Configure the OpenShift Container Platform

The Tenable integration for the Red Hat OpenShift Container Platform requires a service account configured with appropriate permissions. Complete the following steps to create the service account, retrieve its API token, and grant it the read access the integration needs:

  1. Create a service account (the sample output below uses the name audit):

    $ oc create sa <service-account-name>

    serviceaccount "audit" created

  2. Describe the service account to list the token secrets that belong to it:

    $ oc describe sa <service-account-name>

    Name: audit

    Tokens: audit-token-f4khf
            audit-token-z8h44

  3. Retrieve the token for API authentication. Describe one of the token secrets listed in the previous step; the value of the token field is used as the Token in the OpenShift Container Platform Nessus credential. Treat it as a password: it grants whatever access you bind to the service account in the next step.

    $ oc describe secret <service-account-name>-token-z8h44

    Name: audit-token-z8h44

    Labels: <none>

    Annotations: kubernetes.io/service-account.name=audit
                 kubernetes.io/service-account.uid=49f19e2e-16c6-11e5-afdc-3c970e4b7ffe

    Type: kubernetes.io/service-account-token

    Data
    ====
    token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

    On clusters that no longer create token secrets automatically for service accounts (OpenShift 4.11 and later, Kubernetes 1.24 and later), the Tokens field in step 2 is empty. Request a token directly instead and use its output as the Token value; the token is time-limited, and --duration can request a longer lifetime subject to the limits configured on the cluster:

    $ oc create token <service-account-name>

  4. Grant the service account appropriate permissions. You can do this from the OpenShift cluster console at https://console-openshift-console.apps.openshift.<your-domain> or with oc. The service account needs GET access (the RBAC verbs get and list) to the following API endpoints; none of the checks require write access, so grant nothing beyond these reads:

    * getAuthentications: /apis/config.openshift.io/v1/authentications

    * getClusterOperators: /apis/config.openshift.io/v1/clusteroperators

    * getClusterRoleBindings: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings

    * getClusterRoles: /apis/rbac.authorization.k8s.io/v1/clusterroles

    * getClusterVersions: /apis/config.openshift.io/v1/clusterversions

    * getConfigMaps_openshift-apiserver: /api/v1/namespaces/openshift-apiserver/configmaps

    * getConfigMaps_openshift-authentication: /api/v1/namespaces/openshift-authentication/configmaps

    * getConfigMaps_openshift-kube-apiserver: /api/v1/namespaces/openshift-kube-apiserver/configmaps

    * getConfigMaps_openshift-kube-controller-manager: /api/v1/namespaces/openshift-kube-controller-manager/configmaps

    * getEndpoints: /api/v1/endpoints

    * getIdentities: /apis/user.openshift.io/v1/identities

    * getIngressControllers_openshift-ingress-operator: /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers

    * getKubeApiServers: /apis/operator.openshift.io/v1/kubeapiservers

    * getMachineConfigPools: /apis/machineconfiguration.openshift.io/v1/machineconfigpools

    * getMachineConfigs: /apis/machineconfiguration.openshift.io/v1/machineconfigs

    * getNamespaces: /api/v1/namespaces

    * getNetworkPolicies: /apis/networking.k8s.io/v1/networkpolicies

    * getNodeLogs_kube-apiserver: /api/v1/nodes/openshift/proxy/logs/kube-apiserver/

    * getNodeLogs_openshift-apiserver: /api/v1/nodes/openshift/proxy/logs/openshift-apiserver/

    * getOpenShiftApiServers: /apis/operator.openshift.io/v1/openshiftapiservers

    * getPods: /api/v1/pods

    * getPods_openshift-kube-apiserver: /api/v1/namespaces/openshift-kube-apiserver/pods

    * getRoleBindings: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings

    * getRoles: /apis/rbac.authorization.k8s.io/v1/roles

    * getSecrets_kubeadmin_kube-system: /api/v1/namespaces/kube-system/secrets/kubeadmin

    * getSecrets_serving-cert_openshift-apiserver: /api/v1/namespaces/openshift-apiserver/secrets/serving-cert

    * getSecurityContextConstraints: /apis/security.openshift.io/v1/securitycontextconstraints

    * getServiceAccounts: /api/v1/serviceaccounts

    The node log endpoints are served through the nodes/proxy subresource, and the two getSecrets entries read Secret objects. Scope the secret grants to the named secret in its own namespace (resourceNames in a namespaced Role) rather than granting get on secrets cluster-wide; a token that can read arbitrary secrets is far more valuable to an attacker than the audit data it was issued for.
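The following manifest is an added example of how the endpoint list above maps onto Kubernetes RBAC; it is not Tenable's or Red Hat's own manifest. It assumes the service account from step 1 is named audit and lives in a namespace called tenable (both assumptions), binds a single read-only ClusterRole for everything except the two secrets, and grants those two secrets by name through namespaced Roles so the account can never list or read other secrets.

```yaml
# Added example, not Tenable's or Red Hat's manifest. Assumed names:
# service account "audit" in namespace "tenable"; role names are arbitrary.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tenable-audit-reader
rules:
  # GET on a collection URL is the "list" verb; GET on a named object is "get".
  - apiGroups: [""]
    resources: [configmaps, endpoints, namespaces, pods, serviceaccounts]
    verbs: [get, list]
  - apiGroups: [""]
    resources: [nodes/proxy]   # /api/v1/nodes/<node>/proxy/logs/...
    verbs: [get]
  - apiGroups: [config.openshift.io]
    resources: [authentications, clusteroperators, clusterversions]
    verbs: [get, list]
  - apiGroups: [rbac.authorization.k8s.io]
    resources: [clusterroles, clusterrolebindings, roles, rolebindings]
    verbs: [get, list]
  - apiGroups: [user.openshift.io]
    resources: [identities]
    verbs: [get, list]
  - apiGroups: [operator.openshift.io]
    resources: [ingresscontrollers, kubeapiservers, openshiftapiservers]
    verbs: [get, list]
  - apiGroups: [machineconfiguration.openshift.io]
    resources: [machineconfigpools, machineconfigs]
    verbs: [get, list]
  - apiGroups: [networking.k8s.io]
    resources: [networkpolicies]
    verbs: [get, list]
  - apiGroups: [security.openshift.io]
    resources: [securitycontextconstraints]
    verbs: [get, list]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tenable-audit-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tenable-audit-reader
subjects:
  - kind: ServiceAccount
    name: audit
    namespace: tenable
---
# Secret reads are scoped to one named secret in one namespace each;
# "secrets" is deliberately absent from the ClusterRole above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenable-audit-kubeadmin
  namespace: kube-system
rules:
  - apiGroups: [""]
    resources: [secrets]
    resourceNames: [kubeadmin]
    verbs: [get]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenable-audit-kubeadmin
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tenable-audit-kubeadmin
subjects:
  - kind: ServiceAccount
    name: audit
    namespace: tenable
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenable-audit-serving-cert
  namespace: openshift-apiserver
rules:
  - apiGroups: [""]
    resources: [secrets]
    resourceNames: [serving-cert]
    verbs: [get]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenable-audit-serving-cert
  namespace: openshift-apiserver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tenable-audit-serving-cert
subjects:
  - kind: ServiceAccount
    name: audit
    namespace: tenable
```

Apply it with `oc apply -f tenable-audit-rbac.yaml` and check the result by impersonating the service account: `oc auth can-i list securitycontextconstraints --as=system:serviceaccount:tenable:audit` should answer yes, `oc auth can-i get secrets/serving-cert -n openshift-apiserver --as=system:serviceaccount:tenable:audit` should answer yes, and both `oc auth can-i list secrets -A --as=system:serviceaccount:tenable:audit` and `oc auth can-i delete pods --as=system:serviceaccount:tenable:audit` should answer no. The ClusterRole grants configmaps and pods in every namespace even though the list above only names four namespaces for configmaps and one for pods; if that is wider than your policy allows, move those two resources into per-namespace Roles in the same way the secrets are handled here.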