This is a cache of https://docs.openshift.com/acs/4.5/operating/compliance-operator-rhacs.html. It is a snapshot of the page at 2024-11-28T18:08:44.253+0000.
Using Compliance Operator with RHACS | Operating | Red Hat Advanced Cluster Security for Kubernetes 4.5
×

You can configure RHACS to use the Compliance Operator for compliance reporting and remediation with OpenShift Container Platform clusters. Results from the Compliance Operator are reported in the RHACS Compliance Dashboard.

The Compliance Operator automates the review of numerous technical implementations and compares them with certain aspects of industry standards, benchmarks, and baselines.

The Compliance Operator is not an auditor. To comply or certify to these various standards, you must engage an authorized auditor such as a Qualified Security Assessor (QSA), Joint Authorization Board (JAB), or other industry-recognized regulatory authority to assess your environment.

The Compliance Operator makes recommendations based on generally available information and practices that relate to such standards and can assist with remediation, but actual compliance is your responsibility. You are required to work with an authorized auditor to achieve compliance with a standard.

For the latest updates, see the Compliance Operator release notes.

Installing the Compliance Operator

Install the Compliance Operator by using the Operator Hub.

Procedure
  1. In the web console, go to the OperatorsOperatorHub page.

  2. Enter compliance operator into the Filter by keyword box to find the Compliance Operator.

  3. Select the Compliance Operator to view the details page.

  4. Read the information about the Operator, and then click Install.

  • If you use the compliance feature, you can schedule your scan by using RHACS to create a compliance scan schedule.

    For more information about scheduling a compliance scan by using the compliance feature, see "Customizing and automating your compliance scans".

  • If you create a scan schedule, you do not need to create the ScanSettingBinding on the Compliance Operator.

Configuring the ScanSettingBinding object

By creating a ScanSettingBinding object in the openshift-compliance namespace, you can scan your cluster by using the cis and cis-node profiles either from the command-line interface (cli) or user interface (UI).

This example uses ocp4-cis and ocp4-cis-node profiles, but OpenShift Container Platform provides additional profiles.

For more information, see "Understanding the Compliance Operator".

Prerequisites
  • You have installed the Compliance Operator.

Procedure
  • To create the ScanSettingBinding object from the cli, perform the following steps:

    1. Create a file named sscan.yaml by using the following content:

      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSettingBinding
      metadata:
        name: cis-compliance
      profiles:
        - name: ocp4-cis-node
          kind: Profile
          apiGroup: compliance.openshift.io/v1alpha1
        - name: ocp4-cis
          kind: Profile
          apiGroup: compliance.openshift.io/v1alpha1
      settingsRef:
        name: default
        kind: ScanSetting
        apiGroup: compliance.openshift.io/v1alpha1
    2. Create the ScanSettingBinding object by running the following command:

      $ oc create -f sscan.yaml -n openshift-compliance

      If successful, the following message is displayed:

      $ scansettingbinding.compliance.openshift.io/cis-compliance created
  • To create the ScanSettingBinding object from the UI, perform the following steps:

    1. Change the active project to openshift-compliance.

    2. click + to open the Import YAML page.

    3. Paste the YAML from the previous example, and then click Create.

Verification
  1. Run a compliance scan in RHACS.

    For more information about how to run a compliance scan by using the compliance feature, see "Checking the compliance status of your infrastructure".

  2. Ensure that ocp4-cis and ocp4-cis-node results are displayed.

  • If you are using the cli, you can view the compliance scan results from the dashboard page.

    For more information about how to view the compliance scan results from the dashboard page, see "Viewing the compliance standards across your environment".

  • If you are using the UI, you can view the compliance scan results from both the dashboard and coverage page.

    For more information about how to view the compliance scan results from the coverage page, see "Assessing the profile compliance across clusters".