openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00
Code Issues Releases Activity
Files
649f9b9e12e35ce1a1e9679faa34e51367dd94de
openshift-docs/modules/compliance-objects.adoc
sheriff-rh 2b61d4e038 osdocs-1466 Compliance Operator docs 
typo1

typo2

syntax corrections

typo3

feedback1

morecorrections

correctionss

syntax fix

peer review feedback applied

further peer review feedback

final qe requested changes
2020-10-12 17:37:05 +00:00

41 lines
2.0 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * security/compliance_operator/compliance-operator-advanced.adoc
[id="compliance-objects_{context}"]
= Using the ComplianceSuite and ComplianceScan objects directly
While it is recommended that users take advantage of the ScanSetting and ScanSettingBinding objects to define the Suites and Scans, there are valid use cases to define the ComplianceSuites directly:
* Specifying only a single rule to scan. This can be useful for debugging together with the `debug: true` attribute which increases the OpenSCAP scanner verbosity, as the debug mode tends to get quite verbose otherwise. Limiting the test to one rule helps to lower the amount of debug information.
* Providing a custom nodeSelector. In order for a remediation to be applicable, the nodeSelector must match a pool.
* Pointing the Scan to a bespoke ConfigMap with a tailoring file.
* For testing or development when the overhead of parsing profiles from bundles is not required.
The following example shows a ComplianceSuite that scans the worker machines with only a single rule:
[source,yaml]
----
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
name: workers-compliancesuite
spec:
scans:
- name: workers-scan
profile: xccdf_org.ssgproject.content_profile_moderate
content: ssg-rhcos4-ds.xml
contentImage: quay.io/complianceascode/ocp4:latest
debug: true
rule: xccdf_org.ssgproject.content_rule_no_direct_root_logins
nodeSelector:
node-role.kubernetes.io/worker: ""
----
The ComplianceSuite object and the ComplianceScan objects referred to above specify several attributes in a format that OpenSCAP expects.
To find out the profile, content, or rule values, you can start by creating a similar Suite from ScanSetting and ScanSettingBinding or inspect the objects parsed from the ProfileBundles like Rules or Profiles. Those objects contain the `xccdf_org` identifiers you can use to refer to them from a ComplianceSuite.
View Git Blame Copy Permalink