Updating Compliance Operator docs #29673
Deploy preview for osdocs ready! Built with commit 344aa99
JAORMX left a comment:
nice!!
@pdhamdhe Please provide QE review. Thank you!
JAORMX left a comment:
Everything looks great! Just did a small comment and I think this is good to go.
for the subscription, there is an important field called "channel":
a. Run the following command to set the OpenShift Container Platform major and minor version as an environment variable, which is used as the channel value in the next step.
OC_VERSION=$(oc version -o yaml | grep openshiftVersion | grep -o '[0-9]*[.][0-9]*' | head -1)
b. Create the Subscription object YAML file by running:
----
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: compliance-operator-sub
  namespace: openshift-compliance
spec:
  channel: "${OC_VERSION}"
  installPlanApproval: Automatic
  name: compliance-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
----
It would be good if we mention channel while creating subscription but it is not mandatory. We can create subscription without mentioning channel and operator will get deployed using defaultChannel
$ oc get packagemanifest compliance-operator -oyaml |grep defaultChannel
defaultChannel: "4.6"
@pdhamdhe It works for 4.6. What if a 4.7 cluster? It will have 2 packagemanifests (one for 4.6 and the other one for 4.7). If so, for a fresh install, it is better to recommend that users use the OCP version instead.
@xiaojiey JFYI: by default there will be only one packagemanifest for each OCP version for the operator. So on a 4.7 cluster, the compliance operator packagemanifest will only have defaultChannel: "4.7". I was able to install the operator on both clusters, i.e. 4.6 & 4.7, using the subscription YAML file which is mentioned in the documentation. Though, I am fine with both methods.
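The channel derivation discussed in the comments above, as an added example that is not part of the review thread or the project's documentation: it takes the proposed `grep` pipeline, reads the `oc version -o yaml` output from stdin so it can run without a cluster, and renders the Subscription through a heredoc so that the channel value is actually substituted. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `oc version -o yaml` output (not captured from a cluster).
SAMPLE_OC_VERSION='clientVersion:
  gitVersion: 4.7.0
openshiftVersion: 4.7.2
serverVersion:
  gitVersion: v1.20.0
'

# Reads `oc version -o yaml` output on stdin and prints MAJOR.MINOR.
# Same pipeline as in the comment above, minus the `oc` call.
channel_from_version() {
  grep openshiftVersion | grep -o '[0-9]*[.][0-9]*' | head -1
}

# Prints a Subscription manifest with the channel filled in.
# The heredoc is what expands the variable; `oc create -f` on a static file
# would send the literal text ${OC_VERSION} as the channel name.
render_subscription() {
  channel="$1"
  # Reject an empty or malformed value, e.g. when the openshiftVersion line
  # was missing from the input and the pipeline printed nothing.
  printf '%s\n' "$channel" | grep -Eqx '[0-9]+[.][0-9]+' || {
    echo "refusing to render: bad channel '$channel'" >&2
    return 1
  }
  cat <<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: compliance-operator-sub
  namespace: openshift-compliance
spec:
  channel: "${channel}"
  installPlanApproval: Automatic
  name: compliance-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
EOF
}

# Stand-alone run against the constructed sample. On a cluster (assumed usage):
#   render_subscription "$(oc version -o yaml | channel_from_version)" | oc create -f -
render_subscription "$(printf '%s' "$SAMPLE_OC_VERSION" | channel_from_version)"
```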
‘ProfileBundle’ is much more reasonable, as it is a CR name.
No need to apply the file if we are creating namespace resource using $ oc create -f <file-name>.yaml and step 2 can be merged in step 1
This is a ScanSetting object. In points 5 & 6, scan setting binding is mentioned; please make the correction.
Also, ScanSetting runs scans at 01:00 every day, not periodically every hour.
It would be good if we add -n openshift-compliance in all commands mentioned in this section.
Correct command would be:
$ oc get compliancecheckresults -l 'compliance.openshift.io/check-status=FAIL,compliance.openshift.io/automated-remediation'
Also here, please update the selector to compliance.openshift.io/check-status=FAIL
This reworking of the Compliance Operator section looks great. I left feedback for general guidelines adherence and minimalism/simplification purposes.
It looks like there is a mix of command lead-in sentences (this inconsistency is present through the OCP docs), so I gave some varying feedback depending on the assembly. Examples:
To list all failing checks that can be remediated automatically, run:
Search for any outdated remediations:
Create a namespace object YAML file by running:
For the sake of minimalism, I think the second example above works best.
s/Compliance Operator Scans/Compliance Operator scans/
I think it would be helpful in this intro sentence to say "Compliance Operator."
s/Before you can use the Operator, you must ensure it is deployed in the cluster./Before you can use the Compliance Operator, you must ensure that it is deployed in the cluster./
In the "not installed successfully" section below, it says to "Navigate to the Operators -> Installed Operators page." Is it important in this first verification step to also include Operators in the navigation directions?
Might be good to specify the "Compliance Operator" here in case there are other Operators installed.
s/the Operator/the Compliance Operator/
s/namespace/Namespace/
Is this a Procedure module? If so, you can add .Procedure with a single bullet (or two bullets because this isn't necessarily a sequence).
Is this a Procedure or Concept module? If Procedure, you can add .Procedure and then have bullets for each potential check? If Concept, I think the rest of the module looks okay as is, but you could change the title to something like "Filters for failed compliance check results".
s/To list checks that belong to a specific suite, run:/List checks that belong to a specific suite:/
Similar rewording suggestion applies to the other commands in this module (for minimalism and consistency across the Compliance Operator book).
Might be a good candidate to split the command into two lines with \.
Might be a good candidate to split the command into two lines with \.
/cherrypick enterprise-4.6
/cherrypick enterprise-4.7
/cherrypick enterprise-4.8
@ahardin-rh: new pull request created: #31436
@ahardin-rh: new pull request created: #31437
@ahardin-rh: new pull request created: #31438
Preview Build: https://deploy-preview-29673--osdocs.netlify.app/openshift-enterprise/latest/security/compliance_operator/compliance-operator-installation.html
Addresses: