Project Quay / PROJQUAY-4022

Container Security Operator supports disconnected environments


    • CSO disconnected support
    • In Progress
    • 25% To Do, 0% In Progress, 75% Done

      Epic Goal

      • Allow the container security operator to be effectively used in disconnected OpenShift clusters

      Why is this important?

      • Today CSO only partially works in disconnected environments, because
        • cluster-wide pull secrets for disconnected registries are not taken into account
        • ImageContentSourcePolicies are not taken into account when scanning Red Hat-provided images used for OpenShift, Image Streams, any operators, etc.
        • Proxy information cannot be specified
        • additional CAs need to be maintained explicitly for CSO instead of using the cluster CA

      Scenarios

      1. A customer wants to get scan results for OpenShift cluster components and operators when running air-gapped via a mirror of those images specified in an ImageContentSourcePolicy
      2. A customer runs partially disconnected from the internet via an HTTPS proxy
      3. A customer employs a private registry with self-signed certificates
      4. A customer employs a private registry with pull-secrets stored in the cluster's global pull secrets

      Acceptance Criteria

      • CSO respects ImageContentSourcePolicy
      • CSO allows specifying an HTTPS proxy
      • CSO allows adding additional custom CAs to trust self-signed/customer-provided certs
      • CSO allows specifying additional pull-secrets

      Open questions:

      1. We may want to introduce a CustomResourceDefinition for some of these configuration items

              DanielMesser Daniel Messer