mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-06 06:46:26 +01:00
openshift-docs/modules/compliance-applying.adoc
sheriff-rh 2b61d4e038 osdocs-1466 Compliance Operator docs
typo1

typo2

syntax corrections

typo3

feedback1

morecorrections

correctionss

syntax fix

peer review feedback applied

further peer review feedback

final qe requested changes
2020-10-12 17:37:05 +00:00


// Module included in the following assemblies:
//
// * security/compliance_operator/compliance-operator-remediation.adoc
[id="compliance-applying_{context}"]
= Applying a remediation

The boolean attribute `spec.apply` controls whether the Compliance Operator applies the remediation. You can apply the remediation by setting the attribute to `true`:

[source,terminal]
----
$ oc patch complianceremediations/<scan_name>-sysctl-net-ipv4-conf-all-accept-redirects --patch '{"spec":{"apply":true}}' --type=merge
----
After the Compliance Operator processes the applied remediation, the `status.ApplicationState` attribute changes to *Applied*, or to *Error* if incorrect. When a MachineConfig remediation is applied, that remediation, along with all other applied remediations, is rendered into a MachineConfig object named `75-$scan-name-$suite-name`. That MachineConfig object is subsequently rendered by the MachineConfigOperator and finally applied to all the nodes in a MachineConfigPool by an instance of the MachineControlDaemon running on each node.

Note that when the MachineConfigOperator applies a new MachineConfig object to nodes in a pool, all the nodes belonging to the pool are rebooted. This might be inconvenient when applying multiple remediations, each of which re-renders the composite `75-$scan-name-$suite-name` MachineConfig object. To prevent the remediation from being applied immediately, you can pause the MachineConfigPool by setting its `.spec.paused` attribute to `true`.
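
The following script is an added example, not part of the OpenShift documentation. It batches several remediations behind a single pause of the pool, as described above, and leaves the pool paused if any patch fails. The function names, the `OC` override, and the pool and remediation names in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the OpenShift docs): apply several remediations
# while the MachineConfigPool is paused, so the nodes pick up one composite
# MachineConfig instead of one per remediation.
# Assumption: OC can be overridden, e.g. OC=echo prints the commands only.
OC="${OC:-oc}"

# set_pool_paused POOL true|false : toggle .spec.paused on a MachineConfigPool
set_pool_paused() {
  "$OC" patch "machineconfigpool/$1" --type=merge \
    --patch "{\"spec\":{\"paused\":$2}}"
}

# apply_remediation NAME : set spec.apply=true on one ComplianceRemediation
apply_remediation() {
  "$OC" patch "complianceremediations/$1" --type=merge \
    --patch '{"spec":{"apply":true}}'
}

# batch_apply POOL NAME... : pause, patch all, resume only if every patch worked
batch_apply() {
  if [ "$#" -lt 2 ]; then
    echo "usage: batch_apply POOL REMEDIATION..." >&2
    return 2
  fi
  pool="$1"; shift
  set_pool_paused "$pool" true || return 1
  failed=0
  for name in "$@"; do
    if ! apply_remediation "$name"; then
      echo "patch failed: $name" >&2
      failed=$((failed + 1))
    fi
  done
  if [ "$failed" -gt 0 ]; then
    # Keep the pool paused so a partial set is reviewed before any rollout.
    echo "$failed remediation(s) not applied; pool $pool left paused" >&2
    return 1
  fi
  set_pool_paused "$pool" false
}

# Usage (hypothetical pool and remediation names):
#   batch_apply worker <scan_name>-rule-a <scan_name>-rule-b
```

Unpausing the pool is the step that lets the queued MachineConfig change reach the nodes, so run the script when rebooting the nodes in that pool is acceptable.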

The Compliance Operator can also apply remediations automatically. To enable this, set `autoApplyRemediations: true` in the ScanSetting top-level object.

[WARNING]
====
Applying remediations automatically should only be done with careful consideration.
====