XML

Word

Printable

Details

Type: Epic
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: container-security-operator
Labels:
- triaged

Epic Name:
CSO disconnected support
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Green
Epic Status:
In Progress
Hierarchy Progress:
75
Hierarchy Progress Bar:

75% 75%

RICE Score:
0

SFDC Cases Links:
SFDC Cases Counter:

Description

Epic Goal

Allow the container security operator to be effectively used in disconnected OpenShift clusters

Why is this important?

Today CSO only partially works in disconnected environments, because
- cluster-wide pull secrets for disconnected registries are not taken into account
- ImageContentSourcePolicies are not taken into account to scan Red Hat providers images used for OpenShift, Image Streams, any operators, etc
- Proxy information cannot be specified
- additional CAs need to be maintained explicitly for CSO instead of using the cluster CA

Scenarios

A customer wants to get scan results for OpenShift cluster components and operators when running air-gapped via a mirror of those images specified in an ImageContentSourcePolicy
A customer runs partially disconnected from the internet via an HTTPS proxy
A customer employs a private registry with self-signed certificates
A customer employs a private registry with pull-secrets stored in the cluster's global pull secrets

Acceptance Criteria

CSO respects ImageContentSourcePolicy
CSO allows to specify an HTTPS proxy
CSO allows to add additional custom CAs to trust self-signed/customer-provided certs
CSO allows to specify additional pull-secrets

Open questions::

We may want to introduce a CustomResourceDefinition for some of these configuration items

Attachments

Activity

People

Assignee:: Jonathan King

Reporter:: Daniel Messer

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2022/06/29 1:56 PM

Updated:: 2023/04/27 6:42 AM