The ScanSetting and ScanSettingBinding APIs are recommended to run compliance scans with the Compliance Operator. For more information on these API objects, run:

$ oc explain scansettings

or

$ oc explain scansettingbindings

Running compliance scans

You can run a scan using the Center for Internet Security (CIS) profiles. For convenience, the Compliance Operator creates a ScanSetting object with reasonable defaults on startup. This ScanSetting object is named default.

Procedure
  1. Inspect the ScanSetting object by running:

    $ oc describe scansettings default -n openshift-compliance
    Example output
    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    metadata:
      name: default
      namespace: openshift-compliance
    rawResultStorage:
      pvAccessModes:
      - ReadWriteOnce (1)
      rotation: 3 (2)
      size: 1Gi (3)
    roles:
    - worker (4)
    - master (4)
    scanTolerations: (5)
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
      operator: Exists
    schedule: 0 1 * * * (6)
    
    1 The Compliance Operator creates a persistent volume (PV) that contains the results of the scans. By default, the PV will use access mode ReadWriteOnce because the Compliance Operator cannot make any assumptions about the storage classes configured on the cluster. Additionally, ReadWriteOnce access mode is available on most clusters. If you need to fetch the scan results, you can do so by using a helper pod, which also binds the volume. Volumes that use the ReadWriteOnce access mode can be mounted by only one pod at time, so it is important to remember to delete the helper pods. Otherwise, the Compliance Operator will not be able to reuse the volume for subsequent scans.
    2 The Compliance Operator keeps results of three subsequent scans in the volume; older scans are rotated.
    3 The Compliance Operator will allocate one GB of storage for the scan results.
    4 If the scan setting uses any profiles that scan cluster nodes, scan these node roles.
    5 The default scan setting object also scans the master nodes.
    6 The default scan setting object runs scans at 01:00 each day.

    As an alternative to the default scan setting, you can use default-auto-apply, which has the following settings:

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    metadata:
      name: default-auto-apply
      namespace: openshift-compliance
    autoUpdateRemediations: true (1)
    autoApplyRemediations: true (1)
    rawResultStorage:
      pvAccessModes:
        - ReadWriteOnce
      rotation: 3
      size: 1Gi
    schedule: 0 1 * * *
    roles:
      - worker
      - master
    scanTolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
    1 Setting autoUpdateRemediations and autoApplyRemediations flags to true allows you to easily create ScanSetting objects that auto-remediate without extra steps.
  2. Create a ScanSettingBinding object that binds to the default ScanSetting object and scans the cluster using the cis and cis-node profiles. For example:

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSettingBinding
    metadata:
      name: cis-compliance
    profiles:
      - name: ocp4-cis-node
        kind: Profile
        apiGroup: compliance.openshift.io/v1alpha1
      - name: ocp4-cis
        kind: Profile
        apiGroup: compliance.openshift.io/v1alpha1
    settingsRef:
      name: default
      kind: ScanSetting
      apiGroup: compliance.openshift.io/v1alpha1
  3. Create the ScanSettingBinding object by running:

    $ oc create -f <file-name>.yaml -n openshift-compliance

    At this point in the process, the ScanSettingBinding object is reconciled and based on the Binding and the Bound settings. The Compliance Operator creates a ComplianceSuite object and the associated ComplianceScan objects.

  4. Follow the compliance scan progress by running:

    $ oc get compliancescan -w -n openshift-compliance

    The scans progress through the scanning phases and eventually reach the DONE phase when complete. In most cases, the result of the scan is NON-COMPLIANT. You can review the scan results and start applying remediations to make the cluster compliant. See Managing Compliance Operator remediation for more information.