You can get the Policy Compliance report for Red Hat OpenShift Container Platform (RHOCP) 4.x using any one of the following two methods:
Scan one of the master/worker nodes in the RHOCP cluster. This requires deploying Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS; the agent runs as a container in the RHOCP cluster.
See Generating PC Report using Master/Worker Node.
OR
Scan the bastion host that can connect to the RHOCP cluster API server. You can use Qualys Scanner or Qualys Linux Agent.
The PC scan relies on the oc commands and the /root/.kube/config file on the host.
See Generating PC Report using Bastion Host.
This method works only with Qualys Cloud Agent.
Minimum privileges required to scan master/worker nodes are:
The steps for generating a PC report using a master/worker node are as follows:
Install the oc CLI client on the host.
Download the Qualys Cloud Agent for CoreOS in case you haven't downloaded it.
Create a service account named “qualys-pc-op-serv” (see the steps below). Use a service account rather than a regular user account to launch the RHOCP scan: the token associated with a service account does not expire, whereas a regular account's access token has a default lifetime of 24 hours (86400 seconds). Follow these steps to create the service account “qualys-pc-op-serv”:
Review the YAML file provided below and make the required updates.
Execute the command to apply the YAML file settings:
#oc apply -f <following file>
Execute the command to get the secret token value for the service account and copy the value:
#oc describe secrets qualys-pc-op-serv-token -n qualys-agent
Example: YAML file.
# The qualys-agent namespace must already exist before this file is applied.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: qualys-pc-op-serv
  namespace: qualys-agent
secrets:
  - name: qualys-pc-op-serv-token
---
apiVersion: v1
kind: Secret
metadata:
  name: qualys-pc-op-serv-token
  namespace: qualys-agent
  annotations:
    kubernetes.io/service-account.name: "qualys-pc-op-serv"
type: kubernetes.io/service-account-token
# 'duration' is not a field of the Secret type and is rejected by strict
# validation; a token stored in a service-account-token Secret has no expiry anyway.
# duration: 99999h
---
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  name: qualys-pc-op-scan-role
rules:
  # get/list on every resource in every API group: this includes reading all
  # Secrets cluster-wide, so protect the service account token accordingly.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list"]
  # create on pods/exec allows running commands inside any pod in the cluster.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get", "create"]
---
apiVersion: authorization.openshift.io/v1
kind: ClusterRoleBinding
metadata:
  name: rolebinding-qualys-pc-op-scan-role
subjects:
  - kind: ServiceAccount
    name: qualys-pc-op-serv
    namespace: qualys-agent
roleRef:
  kind: ClusterRole
  name: qualys-pc-op-scan-role
Extract the package file of the Qualys Cloud Agent container image and access Qualys Cloud Agent.
Ensure that the agent deployment file lxa-openshift-crio-ds.yml is present in the container package.
Add an environment variable named 'QTOKEN' under the 'env' section of the file. Its value is the token of the service account created above; Qualys uses it in its RHOCP discovery code together with the 'oc login' command to log in to the OpenShift cluster. To add the token value needed for authentication:
Set the value of the QTOKEN environment variable in the lxa-openshift-crio-ds.yml file to the token obtained from the previous command “oc describe secrets qualys-pc-op-serv-token -n qualys-agent”.
env:
  - name: QTOKEN
    value: <service account token>
Execute the command to deploy the changes for Agent:
#oc apply -f <path to file>lxa-openshift-crio-ds.yml
This will deploy Qualys Cloud Agent using the deployment file "lxa-openshift-crio-ds.yml" with the newly added environment variable "QTOKEN" to run the Agent as a container on the host.
To generate a PC Report using Bastion Host, follow the steps mentioned below.
Install the oc CLI client on the host.
Create a service account and assign a cluster-reader role to this account.
The cluster-reader role grants users the ability to read all resources in the cluster. It is recommended that you use a Service account to launch the RHOCP scan. With the Service account, the session token associated with it will not expire. The regular account's Access Token default lifetime is 24 hours (86400 seconds).
Run the "oc login" command on the host, passing the API server IP/URL with the "--server" option and the created service account's token with the "--token" option.
Example: Executing "oc login" command
Provide the Server IP using "--server" option and the token with the "--token" option.
oc login --server=<server IP/URL> --token=<token>
Once the "oc login" command succeeds, it automatically records your login details (server, user, and token) in its configuration file ".kube/config". The PC scan reads this file, so it must contain correct server, user, and token entries.
Example: /root/.kube/config Content
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: >-
      <data>
    server: '<server>:6443'
  name: '<name>:6443'
contexts:
- context:
    cluster: '<cluster>:6443'
    namespace: default
    user: ahutest
  name: ahutest
current-context: ahutest
kind: Config
preferences: {}
users:
- name: ahutest
  user:
    token: >-
      <token>
Start the Qualys Scanner or Qualys Cloud Agent depending upon your requirement.
You can test the following commands from the root account on the host. A "Server Version: 4.xxx" line in the "oc version" output is the indicator that RHOCP 4.x has been found.
which oc
oc version
Example: Running "which oc" and "oc version" commands
[root@OSCP-Cent76 ~]# which oc
/openshift/oc
[root@OSCP-Cent76 ~]# oc version
Client Version: 4.7.16
Server Version: 4.7.16
Kubernetes Version: v1.20.0+2817867
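Added helper script, not from the Qualys documentation, that covers the token and permission steps of the master/worker procedure and the RHOCP 4.x detection check above. It assumes the service account, secret and namespace names from the manifest on this page and an oc client on PATH logged in with cluster-admin rights; only the two parsing functions run offline, against constructed sample output.

```shell
# Added helper script, not part of the Qualys documentation. It assumes the
# service account, secret and namespace names from the manifest on this page
# and that the oc client is on PATH and logged in with cluster-admin rights.
SA_NAME="qualys-pc-op-serv"
SA_NS="qualys-agent"
SA_SECRET="qualys-pc-op-serv-token"
# Constructed sample outputs used by the offline checks below.
SAMPLE_DESCRIBE="Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1234 bytes
namespace:  12 bytes
token:      eyJhbGciOiJSUzI1NiJ9.constructed.sample"
SAMPLE_VERSION="Client Version: 4.7.16
Server Version: 4.7.16
Kubernetes Version: v1.20.0+2817867"

# Pull the token line out of 'oc describe secrets ...' output passed in $1
# (the manual copy step on the page).
token_from_describe() {
    printf '%s\n' "$1" | awk '$1 == "token:" { print $2; exit }'
}
# Preferred: read the token from the secret's data field and decode it,
# instead of copying it out of human-readable output.
sa_token() {
    oc get secret "$SA_SECRET" -n "$SA_NS" -o jsonpath='{.data.token}' | base64 -d
}
# Show what the scan account can really do before its token goes into the
# agent DaemonSet: the ClusterRole grants get/list on every resource
# (secrets included) plus pods/exec create, so confirm that is intended.
check_sa_permissions() {
    subject="system:serviceaccount:${SA_NS}:${SA_NAME}"
    for check in "list nodes" "list secrets" "create pods/exec" "delete pods"; do
        set -- $check
        printf '%-18s %s\n' "$check" "$(oc auth can-i "$1" "$2" --as="$subject" 2>/dev/null || true)"
    done
}
# Return the server version from 'oc version' output ($1) only when it is
# RHOCP 4.x; empty otherwise. Mirrors the 'Server Version: 4.xxx' flag check.
rhocp4_server_version() {
    printf '%s\n' "$1" | awk '$1 == "Server" && $2 == "Version:" && $3 ~ /^4\./ { print $3; exit }'
}
# Live checks against the cluster run only when invoked as: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_sa_permissions
    rhocp4_server_version "$(oc version 2>/dev/null)"
fi
```

`sa_token` and `check_sa_permissions` need a live cluster; the "delete pods" line in the permission report should print "no" for the role on this page.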