Compliance Operator scans

The ScanSetting and ScanSettingBinding APIs are recommended to run compliance scans with the Compliance Operator. For more information on these API objects, run:

  $ oc explain scansettings

or

  $ oc explain scansettingbindings

Running compliance scans

You can run a scan using the Center for Internet Security (CIS) profiles. For convenience, the Compliance Operator creates a ScanSetting object with reasonable defaults on startup. This ScanSetting object is named default.

Procedure

  1. Inspect the ScanSetting object by running:

    $ oc describe scansettings default -n openshift-compliance

    Example output

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    metadata:
      name: default
      namespace: openshift-compliance
    rawResultStorage:
      pvAccessModes:
      - ReadWriteOnce (1)
      rotation: 3 (2)
      size: 1Gi (3)
    roles:
    - worker (4)
    - master (4)
    scanTolerations: (5)
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
      operator: Exists
    schedule: 0 1 * * * (6)

    (1) The Compliance Operator creates a persistent volume (PV) that contains the results of the scans. By default, the PV uses the ReadWriteOnce access mode because the Compliance Operator cannot make any assumptions about the storage classes configured on the cluster, and ReadWriteOnce is available on most clusters. If you need to fetch the scan results, you can do so by using a helper pod, which also binds the volume. Volumes that use the ReadWriteOnce access mode can be mounted by only one pod at a time, so it is important to remember to delete the helper pods. Otherwise, the Compliance Operator will not be able to reuse the volume for subsequent scans.
    (2) The Compliance Operator keeps the results of three subsequent scans in the volume; older scans are rotated.
    (3) The Compliance Operator allocates one GB of storage for the scan results.
    (4) If the scan setting uses any profiles that scan cluster nodes, scan these node roles.
    (5) The default scan setting object also scans the control plane nodes.
    (6) The default scan setting object runs scans at 01:00 each day.

    As an alternative to the default scan setting, you can use default-auto-apply, which has the following settings:

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    metadata:
      name: default-auto-apply
      namespace: openshift-compliance
    autoUpdateRemediations: true (1)
    autoApplyRemediations: true (1)
    rawResultStorage:
      pvAccessModes:
      - ReadWriteOnce
      rotation: 3
      size: 1Gi
    schedule: 0 1 * * *
    roles:
    - worker
    - master
    scanTolerations:
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
      operator: Exists

    (1) Setting the autoUpdateRemediations and autoApplyRemediations flags to true allows you to easily create ScanSetting objects that auto-remediate without extra steps.
  2. Create a ScanSettingBinding object that binds to the default ScanSetting object and scans the cluster using the cis and cis-node profiles. For example:

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSettingBinding
    metadata:
      name: cis-compliance
    profiles:
    - name: ocp4-cis-node
      kind: Profile
      apiGroup: compliance.openshift.io/v1alpha1
    - name: ocp4-cis
      kind: Profile
      apiGroup: compliance.openshift.io/v1alpha1
    settingsRef:
      name: default
      kind: ScanSetting
      apiGroup: compliance.openshift.io/v1alpha1
  3. Create the ScanSettingBinding object by running:

    $ oc create -f <file-name>.yaml -n openshift-compliance

    At this point, the ScanSettingBinding object is reconciled: based on the binding and the bound settings, the Compliance Operator creates a ComplianceSuite object and the associated ComplianceScan objects.

  4. Follow the compliance scan progress by running:

    $ oc get compliancescan -w -n openshift-compliance

    The scans progress through the scanning phases and eventually reach the DONE phase when complete. In most cases, the result of the scan is NON-COMPLIANT. You can review the scan results and start applying remediations to make the cluster compliant. See Managing Compliance Operator remediation for more information.
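    As an added example that is not part of the OpenShift documentation or of the Compliance Operator, the following POSIX shell script summarises the table that oc get compliancescan prints and polls until every scan created by the binding reaches DONE, reporting which scans ended NON-COMPLIANT. The column order NAME PHASE RESULT, the polling interval and the sample rows are assumptions.

```shell
#!/bin/sh
# Added example; not part of the OpenShift documentation or the Compliance Operator.
# scan_status reads the table printed by
#   oc get compliancescan -n openshift-compliance
# on stdin and summarises it. Assumed column order: NAME PHASE RESULT.
# Exit status: 0 = every scan DONE and COMPLIANT, 1 = every scan DONE but at
# least one not COMPLIANT, 2 = at least one scan still in a scanning phase.
scan_status() {
    awk '
        NR == 1 || NF < 2 { next }               # skip header and blank lines
        $2 != "DONE"      { pending++; next }    # still progressing through phases
        $3 != "COMPLIANT" { failed++; list = list $1 ": " $3 "\n" }
        END {
            if (pending) { print "scans still running: " pending; exit 2 }
            printf "%s", list                    # names of non-compliant scans
            exit (failed ? 1 : 0)
        }'
}

# Poll the cluster until the scans created by a ScanSettingBinding finish.
# Needs a logged-in oc; the 30 s interval and the default timeout are assumptions.
wait_for_scans() {
    ns="${1:-openshift-compliance}"; timeout="${2:-3600}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        oc get compliancescan -n "$ns" | scan_status && return 0
        rc=$?
        [ "$rc" -ne 2 ] && return "$rc"          # finished, but not compliant
        sleep 30; waited=$((waited + 30))
    done
    echo "timed out after ${timeout}s waiting for scans in $ns" >&2
    return 3
}

# Constructed sample output (not captured from a real cluster) for an offline run:
SAMPLE='NAME                   PHASE     RESULT
ocp4-cis               DONE      NON-COMPLIANT
ocp4-cis-node-master   DONE      NON-COMPLIANT
ocp4-cis-node-worker   DONE      COMPLIANT'
printf '%s\n' "$SAMPLE" | scan_status || echo "scan_status exit code: $?"
```

    On a live cluster, run wait_for_scans after creating the binding; a non-zero exit code tells you to review the ComplianceCheckResult objects before applying remediations.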

Scheduling the result server pod on a worker node

The result server pod mounts the persistent volume (PV) that stores the raw Asset Reporting Format (ARF) scan results. The nodeSelector and tolerations attributes enable you to configure the location of the result server pod.

This is helpful for those environments where control plane nodes are not permitted to mount persistent volumes.

Procedure

  • Create a ScanSetting custom resource (CR) for the Compliance Operator:

    1. Define the ScanSetting CR, and save the YAML file, for example, rs-workers.yaml:

      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSetting
      metadata:
        name: rs-on-workers
        namespace: openshift-compliance
      rawResultStorage:
        nodeSelector:
          node-role.kubernetes.io/worker: "" (1)
        pvAccessModes:
        - ReadWriteOnce
        rotation: 3
        size: 1Gi
        tolerations:
        - operator: Exists (2)
      roles:
      - worker
      - master
      scanTolerations:
      - operator: Exists
      schedule: 0 1 * * *

      (1) The Compliance Operator uses this node to store scan results in ARF format.
      (2) The result server pod tolerates all taints.
    2. To create the ScanSetting CR, run the following command:

      $ oc create -f rs-workers.yaml

Verification

  • To verify that the ScanSetting object is created, run the following command:

    $ oc get scansettings rs-on-workers -n openshift-compliance -o yaml

    Example output

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    metadata:
      creationTimestamp: "2021-11-19T19:36:36Z"
      generation: 1
      name: rs-on-workers
      namespace: openshift-compliance
      resourceVersion: "48305"
      uid: 43fdfc5f-15a7-445a-8bbc-0e4a160cd46e
    rawResultStorage:
      nodeSelector:
        node-role.kubernetes.io/worker: ""
      pvAccessModes:
      - ReadWriteOnce
      rotation: 3
      size: 1Gi
      tolerations:
      - operator: Exists
    roles:
    - worker
    - master
    scanTolerations:
    - operator: Exists
    schedule: 0 1 * * *
    strictNodeScan: true