$ oc get compliancesuites nist-moderate-modified \
-o json -n openshift-compliance | jq '.status.scanStatuses[].resultsStorage'
When proving compliance for your OKD cluster, you might need to provide the scan results for auditing purposes.
The Compliance Operator generates and stores the raw results in a persistent volume. These results are in Asset Reporting Format (ARF).
Explore the ComplianceSuite
object:
$ oc get compliancesuites nist-moderate-modified \
-o json -n openshift-compliance | jq '.status.scanStatuses[].resultsStorage'
{
"name": "ocp4-moderate",
"namespace": "openshift-compliance"
}
{
"name": "nist-moderate-modified-master",
"namespace": "openshift-compliance"
}
{
"name": "nist-moderate-modified-worker",
"namespace": "openshift-compliance"
}
This shows the persistent volume claims where the raw results are accessible.
Verify the raw data location by using the name and namespace of one of the results:
$ oc get pvc -n openshift-compliance rhcos4-moderate-worker
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
rhcos4-moderate-worker Bound pvc-548f6cfe-164b-42fe-ba13-a07cfbc77f3a 1Gi RWO gp2 92m
Fetch the raw results by spawning a pod that mounts the volume and copying the results:
$ oc create -n openshift-compliance -f pod.yaml
apiVersion: "v1"
kind: Pod
metadata:
name: pv-extract
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: pv-extract-pod
image: registry.access.redhat.com/ubi9/ubi
command: ["sleep", "3000"]
volumeMounts:
- mountPath: "/workers-scan-results"
name: workers-scan-vol
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
volumes:
- name: workers-scan-vol
persistentVolumeClaim:
claimName: rhcos4-moderate-worker
After the pod is running, download the results:
$ oc cp pv-extract:/workers-scan-results -n openshift-compliance .
Spawning a pod that mounts the persistent volume will keep the claim as |
After the extraction is complete, the pod can be deleted:
$ oc delete pod pv-extract -n openshift-compliance