Compliance Operator scans

The ScanSetting and ScanSettingBinding APIs are the recommended way to run compliance scans with the Compliance Operator. For more information on these API objects, run:

  $ oc explain scansettings

or

  $ oc explain scansettingbindings

Running compliance scans

You can run a scan using the Center for Internet Security (CIS) profiles. For convenience, the Compliance Operator creates a ScanSetting object with reasonable defaults on startup. This ScanSetting object is named default.

On all-in-one clusters, where the same nodes carry both the control plane and worker roles, the compliance scan runs twice on those nodes and might generate inconsistent scan results. You can avoid inconsistent results by defining only a single role in the ScanSetting object.

Procedure

  1. Inspect the ScanSetting object by running:

    $ oc describe scansettings default -n openshift-compliance

    Example output

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    metadata:
      name: default
      namespace: openshift-compliance
    rawResultStorage:
      pvAccessModes:
      - ReadWriteOnce (1)
      rotation: 3 (2)
      size: 1Gi (3)
    roles:
    - worker (4)
    - master (4)
    scanTolerations: (5)
    default:
    - operator: Exists
    schedule: 0 1 * * * (6)

    (1) The Compliance Operator creates a persistent volume (PV) that contains the results of the scans. By default, the PV uses the ReadWriteOnce access mode because the Compliance Operator cannot make any assumptions about the storage classes configured on the cluster; ReadWriteOnce is also available on most clusters. If you need to fetch the scan results, you can do so by using a helper pod, which also binds the volume. Volumes that use the ReadWriteOnce access mode can be mounted by only one pod at a time, so it is important to delete the helper pods afterwards. Otherwise, the Compliance Operator will not be able to reuse the volume for subsequent scans.
    (2) The Compliance Operator keeps the results of three subsequent scans in the volume; older scans are rotated out.
    (3) The Compliance Operator allocates one GB of storage for the scan results.
    (4) If the scan setting uses any profiles that scan cluster nodes, scan these node roles.
    (5) The default scan setting object scans all the nodes.
    (6) The default scan setting object runs scans at 01:00 each day.

    As an alternative to the default scan setting, you can use default-auto-apply, which has the following settings:

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    metadata:
      name: default-auto-apply
      namespace: openshift-compliance
    autoUpdateRemediations: true (1)
    autoApplyRemediations: true (1)
    rawResultStorage:
      pvAccessModes:
      - ReadWriteOnce
      rotation: 3
      size: 1Gi
    schedule: 0 1 * * *
    roles:
    - worker
    - master
    scanTolerations:
    default:
    - operator: Exists

    (1) Setting the autoUpdateRemediations and autoApplyRemediations flags to true lets you create ScanSetting objects that auto-remediate without extra steps.
  2. Create a ScanSettingBinding object that binds to the default ScanSetting object and scans the cluster using the cis and cis-node profiles. For example:

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSettingBinding
    metadata:
      name: cis-compliance
      namespace: openshift-compliance
    profiles:
    - name: ocp4-cis-node
      kind: Profile
      apiGroup: compliance.openshift.io/v1alpha1
    - name: ocp4-cis
      kind: Profile
      apiGroup: compliance.openshift.io/v1alpha1
    settingsRef:
      name: default
      kind: ScanSetting
      apiGroup: compliance.openshift.io/v1alpha1
  3. Create the ScanSettingBinding object by running:

    $ oc create -f <file-name>.yaml -n openshift-compliance

    At this point in the process, the ScanSettingBinding object is reconciled and, based on the binding and the bound settings, the Compliance Operator creates a ComplianceSuite object and the associated ComplianceScan objects.

  4. Follow the compliance scan progress by running:

    $ oc get compliancescan -w -n openshift-compliance

    The scans progress through the scanning phases and eventually reach the DONE phase when complete. In most cases, the result of the scan is NON-COMPLIANT. You can review the scan results and start applying remediations to make the cluster compliant. See Managing Compliance Operator remediation for more information.
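
The steps above are usually automated once the first scan has been run by hand. The following script is an added example and is not code from the OpenShift documentation or the Compliance Operator project: it renders the ScanSettingBinding manifest for a list of profiles, parses the table that `oc get compliancescan` prints (assumed here to have NAME, PHASE and RESULT columns, as on this page, with result values COMPLIANT, NON-COMPLIANT, INCONSISTENT, ERROR or NOT-APPLICABLE) and reduces the per-scan phases to one overall status. The sample tables are constructed; the scan names follow the cis-compliance binding, with the node profile split per role.

```python
"""Drive Compliance Operator scans from a script.

Added example; it is not code from the OpenShift documentation or the
Compliance Operator project. It assumes `oc get compliancescan` prints
NAME, PHASE and RESULT columns (as on this page) and that the result
values are COMPLIANT, NON-COMPLIANT, INCONSISTENT, ERROR or NOT-APPLICABLE.
"""
import subprocess
import time

PHASE_DONE = "DONE"
FAILING_RESULTS = {"NON-COMPLIANT", "INCONSISTENT"}


def render_binding(name, profiles, setting="default",
                   namespace="openshift-compliance"):
    """Build a ScanSettingBinding manifest as YAML text that binds the
    given Profile names to the named ScanSetting (same shape as the
    cis-compliance example above)."""
    lines = [
        "apiVersion: compliance.openshift.io/v1alpha1",
        "kind: ScanSettingBinding",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "profiles:",
    ]
    for profile in profiles:
        lines += [f"- name: {profile}",
                  "  kind: Profile",
                  "  apiGroup: compliance.openshift.io/v1alpha1"]
    lines += [
        "settingsRef:",
        f"  name: {setting}",
        "  kind: ScanSetting",
        "  apiGroup: compliance.openshift.io/v1alpha1",
    ]
    return "\n".join(lines) + "\n"


def parse_scan_table(text):
    """Parse `oc get compliancescan` output into {name: (phase, result)}.
    A scan that has not finished prints an empty RESULT column, so a row
    may have only two fields."""
    scans = {}
    for row in text.strip().splitlines()[1:]:   # skip the header row
        fields = row.split()
        if not fields:
            continue
        phase = fields[1] if len(fields) > 1 else ""
        result = fields[2] if len(fields) > 2 else ""
        scans[fields[0]] = (phase, result)
    return scans


def overall_status(scans):
    """Reduce per-scan (phase, result) pairs to one status: IN-PROGRESS
    until every scan is DONE, then ERROR, NON-COMPLIANT or COMPLIANT."""
    if any(phase != PHASE_DONE for phase, _ in scans.values()):
        return "IN-PROGRESS"
    results = {result for _, result in scans.values()}
    if "ERROR" in results:
        return "ERROR"
    if results & FAILING_RESULTS:
        return "NON-COMPLIANT"
    return "COMPLIANT"


def wait_for_scans(namespace="openshift-compliance", interval=30):
    """Poll `oc get compliancescan` (without -w, so each call returns)
    until every scan is DONE; returns the parsed table. Needs a cluster,
    so the sample run below does not call it."""
    while True:
        proc = subprocess.run(["oc", "get", "compliancescan", "-n", namespace],
                              capture_output=True, text=True, check=True)
        scans = parse_scan_table(proc.stdout)
        if scans and overall_status(scans) != "IN-PROGRESS":
            return scans
        time.sleep(interval)


# Constructed sample output, shaped like the table the page's command prints
# for the cis-compliance binding while the node scans are still running.
SAMPLE_IN_PROGRESS = """\
NAME                   PHASE     RESULT
ocp4-cis               DONE      NON-COMPLIANT
ocp4-cis-node-master   RUNNING
ocp4-cis-node-worker   RUNNING
"""

# Constructed sample once all three scans have finished.
SAMPLE_DONE = """\
NAME                   PHASE   RESULT
ocp4-cis               DONE    NON-COMPLIANT
ocp4-cis-node-master   DONE    NON-COMPLIANT
ocp4-cis-node-worker   DONE    NON-COMPLIANT
"""

if __name__ == "__main__":
    print(render_binding("cis-compliance", ["ocp4-cis-node", "ocp4-cis"]))
    for sample in (SAMPLE_IN_PROGRESS, SAMPLE_DONE):
        print(overall_status(parse_scan_table(sample)))
```

Pipe the rendered manifest into `oc create -f - -n openshift-compliance`, then call wait_for_scans() and branch on overall_status(): a NON-COMPLIANT result is the expected first outcome and the cue to review the remediations, while ERROR means a scan itself failed and should be investigated before any result is trusted.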

Scheduling the result server pod on a worker node

The result server pod mounts the persistent volume (PV) that stores the raw Asset Reporting Format (ARF) scan results. The rawResultStorage.nodeSelector and rawResultStorage.tolerations attributes enable you to configure the location of the result server pod.

This is helpful for those environments where control plane nodes are not permitted to mount persistent volumes.

Procedure

  • Create a ScanSetting custom resource (CR) for the Compliance Operator:

    1. Define the ScanSetting CR, and save the YAML file, for example, rs-workers.yaml:

      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSetting
      metadata:
        name: rs-on-workers
        namespace: openshift-compliance
      rawResultStorage:
        nodeSelector:
          node-role.kubernetes.io/worker: "" (1)
        pvAccessModes:
        - ReadWriteOnce
        rotation: 3
        size: 1Gi
        tolerations:
        - operator: Exists (2)
      roles:
      - worker
      - master
      scanTolerations:
      - operator: Exists
      schedule: 0 1 * * *

      (1) The Compliance Operator schedules the result server pod on a node that matches this selector and stores the scan results there in ARF format.
      (2) The result server pod tolerates all taints.
    2. To create the ScanSetting CR, run the following command:

      $ oc create -f rs-workers.yaml
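
Before creating a ScanSetting it is worth checking it against the constraints described on this page: the result server pod must be pinned with a nodeSelector where control plane nodes cannot mount PVs, it needs tolerations to land on tainted nodes, and an all-in-one cluster should list a single role. The linter below is an added example, not code from the OpenShift documentation or the Compliance Operator project. It takes the ScanSetting as a dict, for instance json.loads of `oc get scansettings <name> -n openshift-compliance -o json` (the -o json form of the -o yaml verification command below); the two keyword flags that describe the cluster are this example's own parameters, and the embedded objects are constructed from the rs-on-workers manifest above.

```python
"""Lint a ScanSetting before creating it.

Added example; it is not code from the OpenShift documentation or the
Compliance Operator project. The input is a ScanSetting as a dict, for
example json.loads of
`oc get scansettings <name> -n openshift-compliance -o json`.
The checks encode the guidance on this page; the two keyword flags
describe your cluster and are this example's own parameters.
"""
import json
import subprocess

WORKER_LABEL = "node-role.kubernetes.io/worker"


def lint_scansetting(obj, control_plane_mounts_pvs=True, all_in_one=False):
    """Return a list of (severity, message) findings; empty means OK."""
    findings = []
    storage = obj.get("rawResultStorage") or {}
    selector = storage.get("nodeSelector") or {}

    # Result server pod placement (see "Scheduling the result server pod").
    if not control_plane_mounts_pvs and WORKER_LABEL not in selector:
        findings.append(("error",
            "rawResultStorage.nodeSelector does not pin the result server "
            "pod to worker nodes, but control plane nodes cannot mount PVs"))
    if selector and not storage.get("tolerations"):
        findings.append(("warn",
            "rawResultStorage.nodeSelector is set without tolerations; the "
            "result server pod cannot be scheduled onto tainted nodes"))

    # Raw result storage: ReadWriteOnce is the default precisely because
    # nothing else can be assumed about the cluster's storage classes.
    modes = storage.get("pvAccessModes") or []
    if modes and modes != ["ReadWriteOnce"]:
        findings.append(("info",
            f"pvAccessModes {modes} differs from the ReadWriteOnce default; "
            "confirm the storage class supports it"))

    # Roles: on an all-in-one cluster each node carries both roles, so
    # node scans run twice per node and may report inconsistent results.
    roles = obj.get("roles") or []
    if len(roles) != len(set(roles)):
        findings.append(("warn", f"duplicate entries in roles: {roles}"))
    if all_in_one and len(set(roles)) > 1:
        findings.append(("warn",
            f"roles {sorted(set(roles))} on an all-in-one cluster run node "
            "scans twice per node; define a single role instead"))

    if not obj.get("scanTolerations"):
        findings.append(("warn",
            "scanTolerations is empty; scan pods will not be scheduled onto "
            "tainted nodes (the default tolerates every taint)"))
    return findings


def load_scansetting(name, namespace="openshift-compliance"):
    """Fetch a ScanSetting from the cluster as a dict. Needs oc and a
    cluster, so the sample run below uses the embedded objects instead."""
    proc = subprocess.run(
        ["oc", "get", "scansettings", name, "-n", namespace, "-o", "json"],
        capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


# Constructed sample: the rs-on-workers object from this page as -o json
# would return it, with the server-populated metadata left out.
RS_ON_WORKERS = json.loads("""
{
  "apiVersion": "compliance.openshift.io/v1alpha1",
  "kind": "ScanSetting",
  "metadata": {"name": "rs-on-workers", "namespace": "openshift-compliance"},
  "rawResultStorage": {
    "nodeSelector": {"node-role.kubernetes.io/worker": ""},
    "pvAccessModes": ["ReadWriteOnce"],
    "rotation": 3,
    "size": "1Gi",
    "tolerations": [{"operator": "Exists"}]
  },
  "roles": ["worker", "master"],
  "scanTolerations": [{"operator": "Exists"}],
  "schedule": "0 1 * * *"
}
""")

# Constructed sample shaped like the default ScanSetting: no nodeSelector,
# so the result server pod may land on a control plane node.
DEFAULT_LIKE = json.loads(json.dumps(RS_ON_WORKERS))
DEFAULT_LIKE["metadata"]["name"] = "default"
del DEFAULT_LIKE["rawResultStorage"]["nodeSelector"]
del DEFAULT_LIKE["rawResultStorage"]["tolerations"]

if __name__ == "__main__":
    for obj in (RS_ON_WORKERS, DEFAULT_LIKE):
        print(obj["metadata"]["name"],
              lint_scansetting(obj, control_plane_mounts_pvs=False))
```

Run it with control_plane_mounts_pvs=False for clusters like the one this procedure targets: rs-on-workers passes cleanly, while a default-shaped ScanSetting is flagged because nothing keeps its result server pod off the control plane. Setting all_in_one=True on either object reports the double-scan problem from the roles list.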

Verification

  • To verify that the ScanSetting object is created, run the following command:

    $ oc get scansettings rs-on-workers -n openshift-compliance -o yaml

    Example output

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    metadata:
      creationTimestamp: "2021-11-19T19:36:36Z"
      generation: 1
      name: rs-on-workers
      namespace: openshift-compliance
      resourceVersion: "48305"
      uid: 43fdfc5f-15a7-445a-8bbc-0e4a160cd46e
    rawResultStorage:
      nodeSelector:
        node-role.kubernetes.io/worker: ""
      pvAccessModes:
      - ReadWriteOnce
      rotation: 3
      size: 1Gi
      tolerations:
      - operator: Exists
    roles:
    - worker
    - master
    scanTolerations:
    - operator: Exists
    schedule: 0 1 * * *
    strictNodeScan: true