Containers, Kubernetes, OpenShift on Power


Using the oc-compliance plugin on the OpenShift Container Platform on Power

By Aditi Jadhav posted Wed June 07, 2023 05:13 AM


Hi Folks,

You may be aware that I am writing a series of blogs related to Security and Compliance on the OpenShift Container Platform (OCP) on IBM Power Systems. 

As part of this series, I have written a blog PCI-DSS and the Compliance Operator to have a secure and compliant cluster. The blog shows how to use the Compliance Operator. 

My team has added support for oc-compliance on OpenShift Container Platform on IBM Power, and in this post, I’m sharing how to download, set up, and use the tool in the cluster. 

Download Pull secret 

To download the tools, you must retrieve the Red Hat pull-secret. 

1. Navigate to 
2. If prompted, log in with your Red Hat Network ID. 
3. Under Tokens, select Pull secret, then click Download. 
4. Copy the pull-secret to your working directory. It may be named pull-secret.dms. 

Set up the oc-compliance plugin

To set up and use the plugin, your OCP cluster should have the latest Compliance Operator (v0.1.59 or later) installed. 

1. Log in to your bastion VM. 

2. Create the ~/.local/bin directory to hold the plugin.  

$ mkdir -p ~/.local/bin 

3. Run the oc-compliance-rhel8 container image to copy the plugin binary into ~/.local/bin.      

$ podman run --authfile pull-secret --rm -v ~/.local/bin:/mnt/out:Z --arch ppc64le /bin/cp /usr/bin/oc-compliance /mnt/out/ 
Trying to pull 
Getting image source signatures 
Checking if image destination supports signatures 
Copying blob 847f634e7f1e done 
Copying blob 7643f185b5d8 done 
Copying blob d6050ae37df3 done 
Copying config 2f0afdf522 done 
Writing manifest to image destination 
Storing signatures


4. Check that the oc-compliance plugin matches your intended architecture.     

$ file ~/.local/bin/oc-compliance 
/root/.local/bin/oc-compliance: ELF 64-bit LSB executable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/, for 
GNU/Linux 2.6.32, BuildID[sha1]=d5bff511ee48b6cbc6afce6420e780da2f0eacdc, not stripped

    If it doesn’t work, verify the architecture of the machine podman is running on:        

$ arch  

    It should say ppc64le. 
5. Once the oc-compliance plugin is installed in ~/.local/bin, add that directory to the PATH variable so the plugin can be found. 

$ export PATH=~/.local/bin:$PATH 

 Once the path is set up, you can use oc-compliance and oc compliance interchangeably.  


Use the oc-compliance plugin 

Once the oc-compliance plugin is installed successfully on Power, you can use its utilities to manage your compliance with a specific profile, such as PCI-DSS. 

You create a ScanSettingBinding to generate a compliance scan. 

$ oc-compliance bind -N binding profile/ocp4-pci-dss 
Creating ScanSettingBinding binding 

Once the binding is created and the scan is complete, you can use fetch-raw to download the raw compliance results from the Persistent Volume where the operator stores them.

# oc-compliance fetch-raw scansettingbinding binding 
Fetching results for binding scans: ocp4-pci-dss 
Fetching raw compliance results for scan 'ocp4-pci-dss'........ 

The raw compliance results are available in the following directory: ocp4-pci-dss 

$ cd ocp4-pci-dss/ 
$ ls 
$ bunzip2 -c ocp4-pci-dss-api-checks-pod.xml.bzip2 > ocp4-pci-dss-api-checks-pod.xml 
$ ls 
ocp4-pci-dss-api-checks-pod.xml  ocp4-pci-dss-api-checks-pod.xml.bzip2 
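
One way to summarise a fetched result file without reading the XML by hand; this is an added example, not code from the original post or from the oc-compliance project. It assumes the raw file is OpenSCAP ARF/XCCDF 1.2 output in which each check is a rule-result element with an idref attribute and a result child; the sample document and its rule ids are constructed.

```python
import bz2
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (not real scan output): an ARF wrapper around XCCDF 1.2 results.
SAMPLE = b"""<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns="http://checklists.nist.gov/xccdf/1.2">
 <arf:reports><arf:report id="r1"><arf:content><TestResult id="constructed">
  <rule-result idref="constructed_rule_api_server_audit_log_maxsize"><result>fail</result></rule-result>
  <rule-result idref="constructed_rule_api_server_audit_log_maxbackup"><result>pass</result></rule-result>
  <rule-result idref="constructed_rule_scc_limit_ipc_namespace"><result>notchecked</result></rule-result>
 </TestResult></arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_results(data):
    """Map rule idref -> XCCDF result from raw bytes (bzip2 or plain XML)."""
    if data[:3] == b"BZh":  # bzip2 magic: the file was not decompressed yet
        data = bz2.decompress(data)
    results = {}
    for elem in ET.fromstring(data).iter():
        if local(elem.tag) != "rule-result":
            continue
        texts = [c.text.strip() for c in elem if local(c.tag) == "result" and c.text]
        results[elem.get("idref")] = texts[0] if texts else "unknown"
    return results


def summarize(results):
    """Return (count per result, sorted rules that failed or could not be evaluated)."""
    counts = Counter(results.values())
    attention = sorted(r for r, s in results.items() if s in ("fail", "error", "unknown"))
    return counts, attention


if __name__ == "__main__":
    # Pass the path to a fetched result file; with no argument the sample is used.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    counts, attention = summarize(parse_results(raw))
    print(dict(counts))
    print("\n".join(attention))
```

The script accepts either the .bzip2 file as downloaded or the decompressed .xml, so the bunzip2 step is optional when using it.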


If your cluster is out of compliance, then you can fetch-fixes, which helps download the remediations the Compliance Operator recommends. These are stored as YAML files in the filesystem, so one would then be able to apply them to a cluster. 

$ mkdir tmp 
$ oc compliance fetch-fixes profile ocp4-pci-dss -o tmp/ 
No fixes to persist for rule 'ocp4-api-server-audit-log-maxbackup' 
Persisted rule fix to tmp/ocp4-api-server-audit-log-maxsize.yaml 


Not all rules have pre-defined fixes. For those that do, you can view the YAML file, which contains a specification for the resource related to the fix. 

apiVersion: config.openshift.io/v1
kind: APIServer 
metadata:
  name: cluster 
spec:
  maximumFileSizeMegabytes: 100 


When you need more details for the profile and rules, you can use the controls verb to display the rules and controls for the profile and learn why a control/profile or rule is required. 

$ oc-compliance controls profile ocp4-pci-dss > ocp4-pci-dss-controls.txt 
|  FRAMEWORK  |     CONTROLS     | 
| CIS-OCP     | 1.2.1            | 
+             +------------------+ 
|             | 1.2.10           | 
+             +------------------+ 
|             | 1.2.11           | 
+             +------------------+ 
|             | 1.2.12           | 
+             +------------------+ 
|             | 1.2.13           | 
+             +------------------+ 
|             | 1.2.14           | 
+             +------------------+ 
|             | 1.2.15           | 
+             +------------------+ 
|             | 1.2.16           | 

Sometimes these scans fail. The oc-compliance plugin provides the rerun-now verb, which forces a scan or set of scans to re-run on command instead of waiting for the next scheduled run. 

$ oc-compliance rerun-now scansettingbinding binding 
Rerunning scans from 'binding': ocp4-pci-dss 
Re-running scan 'openshift-compliance/ocp4-pci-dss' 


A very handy verb is view-result, which gathers information about a specific compliance result in one place. Below is an abbreviated example: 

$ oc-compliance view-result ocp4-pci-dss-scc-limit-ipc-namespace 
|         KEY              |                VALUE             | 
| Title                    | Limit Access to the Host IPC     | 
|                          | Namespace                        | 
| Status                   | MANUAL                           | 
| Severity                 | medium                           | 
| Description              | Containers should not be         | 
|                          |  allowed access to the host's    | 
|                          | Interprocess Commication         | 
|                          | (IPC) namespace. To prevent      | 
|                          | containers from getting access   | 
|                          | to a host's IPC namespace, the   | 
|                          | appropriate Security Context     | 
|                          | Constraints (SCCs) should set    | 
|                          | allowHostIPC to false.           | 
| Rationale                | A container running in           | 
|                          | the host's IPC namespace         | 
|                          | can to exploit other             | 
|                          | services.                        | 
| Instructions             | Inspect each SCC returned from   | 
|                          | running the following command    | 
| CIS-OCP Controls         | 5.2.3                            | 
| NERC-CIP Controls        | CIP-003-8 R6, CIP-004-6 R3,      | 
|                          | CIP-007-3 R6.1                   | 
| NIST-800-53 Controls     | CM-6, CM-6(1)                    | 
| PCI-DSS Controls         | Req-2.2                          | 
| Available Fix            | No                               | 
| Result Object Name       | ocp4-pci-dss-scc-limit-ipc-namespace | 
| Rule Object Name         | ocp4-scc-limit-ipc-namespace     | 
| Remediation Created      | No                               | 


In this post, you’ve seen how to download and set up the oc-compliance plugin and use it to fetch raw compliance check results for the PCI-DSS profile. 
Thanks for reading! I hope you found this helpful :)