Propose a different layout for kubernetes rules
Initially, this repository only contained profiles for OCP. With the addition of EKS profiles, we now have two distributions and we should think about how we want to organize the rules for kubernetes platforms.
The new layout must:
- Render accurate content for each kubernetes distribution
- Allow for rule re-use wherever possible
- Keep existing rule names for backwards compatibility
The first point is important so that end-users are presented with content that matches the official benchmarks word-for-word.
This commit adds a new group under applications/ for kubernetes
distributions. Each rule added to this new layout should be written as
generically as possible if it pertains to more than one kubernetes
platform (e.g., EKS or OCP). Existing rules under
applications/openshift/ will be ported to applications/kubernetes/
without changing the rule name to preserve backwards compatibility.
Those changes will also include parameterization templating in the rule
to support each platform currently using it.
This will result in template-heavy rules, but it provides the following benefits:
- All kubernetes-specific rules are in a platform agnostic location
- We won't have issues with multiple sub-groups with the same name
(e.g., applications/kubernetes/eks/logging and applications/kubernetes/openshift/logging, see issue 8190) which breaks the content build process
- We can still reuse rules across platforms
Additionally, this commit adds a new rule for the EKS CIS profile as an example. Further, more complicated examples will be ported in future patches.
@rhmdnd @jhrozek Can you take a look into this one?
@rhmdnd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-rhcos4-high | cfcdfcb019cc947f0a8e55b8f273045aa1170861 | link | true | /test e2e-aws-rhcos4-high |
| ci/prow/e2e-aws-ocp4-high-node | cfcdfcb019cc947f0a8e55b8f273045aa1170861 | link | true | /test e2e-aws-ocp4-high-node |
| ci/prow/e2e-aws-ocp4-high | cfcdfcb019cc947f0a8e55b8f273045aa1170861 | link | true | /test e2e-aws-ocp4-high |
| ci/prow/e2e-aws-ocp4-stig | cfcdfcb019cc947f0a8e55b8f273045aa1170861 | link | true | /test e2e-aws-ocp4-stig |
| ci/prow/e2e-aws-ocp4-stig-node | cfcdfcb019cc947f0a8e55b8f273045aa1170861 | link | true | /test e2e-aws-ocp4-stig-node |
Closing because of inactivity. Feel free to reopen if you want this to get merged.