Description
Write a tutorial for a security hardening guide for the ocm controllers.
Must-haves:
- Secure setup of RBAC (including KRO and Flux)
- Secure OCM Controller usage (for example, configure VerificationPolicy: Always and do not skip digest verification)
- Resource quotas for CPU and memory, and especially resource quotas for API object counts (in particular for Repository, Component, Resource and Deployer). The combination of those resource quotas should ensure proper functioning of our toolset with a rough upper bound on reconcile performance characteristics (for example, time to first reconcile after object creation <= 1min).
- Secure credential setup (for example, with ESO for providing secrets from a secure secret manager)
Nice-to-haves:
- Kyverno setup (for example, for ensuring hardened configuration of resources, such as VerificationPolicy: Always)
- Secure logging / audit logging setup, including a set of potential alerting recommendations
As this is supposed to be a tutorial, the purpose of each of those steps should be explained.
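As an added illustration of the resource-quota requirement above (this is not part of the issue text or of the OCM project's own manifests), the following ResourceQuota bounds CPU and memory and caps the number of OCM API objects in one namespace. It assumes the OCM CRDs are served under the API group delivery.ocm.software with plural names repositories, components, resources and deployers, that the OCM objects live in a namespace called ocm-system, and the numeric limits are constructed placeholders to be tuned against measured reconcile times.

```yaml
# Added example, not the project's own manifest. Assumed API group and
# namespace; all numbers are placeholders to be tuned per cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: ocm-hardening-quota
  namespace: ocm-system   # the namespace that holds the OCM objects
spec:
  hard:
    # Compute bounds for every pod in the namespace
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
    # Object-count quotas use the count/<plural>.<group> form; they work for
    # custom resources exactly as for built-in kinds. Keeping the number of
    # Repository/Component/Resource/Deployer objects small bounds the
    # reconcile backlog and therefore the time-to-first-reconcile.
    count/repositories.delivery.ocm.software: "20"
    count/components.delivery.ocm.software: "100"
    count/resources.delivery.ocm.software: "500"
    count/deployers.delivery.ocm.software: "200"
    # Also cap the secrets and configmaps the controllers read or create
    count/secrets: "100"
    count/configmaps: "100"
```

Check usage against the limits with `kubectl describe resourcequota ocm-hardening-quota -n ocm-system`; creations beyond a `hard` count are rejected by the API server with a quota error, which is a useful signal to alert on.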
Done Criteria