Compliance Operator scans

The ScanSetting and ScanSettingBinding APIs are recommended to run compliance scans with the Compliance Operator. For more information on these API objects, run:

    $ oc explain scansettings

or

    $ oc explain scansettingbindings

Running compliance scans

You can run a scan using the Center for Internet Security (CIS) profiles. For convenience, the Compliance Operator creates a ScanSetting object with reasonable defaults on startup. This ScanSetting object is named default.

Procedure

  1. Inspect the ScanSetting object by running:

      $ oc describe scansettings default -n openshift-compliance

    Example output

      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSetting
      metadata:
        name: default
        namespace: openshift-compliance
      rawResultStorage:
        pvAccessModes:
        - ReadWriteOnce  # (1)
        rotation: 3  # (2)
        size: 1Gi  # (3)
      roles:
      - worker  # (4)
      - master  # (4)
      scanTolerations:  # (5)
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      schedule: 0 1 * * *  # (6)

    (1) The Compliance Operator creates a persistent volume (PV) that contains the results of the scans. By default, the PV uses the ReadWriteOnce access mode because the Compliance Operator cannot make any assumptions about the storage classes configured on the cluster. Additionally, the ReadWriteOnce access mode is available on most clusters. If you need to fetch the scan results, you can do so by using a helper pod, which also binds the volume. Volumes that use the ReadWriteOnce access mode can be mounted by only one pod at a time, so it is important to remember to delete the helper pods. Otherwise, the Compliance Operator will not be able to reuse the volume for subsequent scans.
    (2) The Compliance Operator keeps the results of three subsequent scans in the volume; older scans are rotated.
    (3) The Compliance Operator allocates one GB of storage for the scan results.
    (4) If the scan setting uses any profiles that scan cluster nodes, these node roles are scanned.
    (5) The default scan setting object also scans the control plane nodes (also known as the master nodes).
    (6) The default scan setting object runs scans at 01:00 each day.

    As an alternative to the default scan setting, you can use default-auto-apply, which has the following settings:

      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSetting
      metadata:
        name: default-auto-apply
        namespace: openshift-compliance
      autoUpdateRemediations: true  # (1)
      autoApplyRemediations: true  # (1)
      rawResultStorage:
        pvAccessModes:
        - ReadWriteOnce
        rotation: 3
        size: 1Gi
      schedule: 0 1 * * *
      roles:
      - worker
      - master
      scanTolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists

    (1) Setting the autoUpdateRemediations and autoApplyRemediations flags to true allows you to easily create ScanSetting objects that auto-remediate without extra steps.
  2. Create a ScanSettingBinding object that binds to the default ScanSetting object and scans the cluster using the cis and cis-node profiles. For example:

      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSettingBinding
      metadata:
        name: cis-compliance
      profiles:
      - name: ocp4-cis-node
        kind: Profile
        apiGroup: compliance.openshift.io/v1alpha1
      - name: ocp4-cis
        kind: Profile
        apiGroup: compliance.openshift.io/v1alpha1
      settingsRef:
        name: default
        kind: ScanSetting
        apiGroup: compliance.openshift.io/v1alpha1
  3. Create the ScanSettingBinding object by running:

      $ oc create -f <file-name>.yaml -n openshift-compliance

    At this point in the process, the ScanSettingBinding object is reconciled and, based on the Binding and the Bound settings, the Compliance Operator creates a ComplianceSuite object and the associated ComplianceScan objects.

  4. Follow the compliance scan progress by running:

      $ oc get compliancescan -w -n openshift-compliance

    The scans progress through the scanning phases and eventually reach the DONE phase when complete. In most cases, the result of the scan is NON-COMPLIANT. You can review the scan results and start applying remediations to make the cluster compliant. See Managing Compliance Operator remediation for more information.
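The following Python script is an added example, not part of this documentation or of the Compliance Operator itself. It covers steps 2 through 4 of the procedure above: it builds the ScanSettingBinding manifest programmatically (JSON is valid YAML, so the output can be passed to oc create -f), and it parses the JSON form of the oc get compliancescan listing to report which scans have reached the DONE phase and which finished NON-COMPLIANT. The status.phase and status.result field names, the PENDING default for a scan without a status, and the sample listing embedded in the script are assumptions and constructed data, not output taken from this page.

```python
import json

API_GROUP = "compliance.openshift.io/v1alpha1"
# The two ScanSetting objects named on this page. Custom ScanSettings also
# exist, so callers can widen this list; it only catches typos here.
KNOWN_SCAN_SETTINGS = ("default", "default-auto-apply")

# Constructed sample of what `oc get compliancescan -o json -n openshift-compliance`
# might return part-way through a run. Field names status.phase / status.result are
# assumed from the Compliance Operator API; they are not shown on this page.
SAMPLE_SCAN_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "ComplianceScan",
         "metadata": {"name": "ocp4-cis", "namespace": "openshift-compliance"},
         "status": {"phase": "DONE", "result": "NON-COMPLIANT"}},
        {"kind": "ComplianceScan",
         "metadata": {"name": "ocp4-cis-node-master", "namespace": "openshift-compliance"},
         "status": {"phase": "DONE", "result": "COMPLIANT"}},
        {"kind": "ComplianceScan",
         "metadata": {"name": "ocp4-cis-node-worker", "namespace": "openshift-compliance"},
         "status": {"phase": "RUNNING"}},
    ],
})


def make_binding(name, profiles, settings="default", namespace="openshift-compliance",
                 allowed_settings=KNOWN_SCAN_SETTINGS):
    """Build a ScanSettingBinding manifest as a dict, mirroring the YAML in step 2."""
    if not profiles:
        raise ValueError("a ScanSettingBinding needs at least one profile")
    if settings not in allowed_settings:
        raise ValueError(f"unknown ScanSetting {settings!r}; expected one of {allowed_settings}")
    return {
        "apiVersion": API_GROUP,
        "kind": "ScanSettingBinding",
        "metadata": {"name": name, "namespace": namespace},
        "profiles": [{"name": p, "kind": "Profile", "apiGroup": API_GROUP} for p in profiles],
        "settingsRef": {"name": settings, "kind": "ScanSetting", "apiGroup": API_GROUP},
    }


def summarize_scans(scan_list_json):
    """Parse an `oc get compliancescan -o json` listing and report progress.

    Assumes each ComplianceScan carries status.phase (DONE once the scan has
    completed) and status.result (for example COMPLIANT or NON-COMPLIANT)."""
    items = json.loads(scan_list_json).get("items", [])
    scans = []
    for item in items:
        status = item.get("status") or {}
        scans.append({
            "name": item["metadata"]["name"],
            # A scan with no status yet has not started; treated as PENDING (assumption).
            "phase": status.get("phase", "PENDING"),
            "result": status.get("result", ""),
        })
    return {
        "scans": scans,
        # An empty listing means nothing has been created yet, so it is not "done".
        "all_done": bool(scans) and all(s["phase"] == "DONE" for s in scans),
        "non_compliant": sorted(s["name"] for s in scans
                                if s["phase"] == "DONE" and s["result"] == "NON-COMPLIANT"),
    }


if __name__ == "__main__":
    # Step 2: emit the manifest (save it and run `oc create -f <file-name>.json`).
    print(json.dumps(make_binding("cis-compliance", ["ocp4-cis-node", "ocp4-cis"]), indent=2))
    # Step 4: summarize a listing; in practice feed in the real `oc get ... -o json` output.
    report = summarize_scans(SAMPLE_SCAN_LIST)
    for s in report["scans"]:
        print(f"{s['name']:<24} {s['phase']:<12} {s['result']}")
    print("all done:", report["all_done"], "| non-compliant:", report["non_compliant"])
```

Run it as is to see the manifest and the summary of the constructed sample; to use it against a cluster, pipe the output of oc get compliancescan -o json -n openshift-compliance into summarize_scans instead of SAMPLE_SCAN_LIST. Scans that finish NON-COMPLIANT are the ones to review under Managing Compliance Operator remediation.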