
Commit 3349405

Implement CIS OpenShift v1.9.0 section 4
This section is largely the same as version 1.7.0, with one minor wording change to control 4.2.8; otherwise the technical controls are the same.

Assisted-By: Claude Opus 4.6
1 parent 3fe7521 commit 3349405

1 file changed

Lines changed: 191 additions & 0 deletions

controls/cis_ocp_190/section-4.yml
@@ -0,0 +1,191 @@
1+
---
2+
controls:
3+
- id: '4'
4+
title: Worker Nodes
5+
status: pending
6+
rules: []
7+
controls:
8+
- id: '4.1'
9+
title: Worker Node Configuration Files
10+
status: pending
11+
rules: []
12+
controls:
13+
- id: 4.1.1
14+
title: Ensure that the kubelet service file permissions are set to 644 or more restrictive
15+
status: automated
16+
rules:
17+
- file_permissions_worker_service
18+
levels:
19+
- level_1
20+
- id: 4.1.2
21+
title: Ensure that the kubelet service file ownership is set to root:root
22+
status: automated
23+
rules:
24+
- file_owner_worker_service
25+
- file_groupowner_worker_service
26+
levels:
27+
- level_1
28+
- id: 4.1.3
29+
title: If proxy kube proxy configuration file exists ensure permissions are set to
30+
644 or more restrictive
31+
status: automated
32+
rules:
33+
- file_permissions_proxy_kubeconfig
34+
levels:
35+
- level_1
36+
- id: 4.1.4
37+
title: If proxy kubeconfig file exists ensure ownership is set to root:root
38+
status: automated
39+
rules:
40+
- file_owner_proxy_kubeconfig
41+
- file_groupowner_proxy_kubeconfig
42+
levels:
43+
- level_1
44+
- id: 4.1.5
45+
title: Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or
46+
more restrictive
47+
status: automated
48+
rules:
49+
- file_permissions_kubelet_conf
50+
levels:
51+
- level_1
52+
- id: 4.1.6
53+
title: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
54+
status: automated
55+
rules:
56+
- file_groupowner_kubelet_conf
57+
- file_owner_kubelet_conf
58+
#- file_groupowner_kubelet
59+
- file_owner_kubelet
60+
levels:
61+
- level_1
62+
- id: 4.1.7
63+
title: Ensure that the certificate authorities file permissions are set to 644 or more
64+
restrictive
65+
status: automated
66+
rules:
67+
- file_permissions_worker_ca
68+
levels:
69+
- level_1
70+
- id: 4.1.8
71+
title: Ensure that the client certificate authorities file ownership is set to root:root
72+
status: automated
73+
rules:
74+
- file_owner_worker_ca
75+
- file_groupowner_worker_ca
76+
levels:
77+
- level_1
78+
- id: 4.1.9
79+
title: Ensure that the kubelet --config configuration file has permissions set to 600
80+
or more restrictive
81+
status: automated
82+
rules:
83+
- file_permissions_worker_kubeconfig
84+
levels:
85+
- level_1
86+
- id: 4.1.10
87+
title: Ensure that the kubelet configuration file ownership is set to root:root
88+
status: automated
89+
rules:
90+
- file_owner_worker_kubeconfig
91+
- file_groupowner_worker_kubeconfig
92+
levels:
93+
- level_1
94+
- id: '4.2'
95+
title: Kubelet
96+
status: pending
97+
rules: []
98+
controls:
99+
- id: 4.2.1
100+
title: Activate Garbage collection in OpenShift Container Platform 4, as appropriate
101+
status: automated
102+
rules:
103+
- kubelet_eviction_thresholds_set_hard_memory_available
104+
- kubelet_eviction_thresholds_set_hard_nodefs_available
105+
- kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
106+
- kubelet_eviction_thresholds_set_hard_imagefs_available
107+
levels:
108+
- level_1
109+
- id: 4.2.2
110+
title: Ensure that the --anonymous-auth argument is set to false
111+
status: automated
112+
rules:
113+
- kubelet_anonymous_auth
114+
levels:
115+
- level_1
116+
- id: 4.2.3
117+
title: Ensure that the --authorization-mode argument is not set to AlwaysAllow
118+
status: automated
119+
rules:
120+
- kubelet_authorization_mode
121+
levels:
122+
- level_1
123+
- id: 4.2.4
124+
title: Ensure that the --client-ca-file argument is set as appropriate
125+
status: automated
126+
rules:
127+
- kubelet_configure_client_ca
128+
levels:
129+
- level_1
130+
- id: 4.2.5
131+
title: Verify that the read only port is not used or is set to 0
132+
status: automated
133+
rules:
134+
- kubelet_disable_readonly_port
135+
levels:
136+
- level_1
137+
- id: 4.2.6
138+
title: Ensure that the --streaming-connection-idle-timeout argument is not set to 0
139+
status: automated
140+
rules:
141+
- kubelet_enable_streaming_connections
142+
levels:
143+
- level_1
144+
- id: 4.2.7
145+
title: Ensure that the --make-iptables-util-chains argument is set to true
146+
status: automated
147+
rules:
148+
- kubelet_enable_iptables_util_chains
149+
levels:
150+
- level_1
151+
- id: 4.2.8
152+
title: Ensure that the kubeAPIQPS [--event-qps] argument is set to a level which
153+
ensures appropriate event capture
154+
status: automated
155+
rules:
156+
- kubelet_configure_event_creation
157+
- var_event_record_qps=50
158+
levels:
159+
- level_2
160+
- id: 4.2.9
161+
title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
162+
as appropriate
163+
status: automated
164+
rules:
165+
- kubelet_configure_tls_cert
166+
- kubelet_configure_tls_key
167+
levels:
168+
- level_1
169+
- id: 4.2.10
170+
title: Ensure that the --rotate-certificates argument is not set to false
171+
status: automated
172+
rules:
173+
- kubelet_enable_client_cert_rotation
174+
- kubelet_enable_cert_rotation
175+
levels:
176+
- level_1
177+
- id: 4.2.11
178+
title: Verify that the RotateKubeletServerCertificate argument is set to true
179+
status: automated
180+
rules:
181+
- kubelet_enable_server_cert_rotation
182+
levels:
183+
- level_1
184+
- id: 4.2.12
185+
title: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
186+
status: automated
187+
rules:
188+
- kubelet_configure_tls_cipher_suites
189+
- ingress_controller_tls_cipher_suites
190+
levels:
191+
- level_1
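Review bot: control 4.1.6 ("Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root") lists `- file_owner_kubelet` as an active rule but leaves `#- file_groupowner_kubelet` commented out immediately above it, so the kubelet file's group ownership is never checked even though the title demands root:root for both owner and group. Either restore `- file_groupowner_kubelet` (the other ownership controls in this file, 4.1.2, 4.1.4, 4.1.8 and 4.1.10, each pair an owner rule with a groupowner rule) or replace the commented line with a YAML comment stating why the group check is intentionally excluded; as written it reads as unfinished work carried over from the 1.7.0 file.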
