Ozznotes

This is a blog with random OpenShift, Kubernetes, OpenStack and Linux related notes so I don't forget things. If you find something inaccurate or that could be fixed, please file a bug report here.

View on GitHub

Back to home

16 September 2021

How to automatically remediate issues using the compliance Operator

by Juan Antonio Osorio Robles

The Compliance Operator is able to automatically remediate some issues that it finds. Let’s look at the following example

---
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: moderate-rhcos
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: rhcos4-moderate
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default-auto-apply

This ScanSettingBinding object will ensure the cluster is scanned with the rhcos4-moderate profile, and will automatically apply any generated remediations. This is done because of the default-auto-apply ScanSetting object, which by default has the autoApplyRemediations flag set to true. This is in contrast to the default ScanSetting object which will not auto-apply the remediations that are generated by the Compliance Operator.

There is more information on ScanSettings in the product documentation:

https://docs.openshift.com/container-platform/latest/security/compliance_operator/compliance-scans.html#running-compliance-scans_compliance-operator-scans

When effectuating scans, the Compliance Operator always generate ComplianceRemediation objects. These objects, when applied, will fix compliance issues found by the operator. They are only generated after a scan is done executing, and they can be browsed as follows:

oc get -n openshift-compliance complianceremediations

Compliance Remediations can also be applied individually by switching the apply flag in the ComplianceRemediation object’s spec. For more information on this, please see the relevant documentation:

https://docs.openshift.com/container-platform/4.8/security/compliance_operator/compliance-operator-remediation.html

If you don’t want the Compliance Operator to always auto-apply the remediations it creates each scan, but instead want to do a one-off bulk application, it’s possible to do so via an annotation:

oc annotate compliancesuites/<suite-name> \ 
	compliance.openshift.io/apply-remediations=

As documented here: https://docs.openshift.com/container-platform/4.8/security/compliance_operator/compliance-operator-advanced.html#installing-compliance-operator-cli_compliance-advanced

What about GitOps?

There are more advanced use-cases where SREs would prefer to have all of the remediations in Git. This can be very useful for:

For such cases, there is work-in-progress to enable the oc-compliance plugin to fetch the remediations before applying them and putting them in a format that’s usable by popular GitOps systems. There is work on-going to formalize this for both ArgoCD and Hive.

A POC has already merged for ArgoCD, I’ll elaborate more on this on a separate blog post.


Disclaimer: Hive is not a GitOps system, but has constructs that can easily be integrated into such systems such as SyncSets.

tags: openshift

Back to home