Getting PC Report for Red Hat OpenShift Container Platform 4.x

You can get the Policy Compliance report for Red Hat OpenShift Container Platform 4.x using the following two methods:

The PC scan relies on the oc command and the /root/.kube/config file on the host.

Prerequisites:

  1. Install the oc CLI client on the host.

  2. Create a service account and assign the cluster-admin role to this account.
    The cluster-admin role is a default cluster-wide role and can perform any action on any resource. It is recommended to use a service account to launch the Red Hat OpenShift Container Platform scan, because the session token associated with this account will not expire. The default lifetime of a regular user account is 24 hours.

  3. Run the "oc login --token=***  --server=https***" command by using the host's root account.
    The command stores the server and access token information in /root/.kube/config. If you do not want to run "oc login --token=***  --server=https***", you can directly copy the oc profile config file to "/root/.kube/config". Ensure that the file permission is 600.

You can test the following commands with the host's root account. The "Server Version: 4.xxx" line in the "oc version" output is used as the indicator that Red Hat OpenShift Container Platform 4.x was found; if the line is missing, the host is not logged in to a cluster.

Example: Running "which oc" and "oc version" Commands

[root@OSCP-Cent76 ~]# which oc
/openshift/oc
[root@OSCP-Cent76 ~]# oc version
Client Version: 4.7.16
Server Version: 4.7.16
Kubernetes Version: v1.20.0+2817867

Example: Testing "Copying Config File to /root/.kube/config"

[root@OSCP-Cent76 ~]$ oc version
Client Version: 4.7.16
Kubernetes Version: v1.20.0+2817867
[root@OSCP-Cent76 ~]$ cp config .kube/config
[root@OSCP-Cent76 ~]$ oc version
Client Version: 4.7.16
Server Version: 4.7.16
Kubernetes Version: v1.20.0+2817867
[root@OSCP-Cent76 ~]$
[root@OSCP-Cent76 ~]$ oc get pods -n openshift-kube-scheduler -l app=openshift-kube-scheduler -o name
pod/openshift-kube-scheduler-ocp01-l2v9s-master-0
pod/openshift-kube-scheduler-ocp01-l2v9s-master-1
pod/openshift-kube-scheduler-ocp01-l2v9s-master-2
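The checks above can be combined into a small pre-flight script run on the host before launching the scan. This is an added example, not Qualys' own code; it assumes the prerequisites exactly as listed (oc on PATH, /root/.kube/config with mode 600, and a "Server Version: 4.x" line from "oc version"). The KUBECONFIG_PATH variable and the function names are this example's own.

```shell
#!/bin/sh
# Pre-flight check for the OpenShift 4.x PC scan prerequisites (added example).
# Assumes: oc on PATH, /root/.kube/config readable only by root (mode 600),
# and "oc version" printing "Server Version: 4.x" once the token is valid.

KUBECONFIG_PATH="${KUBECONFIG_PATH:-/root/.kube/config}"

# Read "oc version" output on stdin and print the value after "Server Version:".
# Prints nothing when the line is absent, i.e. when the host is not logged in.
server_version() {
    sed -n 's/^Server Version: *//p' | head -n 1
}

# Return 0 when the version string belongs to OpenShift major version 4.
is_ocp4_version() {
    case "$1" in
        4.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 when the file exists and its mode is exactly 0600 (GNU stat assumed).
kubeconfig_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ]
}

# Run every check in order; returns 0 only when all prerequisites are met.
preflight() {
    command -v oc >/dev/null 2>&1 || { echo "oc not found on PATH"; return 1; }
    kubeconfig_mode_ok "$KUBECONFIG_PATH" \
        || { echo "$KUBECONFIG_PATH is missing or not mode 600"; return 1; }
    ver=$(oc version 2>/dev/null | server_version)
    [ -n "$ver" ] || { echo "no Server Version line: not logged in or token expired"; return 1; }
    is_ocp4_version "$ver" || { echo "server version $ver is not OpenShift 4.x"; return 1; }
    echo "OK: OpenShift server $ver, kubeconfig $KUBECONFIG_PATH"
}

# Invoke as "sh preflight.sh --run" on the host to perform the checks.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```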

Example: Executing OC Login Command: Passing the Server IP with "--server" Option and the Token with the "--token" Option

oc login --server=https://api.ocp01.oscp.rdlab.qualys.dev:6443 --token=<token>

Example: /root/.kube/config Content

apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: >-
        <data>
      server: '<server>:6443'
    name: '<name>:6443'
contexts:
  - context:
      cluster: '<cluster>:6443'
      namespace: default
      user: ahutest
    name: ahutest
current-context: ahutest
kind: Config
preferences: {}
users:
  - name: ahutest
    user:
      token: >-
        <token>