Containers, Kubernetes, OpenShift on Power


Configuring a PCI-DSS compliant OpenShift Container Platform cluster on IBM Power

By PAUL BASTIDE posted Tue November 21, 2023 04:05 PM


This article was originally posted to Medium by Gaurav Bankar and has been updated.

Hi Folks

If you’re processing Credit Card Payments, you 'really' care about security and following the PCI-DSS standard. Once you have the OpenShift Compliance Operator installed on the OpenShift Container Platform (OCP) cluster and the PCI-DSS v1.3 profile enabled, you want to configure a compliant cluster.

If you want to learn how to install and set up the Compliance Operator with PCI-DSS, you can see my colleague’s post.

This document outlines how to verify the profiles, check for the scan results, and configure a compliant cluster.

  1. Verify the Profiles

After installing the Compliance Operator, you can see that the PCI-DSS profiles are enabled using the command below.

# oc get -n openshift-compliance profiles.compliance
NAME                AGE
ocp4-cis            5m14s
ocp4-cis-node       5m14s
ocp4-pci-dss        5m12s
ocp4-pci-dss-node   5m12s

You see the ocp4-pci-dss and ocp4-pci-dss-node profiles are listed.

  2. Check the Scan Results

Once your first scan completes (the scan is set up and run as described in the prior blog post from my colleague), you can list the ComplianceCheckResult objects and filter for the PCI-DSS checks that failed:

# oc get compliancecheckresult -n openshift-compliance | grep pci | grep FAIL
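The grep above gives you the failing check names; the same data read as JSON also carries each check's severity and the scan it belongs to, which is what you want when deciding which recipe to apply first. The script below is an added example and not code from the original post: it parses the output shape of `oc get compliancecheckresult -n openshift-compliance -o json` (a `List` whose items carry a top-level `status` and `severity` and the label `compliance.openshift.io/scan-name`) and returns the FAIL results for the PCI-DSS scans, highest severity first. The sample result list is constructed here so the script runs offline.

```python
"""Summarise failing ComplianceCheckResult objects for the PCI-DSS scans.

Added example (not from the original post). Works on the JSON printed by
`oc get compliancecheckresult -n openshift-compliance -o json`; the field
and label names used here are the ones the Compliance Operator sets on
ComplianceCheckResult objects (status, severity, and the scan-name label).
"""
import json
from collections import Counter

# Constructed sample in the shape of `oc get compliancecheckresult -o json`.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "ocp4-pci-dss-kubeadmin-removed",
                      "labels": {"compliance.openshift.io/scan-name": "ocp4-pci-dss"}},
         "status": "FAIL", "severity": "medium"},
        {"metadata": {"name": "ocp4-pci-dss-audit-log-forwarding-enabled",
                      "labels": {"compliance.openshift.io/scan-name": "ocp4-pci-dss"}},
         "status": "FAIL", "severity": "medium"},
        {"metadata": {"name": "ocp4-pci-dss-file-integrity-exists",
                      "labels": {"compliance.openshift.io/scan-name": "ocp4-pci-dss"}},
         "status": "PASS", "severity": "medium"},
        {"metadata": {"name": "ocp4-pci-dss-node-master-file-owner-kubelet-conf",
                      "labels": {"compliance.openshift.io/scan-name": "ocp4-pci-dss-node-master"}},
         "status": "FAIL", "severity": "high"},
        {"metadata": {"name": "ocp4-cis-kubeadmin-removed",
                      "labels": {"compliance.openshift.io/scan-name": "ocp4-cis"}},
         "status": "FAIL", "severity": "medium"},
    ],
})

# Ordering used to put the most important failures first.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def failing_checks(results_json, scan_prefix="ocp4-pci-dss"):
    """Return [(severity, check name)] for every FAIL result whose scan name
    starts with scan_prefix, sorted highest severity first, then by name.
    The prefix matches both the platform scan (ocp4-pci-dss) and the node
    scans (ocp4-pci-dss-node-master / -worker)."""
    found = []
    for item in json.loads(results_json)["items"]:
        labels = item.get("metadata", {}).get("labels", {})
        scan = labels.get("compliance.openshift.io/scan-name", "")
        if item.get("status") != "FAIL" or not scan.startswith(scan_prefix):
            continue
        found.append((item.get("severity", "unknown"), item["metadata"]["name"]))
    return sorted(found, key=lambda t: (SEVERITY_ORDER.get(t[0], 3), t[1]))


def severity_summary(results_json, scan_prefix="ocp4-pci-dss"):
    """Return {severity: number of FAIL results} for the matching scans."""
    return dict(Counter(sev for sev, _ in failing_checks(results_json, scan_prefix)))


if __name__ == "__main__":
    for sev, name in failing_checks(SAMPLE_JSON):
        print(f"{sev:8} {name}")
    print(severity_summary(SAMPLE_JSON))
```

On a live cluster, pipe the real output in with `oc get compliancecheckresult -n openshift-compliance -o json | python3 this_script.py` after replacing `SAMPLE_JSON` with `sys.stdin.read()`.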

  3. Configure the Compliant Cluster

To configure a PCI-DSS compliant cluster, I’ve included several recipes:

  3.1 The ocp4-pci-dss-machine-volume-encryption Recipe

To satisfy this compliance check you need to enable FIPS mode and LUKS disk encryption on the OCP cluster. You can refer to this post, which covers configuring an external Tang cluster, setting up the OCP cluster, and verifying that FIPS and LUKS encryption are in effect.

Note that FIPS must be enabled at the initial creation of the cluster, whereas LUKS can be configured after creation. Once both are configured, the compliancecheckresult is marked PASS.

  3.2 The ocp4-pci-dss-audit-log-forwarding-enabled Recipe

To satisfy the audit log forwarding check you need to install the OpenShift Elasticsearch Operator and the OpenShift Logging Operator from OperatorHub and set up cluster log forwarding.

i. Install the Elasticsearch and Logging Operators from OperatorHub (from the web console).

ii. In the OpenShift Container Platform web console, click Operators → OperatorHub.

iii. Choose the OpenShift Elasticsearch Operator and the OpenShift Logging Operator from the list of available Operators and click Install.

iv. Configure the Operators using the documentation.

  v. Create the YAML for forwarding cluster logs — ClusterLogForwarder.yaml

# cat ClusterLogForwarder.yaml
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
    - name: elasticsearch-secure
      type: "elasticsearch"
      url:                          # the external Elasticsearch endpoint; left empty in the original, fill in your own
      secret:
        name: es-secret
  pipelines:
    - name: application-logs
      inputRefs:
        - application
        - audit                     # the audit input is what the audit-log-forwarding check looks for
      outputRefs:
        - elasticsearch-secure
        - default
      labels:
        myLabel: "myValue"
    - name: infrastructure-audit-logs
      inputRefs:
        - infrastructure
      outputRefs:
        - elasticsearch-secure      # every outputRef must name an entry under spec.outputs (or "default")
      labels:
        logs: "audit-infra"

  vi. Create the ClusterLogForwarder object using the command below:

# oc create -f ClusterLogForwarder.yaml
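Two mistakes are easy to make in this manifest: a pipeline whose outputRefs names an output that is never defined under spec.outputs, and an audit pipeline that only ends up in the in-cluster `default` store, which is not what the note below about keeping logs outside the cluster asks for. The script below is an added example, not code from the original post or the Logging Operator: it lints a ClusterLogForwarder expressed as a Python dict (field names as in the logging.openshift.io/v1 schema: spec.outputs[].name/url, spec.pipelines[].inputRefs/outputRefs, and optional spec.inputs[].name) and also shows a corrected copy. The manifests are constructed inline so the check runs offline without a YAML library; the `fixed_forwarder` repair and its `es_url` argument are my own assumption about what was intended.

```python
"""Lint a ClusterLogForwarder spec before applying it.

Added example (not from the original post). Checks that every outputRef
resolves to a defined output (or the built-in "default" store), that every
inputRef is a built-in input or a declared custom input, that each output
has a url, and that the "audit" input is forwarded to at least one output
other than the in-cluster store.
"""
import copy

BUILTIN_OUTPUT = "default"                          # the in-cluster log store
BUILTIN_INPUTS = {"application", "infrastructure", "audit"}

# Constructed: the forwarder as a dict, with a dangling outputRef and an empty url,
# i.e. the two defects this linter is meant to catch.
FORWARDER_AS_POSTED = {
    "apiVersion": "logging.openshift.io/v1",
    "kind": "ClusterLogForwarder",
    "metadata": {"name": "instance", "namespace": "openshift-logging"},
    "spec": {
        "outputs": [
            {"name": "elasticsearch-secure", "type": "elasticsearch",
             "url": "", "secret": {"name": "es-secret"}},
        ],
        "pipelines": [
            {"name": "application-logs",
             "inputRefs": ["application", "audit"],
             "outputRefs": ["elasticsearch-secure", "default"]},
            {"name": "infrastructure-audit-logs",
             "inputRefs": ["infrastructure"],
             "outputRefs": ["elasticsearch-insecure"]},
        ],
    },
}


def lint_forwarder(manifest):
    """Return a list of problem strings; an empty list means the spec is consistent."""
    spec = manifest.get("spec", {})
    outputs = {o.get("name"): o for o in spec.get("outputs", [])}
    # Custom inputs declared under spec.inputs are legal inputRefs too.
    inputs = BUILTIN_INPUTS | {i.get("name") for i in spec.get("inputs", [])}
    problems = []

    for name, out in outputs.items():
        if not out.get("url"):
            problems.append(f"output {name!r} has no url")

    audit_leaves_cluster = False
    for p in spec.get("pipelines", []):
        pname = p.get("name", "<unnamed>")
        for ref in p.get("inputRefs", []):
            if ref not in inputs:
                problems.append(f"pipeline {pname!r} uses unknown input {ref!r}")
        external = []
        for ref in p.get("outputRefs", []):
            if ref == BUILTIN_OUTPUT:
                continue
            if ref not in outputs:
                problems.append(f"pipeline {pname!r} references undefined output {ref!r}")
            else:
                external.append(ref)
        if "audit" in p.get("inputRefs", []) and external:
            audit_leaves_cluster = True

    if not audit_leaves_cluster:
        problems.append("no pipeline forwards the 'audit' input to an external output")
    return problems


def fixed_forwarder(manifest, es_url):
    """Return a corrected deep copy: fill empty urls with es_url (a placeholder
    you supply) and point dangling outputRefs at the first defined output.
    Assumption: that is what the posted manifest intended."""
    m = copy.deepcopy(manifest)
    spec = m["spec"]
    defined = [o["name"] for o in spec.get("outputs", [])]
    for o in spec.get("outputs", []):
        if not o.get("url"):
            o["url"] = es_url
    for p in spec.get("pipelines", []):
        p["outputRefs"] = [r if r == BUILTIN_OUTPUT or r in defined or not defined else defined[0]
                           for r in p.get("outputRefs", [])]
    return m


if __name__ == "__main__":
    for problem in lint_forwarder(FORWARDER_AS_POSTED):
        print("problem:", problem)
    # "https://es.example.internal:9200" is a placeholder endpoint, not a real one.
    print("after fix:", lint_forwarder(fixed_forwarder(FORWARDER_AS_POSTED, "https://es.example.internal:9200")))
```

Run it before `oc create -f`; a dangling outputRef is rejected by the operator anyway, but the "audit never leaves the cluster" case is accepted silently and only shows up later as a failing compliance check.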

Once you perform these steps, the ocp4-pci-dss-audit-log-forwarding-enabled compliance check is marked PASS.

Note, it is best practice to keep the logs outside of the cluster.

  3.3 The ocp4-pci-dss-configure-network-policies-namespaces Recipe

To satisfy the network policy check you need to create a namespace and then create a NetworkPolicy in that same namespace. To achieve this, use the steps below:

i. Create a namespace named test1.

# oc create ns test1

ii. Create a YAML file (file1.yaml) with the configuration below:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: test1
spec:
  podSelector: {}        # selects every pod in the namespace
  policyTypes:
    - Ingress
    - Egress             # no ingress/egress rules are listed, so this denies all traffic to and from the pods

iii. Create the network policy using the command below.

# oc create -f file1.yaml
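The check is per namespace, so once you have more than a test namespace it helps to see which namespaces still have no NetworkPolicy and which already carry a default-deny like the one above. The script below is an added example, not code from the original post or the Compliance Operator: given namespace names and NetworkPolicy objects (constructed inline in the shape of `oc get networkpolicy -A -o json` items, so it runs offline), it reports each non-platform namespace as `none`, `policy`, or `default-deny`. Treating namespaces prefixed `openshift` and `kube` as platform namespaces and skipping them is my assumption, not the rule's exact exclusion list.

```python
"""Report NetworkPolicy coverage per namespace.

Added example (not from the original post). A namespace is "default-deny"
when a policy selects all pods (empty podSelector), lists both policy types
and carries no ingress/egress rules; "policy" when it has any other policy;
"none" when it has no NetworkPolicy at all.
"""

# Assumption: namespaces with these prefixes are platform namespaces and are skipped.
SYSTEM_PREFIXES = ("openshift", "kube")

# Constructed sample: `oc get ns` names and `oc get networkpolicy -A -o json` items.
NAMESPACES = ["test1", "test2", "test3", "openshift-logging", "kube-system"]
POLICIES = [
    {   # the post's policy: deny everything in test1
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "test-network-policy", "namespace": "test1"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    },
    {   # an allow-all-ingress policy in test2: a policy exists, but it is not default-deny
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "allow-all-ingress", "namespace": "test2"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]},
    },
]


def is_default_deny(policy):
    """True if the policy selects every pod, covers Ingress and Egress, and has no allow rules."""
    spec = policy.get("spec", {})
    has_rules = bool(spec.get("ingress")) or bool(spec.get("egress"))
    return (spec.get("podSelector", {}) == {}
            and set(spec.get("policyTypes", [])) == {"Ingress", "Egress"}
            and not has_rules)


def namespace_report(namespaces, policies):
    """Return {namespace: 'none' | 'policy' | 'default-deny'} for non-platform namespaces."""
    by_ns = {}
    for pol in policies:
        by_ns.setdefault(pol["metadata"]["namespace"], []).append(pol)
    report = {}
    for ns in namespaces:
        if ns.startswith(SYSTEM_PREFIXES):
            continue
        pols = by_ns.get(ns, [])
        if not pols:
            report[ns] = "none"
        elif any(is_default_deny(p) for p in pols):
            report[ns] = "default-deny"
        else:
            report[ns] = "policy"
    return report


def uncovered_namespaces(namespaces, policies):
    """Namespaces that would still fail the network-policies-namespaces check."""
    return sorted(ns for ns, state in namespace_report(namespaces, policies).items()
                  if state == "none")


if __name__ == "__main__":
    for ns, state in namespace_report(NAMESPACES, POLICIES).items():
        print(f"{ns:20} {state}")
    print("still uncovered:", uncovered_namespaces(NAMESPACES, POLICIES))
```

Feed it real data by loading `oc get ns -o json` and `oc get networkpolicy -A -o json` with `json.load` and passing the namespace names and the `items` list in place of the constructed samples.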

Once you perform the steps above, the ocp4-pci-dss-configure-network-policies-namespaces compliance check is marked PASS.

  3.4 The idp-dss configuration Recipe

The default identity provider included in OpenShift is not approved for the PCI-DSS profile, so you need to configure an alternative identity provider, such as the GitHub identity provider for OpenShift or one of the many other supported IdPs. The GitHub IdP is configured as described in Configuring a GitHub or GitHub Enterprise identity provider.

Once you configure an alternative identity provider, the idp-dss configuration compliance check is marked PASS.

  3.5 The ocp4-pci-dss-kubeadmin-removed Recipe

kubeadmin is the default superuser. As a best practice, you should remove this default superuser from your OpenShift cluster. The OpenShift documentation describes the process in Removing the kubeadmin user.

Once you complete the process outlined in the documentation, the ocp4-pci-dss-kubeadmin-removed check is marked PASS.

  3.6 The ocp4-pci-dss-file-integrity-exists and ocp4-pci-dss-file-integrity-notification Recipe

The File Integrity Operator acts on the FileIntegrity resource, which continually runs file integrity checks on the cluster nodes. It deploys a DaemonSet that initializes and runs privileged AIDE (Advanced Intrusion Detection Environment) containers on each node, providing a log of files that have been modified since the initial run of the DaemonSet pods.

i. Install the File Integrity Operator.

ii. Create a file-object.yaml file using the configuration below.

apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: example-fileintegrity
  namespace: openshift-file-integrity
spec:
  nodeSelector:
    kubernetes.io/hostname: "ip-10-10-10-1"   # nodeSelector is a label map; restrict to one node or omit it to scan every node
  tolerations:
    - key: "myNode"
      operator: "Exists"
      effect: "NoSchedule"
  config:
    name: "myconfig"                          # optional ConfigMap with a custom AIDE configuration; must exist in this namespace
    namespace: "openshift-file-integrity"
    key: "config"
    gracePeriod: 20
    maxBackups: 5
  debug: false
status:
  phase: Active                               # status is set by the operator; harmless here but not needed in the applied file

iii. Create the FileIntegrity object using the command below.

# oc apply -f file-object.yaml

Once you apply this recipe, both the ocp4-pci-dss-file-integrity-exists and ocp4-pci-dss-file-integrity-notification-enabled checks are marked PASS.

Once all recipes are applied, the cluster will be PCI-DSS compliant. In this post you’ve seen how to set up the profiles, check the scan results, and successfully configure the cluster.

Thanks for reading! I hope you found this helpful :)
