You can get the Policy Compliance (PC) report for Red Hat OpenShift Container Platform 4.x using either of the following two methods:
Scan the bastion host that can connect to the Red Hat OpenShift Container Platform cluster API server. You can use a Qualys Scanner or the Qualys Linux Cloud Agent.
Scan one of the master/worker nodes in the Red Hat OpenShift Container Platform. To do so, deploy the Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS; the Cloud Agent runs as a container in the Red Hat OpenShift Container Platform.
In both cases the PC scan relies on the oc command and on the /root/.kube/config file on the scanned host, so both the CLI and a valid kubeconfig for the cluster must be present there.
Prerequisites:
Install the oc CLI client on the host.
Create a service account and assign the cluster-admin role to this account.
cluster-admin is a default cluster-wide role that can perform any action on any resource. Use a service account rather than a regular user account to launch the Red Hat OpenShift Container Platform scan, so that the token stored in the kubeconfig does not expire before the scan runs: the default lifetime of a regular user's login token is 24 hours. Because the token grants cluster-admin, treat /root/.kube/config as a cluster-wide credential: keep it readable by root only and remove it from the host when the scan is no longer needed.
Run the "oc login --token=*** --server=https***" command using the host's root account.
The command stores the server and access token information in /root/.kube/config. If you do not want to run "oc login --token=*** --server=https***", you can instead copy the oc profile config file directly to /root/.kube/config. Ensure that the file is owned by root with permission 600.
You can verify the setup with the following commands from the host's root account. The scan detects Red Hat OpenShift Container Platform 4.x by the presence of a "Server Version: 4.x" line in the oc version output; if that line is missing, oc could not reach the API server with the stored credentials and the cluster will not be found.
which oc
oc version
With a valid /root/.kube/config in place, oc reports both the client and the server version:
[root@OSCP-Cent76 ~]# which oc
/openshift/oc
[root@OSCP-Cent76 ~]# oc version
Client Version: 4.7.16
Server Version: 4.7.16
Kubernetes Version: v1.20.0+2817867
Without a kubeconfig, only the client version is printed; the Server Version line that the scan keys on is missing:
[root@OSCP-Cent76 ~]$ oc version
Client Version: 4.7.16
Kubernetes Version: v1.20.0+2817867
After the profile config file is copied into place, the server version appears again:
[root@OSCP-Cent76 ~]$ cp config .kube/config
[root@OSCP-Cent76 ~]$ oc version
Client Version: 4.7.16
Server Version: 4.7.16
Kubernetes Version: v1.20.0+2817867
[root@OSCP-Cent76 ~]$
A quick check that the token can actually read cluster objects (here the kube-scheduler pods on the three masters):
[root@OSCP-Cent76 ~]$ oc get pods -n openshift-kube-scheduler -l app=openshift-kube-scheduler -o name
pod/openshift-kube-scheduler-ocp01-l2v9s-master-0
pod/openshift-kube-scheduler-ocp01-l2v9s-master-1
pod/openshift-kube-scheduler-ocp01-l2v9s-master-2
Example login command (token redacted) and the /root/.kube/config it produces; values in angle brackets are placeholders:
oc login --server=https://api.ocp01.oscp.rdlab.qualys.dev:6443 --token=<token>
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: >-
      <data>
    server: '<server>:6443'
  name: '<name>:6443'
contexts:
- context:
    cluster: '<cluster>:6443'
    namespace: default
    user: ahutest
  name: ahutest
current-context: ahutest
kind: Config
preferences: {}
users:
- name: ahutest
  user:
    token: >-
      <token>
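The prerequisite and verification steps above, collected into one preflight script. This is an added example written for this page, not Qualys or Red Hat code: the namespace and service-account name qualys-pc-scan are assumptions chosen for illustration, and the check functions read oc output from stdin so they can be exercised against captured text without a cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the Qualys page: preflight for a host that will be
# scanned for Red Hat OpenShift Container Platform 4.x policy compliance.
# Namespace/service-account name "qualys-pc-scan" is an assumption.
set -u

# The scan keys on a "Server Version: 4.x" line in `oc version` output.
# Reads the output from stdin so it can be checked against captured text.
ocp4_detected() {
  grep -Eq '^Server Version: 4\.'
}

# Prints the reported server version (empty when oc could not reach the API).
ocp_server_version() {
  sed -n 's/^Server Version: //p'
}

# The kubeconfig carries a cluster-admin token: it must exist and be mode 0600.
kubeconfig_perms_ok() {
  local f="$1" mode
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = "600" ]
}

# One-time setup, run while already logged in as a cluster admin: create the
# scan service account, bind cluster-admin to it and print its token.
create_scan_sa() {
  local ns="${1:-qualys-pc-scan}" sa="${2:-qualys-pc-scan}"
  oc get ns "$ns" >/dev/null 2>&1 || oc create ns "$ns"
  oc create sa "$sa" -n "$ns"
  oc adm policy add-cluster-role-to-user cluster-admin -z "$sa" -n "$ns"
  # oc 4.10 and earlier: long-lived secret-backed service-account token.
  # oc 4.11 and later: `oc create token "$sa" -n "$ns" --duration=<d>` issues a
  # bound token that expires after <d> (capped by the API server), so re-issue
  # it shortly before the scan if you use that path.
  oc serviceaccounts get-token "$sa" -n "$ns"
}

# Checks to run on the scan host as root before launching the PC scan.
preflight() {
  local cfg="${1:-/root/.kube/config}" out
  command -v oc >/dev/null 2>&1 || { echo "oc not found in PATH" >&2; return 1; }
  kubeconfig_perms_ok "$cfg" || { echo "$cfg missing or not mode 0600" >&2; return 1; }
  out=$(KUBECONFIG="$cfg" oc version 2>/dev/null)
  printf '%s\n' "$out" | ocp4_detected \
    || { echo "no 'Server Version: 4.x' line; check server/token in $cfg" >&2; return 1; }
  echo "OpenShift $(printf '%s\n' "$out" | ocp_server_version) reachable"
  # The token must be able to read cluster-scoped objects; the control-plane
  # scheduler pods are a cheap probe.
  KUBECONFIG="$cfg" oc get pods -n openshift-kube-scheduler \
      -l app=openshift-kube-scheduler -o name >/dev/null \
    || { echo "token cannot list openshift-kube-scheduler pods" >&2; return 1; }
}

case "${1:-}" in
  setup)     shift; create_scan_sa "$@" ;;
  preflight) shift; preflight "$@" ;;
esac
```

Run `bash preflight.sh setup` once from an admin session to create the account and capture its token for oc login, then `bash preflight.sh preflight` as root on the scan host; a non-zero exit points at the exact prerequisite that is missing (oc, kubeconfig permissions, API reachability, or token privileges).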