CIS Red Hat OpenShift Container Platform v1.8.0 L2 OpenShift

Audit Details

Name: CIS Red Hat OpenShift Container Platform v1.8.0 L2 OpenShift

Updated: 9/16/2025

Authority: CIS

Plugin: OpenShift

Revision: 1.0

Estimated Item Count: 16

File Details

Filename: CIS_Red_Hat_OpenShift_Container_Platform_v1.8.0_L2.audit

Size: 49.8 kB

MD5: 437403a8fae684b1f0d5535773a642bc
SHA256: 26ef920420bfc68be7b3345e836c48c1e9e2f558cc7eb70a11a1250821237a61

Audit Items

Description / Categories

2.7 Ensure that a unique Certificate Authority is used for etcd
    Categories: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.1.1 Client certificate authentication should not be used for users
    Categories: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

3.2.2 Ensure that the audit policy covers key security concerns
    Categories: AUDIT AND ACCOUNTABILITY

4.2.8 Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture
    Categories: AUDIT AND ACCOUNTABILITY

4.2.10 Ensure that the --rotate-certificates argument is not set to false
    Categories: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true
    Categories: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.2.6 Minimize the admission of root containers
    Categories: ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

5.2.9 Minimize the admission of containers with capabilities assigned
    Categories: CONFIGURATION MANAGEMENT

5.2.10 Minimize access to privileged Security Context Constraints
    Categories: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

5.3.2 Ensure that all Namespaces have Network Policies defined
    Categories: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.4.1 Prefer using secrets as files over secrets as environment variables
    Categories: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.4.2 Consider external secret storage
    Categories: SYSTEM AND COMMUNICATIONS PROTECTION

5.5.1 Configure Image Provenance using image controller configuration parameters
    Categories: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions
    Categories: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

5.7.3 Apply Security Context to Your Pods and Containers
    Categories: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

5.7.4 The default namespace should not be used
    Categories: SYSTEM AND COMMUNICATIONS PROTECTION