What can organizations who use RedHat OpenShift via IBM Cloud Paks do to ensure regulatory readiness, or compliance before they deploy into production?

Information Security (InfoSec)

Organizations have to report compliance to ensure security measures are adhered to based on industry regulations, CIS benchmarks or client contract requirements that will determine what is required. A few examples of these are GDPR, HiPAA & PCI.

For customers using RedHat Openshift via Cloud Paks for modernizing apps & workloads, there are a few solutions from RedHat that can assist with compliance. Support is included within RedHat subscription which in each Cloud Pak is an entitlement to Red Hat OpenShift Container Platform.

1. RedHat OpenShift Compliance Operator which gives admins ability to identify compliance issues, identify gaps & remediation options through a compliance scan & report. The primary focus is RHEL OS and OCP and Kubernetes for scanning and monitors at the node level using OpenSCAP-an NIST certified tool.

• When you first install , there are information & profiles available related to compliance benchmarks that can be accessed through commands:
• View Available Profiles: oc get -n <namespace> profiles.compliance
• Details of a Profile: oc get -n <namespace> -oyaml profiles.compliance <profile name>

Example Output:

2. File Operator continually runs file integrity checks on cluster nodes and provide a log of files that have been modified. It deploys a daemon set that initializes and runs privileged advanced intrusion detection environment (AIDE) containers on each node, providing a status object with a log of files that are modified during the initial run of the daemon set pods. Admin is required for this operation. This operator goes deeper as compliance operator does not look at files, it runs a trigger for file changes at the node level.

Sample installation commands:

• Create a Namespace object YAML file by running: $ oc create -f <file-name>.yaml
• Create the OperatorGroup object YAML file: $ oc create -f <file-name>.yaml
• Create the Subscription object YAML file: $ oc create -f <file-name>.yaml

Sample output from Subscription object YAML creation:

I hope this blog was informative & helped to demystify compliance for RedHat OpenShift.

Resources:

Installation: https://docs.openshift.com/container-platform/4.7/security/compliance_operator/compliance-operator-installation.html

Understanding RHCOP Compliance Operator: https://docs.openshift.com/container-platform/4.7/security/compliance_operator/compliance-operator-understanding.html

Installing File Integrity Operator: https://docs.openshift.com/container-platform/4.7/security/file_integrity_operator/file-integrity-operator-installation.html

Understanding File Integrity Operator: https://docs.openshift.com/container-platform/4.7/security/file_integrity_operator/file-integrity-operator-understanding.html