// Module included in the following assemblies:
//
// * security/compliance_operator/co-management/compliance-operator-installation.adoc

:_mod-docs-content-type: PROCEDURE
[id="installing-compliance-operator-cli_{context}"]
= Installing the Compliance Operator using the CLI

.Prerequisites

* You must have `admin` privileges.
* You must have a `StorageClass` resource configured.

.Procedure

. Define a `Namespace` object:
+
.Example `namespace-object.yaml`
[source,yaml]
----
apiVersion: v1
kind: Namespace
metadata:
  labels:
    openshift.io/cluster-monitoring: "true"
    pod-security.kubernetes.io/enforce: privileged <1>
  name: openshift-compliance
----
<1> In {product-title} {product-version}, the pod security label must be set to `privileged` at the namespace level.

. Create the `Namespace` object:
+
[source,terminal]
----
$ oc create -f namespace-object.yaml
----

. Define an `OperatorGroup` object:
+
.Example `operator-group-object.yaml`
[source,yaml]
----
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: compliance-operator
  namespace: openshift-compliance
spec:
  targetNamespaces:
  - openshift-compliance
----

. Create the `OperatorGroup` object:
+
[source,terminal]
----
$ oc create -f operator-group-object.yaml
----

. Define a `Subscription` object:
+
.Example `subscription-object.yaml`
[source,yaml]
----
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: compliance-operator-sub
  namespace: openshift-compliance
spec:
  channel: "stable"
  installPlanApproval: Automatic
  name: compliance-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
----
. Create the `Subscription` object:
+
[source,terminal]
----
$ oc create -f subscription-object.yaml
----

[NOTE]
====
If you are setting the global scheduler feature and enable `defaultNodeSelector`, you must create the namespace manually and update the annotations of the `openshift-compliance` namespace, or the namespace where the Compliance Operator was installed, with `openshift.io/node-selector: “”`. This removes the default node selector and prevents deployment failures.
====

.Verification

. Verify the installation succeeded by inspecting the CSV file:
+
[source,terminal]
----
$ oc get csv -n openshift-compliance
----

. Verify that the Compliance Operator is up and running:
+
[source,terminal]
----
$ oc get deploy -n openshift-compliance
----