Containers, Kubernetes, OpenShift on Power

Containers, Kubernetes, OpenShift on Power

Connect, learn, share, and engage with IBM Power.

 View Only

Using the Compliance Operator to support PCI-DSS on OpenShift Container Platform on Power

By PAUL BASTIDE posted Thu December 14, 2023 08:56 PM

  

This post was originally posted to link

Hi Folks

If you’re processing Credit Card Payments, you ‘really’ care about security and following the PCI-DSS standard. I’ve got good news for you — the OpenShift Container Platform supports PCI-DSS v1.3. If you want to support PCI-DSS, you can use the OpenShift Compliance Operator to configure the built-in security to comply with the standard.

For those not familiar, PCI Data Security Standard (PCI DSS) is provided by the PCI Security Standards Council (PCI SSC) to secure payment card processing.

The Compliance Operator is an optional operator that allows an administrator to run compliance scans and recommend remediations to bring the cluster into compliance. The Compliance Operator runs a profile of PCI-DSS checks that assesses the platform’s nodes and Kubernetes API resources. Each check is described in OpenSCAP, a NIST-certified tool, and describes how to scan and enforce security policies. You can see the content as it is described in opensource.

This post shows how to install, verify, check for the PCI DSS profile, create a Scan and check the PCI-DSS profiles for compliance.

Install

To install the Compliance Operator on your OpenShift 4.11 or higher system, go to the OperatorHub:

  1. Login with a user id that has cluster-admin user access
  2. In the OpenShift Container Platform web console, navigate to OperatorsOperatorHub.
  3. Search for the Compliance Operator, then click Install.
  4. Keep the default selection of Installation mode and namespace to ensure that the Operator will be installed to the openshift-compliance namespace.
  5. Click Install.

Verify the Compliance Operator Installation Status

  1. Verify the installation succeeded by inspecting the CSV file:
$ oc project openshift-compliance 
Now using project "openshift-compliance" on server "https://****.****.****:6443". 
$ oc get csv 
NAME DISPLAY VERSION REPLACES PHASE 
compliance-operator.v0.1.59 Compliance Operator 0.1.59 Succeeded

2. Verify that the Compliance Operator is up and running:

$ oc get deploy -n openshift-compliance
NAME                           READY UP-TO-DATE AVAILABLE AGE
compliance-operator              1/1     1         1      3m25s
ocp4-openshift-compliance-pp     1/1     1         1      2m49s
rhcos4-openshift-compliance-pp   1/1     1         1      2m49s

3. Check the pods created for Compliance operator through CLI

$ oc get pods
NAME                                           READY  STATUS   RESTARTS     AGE
compliance-operator-866488784f-pkr9m            1/1   Running  1(3m8s ago) 3m34s
ocp4-openshift-compliance-pp-6f9bfc8997-mht76   1/1   Running  0           2m58s
rhcos4-openshift-compliance-pp-6bbf57cb79-pq82x 1/1   Running  0           2m58s

Check PCI-DSS Profile

$ oc get -n openshift-compliance profiles.compliance
NAME              AGE
ocp4-cis          5m14s
ocp4-cis-node     5m14s
ocp4-pci-dss      5m12s
ocp4-pci-dss-node 5m12s

As per above output you can see that PCI profile has been enabled for Power.

Create a PCI-DSS compliance Scan and Check the Scan Output

To make your OpenShift Cluster PCI Profile compliant, you need to check the status for all compliance check results and apply appropriate remediations.

To start scan, create ScanSettingBinding. Scan will be started immediately after creation.

  1. Use OpenShift Container Platform web console to create a ScanSettingBinding
  2. Add ocp4-pci-dss and ocp4-pci-dss-node for PCI-DSS compliance to ScanSettingBinding
apiVersion: compliance.openshift.io/v1alpha1 
profiles:   
  - apiGroup: compliance.openshift.io/v1alpha1     
    name: ocp4-pci-dss-node     
    kind: Profile   
  - apiGroup: compliance.openshift.io/v1alpha1     
    name: ocp4-pci-dss     
    kind: Profile  
settingsRef:   
  apiGroup: compliance.openshift.io/v1alpha1   
  name: default   
  kind: ScanSetting 
kind: ScanSettingBinding 
metadata:   
  name: pci-dss-profile   
  namespace: openshift-compliance

3. Use CLI to check the scan

$ oc get compliancescan -n openshift-compliance
NAME                      PHASE      RESULT
ocp4-cis                  RUNNING    NOT-AVAILABLE
ocp4-cis-node-master      RUNNING    NOT-AVAILABLE
ocp4-cis-node-worker      RUNNING    NOT-AVAILABLE
ocp4-pci-dss              RUNNING    NOT-AVAILABLE
ocp4-pci-dss-node-master  LAUNCHING  NOT-AVAILABLE
ocp4-pci-dss-node-worker  LAUNCHING  NOT-AVAILABLE

When compliance scan is completed

NAME                      PHASE  RESULT
ocp4-cis                  DONE   NON-COMPLIANT
ocp4-cis-node-master      DONE   NON-COMPLIANT
ocp4-cis-node-worker      DONE   NON-COMPLIANT
ocp4-pci-dss              DONE   NON-COMPLIANT
ocp4-pci-dss-node-master  DONE   NON-COMPLIANT
ocp4-pci-dss-node-worker  DONE   NON-COMPLIANT

4. To check the compliance check results, run below command:

$ oc get compliancecheckresult -n openshift-compliance | grep pci
ocp4-pci-dss-accounts-restrict-service-account-tokens   MANUAL medium
ocp4-pci-dss-accounts-unique-service-account            MANUAL medium

ocp4-pci-dss-kubelet-configure-tls-cert                 PASS medium
ocp4-pci-dss-kubelet-configure-tls-cipher-suites        FAIL medium
ocp4-pci-dss-kubelet-configure-tls-key                  PASS medium

This post you’ve seen how to use the PCI-DSS profile compliance checks. In the next post, I will be discussing more on how to solve the above failures by applying remediations.

Thanks for reading! I hope you found this helpful :)

0 comments
13 views

Permalink