Merge pull request #50778 from sheriff-rh/co-0.1.55-rns

Compliance Operator v0.1.57 release notes and enhancements added

Author: kalexand-rh

modules/compliance-applying-resource-requests-and-limits.adoc

@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-scans.adoc
+
+:_content-type: CONCEPT
+[id="compliance-applying-resource-requests-and-limits_{context}"]
+= Applying resource requests and limits
+
+When the kubelet starts a container as part of a Pod, the kubelet passes that container's requests and limits for memory and CPU to the container runtime. In Linux, the container runtime configures the kernel cgroups that apply and enforce the limits you defined.
+
+The CPU limit defines how much CPU time the container can use. During each scheduling interval, the Linux kernel checks to see if this limit is exceeded. If so, the kernel waits before allowing the cgroup to resume execution.
+
+If several different containers (cgroups) want to run on a contended system, workloads with larger CPU requests are allocated more CPU time than workloads with small requests. The memory request is used during Pod scheduling. On a node that uses cgroups v2, the container runtime might use the memory request as a hint to set `memory.min` and `memory.low` values.
+
+If a container attempts to allocate more memory than this limit, the Linux kernel out-of-memory subsystem activates and intervenes by stopping one of the processes in the container that tried to allocate memory. The memory limit for the Pod or container can also apply to pages in memory-backed volumes, such as an emptyDir.
+
+The kubelet tracks `tmpfs` `emptyDir` volumes as container memory is used, rather than as local ephemeral storage. If a container exceeds its memory request and the node that it runs on becomes short of memory overall, the Pod's container might be evicted.
+
+[IMPORTANT]
+====
+A container may not exceed its CPU limit for extended periods. Container run times do not stop Pods or containers for excessive CPU usage. To determine whether a container cannot be scheduled or is being killed due to resource limits, see _Troubleshooting the Compliance Operator_.
+====

modules/compliance-custom-node-pools.adoc

@@ -0,0 +1,94 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-remediation.adoc
+
+:_content-type: PROCEDURE
+[id="compliance-custom-node-pools_{context}"]
+= Scanning custom node pools
+
+The Compliance Operator does not maintain a copy of each node pool configuration. The Compliance Operator aggregates consistent configuration options for all nodes within a single node pool into one copy of the configuration file. The Compliance Operator then uses the configuration file for a particular node pool to evaluate rules against nodes within that pool.
+
+If your cluster uses custom node pools outside the default `worker` and `master` node pools, you must supply additional variables to ensure the Compliance Operator aggregates a configuration file for that node pool.
+
+.Procedure
+
+. To check the configuration against all pools in an example cluster containing `master`, `worker`, and custom `example` node pools, set the value of the `ocp-var-role-master` and `opc-var-role-worker` fields to `example` in the `TailoredProfile` object:
++
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+kind: TailoredProfile
+metadata:
+  name: cis-example-tp
+spec:
+  extends: ocp4-cis
+  title: My modified NIST profile to scan example nodes
+  setValues:
+  - name: ocp4-var-role-master
+    value: example
+    rationale: test for example nodes
+  - name: ocp4-var-role-worker
+    value: example
+    rationale: test for example nodes
+  description: cis-example-scan
+----
+
+. Add the `example` role to the `ScanSetting` object that will be stored in the `ScanSettingBinding` CR:
++
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ScanSetting
+metadata:
+  name: default
+  namespace: openshift-compliance
+rawResultStorage:
+  rotation: 3
+  size: 1Gi
+roles:
+- worker
+- master
+- example
+scanTolerations:
+- effect: NoSchedule
+  key: node-role.kubernetes.io/master
+  operator: Exists
+schedule: '0 1 * * *'
+----
+
+. Create a scan that uses the `ScanSettingBinding` CR:
++
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ScanSettingBinding
+metadata:
+  name: cis
+  namespace: openshift-compliance
+profiles:
+- apiGroup: compliance.openshift.io/v1alpha1
+  kind: Profile
+  name: ocp4-cis
+- apiGroup: compliance.openshift.io/v1alpha1
+  kind: Profile
+  name: ocp4-cis-node
+- apiGroup: compliance.openshift.io/v1alpha1
+  kind: TailoredProfile
+  name: cis-example-tp
+settingsRef:
+  apiGroup: compliance.openshift.io/v1alpha1
+  kind: ScanSetting
+  name: default
+----
+
+The Compliance Operator checks the runtime `KubeletConfig` through the `Node/Proxy` API object and then uses variables such as `ocp-var-role-master` and `ocp-var-role-worker` to determine the nodes it performs the check against. In the `ComplianceCheckResult`, the `KubeletConfig` rules are shown as `ocp4-cis-kubelet-*`. The scan passes only if all selected nodes pass this check.
+
+.Verification
+
+* The Platform KubeletConfig rules are checked through the `Node/Proxy` object. You can find those rules by running the following command:
++
+[source,terminal]
+----
+$ oc get rules -o json | jq '.items[] | select(.checkType == "Platform") | select(.metadata.name | contains("ocp4-kubelet-")) | .metadata.name'
+----
+

modules/compliance-evaluate-kubeletconfig-rules.adoc

@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-remediation.adoc
+
+:_content-type: CONCEPT
+[id="compliance-evaluate-kubeletconfig-rules_{context}"]
+= Evaluating KubeletConfig rules against default configuration values
+
+{product-title} infrastructure might contain incomplete configuration files at run time, and nodes assume default configuration values for missing configuration options. Some configuration options can be passed as command line arguments. As a result, the Compliance Operator cannot verify if the configuration file on the node is complete because it might be missing options used in the rule checks.
+
+To prevent false negative results where the default configuration value passes a check, the Compliance Operator uses the Node/Proxy API to fetch the configuration for each node in a node pool, then all configuration options that are consistent across nodes in the node pool are stored in a file that represents the configuration for all nodes within that node pool. This increases the accuracy of the scan results.
+
+No additional configuration changes are required to use this feature with default `master` and `worker` node pools configurations.

modules/compliance-increasing-operator-limits.adoc

@@ -0,0 +1,31 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-troubleshooting.adoc
+
+:_content-type: PROCEDURE
+[id="compliance-increasing-operator-limits_{context}"]
+= Increasing Compliance Operator resource limits
+
+In some cases, the Compliance Operator might require more memory than the default limits allow. The best way to mitigate this issue is to set custom resource limits.
+
+To increase the default memory and CPU limits of scanner pods, see _`ScanSetting` Custom resource_.
+
+.Procedure
+
+. To increase the Operator's memory limits to 500 Mi, create the following patch file named `co-memlimit-patch.yaml`:
++
+[source,yaml]
+----
+spec:
+  config:
+    resources:
+      limits:
+        memory: 500Mi
+----
+
+. Apply the patch file:
++
+[source,terminal]
+----
+$ oc patch sub compliance-operator -nopenshift-compliance --patch-file co-memlimit-patch.yaml --type=merge
+----

modules/compliance-kubeletconfig-sub-pool-remediation.adoc

@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-remediation.adoc
+
+:_content-type: PROCEDURE
+[id="compliance-kubeletconfig-sub-pool-remediation_{context}"]
+= Remediating `KubeletConfig` sub pools
+
+`KubeletConfig` remediation labels can be applied to `MachineConfigPool` sub-pools.
+
+.Procedure
+
+* Add a label to the sub-pool `MachineConfigPool` CR:
++
+[source,terminal]
+----
+$ oc label mcp <sub-pool-name> pools.operator.machineconfiguration.openshift.io/<sub-pool-name>=
+----

modules/compliance-priorityclass.adoc

@@ -0,0 +1,54 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-advanced.adoc
+
+:_content-type: PROCEDURE
+[id="compliance-priorityclass_{context}"]
+= Setting `PriorityClass` for `ScanSetting` scans
+
+In large scale environments, the default `PriorityClass` object can be too low to guarantee Pods execute scans on time. For clusters that must maintain compliance or guarantee automated scanning, it is recommended to set the `PriorityClass` variable to ensure the Compliance Operator is always given priority in resource constrained situations.
+
+.Procedure
+
+* Set the `PriorityClass` variable:
++
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+strictNodeScan: true
+metadata:
+  name: default
+  namespace: openshift-compliance
+priorityClass: compliance-high-priority <1>
+kind: ScanSetting
+showNotApplicable: false
+rawResultStorage:
+  nodeSelector:
+    node-role.kubernetes.io/master: ''
+  pvAccessModes:
+    - ReadWriteOnce
+  rotation: 3
+  size: 1Gi
+  tolerations:
+    - effect: NoSchedule
+      key: node-role.kubernetes.io/master
+      operator: Exists
+    - effect: NoExecute
+      key: node.kubernetes.io/not-ready
+      operator: Exists
+      tolerationSeconds: 300
+    - effect: NoExecute
+      key: node.kubernetes.io/unreachable
+      operator: Exists
+      tolerationSeconds: 300
+    - effect: NoSchedule
+      key: node.kubernetes.io/memory-pressure
+      operator: Exists
+schedule: 0 1 * * *
+roles:
+  - master
+  - worker
+scanTolerations:
+  - operator: Exists
+----
+<1> If the `PriorityClass` referenced in the `ScanSetting` cannot be found, the Operator will leave the `PriorityClass` empty, issue a warning, and continue scheduling scans without a `PriorityClass`.

modules/compliance-scansetting-cr.adoc

@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-scans.adoc
+
+:_content-type: CONCEPT
+[id="compliance-scansetting-cr_{context}"]
+= `ScanSetting` Custom Resource
+
+The `ScanSetting` Custom Resource now allows you to override the default CPU and memory limits of scanner pods through the scan limits attribute. The Compliance Operator will use defaults of 500Mi memory, 100m CPU for the scanner container, and 200Mi memory with 100m CPU for the `api-resource-collector` container. To set the memory limits of the Operator, modify the `Subscription` object if installed through OLM or the Operator deployment itself.
+
+To increase the default CPU and memory limits of the Compliance Operator, see _Increasing Compliance Operator resource limits_.
+
+[IMPORTANT]
+====
+Increasing the memory limit for the Compliance Operator or the scanner pods is needed if the default limits are not sufficient and the Operator or scanner pods are ended by the Out Of Memory (OOM) process.
+====

modules/compliance-scheduling-pods-with-resource-requests.adoc

@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-scans.adoc
+
+:_content-type: CONCEPT
+[id="compliance-scheduling-pods-with-resource-requests_{context}"]
+= Scheduling Pods with resource requests
+
+When a Pod is created, the scheduler selects a Node for the Pod to run on. Each node has a maximum capacity for each resource type in the amount of CPU and memory it can provide for the Pods. The scheduler ensures that the sum of the resource requests of the scheduled containers is less than the capacity nodes for each resource type.
+
+Although memory or CPU resource usage on nodes is very low, the scheduler might still refuse to place a Pod on a node if the capacity check fails to protect against a resource shortage on a node.
+
+For each container, you can specify the following resource limits and request:
+
+[source,terminal]
+----
+spec.containers[].resources.limits.cpu
+spec.containers[].resources.limits.memory
+spec.containers[].resources.limits.hugepages-<size>
+spec.containers[].resources.requests.cpu
+spec.containers[].resources.requests.memory
+spec.containers[].resources.requests.hugepages-<size>
+----
+
+[NOTE]
+====
+Although you can specify requests and limits for only individual containers, it is also useful to consider the overall resource requests and limits for a pod. For a particular resource, a pod resource request or limit is the sum of the resource requests or limits of that type for each container in the pod.
+====
+
+.Example Pod resource requests and limits
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: frontend
+spec:
+  containers:
+  - name: app
+    image: images.my-company.example/app:v4
+    resources:
+      requests: <1>
+        memory: "64Mi"
+        cpu: "250m"
+      limits: <2>
+        memory: "128Mi"
+        cpu: "500m"
+  - name: log-aggregator
+    image: images.my-company.example/log-aggregator:v6
+    resources:
+      requests:
+        memory: "64Mi"
+        cpu: "250m"
+      limits:
+        memory: "128Mi"
+        cpu: "500m"
+----
+<1> The Pod is requesting 64 Mi of memory and 250 m CPU.
+<2> The Pod's limits are defined as 128 Mi of memory and 500 m CPU.

modules/compliance-supported-profiles.adoc

@@ -86,12 +86,14 @@ The Compliance Operator provides the following compliance profiles:
 |0.1.47+
 |link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library]
 |`x86_64`
+ `ppc64le`
 
 |ocp4-pci-dss-node
 |PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
 |0.1.47+
 |link:https://www.pcisecuritystandards.org/document_library?document=pci_dss[PCI Security Standards ® Council Document Library]
 |`x86_64`
+ `ppc64le`
 
 |ocp4-high
 |NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level

modules/operator-resource-constraints.adoc

@@ -0,0 +1,36 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-troubleshooting.adoc
+
+:_content-type: REFERENCE
+[id="operator-resource-constraints_{context}"]
+= Configuring Operator resource constraints
+
+The `resources` field defines Resource Constraints for all the containers in the Pod created by the Operator Lifecycle Manager (OLM).
+
+[NOTE]
+====
+Resource Constraints applied in this process overwrites the existing resource constraints.
+====
+
+.Procedure
+
+* Inject a request of 0.25 cpu and 64 Mi of memory, and a limit of 0.5 cpu and 128 Mi of memory in each container by editing the `Subscription` object:
++
+[source,yaml]
+----
+kind: Subscription
+metadata:
+  name: custom-operator
+spec:
+  package: etcd
+  channel: alpha
+  config:
+    resources:
+      requests:
+        memory: "64Mi"
+        cpu: "250m"
+      limits:
+        memory: "128Mi"
+        cpu: "500m"
+----