-
Epic
-
Resolution: Done
-
Normal
-
None
-
None
-
remediation templating
-
False
-
False
-
Done
-
0% To Do, 0% In Progress, 100% Done
-
Undefined
Epic Goal
- Support using OpenSCAP variables in the OpenShift/RHCOS content.
Problem Statement
Currently, the remediations supported by the compliance operator are static. We have a set of “golden” configurations for services but no way to set custom values. This situation gets problematic as we ask customers to decipher how to remediate the gaps that the operator didn’t remediate either by reading the security guide or the descriptions we output in our CRDs. It would be ideal if we could use the variables that SCAP supports in our content in our remediations and that the operator would understand them.
Why is this important?
- This will enable us to remediate more rules and offer opinionated profiles that users can easily customize to their needs.
- Gets us closer to the one-click compliance goal
Scenarios
- As an administrator of several clusters, I want a set of them to immediately comply with certain regulations. I want them to be automatically fixed for any issues by the Compliance Operator using variables that I define.
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
- ...
Quality Assurance Needs
Rule `audit_profile_set` and non-kubelet config remediations can be tested without CMP-912
Rule `audit_profile_set` needs to be tested and ensure the following:
* The rules are able to get the necessary information
- The rules generate appropriate remediations
- XCCDF variable value used rendered correctly in remediations (it will use a default value if no value set using tailored profile)
- XCCDF variable default value rendered correctly in the description, rationale
- The remediations indeed address the found gaps (defines by the rules)
- The cluster is in a working state after the remediations have been applied
A proposed test is as follows:
- In a clean cluster, install the compliance-operator
- Run a scan using a tailored profile included the rule `audit_profile_set`
- Set variable value for rule `audit_profile_set` to a non-default value / or just don't set value check if it will be the default value
- Apply the generated remediation
- Verify that the rules which had issues were fixed and are now in a compliant state
- Run a smoke test to verify that the cluster is still usable
Dependencies (internal and external)
- ...
Previous Work (Optional):
- …
Open questions::
- How do we deal with MachineConfigs?
MachineConfig contents need to be url-encoded. Should we add special logic to the operator to deal with this depending on where the variable is used?
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
