Red Hat OpenShift Container Platform 4.x STIG Version Comparison
Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
Comparison
There is 1 difference between versions v2 r2 (Jan. 30, 2025) (the "left" version) and v2 r4 (Oct. 1, 2025) (the "right" version).
Check CNTR-OS-000630 was changed between these two versions. The original comparison marked added text green and underlined, and removed text red and struck out; each changed field below is shown as its left (v2 r2) and right (v2 r4) text.
Text Differences
Title
Left (v2 r2): OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting.
Right (v2 r4): OpenShift must restrict individuals' ability to launch organization-defined denial-of-service (DOS) attacks against other information systems by rate-limiting.
Check Content
Verify that all namespaces except those that start with kube-* or openshift-* use the rate-limiting annotation by executing the following:
oc get routes --all-namespaces -o json | jq '[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]'
If the above command returns any namespaces, this is a finding.
Discussion
Left (v2 r2): By setting rate limits, OpenShift can control the number of requests or connections allowed from a single source within a specific period. This prevents an excessive influx of requests that can overwhelm the application and degrade its performance or availability. Setting rate limits also ensures fair resource allocation, prevents service degradation, protects backend systems, and enhances overall security. Along with, helping to maintain the availability, performance, and security of the applications hosted on the platform, contributing to a reliable and robust application infrastructure. OpenShift has an option to set the rate limit for Routes (refer to link below) when creating new Routes. All routes outside the OpenShift namespaces and the kube namespaces must use the rate-limiting annotations. https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
Right (v2 r4): By setting rate limits, OpenShift can control the number of requests or connections allowed from a single source within a specific period. This prevents an excessive influx of requests that can overwhelm the application and degrade its performance or availability. Setting rate limits also ensures fair resource allocation, prevents service degradation, protects backend systems, and enhances overall security. It also helps to maintain the availability, performance, and security of the applications hosted on the platform, contributing to a reliable and robust application infrastructure. OpenShift has an option to set the rate limit for routes (refer to link below) when creating new routes. All routes outside the OpenShift namespaces and the kube namespaces must use the rate-limiting annotations. https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
Fix
Left (v2 r2): Add the haproxy.router.openshift.io/rate-limit-connections annotation to any routes outside the kube-* or openshift-* namespaces
oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/timeout=2s"
https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html
Right (v2 r4): Add the "haproxy.router.openshift.io/rate-limit-connections= true" annotation to any routes outside the kube-* or openshift-* namespaces.
oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/timeout=2s"
https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html
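The check and fix above, worked through as an added Python example (not part of the STIG or of Red Hat's tooling): it applies the same filter as the check's jq expression to a constructed `oc get routes --all-namespaces -o json` result and builds one `oc annotate` command per finding. Because the check compares the annotation value to the exact string "true" while the fix text shown on this page annotates `haproxy.router.openshift.io/timeout=2s`, the generated commands set the annotation the check actually tests; the sample route data is constructed, not from a real cluster.

```python
import json
from typing import Dict, List, Tuple

# Annotation the check's jq expression looks for, and the exact value it requires.
RATE_LIMIT_ANNOTATION = "haproxy.router.openshift.io/rate-limit-connections"
REQUIRED_VALUE = "true"
# Namespaces the check exempts (the same prefixes as the jq startswith() tests).
EXEMPT_PREFIXES = ("kube-", "openshift-")


def route_is_finding(route: Dict) -> bool:
    """Mirror the jq filter: non-exempt namespace and annotation value != "true"."""
    meta = route["metadata"]
    if meta["namespace"].startswith(EXEMPT_PREFIXES):
        return False
    # jq yields null for a missing annotations map, which also fails == "true".
    annotations = meta.get("annotations") or {}
    # Exact, case-sensitive string match: "True" or " true" still count as findings.
    return annotations.get(RATE_LIMIT_ANNOTATION) != REQUIRED_VALUE


def find_unlimited_routes(route_list: Dict) -> List[Tuple[str, str]]:
    """Return (namespace, route name) pairs that would make the check a finding.

    The page's jq command prints only .metadata.name; the namespace is kept
    here because `oc annotate` needs it to address the route."""
    return [(r["metadata"]["namespace"], r["metadata"]["name"])
            for r in route_list.get("items", []) if route_is_finding(r)]


def remediation_commands(findings: List[Tuple[str, str]]) -> List[str]:
    """Build one `oc annotate` command per finding, setting the annotation the check tests."""
    return [f'oc annotate route {name} -n {ns} --overwrite=true "{RATE_LIMIT_ANNOTATION}={REQUIRED_VALUE}"'
            for ns, name in findings]


# Constructed sample shaped like `oc get routes --all-namespaces -o json` output (not real data).
SAMPLE_ROUTES = json.loads("""
{"items": [
 {"metadata": {"namespace": "openshift-console", "name": "console"}},
 {"metadata": {"namespace": "shop", "name": "web",
               "annotations": {"haproxy.router.openshift.io/rate-limit-connections": "true"}}},
 {"metadata": {"namespace": "shop", "name": "api"}},
 {"metadata": {"namespace": "legacy", "name": "portal",
               "annotations": {"haproxy.router.openshift.io/rate-limit-connections": "True"}}}
]}
""")

if __name__ == "__main__":
    findings = find_unlimited_routes(SAMPLE_ROUTES)
    print("Findings:", findings)
    for cmd in remediation_commands(findings):
        print(cmd)
```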