| 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true | IDENTIFICATION AND AUTHENTICATION |
| 2.7 Ensure that a unique Certificate Authority is used for etcd | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Encrypt etc | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Client certificate authentication should not be used for users - Authentications | CONFIGURATION MANAGEMENT |
| 3.1.1 Client certificate authentication should not be used for users - ClusterRoleBindings | CONFIGURATION MANAGEMENT |
| 3.1.1 Client certificate authentication should not be used for users - Identities | CONFIGURATION MANAGEMENT |
| 3.1.1 Client certificate authentication should not be used for users - Secrets | CONFIGURATION MANAGEMENT |
| 3.2.2 Ensure that the audit policy covers key security concerns - openshift-apiserver | AUDIT AND ACCOUNTABILITY |
| 3.2.2 Ensure that the audit policy covers key security concerns - openshift-kube-apiserver | AUDIT AND ACCOUNTABILITY |
| 4.2.9 Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture | AUDIT AND ACCOUNTABILITY |
| 5.2.6 Minimize the admission of root containers | ACCESS CONTROL |
| 5.2.9 Minimize the admission of containers with capabilities assigned | CONFIGURATION MANAGEMENT |
| 5.3.2 Ensure that all Namespaces have Network Policies defined - Namespaces | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.3.2 Ensure that all Namespaces have Network Policies defined - NetworkPolicies | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.2 Consider external secret storage | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.5.1 Configure Image Provenance using image controller configuration parameters | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 5.7.3 Apply Security Context to Your Pods and Containers | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.7.4 The default namespace should not be used - BuildConfigs | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - Builds | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - CronJobs | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - DaemonSets | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - DeploymentConfigs | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - Deployments | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - HorizontalPodAutoScalers | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - ImageStreams | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - Jobs | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - Pods | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - ReplicaSets | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - ReplicationControllers | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - Routes | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - Services | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used - StatefulSets | SYSTEM AND COMMUNICATIONS PROTECTION |
