
Make sure the Container Security Operator is installed

An XCCDF Rule

Description

Using the Red Hat Quay Container Security Operator, you can access vulnerability scan results from the OpenShift Container Platform web console for container images used in active pods on the cluster. The Red Hat Quay Container Security Operator:

  • Watches containers associated with pods on all or specified namespaces
  • Queries the container registry where the containers came from for vulnerability information, provided an image’s registry is running image scanning (such as Quay.io or a Red Hat Quay registry with Clair scanning)
  • Exposes vulnerabilities via the ImageManifestVuln object in the Kubernetes API

For more information on the Container Security Operator, follow the OpenShift documentation: https://docs.openshift.com/container-platform/latest/security/pod-vulnerability-scan.html

Warning

This rule's check operates on the cluster configuration dump rather than on a live cluster. You therefore need a tool that can query the OCP API, retrieve the /apis/operators.coreos.com/v1alpha1/namespaces/openshift-operators/subscriptions/container-security-operator API endpoint, and save the response to the local file /apis/operators.coreos.com/v1alpha1/namespaces/openshift-operators/subscriptions/container-security-operator inside the dump. If the Subscription does not exist, the API server answers with a 404 Status object and no usable file is produced, which the check treats as a failure.
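The following is an added example, not code from the ComplianceAsCode project or the Compliance Operator. It collects the Subscription object from the endpoint named above into a local dump directory (when a logged-in `oc` is available) and evaluates the saved document offline. Assumptions, labelled in the code: the dump is the raw JSON returned by `oc get --raw`, the rule is satisfied when the Subscription's `.spec.name` is `container-security-operator`, and the sample documents are constructed, not captured from a cluster.

```python
"""Collect and evaluate the Container Security Operator Subscription dump.

Added example (not ComplianceAsCode or Compliance Operator code).
Assumptions: the dump is the JSON body returned by `oc get --raw`, and the
rule passes when the Subscription's .spec.name names the CSO package.
"""
import json
import os
import subprocess

# Endpoint named in the rule's warning; the check reads a local file at the same path.
ENDPOINT = ("/apis/operators.coreos.com/v1alpha1/namespaces/"
            "openshift-operators/subscriptions/container-security-operator")
# Assumption: the package name the rule expects in .spec.name.
EXPECTED_PACKAGE = "container-security-operator"


def fetch_subscription(dump_root):
    """Query the OCP API and write the response under <dump_root>/<ENDPOINT>.

    Requires a logged-in `oc`. Returns the path written, or None when the
    request fails (for example a 404 because the Subscription is absent).
    """
    proc = subprocess.run(["oc", "get", "--raw", ENDPOINT],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    out_path = os.path.join(dump_root, ENDPOINT.lstrip("/"))
    os.makedirs(os.path.dirname(out_path), exist_ok=True)
    with open(out_path, "w") as fh:
        fh.write(proc.stdout)
    return out_path


def evaluate_subscription(doc):
    """Evaluate a parsed API response. Returns (passed, reason)."""
    if not isinstance(doc, dict):
        return False, "dump is not a JSON object"
    if doc.get("kind") == "Status":
        # The API server returns a Status object (code 404) when the object is missing.
        return False, "API returned %s (code %s)" % (doc.get("reason"), doc.get("code"))
    if doc.get("kind") != "Subscription":
        return False, "unexpected kind %r" % doc.get("kind")
    package = doc.get("spec", {}).get("name")
    if package != EXPECTED_PACKAGE:
        return False, "Subscription package is %r, expected %r" % (package, EXPECTED_PACKAGE)
    # Extra context beyond the rule: OLM records the installed CSV in .status.
    installed = doc.get("status", {}).get("installedCSV")
    if not installed:
        return True, "Subscription exists but OLM has not installed a CSV yet"
    return True, "Subscription installs %s" % installed


def check_dump_file(dump_root):
    """Evaluate the dump file at <dump_root>/<ENDPOINT>, as the rule's check would."""
    path = os.path.join(dump_root, ENDPOINT.lstrip("/"))
    if not os.path.exists(path):
        return False, "no dump at %s; was the endpoint retrieved?" % path
    with open(path) as fh:
        try:
            doc = json.load(fh)
        except ValueError as exc:
            return False, "dump is not valid JSON: %s" % exc
    return evaluate_subscription(doc)


# Constructed sample responses (not captured from a real cluster).
SAMPLE_INSTALLED = {
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "Subscription",
    "metadata": {"name": "container-security-operator",
                 "namespace": "openshift-operators"},
    "spec": {"channel": "stable", "name": "container-security-operator",
             "source": "redhat-operators", "sourceNamespace": "openshift-marketplace"},
    "status": {"installedCSV": "container-security-operator.v0.0.0-sample"},
}
SAMPLE_NOT_FOUND = {
    "apiVersion": "v1", "kind": "Status", "status": "Failure",
    "reason": "NotFound", "code": 404,
    "message": 'subscriptions.operators.coreos.com "container-security-operator" not found',
}
SAMPLE_WRONG_PACKAGE = {
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "Subscription",
    "metadata": {"name": "container-security-operator",
                 "namespace": "openshift-operators"},
    "spec": {"channel": "stable", "name": "some-other-operator"},
}

if __name__ == "__main__":
    for label, doc in (("installed", SAMPLE_INSTALLED),
                       ("not found", SAMPLE_NOT_FOUND),
                       ("wrong package", SAMPLE_WRONG_PACKAGE)):
        print(label, evaluate_subscription(doc))
    # Against a real cluster: fetch_subscription("./dump") then check_dump_file("./dump")
```

Run it against a real dump with `fetch_subscription("./dump")` followed by `check_dump_file("./dump")`; the file layout mirrors the path in the warning so the same directory can be fed to the rule's own check.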

Rationale

Vulnerabilities in the software packages shipped inside container images can be exploited by attackers or malicious users to obtain unauthorized access to resources. Without the operator, scan results for images running on the cluster are not surfaced in the cluster API, so vulnerable workloads can go unnoticed.

ID
xccdf_org.ssgproject.content_rule_container_security_operator_exists
Severity
Medium
References
Updated