$ oc get compliancecheckresults -l compliance.openshift.io/suite=example-compliancesuite- Documentation
- OpenShift Container Platform
- Security and compliance
- Compliance Operator
- Managing Compliance Operator remediation history bug_report picture_as_pdf
- About
- Release notes
- Architecture
-
Installing
- Mirroring images for a disconnected installation
-
Installing on AWS
- Configuring an AWS account
- Manually creating IAM
- Installing a cluster quickly on AWS
- Installing a cluster on AWS with customizations
- Installing a cluster on AWS with network customizations
- Installing a cluster on AWS in a restricted network
- Installing a cluster on AWS into an existing VPC
- Installing a private cluster on AWS
- Installing a cluster on AWS into a government region
- Installing a cluster on AWS using CloudFormation templates
- Installing a cluster on AWS in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on AWS
-
Installing on Azure
- Configuring an Azure account
- Manually creating IAM
- Installing a cluster quickly on Azure
- Installing a cluster on Azure with customizations
- Installing a cluster on Azure with network customizations
- Installing a cluster on Azure into an existing VNet
- Installing a private cluster on Azure
- Installing a cluster on Azure into a government region
- Installing a cluster on Azure using ARM templates
- Uninstalling a cluster on Azure
-
Installing on GCP
- Configuring a GCP project
- Manually creating IAM
- Installing a cluster quickly on GCP
- Installing a cluster on GCP with customizations
- Installing a cluster on GCP with network customizations
- Installing a cluster on GCP in a restricted network
- Installing a cluster on GCP into an existing VPC
- Installing a private cluster on GCP
- Installing a cluster on GCP using Deployment Manager templates
- Installing a cluster into a shared VPC on GCP using Deployment Manager templates
- Installing a cluster on GCP in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on GCP
- Installing on bare metal
- Deploying installer-provisioned clusters on bare metal
- Installing on IBM Z and LinuxONE
- Installing on IBM Power Systems
-
Installing on OpenStack
- Installing a cluster on OpenStack with customizations
- Installing a cluster on OpenStack with Kuryr
- Installing a cluster on OpenStack on your own infrastructure
- Installing a cluster on OpenStack with Kuryr on your own infrastructure
- Installing a cluster on OpenStack in a restricted network
- Uninstalling a cluster on OpenStack
- Uninstalling a cluster on OpenStack from your own infrastructure
- Installing on RHV
-
Installing on vSphere
- Installing a cluster on vSphere
- Installing a cluster on vSphere with customizations
- Installing a cluster on vSphere with network customizations
- Installing a cluster on vSphere with user-provisioned infrastructure
- Installing a cluster on vSphere with user-provisioned infrastructure and network customizations
- Installing a cluster on vSphere in a restricted network
- Installing a cluster on vSphere in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on vSphere that uses installer-provisioned infrastructure
-
Installing on VMC
- Installing a cluster on VMC
- Installing a cluster on VMC with customizations
- Installing a cluster on VMC with network customizations
- Installing a cluster on VMC in a restricted network
- Installing a cluster on VMC with user-provisioned infrastructure
- Installing a cluster on VMC with user-provisioned infrastructure and network customizations
- Installing a cluster on VMC in a restricted network with user-provisioned infrastructure
- Uninstalling a cluster on VMC
- Installing on any platform
- Installation configuration
- Validating an installation
- Troubleshooting installation issues
- Support for FIPS cryptography
-
Updating clusters
- Updating clusters overview
- Understanding the OpenShift Update Service
- Installing and configuring the OpenShift Update Service
- Understanding upgrade channels
- Updating a cluster using the web console
- Updating a cluster using the CLI
- Updating a cluster that includes RHEL compute machines
- Updating a restricted network cluster
- Post-installation configuration
-
Support
- Support overview
- Managing your cluster resources
- Getting support
- Remote health monitoring with connected clusters
- Gathering data about your cluster
- Summarizing cluster specifications
-
Troubleshooting
- Troubleshooting installations
- Verifying node health
- Troubleshooting CRI-O container runtime issues
- Troubleshooting network issues
- Troubleshooting Operator issues
- Investigating pod issues
- Troubleshooting the Source-to-Image process
- Troubleshooting storage issues
- Troubleshooting Windows container workload issues
- Investigating monitoring issues
- Diagnosing OpenShift CLI (oc) issues
- Web console
- CLI tools
-
Security and compliance
- Security and compliance overview
-
Container security
- Understanding container security
- Understanding host and VM security
- Hardening Red Hat Enterprise Linux CoreOS
- Container image signatures
- Understanding compliance
- Securing container content
- Using container registries securely
- Securing the build process
- Deploying containers
- Securing the container platform
- Securing networks
- Securing attached storage
- Monitoring cluster events and logs
- Configuring certificates
-
Certificate types and descriptions
- User-provided certificates for the API server
- Proxy certificates
- Service CA certificates
- Node certificates
- Bootstrap certificates
- etcd certificates
- OLM certificates
- User-provided certificates for default ingress
- Ingress certificates
- Monitoring and cluster logging Operator component certificates
- Control plane certificates
-
Compliance Operator
- Compliance Operator release notes
- Supported compliance profiles
- Installing the Compliance Operator
- Compliance Operator scans
- Understanding the Compliance Operator
- Managing the Compliance Operator
- Tailoring the Compliance Operator
- Retrieving Compliance Operator raw results
- Managing Compliance Operator remediation
- Performing advanced Compliance Operator tasks
- Troubleshooting the Compliance Operator
- Uninstalling the Compliance Operator
- Understanding the Custom Resource Definitions
- File Integrity Operator
- Viewing audit logs
- Configuring the audit log policy
- Configuring TLS security profiles
- Configuring seccomp profiles
- Allowing JavaScript-based access to the API server from additional hosts
- Encrypting etcd data
- Scanning pods for vulnerabilities
-
Authentication and authorization
- Authentication and authorization overview
- Understanding authentication
- Configuring the internal OAuth server
- Configuring OAuth clients
- Understanding identity provider configuration
-
Configuring identity providers
- Configuring an HTPasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Using bound service account tokens
- Managing security context constraints
- Impersonating the system:admin user
- Syncing LDAP groups
-
Networking
- Understanding networking
- Accessing hosts
- Networking Operators overview
- Understanding the Cluster Network Operator
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Configuring the node port service range
- Using SCTP
- Configuring PTP hardware
- Network policy
- Multiple networks
-
Hardware networks
- About Single Root I/O Virtualization (SR-IOV) hardware networks
- Installing the SR-IOV Operator
- Configuring the SR-IOV Operator
- Configuring an SR-IOV network device
- Configuring an SR-IOV Ethernet network attachment
- Configuring an SR-IOV InfiniBand network attachment
- Adding pod to an SR-IOV network
- Using high performance multicast
- Using DPDK and RDMA
- Uninstalling the SR-IOV Operator
-
OpenShift SDN default CNI network provider
- About the OpenShift SDN default CNI network provider
- Configuring egress IPs for a project
- Configuring an egress firewall for a project
- Viewing an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Considerations for the use of an egress router pod
- Deploying an egress router pod in redirect mode
- Deploying an egress router pod in HTTP proxy mode
- Deploying an egress router pod in DNS proxy mode
- Configuring an egress router pod destination list from a config map
- Enabling multicast for a project
- Disabling multicast for a project
- Configuring multitenant isolation
- Configuring kube-proxy
-
OVN-Kubernetes default CNI network provider
- About the OVN-Kubernetes network provider
- Migrating from the OpenShift SDN cluster network provider
- Rolling back to the OpenShift SDN cluster network provider
- Configuring an egress firewall for a project
- Viewing an egress firewall for a project
- Editing an egress firewall for a project
- Removing an egress firewall from a project
- Configuring an egress IP address
- Assigning an egress IP address
- Enabling multicast for a project
- Disabling multicast for a project
- Configuring hybrid networking
- Configuring Routes
-
Configuring ingress cluster traffic
- Overview
- Configuring ExternalIPs for services
- Configuring ingress cluster traffic using an Ingress Controller
- Configuring ingress cluster traffic using a load balancer
- Configuring ingress cluster traffic on AWS using a Network Load Balancer
- Configuring ingress cluster traffic using a service external IP
- Configuring ingress cluster traffic using a NodePort
- Configuring the cluster-wide proxy
- Configuring a custom PKI
- Load balancing on OpenStack
- Associating secondary interfaces metrics to network attachments
-
Storage
- Storage overview
- Understanding ephemeral storage
- Understanding persistent storage
-
Configuring persistent storage
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent storage using hostPath
- Persistent Storage using iSCSI
- Persistent storage using local volumes
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Container Storage
- Persistent storage using VMware vSphere
- Using Container Storage Interface (CSI)
- Expanding persistent volumes
- Dynamic provisioning
- Registry
-
Operators
- Operators overview
- Understanding Operators
- User tasks
- Administrator tasks
-
Developing Operators
- About the Operator SDK
- Installing the Operator SDK CLI
- Creating Go-based Operators
- Creating Ansible-based Operators
- Creating Helm-based Operators
- Generating a cluster service version (CSV)
- Working with bundle images
- Validating Operators using the scorecard
- Configuring built-in monitoring with Prometheus
- Configuring leader election
- Operator SDK CLI reference
- Appendices
- Red Hat Operators reference
-
Builds
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
- Pipelines
-
Images
- Overview of images
- Configuring the Cluster Samples Operator
- Using the Cluster Samples Operator with an alternate registry
- Creating images
- Managing images
- Managing image streams
- Using image streams with Kubernetes resources
- Triggering updates on image stream changes
- Image configuration resources
- Using templates
- Using Ruby on Rails
- Using images
-
Applications
- Applications overview
- Projects
- Application life cycle management
- Deployments
- Quotas
- Using config maps with applications
- Monitoring project and application metrics using the Developer perspective
- Monitoring application health
- Idling applications
- Pruning objects to reclaim resources
- Using the Red Hat Marketplace
-
Machine management
- Overview of machine management
- Creating machine sets
- Manually scaling a machine set
- Modifying a machine set
- Deleting a machine
- Applying autoscaling to a cluster
- Creating infrastructure machine sets
- Adding a RHEL compute machine
- Adding more RHEL compute machines
- User-provisioned infrastructure
- Deploying machine health checks
-
Nodes
- Overview of nodes
-
Working with pods
- About pods
- Viewing pods
- Configuring a cluster for pods
- Automatically scaling pods with the horizontal pod autoscaler
- Automatically adjust pod resource levels with the vertical pod autoscaler
- Providing sensitive data to pods
- Creating and using config maps
- Using Device Manager to make devices available to nodes
- Including pod priority in pod scheduling decisions
- Placing pods on specific nodes using node selectors
-
Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Configuring the default scheduler to control pod placement
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Controlling pod placement using pod topology spread constraints
- Running a custom scheduler
- Evicting pods using the descheduler
- Using Jobs and DaemonSets
-
Working with nodes
- Viewing and listing the nodes in your cluster
- Working with nodes
- Managing nodes
- Managing the maximum number of pods per node
- Using the Node Tuning Operator
- Understanding node rebooting
- Freeing node resources using garbage collection
- Allocating resources for nodes
- Allocating specific CPUs for nodes in a cluster
- Machine Config Daemon metrics
-
Working with containers
- Using containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
- Working with clusters
- Remote worker nodes on the network edge
-
Windows Container Support for OpenShift
- Red Hat OpenShift support for Windows Containers overview
- Red Hat OpenShift support for Windows Containers release notes
- Understanding Windows container workloads
- Enabling Windows container workloads
- Creating Windows MachineSet objects
- Scheduling Windows container workloads
- Windows node upgrades
- Removing Windows nodes
- Disabling Windows container workloads
-
Logging
- About cluster logging
- Installing cluster logging
-
Configuring your cluster logging deployment
- About the Cluster Logging custom resource
- Configuring the logging collector
- Configuring the log store
- Configuring the log visualizer
- Configuring cluster logging storage
- Configuring CPU and memory limits for cluster logging components
- Using tolerations to control cluster logging pod placement
- Moving the cluster logging resources with node selectors
- Configuring systemd-journald for cluster logging
- Configuring the log curator
- Maintenance and support
- Viewing logs for a specific resource
- Viewing cluster logs in Kibana
- Forwarding logs to third party systems
- Collecting and storing Kubernetes events
- Updating cluster logging
- Viewing cluster dashboards
- Troubleshooting cluster logging
- Uninstalling cluster logging
- Exported fields
- Monitoring
- Metering
-
Scalability and performance
- Recommended installation practices
- Recommended host practices
- Recommended cluster scaling practices
- Using the Node Tuning Operator
- Using Cluster Loader
- Using CPU Manager
- Using Topology Manager
- Scaling the Cluster Monitoring Operator
- Planning your environment according to object maximums
- Optimizing storage
- Optimizing routing
- Optimizing networking
- Managing bare metal hosts
- What huge pages do and how they are consumed by apps
- Performance Addon Operator for low latency nodes
- Optimizing data plane performance with Intel devices
- Backup and restore
-
Migrating from version 3 to 4
- Migrating from version 3 to 4 overview
- About migrating from OpenShift Container Platform 3 to 4
- Differences between OpenShift Container Platform 3 and 4
- Planning considerations
- About MTC
- Installing MTC
- Installing MTC in a restricted network environment
- Upgrading MTC
- Premigration checklists
- Migrating your applications
- Advanced migration options
- Troubleshooting
- Migration Toolkit for Containers
-
API reference
- Editing kubelet log level verbosity and gathering logs
- API list
- Common object reference
-
Authorization APIs
- About Authorization APIs
- LocalResourceAccessReview [authorization.openshift.io/v1]
- LocalSubjectAccessReview [authorization.openshift.io/v1]
- ResourceAccessReview [authorization.openshift.io/v1]
- SelfSubjectRulesReview [authorization.openshift.io/v1]
- SubjectAccessReview [authorization.openshift.io/v1]
- SubjectRulesReview [authorization.openshift.io/v1]
- TokenReview [authentication.k8s.io/v1]
- LocalSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectAccessReview [authorization.k8s.io/v1]
- SelfSubjectRulesReview [authorization.k8s.io/v1]
- SubjectAccessReview [authorization.k8s.io/v1]
- Autoscale APIs
-
Config APIs
- About Config APIs
- APIServer [config.openshift.io/v1]
- Authentication [config.openshift.io/v1]
- Build [config.openshift.io/v1]
- ClusterOperator [config.openshift.io/v1]
- ClusterVersion [config.openshift.io/v1]
- Console [config.openshift.io/v1]
- DNS [config.openshift.io/v1]
- FeatureGate [config.openshift.io/v1]
- HelmChartRepository [helm.openshift.io/v1beta1]
- Image [config.openshift.io/v1]
- Infrastructure [config.openshift.io/v1]
- Ingress [config.openshift.io/v1]
- Network [config.openshift.io/v1]
- OAuth [config.openshift.io/v1]
- OperatorHub [config.openshift.io/v1]
- Project [config.openshift.io/v1]
- Proxy [config.openshift.io/v1]
- Scheduler [config.openshift.io/v1]
- Console APIs
- Extension APIs
-
Image APIs
- About Image APIs
- Image [image.openshift.io/v1]
- ImageSignature [image.openshift.io/v1]
- ImageStreamImage [image.openshift.io/v1]
- ImageStreamImport [image.openshift.io/v1]
- ImageStreamMapping [image.openshift.io/v1]
- ImageStream [image.openshift.io/v1]
- ImageStreamTag [image.openshift.io/v1]
- ImageTag [image.openshift.io/v1]
-
Machine APIs
- About Machine APIs
- ContainerRuntimeConfig [machineconfiguration.openshift.io/v1]
- ControllerConfig [machineconfiguration.openshift.io/v1]
- KubeletConfig [machineconfiguration.openshift.io/v1]
- MachineConfigPool [machineconfiguration.openshift.io/v1]
- MachineConfig [machineconfiguration.openshift.io/v1]
- MachineHealthCheck [machine.openshift.io/v1beta1]
- Machine [machine.openshift.io/v1beta1]
- MachineSet [machine.openshift.io/v1beta1]
- Metadata APIs
- Monitoring APIs
-
Network APIs
- About Network APIs
- ClusterNetwork [network.openshift.io/v1]
- Endpoints [core/v1]
- EndpointSlice [discovery.k8s.io/v1beta1]
- EgressNetworkPolicy [network.openshift.io/v1]
- HostSubnet [network.openshift.io/v1]
- Ingress [networking.k8s.io/v1]
- IngressClass [networking.k8s.io/v1]
- IPPool [whereabouts.cni.cncf.io/v1alpha1]
- NetNamespace [network.openshift.io/v1]
- NetworkAttachmentDefinition [k8s.cni.cncf.io/v1]
- NetworkPolicy [networking.k8s.io/v1]
- Route [route.openshift.io/v1]
- Service [core/v1]
- Node APIs
- OAuth APIs
-
Operator APIs
- About Operator APIs
- Authentication [operator.openshift.io/v1]
- CloudCredential [operator.openshift.io/v1]
- ClusterCSIDriver [operator.openshift.io/v1]
- Console [operator.openshift.io/v1]
- Config [operator.openshift.io/v1]
- Config [imageregistry.operator.openshift.io/v1]
- Config [samples.operator.openshift.io/v1]
- CSISnapshotController [operator.openshift.io/v1]
- DNS [operator.openshift.io/v1]
- DNSRecord [ingress.operator.openshift.io/v1]
- Etcd [operator.openshift.io/v1]
- ImageContentSourcePolicy [operator.openshift.io/v1alpha1]
- ImagePruner [imageregistry.operator.openshift.io/v1]
- IngressController [operator.openshift.io/v1]
- KubeAPIServer [operator.openshift.io/v1]
- KubeControllerManager [operator.openshift.io/v1]
- KubeScheduler [operator.openshift.io/v1]
- KubeStorageVersionMigrator [operator.openshift.io/v1]
- Network [operator.openshift.io/v1]
- OpenShiftAPIServer [operator.openshift.io/v1]
- OpenShiftControllerManager [operator.openshift.io/v1]
- OperatorPKI [network.operator.openshift.io/v1]
- ServiceCA [operator.openshift.io/v1]
- Storage [operator.openshift.io/v1]
-
OperatorHub APIs
- About OperatorHub APIs
- CatalogSource [operators.coreos.com/v1alpha1]
- ClusterServiceVersion [operators.coreos.com/v1alpha1]
- InstallPlan [operators.coreos.com/v1alpha1]
- OperatorGroup [operators.coreos.com/v1]
- PackageManifest [packages.operators.coreos.com/v1]
- Subscription [operators.coreos.com/v1alpha1]
- Policy APIs
- Project APIs
- Provisioning APIs
- RBAC APIs
- Role APIs
-
Schedule and quota APIs
- About Schedule and quota APIs
- AppliedClusterResourceQuota [quota.openshift.io/v1]
- ClusterResourceQuota [quota.openshift.io/v1]
- FlowSchema [flowcontrol.apiserver.k8s.io/v1alpha1]
- LimitRange [core/v1]
- PriorityClass [scheduling.k8s.io/v1]
- PriorityLevelConfiguration [flowcontrol.apiserver.k8s.io/v1alpha1]
- ResourceQuota [core/v1]
-
Security APIs
- About Security APIs
- CertificateSigningRequest [certificates.k8s.io/v1]
- CredentialsRequest [cloudcredential.openshift.io/v1]
- PodSecurityPolicyReview [security.openshift.io/v1]
- PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- PodSecurityPolicySubjectReview [security.openshift.io/v1]
- RangeAllocation [security.openshift.io/v1]
- Secret [core/v1]
- SecurityContextConstraints [security.openshift.io/v1]
- ServiceAccount [core/v1]
-
Storage APIs
- About Storage APIs
- CSIDriver [storage.k8s.io/v1]
- CSINode [storage.k8s.io/v1]
- PersistentVolumeClaim [core/v1]
- StorageClass [storage.k8s.io/v1]
- StorageState [migration.k8s.io/v1alpha1]
- StorageVersionMigration [migration.k8s.io/v1alpha1]
- VolumeAttachment [storage.k8s.io/v1]
- VolumeSnapshot [snapshot.storage.k8s.io/v1beta1]
- VolumeSnapshotClass [snapshot.storage.k8s.io/v1beta1]
- VolumeSnapshotContent [snapshot.storage.k8s.io/v1beta1]
- Template APIs
- User and group APIs
-
Workloads APIs
- About Workloads APIs
- BuildConfig [build.openshift.io/v1]
- Build [build.openshift.io/v1]
- CronJob [batch/v1beta1]
- DaemonSet [apps/v1]
- Deployment [apps/v1]
- DeploymentConfig [apps.openshift.io/v1]
- Job [batch/v1]
- Pod [core/v1]
- ReplicationController [core/v1]
- PersistentVolume [core/v1]
- ReplicaSet [apps/v1]
- StatefulSet [apps/v1]
-
Service Mesh
-
Service Mesh 2.x
- About OpenShift Service Mesh
- Service Mesh 2.x release notes
- Service Mesh architecture
- Service Mesh deployment models
- Service Mesh and Istio differences
- Preparing to install Service Mesh
- Installing the Operators
- Creating the ServiceMeshControlPlane
- Adding workloads to a service mesh
- Enabling sidecar injection
- Upgrading Service Mesh
- Managing users and profiles
- Security
- Traffic management
- Metrics, logs, and traces
- Performance and scalability
- Deploying to production
- Federation
- Extensions
- 3scale WebAssembly for 2.1
- 3scale Istio adapter for 2.0
- Troubleshooting Service Mesh
- Control plane configuration reference
- Kiali configuration reference
- Jaeger configuration reference
- Uninstalling Service Mesh
-
Service Mesh 1.x
- Service Mesh 1.x release notes
- Service Mesh architecture
- Service Mesh and Istio differences
- Preparing to install Service Mesh
- Installing Service Mesh
- Security
- Traffic management
- Deploying applications on Service Mesh
- Data visualization and observability
- Custom resources
- 3scale Istio adapter for 1.x
- Removing Service Mesh
-
Service Mesh 2.x
- Distributed tracing
-
OpenShift Virtualization
- About OpenShift Virtualization
- OpenShift Virtualization release notes
-
OpenShift Virtualization installation
- Preparing your cluster for OpenShift Virtualization
- Installing OpenShift Virtualization using the web console
- Installing OpenShift Virtualization using the CLI
- Installing the virtctl client
- Uninstalling OpenShift Virtualization using the web console
- Uninstalling OpenShift Virtualization using the CLI
- Upgrading OpenShift Virtualization
- Additional security privileges granted for kubevirt-controller and virt-launcher
- Using the CLI tools
-
Virtual machines
- Creating virtual machines
- Editing virtual machines
- Editing boot order
- Deleting virtual machines
- Managing virtual machine instances
- Controlling virtual machine states
- Accessing virtual machine consoles
- Triggering virtual machine failover by resolving a failed node
- Installing the QEMU guest agent on virtual machines
- Viewing the QEMU guest agent information for virtual machines
- Managing config maps, secrets, and service accounts in virtual machines
- Installing VirtIO driver on an existing Windows virtual machine
- Installing VirtIO driver on a new Windows virtual machine
- Advanced virtual machine management
- Importing virtual machines
- Cloning virtual machines
-
Virtual machine networking
- Configuring the virtual machine for the default pod network
- Attaching a virtual machine to a Linux bridge network
- Configuring IP addresses for virtual machines
- Configuring an SR-IOV network device for virtual machines
- Defining an SR-IOV network
- Attaching a virtual machine to an SR-IOV network
- Viewing the IP address of NICs on a virtual machine
- Using a MAC address pool for virtual machines
-
Virtual machine disks
- Features for storage
- Configuring local storage for virtual machines
- Configuring CDI to work with namespaces that have a compute resource quota
- Uploading local disk images by using the web console
- Uploading local disk images by using the virtctl tool
- Uploading a local disk image to a block storage data volume
- Managing offline virtual machine snapshots
- Moving a local virtual machine disk to a different node
- Expanding virtual storage by adding blank disk images
- Cloning a data volume using smart-cloning
- Storage defaults for data volumes
- Creating and using default OS images
- Using container disks with virtual machines
- Preparing CDI scratch space
- Re-using statically provisioned persistent volumes
- Deleting data volumes
- Virtual machine templates
- Live migration
- Node maintenance
- Node networking
- Logging, events, and monitoring
-
Serverless
- Release notes
- Discover
- Install
- Knative CLI
-
Develop
- Serverless applications
- Autoscaling
- Traffic management
- Routing
- Event sinks
- Event delivery
- Listing event sources and event source types
- Creating an API server source
- Creating a ping source
- Custom event sources
- Creating channels
- Creating and managing subscriptions
- Creating brokers
- Triggers
- Using Knative Kafka
- Administer
- Monitor
- Tracing
- Support
- Security
-
Functions
- Setting up OpenShift Serverless Functions
- Getting started with functions
- Developing Node.js functions
- Developing TypeScript functions
- Developing Go functions
- Developing Python functions
- Developing Quarkus functions
- Function project configuration in func.yaml
- Accessing secrets and config maps from functions
- Adding annotations to functions
- Functions development reference guide
- Integrations
×
Managing Compliance Operator result and remediation
- Filters for compliance check results
- Reviewing a remediation
- Applying remediation when using customized machine config pools
- Applying a remediation
- Remediating a platform check manually
- Updating remediations
- Unapplying a remediation
- Removing a KubeletConfig remediation
- Inconsistent ComplianceScan
- Additional resources
Each ComplianceCheckResult represents a result of one compliance rule check. If the rule can be remediated automatically, a ComplianceRemediation object with the same name, owned by the ComplianceCheckResult is created. Unless requested, the remediations are not applied automatically, which gives an OpenShift Container Platform administrator the opportunity to review what the remediation does and only apply a remediation once it has been verified.
Filters for compliance check results
By default, the ComplianceCheckResult objects are labeled with several useful labels that allow you to query the checks and decide on the next steps after the results are generated.
List checks that belong to a specific suite:
List checks that belong to a specific scan:
$ oc get compliancecheckresults -l compliance.openshift.io/scan=example-compliancescanNot all ComplianceCheckResult objects create ComplianceRemediation objects. Only ComplianceCheckResult objects that can be remediated automatically do. A ComplianceCheckResult object has a related remediation if it is labeled with the compliance.openshift.io/automated-remediation label. The name of the remediation is the same as the name of the check.
List all failing checks that can be remediated automatically:
$ oc get compliancecheckresults -l 'compliance.openshift.io/check-status=FAIL,compliance.openshift.io/automated-remediation'List all failing checks that must be remediated manually:
$ oc get compliancecheckresults -l 'compliance.openshift.io/check-status=FAIL,!compliance.openshift.io/automated-remediation'The manual remediation steps are typically stored in the description attribute in the ComplianceCheckResult object.
| ComplianceCheckResult Status | Description |
|---|---|
PASS |
Compliance check ran to completion and passed. |
FAIL |
Compliance check ran to completion and failed. |
INFO |
Compliance check ran to completion and found something not severe enough to be considered an error. |
MANUAL |
Compliance check does not have a way to automatically assess the success or failure and must be checked manually. |
INCONSISTENT |
Compliance check reports different results from different sources, typically cluster nodes. |
ERROR |
Compliance check ran, but could not complete properly. |
NOT-APPLICABLE |
Compliance check did not run because it is not applicable or not selected. |
Reviewing a remediation
Review both the ComplianceRemediation object and the ComplianceCheckResult object that owns the remediation. The ComplianceCheckResult object contains human-readable descriptions of what the check does and the hardening trying to prevent, as well as other metadata like the severity and the associated security controls. The ComplianceRemediation object represents a way to fix the problem described in the ComplianceCheckResult. After first scan, check for remediations with the state MissingDependencies.
Below is an example of a check and a remediation called sysctl-net-ipv4-conf-all-accept-redirects. This example is redacted to only show spec and status and omits metadata:
spec:
apply: false
current:
object:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf
mode: 0644
contents:
source: data:,net.ipv4.conf.all.accept_redirects%3D0
outdated: {}
status:
applicationState: NotAppliedThe remediation payload is stored in the spec.current attribute. The payload can be any Kubernetes object, but because this remediation was produced by a node scan, the remediation payload in the above example is a MachineConfig object. For Platform scans, the remediation payload is often a different kind of an object (for example, a ConfigMap or Secret object), but typically applying that remediation is up to the administrator, because otherwise the Compliance Operator would have required a very broad set of permissions in order to manipulate any generic Kubernetes object. An example of remediating a Platform check is provided later in the text.
To see exactly what the remediation does when applied, the MachineConfig object contents use the Ignition objects for the configuration. Refer to the Ignition specification for further information about the format. In our example, the spec.config.storage.files[0].path attribute specifies the file that is being create by this remediation (/etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf) and the spec.config.storage.files[0].contents.source attribute specifies the contents of that file.
|
The contents of the files are URL-encoded. |
Use the following Python script to view the contents:
$ echo "net.ipv4.conf.all.accept_redirects%3D0" | python3 -c "import sys, urllib.parse; print(urllib.parse.unquote(''.join(sys.stdin.readlines())))"Example output
net.ipv4.conf.all.accept_redirects=0Applying remediation when using customized machine config pools
When you create a custom MachineConfigPool, add a label to the MachineConfigPool so that machineConfigPoolSelector present in the KubeletConfig can match the label with MachineConfigPool.
|
Do not set |
Procedure
-
List the nodes.
$ oc get nodesExample outputNAME STATUS ROLES AGE VERSION ip-10-0-128-92.us-east-2.compute.internal Ready master 5h21m v1.23.3+d99c04f ip-10-0-158-32.us-east-2.compute.internal Ready worker 5h17m v1.23.3+d99c04f ip-10-0-166-81.us-east-2.compute.internal Ready worker 5h17m v1.23.3+d99c04f ip-10-0-171-170.us-east-2.compute.internal Ready master 5h21m v1.23.3+d99c04f ip-10-0-197-35.us-east-2.compute.internal Ready master 5h22m v1.23.3+d99c04f -
Add a label to nodes.
$ oc label node ip-10-0-166-81.us-east-2.compute.internal node-role.kubernetes.io/<machine_config_pool_name>=Example outputnode/ip-10-0-166-81.us-east-2.compute.internal labeled -
Create custom
MachineConfigPoolCR.apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfigPool metadata: name: <machine_config_pool_name> labels: pools.operator.machineconfiguration.openshift.io/<machine_config_pool_name>: '' (1) spec: machineConfigSelector: matchExpressions: - {key: machineconfiguration.openshift.io/role, operator: In, values: [worker,<machine_config_pool_name>]} nodeSelector: matchLabels: node-role.kubernetes.io/<machine_config_pool_name>: ""1 The labelsfield defines label name to add for Machine config pool(MCP). -
Verify MCP created successfully.
$ oc get mcp -w
Applying a remediation
The boolean attribute spec.apply controls whether the remediation should be applied by the Compliance Operator. You can apply the remediation by setting the attribute to true:
$ oc patch complianceremediations/<scan_name>-sysctl-net-ipv4-conf-all-accept-redirects --patch '{"spec":{"apply":true}}' --type=mergeAfter the Compliance Operator processes the applied remediation, the status.ApplicationState attribute would change to Applied or to Error if incorrect. When a machine config remediation is applied, that remediation along with all other applied remediations are rendered into a MachineConfig object named 75-$scan-name-$suite-name. That MachineConfig object is subsequently rendered by the Machine Config Operator and finally applied to all the nodes in a machine config pool by an instance of the machine control daemon running on each node.
Note that when the Machine Config Operator applies a new MachineConfig object to nodes in a pool, all the nodes belonging to the pool are rebooted. This might be inconvenient when applying multiple remediations, each of which re-renders the composite 75-$scan-name-$suite-name MachineConfig object. To prevent applying the remediation immediately, you can pause the machine config pool by setting the .spec.paused attribute of a MachineConfigPool object to true.
The Compliance Operator can apply remediations automatically. Set autoApplyRemediations: true in the ScanSetting top-level object.
|
Applying remediations automatically should only be done with careful consideration. |
Remediating a platform check manually
Checks for Platform scans typically have to be remediated manually by the administrator for two reasons:
-
It is not always possible to automatically determine the value that must be set. One of the checks requires that a list of allowed registries is provided, but the scanner has no way of knowing which registries the organization wants to allow.
-
Different checks modify different API objects, requiring automated remediation to possess
rootor superuser access to modify objects in the cluster, which is not advised.
Procedure
-
The example below uses the
ocp4-ocp-allowed-registries-for-importrule, which would fail on a default OpenShift Container Platform installation. Inspect the ruleoc get rule.compliance/ocp4-ocp-allowed-registries-for-import -oyaml, the rule is to limit the registries the users are allowed to import images from by setting theallowedRegistriesForImportattribute, The warning attribute of the rule also shows the API object checked, so it can be modified and remediate the issue:$ oc edit image.config.openshift.io/clusterExample outputapiVersion: config.openshift.io/v1 kind: Image metadata: annotations: release.openshift.io/create-only: "true" creationTimestamp: "2020-09-10T10:12:54Z" generation: 2 name: cluster resourceVersion: "363096" selfLink: /apis/config.openshift.io/v1/images/cluster uid: 2dcb614e-2f8a-4a23-ba9a-8e33cd0ff77e spec: allowedRegistriesForImport: - domainName: registry.redhat.io status: externalRegistryHostnames: - default-route-openshift-image-registry.apps.user-cluster-09-10-12-07.devcluster.openshift.com internalRegistryHostname: image-registry.openshift-image-registry.svc:5000 -
Re-run the scan:
$ oc annotate compliancescans/<scan_name> compliance.openshift.io/rescan=
Updating remediations
When a new version of compliance content is used, it might deliver a new and different version of a remediation than the previous version. The Compliance Operator will keep the old version of the remediation applied. The OpenShift Container Platform administrator is also notified of the new version to review and apply. A ComplianceRemediation object that had been applied earlier, but was updated changes its status to Outdated. The outdated objects are labeled so that they can be searched for easily.
The previously applied remediation contents would then be stored in the spec.outdated attribute of a ComplianceRemediation object and the new updated contents would be stored in the spec.current attribute. After updating the content to a newer version, the administrator then needs to review the remediation. As long as the spec.outdated attribute exists, it would be used to render the resulting MachineConfig object. After the spec.outdated attribute is removed, the Compliance Operator re-renders the resulting MachineConfig object, which causes the Operator to push the configuration to the nodes.
Procedure
-
Search for any outdated remediations:
$ oc get complianceremediations -lcomplianceoperator.openshift.io/outdated-remediation=Example outputNAME STATE workers-scan-no-empty-passwords OutdatedThe currently applied remediation is stored in the
Outdatedattribute and the new, unapplied remediation is stored in theCurrentattribute. If you are satisfied with the new version, remove theOutdatedfield. If you want to keep the updated content, remove theCurrentandOutdatedattributes. -
Apply the newer version of the remediation:
$ oc patch complianceremediations workers-scan-no-empty-passwords --type json -p '[{"op":"remove", "path":/spec/outdated}]' -
The remediation state will switch from
OutdatedtoApplied:$ oc get complianceremediations workers-scan-no-empty-passwordsExample outputNAME STATE workers-scan-no-empty-passwords Applied -
The nodes will apply the newer remediation version and reboot.
Unapplying a remediation
It might be required to unapply a remediation that was previously applied.
Procedure
-
Set the
applyflag tofalse:$ oc patch complianceremediations/<scan_name>-sysctl-net-ipv4-conf-all-accept-redirects -p '{"spec":{"apply":false}}' --type=merge -
The remediation status will change to
NotAppliedand the compositeMachineConfigobject would be re-rendered to not include the remediation.All affected nodes with the remediation will be rebooted.
Removing a KubeletConfig remediation
KubeletConfig remediations are included in node-level profiles. In order to remove a KubeletConfig remediation, you must manually remove it from the KubeletConfig objects. This example demonstrates how to remove the compliance check for the one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available remediation.
Procedure
-
Locate the
scan-nameand compliance check for theone-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-availableremediation:$ oc get remediation one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available -o yamlExample outputapiVersion: compliance.openshift.io/v1alpha1 kind: ComplianceRemediation metadata: annotations: compliance.openshift.io/xccdf-value-used: var-kubelet-evictionhard-imagefs-available creationTimestamp: "2022-01-05T19:52:27Z" generation: 1 labels: compliance.openshift.io/scan-name: one-rule-tp-node-master (1) compliance.openshift.io/suite: one-rule-ssb-node name: one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available namespace: openshift-compliance ownerReferences: - apiVersion: compliance.openshift.io/v1alpha1 blockOwnerDeletion: true controller: true kind: ComplianceCheckResult name: one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available uid: fe8e1577-9060-4c59-95b2-3e2c51709adc resourceVersion: "84820" uid: 5339d21a-24d7-40cb-84d2-7a2ebb015355 spec: apply: true current: object: apiVersion: machineconfiguration.openshift.io/v1 kind: KubeletConfig spec: kubeletConfig: evictionHard: imagefs.available: 10% (2) outdated: {} type: Configuration status: applicationState: Applied1 The scan name of the remediation. 2 The remediation that was added to the KubeletConfigobjects.If the remediation invokes an
evictionHardkubelet configuration, you must specify all of theevictionHardparameters:memory.available,nodefs.available,nodefs.inodesFree,imagefs.available, andimagefs.inodesFree. If you do not specify all parameters, only the specified parameters are applied and the remediation will not function properly. -
Remove the remediation:
-
Set
applyto false for the remediation object:$ oc patch complianceremediations/one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available -p '{"spec":{"apply":false}}' --type=merge -
Using the
scan-name, find theKubeletConfigobject that the remediation was applied to:$ oc get kubeletconfig --selector compliance.openshift.io/scan-name=one-rule-tp-node-masterExample outputNAME AGE compliance-operator-kubelet-master 2m34s -
Manually remove the remediation,
imagefs.available: 10%, from theKubeletConfigobject:$ oc edit KubeletConfig compliance-operator-kubelet-masterAll affected nodes with the remediation will be rebooted.
-
|
You must also exclude the rule from any scheduled scans in your tailored profiles that auto-applies the remediation, otherwise, the remediation will be re-applied during the next scheduled scan. |
Inconsistent ComplianceScan
The ScanSetting object lists the node roles that the compliance scans generated from the ScanSetting or ScanSettingBinding objects would scan. Each node role usually maps to a machine config pool.
|
It is expected that all machines in a machine config pool are identical and all scan results from the nodes in a pool should be identical. |
If some of the results are different from others, the Compliance Operator flags a ComplianceCheckResult object where some of the nodes will report as INCONSISTENT. All ComplianceCheckResult objects are also labeled with compliance.openshift.io/inconsistent-check.
Because the number of machines in a pool might be quite large, the Compliance Operator attempts to find the most common state and list the nodes that differ from the common state. The most common state is stored in the compliance.openshift.io/most-common-status annotation and the annotation compliance.openshift.io/inconsistent-source contains pairs of hostname:status of check statuses that differ from the most common status. If no common state can be found, all the hostname:status pairs are listed in the compliance.openshift.io/inconsistent-source annotation.
If possible, a remediation is still created so that the cluster can converge to a compliant status. However, this might not always be possible and correcting the difference between nodes must be done manually. The compliance scan must be re-run to get a consistent result by annotating the scan with the compliance.openshift.io/rescan= option:
$ oc annotate compliancescans/<scan_name> compliance.openshift.io/rescan=