4.11. E8 扫描策略
一个 Essential 8(E8)扫描策略会部署一个扫描,检查 master 和 worker 节点是否满足 E8 安全配置集。您必须安装 Compliance Operator 以应用 E8 扫描策略。
E8 扫描策略在 Red Hat Advanced Cluster Management 中作为 Kubernetes 配置策略创建。OpenShift Container Platform 支持 E8 扫描策略。如需更多信息,请参阅 OpenShift Container Platform 文档中的管理 Compliance Operator 部分以了解更多详细信息。
4.11.1. E8 扫描策略资源
当您创建 E8 扫描策略时,会创建以下资源:
ScanSettingBinding资源 (e8) 用于识别要扫描的配置集:apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: compliance-suite-e8 spec: remediationAction: inform severity: high object-templates: - complianceType: musthave # this template checks if scan has completed by checking the status field objectDefinition: apiVersion: compliance.openshift.io/v1alpha1 kind: ScanSettingBinding metadata: name: e8 namespace: openshift-compliance profiles: - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-e8 - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: rhcos4-e8 settingsRef: apiGroup: compliance.openshift.io/v1alpha1 kind: ScanSetting name: default一个
ComplianceSuite资源 (compliance-suite-e8),用于通过检查status字段来验证扫描是否已完成:apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: compliance-suite-e8 spec: remediationAction: inform severity: high object-templates: - complianceType: musthave # this template checks if scan has completed by checking the status field objectDefinition: apiVersion: compliance.openshift.io/v1alpha1 kind: ComplianceSuite metadata: name: e8 namespace: openshift-compliance status: phase: DONE一个
ComplianceCheckResult资源 (compliance-suite-e8-results),它通过检查ComplianceCheckResult自定义资源 (CR) 来报告扫描套件的结果:apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: compliance-suite-e8-results spec: remediationAction: inform severity: high object-templates: - complianceType: mustnothave # this template reports the results for scan suite: e8 by looking at ComplianceCheckResult CRs objectDefinition: apiVersion: compliance.openshift.io/v1alpha1 kind: ComplianceCheckResult metadata: namespace: openshift-compliance labels: compliance.openshift.io/check-status: FAIL compliance.openshift.io/suite: e8
注: 支持自动补救。将补救操作设置为 enforce 以创建 ScanSettingBinding 资源。
请参阅 policy-compliance-operator-e8-scan.yaml 示例。如需更多信息,请参阅管理安全策略。注: 删除 E8 策略后,它会从目标集群或集群中移除。
