.24 | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate. |
Scored | 1 | Fail | Shared |
| 1.2.25 | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate. |
Scored | 1 | Fail | Shared |
| 1.2.26 | Ensure that the --request-timeout argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.2.27 | Ensure that the --service-account-lookup argument is set to true. |
Scored | 1 | Pass | IBM |
| 1.2.28 | Ensure that the --service-account-key-file argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.2.29 | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.2.30 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.2.31 | Ensure that the --client-ca-file argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.2.32 | Ensure that the --etcd-cafile argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.2.33 | Ensure that the --encryption-provider-config argument is set as appropriate. |
Scored | 1 | Fail | Shared |
| 1.2.34 | Ensure that encryption providers are appropriately configured. | Scored | 1 | Fail | Shared |
| 1.2.35 | Ensure that the API Server only makes use of Strong Cryptographic Ciphers. | Not Scored | 1 | Pass | IBM |
1.3 Controller Manager
| Section | Recommendation | Scored / Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 1.3.1 | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.3.2 | Ensure that the --profiling argument is set to false. |
Scored | 1 | Pass | IBM |
| 1.3.3 | Ensure that the --use-service-account-credentials argument is set to true. |
Scored | 1 | Pass | IBM |
| 1.3.4 | Ensure that the --service-account-private-key-file argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.3.5 | Ensure that the --root-ca-file argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set to true. | Scored | 2 | Pass | IBM |
| 1.3.7 | Ensure that the --bind-address argument is set to 127.0.0.1. |
Scored | 1 | Pass | IBM |
1.4 Scheduler
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 1.4.1 | Ensure that the --profiling argument is set to false. |
Scored | 1 | Pass | IBM |
| 1.4.2 | Ensure that the --bind-address argument is set to 127.0.0.1. |
Scored | 1 | Pass | IBM |
2 Etcd Node Configuration
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 2.1 | Ensure that the --cert-file and --key-file arguments are set as appropriate. |
Scored | 1 | Pass | IBM |
| 2.2 | Ensure that the --client-cert-auth argument is set to true. |
Scored | 1 | Pass | IBM |
| 2.3 | Ensure that the --auto-tls argument is not set to true. |
Scored | 1 | Pass | IBM |
| 2.4 | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate. |
Scored | 1 | Pass | IBM |
| 2.5 | Ensure that the --peer-client-cert-auth argument is set to true. |
Scored | 1 | Pass | IBM |
| 2.6 | Ensure that the --peer-auto-tls argument is not set to true. |
Scored | 1 | Pass | IBM |
| 2.7 | Ensure that a unique Certificate Authority is used for etcd. | Not Scored | 2 | Pass | IBM |
3 Control Plane Configuration
3.1 Authentication and Authorization
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 3.1.1 | Client certificate authentication should not be used for users. | Not Scored | 2 | Pass | Shared |
3.2 Logging
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 3.2.1 | Ensure that a minimal audit policy is created. | Scored | 1 | Fail | Shared |
| 3.2.2 | Ensure that the audit policy covers key security concerns. | Not Scored | 2 | Fail | Shared |
4 Worker Node Security Configuration (REDHAT_8_64)
4.1 Worker Node Configuration Files
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 4.1.1 | Ensure that the kubelet service file permissions are set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.2 | Ensure that the kubelet service file ownership is set to root:root. | Scored | 1 | Pass | IBM |
| 4.1.3 | Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.4 | Ensure that the proxy kubeconfig file ownership is set to root:root. | Scored | 1 | Pass | IBM |
| 4.1.5 | Ensure that the kubelet.conf file permissions are set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.6 | Ensure that the kubelet.conf file ownership is set to root:root. | Scored | 1 | Pass | IBM |
| 4.1.7 | Ensure that the certificate authorities file permissions are set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.8 | Ensure that the client certificate authorities file ownership is set to root:root. | Scored | 1 | Pass | IBM |
| 4.1.9 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.10 | Ensure that the kubelet configuration file ownership is set to root:root. | Scored | 1 | Pass | IBM |
4.2 Kubelet
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 4.2.1 | Ensure that the --anonymous-auth argument is set to false. |
Scored | 1 | Pass | IBM |
| 4.2.2 | Ensure that the --authorization-mode argument is not set to AlwaysAllow. |
Scored | 1 | Pass | IBM |
| 4.2.3 | Ensure that the --client-ca-file argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 4.2.4 | Ensure that the --read-only-port argument is set to 0. |
Scored | 1 | Pass | IBM |
| 4.2.5 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0. |
Scored | 1 | Pass | IBM |
| 4.2.6 | Ensure that the --protect-kernel-defaults argument is set to true. |
Scored | 1 | Fail | IBM |
| 4.2.7 | Ensure that the --make-iptables-util-chains argument is set to true. |
Scored | 1 | Pass | IBM |
| 4.2.8 | Ensure that the --hostname-override argument is not set. |
Not Scored | 1 | Fail | IBM |
| 4.2.9 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture. |
Not Scored | 2 | Pass | IBM |
| 4.2.10 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate. |
Scored | 1 | Pass | IBM |
| 4.2.11 | Ensure that the --rotate-certificates argument is not set to false. |
Scored | 1 | Pass | IBM |
| 4.2.12 | Ensure that the RotateKubeletServerCertificate argument is set to true. | Scored | 1 | Pass | IBM |
| 4.2.13 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers. | Not Scored | 1 | Pass | IBM |
4 Worker Node Security Configuration (RHCOS)
4.1 Worker Node Configuration Files
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 4.1.1 | Ensure that the kubelet service file permissions are set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.2 | Ensure that the kubelet service file ownership is set to root:root. | Scored | 1 | Pass | IBM |
| 4.1.3 | Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.4 | Ensure that the proxy kubeconfig file ownership is set to root:root. | Scored | 1 | Pass | IBM |
| 4.1.5 | Ensure that the kubelet.conf file permissions are set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.6 | Ensure that the kubelet.conf file ownership is set to root:root. | Scored | 1 | Pass | IBM |
| 4.1.7 | Ensure that the certificate authorities file permissions are set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.8 | Ensure that the client certificate authorities file ownership is set to root:root. | Scored | 1 | Pass | IBM |
| 4.1.9 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive. | Scored | 1 | Pass | IBM |
| 4.1.10 | Ensure that the kubelet configuration file ownership is set to root:root. | Scored | 1 | Pass | IBM |
4.2 Kubelet
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 4.2.1 | Ensure that the --anonymous-auth argument is set to false. |
Scored | 1 | Pass | IBM |
| 4.2.2 | Ensure that the --authorization-mode argument is not set to AlwaysAllow. |
Scored | 1 | Pass | IBM |
| 4.2.3 | Ensure that the --client-ca-file argument is set as appropriate. |
Scored | 1 | Pass | IBM |
| 4.2.4 | Ensure that the --read-only-port argument is set to 0. |
Scored | 1 | Pass | IBM |
| 4.2.5 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0. |
Scored | 1 | Pass | IBM |
| 4.2.6 | Ensure that the --protect-kernel-defaults argument is set to true. |
Scored | 1 | Pass | IBM |
| 4.2.7 | Ensure that the --make-iptables-util-chains argument is set to true. |
Scored | 1 | Pass | IBM |
| 4.2.8 | Ensure that the --hostname-override argument is not set. |
Not Scored | 1 | Fail | IBM |
| 4.2.9 | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture. |
Not Scored | 2 | Pass | IBM |
| 4.2.10 | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate. |
Scored | 1 | Pass | IBM |
| 4.2.11 | Ensure that the --rotate-certificates argument is not set to false. |
Scored | 1 | Pass | IBM |
| 4.2.12 | Ensure that the RotateKubeletServerCertificate argument is set to true. | Scored | 1 | Pass | IBM |
| 4.2.13 | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers. | Not Scored | 1 | Pass | IBM |
5 Kubernetes Policies
5.1 RBAC and Service Accounts
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 5.1.1 | Ensure that the cluster-admin role is only used where required. | Not Scored | 1 | Pass | Shared |
| 5.1.2 | Minimize access to secrets. | Not Scored | 1 | Fail | Shared |
| 5.1.3 | Minimize wildcard use in Roles and ClusterRoles. | Not Scored | 1 | Fail | Shared |
| 5.1.4 | Minimize access to create pods. | Not Scored | 1 | Pass | Shared |
| 5.1.5 | Ensure that default service accounts are not actively used.. | Scored | 1 | Fail | Shared |
| 5.1.6 | Ensure that Service Account Tokens are only mounted where necessary. | Not Scored | 1 | Fail | Shared |
5.2 Pod Security Policies
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 5.2.1 | Minimize the admission of privileged containers. | Not Scored | 1 | Pass | Shared |
| 5.2.2 | Minimize the admission of containers wishing to share the host process ID namespace. | Scored | 1 | Pass | Shared |
| 5.2.3 | Minimize the admission of containers wishing to share the host IPC namespace. | Scored | 1 | Pass | Shared |
| 5.2.4 | Minimize the admission of containers wishing to share the host network namespace. | Scored | 1 | Pass | Shared |
| 5.2.5 | Minimize the admission of containers with allowPrivilegeEscalation. | Scored | 1 | Pass | Shared |
| 5.2.6 | Minimize the admission of root containers. | Not Scored | 2 | Pass | Shared |
| 5.2.7 | Minimize the admission of containers with the NET_RAW capability. | Not Scored | 1 | Pass | Shared |
| 5.2.8 | Minimize the admission of containers with added capabilities. | Not Scored | 1 | Pass | Shared |
| 5.2.9 | Minimize the admission of containers with capabilities assigned. | Not Scored | 2 | Pass | Shared |
5.3 Network Policies and CNI
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 5.3.1 | Ensure that the CNI in use supports Network Policies. | Not Scored | 1 | Pass | IBM |
| 5.3.2 | Ensure that all Namespaces have Network Policies defined. | Scored | 2 | Fail | Shared |
5.4 Secrets Management
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 5.4.1 | Prefer using secrets as files over secrets as environment variables. | Not Scored | 1 | Fail | Shared |
| 5.4.2 | Consider external secret storage. | Not Scored | 2 | Fail | Shared |
5.5 Extensible Admission Control
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 5.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller. | Not Scored | 2 | Fail | Shared |
5.7 General Policies
| Section | Recommendation | Scored/Not Scored | Level | Result | Responsibility |
|---|---|---|---|---|---|
| 5.7.1 | Create administrative boundaries between resources using namespaces. | Not Scored | 1 | Pass | Shared |
| 5.7.2 | Ensure that the seccomp profile is set to docker/default in your pod definitions. | Not Scored | 2 | Fail | Shared |
| 5.7.3 | Apply Security Context to Your Pods and Containers. | Not Scored | 2 | Fail | Shared |
| 5.7.4 | The default namespace should not be used. | Scored | 2 | Pass | Shared |
IBM remediations and explanations
| Section | Remediation/Explanation |
|---|---|
| 1.2.1 | Red Hat OpenShift on IBM Cloud utilizes RBAC for cluster protection, but allows anonymous discovery, which is considered reasonable per CIS Kubernetes Benchmark. |
| 1.2.10 | Red Hat OpenShift on IBM Cloud does not enable the EventRateLimit admission controller since it is a Kubernetes alpha feature. |
| 1.2.12 | Red Hat OpenShift on IBM Cloud does not enable the AlwaysPullImages admission controller since it overrides a container's imagePullPolicy and may impact performance. |
| 1.2.13 | Red Hat OpenShift on IBM Cloud supports OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 1.2.16 | Red Hat OpenShift on IBM Cloud supports OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 1.2.22 | Red Hat OpenShift on IBM Cloud can optionally enable Kubernetes API server auditing. |
| 1.2.23 | Red Hat OpenShift on IBM Cloud can optionally enable Kubernetes API server auditing. |
| 1.2.24 | Red Hat OpenShift on IBM Cloud can optionally enable Kubernetes API server auditing. |
| 1.2.25 | Red Hat OpenShift on IBM Cloud can optionally enable Kubernetes API server auditing. |
| 1.2.33 | Red Hat OpenShift on IBM Cloud can optionally enable a Kubernetes Key Management Service (KMS) provider. |
| 1.2.34 | Red Hat OpenShift on IBM Cloud can optionally enable a Kubernetes Key Management Service (KMS) provider. |
| 3.2.1 | Red Hat OpenShift on IBM Cloud can optionally enable Kubernetes API server auditing. |
| 3.2.2 | Red Hat OpenShift on IBM Cloud can optionally enable Kubernetes API server auditing. |
| 4.2.6 | Red Hat OpenShift on IBM Cloud does not protect kernel defaults in order to allow customers to tune kernel parameters. |
| 4.2.8 | Red Hat OpenShift on IBM Cloud ensures that the hostname matches the name issued by the infrastructure. |
| 5.1.2 | Red Hat OpenShift on IBM Cloud deploys some system components that could have their Kubernetes secret access further restricted. |
| 5.1.3 | Red Hat OpenShift on IBM Cloud deploys some system components that could have their Kubernetes resource access further restricted. |
| 5.1.5 | Red Hat OpenShift on IBM Cloud does not set automountServiceAccountToken: false for each default service account. |
| 5.1.6 | Red Hat OpenShift on IBM Cloud deploys some system components that could set automountServiceAccountToken: false. |
| 5.2.1 | Red Hat OpenShift on IBM Cloud can optionally configure OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 5.2.2 | Red Hat OpenShift on IBM Cloud can optionally configure OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 5.2.3 | Red Hat OpenShift on IBM Cloud can optionally configure OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 5.2.4 | Red Hat OpenShift on IBM Cloud can optionally configure OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 5.2.5 | Red Hat OpenShift on IBM Cloud can optionally configure OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 5.2.6 | Red Hat OpenShift on IBM Cloud can optionally configure OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 5.2.7 | Red Hat OpenShift on IBM Cloud can optionally configure OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 5.2.8 | Red Hat OpenShift on IBM Cloud can optionally configure OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 5.2.9 | Red Hat OpenShift on IBM Cloud can optionally configure OpenShift security context constraints and Kubernetes pod security admission which are similar to the deprecated Kubernetes pod security policies. |
| 5.3.2 | Red Hat OpenShift on IBM Cloud has a set of default Calico network policies defined and additional network policies can optionally be added. |
| 5.4.1 | Red Hat OpenShift on IBM Cloud deploys some system components that could prefer using secrets as files over secrets as environment variables. |
| 5.4.2 | Red Hat OpenShift on IBM Cloud can optionally enable Secrets Manager service. |
| 5.5.1 | Red Hat OpenShift on IBM Cloud can optionally enable image security enforcement. |
| 5.7.2 | Red Hat OpenShift on IBM Cloud does not annotate all pods with seccomp profiles. |
| 5.7.3 | Red Hat OpenShift on IBM Cloud deploys some system components that do not set a pod or container securityContext. |