mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
73 lines
2.7 KiB
Plaintext
73 lines
2.7 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/compliance_operator/co-concepts/compliance-operator-crd.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="scan-setting-object_{context}"]
|
|
= ScanSetting object
|
|
|
|
Use the `ScanSetting` object to define and reuse the operational policies to run your scans.
|
|
By default, the Compliance Operator creates the following `ScanSetting` objects:
|
|
|
|
* *default* - it runs a scan every day at 1 AM on both master and worker nodes using a 1Gi Persistent Volume (PV) and keeps the last three results. Remediation is neither applied nor updated automatically.
|
|
* *default-auto-apply* - it runs a scan every day at 1AM on both control plane and worker nodes using a 1Gi Persistent Volume (PV) and keeps the last three results. Both `autoApplyRemediations` and `autoUpdateRemediations` are set to true.
|
|
|
|
.Example `ScanSetting` object
|
|
[source,yaml]
|
|
----
|
|
apiVersion: compliance.openshift.io/v1alpha1
|
|
autoApplyRemediations: true <1>
|
|
autoUpdateRemediations: true <2>
|
|
kind: ScanSetting
|
|
maxRetryOnTimeout: 3
|
|
metadata:
|
|
creationTimestamp: "2022-10-18T20:21:00Z"
|
|
generation: 1
|
|
name: default-auto-apply
|
|
namespace: openshift-compliance
|
|
resourceVersion: "38840"
|
|
uid: 8cb0967d-05e0-4d7a-ac1c-08a7f7e89e84
|
|
rawResultStorage:
|
|
nodeSelector:
|
|
node-role.kubernetes.io/master: ""
|
|
pvAccessModes:
|
|
- ReadWriteOnce
|
|
rotation: 3 <3>
|
|
size: 1Gi <4>
|
|
tolerations:
|
|
- effect: NoSchedule
|
|
key: node-role.kubernetes.io/master
|
|
operator: Exists
|
|
- effect: NoExecute
|
|
key: node.kubernetes.io/not-ready
|
|
operator: Exists
|
|
tolerationSeconds: 300
|
|
- effect: NoExecute
|
|
key: node.kubernetes.io/unreachable
|
|
operator: Exists
|
|
tolerationSeconds: 300
|
|
- effect: NoSchedule
|
|
key: node.kubernetes.io/memory-pressure
|
|
operator: Exists
|
|
roles: <6>
|
|
- master
|
|
- worker
|
|
scanTolerations:
|
|
- operator: Exists
|
|
schedule: 0 1 * * * <5>
|
|
showNotApplicable: false
|
|
strictNodeScan: true
|
|
timeout: 30m
|
|
----
|
|
<1> Set to `true` to enable auto remediations. Set to `false` to disable auto remediations.
|
|
<2> Set to `true` to enable auto remediations for content updates. Set to `false` to disable auto remediations for content updates.
|
|
<3> Specify the number of stored scans in the raw result format. The default value is `3`. As the older results get rotated, the administrator must store the results elsewhere before the rotation happens.
|
|
<4> Specify the storage size that should be created for the scan to store the raw results. The default value is `1Gi`
|
|
<5> Specify how often the scan should be run in cron format.
|
|
+
|
|
[NOTE]
|
|
====
|
|
To disable the rotation policy, set the value to `0`.
|
|
====
|
|
<6> Specify the `node-role.kubernetes.io` label value to schedule the scan for `Node` type. This value has to match the name of a `MachineConfigPool`.
|