CONSOLE-4265: add Graduation Criteria

openshift · Nov 1, 2024 · bc1b1b8 · bc1b1b8
1 parent 6617490
commit bc1b1b8
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 0 deletions.
diff --git a/enhancements/.DS_Store b/enhancements/.DS_Store
diff --git a/enhancements/console/dynamic-plugins.md b/enhancements/console/dynamic-plugins.md
@@ -479,6 +479,8 @@ down. For more info check [BZ#2015654](https://bugzilla.redhat.com/show_bug.cgi?
 
 #### Content Security Policy (CSP) Overview
 CSP is a security feature that helps detect and mitigate attacks by specifying which sources are allowed for fetching content like scripts, styles, images, and fonts. For dynamic plugins that require loading resources from external sources, defining custom CSP rules ensures secure integration into the OpenShift console.
+For more information about the CSP directives, see:
+https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
 #### Key Features of `ConsolePluginCSP`
 
@@ -600,6 +602,55 @@ Both `v1` and `v1alpha1` version are supported. `v1alpha1` plugins will get
 converted by the conversion webhook server into `v1` representation.
 Conversion webhook server is part of the `console-operator` pod.
 
+#### Content Security Policy
+For Content Security Policy (CSP) feature to be considered stable, the following
+changes need to be made:
+
+##### 1. Documentation updates
+
+* Update the OpenShift official documentation to include detailed guidelines
+on configuring `ConsolePluginCSP` in the `ConsoleDynamicPlugin` CRD, along with
+recommendations.
+PR link: TBD
+
+##### 2. Release notes updates
+
+* Add CSP feature to release notes.
+  * Pull request link: TBD
+
+##### 3. Extending integration and unit test suite
+
+* Extend integration and unit test suite for console-operator repository:
+    * Standart use case, with a single plugin setting valid sources and
+    validating the final CSP result set in the `console-config.yaml` file.
+    * Edge use cases, such as many plugins defining CSPs with overlapping sources,
+    and validates the final merged CSP result, set in the `console-config.yaml` file.
+    * Pull request link: https://github.com/openshift/console-operator/pull/938
+
+##### 4. Updates to demo plugin
+
+* Update one console-demo-plugin to use the new `ConsolePluginCSP` field
+in order to demonstrate the usage.
+  * Pull request link: TBD
+
+##### 5. Integration tests updates
+
+* Extend integration test suite in console repository CI to check for CSP violations.
+* PR link: [TBD](https://issues.redhat.com/browse/CONSOLE-4279)
+
+##### 6. CI updates to all dynamic plugins
+
+* All the dynamic plugins which are enabled on the cluster by default will
+update their CI to check for CSP violations.
+* PR link: TBD
+
+Currently Console uses `Content-Security-Policy-Report-Only` instead of
+`Content-Security-Policy` header. Due to that the browser will only warn about
+Console CSP violations.
+
+Once all the above listed items are met, Console will switch will be switched
+to use `Content-Security-Policy` header and start enforcing the policies.
+
 #### Dev Preview -> Tech Preview
 
 None