Hi, at the moment we have a single content for OCP4: https://github.com/ComplianceAsCode/content/blob/master/ocp4/profiles/moderate.profile. All the rules are currently targeting RHCOS, as the YAML probe usage is still being integrated into the compliance operator. But even at the OS or cluster-node level, the rules are only applicable to RHCOS or RHEL-8, with the help of rules from this file: https://github.com/ComplianceAsCode/content/blob/master/shared/checks/oval/installed_OS_is_centos8.xml
However, our customers would also run UPI-provisioned (User Provided Infrastructure provisioned) clusters with RHEL-7 or RHEL-8 as workers. Master nodes, or the control plane nodes, can only run RHCOS as the OS. So the question is how do we go about the content?

On one hand, even though RHCOS is sort-of-kind-of RHEL-8, the rules for RHCOS and RHEL-8 might differ. As an example, the way to install a required package would be different: on RHCOS you would have used rpm-ostree, but on RHEL-8 you would have used yum. Coming from a different angle, I don't think we can reuse the RHEL content either, because some rules are not applicable in the OCP content even though the OS is vanilla RHEL. As an example, you wouldn't configure bind for DNS in OCP, but you would use CoreDNS.

Even though I don't know what the YAML checks would look like, I assume that there might also be checks about e.g. kubelet configuration (kubelet is the node agent that runs on each node in the cluster) that need to be run and evaluated on all nodes in the cluster, regardless of the node OS.

With that in mind, what options do we have to deliver content that would be applicable across RHCOS, RHEL-8 and RHEL-7 but also with the OCP use-cases in mind? Should we fork the contents for each OS or try to reuse all the rules in single content? How would reusing rules work in practice?
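As an added example, not part of the post above and not ComplianceAsCode's own remediation code, the following bash shows one way the "rpm-ostree on RHCOS, yum on RHEL" difference can be absorbed inside a single shared remediation instead of forking the rule per OS: the script decides the package tool from the node it runs on. The detection inputs (the /run/ostree-booted marker and the ID / VERSION_ID fields of /etc/os-release), the function names and the DRY_RUN variable are this example's own assumptions, and the os-release files used to exercise it are constructed.

```shell
#!/usr/bin/env bash
# Added example: one package-install remediation that runs unchanged on
# RHCOS, RHEL-8 and RHEL-7 by picking the package tool at runtime.

# detect_pkg_tool: print "rpm-ostree", "dnf" or "yum" for the node.
#   $1: os-release file (default /etc/os-release)
#   $2: ostree boot marker (default /run/ostree-booted)
# Assumption: rpm-ostree based nodes (RHCOS) expose /run/ostree-booted and
# carry ID=rhcos in os-release; RHEL/CentOS carry ID=rhel / ID=centos.
detect_pkg_tool() {
    os_release="${1:-/etc/os-release}"
    ostree_marker="${2:-/run/ostree-booted}"
    if [ -e "$ostree_marker" ]; then
        echo rpm-ostree
        return 0
    fi
    # os-release is shell-sourceable by design; read it in a subshell so the
    # caller's environment is not polluted, and keep only the major version.
    ids=$( ( . "$os_release" && v="${VERSION_ID:-}" && printf '%s:%s' "${ID:-}" "${v%%.*}" ) )
    case "$ids" in
        rhcos:*)                             echo rpm-ostree ;;
        rhel:8|rhel:9|centos:8|centos:9)     echo dnf ;;
        rhel:7|centos:7)                     echo yum ;;
        *) echo "unsupported OS: $ids" >&2; return 1 ;;
    esac
}

# install_cmd: print the install command for a package with the given tool.
# On rpm-ostree the package is layered and only becomes active after the
# next reboot, which the shared rule text has to say for RHCOS nodes.
install_cmd() {
    tool="$1"
    pkg="$2"
    case "$tool" in
        rpm-ostree) echo "rpm-ostree install $pkg" ;;
        dnf)        echo "dnf -y install $pkg" ;;
        yum)        echo "yum -y install $pkg" ;;
        *) echo "unknown package tool: $tool" >&2; return 1 ;;
    esac
}

# ensure_package_installed: the actual remediation body. All three targets
# are rpm-based, so the "already installed" check is the same everywhere;
# only the install step differs. Set DRY_RUN=1 to print instead of running.
ensure_package_installed() {
    pkg="$1"
    if rpm -q "$pkg" >/dev/null 2>&1; then
        return 0
    fi
    tool=$(detect_pkg_tool) || return 1
    cmd=$(install_cmd "$tool" "$pkg") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        echo "would run: $cmd"
        return 0
    fi
    $cmd
}
```

The check side of such a rule (is the package present?) needs no per-OS branch at all, which is the argument for keeping one rule and conditioning only the remediation; a rule like the bind/CoreDNS one, by contrast, differs in applicability rather than in mechanics, and that is a profile-level decision, not something this kind of runtime switch should hide.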