From c7bea535d3556af32627ab4cdf5a1389661276ca Mon Sep 17 00:00:00 2001 From: aksjoshi Date: Fri, 26 Jun 2026 09:56:43 +0530 Subject: [PATCH] Make changes --- .../compliance-operator-cli-uninstall.adoc | 5 +- modules/compliance-operator-uninstall.adoc | 7 +- modules/compliance-profilebundle.adoc | 17 +++-- modules/compliance-update.adoc | 13 +++- .../compliance-operator-manage.adoc | 3 +- .../compliance-operator-uninstallation.adoc | 9 ++- security/compliance_operator/co-overview.adoc | 69 ++++++++----------- 7 files changed, 66 insertions(+), 57 deletions(-) diff --git a/modules/compliance-operator-cli-uninstall.adoc b/modules/compliance-operator-cli-uninstall.adoc index e58b751eef96..0e592a31119f 100644 --- a/modules/compliance-operator-cli-uninstall.adoc +++ b/modules/compliance-operator-cli-uninstall.adoc @@ -6,12 +6,13 @@ [id="compliance-operator-uninstall-cli_{context}"] = Uninstalling the OpenShift Compliance Operator from {product-title} using the CLI +[role="_abstract"] To remove the Compliance Operator, you must first delete the objects in the namespace. After the objects are removed, you can remove the Operator and its namespace by deleting the *openshift-compliance* project. .Prerequisites -* Access to an {product-title} cluster using an account with `cluster-admin` permissions. -* The OpenShift Compliance Operator must be installed. +* Access to an {product-title} cluster by using an account with `cluster-admin` permissions. +* The OpenShift Compliance Operator is installed. .Procedure diff --git a/modules/compliance-operator-uninstall.adoc b/modules/compliance-operator-uninstall.adoc index 88a72c7c5d1d..e71ba3b1dabc 100644 --- a/modules/compliance-operator-uninstall.adoc +++ b/modules/compliance-operator-uninstall.adoc 
@@ -6,17 +6,16 @@ [id="compliance-operator-uninstall_{context}"] = Uninstalling the OpenShift Compliance Operator from {product-title} using the web console +[role="_abstract"] To remove the Compliance Operator, you must first delete the objects in the namespace. After the objects are removed, you can remove the Operator and its namespace by deleting the *openshift-compliance* project. .Prerequisites -* Access to an {product-title} cluster using an account with `cluster-admin` permissions. -* The OpenShift Compliance Operator must be installed. +* Access to an {product-title} cluster by using an account with `cluster-admin` permissions. +* The OpenShift Compliance Operator is installed. .Procedure -To remove the Compliance Operator by using the {product-title} web console: - . Go to the *Ecosystem* -> *Installed Operators* -> *Compliance Operator* page. .. Click *All instances*. diff --git a/modules/compliance-profilebundle.adoc b/modules/compliance-profilebundle.adoc index 77fd2d982718..981af8c02191 100644 --- a/modules/compliance-profilebundle.adoc +++ b/modules/compliance-profilebundle.adoc @@ -6,7 +6,10 @@ [id="compliance-profilebundle_{context}"] = ProfileBundle CR example -The `ProfileBundle` object requires two pieces of information: the URL of a container image that contains the `contentImage` and the file that contains the compliance content. The `contentFile` parameter is relative to the root of the file system. You can define the built-in `rhcos4` `ProfileBundle` object as shown in the following example: +[role="_abstract"] +The `ProfileBundle` custom resource defines compliance content sources by specifying a container image URL and content file path. Understanding this structure helps you create custom security profiles for your organization. + +The built-in `rhcos4` `ProfileBundle` object is defined as follows: [source,yaml] ---- 
@@ -22,8 +25,8 @@ metadata: resourceVersion: "46741" uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d spec: - contentFile: ssg-rhcos4-ds.xml <1> - contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:900e... <2> + contentFile: ssg-rhcos4-ds.xml + contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:900e... status: conditions: - lastTransitionTime: "2022-10-19T12:07:51Z" @@ -33,9 +36,13 @@ status: type: Ready dataStreamStatus: VALID ---- -<1> Location of the file containing the compliance content. -<2> Content image location. + +where: + +`spec.contentFile`:: Specifies the location of the file containing the compliance content. +`spec.contentImage`:: Specifies the content image location. ++ + [IMPORTANT] ==== The base image used for the content images must include `coreutils`. diff --git a/modules/compliance-update.adoc b/modules/compliance-update.adoc index 89bf414f5ba7..0bcc94ef34f7 100644 --- a/modules/compliance-update.adoc +++ b/modules/compliance-update.adoc @@ -6,7 +6,10 @@ [id="compliance-update_{context}"] = Updating security content -Security content is included as container images that the `ProfileBundle` objects refer to. To accurately track updates to `ProfileBundles` and the custom resources parsed from the bundles such as rules or profiles, identify the container image with the compliance content using a digest instead of a tag: +[role="_abstract"] +You can use container image digests instead of tags to track `ProfileBundle` updates accurately and ensure predictable compliance profile versions across cluster deployments. + +Security content is included as container images that the `ProfileBundle` objects refer to. To accurately track updates to `ProfileBundles` and the custom resources parsed from the bundles, such as rules or profiles, you can view the container image digest in the ProfileBundle status. [source,terminal] ---- 
@@ -29,7 +32,7 @@ metadata: uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d spec: contentFile: ssg-rhcos4-ds.xml - contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:900e... <1> + contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:900e... status: conditions: - lastTransitionTime: "2022-10-19T12:07:51Z" @@ -39,6 +42,10 @@ status: type: Ready dataStreamStatus: VALID ---- -<1> Security container image. ++ +where: + +`spec.contentImage`:: Specifies the security container image. ++ Each `ProfileBundle` is backed by a deployment. When the Compliance Operator detects that the container image digest has changed, the deployment is updated to reflect the change and parse the content again. Using the digest instead of a tag ensures that you use a stable and predictable set of profiles. diff --git a/security/compliance_operator/co-management/compliance-operator-manage.adoc b/security/compliance_operator/co-management/compliance-operator-manage.adoc index a7ca3def0cee..09349368a064 100644 --- a/security/compliance_operator/co-management/compliance-operator-manage.adoc +++ b/security/compliance_operator/co-management/compliance-operator-manage.adoc @@ -6,7 +6,8 @@ include::_attributes/common-attributes.adoc[] toc::[] -This section describes the lifecycle of security content, including how to use an updated version of compliance content and how to create a custom `ProfileBundle` object. +[role="_abstract"] +You can manage the Compliance Operator security content lifecycle to keep compliance profiles current and create custom `ProfileBundle` objects tailored to your organization security requirements. include::modules/compliance-profilebundle.adoc[leveloffset=+1] diff --git a/security/compliance_operator/co-management/compliance-operator-uninstallation.adoc b/security/compliance_operator/co-management/compliance-operator-uninstallation.adoc index 5a62eef99ec3..803b6f90e241 100644 
--- a/security/compliance_operator/co-management/compliance-operator-uninstallation.adoc +++ b/security/compliance_operator/co-management/compliance-operator-uninstallation.adoc @@ -6,8 +6,15 @@ include::_attributes/common-attributes.adoc[] toc::[] +[role="_abstract"] You can remove the OpenShift Compliance Operator from your cluster by using the {product-title} web console or the CLI. include::modules/compliance-operator-uninstall.adoc[leveloffset=+1] -include::modules/compliance-operator-cli-uninstall.adoc[leveloffset=+1] \ No newline at end of file +include::modules/compliance-operator-cli-uninstall.adoc[leveloffset=+1] + +[role="_additional-resources"] +.Additional resources + +* xref:compliance-operator-installation.adoc#compliance-operator-installation[Installing the Compliance Operator] +* xref:compliance-operator-manage.adoc#compliance-operator-understanding[Managing the Compliance Operator] \ No newline at end of file diff --git a/security/compliance_operator/co-overview.adoc b/security/compliance_operator/co-overview.adoc index 1f988592058f..d814916a31f9 100644 --- a/security/compliance_operator/co-overview.adoc +++ b/security/compliance_operator/co-overview.adoc 
@@ -4,56 +4,43 @@ include::_attributes/common-attributes.adoc[] :context: co-overview -The {product-title} Compliance Operator assists users by automating the -inspection of numerous technical implementations and compares those against -certain aspects of industry standards, benchmarks, and baselines; the -Compliance Operator is not an auditor. In order to be compliant or certified -under these various standards, you need to engage an authorized auditor such as -a Qualified Security Assessor (QSA), Joint Authorization Board (JAB), or other -industry recognized regulatory authority to assess your environment. - -The Compliance Operator makes recommendations based on generally available -information and practices regarding such standards and may assist with -remediations, but actual compliance is your responsibility. You are required to -work with an authorized auditor to achieve compliance with a standard. For the -latest updates, see the -xref:../../security/compliance_operator/compliance-operator-release-notes.adoc#compliance-operator-release-notes[Compliance -Operator release notes]. For more information on compliance support for all Red{nbsp}Hat products, see link:https://access.redhat.com/compliance[Product Compliance]. +[role="_abstract"] +The {product-title} Compliance Operator assists users by automating the inspection of numerous technical implementations and compares those against certain aspects of industry standards, benchmarks, and baselines. The Compliance Operator is not an auditor. To be compliant or certified under these various standards, you need to engage an authorized auditor such as a Qualified Security Assessor (QSA), Joint Authorization Board (JAB), or other industry recognized regulatory authority to assess your environment. + +The Compliance Operator makes recommendations based on generally available information and practices regarding such standards and might assist with remediations, but actual compliance is your responsibility. 
You are required to work with an authorized auditor to achieve compliance with a standard. [id="co-overview-operator-concepts"] == Compliance Operator concepts -xref:../../security/compliance_operator/co-concepts/compliance-operator-understanding.adoc#compliance-operator-understanding[Understanding the Compliance Operator] - -xref:../../security/compliance_operator/co-concepts/compliance-operator-crd.adoc#custom-resource-definitions[Understanding the Custom Resource Definitions] -//[new page] Quick start? +The Compliance Operator provides concepts and custom resource definitions to help you understand and configure compliance scanning. [id="co-overview-operator-mgmt"] == Compliance Operator management -xref:../../security/compliance_operator/co-management/compliance-operator-installation.adoc#compliance-operator-installation[Installing the Compliance Operator] - -xref:../../security/compliance_operator/co-management/compliance-operator-updating.adoc#compliance-operator-updating[Updating the Compliance Operator] - -xref:../../security/compliance_operator/co-management/compliance-operator-manage.adoc#compliance-operator-understanding[Managing the Compliance Operator] - -xref:../../security/compliance_operator/co-management/compliance-operator-uninstallation.adoc#compliance-operator-uninstallation[Uninstalling the Compliance Operator] +You can install, update, manage, and uninstall the Compliance Operator on your cluster. 
[id="co-overview-operator-scan-mgmt"] == Compliance Operator scan management -xref:../../security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc#compliance-operator-supported-profiles[Supported compliance profiles] - -xref:../../security/compliance_operator/co-scans/compliance-scans.adoc#compliance-operator-scans[Compliance Operator scans] - -xref:../../security/compliance_operator/co-scans/compliance-operator-tailor.adoc#compliance-operator-tailor[Tailoring the Compliance Operator] - -xref:../../security/compliance_operator/co-scans/compliance-operator-raw-results.adoc#compliance-operator-raw-results[Retrieving Compliance Operator raw results] - -xref:../../security/compliance_operator/co-scans/compliance-operator-remediation.adoc#compliance-operator-remediation[Managing Compliance Operator remediation] - -xref:../../security/compliance_operator/co-scans/compliance-operator-advanced.adoc#compliance-operator-advanced[Performing advanced Compliance Operator tasks] - -xref:../../security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc#compliance-operator-troubleshooting[Troubleshooting the Compliance Operator] - -xref:../../security/compliance_operator/co-scans/oc-compliance-plug-in-using.adoc#using-oc-compliance-plug-in[Using the oc-compliance plugin] +The Compliance Operator supports various compliance profiles and provides tools for scanning, tailoring, retrieving results, managing remediations, and troubleshooting. 
+
+[role="_additional-resources"]
+[id="additional-resources_co-overview"]
+== Additional resources
+
+* xref:../../security/compliance_operator/compliance-operator-release-notes.adoc#compliance-operator-release-notes[Compliance Operator release notes]
+* link:https://access.redhat.com/compliance[Product Compliance]
+* xref:../../security/compliance_operator/co-concepts/compliance-operator-understanding.adoc#compliance-operator-understanding[Understanding the Compliance Operator]
+* xref:../../security/compliance_operator/co-concepts/compliance-operator-crd.adoc#custom-resource-definitions[Understanding the Custom Resource Definitions]
+* xref:../../security/compliance_operator/co-management/compliance-operator-installation.adoc#compliance-operator-installation[Installing the Compliance Operator]
+* xref:../../security/compliance_operator/co-management/compliance-operator-updating.adoc#compliance-operator-updating[Updating the Compliance Operator]
+* xref:../../security/compliance_operator/co-management/compliance-operator-manage.adoc#compliance-operator-understanding[Managing the Compliance Operator]
+* xref:../../security/compliance_operator/co-management/compliance-operator-uninstallation.adoc#compliance-operator-uninstallation[Uninstalling the Compliance Operator]
+* xref:../../security/compliance_operator/co-scans/compliance-operator-supported-profiles.adoc#compliance-operator-supported-profiles[Supported compliance profiles]
+* xref:../../security/compliance_operator/co-scans/compliance-scans.adoc#compliance-operator-scans[Compliance Operator scans]
+* xref:../../security/compliance_operator/co-scans/compliance-operator-tailor.adoc#compliance-operator-tailor[Tailoring the Compliance Operator]
+* xref:../../security/compliance_operator/co-scans/compliance-operator-raw-results.adoc#compliance-operator-raw-results[Retrieving Compliance Operator raw results]
+* 
xref:../../security/compliance_operator/co-scans/compliance-operator-remediation.adoc#compliance-operator-remediation[Managing Compliance Operator remediation]
+* xref:../../security/compliance_operator/co-scans/compliance-operator-advanced.adoc#compliance-operator-advanced[Performing advanced Compliance Operator tasks]
+* xref:../../security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc#compliance-operator-troubleshooting[Troubleshooting the Compliance Operator]
+* xref:../../security/compliance_operator/co-scans/oc-compliance-plug-in-using.adoc#using-oc-compliance-plug-in[Using the oc-compliance plugin]