CIS Benchmark for Red Hat OpenShift Container Platform v4

The CIS Benchmarks, from the Center for Internet Security, are a set of best practices that help security practitioners implement and maintain cybersecurity defenses.

CIS Benchmarks for Red Hat OpenShift Container Platform

The Kubernetes CIS Benchmark includes configuration guidelines for Red Hat OpenShift Container Platform v4.

The OpenShift Compliance Operator runs scans and provides remediation strategies for compliance issues. The Compliance Operator includes the following profiles for the CIS Red Hat OpenShift Container Platform 4 Benchmark:

  • ocp4-cis, which checks platform-level configuration (the API server, RBAC, security context constraints, secrets handling, and similar)
  • ocp4-cis-node, which checks node-level configuration such as the kubelet on master and worker nodes

Check results are named after the scan that produced them: platform findings are reported as ocp4-cis-<check>, and node findings as ocp4-cis-node-master-<check> or ocp4-cis-node-worker-<check>. The gap identifiers in the tables that follow use these result names.

The IBM Cloud Pak® for Data control plane and many of the services are tested against these profiles.

The compliance statements in the following sections assume that you have a hardened cluster. Specifically, that you completed the following tasks:

  • Installing the OpenShift Compliance Operator.
  • Running the CIS control tests that are included with the OpenShift Compliance Operator.
  • Adjusting your cluster configuration to address the identified issues.

The information in the following sections lists the exceptions that you must allow for the Cloud Pak for Data software to install and run on your cluster. An allowed exception does not remove the condition that the check tests for (a custom security context constraint still grants the capabilities it names, and a wildcard role still grants the access it names); it only means that the check is expected to fail while the software is installed. Record the rationale for each exception so that an expected failure is distinguishable from a regression, and re-evaluate the exception when the service that requires it is removed.
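The following manifests are an added example, not part of this page or of the Cloud Pak for Data software, of how to record such exceptions in the OpenShift Compliance Operator so that a scan reports the documented gaps as disabled rules rather than as failures. The example assumes that the Compliance Operator is installed in the openshift-compliance namespace with the default ScanSetting, that the Rule object behind a check result is named by dropping the scan prefix from the result name (ocp4-cis-rbac-wildcard-use is produced by the rule ocp4-rbac-wildcard-use, and ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults by ocp4-kubelet-enable-protect-kernel-defaults), and that the installed services are ones that need the rules listed in the tables below; the cp4d-* names are placeholders. Verify the rule names on your cluster with oc get rules.compliance.openshift.io -n openshift-compliance before you apply the manifests.

```yaml
# Added example (not IBM's or this page's own manifests).
# Assumptions: Compliance Operator in openshift-compliance with the default
# ScanSetting; rule names derived from the check-result names on this page
# (verify with: oc get rules.compliance.openshift.io -n openshift-compliance);
# cp4d-* names are placeholders.
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cp4d-cis
  namespace: openshift-compliance
spec:
  extends: ocp4-cis
  title: CIS OpenShift 4 platform profile with Cloud Pak for Data exceptions
  description: ocp4-cis with the platform-level checks that Cloud Pak for Data cannot satisfy disabled
  disableRules:
    # Reported as ocp4-cis-rbac-wildcard-use.
    - name: ocp4-rbac-wildcard-use
      rationale: The Operator Lifecycle Manager (OLM) creates roles with wildcards for the Cloud Pak for Data operators.
    # Reported as ocp4-cis-accounts-restrict-service-account-tokens.
    - name: ocp4-accounts-restrict-service-account-tokens
      rationale: Some pods of the installed services need to make API calls to the OpenShift API server.
    # Reported as ocp4-cis-scc-limit-container-allowed-capabilities; only needed
    # when a service that depends on Db2U is installed.
    - name: ocp4-scc-limit-container-allowed-capabilities
      rationale: Db2U uses a custom security context constraint (SCC).
    # On OpenShift 4.10 only, the control plane additionally needs
    # ocp4-general-default-seccomp-profile disabled here.
---
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cp4d-cis-node
  namespace: openshift-compliance
spec:
  extends: ocp4-cis-node
  title: CIS OpenShift 4 node profile with Cloud Pak for Data exceptions
  description: ocp4-cis-node with the kubelet check that Db2U cannot satisfy disabled
  disableRules:
    # Reported as ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults
    # (and the worker equivalent); only needed when Db2U is installed.
    - name: ocp4-kubelet-enable-protect-kernel-defaults
      rationale: Db2U interacts with various kernel parameters on the nodes where it runs.
---
# Bind both tailored profiles to the default scan settings so that the
# operator schedules scans for them.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cp4d-cis
  namespace: openshift-compliance
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: cp4d-cis
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: cp4d-cis-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
```

Apply the manifests with oc apply -f. The operator names the resulting scans after the tailored profiles, so subsequent ComplianceCheckResult objects appear as cp4d-cis-<check> and cp4d-cis-node-master-<check> or cp4d-cis-node-worker-<check> instead of ocp4-cis-<check>. Disable only the rules that an installed service requires: each disabled rule leaves the condition it tests in place (the custom SCC still grants its capabilities, and kernel defaults remain unprotected on nodes that run Db2U), so remove the entry when the service that needed it is uninstalled. If you prefer that the failures stay visible in scan results, omit disableRules and instead keep a record, matched against this page, of which ocp4-cis results are expected to fail.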

Cluster-wide components

Cluster-wide components are installed exactly once on the cluster.

IBM® Certificate manager
  Automated control test: This information is not currently available.
  Manual control test: This information is not currently available.
  Gaps: This information is not currently available.

License Service
  Automated control test: This information is not currently available.
  Manual control test: This information is not currently available.
  Gaps: This information is not currently available.

Scheduling service
  Automated control test: All checks passed
  Manual control test: Partial
  Gaps:
  • ocp4-cis-rbac-wildcard-use

    The Operator Lifecycle Manager (OLM) creates roles with wildcards.

  • ocp4-cis-rbac-pod-creation-access

    The parallel job controller needs pod creation RBAC.

Required components

The software in the following table is installed with each instance of IBM Cloud Pak for Data on the cluster.

IBM Cloud Pak foundational services
  Automated control test: This information is not currently available.
  Manual control test: This information is not currently available.
  Gaps: This information is not currently available.

IBM Cloud Pak for Data platform operator
  Automated control test: All checks passed
  Manual control test: Partial
  Gaps:
  • ocp4-cis-rbac-wildcard-use

    The Operator Lifecycle Manager (OLM) creates roles with wildcards.

IBM Cloud Pak for Data control plane
  Automated control test: All checks passed
  Manual control test: Partial
  Gaps:
  • ocp4-cis-rbac-wildcard-use

    The Operator Lifecycle Manager (OLM) creates roles with wildcards.

  • ocp4-cis-general-default-seccomp-profile

    This exception is required on Red Hat OpenShift Container Platform Version 4.10 environments only.

Services

You can choose which services are installed in an instance of IBM Cloud Pak for Data.

Any violations that are introduced by the IBM Cloud Pak for Data control plane automatically affect the services that are installed on top of the control plane. The statements in this section specify whether the individual services introduce additional violations.

AI Factsheets
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

Analytics Engine powered by Apache Spark
  Automated control test: All checks passed
  Manual control test: Partial
  Gaps:
  • ocp4-cis-accounts-restrict-service-account-tokens

    Some of the pods for this service need to make API calls to the Red Hat OpenShift Container Platform API server.

Cognos® Analytics
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

Cognos Dashboards
  Automated control test: This information is not currently available.
  Manual control test: This information is not currently available.
  Gaps: None listed

Data Privacy
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

Data Refinery
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

Data Replication
  Automated control test: This information is not currently available.
  Manual control test: This information is not currently available.
  Gaps: This information is not currently available.

DataStage®
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

Db2®
  Automated control test: Partial
  Manual control test: Partial
  Gaps:
  • ocp4-cis-scc-limit-container-allowed-capabilities

    The service has a dependency on Db2U, which uses a custom security context constraint (SCC).

  • ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults

    The service has a dependency on Db2U, which interacts with various kernel parameters.

Db2 Big SQL
  Automated control test: Partial
  Manual control test: Partial
  Gaps:
  • ocp4-cis-scc-limit-container-allowed-capabilities

    The service has a dependency on Db2U, which uses a custom security context constraint (SCC).

  • ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults

    The service has a dependency on Db2U, which interacts with various kernel parameters.

Db2 Data Gate
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

Db2 Data Management Console
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

Db2 Warehouse
  Automated control test: Partial
  Manual control test: Partial
  Gaps:
  • ocp4-cis-scc-limit-container-allowed-capabilities

    The service has a dependency on Db2U, which uses a custom security context constraint (SCC).

  • ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults

    The service has a dependency on Db2U, which interacts with various kernel parameters.

Decision Optimization
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

EDB Postgres
  Automated control test: This information is not currently available.
  Manual control test: This information is not currently available.
  Gaps: None listed

Execution Engine for Apache Hadoop
  Automated control test: All checks passed
  Manual control test: Partial
  Gaps:
  • ocp4-cis-accounts-restrict-service-account-tokens

    Some of the pods for this service need to make API calls to the Red Hat OpenShift Container Platform API server.

IBM Match 360 with Watson™
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: If you enable FIPS on your cluster, you must allow an exception for the following compliance issue:
  • ocp4-cis-api-server-tls-cipher-suites

    The TLS ciphers are required by clients that use IBM Java Semeru to talk to kube-apiserver in FIPS mode.

Informix®
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

MANTA Automated Data Lineage
  Automated control test: Partial
  Manual control test: This information is not currently available.
  Gaps:
  • ocp4-cis-secrets-no-environment-variables

    The service has secrets in environment variables.

OpenPages®
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: All checks pass when you use an external database. If you use an embedded Db2 database, you must allow an exception for the following compliance issues:
  • ocp4-cis-scc-limit-container-allowed-capabilities

    The service has a dependency on Db2U, which uses a custom security context constraint (SCC).

  • ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults

    The service has a dependency on Db2U, which interacts with various kernel parameters.

Planning Analytics
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

Product Master
  Automated control test: This information is not currently available.
  Manual control test: This information is not currently available.
  Gaps: This information is not currently available.

RStudio® Server Runtimes
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

SPSS® Modeler
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

Voice Gateway
  Automated control test: This information is not currently available.
  Manual control test: This information is not currently available.
  Gaps: This information is not currently available.

Watson Assistant
  Automated control test: Partial
  Manual control test: Partial
  Gaps: This information is not currently available.

Watson Discovery
  Automated control test: This information is not currently available.
  Manual control test: All checks passed
  Gaps: This information is not currently available.

Watson Knowledge Catalog
  Automated control test: Partial
  Manual control test: Partial
  Gaps:
  • ocp4-cis-scc-limit-container-allowed-capabilities

    The service has a dependency on Db2U, which uses a custom security context constraint (SCC).

  • ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults

    The service has a dependency on Db2U, which interacts with various kernel parameters.

Watson Knowledge Studio
  Automated control test: This information is not currently available.
  Manual control test: All checks passed
  Gaps: This information is not currently available.

Watson Machine Learning
  Automated control test: All checks passed
  Manual control test: Partial
  Gaps:
  • ocp4-cis-accounts-restrict-service-account-tokens

Watson Machine Learning Accelerator
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps:
  • ocp4-cis-accounts-restrict-service-account-tokens

    Some of the pods for this service need to make API calls to the Red Hat OpenShift Container Platform API server.

Watson OpenScale
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: All checks pass when you use an external database. If you use an embedded Db2 database, you must allow exceptions for the following compliance issues:
  • ocp4-cis-scc-limit-container-allowed-capabilities

    The service has a dependency on Db2U, which uses a custom security context constraint (SCC).

  • ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults

    The service has a dependency on Db2U, which interacts with various kernel parameters.

Watson Pipelines
  Automated control test: All checks passed
  Manual control test: Partial
  Gaps:
  • ocp4-cis-accounts-restrict-service-account-tokens

    Some of the pods for this service need to make API calls to the Red Hat OpenShift Container Platform API server.

Watson Query
  Automated control test: Partial
  Manual control test: Partial
  Gaps:
  • ocp4-cis-scc-limit-container-allowed-capabilities

    The service has a dependency on Db2U, which uses a custom security context constraint (SCC).

  • ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults

    The service has a dependency on Db2U, which interacts with various kernel parameters.

Watson Speech services
  Automated control test: This information is not currently available.
  Manual control test: This information is not currently available.
  Gaps: None listed

Watson Studio
  Automated control test: Partial
  Manual control test: Partial
  Gaps:
  • ocp4-cis-accounts-restrict-service-account-tokens

    Some of the pods for this service need to make API calls to the Red Hat OpenShift Container Platform API server.

Watson Studio Runtimes
  Automated control test: All checks passed
  Manual control test: All checks passed
  Gaps: None listed

watsonx.data
  Automated control test: All checks passed
  Manual control test: This information is not currently available.
  Gaps: None listed

Automatically installed dependencies

Common core services
  Automated control test: Partial
  Manual control test: Partial
  Gaps:
  • ocp4-cis-accounts-restrict-service-account-tokens

    Some of the pods for this component need to make API calls to the Red Hat OpenShift Container Platform API server.

Db2 as a service
  Automated control test: Partial
  Manual control test: Partial
  Gaps:
  • ocp4-cis-scc-limit-container-allowed-capabilities

    The component has a dependency on Db2U, which uses a custom security context constraint (SCC).

  • ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults

    The component has a dependency on Db2U, which interacts with various kernel parameters.

Db2U
  Automated control test: Partial
  Manual control test: Partial
  Gaps:
  • ocp4-cis-rbac-wildcard-use

    The Operator Lifecycle Manager (OLM) creates roles with wildcards.

  • ocp4-cis-scc-limit-container-allowed-capabilities

    Db2U uses a custom security context constraint (SCC).

  • ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults

    Db2U interacts with various kernel parameters.