mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 21:46:22 +01:00
2b61d4e038
typo1 typo2 syntax corrections typo3 feedback1 morecorrections correctionss syntax fix peer review feedback applied further peer review feedback final qe requested changes
85 lines
2.3 KiB
Plaintext
85 lines
2.3 KiB
Plaintext
// Module included in the following assemblies:
|
||
//
|
||
// * security/compliance_operator/compliance-operator-raw-results.adoc
|
||
|
||
[id="compliance-results_{context}"]
|
||
= Obtaining Compliance Operator raw results from a Persistent Volume
|
||
|
||
.Procedure
|
||
|
||
The Compliance Operator generates and stores the raw results in a Persistent Volume. These results are in Asset Reporting Format (ARF).
|
||
|
||
. Explore the ComplianceSuite object:
|
||
+
|
||
[source,terminal]
|
||
----
|
||
$ oc get compliancesuites nist-moderate -o json \
|
||
| jq '.status.scanStatuses[].resultsStorage'
|
||
{
|
||
"name": "rhcos4-moderate-worker",
|
||
"namespace": "openshift-compliance"
|
||
}
|
||
{
|
||
"name": "rhcos4-moderate-master",
|
||
"namespace": "openshift-compliance"
|
||
}
|
||
----
|
||
+
|
||
This shows the Persistent Volume Claims where the raw results are accessible.
|
||
|
||
. Verify the raw data location by using the name and namespace of one of the results:
|
||
+
|
||
[source,terminal]
|
||
----
|
||
$ oc get pvc -n openshift-compliance rhcos4-moderate-worker
|
||
----
|
||
+
|
||
.Example output
|
||
[source,terminal]
|
||
----
|
||
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
|
||
rhcos4-moderate-worker Bound pvc-548f6cfe-164b-42fe-ba13-a07cfbc77f3a 1Gi RWO gp2 92m
|
||
----
|
||
|
||
. Fetch the raw results by spawning a pod that mounts the volume and copying the results:
|
||
+
|
||
.Example pod
|
||
[source,yaml]
|
||
----
|
||
apiVersion: "v1"
|
||
kind: Pod
|
||
metadata:
|
||
name: pv-extract
|
||
spec:
|
||
containers:
|
||
- name: pv-extract-pod
|
||
image: registry.access redhat.com/ubi8/ubi
|
||
command: ["sleep", "3000"]
|
||
volumeMounts:
|
||
- mountPath: "/workers-scan-results"
|
||
name: workers-scan-vol
|
||
volumes:
|
||
- name: workers-scan-vol
|
||
persistentVolumeClaim:
|
||
claimName: rhcos4-moderate-worker
|
||
----
|
||
|
||
. After the pod is running, download the results:
|
||
+
|
||
[source,terminal]
|
||
----
|
||
$ oc cp pv-extract:/workers-scan-results .
|
||
----
|
||
+
|
||
[IMPORTANT]
|
||
====
|
||
Spawning a pod that mounts the Persistent Volume will keep the claim as `Bound`. If the volume’s storage class in use has permissions set to `ReadWriteOnce`, the volume is only mountable by one pod at a time. You must delete the pod upon completion, or it will be possible for the Operator to schedule a pod and continue storing results in this location.
|
||
====
|
||
|
||
. After the extraction is complete, the pod can be deleted:
|
||
+
|
||
[source,terminal]
|
||
----
|
||
$ oc delete pod pv-extract
|
||
----
|