accounts_restrict_service_account_tokens: Restrict Automounting of Service Account Tokens
accounts_unique_service_account: Ensure Usage of Unique Service Accounts
api_server_admission_control_plugin_AlwaysAdmit: Disable the AlwaysAdmit Admission Control Plugin
api_server_admission_control_plugin_AlwaysPullImages: Ensure that the Admission Control Plugin AlwaysPullImages is not set
api_server_admission_control_plugin_NamespaceLifecycle: Enable the NamespaceLifecycle Admission Control Plugin
api_server_admission_control_plugin_NodeRestriction: Enable the NodeRestriction Admission Control Plugin
api_server_admission_control_plugin_Scc: Enable the SecurityContextConstraint Admission Control Plugin
api_server_admission_control_plugin_SecurityContextDeny: Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
api_server_admission_control_plugin_ServiceAccount: Enable the ServiceAccount Admission Control Plugin
api_server_anonymous_auth: Ensure that anonymous requests to the API Server are authorized
api_server_api_priority_flowschema_catch_all: Ensure catch-all FlowSchema object for API Priority and Fairness Exists
api_server_api_priority_gate_enabled: Enable the APIPriorityAndFairness feature gate
api_server_api_priority_v1alpha1_flowschema_catch_all: Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)
api_server_audit_log_maxbackup: Configure the Kubernetes API Server Maximum Retained Audit Logs
api_server_audit_log_maxsize: Configure Kubernetes API Server Maximum Audit Log Size
api_server_audit_log_path: Configure the Audit Log Path
api_server_auth_mode_no_aa: The authorization-mode cannot be AlwaysAllow
api_server_auth_mode_node: Ensure authorization-mode Node is configured
api_server_auth_mode_rbac: Ensure authorization-mode RBAC is configured
api_server_basic_auth: Disable basic-auth-file for the API Server
api_server_bind_address: Ensure that the bindAddress is set to a relevant secure port
api_server_etcd_cert: Configure the etcd Certificate for the API Server
api_server_etcd_key: Configure the etcd Certificate Key for the API Server
api_server_https_for_kubelet_conn: Ensure that the --kubelet-https argument is set to true
api_server_insecure_bind_address: Disable Use of the Insecure Bind Address
api_server_insecure_port: Prevent Insecure Port Access
api_server_kubelet_certificate_authority: Configure the kubelet Certificate Authority for the API Server
api_server_kubelet_client_cert: Configure the kubelet Certificate File for the API Server
api_server_kubelet_client_key: Configure the kubelet Certificate Key for the API Server
api_server_no_adm_ctrl_plugins_disabled: Ensure all admission control plugins are enabled
api_server_oauth_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
api_server_openshift_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
api_server_profiling_protected_by_rbac: Profiling is protected by RBAC
api_server_request_timeout: Configure the API Server Minimum Request Timeout
api_server_service_account_lookup: Ensure that the service-account-lookup argument is set to true
api_server_service_account_public_key: Configure the Service Account Public Key for the API Server
api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server
api_server_token_auth: Disable Token-based Authentication
compliancesuite_exists: Ensure that Compliance Operator is scanning the cluster
configure_network_policies: Ensure that the CNI in use supports Network Policies
configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined
controller_insecure_port_disabled: Ensure Controller insecure port argument is unset
controller_rotate_kubelet_server_certs: Ensure that the RotateKubeletServerCertificate argument is set
controller_secure_port: Ensure Controller secure-port argument is set
controller_service_account_ca: Configure the Service Account Certificate Authority Key for the Controller Manager
controller_service_account_private_key: Configure the Service Account Private Key for the Controller Manager
controller_use_service_account: Ensure that use-service-account-credentials is enabled
etcd_auto_tls: Disable etcd Self-Signed Certificates
etcd_cert_file: Ensure That The etcd Client Certificate Is Correctly Set
etcd_client_cert_auth: Enable The Client Certificate Authentication
etcd_key_file: Ensure That The etcd Key File Is Correctly Set
etcd_peer_auto_tls: Disable etcd Peer Self-Signed Certificates
etcd_peer_client_cert_auth: Enable The Peer Client Certificate Authentication
etcd_unique_ca: Configure A Unique CA Certificate for etcd
file_groupowner_cni_conf: Verify Group Who Owns The OpenShift Container Network Interface Files
file_groupowner_controller_manager_kubeconfig: Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
file_groupowner_etcd_data_dir: Verify Group Who Owns The Etcd Database Directory
file_groupowner_etcd_data_files: Verify Group Who Owns The Etcd Write-Ahead-Log Files
file_groupowner_etcd_member: Verify Group Who Owns The etcd Member Pod Specification File
file_groupowner_etcd_pki_cert_files: Verify Group Who Owns The Etcd PKI Certificate Files
file_groupowner_ip_allocations: Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
file_groupowner_kube_apiserver: Verify Group Who Owns The Kubernetes API Server Pod Specification File
file_groupowner_kube_controller_manager: Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
file_groupowner_kube_scheduler: Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
file_groupowner_kubelet_conf: Verify Group Who Owns The Kubelet Configuration File
file_groupowner_master_admin_kubeconfigs: Verify Group Who Owns The OpenShift Admin Kubeconfig Files
file_groupowner_multus_conf: Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
file_groupowner_openshift_pki_cert_files: Verify Group Who Owns The OpenShift PKI Certificate Files
file_groupowner_openshift_pki_key_files: Verify Group Who Owns The OpenShift PKI Private Key Files
file_groupowner_openshift_sdn_cniserver_config: Verify Group Who Owns The OpenShift SDN CNI Server Config
file_groupowner_ovs_conf_db: Verify Group Who Owns The Open vSwitch Configuration Database
file_groupowner_ovs_conf_db_lock: Verify Group Who Owns The Open vSwitch Configuration Database Lock
file_groupowner_ovs_pid: Verify Group Who Owns The Open vSwitch Process ID File
file_groupowner_ovs_sys_id_conf: Verify Group Who Owns The Open vSwitch Persistent System ID
file_groupowner_ovs_vswitchd_pid: Verify Group Who Owns The Open vSwitch Daemon PID File
file_groupowner_ovsdb_server_pid: Verify Group Who Owns The Open vSwitch Database Server PID
file_groupowner_proxy_kubeconfig: Verify Group Who Owns The Worker Proxy Kubeconfig File
file_groupowner_scheduler_kubeconfig: Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
file_groupowner_worker_ca: Verify Group Who Owns the Worker Certificate Authority File
file_groupowner_worker_kubeconfig: Verify Group Who Owns The Worker Kubeconfig File
file_groupowner_worker_service: Verify Group Who Owns The OpenShift Node Service File
file_owner_cni_conf: Verify User Who Owns The OpenShift Container Network Interface Files
file_owner_controller_manager_kubeconfig: Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
file_owner_etcd_data_dir: Verify User Who Owns The Etcd Database Directory
file_owner_etcd_data_files: Verify User Who Owns The Etcd Write-Ahead-Log Files
file_owner_etcd_member: Verify User Who Owns The Etcd Member Pod Specification File
file_owner_etcd_pki_cert_files: Verify User Who Owns The Etcd PKI Certificate Files
file_owner_ip_allocations: Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
file_owner_kube_apiserver: Verify User Who Owns The Kubernetes API Server Pod Specification File
file_owner_kube_controller_manager: Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
file_owner_kube_scheduler: Verify User Who Owns The Kubernetes Scheduler Pod Specification File
file_owner_kubelet_conf: Verify User Who Owns The Kubelet Configuration File
file_owner_master_admin_kubeconfigs: Verify User Who Owns The OpenShift Admin Kubeconfig Files
file_owner_multus_conf: Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
file_owner_openshift_pki_cert_files: Verify User Who Owns The OpenShift PKI Certificate Files
file_owner_openshift_pki_key_files: Verify User Who Owns The OpenShift PKI Private Key Files
file_owner_openshift_sdn_cniserver_config: Verify User Who Owns The OpenShift SDN CNI Server Config
file_owner_ovs_conf_db: Verify User Who Owns The Open vSwitch Configuration Database
file_owner_ovs_conf_db_lock: Verify User Who Owns The Open vSwitch Configuration Database Lock
file_owner_ovs_pid: Verify User Who Owns The Open vSwitch Process ID File
file_owner_ovs_sys_id_conf: Verify User Who Owns The Open vSwitch Persistent System ID
file_owner_ovs_vswitchd_pid: Verify User Who Owns The Open vSwitch Daemon PID File
file_owner_ovsdb_server_pid: Verify User Who Owns The Open vSwitch Database Server PID
file_owner_proxy_kubeconfig: Verify User Who Owns The Worker Proxy Kubeconfig File
file_owner_scheduler_kubeconfig: Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
file_owner_worker_ca: Verify User Who Owns the Worker Certificate Authority File
file_owner_worker_kubeconfig: Verify User Who Owns The Worker Kubeconfig File
file_owner_worker_service: Verify User Who Owns The OpenShift Node Service File
file_permissions_cni_conf: Verify Permissions on the OpenShift Container Network Interface Files
file_permissions_controller_manager_kubeconfig: Verify Permissions on the OpenShift Controller Manager Kubeconfig File
file_permissions_etcd_data_dir: Verify Permissions on the Etcd Database Directory
file_permissions_etcd_data_files: Verify Permissions on the Etcd Write-Ahead-Log Files
file_permissions_etcd_member: Verify Permissions on the Etcd Member Pod Specification File
file_permissions_etcd_pki_cert_files: Verify Permissions on the Etcd PKI Certificate Files
file_permissions_ip_allocations: Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
file_permissions_kube_apiserver: Verify Permissions on the Kubernetes API Server Pod Specification File
file_permissions_kube_controller_manager: Verify Permissions on the Kubernetes Controller Manager Pod Specification File
file_permissions_kubelet_conf: Verify Permissions on The Kubelet Configuration File
file_permissions_master_admin_kubeconfigs: Verify Permissions on the OpenShift Admin Kubeconfig Files
file_permissions_multus_conf: Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
file_permissions_openshift_pki_cert_files: Verify Permissions on the OpenShift PKI Certificate Files
file_permissions_openshift_pki_key_files: Verify Permissions on the OpenShift PKI Private Key Files
file_permissions_ovs_conf_db: Verify Permissions on the Open vSwitch Configuration Database
file_permissions_ovs_conf_db_lock: Verify Permissions on the Open vSwitch Configuration Database Lock
file_permissions_ovs_pid: Verify Permissions on the Open vSwitch Process ID File
file_permissions_ovs_sys_id_conf: Verify Permissions on the Open vSwitch Persistent System ID
file_permissions_ovs_vswitchd_pid: Verify Permissions on the Open vSwitch Daemon PID File
file_permissions_ovsdb_server_pid: Verify Permissions on the Open vSwitch Database Server PID
file_permissions_proxy_kubeconfig: Verify Permissions on the Worker Proxy Kubeconfig File
file_permissions_scheduler: Verify Permissions on the Kubernetes Scheduler Pod Specification File
file_permissions_scheduler_kubeconfig: Verify Permissions on the Kubernetes Scheduler Kubeconfig File
file_permissions_worker_ca: Verify Permissions on the Worker Certificate Authority File
file_permissions_worker_kubeconfig: Verify Permissions on the Worker Kubeconfig File
file_permissions_worker_service: Verify Permissions on the OpenShift Node Service File
file_perms_openshift_sdn_cniserver_config: Verify Permissions on the OpenShift SDN CNI Server Config
general_apply_scc: Apply Security Context to Your Pods and Containers
general_configure_imagepolicywebhook: Manage Image Provenance Using ImagePolicyWebhook
general_default_namespace_use: The default namespace should not be used
general_default_seccomp_profile: Ensure Seccomp Profile Pod Definitions
general_namespaces_in_use: Create administrative boundaries between resources using namespaces
kubelet_anonymous_auth: Disable Anonymous Authentication to the Kubelet
kubelet_authorization_mode: Ensure authorization is set to Webhook
kubelet_configure_client_ca: kubelet - Configure the Client CA Certificate
kubelet_configure_event_creation: Kubelet - Ensure Event Creation Is Configured
kubelet_configure_tls_cipher_suites: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
kubelet_disable_hostname_override: kubelet - Hostname Override handling
kubelet_disable_readonly_port: kubelet - Disable the Read-Only Port
kubelet_enable_cert_rotation: kubelet - Enable Certificate Rotation
kubelet_enable_client_cert_rotation: kubelet - Enable Client Certificate Rotation
kubelet_enable_iptables_util_chains: kubelet - Allow Automatic Firewall Configuration
kubelet_enable_protect_kernel_defaults: kubelet - Enable Protect Kernel Defaults
kubelet_enable_protect_kernel_sysctl: kubelet - Set Up Sysctl to Enable Protect Kernel Defaults
kubelet_enable_protect_kernel_sysctl_file_exist: kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check sysctl configuration file exists
kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes: kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxbytes
kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys: kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxkeys
kubelet_enable_protect_kernel_sysctl_kernel_panic: kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic
kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops: kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic_on_oops
kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory: kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.overcommit_memory
kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom: kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.panic_on_oom
kubelet_enable_server_cert_rotation: kubelet - Enable Server Certificate Rotation
kubelet_enable_streaming_connections: kubelet - Do Not Disable Streaming Timeouts
kubelet_eviction_thresholds_set_hard_imagefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
kubelet_eviction_thresholds_set_hard_imagefs_inodesfree: Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree
kubelet_eviction_thresholds_set_hard_memory_available: Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
kubelet_eviction_thresholds_set_hard_nodefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
kubelet_eviction_thresholds_set_hard_nodefs_inodesfree: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree
kubelet_eviction_thresholds_set_soft_imagefs_available: Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available
kubelet_eviction_thresholds_set_soft_imagefs_inodesfree: Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree
kubelet_eviction_thresholds_set_soft_memory_available: Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available
kubelet_eviction_thresholds_set_soft_nodefs_available: Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available
kubelet_eviction_thresholds_set_soft_nodefs_inodesfree: Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree
kubelet_read_only_port_secured: kubelet - Ensure that the --read-only-port is secured
ocp_api_server_audit_log_maxbackup: Configure the OpenShift API Server Maximum Retained Audit Logs
ocp_api_server_audit_log_maxsize: Configure OpenShift API Server Maximum Audit Log Size
openshift_api_server_audit_log_path: Configure the Audit Log Path
rbac_debug_role_protects_pprof: Profiling is protected by RBAC
rbac_limit_cluster_admin: Ensure that the cluster-admin role is only used where required
rbac_limit_secrets_access: Limit Access to Kubernetes Secrets
rbac_pod_creation_access: Minimize Access to Pod Creation
rbac_wildcard_use: Minimize Wildcard Usage in Cluster and Local Roles
scc_drop_container_capabilities: Drop Container Capabilities
scc_limit_container_allowed_capabilities: Limit Container Capabilities
scc_limit_ipc_namespace: Limit Access to the Host IPC Namespace
scc_limit_net_raw_capability: Limit Use of the CAP_NET_RAW
scc_limit_network_namespace: Limit Access to the Host Network Namespace
scc_limit_privilege_escalation: Limit Containers Ability to Escalate Privileges
scc_limit_privileged_containers: Limit Privileged Container Use
scc_limit_process_id_namespace: Limit Access to the Host Process ID Namespace
scc_limit_root_containers: Limit Container Running As Root User
scheduler_no_bind_address: Ensure that the bind-address parameter is not used
secrets_consider_external_storage: Consider external secret storage
secrets_no_environment_variables: Do Not Use Environment Variables with Secrets
scc_limit_container_allowed_capabilitiesLimit Container Capabilities
scc_limit_ipc_namespaceLimit Access to the Host IPC Namespace
scc_limit_net_raw_capabilityLimit Use of the CAP_NET_RAW
scc_limit_network_namespaceLimit Access to the Host Network Namespace
scc_limit_privilege_escalationLimit Containers Ability to Escalate Privileges
scc_limit_privileged_containersLimit Privileged Container Use
scc_limit_process_id_namespaceLimit Access to the Host Process ID Namespace
scc_limit_root_containersLimit Container Running As Root User
scheduler_no_bind_addressEnsure that the bind-address parameter is not used
secrets_consider_external_storageConsider external secret storage
secrets_no_environment_variablesDo Not Use Environment Variables with Secrets
api_server_client_caConfigure the Client Certificate Authority for the API Server
api_server_etcd_caConfigure the etcd Certificate Authority for the API Server
api_server_etcd_certConfigure the etcd Certificate for the API Server
api_server_etcd_keyConfigure the etcd Certificate Key for the API Server
api_server_https_for_kubelet_connEnsure that the --kubelet-https argument is set to true
api_server_kubelet_certificate_authorityConfigure the kubelet Certificate Authority for the API Server
api_server_kubelet_client_certConfigure the kubelet Certificate File for the API Server
api_server_kubelet_client_keyConfigure the kubelet Certificate Key for the API Server
api_server_oauth_https_serving_certEnsure the openshift-oauth-apiserver service uses TLS
api_server_openshift_https_serving_certEnsure the openshift-oauth-apiserver service uses TLS
api_server_tls_certConfigure the Certificate for the API Server
api_server_tls_private_keyConfigure the Certificate Key for the API Server
controller_insecure_port_disabledEnsure Controller insecure port argument is unset
controller_rotate_kubelet_server_certsEnsure that the RotateKubeletServerCertificate argument is set
controller_secure_portEnsure Controller secure-port argument is set
controller_service_account_caConfigure the Service Account Certificate Authority Key for the Controller Manager
controller_service_account_private_keyConfigure the Service Account Private Key for the Controller Manager
etcd_auto_tlsDisable etcd Self-Signed Certificates
etcd_cert_fileEnsure That The etcd Client Certificate Is Correctly Set
etcd_client_cert_authEnable The Client Certificate Authentication
etcd_key_fileEnsure That The etcd Key File Is Correctly Set
etcd_peer_auto_tlsDisable etcd Peer Self-Signed Certificates
etcd_peer_cert_fileEnsure That The etcd Peer Client Certificate Is Correctly Set
etcd_peer_client_cert_authEnable The Peer Client Certificate Authentication
etcd_peer_key_fileEnsure That The etcd Peer Key File Is Correctly Set
kubelet_configure_tls_certEnsure That The kubelet Client Certificate Is Correctly Set
kubelet_configure_tls_keyEnsure That The kubelet Server Key Is Correctly Set
ocp_no_ldap_insecureOnly Use LDAP-based IdPs with TLS
routes_protected_by_tlsEnsure that all OpenShift Routes prefer TLS
scheduler_no_bind_addressEnsure that the bind-address parameter is not used