openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/compliance-crd-rule.adoc

44 lines
2.0 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * security/compliance_operator/co-concepts/compliance-operator-crd.adoc
:_mod-docs-content-type: CONCEPT
[id="rule-object_{context}"]
= Rule object
The `Rule` object, which forms the profiles, are also exposed as objects. Use the `Rule` object to define your compliance check requirements and specify how it could be fixed.
.Example `Rule` object
[source,yaml]
----
apiVersion: compliance.openshift.io/v1alpha1
checkType: Platform <1>
description: <description of the rule>
id: xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces <2>
instructions: <manual instructions for the scan>
kind: Rule
metadata:
annotations:
compliance.openshift.io/rule: configure-network-policies-namespaces
control.compliance.openshift.io/CIS-OCP: 5.3.2
control.compliance.openshift.io/NERC-CIP: CIP-003-3 R4;CIP-003-3 R4.2;CIP-003-3
R5;CIP-003-3 R6;CIP-004-3 R2.2.4;CIP-004-3 R3;CIP-007-3 R2;CIP-007-3 R2.1;CIP-007-3
R2.2;CIP-007-3 R2.3;CIP-007-3 R5.1;CIP-007-3 R6.1
control.compliance.openshift.io/NIST-800-53: AC-4;AC-4(21);CA-3(5);CM-6;CM-6(1);CM-7;CM-7(1);SC-7;SC-7(3);SC-7(5);SC-7(8);SC-7(12);SC-7(13);SC-7(18)
labels:
compliance.openshift.io/profile-bundle: ocp4
name: ocp4-configure-network-policies-namespaces
namespace: openshift-compliance
rationale: <description of why this rule is checked>
severity: high <3>
title: <summary of the rule>
----
<1> Specify the type of check this rule executes. `Node` profiles scan the cluster nodes and `Platform` profiles scan the Kubernetes platform. An empty value indicates there is no automated check.
<2> Specify the XCCDF name of the rule, which is parsed directly from the datastream.
<3> Specify the severity of the rule when it fails.
[NOTE]
====
The `Rule` object gets an appropriate label for an easy identification of the associated `ProfileBundle` object. The `ProfileBundle` also gets specified in the `OwnerReferences` of this object.
====
View Git Blame Copy Permalink