• pci-dss-rosa-tailored-profile

      OCP/Telco Definition of Done
      Epic Template descriptions and documentation.

      <--- Cut-n-Paste the entire contents of this description into your new Epic --->

      Epic Goal

      • Create a TailoredProfile for running the PCI-DSS profile on ROSA that shows ROSA is compliant with PCI-DSS

      Why is this important?

      ROSA claims PCI-DSS compliance, but the Compliance Operator shows the OpenShift cluster as non-compliant when run on ROSA. We need to address these issues either in the ROSA platform, or in the rules so that the ROSA documentation (and audit) are not inconsistent with what the Compliance Operator reports.

      Scenarios

      1. As a ROSA customer, I want to run the PCI-DSS profile using the Compliance Operator and verify my cluster is in compliance

      Acceptance Criteria

      • Must have a KCS that describes the relationship between PCI-DSS profile rules and ROSA, if there are any discrepancies
      • Have a discussion with ROSA teams to understand where we can advertise the KCS before customers hit this issue (ROSA documentation or Compliance Operator documentation)
      • The TailoredProfile exists and contains a valid rationale for why each excluded rule needs to be excluded
      • The TailoredProfile will be delivered by using the KCS article. It will not be delivered automatically in ROSA environments
      • Any PCI-DSS violations must be raised with the ROSA SRE team to ensure they're addressed or justified
      • Should have ROSA CI environment that exercises the TailoredProfile and fails if the profile returns non-compliance (depends on getting ROSA CI environments, see below)
      • Meet with the ROSA team to figure out if we can leverage any CI needs from ROSA for testing this TailoredProfile (stretch goal unless we get commitment from ROSA teams)
      • Identify a way to populate TailoredProfiles for managed platforms (stretch goal)
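      The shape of the deliverable described in the acceptance criteria above, as an added example that is not the TailoredProfile from the KCS article or from the Compliance Operator project: a TailoredProfile that extends the PCI-DSS platform profile and disables one rule with a recorded rationale, plus the ScanSettingBinding that runs it. The profile name `ocp4-pci-dss`, the object names, and the namespace are assumptions; the disabled rule name is a placeholder, because this issue does not name which rules conflict with ROSA.

```yaml
# Added example (not the KCS article's TailoredProfile). Assumes the Compliance
# Operator is installed in the openshift-compliance namespace and ships a
# platform profile named ocp4-pci-dss; adjust both if your cluster differs.
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: pci-dss-rosa            # assumed name
  namespace: openshift-compliance
spec:
  title: PCI-DSS tailored for ROSA
  description: >-
    PCI-DSS platform profile with rules that are satisfied by the ROSA
    service boundary (and therefore not checkable from inside the cluster)
    disabled, each with a rationale.
  extends: ocp4-pci-dss          # assumed upstream profile name
  disableRules:
    # Placeholder rule name: replace with the actual rule identifier from
    # `oc get rules -n openshift-compliance` once the discrepancy is confirmed.
    - name: ocp4-RULE-NAME-PLACEHOLDER
      rationale: >-
        Control is implemented by the ROSA managed service outside the
        customer-visible cluster; reference the KCS article and the SRE
        justification here rather than silently dropping the rule.
---
# Binds the tailored profile to the default scan setting so it actually runs.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: pci-dss-rosa-binding    # assumed name
  namespace: openshift-compliance
profiles:
  - name: pci-dss-rosa
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

      After applying, `oc get tailoredprofile -n openshift-compliance` should report the object as READY; a rule name that does not exist in the extended profile leaves it in an error state, which is the check the ROSA CI item above would gate on. Keeping the rationale in the object itself, rather than only in the KCS, means the justification travels with the scan results an auditor reviews.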

      Dependencies (internal and external)

      1. Working with ROSA service delivery teams to establish CI
      2. Working with ROSA SRE teams to remediate any legitimate PCI-DSS findings
      3. Working with PX and documentation teams to update KCS to include TailoredProfile

      Previous Work (Optional):

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            lbragsta@redhat.com Lance Bragstad