mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-06 06:46:26 +01:00
e247646f0d
engineering feedback applied peer review addressed Changed version number to 0.1.56 Updated to 0.1.57 QE feedback applied
95 lines
3.2 KiB
Plaintext
95 lines
3.2 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/compliance_operator/compliance-operator-remediation.adoc
|
|
|
|
:_content-type: PROCEDURE
|
|
[id="compliance-custom-node-pools_{context}"]
|
|
= Scanning custom node pools
|
|
|
|
The Compliance Operator does not maintain a copy of each node pool configuration. The Compliance Operator aggregates consistent configuration options for all nodes within a single node pool into one copy of the configuration file. The Compliance Operator then uses the configuration file for a particular node pool to evaluate rules against nodes within that pool.
|
|
|
|
If your cluster uses custom node pools outside the default `worker` and `master` node pools, you must supply additional variables to ensure the Compliance Operator aggregates a configuration file for that node pool.
|
|
|
|
.Procedure
|
|
|
|
. To check the configuration against all pools in an example cluster containing `master`, `worker`, and custom `example` node pools, set the value of the `ocp-var-role-master` and `opc-var-role-worker` fields to `example` in the `TailoredProfile` object:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: compliance.openshift.io/v1alpha1
|
|
kind: TailoredProfile
|
|
metadata:
|
|
name: cis-example-tp
|
|
spec:
|
|
extends: ocp4-cis
|
|
title: My modified NIST profile to scan example nodes
|
|
setValues:
|
|
- name: ocp4-var-role-master
|
|
value: example
|
|
rationale: test for example nodes
|
|
- name: ocp4-var-role-worker
|
|
value: example
|
|
rationale: test for example nodes
|
|
description: cis-example-scan
|
|
----
|
|
|
|
. Add the `example` role to the `ScanSetting` object that will be stored in the `ScanSettingBinding` CR:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: compliance.openshift.io/v1alpha1
|
|
kind: ScanSetting
|
|
metadata:
|
|
name: default
|
|
namespace: openshift-compliance
|
|
rawResultStorage:
|
|
rotation: 3
|
|
size: 1Gi
|
|
roles:
|
|
- worker
|
|
- master
|
|
- example
|
|
scanTolerations:
|
|
- effect: NoSchedule
|
|
key: node-role.kubernetes.io/master
|
|
operator: Exists
|
|
schedule: '0 1 * * *'
|
|
----
|
|
|
|
. Create a scan that uses the `ScanSettingBinding` CR:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: compliance.openshift.io/v1alpha1
|
|
kind: ScanSettingBinding
|
|
metadata:
|
|
name: cis
|
|
namespace: openshift-compliance
|
|
profiles:
|
|
- apiGroup: compliance.openshift.io/v1alpha1
|
|
kind: Profile
|
|
name: ocp4-cis
|
|
- apiGroup: compliance.openshift.io/v1alpha1
|
|
kind: Profile
|
|
name: ocp4-cis-node
|
|
- apiGroup: compliance.openshift.io/v1alpha1
|
|
kind: TailoredProfile
|
|
name: cis-example-tp
|
|
settingsRef:
|
|
apiGroup: compliance.openshift.io/v1alpha1
|
|
kind: ScanSetting
|
|
name: default
|
|
----
|
|
|
|
The Compliance Operator checks the runtime `KubeletConfig` through the `Node/Proxy` API object and then uses variables such as `ocp-var-role-master` and `ocp-var-role-worker` to determine the nodes it performs the check against. In the `ComplianceCheckResult`, the `KubeletConfig` rules are shown as `ocp4-cis-kubelet-*`. The scan passes only if all selected nodes pass this check.
|
|
|
|
.Verification
|
|
|
|
* The Platform KubeletConfig rules are checked through the `Node/Proxy` object. You can find those rules by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get rules -o json | jq '.items[] | select(.checkType == "Platform") | select(.metadata.name | contains("ocp4-kubelet-")) | .metadata.name'
|
|
----
|
|
|