1. Documentation
    2. history bug_report picture_as_pdf
×

Using the Compliance Operator with Red Hat Advanced Cluster Security for Kubernetes

You can configure RHACS to use the Compliance Operator for compliance reporting and remediation with OpenShift Container Platform clusters. Results from the Compliance Operator can be reported in the RHACS Compliance Dashboard.

Installing the Compliance Operator

Install the Compliance Operator using Operator Hub.

If you install the Compliance Operator after Sensor is fully operational, you must restart Sensor in the secured cluster.

For more information about restarting Sensor, see "Restarting Sensor in the secured cluster" in the "Additional resources" section.
Procedure

  1. In the web console, go to the OperatorsOperatorHub page.

  2. Enter compliance operator into the Filter by keyword box to find the Compliance Operator.

  3. Select the Compliance Operator to view the details page.

  4. Read the information about the Operator, and then click Install.

Next steps
Additional resources

Restarting Sensor in the secured cluster

If you installed the Compliance Operator before installing RHACS, you need to restart Sensor in the secured cluster either by using the command-line interface (CLI) or the user interface (UI).

Procedure

  • To restart Sensor from the CLI, run the following command:

    $ oc -n stackrox delete pod -lapp=sensor

  • To restart Sensor from the UI, perform the following steps:

    1. Change the active project to stackrox.

    2. Go to Workloads → Pods.

    3. Locate the pod with the name starting with sensor-, and then click Actions → Delete Pod.

Configuring the ScanSettingBinding object

Create a ScanSettingBinding object in the openshift-compliance namespace to scan the cluster by using the cis and cis-node profiles.

  • If you are using the compliance 2.0 feature, you can schedule your scan by using RHACS to create a compliance scan schedule instead of creating the ScanSettingBinding on the Compliance Operator.

    For more information about scheduling a compliance scan by using the compliance 2.0 feature, see "Creating a compliance scan schedule" in the "Additional resources” section.

  • This example uses ocp4-cis and ocp4-cis-node profiles, but OpenShift Container Platform provides additional profiles. See "Understanding the Compliance Operator" in the "Additional resources" section for more information.

Compliance 2.0 is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Procedure

Select one of the following options:

  • Use the CLI to create the YAML file and object. For example:

    1. Create a file called sscan.yaml using the following text:

      apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
profiles:
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1

    2. Create the ScanSettingBinding object by running the following command:

      $ oc create -f sscan.yaml -n openshift-compliance

      If successful, the following message is displayed:

      $ scansettingbinding.compliance.openshift.io/cis-compliance created

  • Use the web console to create the object by performing the following steps:

    1. Change the active project to openshift-compliance.

    2. Click + to open the Import YAML page.

    3. Paste the YAML from the previous example and then click Create.

Verification

  1. Run a compliance scan in RHACS.

    For more information about running a compliance scan by using the compliance 1.0 feature, see "Running a compliance scan" in the "Additional resources" section.

  2. Ensure that ocp4-cis and ocp4-cis-node results are displayed.

Additional resources