  1. Cloud Infrastructure Security & Compliance
  2. CMP-1234

HyperShift Support for Compliance Operator

Details

    • Done
    • Impediment
    • OCPSTRAT-605 Ensure compatibility of layered operators for HyperShift

    Description

      Epic Goal

      The existing remediation actions that the Compliance Operator recommends may not actually be possible in scenarios where the control plane is externalized and/or the cluster-admin is not empowered to make a change.

      We should think of ways to adjust the scan settings for the HyperShift topology (with the assumption that the CP is not visible to end-users). 

       

      Summary of current CO supportability on HyperShift: https://docs.google.com/spreadsheets/d/1dqaA593u00eE6fKbYcKfNGbS7qm0T7LDxoIfpBMT_NI/edit#gid=0

      Why is this important?

      With HyperShift, cluster users do not have visibility into the cluster's control plane. The current mode of the Compliance Operator scans role=master and/or role=worker hosts and evaluates a set of profiles. There is no reason the RHCOS-related profiles can't work in HyperShift, even if the operator ran on an infra host.

      Personas

      Guest/Hosted Cluster Infrastructure SRE (GSRE) / Cluster Instance Admin

      The user with a cluster-admin role in the provisioned cluster, who may have no power over when/how the cluster is upgraded or configured. May see some configuration projected into the cluster in a read-only fashion.

      • Responsible for security operations for the infrastructure
        • Compliance checks on all the nodes (only worker nodes are available to the Guest Cluster)

      Managed Cluster Infrastructure SRE (MSRE) / Cluster Service Provider

      The user hosting cluster control planes, responsible for up-time. UI for fleet-wide alerts, configuring AWS account to host control planes in, user provisioned infra (host awareness of available compute), where to pull VMs from. Has cluster-admin management.

      • Responsible for security operations for all the Managed HyperShift Clusters
        • Compliance checks on all Hosted Clusters
        • Ensure all hosted clusters are compliant with the specific standard through remediation

      Scenarios

      1. As an MSRE I would like to assess the compliance of all my hosted clusters against CIS or other national benchmarks.
      2. As a GSRE, I want to make sure all my worker nodes are in compliance with CIS or other national benchmarks.

      Current State:

      The Compliance Operator is able to run compliance scans on the Management Cluster using a special HyperShift tailored profile. There is some work needed on the Compliance Operator in order to run scans on the Cluster. (A master label needs to be added to worker nodes.)

      Acceptance Criteria

      • Scope the work, research, and write a design proposal to find what changes would be needed to apply scan and remediation on the HyperShift Management cluster
      • Have the Compliance Operator installed on Management HyperShift clusters
      • Create a tailored profile for the CIS and PCI-DSS benchmarks
      • Be able to run scans from the Management HyperShift Cluster into one or many hosted clusters it has
      • Make sure all the rules in CIS and PCI-DSS work properly on the Management HyperShift cluster
      • Document the usage and what the scan covers with the tailored profile

      (Running CO directly on Guest/Hosted Cluster is out of scope)

      Questions:

      • Who will be the MSRE; in other words, who will manage all the hosted clusters?
      • What will be the most common use cases for the Compliance Operator on HyperShift?
      • Which profiles to support, and which one has a higher priority? CIS and PCI-DSS
      • How to communicate to customers what will and will not work with HyperShift?

      QE needs:

      A proposed test is as follows:

      • Install HyperShift, and create a guest cluster.
      • Install Compliance Operator on the HyperShift Management Cluster
      • Use the HyperShift tailored profile to run CIS and PCI-DSS scans for the Guest Cluster from the Management Cluster.
      • Verify that the scan completes without any issues.


            People

              wenshen@redhat.com Vincent Shen
              dcaspin@redhat.com Doron Caspin