Skip to content

CMP-4110: Implement CIS OpenShift version 1.9.0 #14431

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rhmdnd wants to merge 7 commits into
base: master
Choose a base branch
from
Open

CMP-4110: Implement CIS OpenShift version 1.9.0 #14431

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
fbc1506
Bump CIS OpenShift version from 1.7.0 to 1.9.0
rhmdnd Feb 19, 2026
dcdb508
Add CIS OpenShift 1.9.0 profile and controls
rhmdnd Feb 19, 2026
9644ce9
Implement CIS OpenShift v1.9.0 section 1
rhmdnd Feb 19, 2026
f28703a
Add CIS OpenShift v1.9.0 section 2
rhmdnd Feb 19, 2026
3fe7521
Implement CIS OpenShift v1.9.0 section 3
rhmdnd Feb 19, 2026
3349405
Implement CIS OpenShift v1.9.0 section 4
rhmdnd Feb 19, 2026
9be6c7c
Implement CIS OpenShift v1.9.0 section 5
rhmdnd Feb 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions controls/cis_ocp_190.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
policy: CIS Red Hat OpenShift Container Platform 4 Benchmark
title: CIS Red Hat OpenShift Container Platform 4 Benchmark
id: cis_ocp_190
source: https://www.cisecurity.org/benchmark/kubernetes

levels:
- id: level_1
- id: level_2
inherits_from:
- level_1
506 changes: 506 additions & 0 deletions controls/cis_ocp_190/section-1.yml
View file
Open in desktop

Large diffs are not rendered by default.

58 changes: 58 additions & 0 deletions controls/cis_ocp_190/section-2.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
---
controls:
- id: '2'
title: etcd
status: pending
rules: []
controls:
- id: '2.1'
title: Ensure that the --cert-file and --key-file arguments are set as appropriate
status: automated
rules:
- etcd_cert_file
- etcd_key_file
levels:
- level_1
- id: '2.2'
title: Ensure that the --client-cert-auth argument is set to true
status: automated
rules:
- etcd_client_cert_auth
levels:
- level_1
- id: '2.3'
title: Ensure that the --auto-tls argument is not set to true
status: automated
rules:
- etcd_auto_tls
levels:
- level_1
- id: '2.4'
title: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
status: automated
rules:
- etcd_peer_cert_file
- etcd_peer_key_file
levels:
- level_1
- id: '2.5'
title: Ensure that the --peer-client-cert-auth argument is set to true
status: automated
rules:
- etcd_peer_client_cert_auth
levels:
- level_1
- id: '2.6'
title: Ensure that the --peer-auto-tls argument is not set to true
status: automated
rules:
- etcd_peer_auto_tls
levels:
- level_1
- id: '2.7'
title: Ensure that a unique Certificate Authority is used for etcd
status: automated
rules:
- etcd_unique_ca
levels:
- level_2
39 changes: 39 additions & 0 deletions controls/cis_ocp_190/section-3.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
---
controls:
- id: '3'
title: Control Plane Configuration
status: pending
rules: []
controls:
- id: '3.1'
title: Authentication and Authorization
status: automated
rules: []
controls:
- id: 3.1.1
title: Client certificate authentication should not be used for users
status: automated
rules:
- idp_is_configured
- kubeadmin_removed
levels:
- level_2
- id: '3.2'
title: Logging
status: automated
rules: []
controls:
- id: 3.2.1
title: Ensure that a minimal audit policy is created
status: automated
rules:
- audit_logging_enabled
levels:
- level_1
- id: 3.2.2
title: Ensure that the audit policy covers key security concerns
status: automated
rules:
- audit_profile_set
levels:
- level_2
191 changes: 191 additions & 0 deletions controls/cis_ocp_190/section-4.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,191 @@
---
controls:
- id: '4'
title: Worker Nodes
status: pending
rules: []
controls:
- id: '4.1'
title: Worker Node Configuration Files
status: pending
rules: []
controls:
- id: 4.1.1
title: Ensure that the kubelet service file permissions are set to 644 or more restrictive
status: automated
rules:
- file_permissions_worker_service
levels:
- level_1
- id: 4.1.2
title: Ensure that the kubelet service file ownership is set to root:root
status: automated
rules:
- file_owner_worker_service
- file_groupowner_worker_service
levels:
- level_1
- id: 4.1.3
title: If proxy kube proxy configuration file exists ensure permissions are set to
644 or more restrictive
status: automated
rules:
- file_permissions_proxy_kubeconfig
levels:
- level_1
- id: 4.1.4
title: If proxy kubeconfig file exists ensure ownership is set to root:root
status: automated
rules:
- file_owner_proxy_kubeconfig
- file_groupowner_proxy_kubeconfig
levels:
- level_1
- id: 4.1.5
title: Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or
more restrictive
status: automated
rules:
- file_permissions_kubelet_conf
levels:
- level_1
- id: 4.1.6
title: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
status: automated
rules:
- file_groupowner_kubelet_conf
- file_owner_kubelet_conf
#- file_groupowner_kubelet
- file_owner_kubelet
levels:
- level_1
- id: 4.1.7
title: Ensure that the certificate authorities file permissions are set to 644 or more
restrictive
status: automated
rules:
- file_permissions_worker_ca
levels:
- level_1
- id: 4.1.8
title: Ensure that the client certificate authorities file ownership is set to root:root
status: automated
rules:
- file_owner_worker_ca
- file_groupowner_worker_ca
levels:
- level_1
- id: 4.1.9
title: Ensure that the kubelet --config configuration file has permissions set to 600
or more restrictive
status: automated
rules:
- file_permissions_worker_kubeconfig
levels:
- level_1
- id: 4.1.10
title: Ensure that the kubelet configuration file ownership is set to root:root
status: automated
rules:
- file_owner_worker_kubeconfig
- file_groupowner_worker_kubeconfig
levels:
- level_1
- id: '4.2'
title: Kubelet
status: pending
rules: []
controls:
- id: 4.2.1
title: Activate Garbage collection in OpenShift Container Platform 4, as appropriate
status: automated
rules:
- kubelet_eviction_thresholds_set_hard_memory_available
- kubelet_eviction_thresholds_set_hard_nodefs_available
- kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
- kubelet_eviction_thresholds_set_hard_imagefs_available
levels:
- level_1
- id: 4.2.2
title: Ensure that the --anonymous-auth argument is set to false
status: automated
rules:
- kubelet_anonymous_auth
levels:
- level_1
- id: 4.2.3
title: Ensure that the --authorization-mode argument is not set to AlwaysAllow
status: automated
rules:
- kubelet_authorization_mode
levels:
- level_1
- id: 4.2.4
title: Ensure that the --client-ca-file argument is set as appropriate
status: automated
rules:
- kubelet_configure_client_ca
levels:
- level_1
- id: 4.2.5
title: Verify that the read only port is not used or is set to 0
status: automated
rules:
- kubelet_disable_readonly_port
levels:
- level_1
- id: 4.2.6
title: Ensure that the --streaming-connection-idle-timeout argument is not set to 0
status: automated
rules:
- kubelet_enable_streaming_connections
levels:
- level_1
- id: 4.2.7
title: Ensure that the --make-iptables-util-chains argument is set to true
status: automated
rules:
- kubelet_enable_iptables_util_chains
levels:
- level_1
- id: 4.2.8
title: Ensure that the kubeAPIQPS [--event-qps] argument is set to a level which
ensures appropriate event capture
status: automated
rules:
- kubelet_configure_event_creation
- var_event_record_qps=50
levels:
- level_2
- id: 4.2.9
title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
as appropriate
status: automated
rules:
- kubelet_configure_tls_cert
- kubelet_configure_tls_key
levels:
- level_1
- id: 4.2.10
title: Ensure that the --rotate-certificates argument is not set to false
status: automated
rules:
- kubelet_enable_client_cert_rotation
- kubelet_enable_cert_rotation
levels:
- level_1
- id: 4.2.11
title: Verify that the RotateKubeletServerCertificate argument is set to true
status: automated
rules:
- kubelet_enable_server_cert_rotation
levels:
- level_1
- id: 4.2.12
title: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
status: automated
rules:
- kubelet_configure_tls_cipher_suites
- ingress_controller_tls_cipher_suites
levels:
- level_1
Loading
Loading