The Red Hat OpenShift compliance operator is available under Red Hat operators inside the operator hub. It can be installed via the web console or the CLI. In this post, we will install the operator using both methods.
For an overview of the compliance operator, check my previous post here: Red Hat OpenShift Compliance Operator – Overview
In order to install the Red Hat OpenShift compliance operator, you will need to have admin access to an OpenShift cluster. If you are running a cluster in connected mode, operator hub will connect to the Red Hat registry to download and install the operator.
NOTE: Not all operators are supported in disconnected mode. You can refer to the link: Red Hat Operators Supported in Disconnected Mode or check the Red Hat software catalog for the list of operators supported in disconnected mode.
For disconnected clusters, this operator should be available in operator hub based on how you mirror the catalog source. If the operator isn’t available under operator hub, refer to this link: Mirroring images for a disconnected installation using the oc-mirror plugin to mirror/update the catalog.
In OpenShift, all user-installed operators are managed by OLM (Operator Lifecycle Manager). For every operator to be installed, a subscription object has to be created under the operator namespace, which then downloads and installs the operator. Simple flow of the operator objects created:
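In order to install the operator using the web console, follow the steps below:
Navigate to Operators -> OperatorHub.
In the filter by keyword search box, type compliance to search for the operator.
Select the operator and click install.
On the install page, choose the following options:
Update channel: release-0.1
Installation mode: A specific namespace on the cluster
Installed namespace: Operator recommended namespace
Update approval: Automatic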
If the operator is successfully installed, you see below image:
You can also check the installation status by navigating to the compliance operator under Operators -> Installed Operators
In order to install the operator using the CLI, you will have to manually create the subscription object required to install the operator, using a YAML file. To create the subscription object, you will also need to create a namespace and an operatorgroup for the subscription.
$ vi compliance-operator.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-compliance
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: compliance-operator
  namespace: openshift-compliance
spec:
  targetNamespaces:
  - openshift-compliance
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: compliance-operator-sub
  namespace: openshift-compliance
spec:
  channel: "release-0.1"
  installPlanApproval: Automatic
  name: compliance-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
Create the resources using the below command:
$ oc create -f compliance-operator.yaml
NOTE: If you are running in disconnected mode, in the above YAML, change source from redhat-operators to the name of the catalogsource in your environment for the subscription object.
To verify if the operator is installed successfully, check the status of installplan object and verify if the operator pod is successfully started.
$ oc get installplan -n openshift-compliance
NAME CSV APPROVAL APPROVED
install-mr6nc compliance-operator.v0.1.48 Automatic true
$ oc get csv -n openshift-compliance
NAME DISPLAY VERSION REPLACES PHASE
compliance-operator.v0.1.48 Compliance Operator 0.1.48 Succeeded
$ oc get pods -n openshift-compliance
NAME READY STATUS RESTARTS AGE
compliance-operator-85f955b5f-6t8gr 1/1 Running 1 (5m44s ago) 6m27s
ocp4-openshift-compliance-pp-7785bff67c-2pmsz 1/1 Running 0 5m3s
rhcos4-openshift-compliance-pp-c84d79c7-86dps 1/1 Running 0 5m3s
In case you run into issues during the installation, where the compliance operator pods don’t come up, you can check the status of the installplan and csv objects by running the command:
$ oc get installplan,csv -n openshift-compliance
If the phase in the CSV output is not shown as Succeeded, then run the oc describe command on these objects to check the events for any issues reported.
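The verification and troubleshooting checks above can be scripted as a single pass/fail gate to run after oc create. This is an added example, not part of the original post; check_table and verify_install are hypothetical helper names, and the parsing assumes the default table output of oc get shown above.

```shell
#!/bin/sh
# Added example; check_table and verify_install are hypothetical helper names.

# check_table KIND: read the table printed by `oc get KIND` on stdin, print the
# names of objects that are not healthy, and return 0 only when at least one
# object exists and none of them is listed.
check_table() {
  awk -v kind="$1" '
    NR == 1 { next }                                  # skip the header row
    { rows++ }
    kind == "installplan" && $NF != "true"      { print $1; bad++ }  # APPROVED
    kind == "csv"         && $NF != "Succeeded" { print $1; bad++ }  # PHASE
    kind == "pods" {
      split($2, ready, "/")                           # READY is "n/m"
      if ($3 != "Running" || ready[1] != ready[2]) { print $1; bad++ }
    }
    END { exit ((rows == 0 || bad > 0) ? 1 : 0) }
  '
}

# verify_install [NAMESPACE]: run the three checks from the post against a live
# cluster and name the `oc describe` command to run for anything that fails.
verify_install() {
  ns="${1:-openshift-compliance}"
  rc=0
  for kind in installplan csv pods; do
    if ! failed=$(oc get "$kind" -n "$ns" 2>/dev/null | check_table "$kind"); then
      echo "FAIL $kind: ${failed:-no objects found}" >&2
      echo "  inspect with: oc describe $kind -n $ns" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Offline demo on the `oc get csv` output shown in the post.
check_table csv <<'EOF' && echo "csv: Succeeded"
NAME DISPLAY VERSION REPLACES PHASE
compliance-operator.v0.1.48 Compliance Operator 0.1.48 Succeeded
EOF
```

On a live cluster, call verify_install openshift-compliance; an empty namespace is reported as a failure rather than passing silently.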
In this post we have successfully installed the compliance operator. In the next post, we will see how to trigger a scan and view the results.
Anand Vyas
Platform Consultant - OpenShift/Kubernetes