[WIP] OSDOCS#3995: ROSA - port 'Security' content from OCP

[tmalove]

This PR is to port the "Security and compliance" OCP content to ROSA. Reference that section only for comments, reviews, etc.
OSDOCS-3995

Version(s):

Link to docs preview (local build): https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/index.html (Updated 3/5)

QE review:

• QE has approved this change.

[ocpdocs-previewbot]

🤖 Fri Feb 09 18:30:23 - Prow CI generated the docs preview: https://62384--ocpdocs-pr.netlify.app

[tmalove]

@jaybeeunix @xueli181114 See this spreadsheet of errors I get from testing CLI commands in the security section. This list is still WIP. Thx.
https://docs.google.com/document/d/1EE4o5iF9bXMZS20DeeuJkd-UakZnKssVXcjsaFrPvx4/edit#heading=h.g1x54zpbotj

[xiaojiey]

@xingxingxia @geliu2016 @sunilcio @wangke19 Could you please help to review for your components? thanks.
I will check for Compliance Operator, File Integrity Operator and Security Profiles Operator.

[xingxingxia]

It is ROSA document for ROSA cluster, then GCP documents cert-manager-authenticate-gcp and cert-manager-authenticate-non-sts-gcp are not applicable, need be removed.
cert-manager-operator-issuer-acme has GCP ambient credential section, that is also not applicable for ROSA cluster.

[wangke19]

Apiserver topics look good to me. But I checked the link https://file.rdu.redhat.com/tlove/sd-port-security-tlove/upgrading/rosa-upgrading-cluster-prepare.html, we still has this upgrade path, I think that's a problem.

Preparing to upgrade ROSA to 4.9 

[xiaojiey]

For Compliance Operator, generally it is good. There are minor issues need to be updated:

1. For important notice in https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/compliance_operator/compliance-operator-supported-profiles.html, better to remove unreleated platforms:
   Current: "The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red Hat OpenShift Service on AWS, and Azure Red Hat OpenShift. For more information, see the Red Hat Knowledgebase Solution #6983418."
   Better to be: "The Compliance Operator might report incorrect results on Red Hat OpenShift Service on AWS. For more information, see the Red Hat Knowledgebase Solution #6983418."
2. For important notice in https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/compliance_operator/compliance-operator-installation.html,
   Current: "The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red Hat OpenShift Service on AWS, and Microsoft Azure Red Hat OpenShift. For more information, see the Red Hat Knowledgebase Solution #6983418."
   Better to be: "The Compliance Operator might report incorrect results on Red Hat OpenShift Service on AWS. For more information, see the Red Hat Knowledgebase Solution #6983418."

[BhargaviGudi]

For file-integrity-operator, generally it is good. There are minor changes need to be updated:

1. Commands under below links needs to be appended with namespace name (-n openshift-file-integrity)
   a. https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-understanding.html#checking-the-file-integrity-CR-status_file-integrity-operator
   b. https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-understanding.html#understanding-file-integrity-node-statuses-object_file-integrity-operator
   c. https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-understanding.html#file-integrity-node-status-failure_file-integrity-operator
   d. https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-understanding.html#file-integrity-events_file-integrity-operator
   e. https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-configuring.html#file-integrity-examine-default-config_file-integrity-operator
   f. https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-configuring.html#file-integrity-operator-defining-custom-config_file-integrity-operator
   g. https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-advanced-usage.html#file-integrity-operator-reinitializing-database_file-integrity-operator
   h. https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-troubleshooting.html#determining-the-fileintegrity-objects-phase

2. For Understanding the FileIntegrityNodeStatuses object, https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-understanding.html#understanding-file-integrity-node-statuses-object_file-integrity-operator , Example Output needs to be updated.
   Sample output:

$ oc get fileintegritynodestatuses -n openshift-file-integrity
NAME                                                              NODE                                         STATUS
worker-fileintegrity-ip-10-0-145-177.us-east-2.compute.internal   ip-10-0-145-177.us-east-2.compute.internal   Succeeded
worker-fileintegrity-ip-10-0-171-252.us-east-2.compute.internal   ip-10-0-171-252.us-east-2.compute.internal   Succeeded
worker-fileintegrity-ip-10-0-193-251.us-east-2.compute.internal   ip-10-0-193-251.us-east-2.compute.internal   Succeeded

3. Defining a custom File Integrity Operator configuration,https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/file_integrity_operator/file-integrity-operator-configuring.html#file-integrity-operator-defining-custom-config_file-integrity-operator , Step 7 need to update command to create fileintegrity.
   Currently only fileintegrity config is given.
   Add command: $ oc create -f master-fileintegrity.yaml -n openshift-file-integrity

[xiaojiey]

For Compliance Operator, below points are not applicable:

1. For important notice in https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/compliance_operator/compliance-operator-supported-profiles.html, better to remove unreleated platforms:
   Current: "The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red Hat OpenShift Service on AWS, and Azure Red Hat OpenShift. For more information, see the Red Hat Knowledgebase Solution #6983418."
   Better to be: "The Compliance Operator might report incorrect results on Red Hat OpenShift Service on AWS. For more information, see the Red Hat Knowledgebase Solution #6983418."

2. For important notice in https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/compliance_operator/compliance-operator-installation.html,
   Current: "The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red Hat OpenShift Service on AWS, and Microsoft Azure Red Hat OpenShift. For more information, see the Red Hat Knowledgebase Solution #6983418."
   Better to be: "The Compliance Operator might report incorrect results on Red Hat OpenShift Service on AWS. For more information, see the Red Hat Knowledgebase Solution #6983418."

3. For paragraph below, it is not applicable for ROSA as it is for hypershift hosted cluster only
   https://file.rdu.redhat.com/tlove/sd-port-security-tlove/security/compliance_operator/compliance-operator-installation.html#installing-compliance-operator-hcp_compliance-operator-installation

4. For paragraph below, it is not applicable for ROSA as creating custom mcp will fail. https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-remediation.html#compliance-operator-apply-remediation-for-customized-mcp
   https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-remediation.html#compliance-custom-node-pools_compliance-remediation

[tmalove]

Apiserver topics look good to me. But I checked the link file.rdu.redhat.com/tlove/sd-port-security-tlove/upgrading/rosa-upgrading-cluster-prepare.html, we still has this upgrade path, I think that's a problem.

Preparing to upgrade ROSA to 4.9 

@wangke19 When this was initially added, the admin acknowledgment was a new requirement. However, all major versions require this now. I will follow up with SRE to confirm. Thanks.

[xiaojiey]

Add one more important point for Compliance Operator:
The auto-remediation not works for ROSA(more accurately for all management platforms). Please add important notice in doc.
That means below sections not work for ROSA:
https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-remediation.html#compliance-applying_compliance-remediation
https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-remediation.html#compliance-manual_compliance-remediation
https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-remediation.html#compliance-updating_compliance-remediation
https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-remediation.html#compliance-unapplying_compliance-remediation

[tmalove]

@sheriff-rh @bergerhoffer @xenolinux adding you for your awareness.

[tmalove]

/test validate-asciidoc

[tmalove]

/test validate-asciidoc

[tmalove]

/retest

[tmalove]

/test validate-asciidoc

[tmalove]

/retest

[tmalove]

/retest

[tmalove]

/retest-required

[aireilly]

Put back this line. removing it breaks the build

[aireilly]

Whole stanza should look like:

Topics:
- Name: Deployments
  Dir: deployments
  Distros: openshift-rosa
  Topics:
  - Name: Custom domains for applications
    File: osd-config-custom-domains-applications

[openshift-ci]

@tmalove: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[tmalove]

@arendej @rhmdnd @BillDett the preview is updated with the removal of the 'Compliance Operator' and 'File Integrity Operator' sections FYI. Thanks!

[codymant]

@tmalove the netflix preview link doesn't seem to work any more. Is there another link somewhere? Eric Chapman and Austin Quam would like to review and share feedback if the review window is still open.

https://62384--ocpdocs-pr.netlify.app/openshift-rosa/latest/welcome/index.html

[tmalove]

@tmalove the netflix preview link doesn't seem to work any more. Is there another link somewhere? Eric Chapman and Austin Quam would like to review and share feedback if the review window is still open.

62384--ocpdocs-pr.netlify.app/openshift-rosa/latest/welcome/index.html

@codymant An updated preview is available, however VPN/network access is required. Let me know if Eric or Austin cannot access it.

[tmalove]

This PR is superseded by #72837. Refer to this PR for the Security porting project.

[tmalove]

@rhmdnd @BillDett @arendej @xingxingxia Use this latest PR for updates on the 'Security and compliance' porting.

[tmalove]

Refer to the latest PR to continue updates.

[xingxingxia]

@rhmdnd @BillDett @arendej @xingxingxia Use this latest #72837 for updates on the 'Security and compliance' porting.

@tmalove got it. For me, what I reviewed was for cert-manager as in my previous comment #62384 (comment) . In the new PR, seems cert-manager doc is totally removed. Anyway nvm, I'm transfering to @lunarwhite to continue review for cert-manager area in the new PR.