By using Red Hat Advanced Cluster Security for Kubernetes you can assess, check, and report on the compliance status of your containerized infrastructure. You can run out-of-the-box compliance scans based on industry standards including:

  • CIS Benchmarks (Center for Internet Security) for Docker and Kubernetes

  • HIPAA (Health Insurance Portability and Accountability Act)

  • NIST Special Publication 800-190 and 800-53 (National Institute of Standards and Technology)

  • PCI DSS (Payment Card Industry Data Security Standard)

By scanning your environment based on these standards you can:

  • Evaluate your infrastructure for regulatory compliance.

  • Harden your Docker Engine and Kubernetes orchestrator.

  • Understand and manage the overall security posture of your environment.

  • Get a detailed view of compliance status for clusters, namespaces, and nodes.

Viewing the compliance dashboard

The compliance dashboard provides a high-level view of the compliance standards across all clusters, namespaces, and nodes in your environment.

The compliance dashboard includes charts and provides options to investigate a potential problem with compliance mandates. You can navigate to compliance scan results for a single cluster, namespace, or a node. Moreover, you can generate reports on the state of compliance within your containerized environment.

Procedure
  • On the RHACS portal, select Compliance from the navigation menu.

The first time you open the Compliance dashboard you will see a blank dashboard. You must run a compliance scan to populate the dashboard.

Running a compliance scan

Running a compliance scan checks the compliance status for your entire infrastructure across all compliance standards. When you run a compliance scan, Red Hat Advanced Cluster Security for Kubernetes takes a data snapshot of your environment. The data snapshot includes alerts, images, network policies, deployments, and related host-based data. Central collects the host-based data from the Sensors running in your clusters. After that, Central collects more data from the compliance container running in each collector pod. The compliance container collects the following data about your environment:

  • Configurations for Docker Daemon, Docker image, and Docker container.

  • Information about Docker networks.

  • Command-line arguments and processes for Docker, Kubernetes, and OpenShift Container Platform.

  • Permissions of specific file paths.

  • Configuration files for the core Kubernetes and OpenShift Container Platform services.

After the data collection is complete, Central performs checks on the data to determine results. You can view the results from the compliance dashboard and also generate compliance reports based on the results.

In a compliance scan:

  • Control describes a single line item in an industry or regulatory compliance standard against which an auditor evaluates an information system for compliance with said standard. Red Hat Advanced Cluster Security for Kubernetes checks the evidence of compliance with a single control by completing one or more checks.

  • Check is a single test performed during a control assessment.

  • Some controls have multiple checks associated with them. If any of the checks associated with a control fails, the entire control is marked as Fail.

Procedure
  1. Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.

  2. Click Scan environment.

    Scanning the entire environment takes about 2 minutes to complete. This time might vary depending on the number of clusters and nodes in your environment.

Viewing compliance scan results

After you run a compliance scan, the compliance dashboard displays the results as the compliance status for your environment. You can view compliance violations directly from the dashboard, filter the details view, and drill down into compliance standards to understand whether your environment is compliant with specific benchmarks. This section explains how to view and filter compliance scan results.

You can use shortcuts to check the compliance status of clusters, namespaces, and nodes. Look for these shortcuts at the top of your compliance dashboard. By clicking these shortcuts you can view the compliance snapshot and generate reports on the overall compliance of your clusters, namespaces, or nodes.

Compliance status

Status   Description
Fail     The compliance check failed.
Pass     The compliance check passed.
N/A      Red Hat Advanced Cluster Security for Kubernetes skipped the check because it was not applicable.
Info     The compliance check gathered data, but Red Hat Advanced Cluster Security for Kubernetes could not make a Pass or Fail determination.
Error    The compliance check failed due to a technical issue.

Viewing compliance status for clusters

You can view compliance status for all clusters or a single cluster from the compliance dashboard.

Procedure
  • To view compliance status for all clusters in your environment:

    1. Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.

    2. Click Clusters on the compliance dashboard.

  • To view compliance status for a specific cluster in your environment:

    1. Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.

    2. On the compliance dashboard, look for the Passing standards by cluster widget.

    3. In this widget, click on a cluster name to view its compliance status.

Viewing compliance status for namespaces

You can view compliance status for all namespaces or a single namespace from the compliance dashboard.

Procedure
  • To view compliance status for all namespaces in your environment:

    1. Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.

    2. Click Namespaces on the compliance dashboard.

  • To view compliance status for a specific namespace in your environment:

    1. Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.

    2. Click Namespaces to open the namespaces details page.

    3. From the Namespaces table, click on a namespace. A side panel opens on the right.

    4. In the side panel, click on the name of the namespace to view its compliance status.

Viewing compliance status for a specific standard

Red Hat Advanced Cluster Security for Kubernetes supports the NIST, PCI DSS, HIPAA, CIS for Kubernetes, and CIS for Docker compliance standards. You can view all the compliance controls for a single compliance standard.

Procedure
  1. Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.

  2. On the compliance dashboard, look for the Passing standards by cluster widget.

  3. In this widget, click on a standard to view information about all the controls associated with that standard.

Viewing compliance status for a specific control

You can view compliance status for a specific control for a selected standard.

Procedure
  1. Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.

  2. On the compliance dashboard, look for the Passing standards by cluster widget.

  3. In this widget, click on a standard to view information about all the controls associated with that standard.

  4. From the Controls table, click on a control. A side panel opens on the right.

  5. In the side panel, click on the name of the control to view its details.

Filtering compliance status

Red Hat Advanced Cluster Security for Kubernetes search makes it easy to filter different combinations of data from the compliance dashboard. To focus your attention on a subset of clusters, industry standards, or passing or failing controls, you can narrow the scope of the data visible on the compliance dashboard.

Procedure
  1. Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.

  2. On the compliance dashboard, select Clusters, Namespaces, or Nodes to open the details page.

  3. Enter your filtering criteria in the search bar and then press Enter.

Generating compliance reports

Red Hat Advanced Cluster Security for Kubernetes enables you to generate reports to keep track of the compliance status of your environment. You can use these reports to convey compliance status across various industry mandates to other stakeholders.

You can generate:

  • Executive reports, which focus on the business aspect and include charts and a summary of compliance status, in PDF format.

  • Evidence reports, which focus on the technical aspect and include detailed information, in CSV format.

Procedure
  1. Navigate to the RHACS portal and open the compliance dashboard by selecting Compliance from the navigation menu.

  2. On the compliance dashboard, click Export on the top right side.

    • To generate an executive report, select Download page as PDF.

    • To generate an evidence report, select Download Evidence as CSV.

The Export option appears on all compliance pages and filtered views.

Evidence reports

You can export comprehensive compliance-related data from Red Hat Advanced Cluster Security for Kubernetes in CSV format as an evidence report. This evidence report contains detailed information about the compliance assessment, and it is tailored towards technical roles, such as compliance auditors, DevOps engineers, or security practitioners.

An evidence report contains the following information:

CSV field            Description
Standard             The compliance standard, for example, CIS Kubernetes.
Cluster              The name of the assessed cluster.
Namespace            The name of the namespace or project where the deployment exists.
Object Type          The Kubernetes entity type of the object, for example, node, cluster, DaemonSet, Deployment, or StaticPod.
Object Name          The name of the object, a system-generated Kubernetes string that uniquely identifies the object. For example, gke-setup-dev21380-default-pool-8e086a77-1jfq.
Control              The control number as it appears in the compliance standard.
Control Description  The description of the compliance check that the control carries out.
State                Whether the compliance check passed or failed, for example, Pass or Fail.
Evidence             The explanation of why a specific compliance check failed or passed.
Assessment Time      The time and date when you ran the compliance scan.
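As an added example (not code from the RHACS project or from this documentation), the following Python script parses an evidence report in the CSV layout described above and applies the control roll-up rule from the "Running a compliance scan" section: a control is marked Fail if any of its checks fails. The embedded CSV, the cluster and object names, the control numbers, descriptions and evidence strings are all constructed for the example; the `Mixed:` label the script assigns to a control whose checks disagree without any of them failing is this script's own choice, not an RHACS state.

```python
import csv
import io
from collections import Counter, defaultdict

# The five states the compliance dashboard reports for a single check.
STATES = ("Pass", "Fail", "N/A", "Info", "Error")

# Constructed sample evidence report. The header row uses the CSV fields the
# documentation lists; every value below (clusters, objects, control numbers,
# descriptions, evidence text, timestamps) is made up for this example.
SAMPLE_EVIDENCE_CSV = """\
Standard,Cluster,Namespace,Object Type,Object Name,Control,Control Description,State,Evidence,Assessment Time
CIS Kubernetes,prod-east,,node,node-a,1.1.1,Sample control: config file permissions,Pass,Permissions are 600,2024-01-15T10:00:00Z
CIS Kubernetes,prod-east,,node,node-b,1.1.1,Sample control: config file permissions,Fail,Permissions are 777,2024-01-15T10:00:00Z
CIS Kubernetes,prod-east,,cluster,prod-east,1.2.1,Sample control: anonymous auth,Pass,Anonymous auth is disabled,2024-01-15T10:00:00Z
CIS Docker,prod-east,,node,node-a,2.1,Sample control: inter-container traffic,Info,Docker daemon not present on node,2024-01-15T10:00:00Z
CIS Docker,prod-east,,node,node-b,2.1,Sample control: inter-container traffic,Pass,Inter-container traffic restricted,2024-01-15T10:00:00Z
PCI DSS,prod-east,payments,Deployment,checkout-api,1.1.4,Sample control: network segmentation,Fail,"No ingress network policy, deployment is reachable from any namespace",2024-01-15T10:00:00Z
PCI DSS,prod-east,payments,Deployment,ledger,1.1.4,Sample control: network segmentation,Pass,Ingress network policy present,2024-01-15T10:00:00Z
HIPAA 164,prod-east,,cluster,prod-east,308(a)(1),Sample control: risk analysis,N/A,Check not applicable to this cluster,2024-01-15T10:00:00Z
"""

# Fields this script reads; the report may carry more.
REQUIRED_FIELDS = ("Standard", "Cluster", "Object Type", "Object Name",
                   "Control", "State", "Evidence")


def parse_evidence_report(csv_text):
    """Parse an evidence report and validate the header and State values."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    header = set(rows[0].keys()) if rows else set()
    missing = [f for f in REQUIRED_FIELDS if f not in header]
    if missing:
        raise ValueError(f"evidence report is missing fields: {missing}")
    for row in rows:
        if row["State"] not in STATES:
            raise ValueError(f"unknown State {row['State']!r} for control {row['Control']}")
    return rows


def roll_up_controls(rows):
    """Derive one state per (standard, cluster, control) from its check rows.

    Documented rule: a control with any failing check is Fail. The documentation
    gives no precedence for the other states, so this script (an assumption, not
    RHACS behaviour) reports a state shared by every check as-is and otherwise a
    'Mixed:' label listing the states, leaving the decision to a human reviewer.
    """
    grouped = defaultdict(list)
    for row in rows:
        grouped[(row["Standard"], row["Cluster"], row["Control"])].append(row["State"])
    control_states = {}
    for key, states in grouped.items():
        distinct = sorted(set(states))
        if "Fail" in distinct:
            control_states[key] = "Fail"
        elif len(distinct) == 1:
            control_states[key] = distinct[0]
        else:
            control_states[key] = "Mixed:" + "/".join(distinct)
    return control_states


def summarize_by_standard(control_states):
    """Count control-level states per standard, like a dashboard summary widget."""
    summary = defaultdict(Counter)
    for (standard, _cluster, _control), state in control_states.items():
        summary[standard][state] += 1
    return {standard: dict(counts) for standard, counts in summary.items()}


def failing_evidence(rows):
    """List the failed checks together with the evidence an auditor reads first."""
    return [
        (r["Standard"], r["Cluster"], r["Control"], r["Object Type"], r["Object Name"], r["Evidence"])
        for r in rows
        if r["State"] == "Fail"
    ]


if __name__ == "__main__":
    report_rows = parse_evidence_report(SAMPLE_EVIDENCE_CSV)
    states = roll_up_controls(report_rows)
    for standard, counts in sorted(summarize_by_standard(states).items()):
        print(f"{standard}: {counts}")
    for item in failing_evidence(report_rows):
        print("FAIL", *item, sep=" | ")
```

To run it against a real export, replace `SAMPLE_EVIDENCE_CSV` with the contents of the downloaded CSV file; the header check fails fast if the export does not carry the fields listed above, and an unexpected State value is rejected rather than silently counted.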

Supported benchmark versions

Red Hat Advanced Cluster Security for Kubernetes supports compliance checks against the following industry standards and regulatory frameworks:

Benchmark                                                                  Supported version
CIS Benchmarks (Center for Internet Security) for Docker and Kubernetes    CIS Kubernetes v1.5.0 and CIS Docker v1.2.0
HIPAA (Health Insurance Portability and Accountability Act)                HIPAA 164
NIST (National Institute of Standards and Technology)                      NIST Special Publication 800-190 and 800-53 Rev. 4
PCI DSS (Payment Card Industry Data Security Standard)                     PCI DSS 3.2.1