A Guide to OpenShift Compliance Operator Best Practices

Red Hat OpenShift is the leading application development platform for building and modernizing cloud-native applications. The platform addresses use cases for DevOps, DevSecOps, and hybrid cloud administration for cloud-native workloads running in any environment – on-prem, public or private cloud, at the edge, or a hybrid mix of all. Security and compliance is one of the core use cases for cloud-native application development, and Red Hat OpenShift has several capabilities to address the security challenges you will face when building, deploying, and running cloud-native apps. In addition to providing Advanced Cluster Security add-ons, Red Hat OpenShift has several built-in capabilities to ensure customers meet their security and compliance requirements. The Compliance Operator is one such capability that serves a critical function in Red Hat OpenShift.

The Compliance Operator allows administrators to describe the required compliance state of a cluster and provides them with an overview of gaps and ways to remediate them. By assessing the compliance of both the Kubernetes API resources of OpenShift, as well as the nodes running the cluster, the Compliance Operator is able to paint a full picture of the state of the cluster. The Compliance Operator uses OpenSCAP to scan and enforce security policies provided by the content. Backed by the compliance-as-code community, OpenSCAP is an open-source framework that helps organizations automate compliance assessments and achieve stronger security posture. 

Why compliance:

Compliance is critical for today’s businesses. Compliance is often a competitive advantage for organizations, as it leads to fewer regulatory fines, penalties, and negative headlines. Following these standards is often synonymous with having a product that is trusted, of high quality, and safe. That is on top of whatever reputational damages could befall the company if a security breach were to occur because it failed to adhere to the required compliance standards. 

Implementing the security controls outlined by a compliance standard is also just a good practice because it can help protect against data breaches. A good example for this is in 2017, an unpatched Apache Struts framework vulnerability allowed attackers to gain access to personal and financial information of millions of people. This eventually cost the company over $575 million dollars in fines and settlements. FTC Chairman Joe Simons said “[the company] failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”

The cost of non-compliance is nearly three times as high as the cost of compliance. As far back as 2018, the average cost of noncompliance was approximately $15 million dollars, with many facing hundreds of millions of dollars in fines, settlements, and legal fees, all because they were found non compliant with required standards.

Automating compliance auditing and reporting is critical in part due to the sheer number of compliance standards and potential for violations. There are industry specific standards to consider as well general frameworks and best practices mandated by various organizations for specific technologies. Below is a small sampling of these.

Compliance Operator best practices

Installation is easier when using the OperatorHub 

The Compliance Operator is easily installed through the OperatorHub using the web console, and is our recommended way for you to get started with the Compliance Operator. For a more manual process, the command line can also be used. For information on this method, check out the documentation

Use pre-built profiles to get started quickly

As mentioned previously, the Compliance Operator allows administrators to use profiles to make sure their deployments adhere to standards. As such, several profiles are available as part of the Compliance Operator installation. These profiles represent different compliance benchmarks. The naming conventions of these profiles reflect the product name that it applies to and the standard applied. For example, ocp4-CIS applies to the CIS Benchmark for OpenShift Container Platform 4.0 product, while ocp4-high applies the NIST 800-53 High-Impact Baseline for Red Hat OpenShift Container Platform 4.0.

Other profiles are also available for different benchmarks, such as the CIS benchmark, NERC CIP (the US and Canadian standards for power grids), and PCI DSS for Payment Cards. Equally important is that you can create a custom profile tailored to the needs of the business or environment, making this tool highly flexible. Like just about everything in Kubernetes, the Compliance Operator profiles are written in YAML, but the scans themselves require XCCDF. As such, the custom profiles need to be compiled into a Docker image. 

Customize pre-existing profiles to tailor them to your needs

While the Compliance Operator does come with predefined profiles, it may be necessary to create custom profiles to adhere to requirements of certain environments. This process is called “tailoring”. Any profile can be used as a base for a tailored profile, however the TailoredProfile object can be used to create a profile from scratch. Not only that, but if an organization has been using OpenSCAP in the past, they may already have some XCCDF profiles. These profiles can be reused with the Compliance Operator. The TailoringConfigMapattribute, found within the ComplianceSuite, can be configured to point to a config map which should have a key named tailoring.xml. This key value will be the tailoring content.

The Compliance Operator has a few different ways to see the results of scans. The first is inspecting the contents of the compliancecheckresults object using the oc get compliancecheckresults command. Most results will state either PASS or FAIL, however there may be results showing NOT APPLICABLE. This result will appear when a node does not run the workload this compliance scan is looking for and can be safely ignored. Another way of accessing the results is by way of the Advanced Cluster Security web console. More on this is mentioned later in this article. 

Consider using the auto remediation option when setting up a scan

Of course, scanning and being aware of compliance issues is not enough as the whole point is to rectify any issues encountered. This can be done easily with the Compliance Operator. The oc get complianceremediations is used to list the available remediations. If the option default-auto-apply was designated in the ScanSettings, the remediations will be automatically applied. If that option was not designated, the Compliance Operator will wait to be explicitly directed to apply the remediations. This can be done with the oc patch command. Please refer to the documentation for detailed instructions on remediation using the Compliance Operator. 

The CO’s subscription includes a specified update channel to track updates for the Operator. This value can be modified to track and receive updates from a newer channel. By default, the Compliance Operator will update automatically, however this can be modified to require manual approval before updating. This is most easily done within the OpenShift console in Operators -> Installed Operators -> Compliance Operator -> Subscription. 

Advanced Cluster Security makes Compliance Operator better

The Compliance Operator can be used in conjunction with other OpenShift tools, such as Red Hat Advanced Cluster Security (ACS). Compliance scans can be initiated via the ACS console where the results can be seen in a graphical format. By default, ACS will scan using all the default profiles that come with the Compliance Operator. By and large, using ACS can make compliance scanning and remediation much easier to the user. 

The Compliance Operator allows the checking of compliance status in a declarative way. Whether it be directly from the command line, or using the ACS web console, a cluster can be made compliant much more easily using the Compliance Operator than doing manual checks. As the Compliance Operator is available free of cost with all versions of OpenShift, it should be considered a must-have for all organizations working with containers. For a full-feature OpenShift implementation with multi-cluster security and management, you can get started with OpenShift Platform Plus, which includes OpenShift Container Platform and Advanced Cluster Security, as well as Advanced Cluster Management (ACM), Red Hat Quay, and Red Hat Data Foundations. 

Author avatar