Performing advanced Compliance Operator tasks

    While it is recommended that users take advantage of the ScanSetting and ScanSettingBinding objects to define the suites and scans, there are valid use cases for defining the ComplianceSuite objects directly:

    • Specifying only a single rule to scan. This is useful for debugging together with the debug: true attribute, which increases the OpenSCAP scanner verbosity; because the debug mode tends to get quite verbose, limiting the scan to one rule keeps the amount of debug output manageable.

    • Providing a custom nodeSelector. In order for a remediation to be applicable, the nodeSelector must match a pool.

    • Pointing the Scan to a bespoke config map with a tailoring file.

    • For testing or development when the overhead of parsing profiles from bundles is not required.

    The following example shows a ComplianceSuite that scans the worker machines with only a single rule:

    The ComplianceSuite object and the ComplianceScan objects referred to above specify several attributes in a format that OpenSCAP expects.

    To find out the profile, content, or rule values, you can start by creating a similar suite from ScanSetting and ScanSettingBinding, or inspect the objects parsed from the ProfileBundle objects, such as the Rule or Profile objects. Those objects contain the xccdf_org identifiers you can use to refer to them from a ComplianceSuite.

    Using raw tailored profiles

    The ComplianceSuite object contains an optional TailoringConfigMap attribute that you can point to a custom tailoring file. Its value is the name of a config map that must contain a key called tailoring.xml, whose value is the tailoring contents.

    Procedure

    1. Reference the tailoring file in a scan that belongs to a suite:
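    A ComplianceSuite that combines the options described above (single rule, debug mode, custom nodeSelector, tailoring config map and raw result storage), added here as an example rather than taken from the original page; the object names, the profile and rule identifiers and the content image pull spec are assumptions to adjust for your cluster:

```yaml
# Added example, not the page's own: a tailoring ConfigMap plus a ComplianceSuite
# that scans worker nodes for one rule with scanner debugging enabled.
# Object names, the profile/rule identifiers and the content image are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: worker-tailoring                 # assumed name
  namespace: openshift-compliance
data:
  # The key must be exactly tailoring.xml; its value is the XCCDF tailoring document.
  tailoring.xml: |
    <!-- placeholder: replace with your XCCDF 1.2 Tailoring document -->
---
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  name: workers-single-rule              # assumed name
  namespace: openshift-compliance
spec:
  # Leave remediations unapplied so the generated remediations can be reviewed first.
  autoApplyRemediations: false
  scans:
    - name: workers-scan                 # assumed name
      # Identifiers in the xccdf_org form the scanner expects; copy them from the
      # Profile and Rule objects parsed from your ProfileBundle.
      profile: xccdf_org.ssgproject.content_profile_moderate
      content: ssg-rhcos4-ds.xml
      contentImage: <content-image-pullspec>   # placeholder: image that carries the data stream
      # Limit the run to a single rule and raise OpenSCAP verbosity for debugging.
      rule: xccdf_org.ssgproject.content_rule_no_direct_root_logins
      debug: true
      # Must match a machine config pool, or the resulting remediation is not applicable.
      nodeSelector:
        node-role.kubernetes.io/worker: ""
      # Use the tailoring ConfigMap defined above.
      tailoringConfigMap:
        name: worker-tailoring
      # Raw ARF results go to a PV (defaults: 1GB, 3 retained scans);
      # 5 reports at roughly 100MB each fit comfortably in 2Gi.
      rawResultStorage:
        size: 2Gi
        rotation: 5
```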

    Typically you will want to re-run a scan on a defined schedule, like every Monday or daily. It can also be useful to re-run a scan once after fixing a problem on a node. To perform a single scan, annotate the scan with the compliance.openshift.io/rescan= option:

    1. $ oc annotate compliancescans/<scan_name> compliance.openshift.io/rescan=

    Setting custom storage size for results

    While the custom resources such as ComplianceCheckResult represent an aggregated result of one check across all scanned nodes, it can be useful to review the raw results as produced by the scanner. The raw results are produced in the ARF format and can be large (tens of megabytes per node), so it is impractical to store them in a Kubernetes resource backed by the etcd key-value store. Instead, every scan creates a persistent volume (PV), which defaults to 1GB in size. Depending on your environment, you may want to increase the PV size accordingly. This is done using the rawResultStorage.size attribute, which is exposed in both the ScanSetting and ComplianceScan resources.

    A related parameter is rawResultStorage.rotation, which controls how many scans are retained in the PV before the older scans are rotated. The default value is 3; setting the rotation policy to 0 disables the rotation. Given the default rotation policy and an estimate of 100MB per raw ARF scan report, you can calculate the right PV size for your environment.

    If your cluster does not specify a default storage class, the rawResultStorage.storageClassName attribute must be set.

    Configure the ScanSetting custom resource to use a standard storage class and create persistent volumes that are 10GB in size and keep the last 10 results:

    Example ScanSetting CR

    Although you can use the autoApplyRemediations boolean parameter in a ComplianceSuite object, you can alternatively annotate the object with compliance.openshift.io/apply-remediations. This causes the Operator to apply all of the created remediations.

    Procedure

    • Apply the compliance.openshift.io/apply-remediations annotation by running:
    1. $ oc annotate compliancesuites/<suite_name> compliance.openshift.io/apply-remediations=

    Automatically update remediations

    In some cases, a scan with newer content might mark remediations as OUTDATED. As an administrator, you can apply the compliance.openshift.io/remove-outdated annotation to apply new remediations and remove the outdated ones.

    Procedure

    Alternatively, set the autoUpdateRemediations flag in a ScanSetting or ComplianceSuite object to update the remediations automatically.