Installing the Compliance Operator

Before you can use the Compliance Operator, you must ensure it is deployed in the cluster.

The Compliance Operator might report incorrect results on managed platforms, such as OpenShift Dedicated, Red Hat OpenShift Service on AWS, and Microsoft Azure Red Hat OpenShift. For more information, see the Red Hat Knowledgebase Solution #6983418.

Installing the Compliance Operator through the web console

Prerequisites

  • You must have admin privileges.

Procedure

  1. In the OKD web console, navigate to OperatorsOperatorHub.

  2. Search for the Compliance Operator, then click Install.

  3. Keep the default selection of Installation mode and namespace to ensure that the Operator will be installed to the openshift-compliance namespace.

  4. Click Install.

Verification

To confirm that the installation is successful:

  1. Navigate to the OperatorsInstalled Operators page.

  2. Check that the Compliance Operator is installed in the openshift-compliance namespace and its status is Succeeded.

If the Operator is not installed successfully:

  1. Navigate to the OperatorsInstalled Operators page and inspect the Status column for any errors or failures.

  2. Navigate to the WorkloadsPods page and check the logs in any pods in the openshift-compliance project that are reporting issues.

If the restricted Security Context Constraints (SCC) have been modified to contain the system:authenticated group or has added requiredDropCapabilities, the Compliance Operator may not function properly due to permissions issues.

You can create a custom SCC for the Compliance Operator scanner pod service account. For more information, see Creating a custom SCC for the Compliance Operator.

Installing the Compliance Operator using the CLI

Prerequisites

  • You must have admin privileges.

Procedure

  1. Define a Namespace object:

    Example namespace-object.yaml

    1. apiVersion: v1
    2. kind: Namespace
    3. metadata:
    4. labels:
    5. openshift.io/cluster-monitoring: "true"
    6. pod-security.kubernetes.io/enforce: privileged (1)
    7. name: openshift-compliance
    1In OKD 4, the pod security label must be set to privileged at the namespace level.
  2. Create the Namespace object:

    1. $ oc create -f namespace-object.yaml
  3. Define an OperatorGroup object:

    Example operator-group-object.yaml

    1. apiVersion: operators.coreos.com/v1
    2. kind: OperatorGroup
    3. metadata:
    4. name: compliance-operator
    5. namespace: openshift-compliance
    6. spec:
    7. targetNamespaces:
    8. - openshift-compliance
  4. Create the OperatorGroup object:

    1. $ oc create -f operator-group-object.yaml
  5. Define a Subscription object:

    Example subscription-object.yaml

    1. apiVersion: operators.coreos.com/v1alpha1
    2. kind: Subscription
    3. metadata:
    4. name: compliance-operator-sub
    5. namespace: openshift-compliance
    6. spec:
    7. channel: "stable"
    8. installPlanApproval: Automatic
    9. name: compliance-operator
    10. source: redhat-operators
    11. sourceNamespace: openshift-marketplace
  6. Create the Subscription object:

    1. $ oc create -f subscription-object.yaml

If you are setting the global scheduler feature and enable defaultNodeSelector, you must create the namespace manually and update the annotations of the openshift-compliance namespace, or the namespace where the Compliance Operator was installed, with openshift.io/node-selector: “”. This removes the default node selector and prevents deployment failures.

Verification

  1. Verify the installation succeeded by inspecting the CSV file:

    1. $ oc get csv -n openshift-compliance
  2. Verify that the Compliance Operator is up and running:

    1. $ oc get deploy -n openshift-compliance

If the restricted Security Context Constraints (SCC) have been modified to contain the system:authenticated group or has added requiredDropCapabilities, the Compliance Operator may not function properly due to permissions issues.

You can create a custom SCC for the Compliance Operator scanner pod service account. For more information, see Creating a custom SCC for the Compliance Operator.

Installing the Compliance Operator on Hosted control planes

The Compliance Operator can be installed in Hosted control planes using the OperatorHub by creating a Subscription file.

Hosted control planes is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Prerequisites

  • You must have admin privileges.

Procedure

  1. Define a Namespace object similar to the following:

    Example namespace-object.yaml

    1. apiVersion: v1
    2. kind: Namespace
    3. metadata:
    4. labels:
    5. openshift.io/cluster-monitoring: "true"
    6. pod-security.kubernetes.io/enforce: privileged (1)
    7. name: openshift-compliance
    1In OKD 4, the pod security label must be set to privileged at the namespace level.
  2. Create the Namespace object by running the following command:

    1. $ oc create -f namespace-object.yaml
  3. Define an OperatorGroup object:

    Example operator-group-object.yaml

    1. apiVersion: operators.coreos.com/v1
    2. kind: OperatorGroup
    3. metadata:
    4. name: compliance-operator
    5. namespace: openshift-compliance
    6. spec:
    7. targetNamespaces:
    8. - openshift-compliance
  4. Create the OperatorGroup object by running the following command:

    1. $ oc create -f operator-group-object.yaml
  5. Define a Subscription object:

    Example subscription-object.yaml

    1. apiVersion: operators.coreos.com/v1alpha1
    2. kind: Subscription
    3. metadata:
    4. name: compliance-operator-sub
    5. namespace: openshift-compliance
    6. spec:
    7. channel: "stable"
    8. installPlanApproval: Automatic
    9. name: compliance-operator
    10. source: redhat-operators
    11. sourceNamespace: openshift-marketplace
    12. config:
    13. nodeSelector:
    14. node-role.kubernetes.io/worker: ""
    15. env:
    16. - name: PLATFORM
    17. value: "HyperShift"
  6. Create the Subscription object by running the following command:

    1. $ oc create -f subscription-object.yaml

Verification

  1. Verify the installation succeeded by inspecting the CSV file by running the following command:

    1. $ oc get csv -n openshift-compliance
  2. Verify that the Compliance Operator is up and running by running the following command:

    1. $ oc get deploy -n openshift-compliance

Additional resources

Additional resources