Compliance Service


Overview

Compliance Service provides comprehensive security compliance scanning for Kubernetes clusters and MicroOS systems. This guide shows how to create scan profiles, monitor scan results and export compliance reports.

Creating Scan Profiles

A scan profile defines the scope and configuration of a compliance scan. Compliance Service supports STIG (Security Technical Implementation Guide) profiles for Kubernetes and MicroOS environments.

STIG Kubernetes Profiles

The following examples show how to create STIG compliance scan profiles for the different Kubernetes components:

API Server Scan Profile

apiVersion: compliance-operator.alauda.io/v1alpha1
kind: Scan
metadata:
  name: scan-stig-k8s-v2r2-api-server
  namespace: compliance-system
  annotations:
    compliance-operator.alauda.io/force-scan: "true"
    compliance-operator.alauda.io/job-mode: "aggregated"
spec:
  nodeScopeStrategy: auto
  scanType: node
  targetNodeRoles:
    - control-plane
    - worker
  profile: stig-k8s-v2r2-api-server
  nodeSelector: {}
  maxHistoricalResults: 3
  schedule: "0 2 * * *"

Control Plane Scan Profile

apiVersion: compliance-operator.alauda.io/v1alpha1
kind: Scan
metadata:
  name: scan-stig-k8s-v2r2-control-plane
  namespace: compliance-system
spec:
  profile: stig-k8s-v2r2-control-plane
  nodeScopeStrategy: auto
  scanType: node
  targetNodeRoles:
    - control-plane
    - worker

General Kubernetes Scan Profile

apiVersion: compliance-operator.alauda.io/v1alpha1
kind: Scan
metadata:
  name: scan-stig-k8s-v2r2-general
  namespace: compliance-system
spec:
  nodeScopeStrategy: auto
  scanType: all
  targetNodeRoles:
    - control-plane
    - worker
  profile: stig-k8s-v2r2-general

Kubelet Scan Profile

apiVersion: compliance-operator.alauda.io/v1alpha1
kind: Scan
metadata:
  name: scan-stig-k8s-v2r2-kubelet
  namespace: compliance-system
spec:
  nodeScopeStrategy: auto
  scanType: node
  targetNodeRoles:
    - control-plane
    - worker
  profile: stig-k8s-v2r2-kubelet

MicroOS Scan Profile

Compliance scan for the MicroOS operating system:

apiVersion: compliance-operator.alauda.io/v1alpha1
kind: Scan
metadata:
  name: scan-stig-os-microos
  namespace: compliance-system
spec:
  profile: stig-os-microos
  scanType: node

Scan Configuration Parameters

The following table describes the key configuration parameters available in a scan profile:

Parameter | Type | Scope | Description
--------- | ---- | ----- | -----------
spec.scanType | string | k8s, os | Supported values: platform, node, all. In platform mode the system scans only Kubernetes resources; in node mode it scans only node files.
spec.nodeScopeStrategy | string | k8s | Node selection mode. Supported values: auto, manual. In auto mode, nodes are selected automatically from each rule's scope definition; in manual mode, every rule is executed on the specified nodes.
spec.targetNodeRoles | array | k8s, os | Optional. Restricts the node roles. Valid values: control-plane, worker. When set, it takes part in node filtering and is intersected with the nodeScopeStrategy selection.
spec.nodeSelector | object | k8s, os | Optional. Selects nodes by label. When set, it takes part in node filtering and is intersected with the nodeScopeStrategy selection.
spec.schedule | string | k8s, os | Optional. Cron expression for scheduled scans. For example, "0 2 * * *" runs the scan every day at 02:00.
spec.maxHistoricalResults | int | k8s, os | Optional. Number of historical results to retain (default: 5). For example, 2 keeps only the two most recent results.

Scan Annotations

The following annotations control scan behaviour:

Annotation | Scope | Description
---------- | ----- | -----------
compliance-operator.alauda.io/force-scan: "true" | k8s, os | Manually triggers an immediate scan. The annotation is reset to false automatically once the scan completes.
compliance-operator.alauda.io/job-mode: "aggregated" | k8s | Enables aggregated scan mode: all rules defined in the profile run in a single Scan Job and the nodes are scanned one after another. This mode is only valid for Kubernetes scans.
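The parameter and annotation tables above read as a set of constraints, so here is a small builder that enforces them before a Scan manifest is applied. This is an added example, not code from the Compliance Service or the compliance-operator project: the `target` argument ("k8s" or "os") is an assumption used to apply the Scope column (the operator itself derives this from the profile), and the YAML renderer is a minimal hand-written one so the script runs without PyYAML.

```python
import re

# Added example, not code from the Compliance Service or the compliance-operator
# project. The checks encode the parameter and annotation tables above; `target`
# ("k8s" or "os") is an assumed argument used to apply the tables' Scope column.
API_VERSION = "compliance-operator.alauda.io/v1alpha1"
FORCE_SCAN = "compliance-operator.alauda.io/force-scan"
JOB_MODE = "compliance-operator.alauda.io/job-mode"
SCAN_TYPES = {"platform", "node", "all"}
SCOPE_STRATEGIES = {"auto", "manual"}
NODE_ROLES = {"control-plane", "worker"}
CRON_RE = re.compile(r"^\S+(\s+\S+){4}$")  # five cron fields; a shape check only


def build_scan(name, profile, target, scan_type, node_scope_strategy=None,
               target_node_roles=None, node_selector=None, schedule=None,
               max_historical_results=None, force_scan=False, aggregated=False,
               namespace="compliance-system"):
    """Return a Scan manifest as a dict, rejecting values the tables do not allow."""
    if target not in ("k8s", "os"):
        raise ValueError("target must be 'k8s' or 'os'")
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scanType must be one of {sorted(SCAN_TYPES)}")
    spec = {"profile": profile, "scanType": scan_type}
    if node_scope_strategy is not None:
        if target != "k8s":  # Scope column: k8s only
            raise ValueError("nodeScopeStrategy is only valid for Kubernetes scans")
        if node_scope_strategy not in SCOPE_STRATEGIES:
            raise ValueError("nodeScopeStrategy must be 'auto' or 'manual'")
        spec["nodeScopeStrategy"] = node_scope_strategy
    if target_node_roles is not None:
        unknown = set(target_node_roles) - NODE_ROLES
        if unknown:
            raise ValueError(f"unknown targetNodeRoles: {sorted(unknown)}")
        spec["targetNodeRoles"] = list(target_node_roles)
    if node_selector is not None:
        if not isinstance(node_selector, dict):
            raise ValueError("nodeSelector must be a label map")
        spec["nodeSelector"] = dict(node_selector)
    if schedule is not None:
        if not CRON_RE.match(schedule.strip()):
            raise ValueError("schedule needs five cron fields, e.g. '0 2 * * *'")
        spec["schedule"] = schedule
    if max_historical_results is not None:
        if (isinstance(max_historical_results, bool)
                or not isinstance(max_historical_results, int)
                or max_historical_results < 1):
            raise ValueError("maxHistoricalResults must be a positive integer")
        spec["maxHistoricalResults"] = max_historical_results
    annotations = {}
    if force_scan:
        annotations[FORCE_SCAN] = "true"
    if aggregated:
        if target != "k8s":  # aggregated job mode is Kubernetes-only
            raise ValueError("aggregated job mode is only valid for Kubernetes scans")
        annotations[JOB_MODE] = "aggregated"
    metadata = {"name": name, "namespace": namespace}
    if annotations:
        metadata["annotations"] = annotations
    return {"apiVersion": API_VERSION, "kind": "Scan", "metadata": metadata, "spec": spec}


def _scalar(value):
    """Render a scalar; quote strings YAML would otherwise read as bool, number or cron."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if value in ("true", "false") or value.isdigit() or re.search(r'[\s:*"{}]', value):
        return f'"{value}"'
    return value


def to_yaml(obj, indent=0):
    """Minimal YAML renderer for nested dicts, lists and scalars (no PyYAML needed)."""
    pad = "  " * indent
    lines = []
    for key, value in obj.items():
        if isinstance(value, dict) and value:
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(value, indent + 1))
        elif isinstance(value, dict):
            lines.append(f"{pad}{key}: {{}}")
        elif isinstance(value, list):
            lines.append(f"{pad}{key}:")
            lines.extend(f"{pad}  - {_scalar(item)}" for item in value)
        else:
            lines.append(f"{pad}{key}: {_scalar(value)}")
    return lines


if __name__ == "__main__":
    # Reproduces the API Server Scan Profile shown above.
    manifest = build_scan("scan-stig-k8s-v2r2-api-server", "stig-k8s-v2r2-api-server",
                          target="k8s", scan_type="node", node_scope_strategy="auto",
                          target_node_roles=["control-plane", "worker"], node_selector={},
                          schedule="0 2 * * *", max_historical_results=3,
                          force_scan=True, aggregated=True)
    print("\n".join(to_yaml(manifest)))
```

Annotation values are always emitted quoted, because an unquoted `true` would be parsed as a YAML boolean and rejected as an annotation value; the cron schedule is quoted for the same reason. The cron check is deliberately only a field-count check; the operator, not this script, validates the full expression.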

Monitoring Scan Results

Check the status and result of a compliance scan:

# Check scan status and results
kubectl get scan <scan-name> -n compliance-system -o jsonpath='{.status.phase}{"\t"}{.status.result}'

Example output:

Done NON-COMPLIANT
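In a pipeline the status command above is usually polled rather than run once, since `.status.phase` is not `Done` (and `.status.result` is empty) until the scan has finished. The following gate is an added example, not code from the Compliance Service: `fetch_status` is an injected callable so the logic runs offline against constructed sample outputs, the `kubectl_status` wrapper assumes `kubectl` on PATH and is not invoked by the demo, and the phase value `Running` and the result value `COMPLIANT` used for the passing case are assumptions (the guide only shows `Done` and `NON-COMPLIANT`); anything other than `COMPLIANT` fails closed.

```python
import subprocess
import time

# Added example, not code from the Compliance Service or the compliance-operator
# project. Consumes the "<phase>\t<result>" string printed by the kubectl
# jsonpath command in the guide; COMPLIANT and Running are assumed values.
DONE_PHASE = "Done"
COMPLIANT = "COMPLIANT"  # assumed passing value; anything else fails closed
EXIT_COMPLIANT, EXIT_NON_COMPLIANT, EXIT_TIMEOUT = 0, 1, 2


def parse_status(output):
    """Split 'Done\\tNON-COMPLIANT' into (phase, result); both are '' before the first run."""
    phase, _, result = output.strip("\n").partition("\t")
    return phase.strip(), result.strip()


def kubectl_status(scan_name, namespace="compliance-system"):
    """Production fetcher: the guide's kubectl command (assumes kubectl on PATH)."""
    jsonpath = '{.status.phase}{"\\t"}{.status.result}'
    proc = subprocess.run(
        ["kubectl", "get", "scan", scan_name, "-n", namespace, "-o", f"jsonpath={jsonpath}"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


def wait_for_scan(fetch_status, attempts=60, interval=10, sleep=time.sleep):
    """Poll until the phase is Done; return (exit_code, phase, result).

    Exit codes: 0 compliant, 1 non-compliant (or unknown result), 2 timed out.
    `sleep` is injectable so tests do not wait.
    """
    last = ("", "")
    for attempt in range(attempts):
        phase, result = parse_status(fetch_status())
        last = (phase, result)
        if phase == DONE_PHASE:
            code = EXIT_COMPLIANT if result == COMPLIANT else EXIT_NON_COMPLIANT
            return code, phase, result
        if attempt < attempts - 1:
            sleep(interval)
    return (EXIT_TIMEOUT,) + last


def replay_fetcher(outputs):
    """Constructed fetcher replaying sample kubectl outputs; repeats the last one."""
    it = iter(outputs)
    state = {"last": outputs[-1]}

    def fetch():
        try:
            state["last"] = next(it)
        except StopIteration:
            pass
        return state["last"]

    return fetch


if __name__ == "__main__":
    # Constructed sample: empty status, then Running, then the guide's example output.
    samples = ["\t", "Running\t", "Done\tNON-COMPLIANT"]
    code, phase, result = wait_for_scan(replay_fetcher(samples), interval=0, sleep=lambda s: None)
    print(f"phase={phase} result={result} exit={code}")
    # In production: wait_for_scan(lambda: kubectl_status("scan-stig-k8s-v2r2-api-server"))
```

The gate distinguishes "not finished yet" from "finished and failed": a timeout returns its own exit code so a CI job does not report a scan that never ran as either compliant or non-compliant.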

Exporting Compliance Reports

Compliance Service generates detailed HTML reports that can be exported for analysis and for compliance documentation.

Export Current Scan Reports

STIG Report Export

# View all scans
kubectl get scan -A

# Export STIG report: look up the ConfigMap named in the latest result, then dump its HTML
SCAN_NAME="<scan-name>"
REPORT_CM=$(kubectl get scan "$SCAN_NAME" -n compliance-system \
  -o jsonpath='{.status.latestResult.reportName}')
kubectl get cm "$REPORT_CM" -n compliance-system \
  -o jsonpath='{.data.report\.html}' > "report-$SCAN_NAME.html"

MicroOS Report Export

# Export MicroOS report: copy the report directory for the latest scan ID out of the report pod
SCAN_NAME="scan-stig-os-microos"
SCAN_ID=$(kubectl get scan "$SCAN_NAME" -n compliance-system \
  -o jsonpath='{.status.latestResult.scanID}')
REPORT_POD=$(kubectl get pods -n compliance-system -l app=openscap-report-service \
  -o jsonpath='{.items[0].metadata.name}')
kubectl cp "compliance-system/$REPORT_POD:/reports/$SCAN_ID" "./reports-$SCAN_ID"

Export Historical Reports

Access historical scan results and reports:

# View all check results
kubectl get checkresult -A

# Export historical STIG report: resolve the scan ID from the CheckResult label,
# then select the report ConfigMap carrying the same scan-id label
CHECKRESULT_NAME="<checkresult-name>"
SCAN_ID=$(kubectl get checkresult "$CHECKRESULT_NAME" -n compliance-system \
  -o jsonpath='{.metadata.labels.compliance-operator\.alauda\.io/scan-id}')
kubectl get cm -n compliance-system \
  -l "compliance-operator.alauda.io/scan-id=$SCAN_ID,compliance-operator.alauda.io/resource-type=report" \
  -o jsonpath='{.items[0].data.report\.html}' > "report-$CHECKRESULT_NAME.html"

# Export historical MicroOS report: same scan ID lookup, then copy from the report pod
CHECKRESULT_NAME="<checkresult-name>"
SCAN_ID=$(kubectl get checkresult "$CHECKRESULT_NAME" -n compliance-system \
  -o jsonpath='{.metadata.labels.compliance-operator\.alauda\.io/scan-id}')
REPORT_POD=$(kubectl get pods -n compliance-system -l app=openscap-report-service \
  -o jsonpath='{.items[0].metadata.name}')
kubectl cp "compliance-system/$REPORT_POD:/reports/$SCAN_ID" "./reports-$SCAN_ID"

Best Practices

  1. Scheduled Scanning: use the schedule parameter for periodic, automatic compliance checks
  2. Resource Management: configure maxHistoricalResults to keep storage usage under control
  3. Node Targeting: use targetNodeRoles and nodeSelector to focus scans on specific infrastructure components
  4. Aggregated Mode: use the aggregated job mode on large clusters to reduce load on the Kubernetes API
  5. Report Retention: export and archive compliance reports regularly to meet audit requirements