Evaluate the compliance of your Red Hat OpenShift on IBM Cloud clusters
By using the OpenShift Compliance Operator (OSCO) through Security and Compliance Center, you can run scans to validate your level of compliance to a grouping of controls, also known as a profile. In this scenario, you configure your cluster to be able to run the OSCO scan.
Before you begin
Before you get started with this tutorial, be sure you have the prerequisites:
- An IBM Cloud account
- A Red Hat OpenShift on IBM Cloud cluster
- The required user permissions:
  - Security and Compliance Center: the Compliance Management role. Needed to enable a service-to-service authorization. To view this role, you must be assigned the Administrator role for the service.
  - Red Hat OpenShift on IBM Cloud: the Manager role. Required to install OSCO.
Enable an authorization
To ensure that the services can talk with each other, create a service-to-service authorization between Security and Compliance Center and Kubernetes Service. To create this policy, you must have the Administrator platform role for the Security and Compliance Center service.
- In the IBM Cloud console, go to Manage > Access (IAM) and select Authorizations.
- Click Create.
- If you're working in an enterprise account, select the account that contains the cluster with OSCO deployed in it as the Source account.
- Select Security and Compliance Center in the Source drop-down and choose All resources as the scope.
- Select Kubernetes Service in the Target drop-down. Optionally, you can narrow the focus by selecting specific resources that you want to target.
- Select Platform access as Compliance Management and click Authorize.
If you are scanning Satellite resources, you must also enable an authorization for Satellite.
Install the OSCO
Before you can start evaluating your resources, the OSCO must be installed on your cluster. For help with installing it, see the documentation. When you deploy the OSCO, a bundle of predefined profiles is automatically installed and available for you to scan your resources with. In the next section, you select the profile that you want to use.
Scan your resources
To scan your resources, you create an attachment between the resource that you want to evaluate and the profile that you want to use to run the evaluation. To create an attachment, you can use the following steps.
- In the Profiles section of the UI, select IBM Cloud Red Hat OpenShift Kubernetes OCP4. A details page opens.
  Optionally, you can use the IBM Cloud Red Hat OpenShift Kubernetes OCP4 profile to create a custom profile with a subset of the controls.
- In the Attachments tab, click Create.
- Target your resources by selecting a Scope. Optionally, you can exclude portions of your selected scope to ensure that they are not included in your scan.
- Click Next.
- Unless your profile contains additional controls, you can skip the Parameters tab by clicking Next.
- Toggle Enable scan to On to ensure that the scan runs.
- Select the frequency at which you want to evaluate your resource. Options include Every day, Every 7 days, and Every 30 days.
- Optionally, you can enable notifications.
- Click Next. Review your selections and click Create.
Next steps
When the scan completes, your results become available in the Security and Compliance Center dashboard. Be sure to check back in a few hours to see the results that the scan returned.
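While you wait for the dashboard to populate, you can confirm on the cluster side that the OSCO scan actually produced results and see which checks failed. The script below is an added example, not part of the IBM Cloud documentation or the Compliance Operator project. It assumes the input is the JSON that `oc get compliancecheckresults -n openshift-compliance -o json` returns, where each ComplianceCheckResult item carries a top-level `status` (PASS, FAIL, MANUAL, and so on) and `severity` (high, medium, low); the check names and descriptions in the embedded sample are constructed for illustration.

```python
"""Summarize OpenShift Compliance Operator check results from `oc` JSON output.

Added example (not IBM Cloud or Compliance Operator code). Pipe the output of
`oc get compliancecheckresults -n openshift-compliance -o json` into this script,
or run it without input to use the constructed sample below.
"""
import json
import sys
from collections import Counter

# Constructed sample shaped like an `oc get ... -o json` List of ComplianceCheckResult
# objects. Check names, the scan name and descriptions are made up for illustration.
def _item(name, status, severity):
    return {
        "apiVersion": "compliance.openshift.io/v1alpha1",
        "kind": "ComplianceCheckResult",
        "metadata": {
            "name": name,
            "namespace": "openshift-compliance",
            "labels": {"compliance.openshift.io/scan-name": "example-scan"},
        },
        "status": status,
        "severity": severity,
        "description": "constructed sample check",
    }

SAMPLE_RESULTS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        _item("example-scan-check-a", "FAIL", "medium"),
        _item("example-scan-check-b", "PASS", "high"),
        _item("example-scan-check-c", "FAIL", "high"),
        _item("example-scan-check-d", "MANUAL", "low"),
        _item("example-scan-check-e", "FAIL", "low"),
    ],
})

# Rank used to filter and order failures; unknown severities sort last.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "unknown": 0}


def status_counts(raw_json):
    """Count check results by status (PASS, FAIL, MANUAL, ...)."""
    data = json.loads(raw_json)
    return Counter(item.get("status", "UNKNOWN") for item in data.get("items", []))


def failing_checks(raw_json, min_severity="low"):
    """Return (severity, name) pairs for every FAIL at or above min_severity.

    Results are ordered most severe first, then by name, so the list reads as a
    remediation queue.
    """
    data = json.loads(raw_json)
    threshold = SEVERITY_RANK[min_severity]
    failures = []
    for item in data.get("items", []):
        if item.get("status") != "FAIL":
            continue
        severity = str(item.get("severity", "unknown")).lower()
        if SEVERITY_RANK.get(severity, 0) >= threshold:
            failures.append((severity, item["metadata"]["name"]))
    failures.sort(key=lambda f: (-SEVERITY_RANK.get(f[0], 0), f[1]))
    return failures


def main():
    # Read real `oc` output from a pipe; fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESULTS
    counts = status_counts(raw)
    if not counts:
        print("no ComplianceCheckResult objects found: has the scan run yet?")
        return
    print("status counts:", dict(counts))
    for severity, name in failing_checks(raw, "medium"):
        print(f"FAIL [{severity}] {name}")


if __name__ == "__main__":
    main()
```

A MANUAL result is not a failure: it marks a control that the operator cannot evaluate automatically, so keep those in view separately rather than treating an all-PASS-or-MANUAL run as fully compliant.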