# Compliance Mappings

Purpose: for security and compliance reviewers; maps openCenter controls to CIS Kubernetes Benchmark, NIST 800-53, PCI-DSS, and SOC 2 requirements.
## Control Mapping Table
| openCenter Control | CIS K8s | NIST 800-53 | PCI-DSS | SOC 2 |
|---|---|---|---|---|
| Pod Security Admission (restricted) | 5.2.1–5.2.13 | AC-6, SC-7 | 2.2, 6.2 | CC6.1 |
| Kyverno policy enforcement | 5.2.x | CM-7, SI-7 | 6.1, 6.2 | CC6.1, CC7.1 |
| RBAC via rbac-manager + Keycloak | 5.1.1–5.1.9 | AC-2, AC-3 | 7.1, 7.2 | CC6.1, CC6.2 |
| SOPS-encrypted secrets in Git | 1.2.31 | SC-12, SC-28 | 3.4, 3.5 | CC6.1, CC6.7 |
| NetworkPolicy per namespace | 5.3.1–5.3.2 | SC-7, AC-4 | 1.2, 1.3 | CC6.6 |
| TLS on all ingress (cert-manager) | — | SC-8, SC-13 | 4.1 | CC6.7 |
| Audit logging (API server) | 1.2.22–1.2.25 | AU-2, AU-3 | 10.1–10.3 | CC7.2 |
| etcd encryption at rest | 1.2.31 | SC-28 | 3.4 | CC6.1 |
| Container image signing (Kyverno) | — | SI-7 | 6.3 | CC7.1 |
| FluxCD GitOps (immutable deploys) | — | CM-3, CM-5 | 6.4 | CC8.1 |
| Velero backup | — | CP-9, CP-10 | 12.10 | A1.2 |
| Kubelet TLS bootstrap | 4.2.10 | SC-8 | 4.1 | CC6.7 |
| API server authn/authz | 1.2.1–1.2.8 | IA-2, AC-2 | 8.1–8.3 | CC6.1 |
| Disable anonymous auth | 1.2.1 | IA-2 | 8.1 | CC6.1 |
| Restrict service account tokens | 5.1.6 | AC-6 | 7.2 | CC6.3 |
| Node OS hardening (sysctl) | 3.2.x | CM-6 | 2.2 | CC6.1 |
## CIS Kubernetes Benchmark Coverage

openCenter targets CIS Kubernetes Benchmark v1.8. Coverage by section:
| Section | Total Controls | Covered by Default | Manual Steps Required |
|---|---|---|---|
| 1 — Control Plane | 37 | 31 | 6 (audit policy, encryption config) |
| 2 — etcd | 7 | 7 | 0 |
| 3 — Control Plane Config | 4 | 3 | 1 (sysctl hardening) |
| 4 — Worker Nodes | 13 | 11 | 2 (read-only port, protect kernel) |
| 5 — Policies | 29 | 24 | 5 (network policies per tenant) |
See the Hardening Guide for the manual steps.

## NIST 800-53 Control Families
| Family | Controls Addressed | openCenter Implementation |
|---|---|---|
| AC (Access Control) | AC-2, AC-3, AC-4, AC-6 | Keycloak OIDC, RBAC, NetworkPolicy |
| AU (Audit) | AU-2, AU-3, AU-6, AU-12 | API server audit logs, Loki |
| CM (Config Management) | CM-3, CM-5, CM-6, CM-7 | GitOps, Kyverno, Kubespray hardening |
| CP (Contingency) | CP-9, CP-10 | Velero, etcd backup |
| IA (Identification) | IA-2, IA-5 | Keycloak, OIDC tokens, cert-manager |
| SC (System Comms) | SC-7, SC-8, SC-12, SC-13, SC-28 | NetworkPolicy, TLS, SOPS, etcd encryption |
| SI (System Integrity) | SI-7 | Kyverno image verification |
## PCI-DSS v4.0
| Requirement | openCenter Control | Evidence Source |
|---|---|---|
| 1.2 — Network segmentation | Calico NetworkPolicy, namespace isolation | kubectl get networkpolicies -A |
| 2.2 — Secure configuration | Kubespray hardened defaults, sysctl | Node config audit |
| 3.4 — Render PAN unreadable | SOPS encryption, etcd encryption | .sops.yaml, encryption provider config |
| 4.1 — TLS in transit | cert-manager ClusterIssuer, Gateway TLS | kubectl get certificates -A |
| 6.2 — Secure development | Kyverno policies block unsafe images | kubectl get clusterpolicy |
| 7.1 — Least privilege | RBAC via rbac-manager | kubectl get rbacdefinitions |
| 8.1 — User identification | Keycloak OIDC, no shared accounts | Keycloak admin console |
| 10.1 — Audit trail | API server audit logs | /var/log/kubernetes/audit.log |
| 12.10 — Incident response | Velero backup + restore | velero backup get |
## SOC 2 Trust Service Criteria
| Criteria | openCenter Control | Evidence |
|---|---|---|
| CC6.1 — Logical access | RBAC, OIDC, namespace isolation | RBACDefinition manifests in Git |
| CC6.2 — Auth mechanisms | Keycloak MFA, OIDC tokens | Keycloak realm config |
| CC6.6 — Network boundaries | NetworkPolicy, Gateway API | GitOps manifests |
| CC6.7 — Encryption | TLS (cert-manager), SOPS | Certificate resources, .sops.yaml |
| CC7.1 — Configuration management | GitOps, Kyverno | Git commit history, policy reports |
| CC7.2 — Monitoring | Prometheus, Loki, audit logs | Grafana dashboards |
| CC8.1 — Change management | PR-based GitOps workflow | Git PR history |
| A1.2 — Recovery | Velero, etcd backup | Backup schedules and restore tests |
## Generating Evidence

### Automated Evidence Collection

```bash
# Export Kyverno policy reports
kubectl get policyreports -A -o yaml > evidence/kyverno-reports.yaml

# Export RBAC state
kubectl get rbacdefinitions -o yaml > evidence/rbac-definitions.yaml
kubectl get clusterrolebindings -o yaml > evidence/cluster-role-bindings.yaml

# Export network policies
kubectl get networkpolicies -A -o yaml > evidence/network-policies.yaml

# Export certificate state
kubectl get certificates -A -o yaml > evidence/certificates.yaml

# Export FluxCD reconciliation state
flux get all -A > evidence/flux-state.txt
```
### Audit Report Generation

Use the CLI to generate a compliance snapshot:

```bash
# Validate cluster configuration offline
opencenter cluster validate --output json > evidence/config-validation.json

# Validate GitOps manifests
opencenter cluster validate --manifests > evidence/manifest-validation.txt
```
### Continuous Compliance

Schedule periodic evidence collection via a CronJob:

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: compliance-evidence
  namespace: monitoring
spec:
  schedule: "0 2 * * 1" # Weekly Monday 2am
  jobTemplate:
    spec:
      template:
        spec:
          # The service account needs cluster-wide read access to
          # policyreports and networkpolicies for these exports to succeed
          serviceAccountName: compliance-collector
          containers:
            - name: collector
              image: bitnami/kubectl:latest # pin to a specific tag in production
              command:
                - /bin/sh
                - -c
                - |
                  kubectl get policyreports -A -o json > /evidence/kyverno-$(date +%Y%m%d).json
                  kubectl get networkpolicies -A -o json > /evidence/netpol-$(date +%Y%m%d).json
              volumeMounts:
                - name: evidence
                  mountPath: /evidence
          volumes:
            - name: evidence
              persistentVolumeClaim:
                claimName: compliance-evidence-pvc
          restartPolicy: OnFailure
```
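Added example (not part of openCenter's own tooling): a Python script that reads the JSON snapshots the CronJob writes and turns them into findings labelled with the requirements from the mapping tables above. The two kubectl outputs and the namespace list are constructed samples in the shape of `kubectl get ... -o json`; the Kyverno PolicyReport fields used (`results[].policy`, `results[].result`, `results[].resources`) follow the wgpolicyk8s.io PolicyReport schema.

```python
"""Turn exported evidence into findings keyed to the mappings above."""
import json
from collections import defaultdict

# Constructed sample in the shape of `kubectl get networkpolicies -A -o json`
NETPOLS = json.loads("""{"items": [
  {"metadata": {"namespace": "payments", "name": "default-deny"}},
  {"metadata": {"namespace": "monitoring", "name": "allow-prometheus"}}]}""")
# Constructed sample in the shape of `kubectl get policyreports -A -o json`
REPORTS = json.loads("""{"items": [
  {"metadata": {"namespace": "payments"}, "summary": {"pass": 12, "fail": 0},
   "results": []},
  {"metadata": {"namespace": "dev"}, "summary": {"pass": 3, "fail": 2},
   "results": [
     {"policy": "verify-image-signature", "result": "fail",
      "resources": [{"kind": "Pod", "name": "app-1"}]},
     {"policy": "disallow-privileged", "result": "fail",
      "resources": [{"kind": "Pod", "name": "app-2"}]}]}]}""")
# Constructed sample namespace list (`kubectl get ns -o name` in practice)
NAMESPACES = ["payments", "monitoring", "dev"]

def namespaces_without_netpol(namespaces, netpols):
    """NetworkPolicy per namespace: CIS 5.3.2, NIST SC-7, PCI 1.2, SOC 2 CC6.6."""
    covered = {item["metadata"]["namespace"] for item in netpols["items"]}
    return sorted(set(namespaces) - covered)

def policy_failures(reports):
    """Kyverno enforcement: CIS 5.2.x, NIST SI-7, PCI 6.2, SOC 2 CC7.1."""
    failures = defaultdict(list)
    for rep in reports["items"]:
        ns = rep["metadata"]["namespace"]
        for res in rep.get("results", []):
            if res.get("result") != "fail":
                continue
            for r in res.get("resources", []):
                failures[res["policy"]].append(f"{ns}/{r['kind']}/{r['name']}")
    return dict(failures)

def compliance_summary(namespaces, netpols, reports):
    """Findings grouped by the requirement each control maps to in the tables."""
    findings = {}
    missing = namespaces_without_netpol(namespaces, netpols)
    if missing:
        findings["PCI 1.2 / SOC 2 CC6.6"] = {"namespaces_without_networkpolicy": missing}
    fails = policy_failures(reports)
    if fails:
        findings["PCI 6.2 / SOC 2 CC7.1"] = {"kyverno_failures": fails}
    return findings

if __name__ == "__main__":
    print(json.dumps(compliance_summary(NAMESPACES, NETPOLS, REPORTS), indent=2))
```

Point `json.load` at the dated files on the evidence PVC instead of the inline samples to run it against a real snapshot.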