Chapter 3. Managing Compliance

3.1. Managing the compliance 1.0 feature

By using Red Hat Advanced Cluster Security for Kubernetes you can assess, check, and report on the compliance status of your containerized infrastructure. You can run out-of-the-box compliance scans based on industry standards including:

  • CIS Benchmarks (Center for Internet Security) for Docker and Kubernetes
  • HIPAA (Health Insurance Portability and Accountability Act)
  • NIST Special Publication 800-190 and 800-53 (National Institute of Standards and Technology)
  • PCI DSS (Payment Card Industry Data Security Standard)
  • OpenSCAP (Open Security Content Automation Protocol): Available in RHACS for OpenShift Container Platform clusters when the Compliance Operator is installed and configured to provide results to RHACS

By scanning your environment based on these standards you can:

  • Evaluate your infrastructure for regulatory compliance.
  • Harden your Docker Engine and Kubernetes orchestrator.
  • Understand and manage the overall security posture of your environment.
  • Get a detailed view of compliance status for clusters, namespaces, and nodes.

3.1.1. Viewing the compliance dashboard

The compliance dashboard provides a high-level view of the compliance standards across all clusters, namespaces, and nodes in your environment.

The compliance dashboard includes charts and provides options to investigate a potential problem with compliance mandates. You can go to compliance scan results for a single cluster, namespace, or a node. Moreover, you can generate reports on the state of compliance within your containerized environment.

Procedure

  • In the RHACS portal, select Compliance (1.0) from the navigation menu.

Note

The first time you open the Compliance dashboard you will see a blank dashboard. You must run a compliance scan to populate the dashboard.

3.1.2. Running a compliance scan

Running a compliance scan checks the compliance status for your entire infrastructure across all compliance standards. When you run a compliance scan, Red Hat Advanced Cluster Security for Kubernetes takes a data snapshot of your environment. The data snapshot includes alerts, images, network policies, deployments, and related host-based data. Central collects the host-based data from the Sensors running in your clusters. After that, Central collects more data from the compliance container running in each collector pod. The compliance container collects the following data about your environment:

  • Configurations for Docker Daemon, Docker image, and Docker container.
  • Information about Docker networks.
  • Command-line arguments and processes for Docker, Kubernetes, and OpenShift Container Platform.
  • Permissions of specific file paths.
  • Configuration files for the core Kubernetes and OpenShift Container Platform services.

After the data collection is complete, Central performs checks on the data to determine results. You can view the results from the compliance dashboard and also generate compliance reports based on the results.

Note

In a compliance scan:

  • Control describes a single line item in an industry or regulatory compliance standard against which an auditor evaluates an information system for compliance with said standard. Red Hat Advanced Cluster Security for Kubernetes checks the evidence of compliance with a single control by completing one or more checks.
  • Check is the single test performed during a single control assessment.
  • Some controls have multiple checks associated with them. If any of the checks associated with a control fails, the entire control is marked as Fail.

Procedure

  1. Go to the RHACS portal and open the compliance dashboard by selecting Compliance (1.0) from the navigation menu.
  2. Optional: By default, information under all standards is displayed in the compliance results. To view only information from specific standards, perform the following steps:

    1. Click Manage standards.
    2. By default, all standards are selected. Clear the checkbox for any specific standard that you do not want to display, and then click Save. Standards that are not selected do not appear in the dashboard display (including widgets), compliance results tables that are accessed from the dashboard, and PDF files created using the Export button. However, all default standards are included when results are exported as a CSV file.
  3. Click Scan environment.

    Note

    Scanning the entire environment takes about 2 minutes to complete. This time might vary depending on the number of clusters and nodes in your environment.

Verification

  1. In the RHACS portal, go to Configuration Management.
  2. In the CIS Kubernetes v1.5 widget, click Scan.
  3. RHACS displays a message that indicates that a compliance scan is in progress.

3.1.3. Viewing compliance scan results

After you run a compliance scan, the compliance dashboard displays the results as the compliance status for your environment. You can view compliance violations directly from the dashboard, filter the details view, and drill down compliance standards to understand if your environment is compliant against specific benchmarks. This section explains how to view and filter compliance scan results.

You can use shortcuts to check the compliance status of clusters, namespaces, and nodes. Look for these shortcuts at the top of your compliance dashboard. By clicking these shortcuts you can view the compliance snapshot and generate reports on the overall compliance of your clusters, namespaces, or nodes.

Compliance status

| Status | Description |
| --- | --- |
| Fail | The compliance check failed. |
| Pass | The compliance check passed. |
| N/A | Red Hat Advanced Cluster Security for Kubernetes skipped the check because it was not applicable. |
| Info | The compliance check gathered data, but Red Hat Advanced Cluster Security for Kubernetes could not make a Pass or Fail determination. |
| Error | The compliance check failed due to a technical issue. |

3.1.3.1. Viewing compliance status for clusters

You can view compliance status for all clusters or a single cluster from the compliance dashboard.

Procedure

  • To view compliance status for all clusters in your environment:

    1. Go to the RHACS portal and open the compliance dashboard by selecting Compliance (1.0) from the navigation menu.
    2. Click Clusters on the compliance dashboard.
  • To view compliance status for a specific cluster in your environment:

    1. Go to the RHACS portal and open the compliance dashboard by selecting Compliance (1.0) from the navigation menu.
    2. On the compliance dashboard, look for the Passing standards by cluster widget.
    3. In this widget, click on a cluster name to view its compliance status.

3.1.3.2. Viewing compliance status for namespaces

You can view compliance status for all namespaces or a single namespace from the compliance dashboard.

Procedure

  • To view compliance status for all namespaces in your environment:

    1. Go to the RHACS portal and open the compliance dashboard by selecting Compliance (1.0) from the navigation menu.
    2. Click Namespaces on the compliance dashboard.
  • To view compliance status for a specific namespace in your environment:

    1. Go to the RHACS portal and open the compliance dashboard by selecting Compliance (1.0) from the navigation menu.
    2. Click Namespaces to open the namespaces details page.
    3. From the Namespaces table, click on a namespace. A side panel opens on the right.
    4. In the side panel, click on the name of the namespace to view its compliance status.

3.1.3.3. Viewing compliance status for a specific standard

Red Hat Advanced Cluster Security for Kubernetes supports the NIST, PCI DSS, HIPAA, CIS for Kubernetes, and CIS for Docker compliance standards. You can view all the compliance controls for a single compliance standard.

Procedure

  1. Go to the RHACS portal and open the compliance dashboard by selecting Compliance (1.0) from the navigation menu.
  2. On the compliance dashboard, look for the Passing standards across clusters widget.
  3. In this widget, click on a standard to view information about all the controls associated with that standard.

Note

Many of the controls in CIS Docker refer to the configuration of the Docker engine on each Kubernetes node. Many CIS Docker controls are also best practices for building and using containers, and RHACS has policies to enforce their use. See "Managing security policies" in "Additional resources" for more information.

Additional resources

3.1.3.4. Viewing compliance status for a specific control

You can view compliance status for a specific control for a selected standard.

Procedure

  1. In the RHACS portal, go to Compliance (1.0).
  2. On the compliance dashboard, look for the Passing standards by cluster widget.
  3. In this widget, click on a standard to view information about all the controls associated with that standard.
  4. From the Controls table, click on a control. A side panel opens on the right.
  5. In the side panel, click on the name of the control to view its details.

3.1.4. Filtering compliance status

Red Hat Advanced Cluster Security for Kubernetes search makes it easy to filter different combinations of data from the compliance dashboard. To focus your attention on a subset of clusters, industry standards, passing or failing controls, you can narrow the scope of the data visible on the compliance dashboard.

Procedure

  1. Go to the RHACS portal and open the compliance dashboard by selecting Compliance (1.0) from the navigation menu.
  2. On the compliance dashboard, select either Clusters, or Namespaces, or Nodes to open the details page.
  3. Enter your filtering criteria in the search bar and then press Enter.

3.1.5. Generating compliance reports

Red Hat Advanced Cluster Security for Kubernetes enables you to generate reports to keep track of the compliance status of your environment. You can use these reports to convey compliance status across various industry mandates to other stakeholders.

You can generate:

  • Executive reports, which focus on the business aspect and include charts and a summary of compliance status, in PDF format.
  • Evidence reports, which focus on the technical aspect and include detailed information, in CSV format.

Procedure

  1. Go to the RHACS portal and open the compliance dashboard by selecting Compliance (1.0) from the navigation menu.
  2. On the compliance dashboard, click Export.

    • To generate an executive report, select Download page as PDF.
    • To generate an evidence report, select Download Evidence as CSV.

Tip

The Export option appears on all compliance pages and filtered views.

3.1.5.1. Evidence reports

You can export comprehensive compliance-related data from Red Hat Advanced Cluster Security for Kubernetes in CSV format as an evidence report. This evidence report contains detailed information about the compliance assessment, and it is tailored towards technical roles, such as compliance auditors, DevOps engineers, or security practitioners.

An evidence report contains the following information:

| CSV field | Description |
| --- | --- |
| Standard | The compliance standard, for example, CIS Kubernetes. |
| Cluster | The name of the assessed cluster. |
| Namespace | The name of the namespace or project where the deployment exists. |
| Object Type | The Kubernetes entity type of the object. For example, node, cluster, DaemonSet, Deployment, or StaticPod. |
| Object Name | The name of the object, which is a Kubernetes system-generated string that uniquely identifies the object. For example, gke-setup-dev21380-default-pool-8e086a77-1jfq. |
| Control | The control number as it appears in the compliance standard. |
| Control Description | A description of the compliance check that the control carries out. |
| State | Whether the compliance check passed or failed. For example, Pass or Fail. |
| Evidence | The explanation of why a specific compliance check failed or passed. |
| Assessment Time | The time and date when you ran the compliance scan. |
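As an added example (not code from the RHACS documentation or product), the following Python parses an evidence report with the CSV fields listed above, rolls the per-object rows up into one state per control using the "any failing check marks the control as Fail" rule from "Running a compliance scan", and computes a passing percentage per standard. The sample rows, the state precedence beyond that rule, and the exclusion of N/A controls from the percentage are assumptions made here.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an RHACS evidence report. The column names are the ones
# documented on this page; the rows are made up for illustration.
SAMPLE_EVIDENCE_CSV = """\
Standard,Cluster,Namespace,Object Type,Object Name,Control,Control Description,State,Evidence,Assessment Time
CIS Kubernetes,prod,,node,node-a,1.1.1,API server pod spec file permissions,Pass,File permissions are 600,2024-05-01T10:00:00Z
CIS Kubernetes,prod,,node,node-b,1.1.1,API server pod spec file permissions,Fail,File permissions are 644,2024-05-01T10:00:00Z
CIS Kubernetes,prod,,cluster,prod,1.2.1,Anonymous authentication disabled,Pass,--anonymous-auth=false,2024-05-01T10:00:00Z
CIS Docker,prod,,node,node-a,2.1,Restrict network traffic between containers,N/A,Docker engine not in use,2024-05-01T10:00:00Z
PCI DSS,prod,payments,Deployment,api,1.1.4,Firewall at each Internet connection,Info,No network policy evidence found,2024-05-01T10:00:00Z
PCI DSS,prod,,cluster,prod,2.2,Configuration standards for system components,Error,Collector unreachable,2024-05-01T10:00:00Z
"""

# Rollup precedence. The page states only that any failing check makes the whole
# control Fail; the rest (Error above Pass, Pass above Info and N/A) is an assumption.
STATE_PRIORITY = {"Fail": 4, "Error": 3, "Pass": 2, "Info": 1, "N/A": 0}


def load_rows(text):
    """Parse evidence-report CSV text into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def control_states(rows):
    """Roll per-object rows up into one state per (Standard, Cluster, Control)."""
    result = {}
    for row in rows:
        key = (row["Standard"], row["Cluster"], row["Control"])
        state = row["State"]
        if key not in result or STATE_PRIORITY[state] > STATE_PRIORITY[result[key]]:
            result[key] = state
    return result


def passing_percentage_by_standard(rows):
    """Percentage of controls per standard in state Pass, like the dashboard widget.
    Controls that are N/A are left out of the denominator (assumption)."""
    counts = defaultdict(Counter)
    for (standard, _cluster, _control), state in control_states(rows).items():
        counts[standard][state] += 1
    pct = {}
    for standard, c in counts.items():
        applicable = sum(c.values()) - c["N/A"]
        pct[standard] = round(100.0 * c["Pass"] / applicable, 1) if applicable else None
    return pct


def failing_checks(rows):
    """Every failed check with the object it failed on and the recorded evidence."""
    return [(r["Standard"], r["Cluster"], r["Object Name"], r["Control"], r["Evidence"])
            for r in rows if r["State"] == "Fail"]
```

Point `load_rows` at the contents of a downloaded evidence CSV to run the same rollup over a real report.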

3.1.6. Supported benchmark versions

Red Hat Advanced Cluster Security for Kubernetes supports compliance checks against the following industry standards and regulatory frameworks:

| Benchmark | Supported version |
| --- | --- |
| CIS Benchmarks (Center for Internet Security) for Docker and Kubernetes | CIS Kubernetes v1.5.0 and CIS Docker v1.2.0 |
| HIPAA (Health Insurance Portability and Accountability Act) | HIPAA 164 |
| NIST (National Institute of Standards and Technology) | NIST Special Publication 800-190 and 800-53 Rev. 4 |
| PCI DSS (Payment Card Industry Data Security Standard) | PCI DSS 3.2.1 |

3.2. Managing the compliance 2.0 feature (Technology Preview)

Important

Compliance 2.0 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

You can view the compliance results associated with your cluster by using the compliance 2.0 feature in the Red Hat Advanced Cluster Security for Kubernetes (RHACS) portal. The feature collects compliance information gathered by the Compliance Operator into a single interface.

For more information about using the Compliance Operator, see Using the Compliance Operator with Red Hat Advanced Cluster Security for Kubernetes.

Note

Currently, the compliance 2.0 feature and the Compliance Operator evaluate only infrastructure and platform compliance.

3.2.1. Viewing the compliance status of your clusters

By viewing the cluster compliance page, you can get a comprehensive overview of the compliance status of your clusters.

Procedure

  • In the RHACS portal, go to the Compliance (2.0) Cluster Compliance Coverage tab.

3.2.2. Cluster compliance page overview

The cluster compliance page organizes information in the following groups:

  • Cluster: Gives the details of your cluster and provides a snapshot of its current state and configurations.
  • Operator status: Shows the health and operational status of the Compliance Operator instance in your cluster, so that you can confirm that the Operator is running correctly.
  • Compliance: Shows the percentage of checks that have been passed for the scanned profiles.

3.2.3. Customizing and automating your compliance scans

By creating a compliance scan schedule, you can customize and automate your compliance scans to align with your operational requirements.

Procedure

  1. In the RHACS portal, go to the Compliance (2.0) Cluster Compliance Schedules tab.
  2. Click Create scan schedule.
  3. In the Configuration options page, provide the following information:

    • Name: Enter a name to identify different compliance scans.
    • Description: Specify the reason for each compliance scan.
    • Configure schedule: Set when and how often the scan runs:

      • Frequency: From the drop-down list, select how often you want to perform the scan.

        The following values are supported:

        • Daily
        • Weekly
        • Monthly
      • On day(s): From the list, select one or more days of the week on which you want to perform the scan.

        The following values are supported:

        • Monday
        • Tuesday
        • Wednesday
        • Thursday
        • Friday
        • Saturday
        • Sunday
        • The first of the month
        • The middle of the month

          Note

          These values are only applicable if you specify the frequency of scan as Weekly or Monthly.

      • Time: Start typing the time (hh:mm) at which you want to run the scan, and then select a time from the list that is displayed.
  4. Click Next.
  5. In the Clusters page, select one or more clusters that you want to include in the scan.
  6. Click Next.
  7. In the Profiles page, select one or more profiles that you want to include in the scan.
  8. Click Next.
  9. Review your scan configuration, and then click Create.

Verification

  1. In the RHACS portal, go to the Compliance (2.0) Cluster Compliance Schedules tab.
  2. Select the compliance scan you have created.
  3. In the Clusters section, verify that the operator status is healthy.
  4. Optional: To edit the scan schedule, click Edit scan schedule, make your changes, and then click Save.

3.2.4. Monitoring and analyzing the health of your clusters

By viewing the status of a compliance scan, you can efficiently monitor and analyze the health of your clusters.

Important

Wait until the Compliance Operator returns the scan results. It might take a few minutes.

Procedure

  1. In the RHACS portal, go to the Compliance (2.0) Cluster Compliance Coverage tab.
  2. Select a cluster to view the details of the individual scans.
  3. Optional: Enter the name of the compliance check in the Filter by keyword box to view the status.
  4. Optional: From the Compliance status drop-down list, select one or more statuses to filter the scan details by.

    The following values are supported:

    • Pass
    • Fail
    • Error
    • Info
    • Manual
    • Not Applicable
    • Inconsistent

3.2.5. Compliance scan status overview

By understanding the compliance scan status, you can manage the overall security posture of your environment.

| Status | Description |
| --- | --- |
| Fail | The compliance check failed. |
| Pass | The compliance check passed. |
| Not Applicable | RHACS skipped the compliance check because it was not applicable. |
| Info | The compliance check gathered data, but RHACS could not make a pass or fail determination. |
| Error | The compliance check failed due to a technical issue. |
| Manual | Manual intervention is required to ensure compliance. |
| Inconsistent | The compliance scan data is inconsistent and requires closer inspection and targeted resolution. |

© 2024 Red Hat, Inc.