我的书签
添加书签
移除书签Retrieving Compliance Operator raw results
When proving compliance for your OKD cluster, you might need to provide the scan results for auditing purposes.
Obtaining Compliance Operator raw results from a persistent volume
Procedure
The Compliance Operator generates and stores the raw results in a persistent volume. These results are in Asset Reporting Format (ARF).
Explore the
ComplianceSuiteobject:$ oc get compliancesuites nist-moderate-modified -o json \| jq '.status.scanStatuses[].resultsStorage'{"name": "rhcos4-moderate-worker","namespace": "openshift-compliance"}{"name": "rhcos4-moderate-master","namespace": "openshift-compliance"}
This shows the persistent volume claims where the raw results are accessible.
Verify the raw data location by using the name and namespace of one of the results:
$ oc get pvc -n openshift-compliance rhcos4-moderate-worker
Example output
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGErhcos4-moderate-worker Bound pvc-548f6cfe-164b-42fe-ba13-a07cfbc77f3a 1Gi RWO gp2 92m
Fetch the raw results by spawning a pod that mounts the volume and copying the results:
Example pod
apiVersion: "v1"kind: Podmetadata:name: pv-extractspec:containers:- name: pv-extract-podimage: registry.access.redhat.com/ubi8/ubicommand: ["sleep", "3000"]volumeMounts:- mountPath: "/workers-scan-results"name: workers-scan-volvolumes:- name: workers-scan-volpersistentVolumeClaim:claimName: rhcos4-moderate-worker
After the pod is running, download the results:
$ oc cp pv-extract:/workers-scan-results .
Spawning a pod that mounts the persistent volume will keep the claim as
Bound. If the volume’s storage class in use has permissions set toReadWriteOnce, the volume is only mountable by one pod at a time. You must delete the pod upon completion, or it will be possible for the Operator to schedule a pod and continue storing results in this location.After the extraction is complete, the pod can be deleted:
$ oc delete pod pv-extract
