mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/compliance-updating.adoc
2023-12-12 12:28:46 +00:00
// Module included in the following assemblies:
//
// * security/compliance_operator/co-scans/compliance-operator-remediation.adoc
:_mod-docs-content-type: PROCEDURE
[id="compliance-updating_{context}"]
= Updating remediations

When a new version of compliance content is used, it might deliver a new and different version of a remediation than the previous version. The Compliance Operator keeps the old version of the remediation applied. The {product-title} administrator is also notified of the new version to review and apply. A `ComplianceRemediation` object that was applied earlier but has since been updated changes its status to *Outdated*. The outdated objects are labeled so that they can be searched for easily.

The previously applied remediation contents are then stored in the `spec.outdated` attribute of the `ComplianceRemediation` object and the new updated contents are stored in the `spec.current` attribute. After updating the content to a newer version, the administrator needs to review the remediation. As long as the `spec.outdated` attribute exists, it is used to render the resulting `MachineConfig` object. After the `spec.outdated` attribute is removed, the Compliance Operator re-renders the resulting `MachineConfig` object, which causes the Operator to push the configuration to the nodes.

.Procedure
. Search for any outdated remediations:
+
[source,terminal]
----
$ oc -n openshift-compliance get complianceremediations \
-l complianceoperator.openshift.io/outdated-remediation=
----
+
.Example output
[source,terminal]
----
NAME                              STATE
workers-scan-no-empty-passwords   Outdated
----
+
The currently applied remediation is stored in the `spec.outdated` attribute and the new, unapplied remediation is stored in the `spec.current` attribute. If you are satisfied with the new version, remove the `spec.outdated` field. If you want to keep the updated content, remove the `spec.current` and `spec.outdated` attributes.
. Apply the newer version of the remediation:
+
[source,terminal]
----
$ oc -n openshift-compliance patch complianceremediations workers-scan-no-empty-passwords \
--type json -p '[{"op":"remove", "path":"/spec/outdated"}]'
----
. The remediation state will switch from `Outdated` to `Applied`:
+
[source,terminal]
----
$ oc get -n openshift-compliance complianceremediations workers-scan-no-empty-passwords
----
+
.Example output
[source,terminal]
----
NAME                              STATE
workers-scan-no-empty-passwords   Applied
----
. The nodes will apply the newer remediation version and reboot.

[IMPORTANT]
====
The Compliance Operator does not automatically resolve dependency issues that can occur between remediations. Users should perform a rescan after remediations are applied to ensure accurate results.
====
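The procedure above removes `spec.outdated` without showing what changed between the applied and the new remediation. The following script is an added example (not part of openshift-docs or the Compliance Operator project) that works offline on the JSON that `oc get complianceremediations -o json` prints: it selects the objects carrying the outdated label, prints a diff of `spec.outdated` against `spec.current`, builds the JSON Patch with correctly quoted `path`, and previews which payload the Operator will render before and after the patch. The `spec.outdated.object` / `spec.current.object` nesting and the `status.applicationState` field are assumptions about the CRD layout; the label name, the attribute names and the rendering rule come from the documentation. The sample objects and their `MachineConfig` contents are constructed.

```python
"""Review an Outdated ComplianceRemediation offline before removing spec.outdated.

Added example, not code from openshift-docs or the Compliance Operator.
Assumed from the CRD: spec.current.object / spec.outdated.object and
status.applicationState. Sample data below is constructed.
"""
import copy
import difflib
import json
import sys

OUTDATED_LABEL = "complianceoperator.openshift.io/outdated-remediation"


def machine_config(source: str) -> dict:
    """Minimal MachineConfig payload with one file (constructed sample)."""
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "spec": {"config": {"ignition": {"version": "3.1.0"}, "storage": {"files": [
            {"path": "/etc/pam.d/system-auth", "contents": {"source": source}}]}}},
    }


# Constructed stand-in for `oc -n openshift-compliance get complianceremediations -o json`
# after new compliance content shipped a revised version of one remediation.
SAMPLE_LIST = {"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "compliance.openshift.io/v1alpha1", "kind": "ComplianceRemediation",
     "metadata": {"name": "workers-scan-no-empty-passwords", "namespace": "openshift-compliance",
                  "labels": {OUTDATED_LABEL: ""}},
     "spec": {"apply": True,
              "outdated": {"object": machine_config("data:,auth%20required%20pam_deny.so")},
              "current": {"object": machine_config(
                  "data:,auth%20required%20pam_deny.so%0Aaccount%20required%20pam_deny.so")}},
     "status": {"applicationState": "Outdated"}},
    {"apiVersion": "compliance.openshift.io/v1alpha1", "kind": "ComplianceRemediation",
     "metadata": {"name": "workers-scan-audit-rules-login-events",
                  "namespace": "openshift-compliance", "labels": {}},
     "spec": {"apply": True, "current": {"object": machine_config("data:,-w%20/var/log/lastlog")}},
     "status": {"applicationState": "Applied"}},
]}


def find_outdated(rem_list: dict) -> list:
    """Names of remediations carrying the outdated label; same selection as
    `-l complianceoperator.openshift.io/outdated-remediation=` in step 1."""
    return [r["metadata"]["name"] for r in rem_list["items"]
            if OUTDATED_LABEL in r["metadata"].get("labels", {})]


def rendered_payload(rem: dict) -> dict:
    """Payload the Operator renders into the MachineConfig: spec.outdated while
    it exists, spec.current once it has been removed."""
    spec = rem["spec"]
    return spec["outdated"]["object"] if "outdated" in spec else spec["current"]["object"]


def review_diff(rem: dict) -> list:
    """Unified diff of the applied (outdated) payload against the new one, so the
    administrator sees exactly what the newer content changes before applying it."""
    old = json.dumps(rem["spec"]["outdated"]["object"], indent=2, sort_keys=True).splitlines()
    new = json.dumps(rem["spec"]["current"]["object"], indent=2, sort_keys=True).splitlines()
    return list(difflib.unified_diff(old, new, "spec.outdated", "spec.current", lineterm=""))


def remove_outdated_patch() -> str:
    """JSON Patch for `oc patch --type json -p`; json.dumps guarantees the path
    is a quoted string, which a hand-typed patch can easily get wrong."""
    return json.dumps([{"op": "remove", "path": "/spec/outdated"}])


def apply_json_patch(rem: dict, patch: str) -> dict:
    """Apply a remove-only JSON Patch to a copy, to preview the object the
    Operator will re-render from. The state change to Applied is the Operator's
    job and is not simulated here."""
    obj = copy.deepcopy(rem)
    for op in json.loads(patch):
        if op["op"] != "remove":
            raise ValueError("preview handles only 'remove' operations")
        parts = op["path"].strip("/").split("/")
        parent = obj
        for key in parts[:-1]:
            parent = parent[key]
        del parent[parts[-1]]
    return obj


if __name__ == "__main__":
    # Pass "-" to read real `oc get ... -o json` output from stdin; otherwise use the sample.
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_LIST
    by_name = {r["metadata"]["name"]: r for r in data["items"]}
    for name in find_outdated(data):
        rem = by_name[name]
        print(f"== {name} ({rem['status'].get('applicationState')})")
        print("\n".join(review_diff(rem)))
        patch = remove_outdated_patch()
        print(f"oc -n openshift-compliance patch complianceremediations {name} --type json -p '{patch}'")
        after = apply_json_patch(rem, patch)
        print("renders spec.current after patch:", rendered_payload(after) is not rendered_payload(rem))
```

Run it as `oc -n openshift-compliance get complianceremediations -o json | python3 review_outdated.py -` to review a live cluster's outdated remediations; without the `-` argument it runs against the constructed sample. After the real `oc patch`, re-run the `oc get` from the procedure to confirm the state moved to `Applied`, and rescan as the note above advises.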