- Epic
- Resolution: Done
- Major
- None
- None
- [SPIKE] HyperShift Compliance Operator Awareness
- BU Product Work
- False
- False
- Done
- OCPSTRAT-596 - HyperShift Security & Compliance
- Undefined
Epic Goal
The remediation actions that the compliance operator currently recommends may not actually be possible in scenarios where the control plane is externalized and/or the cluster-admin is not empowered to make the change.
We should think of ways to adjust the scan settings for the HyperShift topology (with the assumption that the control plane (CP) is not visible to end-users).
Why is this important?
With HyperShift, cluster users do not have visibility into the cluster's control plane. The compliance operator currently scans role=master and/or role=worker hosts and evaluates a set of profiles against them. There is no reason the RHCOS-related (node) profiles cannot work in HyperShift, even if the operator ran on an infra host.
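As an added illustration (not part of this ticket or of the operator's own documentation), the following Compliance Operator objects restrict node scanning to the worker role only, which is the part of a HyperShift cluster the tenant can see. The `roles` field, the `ScanSetting`/`ScanSettingBinding` kinds and the `ocp4-cis-node` profile are part of the operator's API; the object names `hypershift-worker-only` and `cis-worker-nodes` and the schedule are assumptions chosen for the example.

```yaml
# Added example: a ScanSetting that scans only worker nodes (no role=master),
# since the control plane is not visible to tenants in HyperShift.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: hypershift-worker-only        # assumed name
  namespace: openshift-compliance
roles:
  - worker                            # deliberately omits "master"
schedule: "0 1 * * *"                 # assumed nightly schedule
rawResultStorage:
  size: 1Gi
  rotation: 3
---
# Bind the node-level CIS profile (RHCOS/kubelet checks) to that ScanSetting.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-worker-nodes              # assumed name
  namespace: openshift-compliance
profiles:
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: hypershift-worker-only
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

Only the node-level profile is bound here; the platform-level profiles (for example `ocp4-cis`) evaluate control-plane configuration, which is exactly the part of the cluster this ticket identifies as outside the tenant's view and outside the cluster-admin's ability to remediate.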
Scenarios
- As a cluster-admin, I would like to assess the compliance of my cluster's worker nodes against CIS or other national benchmarks.
- As a customer, I believe that the control plane and data plane should be fully separated.
Acceptance Criteria
- Scope the work, research, and write a design proposal identifying what changes would be needed to apply scanning and remediation on a HyperShift cluster.
Related
- https://cloud.ibm.com/docs/openshift?topic=openshift-compliance-operator
- https://cloud.ibm.com/docs/openshift?topic=openshift-responsibilities_iks
- https://www.cisecurity.org/benchmark/kubernetes/
- https://issues.redhat.com/browse/OCPPLAN-5771
- is cloned by: CMP-1234 HyperShift Support for Compliance Operator (Closed)