Implement rules for CIS OCP Section 5.5 #10787
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
controls/cis_ocp_1_4_0/section-5.yml
Outdated
| rules: [] | ||
| status: partial | ||
| rules: | ||
| - general_configure_imagepolicywebhook |
There was a problem hiding this comment.
This rule needs some work, so the partial status is correct. But, shouldn't we keep notes or links to cards in that case?
Additionally, I wonder if the rules ocp_allowed_registries, ocp_allowed_registries_for_import, ocp_insecure_registries could be used here?
There was a problem hiding this comment.
I think those rules are relevant, but they will fail by default, and we don't have a remediation for it, wondering if this might be too strict to add here
There was a problem hiding this comment.
I'm ok with the rules failing by default since that's inline with what's documented in the benchmark (we say that image provenance is not setup by default, and we provide links to users to help them configure image registries).
That approach here seems reasonable since it's highlighting a legitimate finding for users.
|
merging conflicts |
rhmdnd
force-pushed
the
implement-cis-ocp-5-5
branch
2 times, most recently
from
18c9821
to
ee1e203
Compare
rhmdnd
force-pushed
the
implement-cis-ocp-5-5
branch
from
ee1e203
to
c1c4687
Compare
Now that we have a profile and control files for CIS 1.4.0, we can start wiring up the existing rules. This commit ports all the existing rules we were using for the CIS OpenShift profile into the CIS 1.4.0 version.
rhmdnd
force-pushed
the
implement-cis-ocp-5-5
branch
from
c1c4687
to
afa2bfa
Compare
|
/test e2e-aws-ocp4-cis |
|
Code Climate has analyzed commit afa2bfa and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.4% (0.0% change). View more on Code Climate. |
Now that we have a profile and control files for CIS 1.4.0, we can start
wiring up the existing rules.
This commit ports all the existing rules we were using for the CIS
OpenShift profile into the CIS 1.4.0 version.