Compliance opt-in changes #1506
Conversation
Change all references of compliance to a lower case c, for consistency.
On the Manager UI, click **Compliance Reports**, **Configure Compliance Reports**.

:::note
Enabling packet capture might take a few seconds to create the compliance deployment, daemonset and other dependent resources.
Should it be "Enabling compliance"?
Are there any prerequisites of note we want to highlight?
I don't think there would be any prerequisites for enabling compliance.
However, there may be prerequisites to enable compliance before configuring other compliance features, hence I made changes for those.
A few comments for you @vara2504. Thanks for this!
```bash
kubectl get compliance tigera-secure
```
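Review bot: `kubectl get compliance tigera-secure` is dropped into the page with no sentence saying what it is for or what output confirms success; introduce it as the verification step (the author's reply in this thread says it checks that compliance is enabled in the cluster), for example `Verify that the compliance resource was created:` before the fence, and state what a successful result looks like so the reader can tell a pending resource from a working one.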
What is this for?
This is the command to verify that compliance is enabled in the cluster.
description: Enable compliance to configure reports to assess compliance for all assets in a Kubernetes cluster.
---

# Enable Compliance
This title doesn't sound quite right to me, but maybe I'm just not familiar with the jargon. "Compliance" sounds like a large, abstract concept. The function of this set of features is to enable reporting that lets you figure out whether your system complies with various standards, right?
If I'm not off here, we should go with a title along the lines of "Enable compliance reporting".
We should change instances of 'compliance' to 'compliance reporting' throughout, where applicable.
Compliance includes compliance reports, compliance snapshots and compliance benchmarks. How about using "compliance features" instead, @ctauchen?
I get that there's a specific component that deals with reports, while others do other things. But I still think the general idea here is all in service of the compliance reports, no?
And in any case, we should continue to match the UI, which is clearly about enabling compliance reports, not 'compliance' or 'compliance features'.
We can open the conversation wider if necessary, but I'm pretty confident we should just change these to 'compliance reports' throughout.
FYI @vara2504
The compliance system consists of several key components that work together to ensure comprehensive compliance monitoring and reporting:

- **compliance-snapshotter:** Lists required configurations and pushes snapshots to Elasticsearch, providing visibility into configuration changes.
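Review bot: the lead-in sentence reads as marketing copy ("work together to ensure comprehensive compliance monitoring and reporting") rather than description; tighten it to something like `The compliance feature consists of the following components:`. In the `compliance-snapshotter` bullet, "Lists required configurations" does not tell the reader which resources are snapshotted; name the resource kinds, since that is what a user deciding whether to enable the feature needs to know.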
These look like component names. Better to have these formatted in code font.
:::note
Enabling compliance might take a few seconds to create the compliance deployment, daemonset and other dependent resources.
:::
Unless this is a truly long time, remove this note. It's fair to expect users to understand it's not instant. And I would hope there's some kind of status indicator in the UI.
### Enable Compliance using kubectl

Create a compliance custom resource, named `tigera-secure`, in the cluster.
If a procedure has only one step, format as a bulleted list. So:
* Create a compliance ...
```bash
kubectl apply -f - <<EOF
apiVersion: operator.tigera.io/v1
kind: Compliance
metadata:
  name: tigera-secure
EOF
```
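Review bot: the kubectl procedure ends at the apply with no way for the reader to confirm that the operator has acted on the Compliance resource; add a verification step after the manifest, and `kubectl get compliance tigera-secure`, which this PR already uses elsewhere for exactly that purpose, is the natural candidate. The manifest also has no `spec`, so one sentence stating what is configured when none is given would save the reader a trip to the reference page.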
And don't forget to indent this block to match the instruction.
### Enable Compliance using Manager UI |
Suggested change: `### Enable Compliance using Manager UI` -> `### Enable compliance (reporting?) using Manager UI`
## Big picture

Enabling compliance improves the cluster's compliance posture. It involves generating compliance reports for Kubernetes clusters based on archived flow and audit logs for Calico Enterprise and Kubernetes resources. The process includes components for snapshotting configurations, generating reports, managing jobs, providing APIs with RBAC, and benchmarking security.
I'm not sure that first statement is true. Doesn't this just enable reporting?
Compliance includes compliance reports, compliance snapshots and compliance benchmarks. How about using "compliance features" instead, @ctauchen?
```bash
kubectl get compliance tigera-secure
```
Remove. Users can visit the doc to figure out details about the requirement.
@ctauchen Addressed all the review comments.
lgtm
https://tigera.atlassian.net/browse/EV-4834
From 3.20, compliance components will not be deployed by default. Users would enable the compliance feature to get the resources deployed.