|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * security/compliance_operator/compliance-scans.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="co-hcp-mgmt-config_{context}"] |
| 7 | += Configuring the Hosted control planes management cluster |
| 8 | + |
| 9 | +If you are hosting your own Hosted control plane or Hypershift environment and want to scan a Hosted Cluster from the management cluster, you will need to set the name and prefix namespace for the target Hosted Cluster. You can achieve this by creating a `TailoredProfile`. |
| 10 | + |
| 11 | +[IMPORTANT] |
| 12 | +==== |
| 13 | +This procedure only applies to users managing their own Hosted control planes environment. |
| 14 | +==== |
| 15 | + |
| 16 | +[NOTE] |
| 17 | +==== |
| 18 | +Only `ocp4-cis` and `ocp4-pci-dss` profiles are supported in Hosted control planes management clusters. |
| 19 | +==== |
| 20 | + |
| 21 | +.Prerequisites |
| 22 | + |
| 23 | +* The Compliance Operator is installed in the management cluster. |
| 24 | +
|
| 25 | +.Procedure |
| 26 | + |
| 27 | +. Obtain the `name` and `namespace` of the hosted cluster to be scanned by running the following command: |
| 28 | ++ |
| 29 | +[source,terminal] |
| 30 | +---- |
| 31 | +$ oc get hostedcluster -A |
| 32 | +---- |
| 33 | ++ |
| 34 | +.Example output |
| 35 | +[source,terminal] |
| 36 | +---- |
| 37 | +NAMESPACE NAME VERSION KUBECONFIG PROGRESS AVAILABLE PROGRESSING MESSAGE |
| 38 | +local-cluster 79136a1bdb84b3c13217 4.13.5 79136a1bdb84b3c13217-admin-kubeconfig Completed True False The hosted control plane is available |
| 39 | +---- |
| 40 | + |
| 41 | +. In the management cluster, create a `TailoredProfile` extending the scan Profile and define the name and namespace of the Hosted Cluster to be scanned: |
| 42 | ++ |
| 43 | +.Example `management-tailoredprofile.yaml` |
| 44 | +[source,yaml] |
| 45 | +---- |
| 46 | +apiVersion: compliance.openshift.io/v1alpha1 |
| 47 | +kind: TailoredProfile |
| 48 | +metadata: |
| 49 | + name: hypershift-cisk57aw88gry |
| 50 | + namespace: openshift-compliance |
| 51 | +spec: |
| 52 | + description: This profile test required rules |
| 53 | + extends: ocp4-cis <1> |
| 54 | + title: Management namespace profile |
| 55 | + setValues: |
| 56 | + - name: ocp4-hypershift-cluster |
| 57 | + rationale: This value is used for HyperShift version detection |
| 58 | + value: 79136a1bdb84b3c13217 <2> |
| 59 | + - name: ocp4-hypershift-namespace-prefix |
| 60 | + rationale: This value is used for HyperShift control plane namespace detection |
| 61 | + value: local-cluster <3> |
| 62 | +---- |
| 63 | +<1> Variable. Only `ocp4-cis` and `ocp4-pci-dss` profiles are supported in Hosted control planes management clusters. |
| 64 | +<2> The `value` is the `NAME` from the output in the previous step. |
| 65 | +<3> The `value` is the `NAMESPACE` from the output in the previous step. |
| 66 | + |
| 67 | +. Create the `TailoredProfile`: |
| 68 | ++ |
| 69 | +[source,terminal] |
| 70 | +---- |
| 71 | +$ oc create -n openshift-compliance -f mgmt-tp.yaml |
| 72 | +---- |
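Review bot: The file name in step 3 does not match the example in step 2. The YAML is titled `management-tailoredprofile.yaml`, but the create command reads `-f mgmt-tp.yaml`, so a reader who saves the example under its given name and copies the command gets a file-not-found error; use one name in both places. Two smaller points in the same file: the introduction spells the product "Hypershift" while the `rationale` fields spell it "HyperShift", and the sample `description: This profile test required rules` should read "tests". The procedure also ends at `oc create` with no verification step; consider adding a closing step that shows how to confirm that the `TailoredProfile` was accepted before a scan is bound to it.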