Getting PC Report for Red Hat OpenShift Container Platform (RHOCP) 4.x

You can get the Policy Compliance (PC) report for Red Hat OpenShift Container Platform (RHOCP) 4.x using either of the following two methods:

Generating PC Report using Master/Worker Node

OR

Generating PC Report using Bastion Host

Generating PC Report using Master/Worker Node 

PC scans need neither cluster-admin credentials nor a generated token. Instead, a custom ClusterRole with the permissions required to execute all the OpenShift signatures is created and bound to the qualys-agent service account.

Note: A separate service account is no longer created. The qualys-agent service account (usually named qualys-agent-sa) is used instead.

This method works only with Qualys Cloud Agent.

The minimum privileges required to scan master/worker nodes are those granted by the ClusterRole defined in step 2 below.

The steps for generating a PC report for a master/worker node are as follows:

  1. Install the oc CLI client on the host.

  2. Review the YAML file provided below:

kind: ClusterRole
apiVersion: authorization.openshift.io/v1
metadata:
  name: qualys-agent-pc-scan-role
rules:
  - apiGroups: [""]
    resources: ["configmaps", "namespaces", "serviceaccounts", "nodes", "nodes/proxy", "services", "replicationcontrollers", "pods", "secrets", "pods/exec"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: ["*"]
    resources: ["localresourceaccessreviews"]
    verbs: ["create"]
  - apiGroups: ["operator.openshift.io"]
    resources: ["kubeapiservers", "openshiftapiservers", "ingresscontrollers", "machineconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["machineconfiguration.openshift.io"]
    resources: ["machineconfigs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["config.openshift.io"]
    resources: ["clusteroperators", "images", "clusterversions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps.openshift.io"]
    resources: ["deploymentconfigs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["build.openshift.io"]
    resources: ["builds", "buildconfigs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["image.openshift.io"]
    resources: ["imagestreams"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["route.openshift.io"]
    resources: ["routes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["user.openshift.io"]
    resources: ["users", "groups"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings", "roles"]
    verbs: ["get", "list", "watch"]

---

kind: ClusterRoleBinding
apiVersion: authorization.openshift.io/v1
metadata:
  name: qualys-agent-pc-scan-rolebinding
subjects:
  - kind: ServiceAccount
    name: qualys-agent-sa
    namespace: qualys-agent
roleRef:
  kind: ClusterRole
  name: qualys-agent-pc-scan-role
  apiGroup: authorization.openshift.io

  3. Execute the command below to apply the YAML file settings (the file name is a placeholder for the YAML file you saved in step 2):

# oc apply -f <yaml-file>

Generating PC Report using Bastion Host 

The steps for generating a PC Report using Bastion Host are as follows:

  1. Install the oc CLI client on the host.

  2. Create a service account and assign the cluster-reader role to this account.
    The cluster-reader role grants read access to all resources in the cluster. It is recommended that you use a service account to launch the RHOCP scan, because the session token associated with a service account does not expire, whereas a regular account's access token has a default lifetime of 24 hours (86400 seconds).

  3. Run the "oc login" command on the host, passing the server IP/URL with the "--server" option and the created service account's token with the "--token" option.

    Example: Executing "oc login" command

    Provide the Server IP using "--server" option and the token with the "--token" option.

    oc login --server=<server IP/URL> --token=<token>

    Once the "oc login" command succeeds, it records your login details (server, user, and token) in its configuration file, ".kube/config". The configuration file must contain correct server, user, and token details.

    Example: /root/.kube/config Content

    apiVersion: v1
    clusters:
      - cluster:
          certificate-authority-data: >-
            <data>
          server: '<server>:6443'
        name: '<name>:6443'
    contexts:
      - context:
          cluster: '<cluster>:6443'
          namespace: default
          user: ahutest
        name: ahutest
    current-context: ahutest
    kind: Config
    preferences: {}
    users:
      - name: ahutest
        user:
          token: >-
            <token>

  4. Start the Qualys Scanner or Qualys Cloud Agent depending upon your requirement.
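The bastion-host steps 2 and 3 above as commands, together with a local check that the token written to the kubeconfig really is a service-account token. This is an added example, not part of the Qualys page: the namespace and service-account name are this example's own choices, and the check relies on legacy service-account tokens being JWTs whose "sub" claim is system:serviceaccount:<namespace>:<name>, while OpenShift user OAuth tokens are opaque strings with no such structure.

```sh
#!/bin/sh
# Added example (not from the Qualys page): bastion-host setup as commands plus
# a check that the token about to be placed in .kube/config belongs to a service
# account (non-expiring, per the page) rather than a user account (24-hour token).
# Namespace and service-account name are assumptions for this example.

NS="${NS:-default}"                   # namespace for the scanning SA (assumption)
SA_NAME="${SA_NAME:-qualys-pc-scan}"  # service-account name (assumption)

# Step 2: create the service account and bind cluster-reader to it cluster-wide.
create_scan_sa() {
    oc create serviceaccount "$SA_NAME" -n "$NS"
    oc adm policy add-cluster-role-to-user cluster-reader -z "$SA_NAME" -n "$NS"
}

# Fetch the SA token. "oc serviceaccounts get-token" returns the long-lived token
# from the SA's token secret on the release the page shows (4.7); on releases that
# no longer auto-create token secrets, create a kubernetes.io/service-account-token
# secret for the SA first and read the token from it.
get_sa_token() {
    oc serviceaccounts get-token "$SA_NAME" -n "$NS"
}

# Decode the payload (second dot-separated segment) of a JWT and print its "sub"
# claim. Prints nothing for tokens without dots, such as opaque user OAuth tokens.
# This only inspects the claims locally; it does not verify the signature.
token_subject() {
    seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
    # restore the base64 padding that base64url encoding strips
    case $(( ${#seg} % 4 )) in 2) seg="${seg}==" ;; 3) seg="${seg}=" ;; esac
    printf '%s' "$seg" | base64 -d 2>/dev/null | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Returns 0 when the token identifies a service account, 1 otherwise.
token_is_service_account() {
    case "$(token_subject "$1")" in
        system:serviceaccount:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3: log in with the SA token so .kube/config holds server, user and token.
login_with_sa() {
    server="$1"
    token=$(get_sa_token)
    token_is_service_account "$token" || { echo "not a service-account token, refusing to log in" >&2; return 1; }
    oc login --server="$server" --token="$token"
}

# Live run (needs a cluster): sh this_script.sh live https://<server IP/URL>:6443
if [ "${1:-}" = "live" ]; then
    create_scan_sa
    login_with_sa "$2"
fi
```

The login helper refuses a token whose subject is not a service account, which catches the common mistake of pasting a personal OAuth token that will silently stop working after 24 hours.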


You can test the following commands from the host's root account. A Server Version of 4.x is used as the indicator that RHOCP 4.x was found.

    Example: Running "which oc" and "oc version" commands

    [root@OSCP-Cent76 ~]# which oc
    /openshift/oc
    [root@OSCP-Cent76 ~]# oc version
    Client Version: 4.7.16
    Server Version: 4.7.16
    Kubernetes Version: v1.20.0+2817867
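A verification script for the master/worker-node method, added here as an example and not part of the Qualys page. It turns the two checks the page describes into code: it confirms from "oc version" output that the Server Version is 4.x, and it asks the API server with "oc auth can-i --as=" whether the qualys-agent service account actually holds the permissions the ClusterRole above grants. The service-account name and namespace are taken from the page's ClusterRoleBinding; the permission list is a hand-copied subset of the page's ClusterRole, and the live part assumes you run it from an account allowed to impersonate service accounts.

```sh
#!/bin/sh
# Added example (not from the Qualys page): verify the master/worker-node setup
# after the ClusterRole and ClusterRoleBinding have been applied.

# Service account from the page's ClusterRoleBinding (namespace qualys-agent).
SA="system:serviceaccount:qualys-agent:qualys-agent-sa"

# Print the major number from the "Server Version:" line of "oc version" output on stdin.
server_major_version() {
    sed -n 's/^Server Version: \([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Returns 0 when the output on stdin describes an RHOCP 4.x server.
is_rhocp4() {
    [ "$(server_major_version)" = "4" ]
}

# One "verb resource[.group]" line per permission to probe; no group suffix means
# the core API group (apiGroups: [""]). Subset of the page's ClusterRole rules.
required_permissions() {
    cat <<'EOF'
get nodes
get nodes/proxy
list pods
get secrets
create pods/exec
get machineconfigs.machineconfiguration.openshift.io
get clusteroperators.config.openshift.io
get clusterversions.config.openshift.io
get securitycontextconstraints.security.openshift.io
get deployments.apps
get clusterrolebindings.rbac.authorization.k8s.io
EOF
}

# Probe each permission as the service account across all namespaces (-A).
# Prints every denied "verb resource" and returns 1 if any were denied.
check_sa_permissions() {
    denied=$(required_permissions | while read -r verb resource; do
        oc auth can-i "$verb" "$resource" --as="$SA" -A >/dev/null 2>&1 || echo "DENIED $verb $resource"
    done)
    [ -z "$denied" ] || { printf '%s\n' "$denied"; return 1; }
}

# Live run (needs a cluster and a logged-in oc): sh this_script.sh live
if [ "${1:-}" = "live" ]; then
    oc version | is_rhocp4 || { echo "server is not RHOCP 4.x" >&2; exit 1; }
    check_sa_permissions && echo "all probed permissions are granted to $SA"
fi
```

Keeping the probe list short and explicit makes a denied line easy to map back to the rule in the ClusterRole that should have granted it; the two "create" entries (pods/exec and localresourceaccessreviews) are the only non-read verbs in the role and are the ones worth re-checking whenever the role is edited.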