mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
74 lines
2.6 KiB
Plaintext
74 lines
2.6 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/compliance_operator/co-concepts/compliance-operator-crd.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="compliance-remediation-object_{context}"]
|
|
= ComplianceRemediation object
|
|
|
|
For a specific check you can have a datastream specified fix. However, if a Kubernetes fix is available, then the Compliance Operator creates a `ComplianceRemediation` object.
|
|
|
|
.Example `ComplianceRemediation` object
|
|
[source,yaml]
|
|
----
|
|
apiVersion: compliance.openshift.io/v1alpha1
|
|
kind: ComplianceRemediation
|
|
metadata:
|
|
labels:
|
|
compliance.openshift.io/suite: example-compliancesuite
|
|
compliance.openshift.io/scan-name: workers-scan
|
|
machineconfiguration.openshift.io/role: worker
|
|
name: workers-scan-disable-users-coredumps
|
|
namespace: openshift-compliance
|
|
ownerReferences:
|
|
- apiVersion: compliance.openshift.io/v1alpha1
|
|
blockOwnerDeletion: true
|
|
controller: true
|
|
kind: ComplianceCheckResult
|
|
name: workers-scan-disable-users-coredumps
|
|
uid: <UID>
|
|
spec:
|
|
apply: false <1>
|
|
object:
|
|
current: <2>
|
|
apiVersion: machineconfiguration.openshift.io/v1
|
|
kind: MachineConfig
|
|
spec:
|
|
config:
|
|
ignition:
|
|
version: 2.2.0
|
|
storage:
|
|
files:
|
|
- contents:
|
|
source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200
|
|
filesystem: root
|
|
mode: 420
|
|
path: /etc/security/limits.d/75-disable_users_coredumps.conf
|
|
outdated: {} <3>
|
|
----
|
|
|
|
<1> `true` indicates the remediation was applied. `false` indicates the remediation was not applied.
|
|
<2> Includes the definition of the remediation.
|
|
<3> Indicates remediation that was previously parsed from an earlier version of the content. The Compliance Operator still retains the outdated objects to give the administrator a chance to review the new remediations before applying them.
|
|
|
|
To get all the remediations from a suite, run the following command:
|
|
[source,terminal]
|
|
----
|
|
oc get complianceremediations \
|
|
-l compliance.openshift.io/suite=workers-compliancesuite
|
|
----
|
|
|
|
To list all failing checks that can be remediated automatically, run the following command:
|
|
[source,terminal]
|
|
----
|
|
oc get compliancecheckresults \
|
|
-l 'compliance.openshift.io/check-status in (FAIL),compliance.openshift.io/automated-remediation'
|
|
----
|
|
|
|
To list all failing checks that can be remediated manually, run the following command:
|
|
[source,terminal]
|
|
----
|
|
oc get compliancecheckresults \
|
|
-l 'compliance.openshift.io/check-status in (FAIL),!compliance.openshift.io/automated-remediation'
|
|
----
|