Feature Request
Resolution: Unresolved
Product / Portfolio Work
1. Proposed title of this feature request
Make cipher suites variables configurable
2. What is the nature and description of the request?
There are multiple rules that check the cipher configuration in an OpenShift cluster:
- applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
- applications/openshift/etcd/etcd_check_cipher_suite/rule.yml
- applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
- applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
Of these rules, only kubelet_configure_tls_cipher_suites uses a variable, and that variable is neither interactive nor configurable (only a default value is supplied).
The other rules hardcode the cipher suites.
Currently the Compliance Operator checks for compliance with the "Intermediate" OpenShift TLS profile.
This RFE requests that these rules be made configurable via an interactive variable to which a customer can supply their own values.
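The following is an added example, not part of this RFE and not the project's own rule code. It shows the distinction the request is about: the allowed cipher list is resolved from a variable (a named profile or a customer-supplied list) instead of being a hardcoded constant, and the same check then runs unchanged against a constructed KubeletConfiguration document. The profile contents, the treatment of an absent tlsCipherSuites field and the function names are assumptions for illustration; the authoritative lists are the OpenShift TLS security profiles.

```python
"""Configurable cipher-suite check (illustrative, not the project's code)."""
import json

# Assumed profile lists for illustration only. Names follow Go's
# crypto/tls constants, which is what the kubelet accepts.
PROFILES = {
    "intermediate": {
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    },
    "modern": {
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
    },
}


def allowed_suites(profile="intermediate", custom=None):
    """Resolve the 'variable' value the rule should consume.

    A customer-supplied list (the CUSTOM case) wins over a named profile;
    otherwise the named profile is used. This is the part the RFE wants to
    be interactive instead of a fixed default."""
    if custom is not None:
        return set(custom)
    return set(PROFILES[profile])


def check_cipher_suites(configured, allowed):
    """Compare a configured list against the allowed set.

    Returns (passed, extra, missing): extra = configured but not allowed,
    missing = allowed but not configured. Both are sorted for stable output."""
    configured = set(configured)
    extra = sorted(configured - allowed)
    missing = sorted(allowed - configured)
    return (not extra and not missing, extra, missing)


def check_kubelet_config(doc, allowed):
    """Evaluate a KubeletConfiguration document given as a dict.

    An absent or empty tlsCipherSuites means the Go defaults apply; this
    example treats that as a failure because the profile cannot be asserted."""
    suites = doc.get("tlsCipherSuites") or []
    if not suites:
        return (False, [], sorted(allowed))
    return check_cipher_suites(suites, allowed)


# Constructed sample KubeletConfiguration (JSON form) for the demo. It carries
# the intermediate set plus one CBC suite that a profile check should flag.
SAMPLE_KUBELET = json.loads("""{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "tlsMinVersion": "VersionTLS12",
  "tlsCipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA"
  ]
}""")


if __name__ == "__main__":
    # Hardcoded-style check: always the intermediate profile.
    print(check_kubelet_config(SAMPLE_KUBELET, allowed_suites()))
    # Variable-driven check: the customer supplies their own list.
    custom = SAMPLE_KUBELET["tlsCipherSuites"]
    print(check_kubelet_config(SAMPLE_KUBELET, allowed_suites(custom=custom)))
```

With the default profile the sample fails because of the extra CBC suite; once the same document is checked against a customer-supplied list it passes, which is exactly the behaviour the RFE asks for without changing the rule logic itself.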
3. Why does the customer need this? (List the business requirements here)
Customers have to adhere to different regulations, and some of these regulations have specific requirements regarding the ciphers in use. This is why OpenShift allows different TLS profiles to be set (https://docs.openshift.com/container-platform/4.17/security/tls-security-profiles.html).
If such requirements apply, a customer can switch to the FUTURE or CUSTOM profile, but currently the Compliance Operator would not adjust to this.
4. List any affected packages or components.
compliance-operator content