  1. Cloud Infrastructure Security & Compliance
  2. CMP-970

[Spike] HyperShift (Externalised CP) Compliance Operator Awareness


    • [SPIKE] HyperShift Compliance Operator Awareness
    • Done
    • OCPSTRAT-596 - HyperShift Security & Compliance

       

      Epic Goal

      The existing remediation actions that the compliance operator recommends may not actually be possible in scenarios where the control plane is externalized, and/or the cluster-admin is not empowered to make a change.

      We should think of ways to adjust the scan settings for the HyperShift topology (with the assumption that the CP is not visible to end-users). 

      Why is this important?

      With HyperShift, cluster users do not have visibility over the cluster's control plane. The current mode of the compliance operator scans role=master and/or role=worker hosts and evaluates a set of profiles. There is no reason the RHCOS-related profiles can't work in HyperShift, even if the operator ran on an infra host.

      Scenarios

      1. As a cluster-admin I would like to assess the compliance of my cluster worker nodes against CIS or other national benchmarks.
      2. As a customer, I believe that the control plane and data plane should be fully separated.

      Acceptance Criteria

      • Scope the work, research, and write a design proposal to find what changes would be needed to apply scan and remediation on a HyperShift cluster.

       


       

            josorior@redhat.com Juan Antonio Osorio (Inactive)
            azaalouk Adel Zaalouk