sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

SYS.1.6.A21 #21

Open sluetze opened 10 months ago

sluetze commented 1 month ago

Advanced policies SHOULD limit container permissions.

By default, OpenShift blocks the containers' permissions (security-by-default).

Mandatory Access Control (MAC) or comparable technology SHOULD enforce these policies.

OpenShift already uses SELinux Mandatory Access Control to restrict permissions by default. Using the Security Profiles Operator [SecurityProfile], workload-dependent SELinux and Seccomp profiles can be created and managed.

Policies SHOULD restrict at least the following access:

incoming and outgoing network connections,

file system accesses and

kernel requests (syscalls).

These permissions are managed in OpenShift and controlled via Security Context Constraints (SCCs). For tool-based policy management, ACS or Red Hat Advanced Cluster Management (ACM) (with Kyverno or Open Policy Agent) can be used.

The runtime SHOULD start the containers in such a way that the host system kernel prevents all activities of the containers that are not permitted by the policy (e.g. by setting up local packet filters or revoking permissions) or at least appropriately reports violations.

OpenShift already meets this requirement as standard (security-by-design).
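
An added example, not part of the comment above or of the project's content: a small Python audit that checks a pod manifest for the three access classes the requirement names (network, file system, syscalls) plus SELinux confinement. It assumes the pod JSON is read after admission (so SCC defaults are already applied) and that pod and NetworkPolicy objects share a namespace; the function names, finding texts and sample objects are constructed for illustration.

```python
# Added example: audit constructed manifests against the access classes named in
# SYS.1.6.A21. Assumptions: same namespace, explicit policyTypes, matchLabels only.

def selects(policy, pod):
    """True if the NetworkPolicy's matchLabels selector matches the pod's labels."""
    want = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    have = pod["metadata"].get("labels", {})
    return all(have.get(k) == v for k, v in want.items())

def audit(pod, network_policies):
    """Return sorted findings; an empty list means every class is restricted."""
    findings = set()
    spec, pod_sc = pod["spec"], pod["spec"].get("securityContext", {})
    # 1. Network: no host network namespace, ingress and egress both under policy.
    if spec.get("hostNetwork"):
        findings.add("network: hostNetwork enabled")
    covered = {t for p in network_policies if selects(p, pod)
               for t in p["spec"].get("policyTypes", [])}
    for direction in ("Ingress", "Egress"):
        if direction not in covered:
            findings.add(f"network: no NetworkPolicy covers {direction}")
    # 2. File system: no hostPath volumes, read-only root file system per container.
    if any("hostPath" in v for v in spec.get("volumes", [])):
        findings.add("filesystem: hostPath volume mounted")
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        if not sc.get("readOnlyRootFilesystem"):
            findings.add(f"filesystem: {c['name']} root file system is writable")
        # 3. Syscalls: a seccomp profile must apply (container setting overrides pod).
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.add(f"syscalls: {c['name']} has no seccomp profile")
        # MAC: privileged containers and the spc_t SELinux type are not confined.
        selinux = (sc.get("seLinuxOptions") or pod_sc.get("seLinuxOptions") or {}).get("type")
        if sc.get("privileged") or selinux == "spc_t":
            findings.add(f"mac: {c['name']} runs unconfined by SELinux")
    return sorted(findings)

# Constructed sample objects (not taken from any real cluster).
POLICY = {"spec": {"podSelector": {"matchLabels": {"app": "web"}},
                   "policyTypes": ["Ingress", "Egress"]}}
HARDENED = {"metadata": {"labels": {"app": "web"}},
            "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                     "containers": [{"name": "web", "securityContext": {"readOnlyRootFilesystem": True}}]}}
WEAK = {"metadata": {"labels": {"app": "db"}},
        "spec": {"hostNetwork": True, "volumes": [{"name": "h", "hostPath": {"path": "/"}}],
                 "containers": [{"name": "db", "securityContext": {"privileged": True}}]}}
```

A clean result only shows that restrictions are declared on the object; enforcement still rests on the kernel mechanisms the comment refers to.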