This article was originally posted to Medium by Gaurav Bankar and has been updated.
If you’re processing credit card payments, you really care about security and about following the PCI-DSS standard. Once you have the OpenShift Compliance Operator installed on the OpenShift Container Platform (OCP) cluster and the PCI-DSS v1.3 profile enabled, the next step is to configure a compliant cluster.
If you want to learn how to install and set up the Compliance Operator with PCI-DSS, see my colleague’s post.
This document outlines how to verify the profiles, check the scan results, and configure a compliant cluster.
- Verify the Profiles
After installing the Compliance Operator, you can confirm that the PCI-DSS profiles are enabled using the command below.
# oc get -n openshift-compliance profiles.compliance
You should see the PCI-DSS profiles, including ocp4-pci-dss-node, listed in the output.
- Check the Scan Results
Once your first scan completes (set up and run as described in my colleague’s prior blog post), you can list the ComplianceCheckResult objects and filter for failing PCI-DSS checks:
# oc get compliancecheckresult -n openshift-compliance | grep pci | grep FAIL
- Configure the Compliant Cluster
To configure a PCI-DSS compliant cluster, I’ve included several recipes:
To satisfy the compliance check above, you need to enable FIPS mode and LUKS disk encryption in the OCP cluster. You can refer to this post, which covers configuring an external Tang cluster, setting up the OCP cluster, and verifying FIPS and LUKS encryption.
Note that FIPS must be enabled at initial creation of the cluster, whereas LUKS can be configured after creation. Once both are configured, the compliancecheckresult is marked PASS.
To satisfy the compliance check above, which relates to audit log forwarding, you need to install the Elasticsearch and OpenShift Logging Operators from OperatorHub and set up cluster log forwarding.
i. Install the OpenShift Elasticsearch Operator and the logging operator from OperatorHub (via the web console).
ii. In the OpenShift Container Platform web console, click Operators → OperatorHub.
iii. Choose the OpenShift Elasticsearch Operator and the logging operator from the list of available Operators and click Install.
iv. Configure the Operators as described in the documentation.
- Create the YAML for forwarding cluster logs, ClusterLogForwarder.yaml. It defines an Elasticsearch output named elasticsearch-secure and two pipelines, application-logs and infrastructure-audit-logs, the latter carrying the infrastructure and audit logs.
# cat ClusterLogForwarder.yaml
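As an added example (not the file from the original post), the following ClusterLogForwarder.yaml uses the output and pipeline names named above; the Elasticsearch URL and the secret name are placeholders you must replace with your own values.

```yaml
# Added example, not the original post's file. The URL and the secret name are
# placeholders. The secret must exist in openshift-logging and hold the CA
# bundle, client certificate and key used to reach the external Elasticsearch.
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance                  # the forwarder instance must be named "instance"
  namespace: openshift-logging
spec:
  outputs:
  - name: elasticsearch-secure
    type: elasticsearch
    url: https://elasticsearch.example.com:9200   # placeholder: your external ES
    secret:
      name: elasticsearch-secure                  # placeholder: TLS secret name
  pipelines:
  # Application (workload) logs go to the external store.
  - name: application-logs
    inputRefs:
    - application
    outputRefs:
    - elasticsearch-secure
  # Infrastructure and audit logs go to the same store. The audit input carries
  # the API server and node audit logs that the audit-log-forwarding check
  # expects to be shipped off the cluster.
  - name: infrastructure-audit-logs
    inputRefs:
    - infrastructure
    - audit
    outputRefs:
    - elasticsearch-secure
```

Keeping the audit pipeline pointed at a store outside the cluster also means an attacker who gains cluster access cannot simply delete the evidence of what they did.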
Create the ClusterLogForwarder object using the command below:
# oc create -f ClusterLogForwarder.yaml
Once you perform these steps, the ocp4-pci-dss-audit-log-forwarding-enabled compliance check is marked PASS.
Note that it is best practice to forward the logs to a destination outside the cluster.
To satisfy the compliance check above, which relates to network policies in namespaces, you need to create a namespace and a NetworkPolicy in that same namespace. Use the following steps:
i. Create a namespace named test1.
# oc create ns test1
ii. Create a YAML file named file1.yaml containing the NetworkPolicy configuration for the test1 namespace.
iii. Create the network policy using the command below.
# oc create -f file1.yaml
Once you perform these steps, the ocp4-pci-dss-configure-network-policies-namespaces compliance check is marked PASS.
idp-dss configuration Recipe
The default identity provider included in OpenShift is not approved under the PCI-DSS profile, so you need to configure an alternative identity provider, such as the GitHub identity provider for OpenShift or one of the many other supported IdPs. You can configure the GitHub IdP as described in Configuring a GitHub or GitHub Enterprise identity provider.
Once you configure an alternative identity provider, the idp-dss configuration compliance check is marked PASS.
The kubeadmin user is a default superuser. As a best practice, you should remove this default superuser from your OpenShift cluster (after an alternative identity provider is configured and another user holds cluster-admin rights, so you do not lock yourself out). The OpenShift documentation describes the process in Removing the kubeadmin user.
Once you complete the process outlined in the documentation, the ocp4-pci-dss-kubeadmin-removed check is marked PASS.
The File Integrity Operator acts on the FileIntegrity resource, which is used to continually run file integrity checks on the cluster nodes. It deploys a DaemonSet that initializes and runs privileged AIDE (Advanced Intrusion Detection Environment) containers on each node, providing a log of files that have been modified since the initial run of the DaemonSet pods.
i. Install the File Integrity Operator.
ii. Create a file-object.yaml file containing the FileIntegrity configuration (in the original example, including a node toleration with key "myNode").
iii. Create the FileIntegrity object using the command below.
# oc apply -f file-object.yaml
Once you apply both recipes, the ocp4-pci-dss-file-integrity-notification-enabled check is marked PASS.
Once all recipes are applied, the cluster will be PCI-DSS compliant. In this post you’ve seen how to verify the profiles, check the scan results, and successfully configure the cluster.
Thanks for reading! I hope you found this helpful :)