Red Hat SummitChapter 3. Using the Compliance Operator
3.1. Using the Compliance Operator with Red Hat Advanced Cluster Security for Kubernetes
You can configure RHACS to use the Compliance Operator for compliance reporting and remediation with OpenShift Container Platform clusters. Results from the Compliance Operator are reported in the RHACS Compliance Dashboard.
The Compliance Operator automates the review of numerous technical implementations and compares them with certain aspects of industry standards, benchmarks, and baselines.
The Compliance Operator is not an auditor. To comply or certify to these various standards, you must engage an authorized auditor such as a Qualified Security Assessor (QSA), Joint Authorization Board (JAB), or other industry-recognized regulatory authority to assess your environment.
The Compliance Operator makes recommendations based on generally available information and practices that relate to such standards and can assist with remediation, but actual compliance is your responsibility. You are required to work with an authorized auditor to achieve compliance with a standard.
For the latest updates, see the Compliance Operator release notes.
3.1.1. Installing the Compliance Operator
Install the Compliance Operator using Operator Hub.
Procedure
Install the Operator by performing the following steps:
-
Navigate in the web console to the Operators
OperatorHub page. - Enter compliance operator into the Filter by keyword box to find the Compliance Operator.
- Select the Compliance Operator to view the details page.
- Read the information about the Operator, and then click Install.
3.1.2. Configuring the ScanSettingBinding object
Create a ScanSettingBinding object in the openshift-compliance namespace to scan the cluster by using the cis and cis-node profiles.
This example uses cis and cis-node profiles, but OpenShift Container Platform provides additional profiles. See "Understanding the Compliance Operator" in the "Additional resources" section for more information.
Procedure
Select one of the following options:
Use the CLI to create the YAML file and object. For example:
Create a file called
sscan.yamlusing the following text:apiVersion: compliance.openshift.io/v1alpha1 kind: ScanSettingBinding metadata: name: cis-compliance profiles: - name: ocp4-cis-node kind: Profile apiGroup: compliance.openshift.io/v1alpha1 - name: ocp4-cis kind: Profile apiGroup: compliance.openshift.io/v1alpha1 settingsRef: name: default kind: ScanSetting apiGroup: compliance.openshift.io/v1alpha1Create the
ScanSettingBindingobject by running the following command:$ oc create -f sscan.yaml -n openshift-complianceIf successful, the following message is displayed:
$ scansettingbinding.compliance.openshift.io/cis-compliance created
Use the web console to create the object by performing the following steps:
-
Change the active project to
openshift-compliance. - Click + to open the Import YAML page.
- Paste the YAML from the previous example and then click Create.
-
Change the active project to
Additional resources
- Understanding the Compliance Operator
- Compliance Operator scans in OpenShift Container Platform
Optional: If you installed the Compliance Operator after installing RHACS, restart Sensor in the secured cluster by performing one of the following options:
Run the following command:
$ oc -n stackrox delete pod -lapp=sensorIn the OpenShift Container Platform web console, perform the following steps:
-
Change the active project to
stackrox. -
Navigate to Workloads
Pods. -
Locate the pod with the name starting with
sensor-, and then click ActionsDelete Pod.
-
Change the active project to
Verification
After performing these steps, run a compliance scan in RHACS and ensure that ocp4-cis and ocp4-cis-node results are displayed. See "Running a compliance scan" in the "Additional resources" section for more information.
Additional resources
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}