| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * security/compliance_operator/compliance-operator-remediation.adoc |
| 4 | + |
| 5 | +[id="compliance-removing-kubeletconfig_{context}"] |
| 6 | += Removing a KubeletConfig remediation |
| 7 | +`KubeletConfig` remediations are included in node-level profiles. In order to remove a KubeletConfig remediation, you must manually remove it from the `KubeletConfig` objects. This example demonstrates how to remove the compliance check for the `one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available` remediation. |
| 8 | + |
| 9 | +.Procedure |
| 10 | + |
| 11 | +. Locate the `scan-name` and compliance check for the `one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available` remediation: |
| 12 | ++ |
| 13 | +[source,terminal] |
| 14 | +---- |
| 15 | +$ oc get remediation one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available -o yaml |
| 16 | +---- |
| 17 | ++ |
| 18 | +.Example output |
| 19 | +[source,yaml] |
| 20 | +---- |
| 21 | +apiVersion: compliance.openshift.io/v1alpha1 |
| 22 | +kind: ComplianceRemediation |
| 23 | +metadata: |
| 24 | + annotations: |
| 25 | + compliance.openshift.io/xccdf-value-used: var-kubelet-evictionhard-imagefs-available |
| 26 | + creationTimestamp: "2022-01-05T19:52:27Z" |
| 27 | + generation: 1 |
| 28 | + labels: |
| 29 | + compliance.openshift.io/scan-name: one-rule-tp-node-master <1> |
| 30 | + compliance.openshift.io/suite: one-rule-ssb-node |
| 31 | + name: one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available |
| 32 | + namespace: openshift-compliance |
| 33 | + ownerReferences: |
| 34 | + - apiVersion: compliance.openshift.io/v1alpha1 |
| 35 | + blockOwnerDeletion: true |
| 36 | + controller: true |
| 37 | + kind: ComplianceCheckResult |
| 38 | + name: one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available |
| 39 | + uid: fe8e1577-9060-4c59-95b2-3e2c51709adc |
| 40 | + resourceVersion: "84820" |
| 41 | + uid: 5339d21a-24d7-40cb-84d2-7a2ebb015355 |
| 42 | +spec: |
| 43 | + apply: true |
| 44 | + current: |
| 45 | + object: |
| 46 | + apiVersion: machineconfiguration.openshift.io/v1 |
| 47 | + kind: KubeletConfig |
| 48 | + spec: |
| 49 | + kubeletConfig: |
| 50 | + evictionHard: |
| 51 | + imagefs.available: 10% <2> |
| 52 | + outdated: {} |
| 53 | + type: Configuration |
| 54 | +status: |
| 55 | + applicationState: Applied |
| 56 | +---- |
| 57 | +<1> The scan name of the remediation. |
| 58 | +<2> The remediation that was added to the `KubeletConfig` objects. |
| 59 | ++ |
| 60 | +. Remove the remediation: |
| 61 | + |
| 62 | +.. Set `apply` to false for the remediation object: |
| 63 | ++ |
| 64 | +[source,terminal] |
| 65 | +---- |
| 66 | +$ oc patch complianceremediations/one-rule-tp-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available -p '{"spec":{"apply":false}}' --type=merge |
| 67 | +---- |
| 68 | ++ |
| 69 | +.. Using the `scan-name`, find the `KubeletConfig` object that the remediation was applied to: |
| 70 | ++ |
| 71 | +[source,terminal] |
| 72 | +---- |
| 73 | +$ oc get kubeletconfig --selector compliance.openshift.io/scan-name=one-rule-tp-node-master |
| 74 | +---- |
| 75 | ++ |
| 76 | +.Example output |
| 77 | +[source,terminal] |
| 78 | +---- |
| 79 | +NAME AGE |
| 80 | +compliance-operator-kubelet-master 2m34s |
| 81 | +---- |
| 82 | +.. Manually remove the remediation, `imagefs.available: 10%`, from the `KubeletConfig` object: |
| 83 | ++ |
| 84 | +[source,terminal] |
| 85 | +---- |
| 86 | +$ oc edit KubeletConfig compliance-operator-kubelet-master |
| 87 | +---- |
| 88 | ++ |
| 89 | +[IMPORTANT] |
| 90 | +==== |
| 91 | +All affected nodes with the remediation will be rebooted. |
| 92 | +==== |
| 93 | + |
| 94 | +[NOTE] |
| 95 | +==== |
| 96 | +You must also exclude the rule from any scheduled scans in your tailored profiles that auto-applies the remediation, otherwise, the remediation will be re-applied during the next scheduled scan. |
| 97 | +==== |
| 98 | + |
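Review bot: the `oc get remediation ...` command in step 1 and the `oc patch complianceremediations/...` command in step 2a omit a namespace, yet the example output shows the `ComplianceRemediation` lives in `namespace: openshift-compliance`; unless the reader has already switched projects both commands return a not-found error, so add `-n openshift-compliance` to them (the `KubeletConfig` selector lookup in step 2b is fine, since `KubeletConfig` is cluster-scoped) and use one resource name, for example `complianceremediation`, in both step 1 and step 2a rather than `remediation` in one and `complianceremediations` in the other. The `[IMPORTANT]` reboot warning is placed after the `oc edit KubeletConfig compliance-operator-kubelet-master` command it applies to; move it ahead of step 2c (or above `.Procedure`) so the reader sees it before saving the edit, and in step 2c say what to delete in the editor: the `imagefs.available: 10%` line, and the now-empty `evictionHard:` map if that was its only key. Two wording points: the `[NOTE]` should read "tailored profiles that auto-apply the remediation; otherwise the remediation is re-applied during the next scheduled scan" (subject-verb agreement and the comma splice), and the stray `+` between callout `<2>` and the `. Remove the remediation:` item is a list continuation attached to nothing and can be dropped.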