2.5.13. OpenShift CIS 扫描策略
OpenShift CIS 扫描策略会部署一个扫描来检查 master 和 worker 节点是否与 OpenShift CIS 安全基准相符。您必须安装 Compliance operator 以应用 OpenShift CIS 策略。
OpenShift CIS 扫描策略在 Red Hat Advanced Cluster Management 中作为 Kubernetes 配置策略创建。OpenShift Container Platform 4.8、4.7 和 4.6 支持 OpenShift CIS 扫描策略。如需更多信息,请参阅 OpenShift Container Platform 文档中的了解 Compliance Operator 部分以了解更多详细信息。
2.5.13.1. OpenShift CIS 资源
创建 OpenShift CIS 扫描策略时,会创建以下资源:
用于识别要扫描的配置集的
ScanSettingBinding
资源 (cis
):apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: compliance-cis-scan spec: remediationAction: inform severity: high object-templates: - complianceType: musthave # this template creates ScanSettingBinding:cis objectDefinition: apiVersion: compliance.openshift.io/v1alpha1 kind: ScanSettingBinding metadata: name: cis namespace: openshift-compliance profiles: - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-cis - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-cis-node settingsRef: apiGroup: compliance.openshift.io/v1alpha1 kind: ScanSetting name: default
一个
ComplianceSuite
资源 (compliance-suite-cis
),用于通过检查status
字段来验证扫描是否已完成:apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: compliance-suite-cis spec: remediationAction: inform severity: high object-templates: - complianceType: musthave # this template checks if scan has completed by checking the status field objectDefinition: apiVersion: compliance.openshift.io/v1alpha1 kind: ComplianceSuite metadata: name: cis namespace: openshift-compliance status: phase: DONE
一个
ComplianceCheckResult
资源 (compliance-suite-cis-results
),它通过检查ComplianceCheckResult
自定义资源 (CR) 来报告扫描套件的结果:apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: compliance-suite-cis-results spec: remediationAction: inform severity: high object-templates: - complianceType: mustnothave # this template reports the results for scan suite: cis by looking at ComplianceCheckResult CRs objectDefinition: apiVersion: compliance.openshift.io/v1alpha1 kind: ComplianceCheckResult metadata: namespace: openshift-compliance labels: compliance.openshift.io/check-status: FAIL compliance.openshift.io/suite: cis
请参阅 policy-compliance-operator-cis-scan.yaml
文件示例。如需有关创建 OpenShift Container Platform CIS 策略的更多信息,请参阅管理 OpenShift CIS 扫描策略。