When it comes to container security, this is definitely food for thought for sys/infra admins and security engineers. The basic approach to security is defense in depth, but it requires tremendous effort on both the platform side and the application side.

One of the reasons is that Kubernetes platforms can run on different operating systems. Kubernetes is a project that can run on different operating systems and with add-on components for which the project offers no guarantee of supportability. As a result, the security of different Kubernetes platforms can vary. Besides, security vendors and security solutions each treat security considerations in their own way, but one of the effective approaches is system hardening, because it mitigates security risks by eliminating potential attack vectors and reducing the system's attack surface.

OpenShift is secure by default, as described in the OpenShift Security Guide Book, and has several built-in security features from the host OS up to container orchestration. For further security, the Compliance Operator was released in OCP 4.6, so I would like to briefly show what is needed to secure or harden a Kubernetes cluster, and then discuss the differences between Red Hat Advanced Cluster Management, the Compliance Operator, and Open Policy Agent (OPA), to help you understand how the Compliance Operator helps secure and harden your OpenShift cluster.

To secure your OpenShift cluster, you have to consider both the platform (Kubernetes) and the host OS (RHCOS, RHEL) perspectives. Kubernetes is composed of control plane machines (masters) and worker machines (nodes): the Kubernetes services such as the API server, etcd, and the controller manager run on the control plane and manage the workloads on the worker machines. Both the CRI-O container engine and the kubelet run on the worker machines to create and run containers: the kubelet receives requests to manage containers from the API server, and CRI-O manages the containers themselves. Understanding the OpenShift Container Platform control plane describes the control plane and its components in more detail.

The basic approach to hardening the host OS is almost the same as RHEL 8 Security Hardening, and this applies whether the host OS is RHCOS or RHEL: for instance, validating that configuration files have appropriately restrictive permissions and the right ownership, that required systemd services or processes are launched with the appropriate arguments or parameters, and that the appropriate kernel parameters are set.

Hardening the control plane, on the other hand, is specific to the Kubernetes services and covers the control plane components and the master configuration files. It should validate that the API server has been started with restrictive arguments: enabling the appropriate admission plug-ins, enabling audit logging, applying the etcd server and peer configuration, restricting authorization to RBAC, and so on.

But for clusters that use RHCOS for all machines, updating and upgrading are designed to be automatic events driven from the central control plane, because OpenShift completely controls the systems and services that run on each machine, including the operating system itself, through the Machine Config Operator. You can learn more about the Machine Config Operator in OpenShift Container Platform 4: How Does Machine Config Pool Work? and Machine Config and Machine Updates.

Why Compliance Operator?

So, several questions may come to mind: Are there benchmarks for hardening? How do you check the validation? How do you fix the issues or apply the recommended configurations? How do you automate the whole process? And who should prepare the policy files? Why is the Compliance Operator needed to validate the hardening and apply changes to the configuration of the operating system and the platform? The Compliance Operator is defined as follows: "The Compliance Operator is an OpenShift Operator that allows an administrator to run compliance scans and provide remediations for the issues found. The operator leverages OpenSCAP under the hood to perform the scans."
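To make the host-OS and control-plane checks described above concrete, here is an added example in plain Python. It is not code from the original post or from the Compliance Operator itself; it is a miniature of the kind of checks an OpenSCAP profile run by the operator performs, written to run offline over constructed sample inputs. The kube-apiserver flag names are real, the paths and values are made up, the two temporary files stand in for node configuration files, and the two kernel parameters are examples of the kind of sysctl settings hardening profiles check (the required values are assumptions for the demo).

```python
# Added example (not from the original post or the Compliance Operator's code):
# plain-Python versions of the kinds of checks an OpenSCAP profile applied by
# the Compliance Operator runs on a node. All inputs below are constructed.
import os
import stat
import tempfile


def parse_flags(argv):
    """Turn ['kube-apiserver', '--a=b', '--c=d'] into {'a': 'b', 'c': 'd'}."""
    flags = {}
    for arg in argv[1:]:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            flags[key] = value
    return flags


def check_apiserver_args(argv):
    """Control-plane checks: RBAC, admission plug-ins, audit logging, etcd TLS."""
    flags = parse_flags(argv)
    findings = []
    # kube-apiserver defaults to AlwaysAllow when --authorization-mode is absent
    modes = set(flags.get("authorization-mode", "AlwaysAllow").split(","))
    if "RBAC" not in modes or "AlwaysAllow" in modes:
        findings.append("authorization-mode must include RBAC and not AlwaysAllow")
    plugins = set(flags.get("enable-admission-plugins", "").split(","))
    if "NodeRestriction" not in plugins:
        findings.append("enable-admission-plugins must include NodeRestriction")
    if not flags.get("audit-log-path"):
        findings.append("audit-log-path is not set, API audit logging is disabled")
    # Client certificate, key and CA for the API server to etcd connection
    for key in ("etcd-cafile", "etcd-certfile", "etcd-keyfile"):
        if not flags.get(key):
            findings.append(f"{key} is not set, API server to etcd TLS is incomplete")
    return findings


def check_file(path, max_mode=0o600, expected_uid=0):
    """Host-OS checks: mode no wider than max_mode and owned by expected_uid."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & ~max_mode:  # any permission bit set that max_mode does not allow
        findings.append(f"{path}: mode {mode:04o} is wider than {max_mode:04o}")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def check_sysctl(values, required):
    """Kernel-parameter checks: every required sysctl has the expected value."""
    return [f"{key} is {values.get(key, '<unset>')}, expected {want}"
            for key, want in required.items() if values.get(key) != want]


# Constructed sample inputs (real kube-apiserver flag names, made-up values).
SAMPLE_APISERVER_ARGV = [
    "kube-apiserver",
    "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NodeRestriction",
    "--etcd-cafile=/etc/kubernetes/pki/etcd-ca.crt",
    "--etcd-certfile=/etc/kubernetes/pki/etcd-client.crt",
    "--etcd-keyfile=/etc/kubernetes/pki/etcd-client.key",
    # deliberately no --audit-log-path, so audit logging is off
]
SAMPLE_SYSCTL = {"kernel.kptr_restrict": "0", "kernel.dmesg_restrict": "1"}
REQUIRED_SYSCTL = {"kernel.kptr_restrict": "1", "kernel.dmesg_restrict": "1"}


def run_demo():
    """Run every check over the constructed samples; returns {check: [findings]}."""
    results = {"apiserver": check_apiserver_args(SAMPLE_APISERVER_ARGV),
               "sysctl": check_sysctl(SAMPLE_SYSCTL, REQUIRED_SYSCTL)}
    # Two temporary files stand in for node config files: one world-readable
    # (0644), one restricted (0600). The expected owner is the current user so
    # the demo runs anywhere; on a real node you would expect uid 0 (root).
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("loose.conf", 0o644), ("strict.conf", 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("sample: true\n")
            os.chmod(path, mode)
            results[name] = check_file(path, 0o600, os.getuid())
    return results


if __name__ == "__main__":
    for check, findings in run_demo().items():
        print(check, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("   ", finding)
```

Running it reports the API server as FAIL (no audit log), the sysctl set as FAIL (kptr_restrict), loose.conf as FAIL (mode 0644) and strict.conf as PASS. On a real cluster you do not write these checks yourself: they are OpenSCAP rules inside the operator's profiles (for example ocp4-cis for the platform and ocp4-cis-node or rhcos4-moderate for the nodes), and each rule's outcome is surfaced as a ComplianceCheckResult object, with a ComplianceRemediation object where the profile carries a fix.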