Skip to content

Latest commit

 

History

History
 
 

stable

Policies -- Stable

Policies in this folder are supported by Red Hat Advanced Cluster Management for Kubernetes and organized by NIST Special Publication 800-53. NIST SP 800-53 Rev 4 also includes mapping to the ISO/IEC 27001 controls. For more information, read Appendix H in NIST.SP.800-53r4.

Security control catalog

Access Control

Policy Description Prerequisites
policy-role Ensures that a role exists with permissions as specified.
policy-rolebinding Ensures that an entity is bound to a particular role.

Awareness and Training

Policy Description Prerequisites
No policies yet

Audit and Accountability

Policy Description Prerequisites
No policies yet

Security Assessment and Authorization

Policy Description Prerequisites
Install Red Hat Compliance Operator policy Use the official and supported compliance operator installation, policy-comp-operator policy, to enable continuous compliance monitoring for your cluster. After you install this operator, you must select what benchmark you want to comply to, and create the appropriate objects for the scans to be run. See Compliance Operator for more details.

Configuration Management

Policy Description Prerequisites
Scan your cluster with the E8 (Essential 8) security profile This example creates a ScanSettingBinding that the ComplianceOperator uses to scan the cluster for compliance with the E8 benchmark. See the Compliance Operator repository to learn more about the operator. Note: The Compliance Operator must be installed to use this policy. See the Compliance operator policy to install the Compliance Operator with a policy.
Install Red Hat Gatekeeper Operator policy Use the Gatekeeper operator policy to install the official and supported version of Gatekeeper on a managed cluster. See the Gatekeeper Operator.
policy-namespace Ensures that a namespace exists as specified.
policy-pod Ensures that a pod exists as specified.
policy-zts-cmc This example deploys a replica of `zts-cmc-deployment`. See the Zettaset README.stable to learn more about Zettaset CMC Deployment.
Scan your cluster with the OpenShift CIS security profile This example creates a ScanSettingBinding that the ComplianceOperator uses to scan the cluster for compliance with the OpenShift CIS benchmark. See the Compliance Operator repository to learn more about the operator. Note: The Compliance Operator must be installed to use this policy. See the Compliance operator policy to install the Compliance Operator with a policy.
Configure ArgoCD instances with Policy healthchecks This policy configures healthchecks for open-cluster-management-io Policy kinds on any ArgoCD instances found on the cluster. See the Red Hat OpenShift GitOps documentation for more information about this operator.

Contingency Planning

Policy Description Prerequisites
No policies yet

Identification and Authentication

Policy Description Prerequisites
No policies yet

Incident Response

Policy Description Prerequisites
No policies yet

Maintenance

Policy Description Prerequisites
No policies yet

Media Protection

Policy Description Prerequisites
No policies yet

Physical and Environmental Protection

Policy Description Prerequisites
No policies yet

Planning

Policy Description Prerequisites
No policies yet

Personnel Security

Policy Description Prerequisites
No policies yet

Risk Assessment

Policy Description Prerequisites
No policies yet

System and Services Acquisition

Policy Description Prerequisites
No policies yet

System and Communications Protection

Policy Description Prerequisites
policy-certificate Ensure certificates are not expiring within a given minimum time frame.
policy-etcdencryption Use an encryption policy to encrypt sensitive resources such as Secrets, ConfigMaps, Routes and OAuth access tokens in your cluster. See the OpenShift Documentation to learn how to enable ETCD encryption post install.
policy-limitmemory Ensures that resource limits are in place as specified.
policy-psp Ensure a pod security policy exists as specified.
policy-scc Ensure a Security Context Constraint exists as specified.

System and Information Integrity

Policy Description Prerequisites
policy-imagemanifestvuln Detect vulnerabilities in container images. Leverages the Container Security Operator and installs it on the managed cluster if not already present.