Learn how to use the Configuration Management view and understand the correlation between various entities in your cluster to manage your cluster configuration efficiently.

Every OpenShift Container Platform cluster includes many different entities distributed throughout the cluster, which makes it more challenging to understand and act on the available information.

Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides efficient configuration management that combines all these distributed entities on a single page. It brings together information about all your clusters, namespaces, nodes, deployments, images, secrets, users, groups, service accounts, and roles in a single Configuration Management view, helping you visualize different entities and the connections between them.

Using the Configuration Management view

To open the Configuration Management view, select Configuration Management from the left-hand navigation menu. Similar to the Dashboard, it displays some useful widgets.

These widgets are interactive and show the following information:

  • Security policy violations by severity

  • The state of CIS (Center for Information Security) Docker and Kubernetes benchmark controls

  • Users with administrator rights in the most clusters

  • Secrets used most widely in your clusters

The header in the Configuration Management view shows you the number of policies and CIS controls in your cluster. The header includes drop-down menus that allow you to switch between entities. For example, you can:

  • Click Policies to view all policies and their severity, or select CIS Controls to view detailed information about all controls.

  • Click Application and Infrastructure and select clusters, namespaces, nodes, deployments, images, and secrets to view detailed information.

  • Click RBAC Visibility and Configuration and select users and groups, service accounts, and roles to view detailed information.

Identifying misconfigurations in Kubernetes roles

You can use the Configuration Management view to identify potential misconfigurations, such as users, groups, or service accounts granted the cluster-admin role, or roles that are not granted to anyone.

Finding Kubernetes roles and their assignment

Use the Configuration Management view to get information about which Kubernetes roles are assigned to specific users and groups.

Procedure
  1. Navigate to the RHACS portal and click Configuration Management from the left-hand navigation menu.

  2. Select RBAC Visibility and Configuration → Users and Groups from the header in the Configuration Management view. The Users and Groups view displays a list of Kubernetes users and groups, their assigned roles, and whether the cluster-admin role is enabled for each of them.

  3. Select a user or group to view more details about the associated cluster and namespace permissions.

Finding service accounts and their permissions

Use the Configuration Management view to find out where service accounts are in use and their permissions.

Procedure
  1. Navigate to the RHACS portal and click Configuration Management from the left-hand navigation menu.

  2. Select RBAC Visibility and Configuration → Service Accounts from the header in the Configuration Management view. The Service Accounts view displays a list of Kubernetes service accounts across your clusters, their assigned roles, whether the cluster-admin role is enabled, and which deployments use them.

  3. Select a row or an underlined link to view more details, including which cluster and namespace permissions are granted to the selected service account.

Finding unused Kubernetes roles

Use the Configuration Management view to get more information about your Kubernetes roles and find unused roles.

Procedure
  1. Navigate to the RHACS portal and click Configuration Management from the left-hand navigation menu.

  2. Select RBAC Visibility and Configuration → Roles from the header in the Configuration Management view. The Roles view displays a list of Kubernetes roles across your clusters, the permissions they grant, and where they are used.

  3. Select a row or an underlined link to view more details about the role.

  4. To find roles not granted to any users, groups, or service accounts, select the Users & Groups column header. Then select the Service Account column header while holding the Shift key. The list shows the roles that are not granted to any users, groups, or service accounts.
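The two role misconfigurations described in this section (subjects granted cluster-admin, and roles granted to no one) can also be cross-checked directly against the Kubernetes RBAC objects. The following is an added example, not RHACS code or part of the original documentation; the function names are hypothetical and the sample objects are constructed.

```python
# Added example: cross-check RBAC findings outside the RHACS portal.
# SAMPLE is constructed data in the shape of the "items" returned by
# `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"}},
    {"kind": "ClusterRole", "metadata": {"name": "legacy-auditor"}},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "payments"}},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "staging"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "ci"},
                  {"kind": "Group", "name": "platform-ops"}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "stale", "namespace": "staging"},
     "roleRef": {"kind": "Role", "name": "pod-reader"}},  # binding with no subjects
]

def _role_key(binding):
    """Return (kind, namespace, name) of the role a binding refers to."""
    ref = binding["roleRef"]
    # A Role reference resolves in the binding's own namespace; a ClusterRole has none.
    ns = binding["metadata"].get("namespace") if ref["kind"] == "Role" else None
    return (ref["kind"], ns, ref["name"])

def cluster_admin_subjects(items):
    """Subjects granted cluster-admin cluster-wide, that is, through a ClusterRoleBinding."""
    found = set()
    for obj in items:
        # A RoleBinding to cluster-admin only applies inside one namespace, so skip it here.
        if obj["kind"] == "ClusterRoleBinding" and obj["roleRef"]["name"] == "cluster-admin":
            for s in obj.get("subjects") or []:
                found.add((s["kind"], s.get("namespace"), s["name"]))
    return sorted(found, key=str)

def unused_roles(items):
    """Roles and ClusterRoles that no binding grants to any subject."""
    granted = {_role_key(o) for o in items
               if o["kind"] in ("ClusterRoleBinding", "RoleBinding") and o.get("subjects")}
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"])
             for o in items if o["kind"] in ("ClusterRole", "Role")}
    return sorted(roles - granted, key=str)

if __name__ == "__main__":
    print("cluster-admin subjects:", cluster_admin_subjects(SAMPLE))
    print("unused roles:", unused_roles(SAMPLE))
```

ClusterRoles that exist only to be aggregated into other ClusterRoles have no bindings of their own and will appear in the unused list, so review them before removal.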

Viewing Kubernetes secrets

View Kubernetes secrets in use in your environment and identify deployments using those secrets.

Procedure
  1. Navigate to the RHACS portal and click Configuration Management from the left-hand navigation menu.

  2. On the Secrets Most Used Across Deployments widget, select View All. The Secrets view displays a list of Kubernetes secrets.

  3. Select a row to view more details.

Use the available information to identify if the secrets are in use in deployments where they are not needed.

Finding policy violations

The Policy Violations by Severity widget in the Configuration Management view displays policy violations in a sunburst chart. Each level of the chart is represented by one ring or circle.

  • The innermost circle represents the total number of violations.

  • The next ring represents the Low, Medium, High, and Critical policy categories.

  • The outermost ring represents individual policies in a particular category.

The Configuration Management view only shows the information about policies that have the Lifecycle Stage set to Deploy. It does not include policies that address runtime behavior or those configured for assessment in the Build stage.

Procedure
  1. Navigate to the RHACS portal and click Configuration Management from the left-hand navigation menu.

  2. On the Policy Violations by Severity widget, move your mouse over the sunburst chart to view details about policy violations.

  3. Select n rated as high, where n is a number, to view detailed information about high-priority policy violations. The Policies view displays a list of policy violations filtered on the selected category.

  4. Select a row to view more details, including policy description, remediation, deployments with violations, and more. The details are visible in a panel.

  5. The Policy Findings section in the information panel lists deployments where these violations occurred.

  6. Select a deployment under the Policy Findings section to view related details including Kubernetes labels, annotations, service account, and violation comments and tags.

You can use the detailed information to plan a remediation for violations.

Commenting and tagging on policy violations

You can use comments and tags to specify what is happening with violations to keep your team up to date. Comments allow you to add text notes to violations and tags allow you to categorize your violations.

Adding comments

Comments allow you to add text notes to violations, so that everyone in the team can check what is happening with a violation.

Prerequisites
  • To add and remove comments, you need a role with write permission for the resource you are modifying. For example, to add comments on violations, your role must have write permission for the Alert resource.

  • To delete comments from other users, you need a role with write permission for the AllComments resource.

    You can edit and delete your own comments.

Procedure
  1. Click New in the Violations Comments section header.

  2. Enter your comment in the comment editor. You can also add links in the comment editor. When someone clicks on the link in a comment, the linked resource opens in a new tab in their browser.

  3. Click Save.

All comments are visible under the Violations Comments section, and you can edit and delete comments by selecting the Edit or Delete icon for a specific comment.

Adding tags

You can use custom tags to categorize your violations. Then you can filter the Violations view to show violations for selected tags (Tag attribute).

Prerequisites
  • To add and remove tags, you need a role with write permission for the resource you are modifying. For example, to add tags on violations, your role must have write permission for the Alert resource.

  • To delete tags from other users, you need a role with write permission for the AllComments resource.

    You can edit and delete your own tags.

Procedure
  1. Select the drop-down menu in the Violation Tags section. Existing tags appear as a list (up to 10).

  2. Click on an existing tag or enter a new tag and then press Enter. As you enter your query, Red Hat Advanced Cluster Security for Kubernetes automatically displays relevant suggestions for the existing tags that match.

You can add more than one tag for a violation. All tags are visible under the Violation Tags section and you can remove tags by clicking on the Remove icon for a specific tag.

Finding failing CIS controls

Similar to the Policy Violations sunburst chart in the Configuration Management view, the CIS controls widget provides information about failing Center for Information Security (CIS) controls.

Each level of the chart is represented by one ring or circle.

  • The innermost circle represents the percentage of failing controls.

  • The next ring represents the control categories.

  • The outermost ring represents individual controls in a particular category.

Procedure
  1. Select CIS Docker v1.2.0 from the header of the CIS controls widget. Use this to switch between CIS Docker and Kubernetes controls.

  2. Hover over the sunburst chart to view details about failing controls.

  3. Select n controls failing, where n is a number, to view detailed information about failing controls. The Controls view displays a list of failing controls filtered based on the compliance state.

  4. Select a row to view more details, including control descriptions and nodes where the controls are failing.

  5. The Control Findings section in the information panel lists nodes where the controls are failing. Select a row to view more details, including Kubernetes labels, annotations, and other metadata.

You can use the detailed information to focus on a subset of nodes, industry standards, or failing controls. You can also assess, check, and report on the compliance status of your containerized infrastructure.