Project: Cloud Infrastructure Security & Compliance
Issue: CMP-1134

EKS deployment and EKS CIS benchmark


    • EKS CIS
    • To Do
    • OCPPLAN-8270 - Support xKS platforms for Compliance Operator

      Description

      A good number of ACS deployments are EKS clusters. While ACS currently has a compliance solution that addresses those customers, the Compliance Operator should be usable on other distributions in order to better address the overall ACS ecosystem.

      There has already been a POC that deployed Compliance Operator on EKS. The intent is to take that work and do what's missing to make Compliance Operator usable there.

      Epic Goal

      • Figure out deployment strategy for non-OCP distros.
      • Implement a deployment strategy that isn't OpenShift-specific, so the operator can be installed on other Kubernetes distributions
      • Implement EKS CIS benchmark in ComplianceAsCode

      Why is this important?

      • This work helps the ACS team offer a compliance scanner to their customers, in addition to the workload scanning they already perform, providing a more well-rounded compliance tool
      • This work has the potential to impact a large portion of ACS users who use AWS EKS
      • This work increases collaboration between ISC and the ACS teams, which will be a useful relationship moving forward as the compliance operator evolves to support other organizations within Red Hat

      Scenarios

      1. As an ACS user, I'd like to evaluate the compliance stance of EKS against the CIS benchmark.

      Acceptance Criteria

      • Must have a way to deploy the compliance operator on EKS (using Helm or kustomize, covering the role that OLM fills on OpenShift)
      • The deployment strategy must be usable, or importable, by ACS (e.g., adding the compliance operator Helm charts as dependencies for the ACS Helm charts)
      • Must have upstream CI running against the compliance-operator, ComplianceAsCode, or both to ensure the profile doesn't regress
      • Must execute the complete CIS EKS benchmark (remediation is not supported or targeted on EKS since it would require MCO, which is specific to OpenShift)
      • Must have documentation upstream that describes how to use the EKS CIS profile
      • Must have documentation upstream that describes how to deploy on EKS

      Open questions

      1. Will we be providing a Helm Chart for Compliance Operator? What's the process of releasing it?
      2. This will require documentation about deploying the Compliance Operator on something other than OpenShift. Perhaps this should then live in the ACS documentation.
      3. This will require us testing non-OCP clusters. Perhaps the ACS team can help us with QE for this?

      Documentation needs

      We do not intend to ship this deployment strategy or EKS CIS profile downstream in OpenShift. OpenShift has its own CIS profile, which is already included in the product. Including a CIS profile for another Kubernetes distribution would be confusing for end-users. The ISC team therefore doesn't plan to modify the OCP security and compliance documentation as part of this work.

      However, the purpose of this epic is to enable another Red Hat product, ACS. We need to collaborate with the ACS team to understand where the downstream documentation for this will live, and how to QE this functionality.

            lbragsta@redhat.com Lance Bragstad
            josorior@redhat.com Juan Antonio Osorio (Inactive)