Getting PC Report for Red Hat OpenShift Container Platform 4.x

You can get the Policy Compliance report for Red Hat Openshift Container Platform 4.x using the following two methods:

• Scan the bastion host that can connect to Red Hat OpenShift Container Platform cluster API server. You can use Qualys Scanner or Qualys Linux Agent. 

• Scan one of the master/worker nodes in the Red Hat OpenShift Container Platform. You need to deploy Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS. Qualys Cloud Agent will run as a container in the Red Hat OpenShift Container Platform.

The PC scan relies on the oc command and the /root/.kube/config file on the host.

Prerequisites:

1.  Install the oc CLI client on the host.

2. Create a service account and assign a cluster-admin role to this account.
   The cluster-admin is a default cluster-wide role and can perform any action on any resource. It is recommended to provide a service account to launch the Red Hat OpenShift Container Platform scan, provided that the session token associated with this account will not expire. The default lifetime of a regular user account is 24 hours.

3. Run the "oc login --token=***  --server=https***" command by using host's root account.
   The command stores the server and access token information into /root/.kube/config. If you do not want to run "oc login --token=***  --server=https***", you can directly copy the oc profile config file to "/root/.kube/config". Ensure that the file permission is 600.

You can test the following commands on the host root account. Server Version: 4.xxx is used as the flag of found Red Hat OpenShift Container Platform 4.x.

• which oc

• oc version

Example: Running "which oc" and "oc version" Commands

[root@OSCP-Cent76 ~]# which oc
/openshift/oc
[root@OSCP-Cent76 ~]# oc version
Client Version: 4.7.16
Server Version: 4.7.16
Kubernetes Version: v1.20.0+2817867

Example: Testing "Copying Config File to /root/.kube/config"

[root@OSCP-Cent76 ~]$ oc version
Client Version: 4.7.16
Kubernetes Version: v1.20.0+2817867
[root@OSCP-Cent76 ~]$ cp config .kube/config
[root@OSCP-Cent76 ~]$ oc version
Client Version: 4.7.16
Server Version: 4.7.16
Kubernetes Version: v1.20.0+2817867
[root@OSCP-Cent76 ~]$
[root@OSCP-Cent76 ~]$ oc get pods -n openshift-kube-scheduler -l app=openshift-kube-scheduler -o name
pod/openshift-kube-scheduler-ocp01-l2v9s-master-0
pod/openshift-kube-scheduler-ocp01-l2v9s-master-1
pod/openshift-kube-scheduler-ocp01-l2v9s-master-2

Example: Executing OC Login Command: Passing the Server IP with "--server" Option and the Token with the "--token" Option

oc login --server=https://api.ocp01.oscp.rdlab.qualys.dev:6443 --token=<token>

Example: /root/.kube/config Content

apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: >-
        <data>
server: '<server>:6443'
name: '<name>:6443'
contexts:
  - context:
      cluster: '<cluster>:6443'
namespace: default
      user: ahutest
    name: ahutest
current-context: ahutest
kind: Config
preferences: {}
users:
  - name: ahutest
    user:
      token: >-
        <token>