stable

Policies -- Stable

Policies in this folder are supported by Red Hat Advanced Cluster Management for Kubernetes and organized by NIST Special Publication 800-53. NIST SP 800-53 Rev 4 also includes mapping to the ISO/IEC 27001 controls. For more information, read Appendix H in NIST.SP.800-53r4.

Security control catalog

• AC - Access Control
• AT - Awareness and Training
• AU - Audit and Accountability
• CA - Security Assessment and Authorization
• CM - Configuration Management
• CP - Contingency Planning
• IA - Identification and Authentication
• IR - Incident Response
• MA - Maintenance
• MP - Media Protection
• PE - Physical and Environmental Protection
• PL - Planning
• PS - Personnel Security
• RA - Risk Assessment
• SA - System and Services Acquisition
• SC - System and Communications Protection
• SI - System and Information Integrity

Access Control

Policy	Description	Prerequisites
policy-role	Ensures that a role exists with permissions as specified.
policy-rolebinding	Ensures that an entity is bound to a particular role.

Awareness and Training

Policy	Description	Prerequisites
No policies yet

Audit and Accountability

Policy	Description	Prerequisites
No policies yet

Security Assessment and Authorization

Policy	Description	Prerequisites
Install Red Hat Compliance Operator policy	Use the official and supported compliance operator installation, policy-comp-operator policy, to enable continuous compliance monitoring for your cluster. After you install this operator, you must select what benchmark you want to comply to, and create the appropriate objects for the scans to be run.	See Compliance Operator for more details.

Configuration Management

Policy	Description	Prerequisites
Scan your cluster with the E8 (Essential 8) security profile	This example creates a ScanSettingBinding that the ComplianceOperator uses to scan the cluster for compliance with the E8 benchmark.	See the Compliance Operator repository to learn more about the operator. Note: The Compliance Operator must be installed to use this policy. See the Compliance operator policy to install the Compliance Operator with a policy.
Install Red Hat Gatekeeper Operator policy	Use the Gatekeeper operator policy to install the official and supported version of Gatekeeper on a managed cluster.	See the Gatekeeper Operator.
policy-namespace	Ensures that a namespace exists as specified.
policy-pod	Ensures that a pod exists as specified.
policy-zts-cmc	This example deploys a replica of `zts-cmc-deployment`.	See the Zettaset README.stable to learn more about Zettaset CMC Deployment.
Scan your cluster with the OpenShift CIS security profile	This example creates a ScanSettingBinding that the ComplianceOperator uses to scan the cluster for compliance with the OpenShift CIS benchmark.	See the Compliance Operator repository to learn more about the operator. Note: The Compliance Operator must be installed to use this policy. See the Compliance operator policy to install the Compliance Operator with a policy.
Configure ArgoCD instances with Policy healthchecks	This policy configures healthchecks for open-cluster-management-io Policy kinds on any ArgoCD instances found on the cluster.	See the Red Hat OpenShift GitOps documentation for more information about this operator.

Contingency Planning

Policy	Description	Prerequisites
No policies yet

Identification and Authentication

Policy	Description	Prerequisites
No policies yet

Incident Response

Policy	Description	Prerequisites
No policies yet

Maintenance

Policy	Description	Prerequisites
No policies yet

Media Protection

Policy	Description	Prerequisites
No policies yet

Physical and Environmental Protection

Policy	Description	Prerequisites
No policies yet

Planning

Policy	Description	Prerequisites
No policies yet

Personnel Security

Policy	Description	Prerequisites
No policies yet

Risk Assessment

Policy	Description	Prerequisites
No policies yet

System and Services Acquisition

Policy	Description	Prerequisites
No policies yet

System and Communications Protection

Policy	Description	Prerequisites
policy-certificate	Ensure certificates are not expiring within a given minimum time frame.
policy-etcdencryption	Use an encryption policy to encrypt sensitive resources such as Secrets, ConfigMaps, Routes and OAuth access tokens in your cluster.	See the OpenShift Documentation to learn how to enable ETCD encryption post install.
policy-limitmemory	Ensures that resource limits are in place as specified.
policy-psp	Ensure a pod security policy exists as specified.
policy-scc	Ensure a Security Context Constraint exists as specified.

System and Information Integrity

Policy	Description	Prerequisites
policy-imagemanifestvuln	Detect vulnerabilities in container images. Leverages the Container Security Operator and installs it on the managed cluster if not already present.