
Commit 3ee1f46

CO 1.6.0 release notes
1 parent 89dba97 commit 3ee1f46

19 files changed: +639 -183 lines changed

_topic_maps/_topic_map.yml

Lines changed: 3 additions & 1 deletion
@@ -1056,6 +1056,8 @@ Topics:
10561056
File: co-overview
10571057
- Name: Compliance Operator release notes
10581058
File: compliance-operator-release-notes
1059+
- Name: Compliance Operator support
1060+
File: co-support
10591061
- Name: Compliance Operator concepts
10601062
Dir: co-concepts
10611063
Topics:
@@ -1089,7 +1091,7 @@ Topics:
10891091
File: compliance-operator-remediation
10901092
- Name: Performing advanced Compliance Operator tasks
10911093
File: compliance-operator-advanced
1092-
- Name: Troubleshooting the Compliance Operator
1094+
- Name: Troubleshooting Compliance Operator scans
10931095
File: compliance-operator-troubleshooting
10941096
- Name: Using the oc-compliance plugin
10951097
File: oc-compliance-plug-in-using
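Review bot: The renamed entry `Troubleshooting Compliance Operator scans` still points at `File: compliance-operator-troubleshooting`, so the navigation title now has a narrower scope than the file name suggests. Check that the assembly's own title was updated to match, and that the split between this topic and the new `Compliance Operator support` entry added earlier in this file is clear to a reader looking for general Operator troubleshooting.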

modules/co-scansetting-resources.adoc

Lines changed: 84 additions & 0 deletions
@@ -0,0 +1,84 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * security/compliance_operator/co-scans/compliance-operator-troubleshooting.adoc
4+
5+
:_mod-docs-content-type: REFERENCE
6+
[id="co-scansetting-resources_{context}"]
7+
= Configuring ScanSetting resources
8+
9+
When using the Compliance Operator in a cluster that contains more than 500 MachineConfigs, the `ocp4-pci-dss-api-checks-pod` pod may pause in the `init` phase when performing a `Platform` scan.
10+
11+
[NOTE]
12+
====
13+
Resource constraints applied in this process overwrites the existing resource constraints.
14+
====
15+
16+
.Procedure
17+
18+
. Confirm the `ocp4-pci-dss-api-checks-pod` pod is stuck in the `Init:OOMKilled` status:
19+
+
20+
[source,terminal]
21+
----
22+
$ oc get pod ocp4-pci-dss-api-checks-pod -w
23+
----
24+
+
25+
.Example output
26+
[source,terminal]
27+
----
28+
NAME READY STATUS RESTARTS AGE
29+
ocp4-pci-dss-api-checks-pod 0/2 Init:1/2 8 (5m56s ago) 25m
30+
ocp4-pci-dss-api-checks-pod 0/2 Init:OOMKilled 8 (6m19s ago) 26m
31+
----
32+
33+
. Edit the `scanLimits` attribute in the `ScanSetting` CR to increase the available memory for the `ocp4-pci-dss-api-checks-pod` pod:
34+
+
35+
[source,yaml]
36+
----
37+
timeout: 30m
38+
strictNodeScan: true
39+
metadata:
40+
name: default
41+
namespace: openshift-compliance
42+
kind: ScanSetting
43+
showNotApplicable: false
44+
rawResultStorage:
45+
nodeSelector:
46+
node-role.kubernetes.io/master: ''
47+
pvAccessModes:
48+
- ReadWriteOnce
49+
rotation: 3
50+
size: 1Gi
51+
tolerations:
52+
- effect: NoSchedule
53+
key: node-role.kubernetes.io/master
54+
operator: Exists
55+
- effect: NoExecute
56+
key: node.kubernetes.io/not-ready
57+
operator: Exists
58+
tolerationSeconds: 300
59+
- effect: NoExecute
60+
key: node.kubernetes.io/unreachable
61+
operator: Exists
62+
tolerationSeconds: 300
63+
- effect: NoSchedule
64+
key: node.kubernetes.io/memory-pressure
65+
operator: Exists
66+
schedule: 0 1 * * *
67+
roles:
68+
- master
69+
- worker
70+
apiVersion: compliance.openshift.io/v1alpha1
71+
maxRetryOnTimeout: 3
72+
scanTolerations:
73+
- operator: Exists
74+
scanLimits:
75+
memory: 1024Mi <1>
76+
----
77+
<1> The default setting is `500Mi`.
78+
79+
. Apply the `ScanSetting` CR to your cluster:
80+
+
81+
[source,terminal]
82+
----
83+
$ oc apply -f scansetting.yaml
84+
----
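Review bot: The module is declared as `:_mod-docs-content-type: REFERENCE` but its body is a `.Procedure` with three steps, so the type should be `PROCEDURE` and the title should name the task (raising the scan memory limit) rather than "Configuring ScanSetting resources". The introduction also says the pod "may pause in the `init` phase" while step 1 asks the reader to confirm `Init:OOMKilled`; state the out-of-memory condition up front so the described symptom matches the check. Smaller points: the NOTE should read "Resource constraints applied in this process overwrite", the `oc get pod` command has no `-n openshift-compliance` although the CR shown lives in that namespace, and step 3 applies `scansetting.yaml` without any step telling the reader to save the edited CR under that name.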

modules/compliance-must-gather.adoc

Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * security/compliance_operator/co-support.adoc
4+
5+
:_mod-docs-content-type: PROCEDURE
6+
[id="compliance-must-gather_{context}"]
7+
= Using the must-gather tool for the Compliance Operator
8+
9+
Starting in Compliance Operator v1.6.0, you can collect data about the Compliance Operator resources by running the `must-gather` command with the Compliance Operator image.
10+
11+
[NOTE]
12+
====
13+
Consider using the `must-gather` tool when opening support cases or filing bug reports, as it provides additional details about the Operator configuration and logs.
14+
====
15+
16+
.Procedure
17+
18+
* Run the following command to collect data about the Compliance Operator:
19+
+
20+
[source,terminal]
21+
----
22+
$ oc adm must-gather --image=$(oc get csv compliance-operator.v1.6.0 -o=jsonpath='{.spec.relatedImages[?(@.name=="must-gather")].image}')
23+
----
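Review bot: The command hardcodes the CSV name `compliance-operator.v1.6.0`, while the introduction says the image is available "Starting in Compliance Operator v1.6.0", so the step stops working as written on any later release. Suggest a placeholder such as `compliance-operator.v<version>` with a sentence on how to find the installed CSV name, or a version attribute. The inner `oc get csv` also has no `-n` flag, so it depends on the reader's current project; name the Operator namespace explicitly. Since the NOTE says the archive contains Operator configuration and logs and is meant for support cases, a reminder to review the collected data before attaching it would fit here.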

modules/compliance-operator-cli-installation.adoc

Lines changed: 1 addition & 0 deletions
@@ -9,6 +9,7 @@
99
.Prerequisites
1010

1111
* You must have `admin` privileges.
12+
* You must have a `StorageClass` resource configured.
1213
1314
.Procedure
1415
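Review bot: The new prerequisite `You must have a StorageClass resource configured.` does not say what the storage is used for or whether the class has to be the cluster default, so a reader cannot tell whether an existing configuration satisfies it. Add a short clause naming what consumes the storage. The identical line is also added to the console and ROSA installation modules in this commit; a shared snippet would keep the three from drifting apart.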

modules/compliance-operator-console-installation.adoc

Lines changed: 1 addition & 0 deletions
@@ -9,6 +9,7 @@
99
.Prerequisites
1010

1111
* You must have `admin` privileges.
12+
* You must have a `StorageClass` resource configured.
1213
1314
.Procedure
1415

modules/compliance-operator-rosa-installation.adoc

Lines changed: 1 addition & 0 deletions
@@ -13,6 +13,7 @@ As of the Compliance Operator 1.5.0 release, the Operator is tested against {pro
1313
.Prerequisites
1414

1515
* You must have `admin` privileges.
16+
* You must have a `StorageClass` resource configured.
1617
1718
.Procedure
1819

modules/compliance-profiles.adoc

Lines changed: 40 additions & 17 deletions
@@ -12,28 +12,51 @@ There are several profiles available as part of the Compliance Operator installa
1212
+
1313
[source,terminal]
1414
----
15-
$ oc get -n openshift-compliance profiles.compliance
15+
$ oc get profile.compliance -n openshift-compliance
1616
----
1717
+
1818
.Example output
1919
[source,terminal]
2020
----
21-
NAME AGE
22-
ocp4-cis 94m
23-
ocp4-cis-node 94m
24-
ocp4-e8 94m
25-
ocp4-high 94m
26-
ocp4-high-node 94m
27-
ocp4-moderate 94m
28-
ocp4-moderate-node 94m
29-
ocp4-nerc-cip 94m
30-
ocp4-nerc-cip-node 94m
31-
ocp4-pci-dss 94m
32-
ocp4-pci-dss-node 94m
33-
rhcos4-e8 94m
34-
rhcos4-high 94m
35-
rhcos4-moderate 94m
36-
rhcos4-nerc-cip 94m
21+
NAME AGE VERSION
22+
ocp4-cis 3h49m 1.5.0
23+
ocp4-cis-1-4 3h49m 1.4.0
24+
ocp4-cis-1-5 3h49m 1.5.0
25+
ocp4-cis-node 3h49m 1.5.0
26+
ocp4-cis-node-1-4 3h49m 1.4.0
27+
ocp4-cis-node-1-5 3h49m 1.5.0
28+
ocp4-e8 3h49m
29+
ocp4-high 3h49m Revision 4
30+
ocp4-high-node 3h49m Revision 4
31+
ocp4-high-node-rev-4 3h49m Revision 4
32+
ocp4-high-rev-4 3h49m Revision 4
33+
ocp4-moderate 3h49m Revision 4
34+
ocp4-moderate-node 3h49m Revision 4
35+
ocp4-moderate-node-rev-4 3h49m Revision 4
36+
ocp4-moderate-rev-4 3h49m Revision 4
37+
ocp4-nerc-cip 3h49m
38+
ocp4-nerc-cip-node 3h49m
39+
ocp4-pci-dss 3h49m 3.2.1
40+
ocp4-pci-dss-3-2 3h49m 3.2.1
41+
ocp4-pci-dss-4-0 3h49m 4.0.0
42+
ocp4-pci-dss-node 3h49m 3.2.1
43+
ocp4-pci-dss-node-3-2 3h49m 3.2.1
44+
ocp4-pci-dss-node-4-0 3h49m 4.0.0
45+
ocp4-stig 3h49m V2R1
46+
ocp4-stig-node 3h49m V2R1
47+
ocp4-stig-node-v1r1 3h49m V1R1
48+
ocp4-stig-node-v2r1 3h49m V2R1
49+
ocp4-stig-v1r1 3h49m V1R1
50+
ocp4-stig-v2r1 3h49m V2R1
51+
rhcos4-e8 3h49m
52+
rhcos4-high 3h49m Revision 4
53+
rhcos4-high-rev-4 3h49m Revision 4
54+
rhcos4-moderate 3h49m Revision 4
55+
rhcos4-moderate-rev-4 3h49m Revision 4
56+
rhcos4-nerc-cip 3h49m
57+
rhcos4-stig 3h49m V2R1
58+
rhcos4-stig-v1r1 3h49m V1R1
59+
rhcos4-stig-v2r1 3h49m V2R1
3760
----
3861
+
3962
These profiles represent different compliance benchmarks. Each profile has the product name that it applies to added as a prefix to the profile’s name. `ocp4-e8` applies the Essential 8 benchmark to the {product-title} product, while `rhcos4-e8` applies the Essential 8 benchmark to the {op-system-first} product.
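Review bot: The new example output adds a `VERSION` column and versioned profile names such as `ocp4-cis-1-4`, `ocp4-high-rev-4` and `ocp4-stig-v1r1`, but the paragraph after the listing still explains only the product prefix. Add a sentence on how an unversioned name relates to its versioned siblings: in this output `ocp4-cis` and `ocp4-cis-1-5` both report `1.5.0`, and `ocp4-pci-dss` reports `3.2.1` even though `ocp4-pci-dss-4-0` is listed, so readers need to know whether the unversioned name follows a newer benchmark version on upgrade. Also explain why `ocp4-e8`, `ocp4-nerc-cip`, `ocp4-nerc-cip-node`, `rhcos4-e8` and `rhcos4-nerc-cip` show an empty `VERSION`.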
