Policies in this folder are supported by Red Hat Advanced Cluster Management for Kubernetes and are organized by the control families of NIST Special Publication 800-53. NIST SP 800-53 Rev 4 also includes a mapping to the ISO/IEC 27001 controls; for more information, read Appendix H in NIST.SP.800-53r4.
- AC - Access Control
- AT - Awareness and Training
- AU - Audit and Accountability
- CA - Security Assessment and Authorization
- CM - Configuration Management
- CP - Contingency Planning
- IA - Identification and Authentication
- IR - Incident Response
- MA - Maintenance
- MP - Media Protection
- PE - Physical and Environmental Protection
- PL - Planning
- PS - Personnel Security
- RA - Risk Assessment
- SA - System and Services Acquisition
- SC - System and Communications Protection
- SI - System and Information Integrity
## AC - Access Control

| Policy | Description | Prerequisites |
|---|---|---|
| policy-limitclusteradmin | Limit the number of cluster administrator OpenShift users | |
| policy-role | Ensure a role exists with permissions as specified | |
| policy-rolebinding | Ensure an entity is bound to a particular role | |
## AT - Awareness and Training

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## AU - Audit and Accountability

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## CA - Security Assessment and Authorization

| Policy | Description | Prerequisites |
|---|---|---|
| Install Red Hat Compliance Operator policy | Use the official and supported Compliance Operator installation, the policy-comp-operator policy, to enable continuous compliance monitoring for your cluster. After you install this operator, you must select the benchmark you want to comply with and create the appropriate objects for the scans to be run. | See Compliance Operator for more details. |
## CM - Configuration Management

| Policy | Description | Prerequisites |
|---|---|---|
| Scan your cluster with the E8 (Essential 8) security profile | This example creates a ScanSettingBinding that the Compliance Operator uses to scan the cluster for compliance with the E8 benchmark. | See the Compliance Operator repo to learn more about the operator. Note: the Compliance Operator must be installed to use this policy; see the Compliance Operator policy. |
| policy-etcdencryption | Use an encryption policy to encrypt sensitive resources such as Secrets, ConfigMaps, Routes and OAuth access tokens in your cluster. | See the OpenShift documentation to learn how to enable etcd encryption after installation. |
| policy-limitmemory | Ensure resource limits are in place as specified | |
| policy-namespace | Ensure a namespace exists as specified | |
| policy-pod | Ensure a pod exists as specified | |
## CP - Contingency Planning

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## IA - Identification and Authentication

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## IR - Incident Response

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## MA - Maintenance

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## MP - Media Protection

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## PE - Physical and Environmental Protection

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## PL - Planning

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## PS - Personnel Security

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## RA - Risk Assessment

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## SA - System and Services Acquisition

| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet | | |
## SC - System and Communications Protection

| Policy | Description | Prerequisites |
|---|---|---|
| policy-certificate | Ensure certificates are not expiring within a given minimum timeframe | |
## SI - System and Information Integrity

| Policy | Description | Prerequisites |
|---|---|---|
| policy-imagemanifestvuln | Detect vulnerabilities in container images. Leverages the Container Security Operator and installs it on the managed cluster if it is not already present. | |
| policy-psp | Ensure a Pod Security Policy exists as specified | |
| policy-scc | Ensure a Security Context Constraint exists as specified | |