By performing compliance scans, you can check the compliance status of your entire infrastructure in RHACS. You can view the results in the compliance dashboard, where you can filter data and monitor compliance status across clusters, namespaces and nodes.

By generating detailed compliance reports and focusing on specific standards, controls and industry benchmarks, you can track and share the compliance status of your environment, and ensure that your infrastructure meets the required compliance standards.

Checking the compliance status of your infrastructure

By performing a compliance scan, you can check the compliance status of your entire infrastructure for all compliance standards. When you run a compliance scan, Red Hat Advanced Cluster Security for Kubernetes (RHACS) creates a data snapshot of your environment. The data snapshot includes alerts, images, network policies, deployments, and related host-based data.

Central collects the host-based data from Sensors running in your clusters. Central then collects further data from the compliance container running in each Collector pod.

The compliance container collects the following data about your environment:

  • Configurations for the container daemon, container runtime and container image.

  • Information about container networks.

  • Command-line arguments and processes for the container runtime, Kubernetes, and OpenShift Container Platform.

  • Permissions for specific file paths.

  • Configuration files for Kubernetes and OpenShift Container Platform core services.

After data collection is complete, Central checks the data to determine the results. You can view the results in the compliance dashboard and create compliance reports based on the results.

The following terms are associated with a compliance scan:

  • Control describes a single line item in an industry or regulatory standard that an auditor uses to evaluate an information system for compliance with that standard. RHACS verifies evidence of compliance with a single control by performing one or more checks.

  • Check is the single test performed during a single control assessment.

Some controls have multiple checks associated with them. If one of the associated checks for a control fails, the entire control state is marked as Fail.

Procedure
  1. In the RHACS portal, click Compliance → Dashboard.

  2. Optional: By default, information on all standards is displayed in the compliance results.

    To display information about specific standards only, perform the following steps:

    1. Click Manage standards.

    2. By default, all standards are selected. Clear the checkbox for any specific standard that you do not want to display.

    3. Click Save.

      Standards that are not selected do not appear in the dashboard display, including the widgets, in the compliance results tables accessible from the dashboard, and in the PDF files created by using the Export button. However, when exporting the results as a CSV file, all default standards are included.

  3. Click Scan environment.

    Scanning the entire environment takes about 2 minutes to complete. This time might vary depending on the number of clusters and nodes in your environment.

Verification
  1. In the RHACS portal, click Configuration Management.

  2. In the CIS Kubernetes v1.5 widget, click Scan.

  3. RHACS displays a message which indicates that a compliance scan is in progress.

Viewing the compliance standards across your environment

The compliance dashboard gives you an overview of the compliance standards in all clusters, namespaces, and nodes in your environment, including charts and options to investigate potential compliance issues.

You can view the compliance scan results for an individual cluster, namespace, or node. You can also generate reports on the compliance status of your containerized environment.

Procedure
  • In the RHACS portal, click Compliance → Dashboard.

    When you open the compliance dashboard for the first time, you see the dashboard is empty. Perform a compliance scan to fill the dashboard with data.

Compliance dashboard overview

After you have performed a compliance scan, the compliance dashboard displays the results as the compliance status for your environment. You can view compliance violations directly from the dashboard. To find out if your environment is compliant against specific benchmarks, filter the detailed view and drill down into the compliance standards.

You can use the shortcuts located at the upper right of the compliance dashboard to check the compliance status of clusters, namespaces, and nodes. By clicking these shortcuts, you can view the compliance snapshot and generate reports on the overall compliance of your clusters, namespaces, or nodes.

Viewing the compliance status for clusters

By viewing the compliance status for clusters, you can monitor and ensure that your clusters adhere to the required compliance standards.

You can view the compliance status for all clusters or an individual cluster in the compliance dashboard.

Procedure
  • To view the compliance status for all clusters in your environment:

    • In the RHACS portal, click Compliance → Dashboard → clusters tab.

  • To view the compliance status for a specific cluster in your environment, perform the following steps:

    • In the RHACS portal, click Compliance → Dashboard.

    • Look for the Passing standards by cluster widget.

    • In this widget, click a cluster name to view its compliance status.

Viewing the compliance status for namespaces

By viewing the compliance status for namespaces, you can monitor and ensure that each namespace adheres to the required compliance standards.

You can view the compliance status for all namespaces or a single namespace in the compliance dashboard.

Procedure
  • To view the compliance status for all namespaces in your environment:

    • In the RHACS portal, click Compliance → Dashboard → namespaces tab.

  • To view the compliance status for a specific namespace in your environment, perform the following steps:

    • In the RHACS portal, click Compliance → Dashboard → namespaces tab.

    • In the Namespaces table, click a namespace. A side panel opens on the right.

    • In the side panel, click the name of the namespace to view its compliance status.

Viewing the compliance status for a specific standard

By viewing the compliance status for a specific standard, you can ensure that your environment adheres to industry and regulatory compliance requirements.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) supports the NIST, PCI DSS, HIPAA, CIS for Kubernetes, and CIS for Docker compliance standards. You can view all the compliance controls for a single compliance standard.

Procedure
  1. In the RHACS portal, click Compliance → Dashboard.

  2. Look for the Passing standards across clusters widget.

  3. Click a standard to view information about all the controls associated with that standard.

    Many of the controls in CIS Docker refer to the configuration of the Docker engine on each Kubernetes node. Many CIS Docker controls are also best practices for building and using containers, and RHACS has policies to enforce their use.

    For more information, see "Managing security policies".

Viewing the compliance status for a specific control

By viewing the compliance status for a specific control, you can ensure that your environment meets detailed compliance requirements.

You can view the compliance status for a specific control for a selected standard.

Procedure
  1. In the RHACS portal, click Compliance → Dashboard.

  2. Look for the Passing standards by cluster widget.

  3. Click a standard to view information about all the controls associated with that standard.

  4. In the Controls table, click a control. A side panel opens on the right.

  5. In the side panel, click the name of the control to view its details.

Limiting the amount of data visible in the compliance dashboard

By filtering the compliance data, you can focus your attention on a subset of clusters, industry standards, passed or failed controls, and limit the amount of data visible in the compliance dashboard.

Procedure
  1. In the RHACS portal, click Compliance → Dashboard.

  2. Click either the clusters, namespaces, or nodes tab to open the details page.

  3. Enter your filtering criteria in the search bar, and then click Enter.

Tracking the compliance status of your environment

By generating compliance reports, you can keep track of the compliance status of your environment. You can use these reports to convey compliance status across various industry mandates to other stakeholders.

You can generate the following reports:

  • Executive reports that focus on the business aspect and include charts and a summary of the compliance status in PDF format.

  • Evidence reports that focus on the technical aspect and contain detailed information in CSV format.

Procedure
  1. In the RHACS portal, click Compliance → Dashboard.

  2. Click the Export tab to do any of the following tasks:

    • To generate an executive report, select Download Page as PDF.

    • To generate an evidence report, select Download Evidence as CSV.

      The Export option appears on all compliance pages and filtered views.

Evidence reports

You can export comprehensive compliance-related data from Red Hat Advanced Cluster Security for Kubernetes (RHACS) in CSV format as an evidence report. This evidence report contains detailed information about the compliance assessment, and is tailored for technical roles, such as compliance auditors, DevOps engineers, or security practitioners.

An evidence report contains the following information:

Each row of the CSV file has the following fields:

  • Standard: The compliance standard, for example, CIS Kubernetes.

  • Cluster: The name of the assessed cluster.

  • Namespace: The name of the namespace or project where the deployment exists.

  • Object Type: The Kubernetes entity type of the object. For example, node, cluster, DaemonSet, Deployment, or StaticPod.

  • Object Name: The name of the object, which is a Kubernetes system-generated string that uniquely identifies the object. For example, gke-setup-dev21380-default-pool-8e086a77-1jfq.

  • Control: The control number as it appears in the compliance standard.

  • Control Description: A description of the compliance check that the control carries out.

  • State: Whether the compliance check passed or failed.

  • Evidence: The explanation of why a specific compliance check failed or passed.

  • Assessment Time: The time and date when you ran the compliance scan.
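As an added example that is not part of the RHACS documentation or product code, the following script parses an evidence report with the CSV columns listed above and rolls the per-check rows up into per-control results using the rule stated earlier: a control with several checks is marked Fail if any one of its checks fails. The sample CSV rows, including the cluster, object names, control numbers and descriptions, are constructed for illustration and are not taken from any benchmark.

```python
import csv
import io
from collections import defaultdict

# Constructed sample evidence report. The header matches the CSV fields
# documented above; every value below is made up for this example.
SAMPLE_EVIDENCE_CSV = """Standard,Cluster,Namespace,Object Type,Object Name,Control,Control Description,State,Evidence,Assessment Time
CIS Kubernetes,prod-east,,node,node-a,1.1.1,Constructed file permission check,Pass,Permissions are 600,2024-01-01T10:00:00Z
CIS Kubernetes,prod-east,,node,node-b,1.1.1,Constructed file permission check,Fail,Permissions are 644,2024-01-01T10:00:00Z
CIS Kubernetes,prod-east,,cluster,prod-east,1.2.1,Constructed API server flag check,Pass,Flag is set,2024-01-01T10:00:00Z
PCI DSS,prod-east,payments,Deployment,api-gateway,2.2,Constructed hardening check,Fail,Policy violated,2024-01-01T10:00:00Z
"""


def parse_evidence_report(text):
    """Parse an evidence report CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_fail(row):
    return row["State"].strip().lower() == "fail"


def control_states(rows):
    """Roll up check rows into one state per (standard, cluster, control).

    Applies the documented rule: if any check belonging to a control fails,
    the whole control is Fail; a control is Pass only if every check passed.
    """
    states = {}
    for row in rows:
        key = (row["Standard"], row["Cluster"], row["Control"])
        if _is_fail(row):
            states[key] = "Fail"
        elif key not in states:  # never downgrade an existing Fail to Pass
            states[key] = "Pass"
    return states


def failing_evidence(rows):
    """List (object type, object name, evidence) for every failed check,
    which is what an auditor needs to see to understand a Fail state."""
    return [(r["Object Type"], r["Object Name"], r["Evidence"]) for r in rows if _is_fail(r)]


def summary_by_standard(states):
    """Count passing and failing controls per standard."""
    summary = defaultdict(lambda: {"Pass": 0, "Fail": 0})
    for (standard, _cluster, _control), state in states.items():
        summary[standard][state] += 1
    return dict(summary)
```

Note that control 1.1.1 in the sample ends up Fail even though one of its two checks passed, which is exactly the behaviour the dashboard shows for controls with multiple checks.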

Supported benchmark versions

Red Hat Advanced Cluster Security for Kubernetes (RHACS) supports compliance checks against the following industry standards and regulatory frameworks:

  • CIS Benchmarks (Center for Internet Security) for Docker and Kubernetes: CIS Kubernetes v1.5.0 and CIS Docker v1.2.0

  • HIPAA (Health Insurance Portability and Accountability Act): HIPAA 164

  • NIST (National Institute of Standards and Technology): NIST Special Publication 800-190 and 800-53 Rev. 4

  • PCI DSS (Payment Card Industry Data Security Standard): PCI DSS 3.2.1