mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
61 lines
2.6 KiB
Plaintext
61 lines
2.6 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/compliance_operator/co-concepts/compliance-operator-crd.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="advance-compliance-scan-object_{context}"]
|
|
= Advanced ComplianceScan Object
|
|
|
|
The Compliance Operator includes options for advanced users for debugging or integrating with existing tooling. While it is recommended that you not create a `ComplianceScan` object directly, you can instead manage it using a `ComplianceSuite` object.
|
|
|
|
.Example Advanced `ComplianceScan` object
|
|
[source,yaml]
|
|
----
|
|
apiVersion: compliance.openshift.io/v1alpha1
|
|
kind: ComplianceScan
|
|
metadata:
|
|
name: <name_of_the_compliance_scan>
|
|
spec:
|
|
scanType: Node <1>
|
|
profile: xccdf_org.ssgproject.content_profile_moderate <2>
|
|
content: ssg-ocp4-ds.xml
|
|
contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45dc... <3>
|
|
rule: "xccdf_org.ssgproject.content_rule_no_netrc_files" <4>
|
|
nodeSelector: <5>
|
|
node-role.kubernetes.io/worker: ""
|
|
status:
|
|
phase: DONE <6>
|
|
result: NON-COMPLIANT <7>
|
|
----
|
|
|
|
<1> Specify either `Node` or `Platform`. Node profiles scan the cluster nodes and platform profiles scan the Kubernetes platform.
|
|
<2> Specify the XCCDF identifier of the profile that you want to run.
|
|
<3> Specify the container image that encapsulates the profile files.
|
|
<4> It is optional. Specify the scan to run a single rule. This rule has to be identified with the XCCDF ID, and has to belong to the specified profile.
|
|
+
|
|
[NOTE]
|
|
====
|
|
If you skip the `rule` parameter, then scan runs for all the available rules of the specified profile.
|
|
====
|
|
<5> If you are on the {product-title} and wants to generate a remediation, then nodeSelector label has to match the `MachineConfigPool` label.
|
|
+
|
|
[NOTE]
|
|
====
|
|
If you do not specify `nodeSelector` parameter or match the `MachineConfig` label, scan will still run, but it will not create remediation.
|
|
====
|
|
<6> Indicates the current phase of the scan.
|
|
<7> Indicates the verdict of the scan.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
If you delete a `ComplianceSuite` object, then all the associated scans get deleted.
|
|
====
|
|
|
|
When the scan is complete, it generates the result as Custom Resources of the `ComplianceCheckResult` object. However, the raw results are available in ARF format. These results are stored in a Persistent Volume (PV), which has a Persistent Volume Claim (PVC) associated with the name of the scan.
|
|
You can programmatically fetch the `ComplianceScans` events. To generate events for the suite, run the following command:
|
|
|
|
[source,terminal]
|
|
----
|
|
oc get events --field-selector involvedObject.kind=ComplianceScan,involvedObject.name=<name_of_the_compliance_scan>
|
|
----
|