Closed krumware closed 1 year ago
(I don't expect this to get merged as-is, hopefully it helps discussion!)
I suggested the version change to hopefully provide some guidance to folks viewing the accelerators as to which baseline version was used, as the guidance changes over time. It's likely not in the preferred format, if there is one.
Hi Colin, @krumware @abdullahgarcia
I like the idea of adding version to the template. I just wanted to confirm which SAA had more detailed information. Last year we moved from a detailed set of requirements to CIS and in doing so we simplified the template. This simplified template is used for OCP and EKS. The old template is still being used for AKS. Was your comment re templates having details on their own source guidelines? Thanks A
I couldn't tell if it was intended for the SAA to start from a CFI set of baselines, with further clarifications or baselines to be added, or if a standalone baseline was meant to be defined. I didn't mean to pick on one doc over the other.
It might be easier just to comment about the OCP doc since it's most up-to-date with the template. I was using that as a starting point, and I wasn't sure what baseline meant in that context or how to start with a new template. Things I couldn't tell when referencing the template: It appears to establish its own baseline (OCP CIS Benchmark) rather than add it to the template's table with the Kubernetes CIS or clarify in the Amendments section. Is it supposed to include both, or provide clarification via the Amendments? Is there a CFI-provided kubernetes baseline? Is it the Kubernetes CIS in the template, how does this compare? It's also missing the security section, but probably just because it wasn't there when the template was first used.
"As a contributor" I want to create an accelerator by clarifying how to meet or exceed baseline CFI policy/guidance (how do I use the template)
"As an administrator" I want to understand how my policies compare to CFI policy/guidance, and audit my implementation
"As an adopter" I want to understand how to implement my kubernetes to meet or exceed CFI policy/guidance
Apologies if I'm barking up the wrong tree!
No apologies needed @krumware
My understanding, @eddie-knight and @abdullahgarcia comment please.
The CFI baseline is CIS Kubernetes, if a vendor has an implementation of the CIS Kubernetes benchmark then that can be used as the baseline (as per OCP). The amendments and extensions to the baseline were added to the document for future use when we had additional security / compliance policies that needed to be added.
Maybe we should have a quick call with @eddie-knight and @abdullahgarcia
-A-
I suspect @AdrianHammond is correct that this will be more clear once we have more robust accelerators. At present, the team is still building a strategy for compiling input to develop more robust policy recommendations for each service.
@abdullahgarcia, what do you think about creating a strike team that can work with @niamhoparker to focus on getting policy recommendations for a single commonly used service? We could use slack to recruit two or three people from the maintainers and community.
Will be addressed in the maintainer's meeting.
I found it difficult to understand where baselines were being communicated after getting stuck on the OCP accelerator: https://github.com/finos/compliant-financial-infrastructure/blob/dev/accelerators/kubernetes/ocp/ServiceApprovalAccelerator_OCP.md
That document does not appear to add to the CFI baseline, nor help me understand which version of a CFI baseline it uses. It just seems to override the baseline.
The other accelerators have more detailed information about their own source guidelines, but it still isn't clear if there are additional CFI guidance that need to be applied.
This PR proposes changes: