Configure the OpenShift Container Platform
The Tenable integration for the Red Hat OpenShift Container Platform requires a service account configured with appropriate permissions. Complete the following steps to create the service account and configure its access:
- Create a service account:
  $ oc create sa <service-account-name>
  serviceaccount "audit" created
- Describe the service account to list its tokens:
  $ oc describe sa <service-account-name>
  Name:   audit
  Tokens: audit-token-f4khf
          audit-token-z8h44
- Retrieve the token for API authentication. The token value is used as the Token in the OpenShift Container Platform Nessus credential:
  $ oc describe secret <service-account-name>-token-z8h44
  Name:        robot-token-uzkbh
  Labels:      <none>
  Annotations: kubernetes.io/service-account.name=audit,kubernetes.io/service-account.uid=49f19e2e-16c6-11e5-afdc-3c970e4b7ffe
  Type:        kubernetes.io/service-account-token
  Data
  token:       eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
- Grant the service account appropriate permissions by logging in to your OpenShift cluster console: https://console-openshift-console.apps.openshift.<your-domain>
- Grant the service account GET access to the following API endpoints:
  * getAuthentications: /apis/config.openshift.io/v1/authentications
  * getClusterOperators: /apis/config.openshift.io/v1/clusteroperators
  * getClusterRoleBindings: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings
  * getClusterRoles: /apis/rbac.authorization.k8s.io/v1/clusterroles
  * getClusterVersions: /apis/config.openshift.io/v1/clusterversions
  * getConfigMaps_openshift-apiserver: /api/v1/namespaces/openshift-apiserver/configmaps
  * getConfigMaps_openshift-authentication: /api/v1/namespaces/openshift-authentication/configmaps
  * getConfigMaps_openshift-kube-apiserver: /api/v1/namespaces/openshift-kube-apiserver/configmaps
  * getConfigMaps_openshift-kube-controller-manager: /api/v1/namespaces/openshift-kube-controller-manager/configmaps
  * getEndpoints: /api/v1/endpoints
  * getIdentities: /apis/user.openshift.io/v1/identities
  * getIngressControllers_openshift-ingress-operator: /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers
  * getKubeApiServers: /apis/operator.openshift.io/v1/kubeapiservers
  * getMachineConfigPools: /apis/machineconfiguration.openshift.io/v1/machineconfigpools
  * getMachineConfigs: /apis/machineconfiguration.openshift.io/v1/machineconfigs
  * getNamespaces: /api/v1/namespaces
  * getNetworkPolicies: /apis/networking.k8s.io/v1/networkpolicies
  * getNodeLogs_kube-apiserver: /api/v1/nodes/openshift/proxy/logs/kube-apiserver/
  * getNodeLogs_openshift-apiserver: /api/v1/nodes/openshift/proxy/logs/openshift-apiserver/
  * getOpenShiftApiServers: /apis/operator.openshift.io/v1/openshiftapiservers
  * getPods: /api/v1/pods
  * getPods_openshift-kube-apiserver: /api/v1/namespaces/openshift-kube-apiserver/pods
  * getRoleBindings: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings
  * getRoles: /apis/rbac.authorization.k8s.io/v1/roles
  * getSecrets_kubeadmin_kube-system: /api/v1/namespaces/kube-system/secrets/kubeadmin
  * getSecrets_serving-cert_openshift-apiserver: /api/v1/namespaces/openshift-apiserver/secrets/serving-cert
  * getSecurityContextConstraints: /apis/security.openshift.io/v1/securitycontextconstraints
  * getServiceAccounts: /api/v1/serviceaccounts