From 4bc057ccd92155bbf54e3d5e0e71965979a4419a Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 14 Aug 2023 16:01:02 +0200 Subject: [PATCH 1/3] Document namespace prefix when scanning a hosted cluster When using hypershift and scanning a hosted cluster, the namespace of the hosted cluster needs to be defined as well. The namespace where clusters are installed can vary, and should be set accordingly for th scans to work. --- doc/usage.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/doc/usage.md b/doc/usage.md index 7647edef0..e59275f1d 100644 --- a/doc/usage.md +++ b/doc/usage.md @@ -576,11 +576,15 @@ error result. Compliance Operator is able to run a platform scan on the HyperShift Managment cluster for the Hosted Cluster with a tailoredProfile. -Currently, we only support CIS profile and PCI-DSS profile, in order to scan Hosted -Cluster, you need to create a tailoredProfile and then set the value of -`ocp4-hypershift-cluster` to the name of the Hosted Cluster you want to scan, +Currently, we only support CIS profile and PCI-DSS profile, you can either extend `ocp4-cis` or `ocp4-pci-dss`. +In order to scan a Hosted Cluster, you need to create a tailoredProfile to define the +name and namespace of the Hosted cluster that you want to scan. +Set the value of `ocp4-hypershift-cluster` to the name of the target Hosted Cluster, +and set the value of `ocp4-hypershift-namespace-prefix` to the namespace where the +Hosted Cluster resides, e.g.: `local-cluster`, or `clusters`. + ```yaml apiVersion: compliance.openshift.io/v1alpha1 kind: TailoredProfile @@ -597,6 +601,9 @@ spec: - name: ocp4-hypershift-cluster value: "" rationale: This value is used for HyperShift version detection + - name: ocp4-hypershift-namespace-prefix + value: "" + rationale: This value is used for HyperShift controlplane namespace detection ``` And after you save the edit, you can then apply the edited `tailoredProfile`, 
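Review bot: in the @@ -576 hunk, the new text tells the reader to set `ocp4-hypershift-namespace-prefix` to "the namespace where the Hosted Cluster resides", yet the variable is named a prefix and its rationale in the following hunk says it drives "controlplane namespace detection", so it is not clear whether to enter the namespace that holds the HostedCluster resource or the control plane namespace itself; state how the prefix and `ocp4-hypershift-cluster` combine into the namespace the scan actually inspects. The added sentence "Currently, we only support CIS profile and PCI-DSS profile, you can either extend `ocp4-cis` or `ocp4-pci-dss`." is a comma splice; split it, e.g. "Currently only the CIS and PCI-DSS profiles are supported; extend `ocp4-cis` or `ocp4-pci-dss`."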
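Review bot: in the @@ -597 hunk, both variables keep `value: ""`, while the commit message says the namespace must be set for the scan to work, so the YAML as pasted is a known non-working configuration; use visibly fake placeholders such as `value: "<hosted-cluster-name>"` and `value: "<hosted-cluster-namespace>"`, and add one sentence on what the scan reports when either value is left empty so a reader who copies the block unchanged can recognise the failure. "controlplane" in the new rationale should be "control plane".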
From a288ec3b3bbbd22f9fa735d5a58f9f79fa76d240 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 15 Aug 2023 14:12:24 +0200 Subject: [PATCH 2/3] Describe Hypershift and reference some concepts Add very brief description of Hypershift and reference where Management and Hosted Clusters are described. --- doc/usage.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/doc/usage.md b/doc/usage.md index e59275f1d..1e5dcdb3f 100644 --- a/doc/usage.md +++ b/doc/usage.md @@ -573,13 +573,14 @@ error result. ## How to Use Compliance Operator with HyperShift Management Cluster -Compliance Operator is able to run a platform scan on the HyperShift Managment cluster -for the Hosted Cluster with a tailoredProfile. +[Hypershift](https://hypershift-docs.netlify.app/) allows one to create and manage clusters on existing infrastructure. +Compliance Operator is able to create a platform scan on the [HyperShift Management Cluster](https://hypershift-docs.netlify.app/reference/concepts-and-personas/) +for the Hosted Cluster with a TailoredProfile. Currently, we only support CIS profile and PCI-DSS profile, you can either extend `ocp4-cis` or `ocp4-pci-dss`. -In order to scan a Hosted Cluster, you need to create a tailoredProfile to define the +In order to scan a Hosted Cluster, you need to create a TailoredProfile specifying the name and namespace of the Hosted cluster that you want to scan. Set the value of `ocp4-hypershift-cluster` to the name of the target Hosted Cluster, and set the value of `ocp4-hypershift-namespace-prefix` to the namespace where the @@ -603,7 +604,7 @@ spec: rationale: This value is used for HyperShift version detection - name: ocp4-hypershift-namespace-prefix value: "" - rationale: This value is used for HyperShift controlplane namespace detection + rationale: This value is used for HyperShift control plane namespace detection ``` And after you save the edit, you can then apply the edited `tailoredProfile`, 
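Review bot: in the @@ -573 hunk, the first added line spells the project "Hypershift" while the heading and the rest of the paragraph use "HyperShift"; pick one spelling. "allows one to create and manage clusters on existing infrastructure" is too vague for a section whose configuration depends on the management/hosted split; the hunk's own rationale line refers to a control plane namespace on the Management Cluster, so give the reader that relationship in one sentence here instead of relying solely on the external concepts link.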
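Review bot: the @@ -603 hunk only corrects "controlplane" to "control plane" in a rationale line introduced by PATCH 1/3 of this same series; squash it into that commit so the typo never lands in history and this commit stays limited to the HyperShift description named in its subject.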
@@ -627,7 +628,7 @@ settingsRef: ## How to Use Compliance Operator with HyperShift Hosted Cluster -Compliance Operator is able to run a platform scan on the HyperShift Hosted cluster +Compliance Operator is able to run a platform scan on the [HyperShift Hosted Cluster](https://hypershift-docs.netlify.app/reference/concepts-and-personas/) without any tailoredProfile. Any unsupport rules will be hidden from the `ComplianceCheckResult`. However, you need to use a special subscription file to install Compliance Operator on the From c6e904f36c75572a8ecd7626515e2d76f173a1e0 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 29 Sep 2023 18:00:47 +0200 Subject: [PATCH 3/3] Denote CRD as literals Also, for consistency, capitalize term Hosted Cluster. --- doc/usage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/usage.md b/doc/usage.md index 1e5dcdb3f..cdc35b236 100644 --- a/doc/usage.md +++ b/doc/usage.md 
@@ -575,13 +575,13 @@ error result. [Hypershift](https://hypershift-docs.netlify.app/) allows one to create and manage clusters on existing infrastructure. Compliance Operator is able to create a platform scan on the [HyperShift Management Cluster](https://hypershift-docs.netlify.app/reference/concepts-and-personas/) -for the Hosted Cluster with a TailoredProfile. +for the Hosted Cluster with a `TailoredProfile`. Currently, we only support CIS profile and PCI-DSS profile, you can either extend `ocp4-cis` or `ocp4-pci-dss`. -In order to scan a Hosted Cluster, you need to create a TailoredProfile specifying the -name and namespace of the Hosted cluster that you want to scan. +In order to scan a Hosted Cluster, you need to create a `TailoredProfile` specifying the +name and namespace of the Hosted Cluster that you want to scan. Set the value of `ocp4-hypershift-cluster` to the name of the target Hosted Cluster, and set the value of `ocp4-hypershift-namespace-prefix` to the namespace where the Hosted Cluster resides, e.g.: `local-cluster`, or `clusters`.
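Review bot: in the @@ -627 hunk of PATCH 2/3, the unchanged context line directly below the edit still reads "Any unsupport rules will be hidden" and uses lowercase `tailoredProfile`; since the line above it is being rewritten and PATCH 3/3 later converts the other occurrences to `TailoredProfile`, fix "unsupported" and the literal here rather than leaving the Hosted Cluster section inconsistent with the Management Cluster section.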
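Review bot: in the @@ -575 hunk of PATCH 3/3, a commit described as a consistency pass leaves two inconsistencies inside its own context lines: the link text still says "Hypershift" while the next line says "HyperShift", and "Currently, we only support CIS profile and PCI-DSS profile, you can either extend `ocp4-cis` or `ocp4-pci-dss`." remains a comma splice; both should be fixed in this commit, e.g. "Currently only the CIS and PCI-DSS profiles are supported; extend `ocp4-cis` or `ocp4-pci-dss`."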