This article was originally posted to Medium by Gaurav Bankar and has been updated.
Hi Folks
If you process credit card payments, you really do care about security and about meeting the PCI-DSS standard. Once the OpenShift Compliance Operator is installed on your OpenShift Container Platform (OCP) cluster and the PCI-DSS profile is enabled, the next job is to configure the cluster so that the profile's checks actually pass.
If you want to learn how to install and set up the Compliance Operator with the PCI-DSS profile, see my colleague's post.
This document outlines how to verify the profiles, check for the scan results, and configure a compliant cluster.
- Verify the Profiles
After installing the Compliance Operator, confirm that the PCI-DSS profiles are available with the following command:
# oc get -n openshift-compliance profiles.compliance
NAME                AGE
ocp4-cis            5m14s
ocp4-cis-node       5m14s
ocp4-pci-dss        5m12s
ocp4-pci-dss-node   5m12s
Both the ocp4-pci-dss profile (cluster-level checks) and the ocp4-pci-dss-node profile (per-node checks) are listed.
- Check the Scan Results
Once your first scan completes (set up and run as described in my colleague's post), list the ComplianceCheckResult objects and filter for the PCI-DSS checks that failed. Each result also carries the labels compliance.openshift.io/check-status and compliance.openshift.io/check-severity, so you can select on status or severity with -l instead of grep if you prefer.
# oc get compliancecheckresult -n openshift-compliance | grep pci | grep FAIL
- Configure the Compliant Cluster
To configure a PCI-DSS compliant cluster, I’ve included several recipes:
- The ocp4-pci-dss-machine-volume-encryption Recipe
This check verifies that the nodes' root volumes are LUKS-encrypted. To satisfy it, refer to this post, which walks through configuring an external Tang server, setting up the OCP cluster with disk encryption, and verifying both FIPS mode and LUKS encryption; FIPS is not what this particular check inspects, but the PCI-DSS profile expects it too, so enable both.
Note that FIPS mode can only be enabled when the cluster is first installed, while LUKS can be configured after creation. Once both are in place, the compliancecheckresult is marked PASS.
- The ocp4-pci-dss-audit-log-forwarding-enabled Recipe
To satisfy the audit-log-forwarding check you need the OpenShift Logging Operator installed and a ClusterLogForwarder that sends the audit log stream somewhere. This recipe forwards to Elasticsearch, so it also installs the OpenShift Elasticsearch Operator from OperatorHub; any output type ClusterLogForwarder supports (external Elasticsearch, syslog, Kafka, and so on) would satisfy the check equally well.
i. In the OpenShift Container Platform web console, click Operators → OperatorHub.
ii. Choose the OpenShift Elasticsearch Operator and the Red Hat OpenShift Logging Operator from the list of available Operators and click Install.
iii. Configure the Operators as described in the documentation. If you want to use the on-cluster log store as well (the "default" output referenced in the manifest below), create a ClusterLogging instance first.
- Create the YAML for forwarding cluster log — ClusterLogForwarder.yaml
# cat ClusterLogForwarder.yaml
apiVersion: "logging.openshift.io/v1"
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
    # External Elasticsearch over TLS. The es-secret Secret must already exist
    # in openshift-logging and hold the TLS material (or credentials) for it.
    - name: elasticsearch-secure
      type: "elasticsearch"
      url: https://elasticsearch.secure.com:9200
      secret:
        name: es-secret
  pipelines:
    # The audit input is what the compliance check looks for. It goes both
    # off-cluster and to "default", the log store managed by the ClusterLogging
    # instance; drop "default" if you have not created one.
    - name: application-logs
      inputRefs:
        - application
        - audit
      outputRefs:
        - elasticsearch-secure
        - default
      labels:
        myLabel: "myValue"
    - name: infrastructure-audit-logs
      inputRefs:
        - infrastructure
      outputRefs:
        # Every outputRef must name an output defined above (or "default");
        # a reference to an undefined output is a configuration error.
        - elasticsearch-secure
      labels:
        logs: "audit-infra"
- Create the ClusterLogForwarder object using the command below:
# oc create -f ClusterLogForwarder.yaml
Once you perform these steps, the ocp4-pci-dss-audit-log-forwarding-enabled compliance check is marked PASS.
Note that audit logs belong outside the cluster: a log store inside the cluster (the "default" output above) disappears with the cluster and can be altered by whoever compromises it, which is why the manifest also forwards to an external endpoint.
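A small sanity check for the forwarder spec before you apply it, added here as an example (it is not code from the original post or from OpenShift Logging). It works on the spec as a Python dict, the shape you get from "oc get clusterlogforwarder instance -n openshift-logging -o json"; the sample spec below is constructed to mirror the manifest above, including a pipeline that references an output that was never defined, and the rules it applies are this example's own, not the Compliance Operator's logic:

```python
import copy

# Constructed sample: a ClusterLogForwarder spec with one pipeline that
# references an undefined output ("elasticsearch-insecure").
POST_SPEC = {
    "outputs": [
        {
            "name": "elasticsearch-secure",
            "type": "elasticsearch",
            "url": "https://elasticsearch.secure.com:9200",
            "secret": {"name": "es-secret"},
        }
    ],
    "pipelines": [
        {
            "name": "application-logs",
            "inputRefs": ["application", "audit"],
            "outputRefs": ["elasticsearch-secure", "default"],
        },
        {
            "name": "infrastructure-audit-logs",
            "inputRefs": ["infrastructure"],
            "outputRefs": ["elasticsearch-insecure"],
        },
    ],
}

# Reserved output name for the log store managed by the ClusterLogging
# instance. It lives inside the cluster, so it does not count as off-cluster.
DEFAULT_OUTPUT = "default"


def forwarder_issues(spec):
    """Return a list of problems found in a ClusterLogForwarder spec.

    Checks (this example's own sanity rules):
      1. every outputRef names a defined output or the reserved "default";
      2. some pipeline carries the "audit" input;
      3. audit logs reach at least one output other than the on-cluster default;
      4. no output uses a plaintext http:// URL.
    """
    issues = []
    defined = {out.get("name") for out in spec.get("outputs", [])}
    audit_destinations = set()

    for pipeline in spec.get("pipelines", []):
        name = pipeline.get("name", "<unnamed>")
        for ref in pipeline.get("outputRefs", []):
            if ref != DEFAULT_OUTPUT and ref not in defined:
                issues.append(f"pipeline {name!r} references undefined output {ref!r}")
        if "audit" in pipeline.get("inputRefs", []):
            audit_destinations.update(pipeline.get("outputRefs", []))

    if not audit_destinations:
        issues.append("no pipeline forwards the 'audit' input")
    elif audit_destinations <= {DEFAULT_OUTPUT}:
        issues.append("audit logs only reach the on-cluster 'default' store")

    for out in spec.get("outputs", []):
        if out.get("url", "").startswith("http://"):
            issues.append(f"output {out.get('name')!r} sends logs over plaintext http")
    return issues


def with_output_ref(spec, old, new):
    """Copy of spec with every outputRef `old` renamed to `new` (repair helper)."""
    fixed = copy.deepcopy(spec)
    for pipeline in fixed.get("pipelines", []):
        pipeline["outputRefs"] = [new if r == old else r for r in pipeline.get("outputRefs", [])]
    return fixed


# The repaired spec: the dangling reference now points at the defined output.
FIXED_SPEC = with_output_ref(POST_SPEC, "elasticsearch-insecure", "elasticsearch-secure")

if __name__ == "__main__":
    for label, spec in (("as written", POST_SPEC), ("repaired", FIXED_SPEC)):
        print(label + ":", forwarder_issues(spec) or "OK")
```

Run it against the JSON of your own ClusterLogForwarder (json.load the file and pass item["spec"]) before and after editing; an empty issue list is what you want, and the third rule is the one that catches a forwarder that technically satisfies the compliance check while keeping the audit trail inside the cluster.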
- The ocp4-pci-dss-configure-network-policies-namespaces Recipe
This check inspects every non-platform namespace and fails if any of them has no NetworkPolicy. The steps below show the pattern for a single namespace; repeat it for each application namespace in the cluster, and remember that a newly created namespace without a policy turns the check back to FAIL.
i. Create a namespace named as test1.
# oc create ns test1
ii. Create a file named file1.yaml with the following configuration. An empty podSelector with both policy types and no rules is a deny-all policy: it blocks all ingress and all egress (DNS included) for every pod in the namespace, so real workloads need additional allow policies on top of it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: test1
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
iii. Create the above network policy using the command below.
# oc create -f file1.yaml
Once you perform the above steps for every application namespace, the ocp4-pci-dss-configure-network-policies-namespaces compliance check passes.
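To find the namespaces that still need a policy, and to generate the manifests for them, here is an added example (not code from the original post or from the Compliance Operator). It takes the "items" arrays returned by "oc get namespaces -o json" and "oc get networkpolicies -A -o json"; the samples below are constructed. The platform-namespace exclusion (default, kube-*, openshift*) is this example's assumption about which namespaces the check skips, and the companion DNS policy assumes the dns-default pods live in openshift-dns and listen on 5353 behind the port-53 Service, which you should verify against your cluster:

```python
import fnmatch
import json

# Constructed samples shaped like the "items" arrays from
# `oc get namespaces -o json` and `oc get networkpolicies -A -o json`.
NAMESPACES = [
    {"metadata": {"name": n}}
    for n in ("default", "kube-system", "openshift-compliance", "openshift-logging",
              "test1", "payments", "cardholder-api")
]
POLICIES = [
    {"metadata": {"name": "test-network-policy", "namespace": "test1"}},
    {"metadata": {"name": "default-deny", "namespace": "payments"}},
]

# Assumption: the check treats these as platform namespaces and skips them;
# every other namespace is an application namespace that needs a policy.
PLATFORM_PATTERNS = ("default", "kube-*", "openshift*")


def is_platform_namespace(name):
    return any(fnmatch.fnmatchcase(name, pat) for pat in PLATFORM_PATTERNS)


def namespaces_without_policy(namespaces, policies):
    """Application namespaces that have no NetworkPolicy at all, sorted."""
    covered = {p["metadata"]["namespace"] for p in policies}
    return sorted(
        ns["metadata"]["name"]
        for ns in namespaces
        if not is_platform_namespace(ns["metadata"]["name"])
        and ns["metadata"]["name"] not in covered
    )


def deny_all_policy(namespace):
    """Same shape as the post's policy: empty podSelector, both policyTypes,
    no rules, so all ingress and all egress (DNS included) is blocked."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-all", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }


def allow_dns_egress_policy(namespace):
    """Companion policy so the deny-all does not break name resolution.
    Assumption: DNS pods are in openshift-dns (selected via the
    kubernetes.io/metadata.name label Kubernetes sets on every namespace)
    and listen on 5353; 53 is included in case your DNS pods listen there."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-dns-egress", "namespace": namespace},
        "spec": {
            "podSelector": {},
            "policyTypes": ["Egress"],
            "egress": [{
                "to": [{"namespaceSelector": {
                    "matchLabels": {"kubernetes.io/metadata.name": "openshift-dns"}}}],
                "ports": [{"protocol": proto, "port": port}
                          for port in (5353, 53) for proto in ("UDP", "TCP")],
            }],
        },
    }


def remediation_manifests(namespaces, policies):
    """Deny-all plus allow-DNS policy for each uncovered application namespace."""
    manifests = []
    for ns in namespaces_without_policy(namespaces, policies):
        manifests.append(deny_all_policy(ns))
        manifests.append(allow_dns_egress_policy(ns))
    return manifests


if __name__ == "__main__":
    print("namespaces without a NetworkPolicy:",
          namespaces_without_policy(NAMESPACES, POLICIES))
    for manifest in remediation_manifests(NAMESPACES, POLICIES):
        print(json.dumps(manifest))  # JSON is valid YAML; pipe into oc apply -f -
```

The printed manifests can be piped straight into "oc apply -f -". Running the coverage function on a schedule is a cheap way to notice a new namespace before the next compliance scan does.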
- The idp-dss configuration Recipe
OpenShift ships with no identity provider configured, only the temporary kubeadmin user, and that state is not acceptable for the PCI-DSS profile. Configure an identity provider such as the GitHub identity provider for OpenShift, or one of the many other supported IdPs; the GitHub case is described in Configuring a GitHub or GitHub Enterprise identity provider.
Once an identity provider is configured, the idp-dss configuration compliance check is passed.
- The ocp4-pci-dss-kubeadmin-removed Recipe
kubeadmin is the temporary superuser created at install time. As a best practice, remove it from your OpenShift cluster once an identity provider is configured and at least one other user holds the cluster-admin role; deleting it before then locks you out of cluster administration. The OpenShift documentation describes the process in Removing the kubeadmin user.
Once you complete the process outlined in the documentation, the ocp4-pci-dss-kubeadmin-removed check is marked PASS.
- The ocp4-pci-dss-file-integrity-exists and ocp4-pci-dss-file-integrity-notification-enabled Recipe
The File Integrity Operator acts on the FileIntegrity resource, which continually runs file-integrity checks on the cluster nodes. It deploys a DaemonSet that initializes and runs privileged AIDE (Advanced Intrusion Detection Environment) containers on each selected node, producing a log of files that have been modified since the initial run of the DaemonSet pods.
i. Install the File Integrity Operator from OperatorHub.
ii. Create a file named file-object.yaml with the following configuration.
apiVersion: fileintegrity.openshift.io/v1alpha1
kind: FileIntegrity
metadata:
  name: example-fileintegrity
  namespace: openshift-file-integrity
spec:
  # Restricts the AIDE DaemonSet to this one node. For a PCI-DSS cluster you
  # want every node covered, so widen this (for example to a role label such
  # as node-role.kubernetes.io/worker: "") or create one object per role.
  nodeSelector:
    kubernetes.io/hostname: "ip-10-10-10-1"
  tolerations:
    - key: "myNode"
      operator: "Exists"
      effect: "NoSchedule"
  # Optional custom AIDE configuration held in a ConfigMap. The ConfigMap must
  # exist before this object is created; omit the block to use the operator's
  # default configuration.
  config:
    name: "myconfig"
    namespace: "openshift-file-integrity"
    key: "config"
    gracePeriod: 20
    maxBackups: 5
  debug: false
- Create the FileIntegrity object by using the command below.
# oc apply -f file-object.yaml
Once the object is active, the ocp4-pci-dss-file-integrity-exists and ocp4-pci-dss-file-integrity-notification-enabled checks pass.
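Passing the two checks only proves the operator is deployed; what PCI-DSS actually wants is someone looking at the results. The following added example (not code from the original post or from the File Integrity Operator) summarizes the per-node results and flags nodes that the FileIntegrity object never covered, which is exactly the gap a hostname-scoped nodeSelector leaves. It reads the "items" array from "oc get fileintegritynodestatuses -n openshift-file-integrity -o json"; the items below are constructed, and the field names (nodeName, results[].condition, lastProbeTime, filesAdded, filesChanged, filesRemoved, resultConfigMapName) are this example's assumption about the FileIntegrityNodeStatus type, so check them against your operator version:

```python
# Constructed sample shaped like the "items" array of FileIntegrityNodeStatus
# objects. Field names are assumed from the operator's status type.
NODE_STATUSES = [
    {
        "metadata": {"name": "example-fileintegrity-ip-10-10-10-1"},
        "nodeName": "ip-10-10-10-1",
        "results": [
            {"condition": "Succeeded", "lastProbeTime": "2021-06-01T10:00:00Z"},
            {"condition": "Failed", "lastProbeTime": "2021-06-01T10:15:00Z",
             "filesAdded": 0, "filesChanged": 2, "filesRemoved": 1,
             "resultConfigMapName": "example-fileintegrity-ip-10-10-10-1-failed",
             "resultConfigMapNamespace": "openshift-file-integrity"},
        ],
    },
    {
        "metadata": {"name": "example-fileintegrity-ip-10-10-10-2"},
        "nodeName": "ip-10-10-10-2",
        "results": [{"condition": "Succeeded", "lastProbeTime": "2021-06-01T10:15:00Z"}],
    },
]

# Constructed: the nodes the FileIntegrity object is meant to cover (for a
# real cluster, take this from `oc get nodes`). A node with no status at all
# means AIDE never ran there, which is a gap, not a pass.
EXPECTED_NODES = ["ip-10-10-10-1", "ip-10-10-10-2", "ip-10-10-10-3"]


def latest_result(status):
    """Most recent probe for a node; RFC 3339 UTC timestamps sort lexicographically."""
    return max(status.get("results", []),
               key=lambda r: r.get("lastProbeTime", ""), default=None)


def integrity_report(statuses, expected_nodes):
    """Group nodes into ok / failed / errored / missing.

    "failed" entries are (node, changed, added, removed, result ConfigMap) so
    the operator knows where to fetch the AIDE log from.
    """
    report = {"ok": [], "failed": [], "errored": [], "missing": []}
    seen = set()
    for status in statuses:
        node = status["nodeName"]
        seen.add(node)
        result = latest_result(status)
        if result is None or result.get("condition") == "Errored":
            report["errored"].append(node)
        elif result.get("condition") == "Failed":
            report["failed"].append((
                node,
                result.get("filesChanged", 0),
                result.get("filesAdded", 0),
                result.get("filesRemoved", 0),
                result.get("resultConfigMapName"),
            ))
        else:
            report["ok"].append(node)
    report["missing"] = sorted(n for n in expected_nodes if n not in seen)
    return report


def integrity_clean(statuses, expected_nodes):
    """True only when every expected node reported and its latest probe succeeded."""
    report = integrity_report(statuses, expected_nodes)
    return not (report["failed"] or report["errored"] or report["missing"])


if __name__ == "__main__":
    report = integrity_report(NODE_STATUSES, EXPECTED_NODES)
    for key in ("ok", "failed", "errored", "missing"):
        print(f"{key:8}", report[key])
    print("clean:", integrity_clean(NODE_STATUSES, EXPECTED_NODES))
```

For a failed node, "oc describe cm <resultConfigMapName> -n openshift-file-integrity" shows the AIDE log with the changed paths; after you have investigated and accepted the change, re-initialize the database with the file-integrity.openshift.io/re-init annotation as the operator's documentation describes, otherwise the node stays in Failed.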
Once all recipes are applied, the remaining checks of the PCI-DSS profile report PASS. In this post you have seen how to verify the profiles, check the scan results, and configure the cluster accordingly. Keep in mind that a clean scan shows the platform controls the profile covers are in place; the rest of PCI-DSS (cardholder-data handling, application controls, and operational processes) still has to be met outside the scanner.
Thanks for reading! I hope you found this helpful :)