This topic describes how to onboard the OpenShift connector. Using the OpenShift connector enables you to view real-time compliant or non-compliant data, and to integrate compliance into your DevOps pipeline.
Onboarding the OpenShift connector includes the following steps: understanding the connector, meeting its prerequisites, onboarding the connector, and performing the next steps.
To access the latest information about this topic and all Cloud Security releases, check out the Release notes and notices.
Understanding the OpenShift connector
The OpenShift connector enables you to collect data from Docker containers, Docker hosts, and Docker daemons, and to evaluate Docker content against the Center for Internet Security (CIS) Docker 1.12 Benchmark. This policy is based on the recommended Docker Host, Docker Container, and Docker Daemon settings defined by CIS Docker 1.12.0 Benchmark Version 1.0.0, published on September 15th, 2016.
The connector also supports CIS Docker 1.13.0 Benchmark Version 1.0.0, published on January 19th, 2017.
In addition, the OpenShift connector enables you to collect data from OpenShift Masters and OpenShift Workers and to evaluate OpenShift content against the Kubernetes CIS benchmark and OpenShift best practices.
The BMC OpenShift Benchmark - Master and Worker policies are available as out-of-the-box content. Using these policies, you can evaluate OpenShift Masters and OpenShift Workers against the BMC security benchmark for an OpenShift cluster. These policies cover the security recommendations that you should follow to prepare the host or cluster that you plan to use for executing containerized workloads.
Securing the Docker host and OpenShift clustered environments and following your infrastructure security best practices helps build a solid and secure foundation for executing containerized workloads.
The OpenShift connector enables you to collect:
- Docker data (Docker Host, Docker Container, and Docker Daemon)
- OpenShift data (OpenShift Master and OpenShift Worker)
The following resources consume a product license:
- OpenShift master
- OpenShift worker
Ensure that the computer on which the connector is downloaded meets the following prerequisites:
OpenShift Deployment requirements:
- Ensure that the computer on which the connector is downloaded has Java OpenJDK 11.0.2 installed on it.
- This release supports CIS Docker 1.12.0 and 1.13.0.
- The OS on the Docker host must be Ubuntu 16, Red Hat Enterprise Linux 7, or CentOS 7.
- For this release, OKD 3.11 on CentOS 7 is supported.
OpenShift connector requirements:
- The HTTPS port (default 443) is open for outbound connectivity to the internet. If URLs are whitelisted, allow access to the following URLs so that the connector can communicate with BMC Helix Cloud Security.
- The connector needs a minimum of 100 MB of disk space.
- Passwordless sudo must be configured for the user account that runs the OpenShift connector.
- The connector must be deployed on a Linux machine with SSH connectivity to the master and worker nodes.
- The connector machine must have kubectl and oc (the OpenShift CLI) configured on it.
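A preflight script for the connector machine that checks the requirements listed above (Java, disk space, passwordless sudo, kubectl and oc, private key permissions, and SSH reachability of each node) before you download the connector. This is an added example, not BMC's connector code; the user name, key path and node names in the final comment are placeholders.

```shell
#!/bin/sh
# Preflight checks for an OpenShift connector host (added example, not BMC tooling).
# Each check_* function returns 0 on success so it can be used in shell conditionals.

# Return 0 when a command is on PATH.
check_cmd() { command -v "$1" >/dev/null 2>&1; }

# Return 0 when the filesystem holding $1 has at least $2 MB free (df -Pk is POSIX).
check_disk_space() {
    free_mb=$(df -Pk "$1" | awk 'NR==2 {print int($4/1024)}')
    [ "${free_mb:-0}" -ge "$2" ]
}

# Return 0 when the private key is readable only by its owner (mode 600 or 400);
# ssh refuses to use a key that is group- or world-readable.
check_key_perms() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Return 0 when sudo works without a password prompt (-n never prompts).
check_passwordless_sudo() { sudo -n true >/dev/null 2>&1; }

# Return 0 when a non-interactive SSH login to node $3 as user $2 with key $1 succeeds.
check_ssh() {
    ssh -i "$1" -o BatchMode=yes -o ConnectTimeout=5 "$2@$3" true >/dev/null 2>&1
}

# Run every check; print one line per check and return the number of failures.
preflight() {
    key=$1; user=$2; shift 2; fails=0
    for c in java kubectl oc ssh; do
        check_cmd "$c" && echo "ok   $c on PATH" || { echo "FAIL $c missing"; fails=$((fails+1)); }
    done
    check_disk_space "$PWD" 100 && echo "ok   >=100 MB free" || { echo "FAIL disk space"; fails=$((fails+1)); }
    check_key_perms "$key" && echo "ok   key permissions" || { echo "FAIL $key not mode 600"; fails=$((fails+1)); }
    check_passwordless_sudo && echo "ok   passwordless sudo" || { echo "FAIL passwordless sudo"; fails=$((fails+1)); }
    for node in "$@"; do
        check_ssh "$key" "$user" "$node" && echo "ok   ssh $node" || { echo "FAIL ssh $node"; fails=$((fails+1)); }
    done
    return "$fails"
}

# Placeholder invocation: preflight ~/.ssh/id_rsa ubuntu master.example worker1.example
```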
Onboarding the OpenShift connector
- Log in to Cloud Security with your registered credentials.
- Select the Configure icon > Connectors.
- Click Add Connector.
- Under Connector Type > On Premise Connectors (Installable), click OpenShift Connector and then click Continue.
- In the connector name field, specify a name for the OpenShift connector.
This name must be unique; it must not already be used by an existing connector.
If the name you entered is not already displayed on the Manage Connectors page, a green check mark and an "available" label appear next to the field.
Specify the credentials for the OpenShift cluster to be evaluated:
Username: A user account on the OpenShift admin host (the host from which the OpenShift cluster was created) that has access to the master and worker nodes of the OpenShift cluster on which the compliance check is to run.
Private Key Location: The location of the PEM key on the admin host (the host from which the OpenShift cluster was created). This key is used to communicate with the masters and minions of the cluster, e.g. /root/.ssh/id_rsa.
Kubernetes kube config: The location of the Kubernetes kube configuration file used to configure access to Kubernetes in conjunction with kubectl, e.g. /root/.kube/config.
A sample of the credentials used for the cluster in BMC Policy Service, followed by the command that verifies SSH connectivity from the connector machine (the chmod in the original sample read -x, which would remove execute permission; it is +x here, matching the instructions below):
    username : ubuntu
    key location : ~/ubuntu/.ssh/id_rsa
    chmod +x run.sh
    # To check the connectivity from the connector machine to a master or worker node, run:
    ssh -i <key location> <UserName>@<Master/worker node>
Select the method for triggering collection cycles by choosing one of the following options from the Collection Mode menu:
- Select On Demand to enable on-demand scanning.
- Select Scheduled and select the hours or minutes at which OpenShift resources will be periodically collected and evaluated.
- If the download does not start automatically, click Download Connector setup and unzip the OpenShift Connector.zip file using any standard compression tool.
The zip file has the name that you specified for the connector in Step 3.
Execute the command chmod +x run.sh to grant execute permissions to the run.sh file. Then run the connector using the
Note: The time to complete data collection depends on the number of targets in your environment. Leave the command window open and switch over to the UI.
- Clear the default compliance policies that you will not use to evaluate your OpenShift cluster.
To update a policy that you have selected, if an update is available, click Update in the information banner to the right of the selected policy and then click Update Policy on the confirmation message that appears.
The connector is downloaded and available in Cloud Security, and the policies are evaluated on the schedule you have set.
As soon as the connector begins sending data, it is shown in the green 'Running' state. It then collects the data and publishes it back to Cloud Security.
Performing next steps
To manage connector configuration and settings, see Managing connectors.
To assess the resources including why a rule failed, see Managing resources.