1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
documentation_complete: true
title: 'Enable the SecurityContextConstraint Admission Control Plugin'
{{% set default_jqfilter = '.data."config.yaml" | fromjson' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '.data."config.json" | fromjson' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
description: |-
To ensure pod permissions are managed, make sure that the
<tt>SecurityContextConstraint</tt> admission control plugin is used.
rationale: |-
A Security Context Constraint is a cluster-level resource that controls the actions
which a pod can perform and what the pod may access. The
<tt>SecurityContextConstraint</tt> objects define a set of conditions that a pod
must run with in order to be accepted into the system. Security Context Constraints
are comprised of settings and strategies that control the security features
a pod has access to and hence this must be used to control pod access
permissions.
identifiers:
cce@ocp4: CCE-83602-3
severity: medium
references:
cis@ocp4: 1.2.14
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
pcidss: Req-2.2
srg: SRG-APP-000516-CTR-001325
platform: not ocp4-on-hypershift-hosted
ocil_clause: 'the list of enabled admission plugins contains <tt>SecurityContextConstraint</tt>'
ocil: |-
The SecurityContextConstraint plugin should be enabled in the list of enabled plugins in
the apiserver configuration:
<pre>$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '.data."config.yaml"' | jq '.apiServerArguments."enable-admission-plugins"'</pre>
warnings:
- general: |-
{{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}
template:
name: yamlfile_value
vars:
ocp_data: "true"
entity_check: "at least one"
filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
yamlpath: '.apiServerArguments["enable-admission-plugins"][:]'
values:
- value: '^security.openshift.io/SecurityContextConstraint$'
operation: "pattern match"
entity_check: "at least one"
|
