forked from ComplianceAsCode/content
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
116 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| FROM registry.fedoraproject.org/fedora-minimal:38 as builder | ||
| WORKDIR /content | ||
| COPY . . | ||
| RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils | ||
| RUN ./build_product --datastream-only --debug ocp4 rhcos4 | ||
|
|
||
|
|
||
| FROM registry.access.redhat.com/ubi8/ubi-minimal | ||
| WORKDIR / | ||
| COPY --from=builder /content/build/ssg-ocp4-ds.xml . | ||
| COPY --from=builder /content/build/ssg-rhcos4-ds.xml . |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| apiVersion: compliance.openshift.io/v1alpha1 | ||
| kind: ProfileBundle | ||
| metadata: | ||
| name: upstream-rhcos4 | ||
| namespace: openshift-compliance | ||
| spec: | ||
| contentFile: ssg-rhcos4-ds.xml | ||
| contentImage: quay.io/sluetzen/sig-bsi-grundschutz-content@sha256:c69db5c430b46f102a0bdea1f22ff66dd74c8fc7b921ed9d0039c6dba4a831be | ||
| --- | ||
| apiVersion: compliance.openshift.io/v1alpha1 | ||
| kind: ProfileBundle | ||
| metadata: | ||
| name: upstream-ocp4 | ||
| namespace: openshift-compliance | ||
| spec: | ||
| contentFile: ssg-ocp4-ds.xml | ||
| contentImage: quay.io/sluetzen/sig-bsi-grundschutz-content@sha256:c69db5c430b46f102a0bdea1f22ff66dd74c8fc7b921ed9d0039c6dba4a831be |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # Summary | ||
| The following is intended for people who want to use this UPSTREAM content in the context of OpenShift, and do not need to understand the details of the buildprocess. It combines the Red Hat packaged Compliance Operator from Red Hat with the upstream content | ||
|
|
||
| # Install Compliance Operator | ||
| Follow the guidance in the official docs | ||
| https://docs.openshift.com/container-platform/4.16/security/compliance_operator/co-management/compliance-operator-installation.html#compliance-operator-installation | ||
|
|
||
| # Build | ||
| You can get the content in different ways. First possibility is a build from source in your own infrastructure. | ||
| The other possibility is a prebuild-content image, which provides the build content for you | ||
|
|
||
| ## ALTERNATIVE A: BUILD FROM SOURCE | ||
| This Process builds the content only for one cluster in the internal registry. if you need it in different clusters, you need to build it and output it to a image-repository. You can do this in an openshift cluster using the `outputs` in the `BuildConfig` or just manually build with `podman build --tag $IMAGEREGISTRY:$TAG --file BSI/Containerfile .` from the `content` directory | ||
|
|
||
| ### Clone git Repository | ||
| `git clone --depth 1 https://github.com/sig-bsi-grundschutz/content.git --branch bsi-profile-complete-2024-10-31` | ||
|
|
||
| ### Build content in the cluster using the build scripts | ||
| `./utils/build_ds_container.py --create-profile-bundles --build-in-cluster` | ||
|
|
||
| IMPORTANT! | ||
| This creates additional upstream-rules and Profiles (prefixed with upstream) in the OpenShift Cluster due to the current functionality in RHACS the Compliance Dashboard in RHACS will show DUPLICATE RULES and throw ERRORS for the duplicate rules and not show the additional content | ||
|
|
||
| This can currently be worked around with the following command, which REPLACES THE SUPPORTED CONTENT with the upstream content | ||
| `./utils/build_ds_container.py --create-profile-bundles --build-in-cluster --no-upstream-prefix` | ||
|
|
||
| ## ALTERNATIVE B: Use PreBuild Image | ||
| in disconnected / airgapped environments you might want to mirror the image first and either change the contentImage or create a `ImageDigestMirrorSet`. | ||
|
|
||
| This follows https://docs.openshift.com/container-platform/4.17/security/compliance_operator/co-management/compliance-operator-manage.html | ||
|
|
||
| `oc apply -f BSI/ProfileBundles.yaml` | ||
|
|
||
| # Schedule | ||
| The profiles are prefixed with upstream in this case. If you do not use a prefix, please change accordingly | ||
| This follows https://docs.openshift.com/container-platform/4.17/security/compliance_operator/co-scans/compliance-scans.html | ||
|
|
||
| `oc apply -f BSI/ScanSettings.yaml` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| apiVersion: compliance.openshift.io/v1alpha1 | ||
| kind: ScanSettingBinding | ||
| metadata: | ||
| name: upstream-bsi-ocp | ||
| namespace: openshift-compliance | ||
| profiles: | ||
| - apiGroup: compliance.openshift.io/v1alpha1 | ||
| kind: Profile | ||
| name: upstream-ocp4-bsi | ||
| - apiGroup: compliance.openshift.io/v1alpha1 | ||
| kind: Profile | ||
| name: upstream-ocp4-bsi-node | ||
| settingsRef: | ||
| apiGroup: compliance.openshift.io/v1alpha1 | ||
| kind: ScanSetting | ||
| name: bsi-schedule | ||
| --- | ||
| apiVersion: compliance.openshift.io/v1alpha1 | ||
| kind: ScanSettingBinding | ||
| metadata: | ||
| name: upstream-bsi-rhcos | ||
| namespace: openshift-compliance | ||
| profiles: | ||
| - apiGroup: compliance.openshift.io/v1alpha1 | ||
| kind: Profile | ||
| name: upstream-rhcos4-bsi | ||
| settingsRef: | ||
| apiGroup: compliance.openshift.io/v1alpha1 | ||
| kind: ScanSetting | ||
| name: bsi-schedule | ||
| --- | ||
| apiVersion: compliance.openshift.io/v1alpha1 | ||
| kind: ScanSetting | ||
| maxRetryOnTimeout: 3 | ||
| metadata: | ||
| name: bsi-schedule | ||
| namespace: openshift-compliance | ||
| roles: | ||
| - master | ||
| - worker | ||
| schedule: 0 1 * * 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Test Profile for sandboxed_containers_operator_configured' | ||
|
|
||
| platform: ocp4 | ||
|
|
||
| description: Test Profile | ||
| selections: | ||
| - sandboxed_containers_operator_configured |