Containers, Kubernetes, OpenShift on Power

Using the Compliance Operator to support PCI-DSS on OpenShift Container Platform on Power

By PAUL BASTIDE posted Thu December 14, 2023 08:56 PM


This post was originally posted to link

Hi Folks

If you’re processing credit card payments, you really care about security and about following the PCI-DSS standard. I’ve got good news for you: the OpenShift Container Platform supports PCI-DSS v1.3. If you need to support PCI-DSS, you can use the OpenShift Compliance Operator to check the built-in security controls and configure them so the cluster complies with the standard.

For those not familiar: the PCI Data Security Standard (PCI DSS) is published by the PCI Security Standards Council (PCI SSC) to secure payment card processing.

The Compliance Operator is an optional operator that lets an administrator run compliance scans against the cluster and recommends remediations to bring it into compliance. For PCI-DSS it runs a profile of checks that assesses both the platform’s nodes and its Kubernetes API resources. Each check is expressed as OpenSCAP content (OpenSCAP is a NIST-certified tool) that describes how to scan for, and enforce, a security policy; the check content is maintained in the open-source ComplianceAsCode project.

This post shows how to install the operator, verify the installation, confirm that the PCI-DSS profiles are present, create a scan, and check the PCI-DSS results for compliance.

Install

To install the Compliance Operator on your OpenShift 4.11 or higher system, go to the OperatorHub:

  1. Log in with a user ID that has cluster-admin access.
  2. In the OpenShift Container Platform web console, navigate to Operators → OperatorHub.
  3. Search for the Compliance Operator, then click Install.
  4. Keep the default Installation mode and namespace so that the Operator is installed into the openshift-compliance namespace.
  5. Click Install.

Verify the Compliance Operator Installation Status

  1. Verify that the installation succeeded by inspecting the ClusterServiceVersion (CSV):

$ oc project openshift-compliance
Now using project "openshift-compliance" on server "https://****.****.****:6443".
$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.59   Compliance Operator   0.1.59               Succeeded

  2. Verify that the Compliance Operator deployments are up and running:

$ oc get deploy -n openshift-compliance
NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
compliance-operator              1/1     1            1           3m25s
ocp4-openshift-compliance-pp     1/1     1            1           2m49s
rhcos4-openshift-compliance-pp   1/1     1            1           2m49s

  3. Check the pods created for the Compliance Operator through the CLI:

$ oc get pods
NAME                                              READY   STATUS    RESTARTS      AGE
compliance-operator-866488784f-pkr9m              1/1     Running   1 (3m8s ago)  3m34s
ocp4-openshift-compliance-pp-6f9bfc8997-mht76     1/1     Running   0             2m58s
rhcos4-openshift-compliance-pp-6bbf57cb79-pq82x   1/1     Running   0             2m58s

Check PCI-DSS Profile

$ oc get -n openshift-compliance profiles.compliance
NAME                AGE
ocp4-cis            5m14s
ocp4-cis-node       5m14s
ocp4-pci-dss        5m12s
ocp4-pci-dss-node   5m12s

The output above shows that the PCI-DSS profiles (ocp4-pci-dss for the platform and ocp4-pci-dss-node for the nodes) are available on Power.

Create a PCI-DSS compliance Scan and Check the Scan Output

To make your OpenShift cluster compliant with the PCI-DSS profile, you need to review the status of every compliance check result and apply the appropriate remediations.

To start a scan, create a ScanSettingBinding; the scan starts immediately after the binding is created.

  1. Use the OpenShift Container Platform web console to create a ScanSettingBinding.
  2. Add both ocp4-pci-dss and ocp4-pci-dss-node to the ScanSettingBinding so that the platform and the nodes are assessed against PCI-DSS:

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: pci-dss-profile
  namespace: openshift-compliance
profiles:
  # Node-level checks (kubelet, OS configuration) for master and worker nodes
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-pci-dss-node
  # Platform-level checks against Kubernetes API resources
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-pci-dss
settingsRef:
  # The "default" ScanSetting is created by the operator at install time
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default

  3. Use the CLI to check the scans:

$ oc get compliancescan -n openshift-compliance
NAME                       PHASE       RESULT
ocp4-cis                   RUNNING     NOT-AVAILABLE
ocp4-cis-node-master       RUNNING     NOT-AVAILABLE
ocp4-cis-node-worker       RUNNING     NOT-AVAILABLE
ocp4-pci-dss               RUNNING     NOT-AVAILABLE
ocp4-pci-dss-node-master   LAUNCHING   NOT-AVAILABLE
ocp4-pci-dss-node-worker   LAUNCHING   NOT-AVAILABLE

When the compliance scans have completed, every scan reports PHASE DONE and a RESULT (here NON-COMPLIANT, because at least one check failed):

NAME                       PHASE   RESULT
ocp4-cis                   DONE    NON-COMPLIANT
ocp4-cis-node-master       DONE    NON-COMPLIANT
ocp4-cis-node-worker       DONE    NON-COMPLIANT
ocp4-pci-dss               DONE    NON-COMPLIANT
ocp4-pci-dss-node-master   DONE    NON-COMPLIANT
ocp4-pci-dss-node-worker   DONE    NON-COMPLIANT

  4. To list the individual compliance check results (NAME, STATUS, SEVERITY), run the command below. PASS and FAIL are decided by the scan; MANUAL means the check cannot be evaluated automatically and needs human review:

$ oc get compliancecheckresult -n openshift-compliance | grep pci
ocp4-pci-dss-accounts-restrict-service-account-tokens   MANUAL   medium
ocp4-pci-dss-accounts-unique-service-account            MANUAL   medium

ocp4-pci-dss-kubelet-configure-tls-cert                 PASS     medium
ocp4-pci-dss-kubelet-configure-tls-cipher-suites        FAIL     medium
ocp4-pci-dss-kubelet-configure-tls-key                  PASS     medium
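The steps above are clickable in the console, but in practice you will want to repeat them from a pipeline: apply the binding, wait until every ComplianceScan is DONE, and then pull out the checks that need a human. The script below is an added example, not code from the original post or from the Compliance Operator project. It assumes an existing `oc` login with cluster-admin rights and the default openshift-compliance namespace; the parsing functions are kept separate from the `oc` calls so they can be exercised on captured output such as the listing above.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): drive a PCI-DSS scan from the CLI
# and summarise the ComplianceCheckResult objects once every scan is DONE.
set -eu

NS="${NS:-openshift-compliance}"

# Create (or update) the same ScanSettingBinding shown in the post.
create_binding() {
  oc apply -n "$NS" -f - <<'EOF'
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: pci-dss-profile
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-pci-dss-node
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-pci-dss
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
}

# Return 0 once every ComplianceScan in the namespace has status.phase DONE.
# Polls every 30s and gives up (return 1) after $1 attempts (default 40 = 20 min).
# custom-columns gives a stable single-column output for scripting; an empty
# result (oc failed or no scans yet) is treated as "not done".
wait_for_scans() {
  attempts="${1:-40}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if oc get compliancescan -n "$NS" --no-headers \
         -o custom-columns=PHASE:.status.phase \
       | awk 'BEGIN { bad = 0 } $1 != "DONE" { bad = 1 } END { exit (NR == 0 || bad) }'; then
      return 0
    fi
    sleep 30
    i=$((i + 1))
  done
  return 1
}

# Read "NAME STATUS SEVERITY" lines on stdin (the shape of `oc get compliancecheckresult`)
# and print one "STATUS count" line per status, sorted. A header line is skipped.
summarize_results() {
  awk '$1 != "NAME" && NF >= 3 { c[$2]++ } END { for (s in c) print s, c[s] }' | LC_ALL=C sort
}

# Keep only the checks someone must act on: FAIL needs a remediation,
# MANUAL needs evidence gathered outside the scanner. PASS lines are dropped.
actionable_results() {
  awk '$2 == "FAIL" || $2 == "MANUAL" { print $1, $2, $3 }'
}

# Opt-in driver so the functions can be sourced without touching a cluster.
if [ "${RUN_SCAN:-0}" = "1" ]; then
  create_binding
  wait_for_scans || { echo "scans did not finish in time" >&2; exit 1; }
  oc get compliancecheckresult -n "$NS" --no-headers | grep pci | summarize_results
  echo "--- needs action ---"
  oc get compliancecheckresult -n "$NS" --no-headers | grep pci | actionable_results
fi
```

Run it with `RUN_SCAN=1 sh scan-pci.sh` against a real cluster; without the variable it only defines the functions, which is how a CI job or a test can reuse `summarize_results` and `actionable_results` on saved output. Counting MANUAL checks separately matters for an assessment: they never flip to PASS by themselves, so the remediation work in the next post will not make them disappear.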

In this post you’ve seen how to run the PCI-DSS profile compliance checks and read their results. In the next post, I will discuss how to fix the failures above by applying remediations.

Thanks for reading! I hope you found this helpful :)
