openshift-docs/modules/compliance-inconsistent.adoc

// Module included in the following assemblies:
//
// * security/compliance_operator/compliance-operator-remediation.adoc

[id="compliance-inconsistent_{context}"]
= Inconsistent remediations
The ScanSetting lists the node roles that the ComplianceScans generated from the ScanSetting or ScanSettingBinding would scan. Each node role usually maps to a MachineConfigPool.

[IMPORTANT]
====
It is expected that all machines in a MachineConfigPool are identical and all scan results from the nodes in a Pool should be identical.
====

If some of the results are different from others, the Compliance Operator flags a ComplianceCheckResult object where some of the nodes will report as `INCONSISTENT`. All ComplianceCheckResult objects are also labelled with `compliance.openshift.io/inconsistent-check`.

Because the number of machines in a pool might be quite large, the Compliance Operator attempts to find the most common state and list the nodes that differ from the common state. The most common state is stored in the `compliance.openshift.io/most-common-status` annotation and the annotation `compliance.openshift.io/inconsistent-source` contains pairs of `hostname:status` of check statuses that differ from the most common status. If no common state can be found, all the `hostname:status` pairs are listed in the `compliance.openshift.io/inconsistent-source annotation`.

If possible, a remediation is still created so that the cluster can converge to a compliant status. However, this might not always be possible and correcting the difference between nodes must be done manually. The ComplianceScan must be re-run to get a consistent result by annotating the scan with the `compliance.openshift.io/rescan=` option:

[source,terminal]
----
$ oc annotate compliancescans/<scan_name> \
compliance.openshift.io/rescan=
----