Red Hat OpenShift Compliance Operator – Overview

Red Hat OpenShift Compliance Operator – Overview

Overview

With the growth of digital services and the push for faster time to market across commercial and government organisations, security has become one of the most important aspects of any platform that runs sensitive or regulated workloads. IT systems are frequent targets of attackers seeking to steal confidential and user information. To protect their systems, organisations adopt industry standards that baseline the security and resilience of their IT infrastructure platforms, and many governments have defined their own standards for the same purpose. Red Hat OpenShift Container Platform provides a secure and scalable platform that enterprises can use to deploy their applications to production while meeting their compliance and regulatory requirements. The Compliance Operator provides assessment and remediation against various industry and government standards. It assesses both the OpenShift/Kubernetes API and the nodes that are part of the cluster, using OpenSCAP under the hood to perform the assessment and remediation. It can be installed on Red Hat OpenShift via OperatorHub.

Profiles

The Red Hat OpenShift Compliance Operator ships with profiles for various industry and government standards. Each profile contains a different set of assessment rules depending on the standard it implements, and each profile name carries a prefix that indicates the type of compliance rules it is associated with. For example, the profile ocp4-cis is for the Center for Internet Security (CIS) benchmark and ocp4-pci-dss is for the Payment Card Industry Data Security Standard. The profiles supported by the Compliance Operator as of OpenShift 4.12 are listed here. After the Compliance Operator has been installed on the OpenShift cluster, run the command oc get profiles -n openshift-compliance to list all the profiles available on the cluster.

Scans

To trigger and run a compliance scan on the OpenShift cluster, two custom objects, a ScanSetting and a ScanSettingBinding, have to be created. These object types are installed as part of the Compliance Operator installation.

The ScanSetting object defines the schedule of the scans, the storage required for the scan results, and how many subsequent scan results you wish to retain.

The ScanSettingBinding object binds the schedule created by the ScanSetting object to a compliance profile, for example ocp4-cis. Once the ScanSettingBinding object is created, a compliance scan is triggered and pods are scheduled on the cluster nodes, depending on the compliance profile, and the results are saved to the persistent volume.
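The two objects described above, as an added example that is not part of the original post: a ScanSetting that runs a nightly scan and keeps three result sets, and a ScanSettingBinding that ties it to the ocp4-cis profile. The object names nightly-cis and cis-compliance are chosen for this example; ocp4-cis-node is the node-level companion of the ocp4-cis profile and is not mentioned in the post.

```yaml
# ScanSetting: when to scan, where to keep raw results, which node roles to scan.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: nightly-cis                 # name chosen for this example
  namespace: openshift-compliance
# Leave remediations unapplied so an administrator reviews each
# ComplianceRemediation first; applied MachineConfig remediations reboot nodes.
autoApplyRemediations: false
autoUpdateRemediations: false
schedule: "0 1 * * *"               # cron format: run the scan daily at 01:00
rawResultStorage:
  size: 1Gi                         # PVC size for the raw OpenSCAP (ARF) results
  rotation: 3                       # keep the results of the last three scans
roles:                              # node roles the node-level scans run against
  - worker
  - master
---
# ScanSettingBinding: ties the profiles to the ScanSetting above; creating it
# triggers the scan.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance              # name chosen for this example
  namespace: openshift-compliance
profiles:
  - name: ocp4-cis                  # platform (API) checks, as in the post
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis-node             # node-level companion of ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: nightly-cis
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

Apply both with oc apply -f, then oc get compliancecheckresults -n openshift-compliance -l compliance.openshift.io/check-status=FAIL lists the failed checks. A failed check that has an automated fix has a ComplianceRemediation of the same name, which is applied by setting its spec.apply to true.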

Results and Remediations

Once the scan has completed, the Compliance Operator creates a ComplianceCheckResult object for every compliance rule executed as part of the compliance profile. Check the status of these results and decide, based on them, what further action is needed to remediate the failed assessments.

If a compliance rule has an automated remediation, a ComplianceRemediation object with the same name as the ComplianceCheckResult is created. The administrator can apply this automated remediation to update the cluster configuration. If no automated remediation exists, the administrator has to apply the remediation manually.

Compliance Operator Flow

Figure: simple flow of the Compliance Operator discussed above.

Conclusion

In this post we gave an overview of how the Red Hat OpenShift Compliance Operator works. In future posts we will discuss the installation methods, scans, compliance checks and results in more detail.
