Commit 9be6c7c

Implement CIS OpenShift v1.9.0 section 5
This section remains the same as version 1.7.0. Assisted-By: Claude Opus 4.6
1 parent 3349405 commit 9be6c7c

1 file changed

Lines changed: 216 additions & 0 deletions

File tree

controls/cis_ocp_190/section-5.yml

@@ -0,0 +1,216 @@
1+
---
2+
controls:
3+
- id: '5'
4+
title: Policies
5+
status: partial
6+
rules: []
7+
controls:
8+
- id: '5.1'
9+
title: RBAC and Service Accounts
10+
status: manual
11+
rules: []
12+
controls:
13+
- id: 5.1.1
14+
title: Ensure that the cluster-admin role is only used where required
15+
status: manual
16+
rules:
17+
- rbac_limit_cluster_admin
18+
levels:
19+
- level_1
20+
- id: 5.1.2
21+
title: Minimize access to secrets
22+
status: manual
23+
rules:
24+
- rbac_limit_secrets_access
25+
levels:
26+
- level_1
27+
- id: 5.1.3
28+
title: Minimize wildcard use in Roles and ClusterRoles
29+
status: manual
30+
rules:
31+
- rbac_wildcard_use
32+
levels:
33+
- level_1
34+
- id: 5.1.4
35+
title: Minimize access to create pods
36+
status: manual
37+
rules:
38+
- rbac_pod_creation_access
39+
levels:
40+
- level_1
41+
- id: 5.1.5
42+
title: Ensure that default service accounts are not actively used.
43+
status: manual
44+
rules:
45+
- accounts_unique_service_account
46+
levels:
47+
- level_1
48+
- id: 5.1.6
49+
title: Ensure that Service Account Tokens are only mounted where necessary
50+
status: manual
51+
rules:
52+
- accounts_restrict_service_account_tokens
53+
levels:
54+
- level_1
55+
- id: '5.2'
56+
title: Security Context Constraints
57+
status: partial
58+
rules: []
59+
controls:
60+
- id: 5.2.1
61+
title: Minimize the admission of privileged containers
62+
status: manual
63+
rules:
64+
- scc_limit_privileged_containers
65+
levels:
66+
- level_1
67+
- id: 5.2.2
68+
title: Minimize the admission of containers wishing to share the host process ID namespace
69+
status: manual
70+
rules:
71+
- scc_limit_process_id_namespace
72+
levels:
73+
- level_1
74+
- id: 5.2.3
75+
title: Minimize the admission of containers wishing to share the host IPC namespace
76+
status: manual
77+
rules:
78+
- scc_limit_ipc_namespace
79+
levels:
80+
- level_1
81+
- id: 5.2.4
82+
title: Minimize the admission of containers wishing to share the host network namespace
83+
status: manual
84+
rules:
85+
- scc_limit_network_namespace
86+
levels:
87+
- level_1
88+
- id: 5.2.5
89+
title: Minimize the admission of containers with allowPrivilegeEscalation
90+
status: manual
91+
rules:
92+
- scc_limit_privilege_escalation
93+
levels:
94+
- level_1
95+
- id: 5.2.6
96+
title: Minimize the admission of root containers
97+
status: manual
98+
rules:
99+
- scc_limit_root_containers
100+
levels:
101+
- level_2
102+
- id: 5.2.7
103+
title: Minimize the admission of containers with the NET_RAW capability
104+
status: manual
105+
rules:
106+
- scc_limit_net_raw_capability
107+
levels:
108+
- level_1
109+
- id: 5.2.8
110+
title: Minimize the admission of containers with added capabilities
111+
status: automated
112+
rules:
113+
- scc_limit_container_allowed_capabilities
114+
levels:
115+
- level_1
116+
- id: 5.2.9
117+
title: Minimize the admission of containers with capabilities assigned
118+
status: manual
119+
rules:
120+
- scc_drop_container_capabilities
121+
levels:
122+
- level_2
123+
- id: 5.2.10
124+
title: Minimize access to privileged Security Context Constraints
125+
status: manual
126+
rules:
127+
- rbac_least_privilege
128+
levels:
129+
- level_2
130+
- id: '5.3'
131+
title: Network Policies and CNI
132+
status: partial
133+
rules: []
134+
controls:
135+
- id: 5.3.1
136+
title: Ensure that the CNI in use supports Network Policies
137+
status: automated
138+
rules:
139+
- configure_network_policies
140+
levels:
141+
- level_1
142+
- id: 5.3.2
143+
title: Ensure that all Namespaces have Network Policies defined
144+
status: partial
145+
rules:
146+
- configure_network_policies_namespaces
147+
- configure_network_policies_hypershift_hosted
148+
levels:
149+
- level_2
150+
- id: '5.4'
151+
title: Secrets Management
152+
status: manual
153+
rules: []
154+
controls:
155+
- id: 5.4.1
156+
title: Prefer using secrets as files over secrets as environment variables
157+
status: manual
158+
rules:
159+
- secrets_no_environment_variables
160+
levels:
161+
- level_1
162+
- id: 5.4.2
163+
title: Consider external secret storage
164+
status: manual
165+
rules:
166+
- secrets_consider_external_storage
167+
levels:
168+
- level_2
169+
- id: '5.5'
170+
title: Extensible Admission Control
171+
status: automated
172+
rules: []
173+
controls:
174+
- id: 5.5.1
175+
title: Configure Image Provenance using image controller configuration parameters
176+
status: automated
177+
rules:
178+
- ocp_allowed_registries
179+
- ocp_allowed_registries_for_import
180+
- ocp_insecure_registries
181+
- ocp_insecure_allowed_registries_for_import
182+
levels:
183+
- level_2
184+
- id: '5.7'
185+
title: General Policies
186+
status: manual
187+
rules: []
188+
controls:
189+
- id: 5.7.1
190+
title: Create administrative boundaries between resources using namespaces
191+
status: manual
192+
rules:
193+
- general_namespaces_in_use
194+
levels:
195+
- level_1
196+
- id: 5.7.2
197+
title: Ensure that the seccomp profile is set to docker/default in your pod definitions
198+
status: manual
199+
rules:
200+
- general_default_seccomp_profile
201+
levels:
202+
- level_2
203+
- id: 5.7.3
204+
title: Apply Security Context to Your Pods and Containers
205+
status: manual
206+
rules:
207+
- general_apply_scc
208+
levels:
209+
- level_2
210+
- id: 5.7.4
211+
title: The default namespace should not be used
212+
status: manual
213+
rules:
214+
- general_default_namespace_use
215+
levels:
216+
- level_2
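Review bot: the title of 5.1.5 ends with a trailing period ("Ensure that default service accounts are not actively used.") while no other title in this file does; drop it so the control titles render consistently. Two smaller points on the same hunk: the ids jump from '5.5' straight to '5.7', so if the v1.9.0 benchmark really has no 5.6 (the commit message says the section is unchanged from 1.7.0), a one-line YAML comment stating that the gap is intentional would save the next reader a search for a missing control; and the quoting of ids is deliberately mixed ('5', '5.1' through '5.7' quoted so YAML does not parse them as numbers, three-part ids like 5.1.1 left bare), which works as written, but quoting every id uniformly would make that intent obvious.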
