Compliance opt-in changes #1506
Conversation
✅ Deploy Preview for calico-docs-preview-next ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
✅ Deploy Preview succeeded!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
Change all references of compliance to a lower case c, for consistency.
There was a problem hiding this comment.
Change all references of compliance to a lower case c, for consistency.
| On the Manager UI, click **Compliance Reports**, **Configure Compliance Reports**. | ||
|
|
||
| :::note | ||
| Enabling packet capture might take a few seconds to create the compliance deployment, daemonset and other dependent resources. |
There was a problem hiding this comment.
Should it be Enabling compliance ?
| On the Manager UI, click **Compliance Reports**, **Configure Compliance Reports**. | ||
|
|
||
| :::note | ||
| Enabling packet capture might take a few seconds to create the compliance deployment, daemonset and other dependent resources. |
There was a problem hiding this comment.
Should it be Enabling compliance ?
There was a problem hiding this comment.
Are there any prerequisites of note we want to highlight?
There was a problem hiding this comment.
I don't thing there would be any prerequisites for enabling compliance.
However, there be prerequisites to enable compliance before other configuring compliance features hence made changes for those.
There was a problem hiding this comment.
Are there any prerequisites of note we want to highlight?
| ```bash | ||
| kubectl get compliance tigera-secure | ||
| ``` |
There was a problem hiding this comment.
this is the command to verify compliance is enabled in cluster
| description: Enable compliance to configure reports to assess compliance for all assets in a Kubernetes cluster. | ||
| --- | ||
|
|
||
| # Enable Compliance |
There was a problem hiding this comment.
This title doesn't sound quite right to me, but maybe I'm just not familiar with the jargon. "Compliance" sounds like a large, abstract concept. The function of this set of features is to enable reporting that lets you figure out whether your system complies with various standards, right?
If I'm not off here, we should go with a title along the lines of "Enable compliance reporting".
There was a problem hiding this comment.
We should change instances of 'compliance' to 'compliance reporting' throughout, where applicable.
There was a problem hiding this comment.
compliance include compliance reports, compliance snapshot and compliance benchmark. How able using "compliance features" instead @ctauchen
There was a problem hiding this comment.
I get that there's a specific component that deals with reports, while others do other things. But I still think the general idea here is all in service of the compliance reports, no?
And in any case, we should continue to match the UI, which is clearly about enabling compliance reports, not 'compliance' or 'compliance features'.
We can open the conversation wider if necessary, but I'm pretty confident we should just change these to 'compliance reports' throughout.
|
|
||
| The compliance system consists of several key components that work together to ensure comprehensive compliance monitoring and reporting: | ||
|
|
||
| - **compliance-snapshotter:** Lists required configurations and pushes snapshots to Elasticsearch, providing visibility into configuration changes. |
There was a problem hiding this comment.
These look like component names. Better to have these formatted in code font.
| :::note | ||
| Enabling compliance might take a few seconds to create the compliance deployment, daemonset and other dependent resources. | ||
| ::: |
There was a problem hiding this comment.
Unless this is a truly long time, remove this note. It's fair to expect users to understand it's not instant. And I would hope there's some kind of status indicator in the UI.
|
|
||
| ### Enable Compliance using kubectl | ||
|
|
||
| Create a compliance custom resource, named `tigera-secure`, in the cluster. |
There was a problem hiding this comment.
If a procedure has only one step, format as a bulleted list. So:
* Create a compliance ...
| ```bash | ||
| kubectl apply -f - <<EOF | ||
| apiVersion: operator.tigera.io/v1 | ||
| kind: Compliance | ||
| metadata: | ||
| name: tigera-secure | ||
| EOF | ||
| ``` |
There was a problem hiding this comment.
And don't forget to indent this block to match the instruction.
| EOF | ||
| ``` | ||
|
|
||
| ### Enable Compliance using Manager UI |
There was a problem hiding this comment.
| ### Enable Compliance using Manager UI | |
| ### Enable compliance (reporting?) using Manager UI |
|
|
||
| ## Big picture | ||
|
|
||
| Enabling compliance improves the cluster's compliance posture. It involves generating compliance reports for Kubernetes clusters based on archived flow and audit logs for Calico Enterprise and Kubernetes resources. The process includes components for snapshotting configurations, generating reports, managing jobs, providing APIs with RBAC, and benchmarking security. |
There was a problem hiding this comment.
I'm not sure that first statement is true. Doesn't this just enable reporting?
There was a problem hiding this comment.
compliance include compliance reports, compliance snapshot and compliance benchmark. How able using "compliance features" instead @ctauchen
| ```bash | ||
| kubectl get compliance tigera-secure | ||
| ``` |
There was a problem hiding this comment.
Remove. Users can visit the doc to figure out details about the requirement.
|
@ctauchen Addressed all the review comments |
vara2504
force-pushed
the
comp_optin
branch
3 times, most recently
from
0ee28d9
to
e9fb4cf
Compare
https://tigera.atlassian.net/browse/EV-4834
From 3.20, compliance components will not be deployed by default. User would be enabling compliance feature to get the resources deployed
Product Version(s):
Issue:
Link to docs preview:
SME review:
DOCS review:
Additional information:
Merge checklist: