Overview
In my previous posts, I shared an overview of the Red Hat OpenShift Compliance Operator, its installation procedure, and how to trigger compliance scans and remediations with it. In this post, I will discuss how to generate an HTML report from the scan results.
Pre-requirements
In order to generate a report you need:
- A completed compliance scan whose results are stored on a persistent volume (PV).
- sudo or root access on the bastion (jump) host to install the openscap-utils package.
Report
After a compliance scan completes, the operator stores the results in the persistent storage behind a PV object. To get them onto the jump host, create a pod that mounts the same PVCs the scan pods used and copy the files out of that pod. The operator names each result PVC after its ComplianceScan, so the example below mounts the three PVCs holding the ocp4-cis, ocp4-cis-node-master and ocp4-cis-node-worker scan results.
$ vi results-extract.yaml
apiVersion: "v1"
kind: Pod
metadata:
  name: pv-extract
spec:
  containers:
  - name: pv-extract-pod
    image: registry.access.redhat.com/ubi9/ubi
    command: ["sleep", "3000"]
    volumeMounts:
    - mountPath: "/workers-scan-results"
      name: workers-scan-vol
    - mountPath: "/masters-scan-results"
      name: masters-scan-vol
    - mountPath: "/cis-scan-results"
      name: cis-scan-vol
  volumes:
  - name: workers-scan-vol
    persistentVolumeClaim:
      claimName: ocp4-cis-node-worker
  - name: masters-scan-vol
    persistentVolumeClaim:
      claimName: ocp4-cis-node-master
  - name: cis-scan-vol
    persistentVolumeClaim:
      claimName: ocp4-cis
Create the pod and wait for it to start.
$ oc create -f results-extract.yaml -n openshift-compliance
$ oc get pods -n openshift-compliance
Once the pod is in the Running state, create three directories on the jump host to hold the scan results, then use “oc cp” to copy the results from the pod's mounted volumes to the local host. Each mount contains a numbered directory with one compressed result file per scanned node (the platform scan produces a single ocp4-cis-api-checks-pod file).
$ mkdir master-scan-results worker-scan-results cis-scan-results
$ oc cp pv-extract:/masters-scan-results -n openshift-compliance ./master-scan-results
tar: Removing leading `/' from member names
$ oc cp pv-extract:/workers-scan-results -n openshift-compliance ./worker-scan-results
tar: Removing leading `/' from member names
$ oc cp pv-extract:/cis-scan-results -n openshift-compliance ./cis-scan-results
tar: Removing leading `/' from member names
$ ls *-scan-results/*/
cis-scan-results/0/:
ocp4-cis-api-checks-pod.xml.bzip2
master-scan-results/0/:
ocp4-cis-node-master-master1-pod.xml.bzip2 ocp4-cis-node-master-master2-pod.xml.bzip2 ocp4-cis-node-master-master3-pod.xml.bzip2
worker-scan-results/0/:
ocp4-cis-node-worker-master1-pod.xml.bzip2 ocp4-cis-node-worker-master2-pod.xml.bzip2 ocp4-cis-node-worker-master3-pod.xml.bzip2
Once the results are extracted, install the openscap-utils package on the jump host (it provides the oscap command) and generate the HTML report. The result files are bzip2-compressed; oscap on RHEL reads them directly, but if your build does not, decompress them with bunzip2 first. Use a single “>” so each run writes a fresh file rather than appending to an earlier report.
$ yum install -y openscap-utils
$ oscap xccdf generate report ./cis-scan-results/0/ocp4-cis-api-checks-pod.xml.bzip2 > ./cis-scan-results/0/cis-scan-results.html
Review the HTML report and verify the results. Repeat the command for each node result file in the master and worker directories, since every node produces its own results.
NOTE: Once the reports are generated, delete the pv-extract pod. If you leave it running, the operator cannot start the next scan or store its results, because the PVs are still bound to your pod. Also keep in mind that the result files describe the cluster's configuration in detail; treat the copied directories as sensitive and do not leave them lying around on a shared jump host.
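The steps above (create the extraction pod, wait for it, copy the results, render a report, delete the pod) as one script. This is an added example, not code from the original post or from the Compliance Operator project. It assumes oc is already logged in with access to the openshift-compliance namespace and that oscap and bunzip2 are installed on the jump host. The scan names, the ubi9 image and the namespace are the ones used in the post; the POD, OUT and /results/<scan> paths, the helper names and the sample results fragment are illustrative. It goes beyond the post in two ways: the manifest is generated for any list of scan names (so the same script works for other profiles), and every node result file gets its own HTML report plus a quick pass/fail count.

```shell
#!/bin/sh
# Added example: extract Compliance Operator results and render HTML reports.
# Assumptions (not from the original post): `oc` is logged in, oscap and
# bunzip2 are installed, NS/POD/OUT may be overridden from the environment.
NS="${NS:-openshift-compliance}"
POD="${POD:-pv-extract}"
OUT="${OUT:-./scan-results}"
SCANS="ocp4-cis ocp4-cis-node-master ocp4-cis-node-worker"

# Render a Pod manifest that mounts one result PVC per scan name. The operator
# names each PVC after its ComplianceScan, so scan name == PVC name.
extraction_pod_manifest() {
  printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: %s\nspec:\n' "$POD"
  printf '  containers:\n  - name: pv-extract-pod\n'
  printf '    image: registry.access.redhat.com/ubi9/ubi\n'
  printf '    command: ["sleep", "3000"]\n    volumeMounts:\n'
  for name in "$@"; do
    printf '    - mountPath: /results/%s\n      name: %s\n' "$name" "$name"
  done
  printf '  volumes:\n'
  for name in "$@"; do
    printf '  - name: %s\n    persistentVolumeClaim:\n      claimName: %s\n' "$name" "$name"
  done
}

# Map a result file name to the HTML report path next to it:
#   foo/0/ocp4-cis-api-checks-pod.xml.bzip2 -> foo/0/ocp4-cis-api-checks-pod.html
report_path() {
  f="${1%.bzip2}"
  printf '%s.html\n' "${f%.xml}"
}

# Count <rule-result> entries with a given status (pass, fail, notapplicable,
# ...) in a decompressed XCCDF/ARF result file. Cheap triage before opening
# the HTML report; a non-zero fail count is what you want to look at first.
count_results() {  # count_results <results.xml> <status>
  echo $(( $(grep -o "<result>$2</result>" "$1" | wc -l) ))
}

# Constructed two-rule XCCDF fragment used to exercise count_results offline;
# it is not real scan output.
sample_results() {
  printf '<rule-result idref="xccdf_org.ssgproject.content_rule_a"><result>pass</result></rule-result>\n'
  printf '<rule-result idref="xccdf_org.ssgproject.content_rule_b"><result>fail</result></rule-result>\n'
  printf '<rule-result idref="xccdf_org.ssgproject.content_rule_c"><result>pass</result></rule-result>\n'
}

# Decompress one result file (if compressed), render its report and print a
# one-line pass/fail summary.
render_report() {
  xml="${1%.bzip2}"
  [ "$xml" = "$1" ] || bunzip2 -kc "$1" > "$xml"
  html="$(report_path "$1")"
  oscap xccdf generate report "$xml" > "$html"
  printf '%s: pass=%s fail=%s\n' "$html" \
    "$(count_results "$xml" pass)" "$(count_results "$xml" fail)"
}

main() {
  extraction_pod_manifest $SCANS | oc apply -n "$NS" -f -
  # Remove the pod on exit even if a later step fails: while it holds the
  # ReadWriteOnce PVCs the operator cannot run the next scan against them.
  trap 'oc delete pod -n "$NS" "$POD" --ignore-not-found' EXIT
  oc wait -n "$NS" --for=condition=Ready "pod/$POD" --timeout=120s
  for s in $SCANS; do
    mkdir -p "$OUT/$s"
    oc cp -n "$NS" "$POD:/results/$s" "$OUT/$s"
  done
  find "$OUT" -name '*.xml.bzip2' | while read -r f; do render_report "$f"; done
}

# Only run the cluster steps when invoked as `./compliance-report.sh run`, so the
# helper functions can be sourced and checked without cluster access.
case "${1:-}" in run) main ;; esac
```

Run it as `./compliance-report.sh run`; set OUT to keep the results outside a shared home directory, and remember that if a scan pod is still running the RWO claims are attached to that node and the extraction pod will stay Pending until the scan finishes.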
Conclusion
In this post, I have shared how to generate an HTML report for a compliance scan performed on an OpenShift cluster.
I hope this series on the Red Hat OpenShift Compliance Operator helps you better understand the operator, run scans and keep your cluster compliant. Feel free to leave your comments and feedback.