OpenShift 4.x HOL Tutorial Collection
Note: this article has been verified on OpenShift 4.7.

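Contents

  • Install the Compliance Operator
  • View the Compliance Operator objects
  • Compliance scanning
    • Configure a scheduled compliance scan
    • Get the scan result files
      • Get the scan results through a helper Pod
      • Get the scan results through the oc-compliance command plugin
    • View the scan results
      • View the scan results
      • View the scan report
  • References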

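Install the Compliance Operator

  1. In the OpenShift console, open OperatorHub, find "Compliance Operator" and click it.
  2. Accept the default configuration and install "Compliance Operator". By default it is installed into the "openshift-compliance" project.
  3. Once the installation finishes, open "Compliance Operator".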

View the Compliance Operator objects

  1. View the profilebundle objects. They show that profiles fall into the following 2 classes, which can be told apart by label.
$ oc get profilebundle.compliance -n openshift-compliance
NAME     CONTENTIMAGE                                                                                                                     CONTENTFILE         STATUS
ocp4     registry.redhat.io/openshift4/compliance-content-rhel8@sha256:4529b9bb32c1846a38e38363fa872713b1c1e6b26b34d887813432f97cff368c   ssg-ocp4-ds.xml     VALID
rhcos4   registry.redhat.io/openshift4/compliance-content-rhel8@sha256:4529b9bb32c1846a38e38363fa872713b1c1e6b26b34d887813432f97cff368c   ssg-rhcos4-ds.xml   VALID
  2. View all profile objects.
$ oc get profile.compliance -n openshift-compliance
NAME                 AGE
ocp4-cis             24s
ocp4-cis-node        24s
ocp4-e8              24s
ocp4-moderate        23s
ocp4-moderate-node   24s
ocp4-nerc-cip        23s
ocp4-nerc-cip-node   23s
ocp4-pci-dss         23s
ocp4-pci-dss-node    23s
rhcos4-e8            17s
rhcos4-moderate      17s
rhcos4-nerc-cip      17s
  3. Use the label to view only the profiles related to "rhcos4".
$ oc get profile.compliance -l compliance.openshift.io/profile-bundle=rhcos4 -n openshift-compliance
rhcos4-e8         3m20s
rhcos4-moderate   3m20s
rhcos4-nerc-cip   3m20s
  4. View the rules contained in the profile named "rhcos4-e8".
$ oc get profile.compliance rhcos4-e8 -n openshift-compliance -o json | jq .rules
["rhcos4-accounts-no-uid-except-zero","rhcos4-audit-rules-dac-modification-chmod","rhcos4-audit-rules-dac-modification-chown","rhcos4-audit-rules-execution-chcon","rhcos4-audit-rules-execution-restorecon","rhcos4-audit-rules-execution-semanage","rhcos4-audit-rules-execution-setfiles","rhcos4-audit-rules-execution-setsebool","rhcos4-audit-rules-execution-seunshare","rhcos4-audit-rules-kernel-module-loading-delete","rhcos4-audit-rules-kernel-module-loading-finit","rhcos4-audit-rules-kernel-module-loading-init","rhcos4-audit-rules-login-events","rhcos4-audit-rules-login-events-faillock","rhcos4-audit-rules-login-events-lastlog","rhcos4-audit-rules-login-events-tallylog","rhcos4-audit-rules-networkconfig-modification","rhcos4-audit-rules-sysadmin-actions","rhcos4-audit-rules-time-adjtimex","rhcos4-audit-rules-time-clock-settime","rhcos4-audit-rules-time-settimeofday","rhcos4-audit-rules-time-stime","rhcos4-audit-rules-time-watch-localtime","rhcos4-audit-rules-usergroup-modification","rhcos4-auditd-data-retention-flush","rhcos4-auditd-freq","rhcos4-auditd-local-events","rhcos4-auditd-log-format","rhcos4-auditd-name-format","rhcos4-auditd-write-logs","rhcos4-configure-crypto-policy","rhcos4-configure-ssh-crypto-policy","rhcos4-no-empty-passwords","rhcos4-selinux-policytype","rhcos4-selinux-state","rhcos4-service-auditd-enabled","rhcos4-sshd-disable-empty-passwords","rhcos4-sshd-disable-gssapi-auth","rhcos4-sshd-disable-rhosts","rhcos4-sshd-disable-root-login","rhcos4-sshd-disable-user-known-hosts","rhcos4-sshd-do-not-permit-user-env","rhcos4-sshd-enable-strictmodes","rhcos4-sshd-print-last-log","rhcos4-sshd-set-loglevel-info","rhcos4-sysctl-kernel-dmesg-restrict","rhcos4-sysctl-kernel-kptr-restrict","rhcos4-sysctl-kernel-randomize-va-space","rhcos4-sysctl-kernel-unprivileged-bpf-disabled","rhcos4-sysctl-kernel-yama-ptrace-scope","rhcos4-sysctl-net-core-bpf-jit-harden"
]
  5. View all rules.
$ oc get rule.compliance -n openshift-compliance
NAME                                                                                AGE
ocp4-accounts-restrict-service-account-tokens                                       11m
ocp4-accounts-unique-service-account                                                11m
ocp4-api-server-admission-control-plugin-alwaysadmit                                11m
ocp4-api-server-admission-control-plugin-alwayspullimages                           11m
ocp4-api-server-admission-control-plugin-namespacelifecycle                         11m
ocp4-api-server-admission-control-plugin-noderestriction                            11m
ocp4-api-server-admission-control-plugin-scc                                        11m
ocp4-api-server-admission-control-plugin-securitycontextdeny                        11m
ocp4-api-server-admission-control-plugin-serviceaccount                             11m
ocp4-api-server-anonymous-auth                                                      11m
ocp4-api-server-api-priority-flowschema-catch-all                                   11m
ocp4-api-server-api-priority-gate-enabled                                           11m
ocp4-api-server-api-priority-v1alpha1-flowschema-catch-all                          11m
ocp4-api-server-audit-log-maxbackup                                                 11m
ocp4-api-server-audit-log-maxsize                                                   11m
ocp4-api-server-audit-log-path                                                      11m
ocp4-api-server-auth-mode-no-aa                                                     11m
ocp4-api-server-auth-mode-node                                                     11m
ocp4-api-server-auth-mode-rbac                                                      11m
ocp4-api-server-basic-auth                                                          11m
ocp4-api-server-bind-address                                                        11m
ocp4-api-server-client-ca                                                           11m
...
  6. View the configuration of one rule.
$ oc get rule.compliance rhcos4-accounts-no-uid-except-zero -n openshift-compliance -oyaml
apiVersion: compliance.openshift.io/v1alpha1
description: If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.<html:br></html:br>If the account is associated with system commands or applications the UID
should be changed to one greater than "0" but less than "1000."
Otherwise assign a UID greater than "1000" that has not already been
assigned.
id: xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
kind: Rule
metadata:
  annotations:
    compliance.openshift.io/image-digest: pb-rhcos4z4pqh
    compliance.openshift.io/rule: accounts-no-uid-except-zero
    control.compliance.openshift.io/NIST-800-53: IA-2;AC-6(5);IA-4(b)
    policies.open-cluster-management.io/controls: IA-2,AC-6(5),IA-4(b)
    policies.open-cluster-management.io/standards: NIST-800-53
  creationTimestamp: "2021-06-13T03:23:01Z"
  generation: 1
  labels:
    compliance.openshift.io/profile-bundle: rhcos4
  name: rhcos4-accounts-no-uid-except-zero
  namespace: openshift-compliance
  ownerReferences:
  - apiVersion: compliance.openshift.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: ProfileBundle
    name: rhcos4
    uid: e38773a2-bee3-4e50-b1c6-bcced0233c18
  resourceVersion: "3186523"
  selfLink: /apis/compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/rules/rhcos4-accounts-no-uid-except-zero
  uid: c9662df3-497a-4fbe-ade5-08bd2521cf97
rationale: An account has root authority if it has a UID of 0. Multiple accounts&#xA;with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
severity: high
title: Verify Only Root Has UID 0
  7. View the existing ScanSetting objects.
$ oc get ScanSetting
NAME                 AGE
default              4h18m
default-auto-apply   4h18m
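  8. The difference between the two is that default only scans, whereas default-auto-apply also automatically remediates the issues it finds. Comparing the YAML of the two, the difference is mainly the following 2 lines.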
autoUpdateRemediations: true
autoApplyRemediations: true

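Compliance scanning

Configure a scheduled compliance scan

  1. Create a file whose ScanSetting defines a scan of the master and worker nodes every 10 minutes. It allocates 2G of space per node to hold scan results and keeps the last 5 scan results in rotation.
$ cat << EOF > periodic-setting.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: periodic-setting
  namespace: openshift-compliance
# Run a scan every 10 minutes
schedule: "*/10 * * * *"
rawResultStorage:
  size: "2Gi"
  rotation: 5
roles:
  - worker
  - master
EOF
$ oc create -f periodic-setting.yaml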
  2. Create a file whose ScanSettingBinding specifies that the scan uses the two profiles "rhcos4-e8" and "ocp4-e8" together with the ScanSetting named "periodic-setting".
$ cat << EOF > periodic-e8.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: periodic-e8
  namespace: openshift-compliance
profiles:
  # Node checks
  - name: rhcos4-e8
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  # Platform checks
  - name: ocp4-e8
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: periodic-setting
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
$ oc create -f periodic-e8.yaml
  3. Watch the compliance scan through its compliancesuite object. The scan needs to run for a while; it is finished once PHASE shows DONE.
$ oc get compliancesuite -n openshift-compliance -w
NAME          PHASE         RESULT
periodic-e8   PENDING       NOT-AVAILABLE
periodic-e8   LAUNCHING     NOT-AVAILABLE
periodic-e8   RUNNING       NOT-AVAILABLE
periodic-e8   RUNNING       NOT-AVAILABLE
periodic-e8   RUNNING       NOT-AVAILABLE
periodic-e8   RUNNING       NOT-AVAILABLE
periodic-e8   RUNNING       NOT-AVAILABLE
periodic-e8   AGGREGATING   NOT-AVAILABLE
periodic-e8   DONE          NON-COMPLIANT
  4. View the compliancecheckresult objects of the compliance scan named "ocp4-e8".
$ oc get compliancecheckresult -n openshift-compliance -l compliance.openshift.io/scan-name=ocp4-e8
NAME                                               STATUS   SEVERITY
ocp4-e8-api-server-encryption-provider-cipher      FAIL     medium
ocp4-e8-api-server-tls-cipher-suites               PASS     medium
ocp4-e8-ocp-allowed-registries                     FAIL     medium
ocp4-e8-ocp-allowed-registries-for-import          FAIL     medium
ocp4-e8-ocp-idp-no-htpasswd                        FAIL     medium
ocp4-e8-rbac-limit-cluster-admin                   MANUAL   medium
ocp4-e8-rbac-pod-creation-access                   MANUAL   medium
ocp4-e8-rbac-wildcard-use                          MANUAL   medium
ocp4-e8-scc-limit-container-allowed-capabilities   PASS     medium
ocp4-e8-scc-limit-privilege-escalation             MANUAL   medium
ocp4-e8-scc-limit-privileged-containers            MANUAL   medium
ocp4-e8-scc-limit-root-containers                  MANUAL   medium
  5. View the compliancecheckresults of the compliance scan named "ocp4-e8" that have "check-status=FAIL" or "check-severity=medium".
$ oc get compliancecheckresult -n openshift-compliance -l compliance.openshift.io/scan-name=ocp4-e8,compliance.openshift.io/check-status=FAIL
NAME                                            STATUS   SEVERITY
ocp4-e8-api-server-encryption-provider-cipher   FAIL     medium
ocp4-e8-ocp-allowed-registries                  FAIL     medium
ocp4-e8-ocp-allowed-registries-for-import       FAIL     medium
ocp4-e8-ocp-idp-no-htpasswd                     FAIL     medium
$ oc get compliancecheckresult -l compliance.openshift.io/scan-name=ocp4-e8,compliance.openshift.io/check-severity=medium
NAME                                               STATUS   SEVERITY
ocp4-e8-api-server-encryption-provider-cipher      FAIL     medium
ocp4-e8-api-server-tls-cipher-suites               PASS     medium
ocp4-e8-ocp-allowed-registries                     FAIL     medium
ocp4-e8-ocp-allowed-registries-for-import          FAIL     medium
ocp4-e8-ocp-idp-no-htpasswd                        FAIL     medium
ocp4-e8-rbac-limit-cluster-admin                   MANUAL   medium
ocp4-e8-rbac-pod-creation-access                   MANUAL   medium
ocp4-e8-rbac-wildcard-use                          MANUAL   medium
ocp4-e8-scc-limit-container-allowed-capabilities   PASS     medium
ocp4-e8-scc-limit-privilege-escalation             MANUAL   medium
ocp4-e8-scc-limit-privileged-containers            MANUAL   medium
ocp4-e8-scc-limit-root-containers                  MANUAL   medium
  6. View the compliancecheckresults of the compliance scans named "rhcos4-e8-master" and "rhcos4-e8-worker".
$ oc get compliancecheckresult -n openshift-compliance -l compliance.openshift.io/scan-name=rhcos4-e8-master
$ oc get compliancecheckresult -n openshift-compliance -l compliance.openshift.io/scan-name=rhcos4-e8-worker
  7. Count the scan results in each status.
$ echo -n PASS: && oc get compliancecheckresult -n openshift-compliance | grep PASS | wc -l && \
echo -n FAIL: && oc get compliancecheckresult -n openshift-compliance | grep FAIL | wc -l && \
echo -n INFO: && oc get compliancecheckresult -n openshift-compliance | grep INFO | wc -l && \
echo -n MANUAL: && oc get compliancecheckresult -n openshift-compliance | grep MANUAL | wc -l && \
echo -n NOT-APPLICABLE: && oc get compliancecheckresult -n openshift-compliance | grep NOT-APPLICABLE | wc -l
PASS:235
FAIL:104
INFO:0
MANUAL:32
NOT-APPLICABLE:0

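Get the scan result files

Either of the following 2 methods can be used to obtain the packaged scan results:

Get the scan results through a helper Pod

This method requires a storageclass to be configured in OpenShift.

  1. List the names of the PVCs in which each compliancescan stores its scan results.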
$ oc get compliancescans -n openshift-compliance -o json | jq '.items[].status.resultsStorage'
{
  "name": "ocp4-e8",
  "namespace": "openshift-compliance"
}
{
  "name": "rhcos4-e8-master",
  "namespace": "openshift-compliance"
}
{
  "name": "rhcos4-e8-worker",
  "namespace": "openshift-compliance"
}
  2. Verify that OpenShift already has the "rhcos4-e8-master" PVC; it is the volume that stores the rhcos4-e8-master scan results.
$ oc get pvc -n openshift-compliance
NAME                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
ocp4-e8                Bound    pvc-7e363d19-69d7-4bde-939a-74212e9cf9d3   2Gi        RWO            gp2            33m
rhcos4-e8-master       Bound    pvc-cb6a9594-5333-4d8d-8959-9429a9212ea3   2Gi        RWO            gp2            33m
rhcos4-e8-worker       Bound    pvc-00a3ed90-d608-436b-84e0-40ea435937d8   2Gi        RWO            gp2            34m
  3. Create a pod that mounts the PVC named "rhcos4-e8-master" seen in the previous step.
$ cat << EOF > pv-extract.yaml
apiVersion: "v1"
kind: Pod
metadata:
  name: pv-extract
  namespace: openshift-compliance
spec:
  containers:
    - name: pv-extract-pod
      image: registry.access.redhat.com/ubi8/ubi
      command: ["sleep", "3000"]
      volumeMounts:
        - mountPath: "/master-scan-results"
          name: master-scan-vol
  volumes:
    - name: master-scan-vol
      persistentVolumeClaim:
        claimName: rhcos4-e8-master
EOF
$ oc create -f pv-extract.yaml
  4. Confirm that the pod named "pv-extract" is running.
$ oc get pod pv-extract -n openshift-compliance
NAME         READY   STATUS    RESTARTS   AGE
pv-extract   1/1     Running   0          34s
  5. Copy the compliance scan results from the pod named "pv-extract" into the local "extract_results_dir" directory.
$ oc -n openshift-compliance cp pv-extract:/master-scan-results ./extract_results_dir
tar: Removing leading `/' from member names
  6. Check that the local directory now contains the packaged scan result files.
$ ll extract_results_dir/0/
total 488
-rw-r--r--. 1 lab-user users 529771 Feb 28 03:28 rhcos4-e8-master-ip-10-0-136-94.us-east-2.compute.internal-pod.xml.bzip2
-rw-r--r--. 1 lab-user users 529801 Feb 28 03:28 rhcos4-e8-master-ip-10-0-179-237.us-east-2.compute.internal-pod.xml.bzip2
-rw-r--r--. 1 lab-user users 529790 Feb 28 03:28 rhcos4-e8-master-ip-10-0-218-59.us-east-2.compute.internal-pod.xml.bzip2
$ cd extract_results_dir/0/

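Get the scan results through the oc-compliance command plugin

This method requires a registry.redhat.io account to download the oc-compliance command plugin, which simplifies working with compliance results through the oc command.

  1. Create the directory to use, and install the required tools and openscap-scanner.
$ mkdir -p ~/.local/bin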
$ podman login -u <USER> -p <PASSWORD> registry.redhat.io
$ podman run --rm --entrypoint /bin/cat registry.redhat.io/compliance/oc-compliance-rhel8 /usr/bin/oc-compliance > ~/.local/bin/oc-compliance
Trying to pull registry.redhat.io/compliance/oc-compliance-rhel8...
Getting image source signatures
Copying blob f0ae454850a7 done
Copying blob 053724d29990 done
Copying blob ecbbd3f38c20 done
Copying config df71917de3 done
Writing manifest to image destination
Storing signatures
$ chmod +x ~/.local/bin/oc-compliance
  2. Use oc-compliance to fetch the scan results related to the scansettingbinding named periodic-e8 and save them to the specified directory.
$ mkdir /tmp/periodic-e8
$ oc-compliance fetch-raw scansettingbinding periodic-e8 -o /tmp/periodic-e8
Fetching results for periodic-e8 scans: rhcos4-e8-worker, rhcos4-e8-master, ocp4-e8
Fetching raw compliance results for scan 'rhcos4-e8-worker'.....
The raw compliance results are avaliable in the following directory: /tmp/periodic-e8/rhcos4-e8-worker
Fetching raw compliance results for scan 'rhcos4-e8-master'...
The raw compliance results are avaliable in the following directory: /tmp/periodic-e8/rhcos4-e8-master
Fetching raw compliance results for scan 'ocp4-e8'......
The raw compliance results are avaliable in the following directory: /tmp/periodic-e8/ocp4-e8
  3. Confirm the contents of the fetched scan results.
$ tree /tmp/periodic-e8/
/tmp/periodic-e8/
├── ocp4-e8
│   └── ocp4-e8-api-checks-pod.xml.bzip2
├── rhcos4-e8-master
│   ├── rhcos4-e8-master-ip-10-0-136-94.us-east-2.compute.internal-pod.xml.bzip2
│   ├── rhcos4-e8-master-ip-10-0-179-237.us-east-2.compute.internal-pod.xml.bzip2
│   └── rhcos4-e8-master-ip-10-0-218-59.us-east-2.compute.internal-pod.xml.bzip2
└── rhcos4-e8-worker
    ├── rhcos4-e8-worker-ip-10-0-135-205.us-east-2.compute.internal-pod.xml.bzip2
    └── rhcos4-e8-worker-ip-10-0-200-246.us-east-2.compute.internal-pod.xml.bzip2

View the scan results

View the scan results

  1. View all compliance scan results labeled "rhcos4-e8-master" and confirm that "rhcos4-e8-master-selinux-state" is among them.
$ oc get compliancecheckresult -n openshift-compliance -l compliance.openshift.io/scan-name=rhcos4-e8-master
  2. View the details of the scan result.
$ oc-compliance view-result rhcos4-e8-master-selinux-state
+----------------------+--------------------------------+
|         KEY          |             VALUE              |
+----------------------+--------------------------------+
| Title                | Ensure SELinux State is        |
|                      | Enforcing                      |
+----------------------+--------------------------------+
| Status               | PASS                           |
+----------------------+--------------------------------+
| Severity             | medium                         |
+----------------------+--------------------------------+
| Description          | The SELinux state should be    |
|                      | set to enforcing at system     |
|                      | boot time. In the file         |
|                      | /etc/selinux/config , add or   |
|                      | correct the following line to  |
|                      | configure the system to boot   |
|                      | into enforcing mode:           |
|                      |                                |
|                      |                                |
|                      |                                |
|                      | SELINUX= enforcing             |
+----------------------+--------------------------------+
| Rationale            | Setting the SELinux state to   |
|                      | enforcing ensures SELinux is   |
|                      | able to confine potentially    |
|                      | compromised processes to the   |
|                      | security policy, which is      |
|                      | designed to prevent them from  |
|                      | causing damage to the system   |
|                      | or further elevating their     |
|                      | privileges.                    |
+----------------------+--------------------------------+
| Instructions         | Check the file                 |
|                      | /etc/selinux/config and ensure |
|                      | the following line appears:    |
|                      |                                |
|                      | SELINUX=                       |
+----------------------+--------------------------------+
| NIST-800-53 Controls | AC-3, AC-3(3)(a), AU-9,        |
|                      | SC-7(21)                       |
+----------------------+--------------------------------+
| NERC-CIP Controls    | CIP-003-8 R5.1.1, CIP-003-8    |
|                      | R5.2, CIP-003-8 R5.3,          |
|                      | CIP-004-6 R2.2.3, CIP-004-6    |
|                      | R2.3, CIP-004-6 R3.3,          |
|                      | CIP-007-3 R5.1, CIP-007-3      |
|                      | R5.1.2, CIP-007-3 R5.2,        |
|                      | CIP-007-3 R5.3.1, CIP-007-3    |
|                      | R5.3.2, CIP-007-3 R5.3.3,      |
|                      | CIP-007-3 R6.5                 |
+----------------------+--------------------------------+
| Available Fix        | No                             |
+----------------------+--------------------------------+
| Result Object Name   | rhcos4-e8-master-selinux-state |
+----------------------+--------------------------------+
| Rule Object Name     | rhcos4-selinux-state           |
+----------------------+--------------------------------+
| Remediation Created  | No                             |
+----------------------+--------------------------------+

View the scan report

  1. Install openscap-scanner and the other tools.
$ sudo yum install openscap-scanner -y
$ sudo yum install bzip2 -y
  2. Decompress the result into an XML file, then convert it to HTML.
$ mkdir /tmp/periodic-e8/ocp4-e8 -p
$ bunzip2 -c /tmp/periodic-e8/ocp4-e8/ocp4-e8-api-checks-pod.xml.bzip2  > /tmp/periodic-e8/ocp4-e8/ocp4-e8-api-checks-pod.xml
$ oscap xccdf generate report /tmp/periodic-e8/ocp4-e8/ocp4-e8-api-checks-pod.xml > /tmp/periodic-e8/ocp4-e8/report.html
  3. The HTML scan report can then be opened.
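
The raw result files can also be read directly instead of being rendered to HTML. The following is an added example, not code from the original article or from the Compliance Operator project: it decompresses a .xml.bzip2 result file and lists the failed rules, most severe first. It assumes the file uses the XCCDF 1.2 namespace; the embedded sample document is constructed, and every rule id in it except accounts_no_uid_except_zero is made up.

```python
import bz2
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# XCCDF 1.2 namespace (assumption: the result file uses it for rule-result elements).
XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample, not real scan output: an ARF wrapper around one TestResult.
# Only the first rule id appears on the page; the others are invented placeholders.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns="http://checklists.nist.gov/xccdf/1.2">
 <arf:reports><arf:report id="constructed"><arf:content>
  <TestResult id="constructed-test-result">
   <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" severity="high">
    <result>pass</result>
   </rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_example_medium" severity="medium">
    <result>fail</result>
   </rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_example_high" severity="high">
    <result>fail</result>
   </rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_example_unselected" severity="low">
    <result>notselected</result>
   </rule-result>
  </TestResult>
 </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>
"""
SAMPLE_BZ2 = bz2.compress(SAMPLE_XML)


def load_rule_results(raw_bz2):
    """Decompress one .xml.bzip2 result file; return (rule id, severity, result) tuples."""
    root = ET.fromstring(bz2.decompress(raw_bz2))
    rows = []
    # iter() walks the whole tree, so this works whether TestResult is the
    # document root or nested inside an ARF asset-report-collection.
    for rule_result in root.iter(XCCDF + "rule-result"):
        result = (rule_result.findtext(XCCDF + "result") or "unknown").strip()
        rows.append((rule_result.get("idref", ""),
                     rule_result.get("severity", "unknown"),
                     result))
    return rows


def summarize(rows):
    """Count results per status, ignoring rules the profile did not select."""
    return Counter(result for _, _, result in rows if result != "notselected")


def failed_rules(rows):
    """Return (rule id, severity) for failed rules, most severe first, then by id."""
    failed = [(sev, rule) for rule, sev, result in rows if result == "fail"]
    failed.sort(key=lambda item: (SEVERITY_ORDER.get(item[0], 4), item[1]))
    return [(rule, sev) for sev, rule in failed]


if __name__ == "__main__":
    # Pass fetched files such as /tmp/periodic-e8/ocp4-e8/*.xml.bzip2 as arguments,
    # or run with no arguments to use the constructed sample.
    inputs = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [("sample", SAMPLE_BZ2)]
    for name, raw in inputs:
        rows = load_rule_results(raw)
        print(name, dict(summarize(rows)))
        for rule, severity in failed_rules(rows):
            print(f"  FAIL [{severity}] {rule}")
```

Running it over the per-node files of one role makes it easy to compare nodes that should be configured identically.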

References

https://github.com/openshift/compliance-operator/tree/master/doc/tutorials
https://blog.stderr.at/compliance/2021/07/compliance-operator/
https://shanna-chan.blog/2021/11/17/getting-started-on-openshift-compliance-operator/
https://github.com/openshift/oc-compliance
https://myopenshiftblog.com/openshift-compliance-operator/
https://github.com/pittar/ocp4-compliance-pbmm
