OpenShift role-based access controls (RBAC) must be enforced.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-257513 | SRG-APP-000033-CTR-000090 | CNTR-OS-000090 | SV-257513r1156752_rule | 2025-12-04 | 2 |
| Description |
|---|

Controlling and limiting users' access to system services and resources is key to securing the platform and limiting the intentional or unintentional compromise of the system and its services. OpenShift provides a robust RBAC policy system that allows authorization policies to be as detailed as needed. Additionally, there are two layers of RBAC policies. The first is Cluster RBAC policies, through which administrators control who has what access to cluster-level services. The other is Local RBAC policies, which allow project developers/administrators to control what level of access users have to a given project or namespace. OpenShift provides a set of default roles out of the box, and additional roles may be added as needed. Each role has a set of rules controlling what access that role may have, and users and/or groups may be bound to one or more roles. The cluster-admin cluster-level RBAC role has complete super-admin privileges, and it is a required role for select cluster administrators to have.

The OpenShift Container Platform includes a built-in image registry. Its primary purpose is to allow users to create, import, and generally manage images running in the cluster. This registry is integrated with the authentication and authorization (RBAC) services on the cluster.

Restricting access permissions and providing access only to the necessary components and resources within the OpenShift environment reduces the potential impact of security breaches and unauthorized activities.

Satisfies: SRG-APP-000033-CTR-000090, SRG-APP-000033-CTR-000095, SRG-APP-000033-CTR-000100, SRG-APP-000133-CTR-000290, SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000300, SRG-APP-000133-CTR-000305, SRG-APP-000133-CTR-000310, SRG-APP-000148-CTR-000350, SRG-APP-000153-CTR-000375, SRG-APP-000340-CTR-000770, SRG-APP-000378-CTR-000880, SRG-APP-000378-CTR-000885, SRG-APP-000378-CTR-000890, SRG-APP-000380-CTR-000900, SRG-APP-000386-CTR-000920
| ℹ️ Check |
|---|

The administrator must verify OpenShift is configured with the necessary RBAC access controls. Review the RBAC configuration.

As the cluster-admin, view the cluster roles and their associated rule sets by executing the following:

```
oc describe clusterrole.rbac
```

View the current set of cluster role bindings, which shows the users and groups that are bound to various roles, by executing the following:

```
oc describe clusterrolebinding.rbac
```

Determine local roles and bindings by executing the following:

```
oc describe rolebinding.rbac
```

If these results show users with privileged access that do not require that access, this is a finding.

Where OpenShift Virtualization is enabled:

1. Execute the following:

   ```
   $ for pod in $(oc get pod -n openshift-cnv -l kubevirt.io=virt-handler --no-headers -o custom-columns=":metadata.name"); do oc exec -ti -n openshift-cnv $pod -c virt-handler -- stat -c %a /proc/1/root/var/lib/kubelet/seccomp/kubevirt/kubevirt.json; done
   ```

   If the permissions are set to anything less restrictive than "700", this is a finding.

2. Execute the following:

   ```
   $ for pod in $(oc get po -n openshift-cnv -l kubevirt.io=virt-handler --no-headers -o custom-columns=":metadata.name"); do oc exec $pod -ti -n openshift-cnv -- stat -c %a /var/run/kubevirt-private; done
   ```

   If the permissions are set to anything less restrictive than "755", this is a finding.

3. Execute the following:

   ```
   $ oc adm policy who-can create vmim
   $ oc adm policy who-can create migrationpolicy
   ```

   If these results show users with privileged access that do not require that access, this is a finding.

4. Use the following commands to find users, service accounts, and groups who are allowed to create VirtualMachineInstanceMigration and MigrationPolicy resources:

   ```
   $ oc adm policy who-can create vmim
   $ oc adm policy who-can create migrationpolicy
   ```

   If these list users not authorized to perform namespace admin migration functions, this is a finding.

5. Execute the following:

   ```
   cat /sys/module/kvm_intel/parameters/nested
   ```

   If the result is "1", this is a finding.
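Steps 1 and 2 of the virtualization check compare a `stat -c %a` result with a maximum permission, and that comparison is bitwise, not numeric: "077" is numerically below "700" but grants group and world access, while "710" is numerically above it and is also a finding. The shell helper below is an added example and not part of the STIG text; it evaluates captured mode strings against the allowed maximum and counts findings. The pod names and modes in `SECCOMP_SAMPLE` are constructed sample data, and `mode_within` and `report_findings` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the STIG text): evaluate "stat -c %a" output against the
# maximum permission a check step allows. The comparison is bitwise, not numeric: a mode
# is compliant only if it grants no permission bit outside the maximum, so for a "700"
# limit 0600 and 0700 pass while 0710, 0744 and 0077 are all findings (0077 < 700 numerically).

# mode_within MODE MAX  -> prints "ok", "finding", or "invalid" (MODE is not an octal mode string)
mode_within() {
    mode="$1"
    max="$2"
    case "$mode" in
        ''|*[!0-7]*) echo invalid; return 0 ;;
    esac
    # A leading 0 makes shell arithmetic read the strings as octal; masking with 07777
    # keeps setuid/setgid/sticky bits (e.g. stat printing 1777) inside the comparison.
    extra=$(( 0$mode & ~0$max & 07777 ))
    if [ "$extra" -eq 0 ]; then
        echo ok
    else
        echo finding
    fi
}

# report_findings MAX  (lines of "<pod> <mode>" on stdin)
# -> one "<pod> <mode> <verdict>" line per input line, then "findings=<n>"
report_findings() {
    max="$1"
    count=0
    while read -r pod mode; do
        [ -z "$pod" ] && continue
        verdict=$(mode_within "$mode" "$max")
        echo "$pod $mode $verdict"
        [ "$verdict" = ok ] || count=$((count + 1))
    done
    echo "findings=$count"
}

# Constructed sample (hypothetical pod names) of what step 1's loop prints once each
# stat result is prefixed with the pod it came from; the second pod is the finding.
SECCOMP_SAMPLE='virt-handler-4k2pq 700
virt-handler-9xz7m 744
virt-handler-c1d8r 600'

# Usage: replace the sample with the live loop output, e.g.
#   for pod in $(oc get pod -n openshift-cnv -l kubevirt.io=virt-handler -o name); do
#     printf '%s %s\n' "$pod" "$(oc exec -n openshift-cnv "$pod" -c virt-handler -- stat -c %a /proc/1/root/var/lib/kubelet/seccomp/kubevirt/kubevirt.json)"
#   done | report_findings 700
printf '%s\n' "$SECCOMP_SAMPLE" | report_findings 700
```

For step 2 the same helper runs with `report_findings 755` over the `/var/run/kubevirt-private` results. A non-numeric verdict of `invalid` means the `stat` call itself failed (for example the file was not found in that pod), which is worth recording rather than silently passing.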
| ✔️ Fix |
|---|

If users or groups exist that are bound to roles they must not have, modify the user or group permissions using the following cluster and local role binding commands.

Remove a user from a Cluster RBAC role by executing the following:

```
oc adm policy remove-cluster-role-from-user <role> <username>
```

Remove a group from a Cluster RBAC role by executing the following:

```
oc adm policy remove-cluster-role-from-group <role> <groupname>
```

Remove a user from a Local RBAC role by executing the following:

```
oc adm policy remove-role-from-user <role> <username>
```

Remove a group from a Local RBAC role by executing the following:

```
oc adm policy remove-role-from-group <role> <groupname>
```

Note: For additional information, refer to https://docs.openshift.com/container-platform/4.8/authentication/using-rbac.html.

Where OpenShift Virtualization is enabled:

1. Ensure the kubevirt seccomp profile file permission is set to "700" or more restrictive:

   ```
   $ oc exec <virt-handler-pod> -ti -n openshift-cnv -- chmod 700 /proc/1/root/var/lib/kubelet/seccomp/kubevirt/kubevirt.json
   ```

   Ensure the kubevirt cache directory permission is set to "755" or more restrictive:

   ```
   $ oc exec <virt-handler-pod> -ti -n openshift-cnv -- chmod 755 /var/run/kubevirt-private
   ```

2. Remove create access to virtualmachineinstancemigration and migrationpolicy objects in the cluster. Example: remove the create access granted by the ClusterRoleBinding for migrationpolicy to the test user.

   ```
   # Get all the users and service accounts who can create migrationpolicies
   $ oc adm policy who-can create migrationpolicy
   Users: system:admin
   ..
   Test

   # Verify that the test user can create the migrationpolicy
   $ oc auth can-i create migrationpolicies --as test
   Warning: resource 'migrationpolicies' is not namespace scoped in group 'migrations.kubevirt.io'
   yes

   # Find out which rolebinding or clusterrolebinding is associated with the test user
   $ oc get rolebindings,clusterrolebindings --all-namespaces -o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="User")].name' | grep test
   ClusterRoleBinding <none> migration-creator test

   # Inspect the cluster role binding
   $ oc get clusterrolebindings migration-creator -oyaml
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     annotations:
       kubectl.kubernetes.io/last-applied-configuration: |
         {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"migration-creator"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"migration-creator"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"test"},{"kind":"ServiceAccount","name":"test","namespace":"default"}]}
     creationTimestamp: "2025-03-06T14:05:04Z"
     name: migration-creator
     resourceVersion: "1093678"
     uid: 96be5dc2-2b30-4734-b5ef-16d9342bbdbf
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: migration-creator
   subjects:
   - apiGroup: rbac.authorization.k8s.io
     kind: User
     name: test
   - kind: ServiceAccount
     name: test
     namespace: default

   # Remove the cluster role binding
   $ oc delete clusterrolebindings migration-creator
   clusterrolebinding.rbac.authorization.k8s.io "migration-creator" deleted

   # Re-verify that the test user cannot create the migrationpolicy
   $ oc auth can-i create migrationpolicies --as test
   Warning: resource 'migrationpolicies' is not namespace scoped in group 'migrations.kubevirt.io'
   no
   ```

3. Add the appropriate kernel arguments to the MachineConfigPools of the worker nodes and reboot them. Refer to https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/installation_configuration/installing-customizing#installation-special-config-kargs_installing-customizing

Default Value: OpenShift does not enable nested virtualization by default.
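The RBAC review in the Check (who is bound to a privileged cluster role) and the binding lookup in step 2 of the Fix (which binding grants a given subject) can both be driven from one tabular listing of cluster role bindings. The shell/awk helper below is an added example, not part of the STIG text or of OpenShift. It assumes the bindings are listed with `oc get clusterrolebindings -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,KINDS:.subjects[*].kind,SUBJECTS:.subjects[*].name'`, which prints list values comma-separated and `<none>` for bindings without subjects. The `CRB_SAMPLE` table, its binding names and the subjects `jdoe` and `test` are constructed sample data (only `system:masters` and `system:cluster-admins` are real default groups); `ALLOWED_ADMINS` stands for the subjects the administrator has documented as requiring cluster-admin, and `subjects_with_role`, `unexpected_admins` and `bindings_for_subject` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the STIG text). Triage helper for the RBAC review in the
# Check and the binding lookup in the Fix, working from the tabular output of:
#   oc get clusterrolebindings -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,KINDS:.subjects[*].kind,SUBJECTS:.subjects[*].name'
# custom-columns joins list values with commas and prints <none> where a binding has no subjects.

# Constructed sample of that output. Binding names and the subjects jdoe/test are hypothetical;
# system:masters and system:cluster-admins are the default groups OpenShift binds to cluster-admin.
CRB_SAMPLE='NAME                ROLE               KINDS                 SUBJECTS
cluster-admin       cluster-admin      Group                 system:masters
cluster-admins      cluster-admin      Group                 system:cluster-admins
dev-break-glass     cluster-admin      User                  jdoe
migration-creator   migration-creator  User,ServiceAccount   test,test
basic-users         basic-user         Group                 system:authenticated
orphaned-binding    cluster-admin      <none>                <none>'

# Subjects the administrator has reviewed and documented as needing the role ("KIND NAME" per line).
ALLOWED_ADMINS='Group system:masters
Group system:cluster-admins'

# subjects_with_role ROLE  (table on stdin) -> "KIND NAME BINDING" for every subject bound to ROLE
subjects_with_role() {
    awk -v role="$1" '
        NR == 1 || $2 != role || $3 == "<none>" { next }
        {
            n = split($3, kinds, ",")
            split($4, names, ",")
            for (i = 1; i <= n; i++) print kinds[i], names[i], $1
        }'
}

# unexpected_admins ROLE  (table on stdin) -> subjects bound to ROLE that are not in ALLOWED_ADMINS;
# each line is a candidate finding under "users with privileged access that do not require that access"
unexpected_admins() {
    subjects_with_role "$1" | while read -r kind name binding; do
        if ! printf '%s\n' "$ALLOWED_ADMINS" | grep -qxF "$kind $name"; then
            echo "$kind $name $binding"
        fi
    done
}

# bindings_for_subject KIND NAME  (table on stdin) -> names of the bindings that include that subject,
# i.e. what the Fix's "grep test" step looks for before deleting or editing a binding
bindings_for_subject() {
    awk -v kind="$1" -v name="$2" '
        NR == 1 || $3 == "<none>" { next }
        {
            n = split($3, kinds, ",")
            split($4, names, ",")
            for (i = 1; i <= n; i++) if (kinds[i] == kind && names[i] == name) print $1
        }'
}

# Usage: against a live cluster, pipe the oc get command above instead of the sample.
printf '%s\n' "$CRB_SAMPLE" | unexpected_admins cluster-admin
printf '%s\n' "$CRB_SAMPLE" | bindings_for_subject User test
```

The helper covers only cluster-scoped bindings; local RoleBindings (`oc describe rolebinding.rbac`) need the same review per namespace. A ServiceAccount name alone does not identify the account, since the same name can exist in several namespaces, so confirm the namespace in the binding's YAML before acting on one.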