How to customize the OpenShift Compliance Operator by using a tailored profile – IBM Developer



Developers no longer simply build applications, but also play important roles in infrastructure operations in the DevOps and infrastructure as code (IaC) areas. In these situations, you may also be responsible for operating test infrastructure that runs on a managed service such as Red Hat OpenShift on IBM Cloud. Ensuring its security and regulatory compliance is also important, and you may want to automate such work. That automation can be facilitated by an OpenShift Operator called Compliance Operator, which is a compliance status check engine for OpenShift clusters.

However, it is not easy to use Compliance Operator for an OpenShift cluster running on IBM Cloud, because its installation is customized to provide it as a managed service. As a result, some of the default rules and parameters do not match the actual state, and such mismatches cause false positives. Therefore, you must create a tailored profile that aligns with the customized installation.

Part 1: Introduction to rules, variables, profiles, and tailored profiles

Rules and variables

All the rules verified by the Compliance Operator are defined in the ComplianceAsCode/content project repository. For example, consider the rule with the ID kubelet_eviction_thresholds_set_hard_imagefs_available as follows:

git clone https://github.com/ComplianceAsCode/content
cd content
tree applications/openshift/kubelet
├── kubelet_eviction_thresholds_set_hard_imagefs_available
│   ├── rule.yml
│   └── tests
├── var_kubelet_evictionhard_imagefs_available.var

The rule ID is represented by the directory name, while the actual rule is defined in rule.yml under the rule directory:

title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available'
template:
  name: yamlfile_value
  vars:
    filepath: /etc/kubernetes/kubelet.conf
    yamlpath: ".evictionHard['imagefs.available']"
    xccdf_variable: var_kubelet_evictionhard_imagefs_available

For this rule, the expected parameter value in the /etc/kubernetes/kubelet.conf YAML file is specified at yamlpath with a JSONPath expression called .evictionHard['imagefs.available'], and it must match the value of the var_kubelet_evictionhard_imagefs_available configuration variable. The configuration variable value is stored in a different file; in this case, the file is var_kubelet_evictionhard_imagefs_available.var under the kubelet directory:

title: 'Configure Kubelet EvictonHard Image FS Avilable'
type: string
operator: equals
options:
  default: "10%"
  5pc: "5%"
  10pc: "10%"
  15pc: "15%"
  20pc: "20%"

With the variable values illustrated above, the result of this rule evaluation is PASS if .evictionHard['imagefs.available'] is equal to "10%" (the default value).


In a typical use case, an internal compliance officer or an external auditor requests validation against industry regulation baselines or best practices such as NIST SP 800-53 moderate or CIS Benchmarks. These regulation baselines and best practices are represented in the ComplianceAsCode project as a profile. For example, you can find the NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift defined in ocp4/profiles/moderate.profile, and the CIS Red Hat OpenShift Container Platform 4 Benchmark defined in ocp4/profiles/cis-node.profile as follows:

title: 'CIS Red Hat OpenShift Container Platform 4 Benchmark'
selections:
    - kubelet_eviction_thresholds_set_hard_imagefs_available

Each profile contains its own set of rules. The following diagram illustrates the relationships between the rules and the profiles.

Illustration of profiles and rules

In the ComplianceAsCode/content repository, many profiles are already defined for well-known industry regulations. See the Compliance Operator Custom Resource Definitions documentation for details on how admins and compliance engineers can specify a profile for their Compliance Operator scans by using ComplianceScan or ComplianceSuite objects.

Check results

The check results for each profile are registered as compliancecheckresult resources. Each name consists of the following three parts:

  ${profile_name}-${role_name}-${rule_name}

  • profile_name is the name of the Profile or TailoredProfile specified in the ScanSettingBinding, ComplianceScan, or ComplianceSuite resource.
  • role_name is the .roles value in the ScanSetting resource.
  • rule_name is the rule ID with its underscores (_) replaced by hyphens (-).

Therefore, for example, a compliancecheckresult resource named ocp-worker-kubelet-eviction-thresholds-set-hard-imagefs-available is the result of a rule whose rule_id is kubelet_eviction_thresholds_set_hard_imagefs_available.

You can specify multiple profiles (and tailored profiles) for a single cluster. For example, if you configure the profiles named profile1 and profile2 for a rule called rule1, you will see two compliancecheckresult resources named profile1_rule1 and profile2_rule1, one for each profile. The results may differ because each profile has its own custom variables, which we discuss in Part 3.


As you may have noticed, the Compliance Operator rules and profiles are written in YAML format. However, the Compliance Operator scans are executed in a Kubernetes cluster and on its nodes with the oscap command, which only accepts rules and profiles defined in XCCDF format. Therefore, you must compile the YAML rules and profiles into an XCCDF data stream file before using Compliance Operator, and package the compiled contents as a Docker image, which is often called the content image. When you customize the rules and the profiles, you must rebuild the XCCDF data stream files as a content image in addition to modifying the contents.

To reduce the customization workload, you can customize the profile and the variables by using a Compliance Operator mechanism called TailoredProfile, which takes less work than building your own content image. With a tailored profile, you can disable rules selected in predefined profiles and set custom values for XCCDF variables. The following diagram describes the relationships between a predefined profile, a tailored profile, rules, and variables. In this example, only rule3 and the var1 = Y custom variable are applied when you use this tailored profile for the Compliance Operator scan.

Illustration of a tailored profile

A tailored profile can be applied using ScanSetting and ScanSettingBinding resources. Learn more in the TailoredProfile section and the ScanSetting and ScanSettingBinding section of the Custom Resource Definitions documentation for Compliance Operator.

Part 2: Tailoring process

The actual tailoring process consists of the following steps:

  1. Select a predefined (also known as a base) profile (for example, cis-node), and perform a scan with that profile.
  2. Get the FAIL rule names with the following command:

    oc get compliancecheckresult | grep FAIL

    You should see results similar to the following:

    ocp-master-kubelet-eviction-thresholds-set-hard-imagefs-available    FAIL     medium
    ocp-worker-kubelet-eviction-thresholds-set-hard-imagefs-available    FAIL     medium

  3. For each FAIL rule, when remediation isn't an option, consider disabling the rule itself or customizing the variables of the rule in a tailored profile.

    In this step, you must first find the actual check logic of a rule. As described earlier in the Check results section, you can extract rule_id from the name of a compliancecheckresult resource. Using the rule_id, you can then find rule.yml, which contains the actual check logic for that rule. To do so, use the following commands:

     cd content  # go to the ComplianceAsCode/content directory
     find . -name kubelet_eviction_thresholds_set_hard_imagefs_available
     ./applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available
     cat ./applications/openshift/kubelet/kubelet_eviction_thresholds_set_hard_imagefs_available/rule.yml
     title: 'Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available'
     template:
       name: yamlfile_value
       vars:
         filepath: /etc/kubernetes/kubelet.conf
         yamlpath: ".evictionHard['imagefs.available']"
         xccdf_variable: var_kubelet_evictionhard_imagefs_available

    If the check logic references a variable, you can find the file that defines the variable by appending the .var suffix to the xccdf_variable string. For example, the XCCDF variable called var_kubelet_evictionhard_imagefs_available can be found in the var_kubelet_evictionhard_imagefs_available.var file:

     cd content  # go to the ComplianceAsCode/content directory
     find . -name var_kubelet_evictionhard_imagefs_available.var
     ./applications/openshift/kubelet/var_kubelet_evictionhard_imagefs_available.var

    Finally, create the tailored profile resource by specifying the disabled rules and the new expected values. The rule name convention is ${profile_bundle_name}-${rule_name}:

    • ${profile_bundle_name} is usually ocp4, because OpenShift rules are owned by the ocp4 profile bundle by default.
    • ${rule_name} is a hyphen-joined name (for example, kubelet-eviction-thresholds-set-hard-imagefs-available), whereas a rule ID is an underscore-joined name (for example, kubelet_eviction_thresholds_set_hard_imagefs_available).

      The following TailoredProfile example shows how to specify a custom value for the var_kubelet_evictionhard_imagefs_available variable and how to disable the file_permissions_kube_apiserver rule. Note that the rule and variable names start with ocp4-, and the underscores (_) in the names are replaced with hyphens (-).

      apiVersion: compliance.openshift.io/v1alpha1
      kind: TailoredProfile
      metadata:
        name: my-tailored-profile
      spec:
        extends: ocp4-cis-node
        title: CIS Benchmark for OpenShift on IBM Cloud
        setValues:
          - name: ocp4-var-kubelet-evictionhard-imagefs-available
            rationale: "stricter than default"
            value: "5%"
        disableRules:
          - name: ocp4-file-permissions-kube-apiserver
            rationale: Target file is hidden and no need to check
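Step 3 starts from a compliancecheckresult name and works back to the rule ID and to the ocp4-prefixed name used in a TailoredProfile. The following Python script, an added example that is not part of the original article or of Compliance Operator, automates that mapping over FAIL lines like those in step 2; the oc output it parses is constructed, and the profile name ocp and the roles master and worker are assumed from those lines.

```python
# Constructed sample of `oc get compliancecheckresult | grep FAIL` output
# (NAME, STATUS, SEVERITY columns); not taken from a real cluster.
SAMPLE_FAILS = """\
ocp-master-kubelet-eviction-thresholds-set-hard-imagefs-available    FAIL     medium
ocp-worker-kubelet-eviction-thresholds-set-hard-imagefs-available    FAIL     medium
"""


def split_check_result_name(name, profile_name, roles):
    """Split '<profile>-<role>-<rule>' into (role, rule_name).

    Profile, role and rule names all use hyphens, so the parts can only be
    separated by matching the known profile name and ScanSetting roles.
    """
    prefix = profile_name + "-"
    if not name.startswith(prefix):
        raise ValueError(f"{name!r} does not belong to profile {profile_name!r}")
    rest = name[len(prefix):]
    for role in roles:
        if rest.startswith(role + "-"):
            return role, rest[len(role) + 1:]
    raise ValueError(f"no known role in {name!r}")


def rule_id_from_rule_name(rule_name):
    """Undo the underscore-to-hyphen rewrite to get the ComplianceAsCode rule ID."""
    return rule_name.replace("-", "_")


def tailored_profile_name(rule_id, bundle="ocp4"):
    """Name to use in a TailoredProfile: <profile bundle>-<hyphen-joined rule name>."""
    return f"{bundle}-{rule_id.replace('_', '-')}"


def failing_rules(oc_output, profile_name, roles):
    """Group FAIL check results by rule ID, recording which roles failed."""
    failed = {}
    for line in oc_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "FAIL":
            continue
        role, rule_name = split_check_result_name(fields[0], profile_name, roles)
        rule_id = rule_id_from_rule_name(rule_name)
        entry = failed.setdefault(rule_id, {
            "roles": [], "severity": fields[2],
            "tailored_name": tailored_profile_name(rule_id),
        })
        entry["roles"].append(role)
    return failed
```

The rule ID in the result is what you pass to find to locate rule.yml, and tailored_name is what goes into disableRules or, with a var- prefix on the variable, into setValues.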

Part 3: Executing concurrent scans of tailored profiles of the same base profile

Assume that two compliance engineers tailored the same base profile, cis-node.profile, as mycis-node-tailored-profile1 and mycis-node-tailored-profile2 with different values for the ocp4-var-kubelet-evictionhard-imagefs-available variable. The Compliance Operator checks the rules in both tailored profiles according to the expected variable values that were set, and stores two results for one rule as ComplianceCheckResults resources.

For example, the check results for the kubelet-eviction-thresholds-set-hard-imagefs-available rule are stored as follows (note that the naming convention of ComplianceCheckResults is ${profile_name}-${role_name}-${rule_name}, as described above):

NAME                                                                                         STATUS   SEVERITY
mycis-node-tailored-profile1-worker-kubelet-eviction-thresholds-set-hard-imagefs-available   PASS     medium
mycis-node-tailored-profile2-worker-kubelet-eviction-thresholds-set-hard-imagefs-available   FAIL     medium
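To show why the same node yields PASS for one tailored profile and FAIL for the other, the following Python script, an added example and not code from the article or from Compliance Operator, evaluates the yamlfile_value check of this rule against a constructed kubelet.conf (assumed to have imagefs.available set to 10%) with the two profiles' variable values (assumed to be the 10% default and a 5% override).

```python
import re

# Constructed stand-in for the parsed /etc/kubernetes/kubelet.conf of one
# worker node (hypothetical values, not from a real cluster).
NODE_KUBELET_CONF = {
    "kind": "KubeletConfiguration",
    "evictionHard": {"imagefs.available": "10%", "memory.available": "100Mi"},
}

# Assumed value of var_kubelet_evictionhard_imagefs_available per tailored profile.
TAILORED_VALUES = {
    "mycis-node-tailored-profile1": "10%",  # keeps the .var file default
    "mycis-node-tailored-profile2": "5%",   # overridden through setValues
}

RULE_NAME = "kubelet-eviction-thresholds-set-hard-imagefs-available"
YAMLPATH = ".evictionHard['imagefs.available']"

# One path token: `.key` or `['key']` / `["key"]`.
_TOKEN = re.compile(r"\.([A-Za-z0-9_-]+)|\[['\"]([^'\"]+)['\"]\]")


def resolve_yamlpath(doc, yamlpath):
    """Walk a yamlfile_value-style path; return None if a key is missing."""
    node, pos = doc, 0
    for match in _TOKEN.finditer(yamlpath):
        if match.start() != pos:  # unparsed text between tokens
            raise ValueError(f"unsupported yamlpath syntax: {yamlpath!r}")
        pos = match.end()
        key = match.group(1) or match.group(2)
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    if pos != len(yamlpath):
        raise ValueError(f"unsupported yamlpath syntax: {yamlpath!r}")
    return node


def check_yamlfile_value(doc, yamlpath, expected):
    """PASS when the value at yamlpath equals the variable value, else FAIL."""
    actual = resolve_yamlpath(doc, yamlpath)
    return "PASS" if actual is not None and str(actual) == expected else "FAIL"


def check_results(doc, role, tailored_values, rule_name=RULE_NAME, yamlpath=YAMLPATH):
    """Map ComplianceCheckResult names (<profile>-<role>-<rule>) to their status."""
    return {f"{profile}-{role}-{rule_name}": check_yamlfile_value(doc, yamlpath, value)
            for profile, value in tailored_values.items()}
```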


The OpenShift Compliance Operator provides an adaptable way for an infrastructure operator to run compliance scans and verify whether a Kubernetes cluster and its underlying nodes comply with multiple specified regulatory profiles.

Our next step is to integrate Compliance Operator into the IBM Cloud Security and Compliance Center so that a compliance officer can manage security and compliance controls and regulatory profiles across the IBM Cloud platform, including Kubernetes, from a unified dashboard.

