Make CQA changes

Author: aksjoshi89

modules/containers-signature-verify-application.adoc

@@ -6,6 +6,7 @@
 [id="containers-signature-verify-application_{context}"]
 = Verifying the signature verification configuration
 
+[role="_abstract"]
 After you apply the machine configs to the cluster, the Machine Config Controller detects the new `MachineConfig` object and generates a new `rendered-worker-<hash>` version.
 
 .Prerequisites
@@ -20,7 +21,7 @@ After you apply the machine configs to the cluster, the Machine Config Controlle
 $ oc describe machineconfigpool/worker
 ----
 +
-.Example output of initial worker monitoring
+**Example output of initial worker monitoring**
 +
 [source,terminal]
 ----
@@ -126,7 +127,7 @@ Events:                       <none>
 $ oc describe machineconfigpool/worker
 ----
 +
-.Example output after the worker is updated
+**Example output after the worker is updated**
 +
 [source,terminal]
 ----
@@ -183,7 +184,7 @@ The `Observed Generation` parameter shows an increased count based on the genera
 $ oc debug node/<node> -- chroot /host cat /etc/containers/policy.json
 ----
 +
-.Example output
+**Example output**
 +
 [source,terminal]
 ----
@@ -230,7 +231,7 @@ To use host binaries, run `chroot /host`
 $ oc debug node/<node> -- chroot /host cat /etc/containers/registries.d/registry.redhat.io.yaml
 ----
 +
-.Example output
+**Example output**
 +
 [source,terminal]
 ----
@@ -248,7 +249,7 @@ docker:
 $ oc debug node/<node> -- chroot /host cat /etc/containers/registries.d/registry.access.redhat.com.yaml
 ----
 +
-.Example output
+**Example output**
 +
 [source,terminal]
 ----

modules/containers-signature-verify-enable.adoc

@@ -6,16 +6,20 @@
 [id="containers-signature-verify-enable_{context}"]
 = Enabling signature verification for Red Hat Container Registries
 
+[role="_abstract"]
 Enabling container signature validation for Red Hat Container Registries requires writing a signature verification policy file specifying the keys to verify images from these registries. For RHEL8 nodes, the registries are already defined in `/etc/containers/registries.d` by default.
 
-.Procedure
-
-. Create a Butane config file, `51-worker-rh-registry-trust.bu`, containing the necessary configuration for the worker nodes.
+.Prerequisites
+* You have access to the cluster as a user with the `cluster-admin` role.
 +
 [NOTE]
 ====
 include::snippets/butane-version.adoc[]
 ====
+
+.Procedure
+
+. Create a Butane config file, `51-worker-rh-registry-trust.bu`, containing the necessary configuration for the worker nodes:
 +
 [source,yaml,subs="attributes+"]
 ----
@@ -89,7 +93,8 @@ $ oc apply -f 51-worker-rh-registry-trust.yaml
 $ oc get mc
 ----
 +
-.Sample output
+**Sample output**
++
 [source,terminal]
 ----
 NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
@@ -100,7 +105,7 @@ NAME                                               GENERATEDBYCONTROLLER
 01-worker-container-runtime                        a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.5.0             25m
 01-worker-kubelet                                  a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.5.0             25m
 51-master-rh-registry-trust                                                                   3.5.0             13s
-51-worker-rh-registry-trust                                                                   3.5.0             53s <1>
+51-worker-rh-registry-trust                                                                   3.5.0             53s
 99-master-generated-crio-seccomp-use-default                                                  3.5.0             25m
 99-master-generated-registries                     a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.5.0             25m
 99-master-ssh                                                                                 3.2.0             28m
@@ -110,10 +115,10 @@ NAME                                               GENERATEDBYCONTROLLER
 rendered-master-af1e7ff78da0a9c851bab4be2777773b   a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.5.0             8s
 rendered-master-cd51fd0c47e91812bfef2765c52ec7e6   a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.5.0             24m
 rendered-worker-2b52f75684fbc711bd1652dd86fd0b82   a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.5.0             24m
-rendered-worker-be3b3bce4f4aa52a62902304bac9da3c   a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.5.0             48s <2>
+rendered-worker-be3b3bce4f4aa52a62902304bac9da3c   a2178ad522c49ee330b0033bb5cb5ea132060b0a   3.5.0             48s
 ----
-<1> New machine config
-<2> New rendered machine config
++
+Review the output to confirm that the new `51-worker-rh-registry-trust` machine config is listed and a new `rendered-worker` machine config has been created.
 
 .. Check that the worker machine config pool is updating with the new machine config:
 +
@@ -127,9 +132,10 @@ $ oc get mcp
 ----
 NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
 master   rendered-master-af1e7ff78da0a9c851bab4be2777773b   True      False      False      3              3                   3                     0                      30m
-worker   rendered-worker-be3b3bce4f4aa52a62902304bac9da3c   False     True       False      3              0                   0                     0                      30m <1>
+worker   rendered-worker-be3b3bce4f4aa52a62902304bac9da3c   False     True       False      3              0                   0                     0                      30m
 ----
-<1> When the `UPDATING` field is `True`, the machine config pool is updating with the new machine config. When the field becomes `False`, the worker machine config pool has rolled out to the new machine config.
++
+When the `UPDATING` field is `True`, the machine config pool is updating with the new machine config. When the field becomes `False`, the worker machine config pool has rolled out to the new machine config.
 
 . If your cluster uses any RHEL7 worker nodes, when the worker machine config pool is updated, create YAML files on those nodes in the `/etc/containers/registries.d` directory, which specify the location of the detached signatures for a given registry server. The following example works only for images hosted in `registry.access.redhat.com` and `registry.redhat.io`.
 

modules/containers-signature-verify-skopeo.adoc

@@ -6,7 +6,8 @@
 [id="containers-signature-verify-skopeo_{context}"]
 = Using skopeo to verify signatures of Red Hat container images
 
-You can verify the signatures for container images included in an {product-title} release image by pulling those signatures from link:https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/[OCP release mirror site]. Because the signatures on the mirror site are not in a format readily understood by Podman or CRI-O, you can use the `skopeo standalone-verify` command to verify that the your release images are signed by Red Hat.
+[role="_abstract"]
+You can verify the signatures for container images included in an {product-title} release image by pulling those signatures from the OCP release mirror site. Because the signatures on the mirror site are not in a format readily understood by Podman or CRI-O, you can use the `skopeo standalone-verify` command to verify that your release images are signed by Red Hat.
 
 .Prerequisites
 
@@ -18,11 +19,12 @@ You can verify the signatures for container images included in an {product-title
 +
 [source,terminal]
 ----
-$ oc adm release info <release_version>  \ <1>
+$ oc adm release info <release_version>
 ----
-<1> Substitute <release_version> with your release number, for example, `4.14.3`.
 +
-.Example output snippet
+Substitute `<release_version>` with your release number, for example, `4.14.3`.
++
+**Example output snippet**
 +
 [source,terminal]
 ----
@@ -42,17 +44,19 @@ $ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt
 +
 [source,terminal]
 ----
-$ curl -o signature-1 https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/sha256=<sha_from_version>/signature-1 \ <1>
+$ curl -o signature-1 https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/sha256=<sha_from_version>/signature-1
 ----
-<1> Replace `<sha_from_version>` with SHA value from the full link to the mirror site that matches the SHA of your release. For example, the link to the signature for the 4.12.23 release is `https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/sha256=e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55/signature-1`, and the SHA value is `e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55`.
++
+Replace `<sha_from_version>` with the SHA value from the full link to the mirror site that matches the SHA of your release. For example, the link to the signature for the 4.12.23 release is `https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/sha256=e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55/signature-1`, and the SHA value is `e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55`.
 
 . Get the manifest for the release image by running the following command:
 +
 [source,terminal]
 ----
-$ skopeo inspect --raw docker://<quay_link_to_release> > manifest.json \ <1>
+$ skopeo inspect --raw docker://<quay_link_to_release> > manifest.json
 ----
-<1> Replace `<quay_link_to_release>` with the output of the `oc adm release info` command. For example, `quay.io/openshift-release-dev/ocp-release@sha256:e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55`.
++
+Replace `<quay_link_to_release>` with the output of the `oc adm release info` command. For example, `quay.io/openshift-release-dev/ocp-release@sha256:e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55`.
 
 . Use skopeo to verify the signature:
 +
@@ -66,9 +70,9 @@ where:
 `<release_number>`:: Specifies the release number, for example `4.14.3`.
 `<arch>`:: Specifies the architecture, for example `x86_64`.
 +
-.Example output
+**Example output**
++
 [source,terminal]
 ----
 Signature verified using fingerprint 567E347AD0044ADE55BA8A5F199E2F91FD431D51, digest sha256:e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55
 ----
-

modules/containers-signature-verify-unsigned.adoc

@@ -6,19 +6,19 @@
 [id="containers-signature-verify-artifacts_{context}"]
 = Understanding the verification of container images lacking verifiable signatures
 
+[role="_abstract"]
 Each {product-title} release image is immutable and signed with a Red Hat production key. During an {product-title} update or installation, a release image might deploy container images that do not have verifiable signatures. Each signed release image digest is immutable. Each reference in the release image is to the immutable digest of another image, so the contents can be trusted transitively. In other words, the signature on the release image validates all release contents.
 
 For example, the image references lacking a verifiable signature are contained in the signed {product-title} release image:
 
 .Example release info output
 [source,terminal]
 ----
-$ oc adm release info quay.io/openshift-release-dev/ocp-release@sha256:2309578b68c5666dad62aed696f1f9d778ae1a089ee461060ba7b9514b7ca417 -o pullspec <1>
-quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9aafb914d5d7d0dec4edd800d02f811d7383a7d49e500af548eab5d00c1bffdb <2>
+$ oc adm release info quay.io/openshift-release-dev/ocp-release@sha256:2309578b68c5666dad62aed696f1f9d778ae1a089ee461060ba7b9514b7ca417 -o pullspec
+quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9aafb914d5d7d0dec4edd800d02f811d7383a7d49e500af548eab5d00c1bffdb
 ----
 
-<1> Signed release image SHA.
-<2> Container image lacking a verifiable signature included in the release.
+The first line displays the signed release image SHA. The subsequent lines display the container images lacking a verifiable signature that are securely included in the release.
 
 [id="containers-signature-verification-automatic_{context}"]
 == Automated verification during updates

modules/removing-cso-operator.adoc

@@ -6,6 +6,7 @@
 [id="uninstalling-container-security-operator_{context}"]
 = Uninstalling the {rhq-cso}
 
+[role="_abstract"]
 To uninstall the Container Security Operator, you must uninstall the Operator and delete the `imagemanifestvulns.secscan.quay.redhat.com` custom resource definition (CRD).
 
 .Procedure
@@ -27,7 +28,7 @@ To uninstall the Container Security Operator, you must uninstall the Operator an
 $ oc delete customresourcedefinition imagemanifestvulns.secscan.quay.redhat.com
 ----
 +
-.Example output
+**Example output**
 +
 [source,terminal]
 ----

modules/security-hardening-how.adoc

@@ -6,6 +6,7 @@
 [id="security-hardening-how_{context}"]
 = Choosing how to harden {op-system}
 
+[role="_abstract"]
 Direct modification of {op-system} systems in {product-title} is discouraged. Instead, you should think of modifying systems in pools of nodes, such as worker nodes and control plane nodes. When a new node is needed, in non-bare metal installs, you can request a new node of the type you want and it will be created from an {op-system} image plus the modifications you created earlier.
 
 There are opportunities for modifying {op-system} before installation, during installation, and after the cluster is up and running.
@@ -31,9 +32,13 @@ You can interrupt the {product-title} installation process and change Ignition c
 == Hardening after the cluster is running
 After the {product-title} cluster is up and running, there are several ways to apply hardening features to {op-system}:
 
-* Daemon set: If you need a service to run on every node, you can add
-that service with a link:https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[Kubernetes `DaemonSet` object].
+* Daemon set: If you need a service to run on every node, you can add that service with a Kubernetes `DaemonSet` object.
 
 * Machine config: `MachineConfig` objects contain a subset of Ignition configs in the same format. By applying machine configs to all worker or control plane nodes, you can ensure that the next node of the same type that is added to the cluster has the same changes applied.
 
 All of the features noted here are described in the {product-title} product documentation.
+
+[id="additional-resources_security-hardening-how"]
+[role="_additional-resources"]
+== Additional resources
+* link:https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[Kubernetes DaemonSet object documentation]

modules/security-hardening-what.adoc

@@ -6,16 +6,27 @@
 [id="security-hardening-what_{context}"]
 = Choosing what to harden in {op-system}
 
+[role="_abstract"]
+With the knowledge of what operating system features you want to harden, you can decide how to best configure and enforce security profiles in {op-system}.
+
 ifdef::openshift-origin[]
-For information on how to approach security for any {op-system-base} system, see the link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9#Security[Security] category in the Red{nbsp}Hat Enterprise Linux 9 documentation.
+For information on how to approach security for any {op-system-base} system, see the Security category in the Red{nbsp}Hat Enterprise Linux 9 documentation.
 
 Use these documents to learn about managing security updates, security hardening, securing networks, and other security measures.  
 endif::[]
 ifdef::openshift-enterprise,openshift-webscale,openshift-aro[]
-For information on how to approach security for any {op-system-base} system, see the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index#scanning-container-and-container-images-for-vulnerabilities_scanning-the-system-for-security-compliance-and-vulnerabilities[{op-system-base} 9 Security Hardening] guide.
+For information on how to approach security for any {op-system-base} system, see the {op-system-base} 9 Security Hardening guide.
 
 Use this guide to learn how to approach cryptography, evaluate vulnerabilities, and assess threats to various services.
 Likewise, you can learn how to scan for compliance standards, check file integrity, perform auditing, and encrypt storage devices.
 endif::[]
 
-With the knowledge of what features you want to harden, you can then decide how to harden them in {op-system}.
+[id="additional-resources_security-hardening-what"]
+[role="_additional-resources"]
+== Additional resources
+ifdef::openshift-origin[]
+* link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9#Security[Red Hat Enterprise Linux 9 Security Product Documentation]
+endif::[]
+ifdef::openshift-enterprise,openshift-webscale,openshift-aro[]
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index#scanning-container-and-container-images-for-vulnerabilities_scanning-the-system-for-security-compliance-and-vulnerabilities[{op-system-base} 9 Security Hardening Guide]
+endif::[]

modules/security-pod-scan-cso-using.adoc

@@ -6,6 +6,7 @@
 [id="security-pod-scan-cso-using_{context}"]
 = Using the {rhq-cso}
 
+[role="_abstract"]
 The following procedure shows you how to use the {rhq-cso}.
 
 .Prerequisites

modules/security-pod-scan-cso.adoc

@@ -6,6 +6,7 @@
 [id="security-pod-scan-cso_{context}"]
 = Installing the {rhq-cso}
 
+[role="_abstract"]
 You can install the {rhq-cso} from the {product-title} web console Operator Hub, or by using the CLI.
 
 .Prerequisites
@@ -48,7 +49,7 @@ $ oc get packagemanifests container-security-operator \
   | head -1
 ----
 +
-.Example output
+**Example output**
 +
 [source,terminal]
 ----
@@ -65,15 +66,15 @@ metadata:
   name: container-security-operator
   namespace: openshift-operators
 spec:
-  channel: ${CHANNEL} <1>
+  channel: ${CHANNEL}
   installPlanApproval: Automatic
   name: container-security-operator
   source: redhat-operators
   sourceNamespace: openshift-marketplace
-  startingCSV: ${STARTING_CSV} <2>
+  startingCSV: ${STARTING_CSV}
 ----
-<1> Specify the value you obtained in the previous step for the `spec.channel` parameter.
-<2> Specify the value you obtained in the previous step for the `spec.startingCSV` parameter.
++
+For the `spec.channel` parameter, specify the value you obtained in the previous step (such as `stable-3.8`). For the `spec.startingCSV` parameter, specify the value you obtained in the previous step (such as `container-security-operator.v3.8.9`).
 
 .. Enter the following command to apply the configuration:
 +
@@ -82,7 +83,7 @@ spec:
 $ oc apply -f container-security-operator.yaml
 ----
 +
-.Example output
+**Example output**
 +
 [source,terminal]
 ----

modules/security-pod-scan-query-cli.adoc

@@ -6,6 +6,7 @@
 [id="security-pod-scan-query-cli_{context}"]
 = Querying image vulnerabilities from the CLI
 
+[role="_abstract"]
 Using the `oc` command, you can display information about vulnerabilities detected by the {rhq-cso}.
 
 .Prerequisites