-
Feature Request
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
None
-
False
-
None
-
False
-
Not Selected
-
0
-
0%
-
-
There are multiple rules, which filter on kube- or openshift- to exclude red hat provided namespaces from certain rules.
applications/openshift/networking/routes_rate_limit/rule.yml
applications/openshift/networking/route_ip_whitelist/rule.yml
applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml
applications/openshift/general/resource_requests_limits_in_deployment/rule.yml
applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml
from my understanding this is done, so a customer doesnt have alerts from things he cannot change, because he would lose support.
some layered products (like ACM) do not use openshift- prefixed namespaces, or allow users to deploy to a custom namespace. In this cases, the exceptions do not apply.
a customer in this situation has only two choices:
- disable the rule - which would not show them if anyone else (where risk is not accepted) is incompliant.
- accept a incompliant result for the rule and continuously check if this is another namespace than the ones where risk is accepted
while 1 will just degrade compliance visibility, 2 will apply a additional work upon the user.
I propose, that compliance operator adds configurable variables for exclusion of namespaces for rules, where CO already does namespace exclusion based on the prefixes.
This would add the choice for the user to only exclude certain namespaces from the check, which would maintain compliance visibility and not inflict additional continuous burden upon the user.
There were some internal discussions around this:
https://redhat-internal.slack.com/archives/CTDEY6EEA/p1709696299449919
https://redhat-internal.slack.com/archives/CHCRR73PF/p1709734486932619