5.4. Compliance Operator 扫描

建议使用 ScanSetting 和 ScanSettingBinding API 来通过 Compliance Operator 运行合规性扫描。如需有关这些 API 对象的更多信息，请运行：

oc explain scansettings

$ oc explain scansettings

Copy to Clipboard

Toggle word wrap

或者

oc explain scansettingbindings

$ oc explain scansettingbindings

Copy to Clipboard

Toggle word wrap

5.4.1. 运行合规性扫描
复制链接

您可以使用互联网安全中心（CIS）配置集运行扫描。为方便起见，Compliance Operator 创建一个在启动时具有合理的默认值的 ScanSetting 对象。这个 ScanSetting 对象名为 default。

注意

对于 all-in-one control plane 和 worker 节点，合规性扫描在 worker 和 control plane 节点上运行两次。合规性扫描可能会导致扫描结果不一致。您可以通过在 ScanSetting 对象中只定义单个角色来避免结果不一致。

流程

运行以下命令检查 ScanSetting 对象：

oc describe scansettings default -n openshift-compliance

$ oc describe scansettings default -n openshift-compliance

Copy to Clipboard

Toggle word wrap

输出示例

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: default
  namespace: openshift-compliance
rawResultStorage:
  pvAccessModes:
  - ReadWriteOnce 
  rotation: 3 
  size: 1Gi 
roles:
- worker 
- master 
scanTolerations: 
  default:
  - operator: Exists
  schedule: 0 1 * * *

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: default
  namespace: openshift-compliance
rawResultStorage:
  pvAccessModes:
  - ReadWriteOnce


  rotation: 3


  size: 1Gi


roles:
- worker


- master


scanTolerations:


  default:
  - operator: Exists
  schedule: 0 1 * * *

Copy to Clipboard

Toggle word wrap

1: Compliance Operator 创建一个包含扫描结果的持久性卷（PV）。默认情况下，PV 将使用访问模式 ReadWriteOnce，因为 Compliance Operator 无法假定集群中配置的存储类。另外，多数集群中可以使用 ReadWriteOnce 访问模式。如果需要获取扫描结果，可以使用一个 helper pod 来完成此操作，该 pod 也绑定卷。使用 ReadWriteOnce 访问模式的卷只能由一个 pod 挂载，因此请记住删除帮助程序 pod。否则，Compliance Operator 将无法重复使用卷进行后续扫描。
2: Compliance Operator 在卷中保留三个后续扫描的结果，旧的扫描会被轮转。
3: Compliance Operator 将为扫描结果分配一个 GB 存储。
4 5: 如果扫描设置使用扫描集群节点的任何配置集，请扫描这些节点角色。
6: 默认扫描设置对象还会扫描所有节点。
7: 默认扫描设置对象每天 01:00 运行扫描。

作为默认扫描设置的替代，您可以使用 default-auto-apply，它有以下设置：

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: default-auto-apply
  namespace: openshift-compliance
autoUpdateRemediations: true 
autoApplyRemediations: true 
rawResultStorage:
  pvAccessModes:
    - ReadWriteOnce
  rotation: 3
  size: 1Gi
schedule: 0 1 * * *
roles:
  - worker
  - master
scanTolerations:
  default:
  - operator: Exists

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: default-auto-apply
  namespace: openshift-compliance
autoUpdateRemediations: true


autoApplyRemediations: true


rawResultStorage:
  pvAccessModes:
    - ReadWriteOnce
  rotation: 3
  size: 1Gi
schedule: 0 1 * * *
roles:
  - worker
  - master
scanTolerations:
  default:
  - operator: Exists

Copy to Clipboard

Toggle word wrap

1 2: 通过将 autoUpdateRemediations 和 autoApplyRemediations 标记设置为 true，您可以轻松地创建无需额外步骤自动修复的 ScanSetting 对象。

创建一个 ScanSettingBinding 对，,它绑定到默认的 ScanSetting 对象，并使用 cis 和 cis-node 配置集扫描集群。例如：

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1

Copy to Clipboard

Toggle word wrap

运行以下命令来创建 ScanSettingBinding 对象：
```
oc create -f <file-name>.yaml -n openshift-compliance
```
```
$ oc create -f <file-name>.yaml -n openshift-compliance
```
Copy to Clipboard Toggle word wrap
此时，ScanSettingBinding 对象已协调，并以 Binding 和 Bound 设置为基础。Compliance Operator 会创建一个 ComplianceSuite 对象和关联的 ComplianceScan 对象。
运行以下命令跟踪合规性扫描进度：
```
oc get compliancescan -w -n openshift-compliance
```
```
$ oc get compliancescan -w -n openshift-compliance
```
Copy to Clipboard Toggle word wrap
扫描过程通过扫描阶段进行，最终完成后到达 DONE 阶段。在大多数情况下，扫描的结果是 NON-COMPLIANT。您可以检查扫描结果，并开始应用补救使集群兼容。如需更多信息，请参阅管理 Compliance Operator 补救。

5.4.2. 将结果服务器 pod 调度到 worker 节点上
复制链接

结果服务器 pod 挂载存储原始资产报告格式(ARF)扫描结果的持久性卷(PV)。nodeSelector 和 tolerations 属性允许您配置结果服务器 pod 的位置。

这适用于那些不允许 control plane 节点挂载持久性卷的环境。

流程

为 Compliance Operator 创建 ScanSetting 自定义资源(CR)：

定义 ScanSetting CR，并保存 YAML 文件，如 rs-workers.yaml ：

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: rs-on-workers
  namespace: openshift-compliance
rawResultStorage:
  nodeSelector:
    node-role.kubernetes.io/worker: "" 
  pvAccessModes:
  - ReadWriteOnce
  rotation: 3
  size: 1Gi
  tolerations:
  - operator: Exists 
roles:
- worker
- master
scanTolerations:
  - operator: Exists
schedule: 0 1 * * *

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: rs-on-workers
  namespace: openshift-compliance
rawResultStorage:
  nodeSelector:
    node-role.kubernetes.io/worker: ""


  pvAccessModes:
  - ReadWriteOnce
  rotation: 3
  size: 1Gi
  tolerations:
  - operator: Exists


roles:
- worker
- master
scanTolerations:
  - operator: Exists
schedule: 0 1 * * *

Copy to Clipboard

Toggle word wrap

1: Compliance Operator 使用此节点以 ARF 格式存储扫描结果。
2: 结果服务器 pod 容限所有污点。

要创建 ScanSetting CR，请运行以下命令：
```
oc create -f rs-workers.yaml
```
```
$ oc create -f rs-workers.yaml
```
Copy to Clipboard Toggle word wrap

验证

要验证 ScanSetting 对象是否已创建，请运行以下命令：

oc get scansettings rs-on-workers -n openshift-compliance -o yaml

$ oc get scansettings rs-on-workers -n openshift-compliance -o yaml

Copy to Clipboard

Toggle word wrap

输出示例

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  creationTimestamp: "2021-11-19T19:36:36Z"
  generation: 1
  name: rs-on-workers
  namespace: openshift-compliance
  resourceVersion: "48305"
  uid: 43fdfc5f-15a7-445a-8bbc-0e4a160cd46e
rawResultStorage:
  nodeSelector:
    node-role.kubernetes.io/worker: ""
  pvAccessModes:
  - ReadWriteOnce
  rotation: 3
  size: 1Gi
  tolerations:
  - operator: Exists
roles:
- worker
- master
scanTolerations:
- operator: Exists
schedule: 0 1 * * *
strictNodeScan: true

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  creationTimestamp: "2021-11-19T19:36:36Z"
  generation: 1
  name: rs-on-workers
  namespace: openshift-compliance
  resourceVersion: "48305"
  uid: 43fdfc5f-15a7-445a-8bbc-0e4a160cd46e
rawResultStorage:
  nodeSelector:
    node-role.kubernetes.io/worker: ""
  pvAccessModes:
  - ReadWriteOnce
  rotation: 3
  size: 1Gi
  tolerations:
  - operator: Exists
roles:
- worker
- master
scanTolerations:
- operator: Exists
schedule: 0 1 * * *
strictNodeScan: true

Copy to Clipboard

Toggle word wrap

返回顶部

5.4. Compliance Operator 扫描

5.4.1. 运行合规性扫描
复制链接

5.4.2. 将结果服务器 pod 调度到 worker 节点上
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

5.4. Compliance Operator 扫描

5.4.1. 运行合规性扫描复制链接链接已复制到粘贴板!

5.4.2. 将结果服务器 pod 调度到 worker 节点上复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

5.4.1. 运行合规性扫描
复制链接

5.4.2. 将结果服务器 pod 调度到 worker 节点上
复制链接