None required. The default configuration should not be modified.
None required. --basic-auth-file cannot be configured on OpenShift.
None is required.
No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable.
No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable.
No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable.
None required. RBAC is always on, and the OpenShift API server ignores any value assigned to the --authorization-mode flag.
No remediation is required.
None. It is not possible to disable RBAC.
No remediation is required.
No remediation is required. The AlwaysAdmit admission controller cannot be enabled in OpenShift.
None required.
None required. The Security Context Constraint admission controller cannot be disabled in OpenShift 4.
None required. OpenShift is configured to use service accounts by default.
Ensure that the --disable-admission-plugins parameter does not include NamespaceLifecycle.
None required. Security Context Constraints are enabled by default in OpenShift and cannot be disabled.
The NodeRestriction plugin cannot be disabled.
None required.
None required. The configuration is managed by the API server operator.
None required.
None required as profiling data is protected by RBAC.
None required. This is managed by the cluster apiserver operator.
Follow the documentation for log forwarding. Forwarding logs to third party systems https://docs.openshift.com/container-platform/4.5/logging/cluster-logging-external.html
Set the maximumRetainedFiles parameter to 10 or to another appropriate number of files. maximumRetainedFiles: 10
Set the maximumFileSizeMegabytes parameter (OpenShift's equivalent of the upstream --audit-log-maxsize argument) to 100 or to another appropriate size in megabytes. maximumFileSizeMegabytes: 100
TBD
TBD
The OpenShift API server does not use the --service-account-key-file argument. The ServiceAccount token authenticator is configured with serviceAccountConfig.publicKeyFiles. OpenShift does not reuse the apiserver TLS key. This is not configurable.
OpenShift automatically manages TLS and client certificate authentication for etcd. This is not configurable.
OpenShift automatically manages TLS authentication for the API server's communication with the node/kubelet. This is not configurable. You may optionally set a custom default certificate to be used by the API server when serving content, so that clients can reach the API server at a different host name or without having to distribute the cluster-managed certificate authority (CA) certificate to them. Follow the directions in the OpenShift documentation, "User-provided certificates for the API server".
OpenShift automatically manages TLS authentication for the API server's communication with the node/kubelet. This is not configurable. You may optionally set a custom default certificate to be used by the API server when serving content, so that clients can reach the API server at a different host name or without having to distribute the cluster-managed certificate authority (CA) certificate to them.
User-provided certificates must be provided in a kubernetes.io/tls type Secret in the openshift-config namespace. Update the API server cluster configuration, the apiserver/cluster resource, to enable the use of the user-provided certificate.
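The two objects the procedure above describes, as an added example that is not part of the benchmark text or the OpenShift documentation. The secret name apiserver-custom-cert, the host name api.example.com and the PEM file names are placeholders; substitute your own.

```yaml
# Added example (not from the original page).
#
# Step 1: create the kubernetes.io/tls secret in openshift-config from a
# PEM certificate chain and its private key (placeholder file names):
#
#   oc create secret tls apiserver-custom-cert \
#     --cert=api.example.com.fullchain.pem \
#     --key=api.example.com.key \
#     -n openshift-config
#
# Step 2: reference the secret from the cluster-wide APIServer resource
# (apiserver/cluster). The certificate is served only to clients whose
# TLS SNI host matches an entry in "names"; every other connection keeps
# the cluster-managed certificate, so existing kubeconfigs keep working.
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  servingCerts:
    namedCertificates:
      - names:
          - api.example.com            # external API host name (placeholder)
        servingCertificate:
          name: apiserver-custom-cert  # must exist in openshift-config
```

Apply the manifest with oc apply -f, or make the equivalent change with oc patch apiserver cluster --type=merge. Do not list the internal load balancer host name (api-int.<cluster_name>.<base_domain>) under names; the control plane components rely on the cluster-managed certificate for that host, and overriding it degrades the cluster. The kube-apiserver pods roll out after the change, so expect the kube-apiserver cluster operator to report Progressing for a few minutes.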
None required. OpenShift generates the --etcd-cafile and sets the arguments appropriately in the API server. Communication with etcd is secured by the etcd serving CA.
Follow the OpenShift documentation for encrypting etcd data (OpenShift Container Platform 4.5, Authentication): https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html
Follow the Kubernetes documentation and configure an EncryptionConfig file, choosing aescbc, kms or secretbox as the encryption provider. On OpenShift the file is not edited by hand: the provider is selected through spec.encryption.type on the apiserver/cluster resource, and aescbc is the type supported by this release.
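The OpenShift-side equivalent of the EncryptionConfig change, as an added example that is not part of the benchmark text or the linked documentation. It sets the provider on the cluster-wide APIServer resource; the verification command in the comment is the one the OpenShift documentation uses to read the encryption status condition.

```yaml
# Added example (not from the original page).
#
# Turning on etcd encryption for the resources OpenShift encrypts at rest
# (Secrets, ConfigMaps, Routes, OAuth access and authorize tokens).
# The default type is "identity", which stores these resources unencrypted.
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: aescbc   # AES-CBC with PKCS#7 padding; set back to "identity" to disable

# Apply with:  oc apply -f <this file>   (or: oc edit apiserver cluster)
#
# Encryption is performed by rewriting the stored objects, so it completes
# in the background. Check the Encrypted condition reported by the
# OpenShift API server operator; the reason is EncryptionCompleted once all
# resources have been rewritten (the kube-apiserver operator exposes the
# same condition for Secrets and ConfigMaps):
#
#   oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
```

Treat an etcd backup taken after this change as still sensitive: the encryption keys are themselves held in the cluster, so the backup plus cluster access yields the plaintext. Encryption at rest protects against disclosure of the raw etcd data files or snapshots, not against an attacker who already holds cluster-admin.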
Verify that tlsSecurityProfile is set to the value you chose. Note: the HAProxy Ingress Controller image does not support TLS 1.3, so the Modern profile, which requires TLS 1.3, is not supported; the Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also raises the TLS 1.0 of an Old or Custom profile to 1.1, and lowers the TLS 1.3 of a Custom profile to 1.2.
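A Custom profile on the default Ingress Controller, and the same field on the cluster-wide APIServer resource, as an added example that is not part of the benchmark text. The cipher list is illustrative (OpenSSL names, forward-secret AEAD suites only); the minimum version is pinned to 1.2 deliberately so that the operator's silent 1.0-to-1.1 conversion described above never comes into play.

```yaml
# Added example (not from the original page).
#
# Ingress Controller: a Custom profile. Setting minTLSVersion: VersionTLS10
# here would be raised to VersionTLS11 by the Ingress Operator, and
# VersionTLS13 would be lowered to VersionTLS12, so what you request and
# what HAProxy enforces can differ. Pinning 1.2 avoids that ambiguity.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  tlsSecurityProfile:
    type: Custom
    custom:
      minTLSVersion: VersionTLS12
      ciphers:
        - ECDHE-ECDSA-AES128-GCM-SHA256
        - ECDHE-RSA-AES128-GCM-SHA256
        - ECDHE-ECDSA-AES256-GCM-SHA384
        - ECDHE-RSA-AES256-GCM-SHA384
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
---
# API server: the same tlsSecurityProfile field, here using the predefined
# Intermediate profile (TLS 1.2 minimum and Mozilla's intermediate cipher set).
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  tlsSecurityProfile:
    type: Intermediate
    intermediate: {}
```

To verify, do not stop at the spec you wrote: the Ingress Operator records the profile it actually applied in status.tlsProfile of the IngressController, so compare spec.tlsSecurityProfile with status.tlsProfile in the output of oc get ingresscontroller default -n openshift-ingress-operator -o yaml. Any version or cipher the operator converted shows up as a difference between the two.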