Merge pull request #51728 from Wiharris/OSDOCS-4311

maxwelldb · web-flow · commit 97ccc5a43533 · 2022-10-21T11:55:57.000-04:00
OSDOCS-4311 spec.manualRules Added in Attributes
diff --git a/modules/compliance-tailored-profiles.adoc b/modules/compliance-tailored-profiles.adoc
@@ -15,14 +15,14 @@ The `ComplianceSuite` object contains an optional `TailoringConfigMap` attribute
 +
 [source,terminal]
 ----
-$ oc get rules.compliance -n openshift-compliance -l compliance.openshift.io/profile-bundle=rhcos4 
+$ oc get rules.compliance -n openshift-compliance -l compliance.openshift.io/profile-bundle=rhcos4
 ----
 
 . Browse the available variables in the same `ProfileBundle`:
 +
 [source,terminal]
 ----
-$ oc get variables.compliance -n openshift-compliance -l compliance.openshift.io/profile-bundle=rhcos4 
+$ oc get variables.compliance -n openshift-compliance -l compliance.openshift.io/profile-bundle=rhcos4
 ----
 
 . Create a tailored profile named `nist-moderate-modified`:
@@ -65,6 +65,9 @@ spec:
 |`disableRules`
 |A list of name and rationale pairs. Each name refers to a name of a rule object that is to be disabled. The rationale value is human-readable text describing why the rule is disabled.
 
+|`manualRules`
+| A list of name and rationale pairs. When a manual rule is added, the check result status will always be `manual` and remediation will not be generated. This attribute is automatic and by default has no values when set as a manual rule.
+
 |`enableRules`
 |A list of name and rationale pairs. Each name refers to a name of a rule object that is to be enabled. The rationale value is human-readable text describing why the rule is enabled.
 
@@ -74,6 +77,24 @@ spec:
 |`setValues`
 | A list of name, rationale, and value groupings. Each name refers to a name of the value set. The rationale is human-readable text describing the set. The value is the actual setting.
 |===
++
+.. Add the `tailoredProfile.spec.manualRules` attribute:
++
+.Example `tailoredProfile.spec.manualRules.yaml`
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+kind: TailoredProfile
+metadata:
+  name: ocp4-manual-scc-check
+spec:
+  extends: ocp4-cis
+  description: This profile extends ocp4-cis by forcing the SCC check to always return MANUAL
+  title: OCP4 CIS profile with manual SCC check
+  manualRules:
+    - name: ocp4-scc-limit-container-allowed-capabilities
+      rationale: We use third party software that installs its own SCC with extra privileges
+----
 
 .. Create the `TailoredProfile` object:
 +
@@ -89,7 +110,7 @@ $ oc create -n openshift-compliance -f new-profile-node.yaml <1>
 tailoredprofile.compliance.openshift.io/nist-moderate-modified created
 ----
 
-. Define the `ScanSettingBinding` object to bind the new `nist-moderate-modified` tailored profile to the default `ScanSetting` object. 
+. Define the `ScanSettingBinding` object to bind the new `nist-moderate-modified` tailored profile to the default `ScanSetting` object.
 +
 .Example `new-scansettingbinding.yaml`
 [source,yaml]
