The policies in this folder are built on Red Hat Advanced Cluster Management for Kubernetes and are derived from the security controls in the OCP 4.x Platform & Infrastructure Security Best Practices compliance document. Each security control is represented by its own directory.

The solution presented in this directory is designed to provide compliance across a multi-cluster Red Hat OpenShift environment. Note that some policies can be applied out of the box, while others may require changes to match your organization's regulations.
- authentication-user-management
- authorization
- etcd-security
- infrastructure-general
- monitoring-observability
- networking
- resource-exhaustion
- storage
- trusted-image-sources
## authentication-user-management

Policy | Description | Prerequisites |
---|---|---|
kubeadmin-policy | Validates the removal of the kubeadmin temporary user | |
group-policy | Ensures that a group is created with the defined users in it | |
gatekeeper-shorten-tokens | Ensures that authentication tokens have a restricted lifespan | |
gatekeeper-disallow-anonymous-auth | Ensures there are no anonymous users associated with any ClusterRole | The GateKeeper operator needs to be installed |
## authorization

Policy | Description | Prerequisites |
---|---|---|
disallowed-role-policy | Ensures that the defined role pattern does not exist in the cluster | |
role-policy | Ensures that a role exists in the cluster | |
role-binding-policy | Ensures that a role is bound to a user / group | |
gatekeeper-disalllow-privileged-scc-usage | Ensures that the privileged SCC is not used by unlisted service accounts, users and groups | |
default-scc-validation-policy | Ensures that the default SCCs are not modified | |
prevent-default-serviceaccount-usage | Ensures that the default service account is not usable by any pod | The GateKeeper operator needs to be installed |
gatekeeper-disallow-host-namespaces | Ensures that hostIPC and hostPID are not set in the pod's definition | The GateKeeper operator needs to be installed |
gatekeeper-disallow-host-network | Ensures that hostNetwork and hostPort are not set in the pod's definition | The GateKeeper operator needs to be installed |
gatekeeper-disallow-cluster-admin | Raises an alert when the cluster-admin ClusterRole is granted to an unapproved entity in the environment | The GateKeeper operator needs to be installed |
serviceaccount-automounttoken-prevention | Ensures that the service account token is not mounted into pods by default | The GateKeeper operator needs to be installed |
gatekeeper-disallow-scc-runasany | Requires custom SCCs not to use the RunAsAny type for the runAsUser attribute | The GateKeeper operator needs to be installed |
## etcd-security

Policy | Description | Prerequisites |
---|---|---|
etcdencryption-policy | Ensures that the etcd database is encrypted | |
etcd-backup-policy | Backs up the etcd data on a weekly basis into a PersistentVolume and rotates the backups to avoid over-consumption | |
## infrastructure-general

Policy | Description | Prerequisites |
---|---|---|
gatekeeper-operator-policy | Ensures that the Gatekeeper operator is running | |
certificate-expiry-alert | Raises an alert when a system certificate is about to expire | |
check-fips-compliance-policy | Raises an alert if FIPS is not enabled on a managed cluster | |
## monitoring-observability

Policy | Description | Prerequisites |
---|---|---|
No policies yet | | |
## networking

Policy | Description | Prerequisites |
---|---|---|
deny-all-networkpolicy-policy | Ensures that all traffic to a namespace is denied by default | |
allow-port-from-namespace-networkpolicy-policy | Ensures that a custom NetworkPolicy is available in a namespace | |
gatekeeper-allow-httpsonly | Ensures that there are no plain HTTP routes | The GateKeeper operator needs to be installed |
gatekeeper-disallow-external-ip-services | Ensures that no services with external IPs are configured | The GateKeeper operator needs to be installed |
gatekeeper-disallow-nodeport | Ensures that no NodePort services are configured | The GateKeeper operator needs to be installed |
## resource-exhaustion

Policy | Description | Prerequisites |
---|---|---|
gatekeeper-disallow-self-provisioner-policy | Ensures that users cannot provision new namespaces, by disabling any ClusterRoleBinding that references the self-provisioner ClusterRole | The GateKeeper operator needs to be installed |
limitrange-policy | Ensures that a LimitRange resource is present in a namespace | |
resourcequota-policy | Ensures that a ResourceQuota resource is present in a namespace | |
pod-resource-limits | Ensures that all pods have resource requests / limits associated with them | |
## storage

Policy | Description | Prerequisites |
---|---|---|
gatekeeper-disallow-emptydir | Ensures that containers are not associated with emptyDir volumes | The GateKeeper operator needs to be installed |
## trusted-image-sources

Policy | Description | Prerequisites |
---|---|---|
gatekeeper-disallow-image-tags | Ensures that images do not use a pre-defined tag (by default, the policy disallows the latest tag) | The GateKeeper operator needs to be installed |
disallowed-registries | Requires an allow-list of image sources (registries); any other image source is disallowed | The GateKeeper operator needs to be installed |
The policies are applied on the Advanced Cluster Management hub cluster. By default, all policies take effect on every managed cluster that carries the `environment=dev` label. To apply a policy from the collection, run the following command on the hub cluster:

```shell
oc apply -f https://raw.githubusercontent.com/michaelkotelnikov/openshift-4-compliance-automation/master/redhat-acm/authorization/disallowed-role-policy.yml
```
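For readers who want to see how a policy in this collection is wired together before applying one, the following is an added example (not a file from this repository): an Advanced Cluster Management Policy that implements the deny-all NetworkPolicy control from the networking table, with the PlacementRule and PlacementBinding that target managed clusters labelled `environment=dev`. The namespace `rhacm-policies`, the target namespace `example-app`, and the object names are assumptions chosen for illustration; the API groups and kinds are the standard ACM policy framework resources.

```yaml
# Added example, not part of the repository. Hub-side resources that push a
# default-deny NetworkPolicy to the "example-app" namespace of every managed
# cluster labelled environment=dev. Names and namespaces are assumptions.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: example-deny-all-networkpolicy
  namespace: rhacm-policies            # assumed hub namespace for policies
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: SC System and Communications Protection
    policy.open-cluster-management.io/controls: SC-7 Boundary Protection
spec:
  # "enforce" creates the object on the managed cluster; "inform" only reports
  # non-compliance, which is the safer first step in a production environment.
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: example-deny-all-networkpolicy
        spec:
          remediationAction: enforce
          severity: high
          # The NetworkPolicy is evaluated in each namespace listed here, so the
          # object template below deliberately omits metadata.namespace.
          namespaceSelector:
            include: ["example-app"]   # assumed application namespace
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: networking.k8s.io/v1
                kind: NetworkPolicy
                metadata:
                  name: deny-all
                spec:
                  podSelector: {}        # every pod in the namespace
                  policyTypes:           # no rules listed: all traffic denied
                    - Ingress
                    - Egress
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-example-deny-all-networkpolicy
  namespace: rhacm-policies
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - key: environment               # the label the collection uses by default
        operator: In
        values: ["dev"]
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-example-deny-all-networkpolicy
  namespace: rhacm-policies
placementRef:
  name: placement-example-deny-all-networkpolicy
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: example-deny-all-networkpolicy
    kind: Policy
    apiGroup: policy.open-cluster-management.io
```

Apply it on the hub with `oc apply -f <file>` and check the result with `oc get policy -n rhacm-policies`; the Policy's status reports compliance per managed cluster. To retarget the collection away from `environment=dev`, change the PlacementRule's `clusterSelector` rather than editing each Policy. Because other policies in this collection add explicit allow rules on top of a default deny, the `musthave` compliance type here only insists that the deny-all object exists; it does not remove additional NetworkPolicies in the namespace.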
To deploy policies using the GitOps approach, refer to the following article: Contributing and deploying community policies with Red Hat Advanced Cluster Management and GitOps.