Policies in this folder are supported by Red Hat Advanced Cluster Management for Kubernetes and organized by NIST Special Publication 800-53. NIST SP 800-53 Rev 4 also includes mapping to the ISO/IEC 27001 controls. For more information, read Appendix H in NIST.SP.800-53r4.
- AC - Access Control
- AT - Awareness and Training
- AU - Audit and Accountability
- CA - Security Assessment and Authorization
- CM - Configuration Management
- CP - Contingency Planning
- IA - Identification and Authentication
- IR - Incident Response
- MA - Maintenance
- MP - Media Protection
- PE - Physical and Environmental Protection
- PL - Planning
- PS - Personnel Security
- RA - Risk Assessment
- SA - System and Services Acquisition
- SC - System and Communications Protection
- SI - System and Information Integrity
| Policy | Description | Prerequisites |
|---|---|---|
| policy-limitclusteradmin | Limits the number of cluster administrator Openshift users. | |
| policy-role | Ensures that a role exists with permissions as specified. | |
| policy-rolebinding | Ensures that an entity is bound to a particular role. |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| Install Red Hat Compliance Operator policy | Use the official and supported compliance operator installation, policy-comp-operator policy, to enable continuous compliance monitoring for your cluster. After you install this operator, you must select what benchmark you want to comply to, and create the appropriate objects for the scans to be run. |
See Compliance Operator for more details. |
| Policy | Description | Prerequisites |
|---|---|---|
| Scan your cluster with the E8 (Essential 8) security profile | This example creates a ScanSettingBinding that the ComplianceOperator uses to scan the cluster for compliance with the E8 benchmark. | See the Compliance Operator repository to learn more about the operator. Note: The Compliance Operator must be installed to use this policy. See the Compliance operator policy to install the Compliance Operator with a policy. |
| Install Red Hat Gatekeeper Operator policy | Use the Gatekeeper operator policy to install the official and supported version of Gatekeeper on a managed cluster. | See the Gatekeeper Operator. |
| policy-namespace | Ensures that a namespace exists as specified. | |
| policy-pod | Ensures that a pod exists as specified. | |
| Scan your cluster with the OpenShift CIS security profile | This example creates a ScanSettingBinding that the ComplianceOperator uses to scan the cluster for compliance with the OpenShift CIS benchmark. | See the Compliance Operator repository to learn more about the operator. Note: The Compliance Operator must be installed to use this policy. See the Compliance operator policy to install the Compliance Operator with a policy. |
| Kyverno Generate Network Policies | Configures a new NetworkPolicy resource named default-deny which will deny all traffic anytime a new Namespace is created. |
See the Kyverno project. Note: Kyverno controller must be installed to use the kyverno policy. See the Policy to install Kyverno in the community folder. |
| Kyverno Generate Quota | Configures new ResourceQuota and LimitRange resources anytime a new Namespace is created. |
See the Kyverno project. Note: Kyverno controller must be installed to use the kyverno policy. See the Policy to install Kyverno in the community folder. |
| Kyverno Sync Secrets | This policy will copy a Secret called regcred which exists in the default Namespace to new Namespaces when they are created and it will keep the secret updated with changes. |
See the Kyverno project. Note: Kyverno controller must be installed to use the kyverno policy. See the Policy to install Kyverno in the community folder. |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| No policies yet |
| Policy | Description | Prerequisites |
|---|---|---|
| policy-certificate | Ensure certificates are not expiring within a given minimum time frame. | |
| policy-etcdencryption | Use an encryption policy to encrypt sensitive resources such as Secrets, ConfigMaps, Routes and OAuth access tokens in your cluster. | See the OpenShift Documentation to learn how to enable ETCD encryption post install. |
| policy-limitmemory | Ensures that resource limits are in place as specified. | |
| policy-psp | Ensure a pod security policy exists as specified. | |
| policy-scc | Ensure a Security Context Constraint exists as specified. |
| Policy | Description | Prerequisites |
|---|---|---|
| policy-imagemanifestvuln | Detect vulnerabilities in container images. Leverages the Container Security Operator and installs it on the managed cluster if not already present. |