Files
homelab/cluster-config/components/compliance-operator/overlays/cis-compliance/ocp-cis-tailored-profile.yaml

39 lines
1.5 KiB
YAML

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
name: ocp4-cis-lab
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: "1"
spec:
extends: ocp4-cis
description: Lab CIS profile
title: Lab CIS profile
disableRules:
- name: ocp4-api-server-encryption-provider-cipher
rationale: Using letsencrypt certificates, not applicable
- name: ocp4-audit-log-forwarding-enabled
rationale: Homelab so no log forwarding available
- name: ocp4-scc-limit-container-allowed-capabilities
rationale: Some containers require extra privileges
- name: ocp4-configure-network-policies-namespaces
rationale: Home lab supports ad-hoc demos
- name: ocp4-api-server-audit-log-maxsize
rationale: Home lab, no need for auditing
- name: ocp4-ocp-api-server-audit-log-maxsize
rationale: Home lab, no need for auditing
- name: ocp4-audit-profile-set
rationale: Home lab, default auditing is sufficient
- name: ocp4-ocp-allowed-registries
rationale: Home lab, open registries is fine
- name: ocp4-ocp-allowed-registries-for-import
rationale: Home lab, open registries is fine
- name: ocp4-api-server-api-priority-gate-enabled
rationale: Need to understand mis-behaving clients in Home lab
- name: ocp4-kubelet-configure-tls-cipher-suites-ingresscontroller
rationale: Home lab
- name: ocp4-api-server-tls-cipher-suites
rationale: Home lab
- name: ocp4-kubelet-configure-tls-cipher-suites
rationale: Home lab