Document namespace prefix when scanning a hosted cluster #382

Merged
20 changes: 14 additions & 6 deletions doc/usage.md
Expand Up @@ -573,14 +573,19 @@ error result.

## How to Use Compliance Operator with HyperShift Management Cluster

Compliance Operator is able to run a platform scan on the HyperShift Managment cluster
for the Hosted Cluster with a tailoredProfile.
[Hypershift](https://hypershift-docs.netlify.app/) allows one to create and manage clusters on existing infrastructure.
Compliance Operator is able to create a platform scan on the [HyperShift Management Cluster](https://hypershift-docs.netlify.app/reference/concepts-and-personas/)
for the Hosted Cluster with a `TailoredProfile`.

Currently, we only support CIS profile and PCI-DSS profile, in order to scan Hosted
Cluster, you need to create a tailoredProfile and then set the value of
`ocp4-hypershift-cluster` to the name of the Hosted Cluster you want to scan,
Currently, we only support CIS profile and PCI-DSS profile,
you can either extend `ocp4-cis` or `ocp4-pci-dss`.

In order to scan a Hosted Cluster, you need to create a `TailoredProfile` specifying the
name and namespace of the Hosted Cluster that you want to scan.
Set the value of `ocp4-hypershift-cluster` to the name of the target Hosted Cluster,
and set the value of `ocp4-hypershift-namespace-prefix` to the namespace where the
Hosted Cluster resides, e.g.: `local-cluster`, or `clusters`.

```yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
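Review bot: The added paragraph describes `ocp4-hypershift-namespace-prefix` as "the namespace where the Hosted Cluster resides", but the variable name says prefix and the text never states what the value is a prefix of or how it relates to `ocp4-hypershift-cluster`. Add a sentence that spells this out, so a reader can tell whether a value such as `clusters` is the complete namespace or only the leading part of one. Two smaller points in the same hunk: "Currently, we only support CIS profile and PCI-DSS profile, you can either extend ..." is a comma splice and reads better as two sentences, and the first added line spells it "Hypershift" while the rest of the section uses "HyperShift".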
Expand All @@ -597,6 +602,9 @@ spec:
- name: ocp4-hypershift-cluster
value: "<hypershift-hosted-cluster-name>"
rationale: This value is used for HyperShift version detection
- name: ocp4-hypershift-namespace-prefix
value: "<hypershift-hosted-namespace-prefix>"
rationale: This value is used for HyperShift control plane namespace detection
```

And after you save the edit, you can then apply the edited `tailoredProfile`,
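Review bot: The `rationale` on the added `ocp4-hypershift-namespace-prefix` entry says the value is used for "HyperShift control plane namespace detection", while the prose introducing the example calls it the namespace where the Hosted Cluster resides; pick one description and use it in both places. The example also leaves open whether this entry is required or what the scan does when it is omitted, which is worth one sentence next to the YAML since existing users' tailored profiles only set `ocp4-hypershift-cluster`.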
Expand All @@ -620,7 +628,7 @@ settingsRef:

## How to Use Compliance Operator with HyperShift Hosted Cluster

Compliance Operator is able to run a platform scan on the HyperShift Hosted cluster
Compliance Operator is able to run a platform scan on the [HyperShift Hosted Cluster](https://hypershift-docs.netlify.app/reference/concepts-and-personas/)
without any tailoredProfile. Any unsupport rules will be hidden from the `ComplianceCheckResult`.

However, you need to use a special subscription file to install Compliance Operator on the
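Review bot: The link added to "HyperShift Hosted Cluster" targets the same concepts-and-personas URL as the "HyperShift Management Cluster" link in the first hunk, with no fragment to separate the two terms; if that page has per-term anchors, link each term to its own. The following context line still reads "without any tailoredProfile. Any unsupport rules will be hidden", so while this paragraph is being touched, consider `TailoredProfile` in backticks to match the first hunk and "unsupported" for "unsupport".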