Red Hat OpenShift policies in DevOps Config

  • Release version: Xanadu
  • Updated March 12, 2026

    By default, the DevOps Config Policy content pack contains a set of policies to validate your Red Hat OpenShift configuration.

    Important:
    Starting with the Washington D.C. release, DevOps Config is being prepared for future deprecation. It will be hidden and no longer activated on new instances but will continue to be supported.
    You can use or customize these default DevOps Config policies to validate that your configuration data conforms, or to administer the full life cycle of PaCE policies.
    Note:
    You can’t modify the default policies. However, you can make a copy of the policy and customize your copy.

    Audit Log Maximum Backup Is Set (openshift_audit_log_maxbackup_is_set)

    Checks whether the maximum number of old audit log files to be retained for API servers is set.

    Results in a non-compliant status when the --audit-log-maxbackup argument is either not set or not within the specified limits.

    Input arguments
    • lowerLimit
      • The lower limit of the --audit-log-maxbackup argument.
      • Type: Integer
      • Mandatory: False
    • upperLimit
      • The upper limit of the --audit-log-maxbackup argument.
      • Type: Integer
      • Mandatory: False

    Audit Log Maximum File Size Is Set (openshift_audit_log_maxsize_is_set)

    Checks whether the maximum file size specified as the rollover threshold for audit log files is set. After an audit log file reaches the maximum file size, the original audit log file is renamed and a new log file with the original name is created.

    Results in a non-compliant status when the --audit-log-maxsize argument is either not set or not within the specified limits.

    Input arguments
    • lowerLimit
      • The lower memory limit of the --audit-log-maxsize argument.
      • Type: Integer
      • Mandatory: True
    • upperLimit
      • The upper memory limit of the --audit-log-maxsize argument.
      • Type: Integer
      • Mandatory: True

    Audit Log Path Isn't Set (openshift_audit_log_path_is_not_set)

    Checks whether the auditing is enabled in OpenShift and the audit log file path is set.

    Results in a non-compliant status when either the --audit-log-path argument for openshift-kube-apiserver isn’t set to /var/log/kube-apiserver/audit.log or the --audit-log-path argument for openshift-apiserver isn’t set to /var/log/openshift-apiserver/audit.log.

    Basic Auth File Isn’t Set (openshift_basic_auth_file_is_not_set)

    Checks whether OpenShift doesn’t use the basic authentication mechanism to authenticate requests to the API server.

    Results in a non-compliant status when the --basic-auth-file argument is set.

    Containers Run Without Privilege Access (openshift_container_is_not_privileged)

    Checks whether the containers within an OpenShift pod are run without privileged access.

    Results in a non-compliant status when the privileged field for a container is set to true.

    Host PID Namespace Is Disabled (openshift_scc_with_hostPID_namespace_disabled)

    Checks whether at least one security context constraint (SCC) is defined that doesn’t allow containers to share the host PID namespace.

    Results in a warning when there’s an SCC defined with the allowHostPID field set to true.

    NamespaceLifecycle Plugin Is Enabled (openshift_namespacelifecycle_plugin_is_enabled)

    Checks whether the admission control plugin NamespaceLifecycle is enabled.

    Results in a non-compliant status when the NamespaceLifecycle plugin is disabled.

    Read-Only Port Is Disabled (openshift_read_only_port_disabled)

    Checks whether the Kubelet API server isn’t using the read-only port or the read-only port is set to 0.

    Results in a non-compliant status when the kubelet-read-only-port argument isn’t set to 0.

    Request Timeout Is Set (openshift_request_timeout_is_set)

    Checks whether the global request timeout for API servers is set.

    Results in a non-compliant status when the --min-request-timeout argument is either not set or not within the specified limits.

    Input arguments
    • lowerLimit
      • The lower limit of the --min-request-timeout argument.
      • Type: Integer
      • Mandatory: False
    • upperLimit
      • The upper limit of the --min-request-timeout argument.
      • Type: Integer
      • Mandatory: False

    Streaming Connections Timeout Isn't Disabled (openshift_streaming_connections_timeout_not_disabled)

    Checks whether the timeouts are set on streaming connections to ensure protection against denial-of-service attacks, inactive connections, and ephemeral ports exhaustion.

    Results in a non-compliant status when the streamingConnectionIdleTimeout argument is set to 0 in the Kubelet config file.

    Token Auth File Isn’t Set (openshift_token_auth_file_is_not_set)

    Checks whether OpenShift doesn't use a static token file to authenticate requests to the API server.

    Results in a non-compliant status when the --token-auth-file argument is set.
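The API-server argument policies above (audit log backup, size and path, basic auth file, request timeout, token auth file) all reduce to three checks on a flag: within a lower/upper limit, equal to an expected value, or absent. The following added example is not DevOps Config code; it re-implements those checks in plain Python over a constructed kube-apiserver command line. The lowerLimit/upperLimit values and the sample command line are constructed for illustration, and only the `--flag=value` form is parsed.

```python
from typing import Optional

def parse_args(cmdline: list) -> dict:
    """Map '--flag=value' tokens to {flag: value}; a bare '--flag' maps to ''."""
    args = {}
    for tok in cmdline:
        if tok.startswith("--"):
            key, _, val = tok.partition("=")
            args[key] = val
    return args

def check_range(args: dict, flag: str, lower: Optional[int], upper: Optional[int]) -> str:
    """Non-compliant when the flag is missing, non-numeric, or outside [lower, upper].
    A limit of None means that bound is not an input argument of the policy."""
    raw = args.get(flag)
    if raw is None or not raw.lstrip("-").isdigit():
        return "non-compliant"
    val = int(raw)
    if (lower is not None and val < lower) or (upper is not None and val > upper):
        return "non-compliant"
    return "compliant"

def check_equals(args: dict, flag: str, expected: str) -> str:
    """Non-compliant unless the flag is set to exactly the expected value."""
    return "compliant" if args.get(flag) == expected else "non-compliant"

def check_absent(args: dict, flag: str) -> str:
    """Non-compliant when the flag is present at all (e.g. --basic-auth-file)."""
    return "non-compliant" if flag in args else "compliant"

def evaluate(cmdline: list) -> dict:
    """Run the page's openshift-kube-apiserver argument policies; limits are constructed."""
    args = parse_args(cmdline)
    return {
        "openshift_audit_log_maxbackup_is_set": check_range(args, "--audit-log-maxbackup", 10, None),
        "openshift_audit_log_maxsize_is_set": check_range(args, "--audit-log-maxsize", 100, 1000),
        "openshift_audit_log_path_is_not_set": check_equals(args, "--audit-log-path", "/var/log/kube-apiserver/audit.log"),
        "openshift_basic_auth_file_is_not_set": check_absent(args, "--basic-auth-file"),
        "openshift_request_timeout_is_set": check_range(args, "--min-request-timeout", 300, 3600),
        "openshift_token_auth_file_is_not_set": check_absent(args, "--token-auth-file"),
    }

# Constructed sample command line: everything compliant except a static token file.
SAMPLE_CMDLINE = [
    "kube-apiserver",
    "--audit-log-maxbackup=10",
    "--audit-log-maxsize=100",
    "--audit-log-path=/var/log/kube-apiserver/audit.log",
    "--min-request-timeout=1800",
    "--token-auth-file=/etc/kubernetes/tokens.csv",  # constructed path; triggers the token policy
]

if __name__ == "__main__":
    for policy, status in evaluate(SAMPLE_CMDLINE).items():
        print(f"{policy}: {status}")
```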