Merge pull request #29673 from ahardin-rh/cmp-operator-updates

Updating Compliance Operator docs

Author: ahardin-rh

_topic_map.yml

@@ -590,16 +590,20 @@ Topics:
 - Name: Compliance Operator
   Dir: compliance_operator
   Topics:
+  - Name: Installing the Compliance Operator
+    File: compliance-operator-installation
+  - Name: Compliance Operator scans
+    File: compliance-scans
   - Name: Understanding the Compliance Operator
     File: compliance-operator-understanding
   - Name: Managing the Compliance Operator
     File: compliance-operator-manage
-  - Name: Managing Compliance Operator remediation
-    File: compliance-operator-remediation
   - Name: Tailoring the Compliance Operator
     File: compliance-operator-tailor
   - Name: Retrieving Compliance Operator raw results
     File: compliance-operator-raw-results
+  - Name: Managing Compliance Operator remediation
+    File: compliance-operator-remediation
   - Name: Performing advanced Compliance Operator tasks
     File: compliance-operator-advanced
   - Name: Troubleshooting the Compliance Operator

modules/compliance-anatomy.adoc

@@ -2,17 +2,22 @@
 //
 // * security/compliance_operator/compliance-operator-troubleshooting.adoc
 
-[id="compliance_anatomy_{context}"]
+[id="compliance-anatomy_{context}"]
 = Anatomy of a scan
 
 The following sections outline the components and stages of Compliance Operator scans.
 
+[id="compliance-anatomy-compliance-sources_{context}"]
 == Compliance sources
-The compliance content is stored in `Profile` objects that are generated from a `ProfileBundle`. The Compliance Operator creates a `ProfileBundle` for the cluster and another for the cluster nodes.
+The compliance content is stored in `Profile` objects that are generated from a `ProfileBundle` object. The Compliance Operator creates a `ProfileBundle` object for the cluster and another for the cluster nodes.
 
 [source,terminal]
 ----
 $ oc get profilebundle.compliance
+----
+
+[source,terminal]
+----
 $ oc get profile.compliance
 ----
 
@@ -21,12 +26,25 @@ The `ProfileBundle` objects are processed by deployments labeled with the `Bundl
 [source,terminal]
 ----
 $ oc logs -lprofile-bundle=ocp4 -c profileparser
+----
+
+[source,terminal]
+----
 $ oc get deployments,pods -lprofile-bundle=ocp4
+----
+
+[source,terminal]
+----
 $ oc logs pods/<pod-name>
+----
+
+[source,terminal]
+----
 $ oc describe pod/<pod-name> -c profileparser
 ----
 
-== The `ScanSetting` and `ScanSettingBinding` lifecycle and debugging
+[id="compliance-anatomy-scan-setting-scan-binding-lifecycle_{context}"]
+== The ScanSetting and ScanSettingBinding objects lifecycle and debugging
 With valid compliance content sources, the high-level `ScanSetting` and `ScanSettingBinding` objects can be used to generate `ComplianceSuite` and `ComplianceScan` objects:
 
 [source,yaml]
@@ -72,7 +90,8 @@ Events:
 
 Now a `ComplianceSuite` object is created. The flow continues to reconcile the newly created `ComplianceSuite`.
 
-== `ComplianceSuite` lifecycle and debugging
+[id="compliance-suite-lifecycle-debugging_{context}"]
+== ComplianceSuite custom resource lifecycle and debugging
 The `ComplianceSuite` CR is a wrapper around `ComplianceScan` CRs. The `ComplianceSuite` CR is handled by controller tagged with `logger=suitectrl`.
 This controller handles creating scans from a suite, reconciling and aggregating individual Scan statuses into a single Suite status. If a suite is set to execute periodically, the `suitectrl` also handles creating a `CronJob` CR that re-runs the scans in the suite after the initial run is done:
 
@@ -90,12 +109,15 @@ NAME                                           SCHEDULE    SUSPEND   ACTIVE   LA
 
 For the most important issues, events are emitted. View them with `oc describe compliancesuites/<name>`. The `Suite` objects also have a `Status` subresource that is updated when any of `Scan` objects that belong to this suite update their `Status` subresource. After all expected scans are created, control is passed to the scan controller.
 
-== `ComplianceScan` lifecycle and debugging
+[id="compliance-scan-lifecycle-debugging_{context}"]
+== ComplianceScan custom resource lifecycle and debugging
 The `ComplianceScan` CRs are handled by the `scanctrl` controller. This is also where the actual scans happen and the scan results are created. Each scan goes through several phases:
 
+[id="compliance-scan-pending-phase_{context}"]
 === Pending phase
 The scan is validated for correctness in this phase. If some parameters like storage size are invalid, the scan transitions to DONE with ERROR result, otherwise proceeds to the Launching phase.
 
+[id="compliance-scan-launching-phase_{context}"]
 === Launching phase
 In this phase, several config maps that contain either environment for the scanner pods or directly the script that the scanner pods will be evaluating. List the config maps:
 
@@ -128,6 +150,7 @@ rhcos4-e8-worker-ip-10-0-169-90.eu-north-1.compute.internal-pod   0/2     Comple
 At this point, the scan proceeds to the Running phase.
 ----
 
+[id="compliance-scan-running-phase_{context}"]
 === Running phase
 The running phase waits until the scanner pods finish. The following terms and processes are in use in the running phase:
 
@@ -139,7 +162,12 @@ The running phase waits until the scanner pods finish. The following terms and p
 +
 [source,terminal]
 ----
-      $ oc describe cm/rhcos4-e8-worker-ip-10-0-169-90.eu-north-1.compute.internal-pod
+$ oc describe cm/rhcos4-e8-worker-ip-10-0-169-90.eu-north-1.compute.internal-pod
+----
++
+.Example output
+[source,terminal]
+----
       Name:         rhcos4-e8-worker-ip-10-0-169-90.eu-north-1.compute.internal-pod
       Namespace:    openshift-compliance
       Labels:       compliance.openshift.io/scan-name-scan=rhcos4-e8-worker
@@ -169,6 +197,7 @@ Scanner pods for `Platform` scans are similar, except:
 
 When the scanner pods are done, the scans move on to the Aggregating phase.
 
+[id="compliance-scan-aggregating-phase_{context}"]
 === Aggregating phase
 In the aggregating phase, the scan controller spawns yet another pod called the aggregator pod. Its purpose it to take the result `ConfigMap` objects, read the results and for each check result create the corresponding Kubernetes object. If the check failure can be automatically remediated, a `ComplianceRemediation` object is created. To provide human-readable metadata for the checks and remediations, the aggregator pod also mounts the OpenSCAP content using an init container.
 
@@ -177,6 +206,11 @@ When a config map is processed by an aggregator pod, it is labeled the `complian
 [source,terminal]
 ----
 $ oc get compliancecheckresults -lcompliance.openshift.io/scan-name=rhcos4-e8-worker
+----
+
+.Example output
+[source,terminal]
+----
 NAME                                                       STATUS   SEVERITY
 rhcos4-e8-worker-accounts-no-uid-except-zero               PASS     high
 rhcos4-e8-worker-audit-rules-dac-modification-chmod        FAIL     medium
@@ -186,6 +220,11 @@ and `ComplianceRemediation` objects:
 [source,terminal]
 ----
 $ oc get complianceremediations -lcompliance.openshift.io/scan-name=rhcos4-e8-worker
+----
+
+.Example output
+[source,terminal]
+----
 NAME                                                       STATE
 rhcos4-e8-worker-audit-rules-dac-modification-chmod        NotApplied
 rhcos4-e8-worker-audit-rules-dac-modification-chown        NotApplied
@@ -197,6 +236,7 @@ rhcos4-e8-worker-audit-rules-execution-setfiles            NotApplied
 
 After these CRs are created, the aggregator pod exits and the scan moves on to the Done phase.
 
+[id="compliance-scan-done-phase_{context}"]
 === Done phase
 In the final scan phase, the scan resources are cleaned up if needed and the `ResultServer` deployment is either scaled down (if the scan was one-time) or deleted if the scan is continuous; the next scan instance would then recreate the deployment again.
 
@@ -209,7 +249,8 @@ $ oc annotate compliancescans/<scan_name> compliance.openshift.io/rescan=
 
 After the scan reaches the Done phase, nothing else happens on its own unless the remediations are set to be applied automatically with `autoApplyRemediations: true`. The {product-title} administrator would now review the remediations and apply them as needed. If the remediations are set to be applied automatically, the `ComplianceSuite` controller takes over in the Done phase, pauses the machine config pool to which the scan maps to and applies all the remediations in one go. If a remediation is applied, the `ComplianceRemediation` controller takes over.
 
-== `ComplianceRemediation` lifecycle and debugging
+[id="compliance-remediation-lifecycle-debugging_{context}"]
+== ComplianceRemediation controller lifecycle and debugging
 The example scan has reported some findings. One of the remediations can be enabled by toggling its `apply` attribute to `true`:
 
 [source,terminal]
@@ -224,6 +265,11 @@ The `MachineConfig` object always begins with `75-` and is named after the scan
 [source,terminal]
 ----
 $ oc get mc | grep 75-
+----
+
+.Example output
+[source,terminal]
+----
 75-rhcos4-e8-worker-my-companys-compliance-requirements                                                2.2.0             2m46s
 ----
 
@@ -232,6 +278,11 @@ The remediations the `mc` currently consists of are listed in the machine config
 [source,terminal]
 ----
 $ oc describe mc/75-rhcos4-e8-worker-my-companys-compliance-requirements
+----
+
+.Example output
+[source,terminal]
+----
 Name:         75-rhcos4-e8-worker-my-companys-compliance-requirements
 Labels:       machineconfiguration.openshift.io/role=worker
 Annotations:  remediation/rhcos4-e8-worker-audit-rules-dac-modification-chmod:
@@ -257,16 +308,21 @@ The scan will run and finish. Check for the remediation to pass:
 [source,terminal]
 ----
 $ oc get compliancecheckresults/rhcos4-e8-worker-audit-rules-dac-modification-chmod
+----
+
+.Example output
+[source,terminal]
+----
 NAME                                                  STATUS   SEVERITY
 rhcos4-e8-worker-audit-rules-dac-modification-chmod   PASS     medium
 ----
 
-// TODO: This shouldn't be a level one in this module
-= Useful labels
+[id="compliance-operator-useful-labels_{context}"]
+== Useful labels
 
-Each pod that is spawned by the compliance-operator is labeled specifically with the scan it belongs to and the work it does. The scan identifier is labeled with the `compliance.openshift.io/scan-name` label. The workload identifier is labeled with the `workload` label.
+Each pod that is spawned by the Compliance Operator is labeled specifically with the scan it belongs to and the work it does. The scan identifier is labeled with the `compliance.openshift.io/scan-name` label. The workload identifier is labeled with the `workload` label.
 
-The compliance-operator schedules the following workloads:
+The Compliance Operator schedules the following workloads:
 
 * *scanner*: Performs the compliance scan.
 
@@ -282,5 +338,5 @@ When debugging and logs are required for a certain workload, run:
 
 [source,terminal]
 ----
-$ oc logs -l workload=<workload_name> -c <container-name>
+$ oc logs -l workload=<workload_name> -c <container_name>
 ----

modules/compliance-apply-remediations-from-scans.adoc

@@ -0,0 +1,17 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-advanced.adoc
+
+[id="installing-compliance-operator-cli_{context}"]
+=  Applying remediations generated by suite scans
+
+Although you can use the `autoApplyRemediations` boolean parameter in a `ComplianceSuite` object, you can alternatively annotate the object with `compliance.openshift.io/apply-remediations`. This allows the Operator to apply all of the created remediations.
+
+.Procedure
+
+* Apply the `compliance.openshift.io/apply-remediations` annotation by running:
+
+[source,terminal]
+----
+$ oc annotate compliancesuites/<suite-_name> compliance.openshift.io/apply-remediations=
+----

modules/compliance-auto-update-remediations.adoc

@@ -0,0 +1,19 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-advanced.adoc
+
+[id="automatically-update-remediations_{context}"]
+=  Automatically update remediations
+
+In some cases, a scan with newer content might mark remediations as `OUTDATED`. As an administrator, you can apply the `compliance.openshift.io/remove-outdated` annotation to apply new remediations and remove the outdated ones.
+
+.Procedure
+
+* Apply the `compliance.openshift.io/remove-outdated` annotation:
+
+[source,terminal]
+----
+$ oc annotate compliancesuites/<suite_name> compliance.openshift.io/remove-outdated=
+----
+
+Alternatively, set the `autoUpdateRemediations` flag in a `ScanSetting` or `ComplianceSuite` object to update the remediations automatically.

modules/compliance-custom-storage.adoc

@@ -8,7 +8,7 @@ While the custom resources such as `ComplianceCheckResult` represent an aggregat
 
 A related parameter is `rawResultStorage.rotation` which controls how many scans are retained in the PV before the older scans are rotated. The default value is 3, setting the rotation policy to 0 disables the rotation. Given the default rotation policy and an estimate of 100MB per a raw ARF scan report, you can calculate the right PV size for your environment.
 
-
+[id="using-custom-result-storage-values_{context}"]
 == Using custom result storage values
 Because {product-title} can be deployed in a variety of public clouds or bare metal, the Compliance Operator cannot determine available storage configurations. By default, the Compliance Operator will try to create the PV for storing results using the default storage class of the cluster, but a custom storage class can be configured using the `rawResultStorage.StorageClassName` attribute.
 

modules/compliance-filtering-failed-results.adoc

@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-remediation.adoc
+
+[id="filtering-failed-compliance-check-results_{context}"]
+= Filters for failed compliance check results
+
+By default, the `ComplianceCheckResult` objects are labeled with several useful labels that allow you to query the checks and decide on the next steps after the results are generated.
+
+List checks that belong to a specific suite:
+
+[source,terminal]
+----
+$ oc get compliancecheckresults -l compliance.openshift.io/suite=example-compliancesuite
+----
+
+List checks that belong to a specific scan:
+
+[source,terminal]
+----
+$ oc get compliancecheckresults -l compliance.openshift.io/scan=example-compliancescan
+----
+
+Not all `ComplianceCheckResult` objects create `ComplianceRemediation` objects. Only `ComplianceCheckResult` objects that can be remediated automatically do. A `ComplianceCheckResult` object has a related remediation if it is labeled with the `compliance.openshift.io/automated-remediation` label. The name of the remediation is the same as the name of the check.
+
+List all failing checks that can be remediated automatically:
+
+[source,terminal]
+----
+$ oc get compliancecheckresults -l 'compliance.openshift.io/check-status=FAIL,compliance.openshift.io/automated-remmediation
+----
+
+List all failing checks that must be remediated manually:
+
+[source,terminal]
+----
+$ oc get compliancecheckresults -l 'compliance.openshift.io/check-status=FAIL,!compliance.openshift.io/automated-remediation
+----
+
+The manual remediation steps are typically stored in the `description` attribute in the `ComplianceCheckResult` object.

modules/compliance-inconsistent.adoc

@@ -4,18 +4,18 @@
 
 [id="compliance-inconsistent_{context}"]
 = Inconsistent remediations
-The `ScanSetting` lists the node roles that the compliance scans generated from the `ScanSetting` or `ScanSettingBinding` would scan. Each node role usually maps to a machine config pool.
+The `ScanSetting` object lists the node roles that the compliance scans generated from the `ScanSetting` or `ScanSettingBinding` objects would scan. Each node role usually maps to a machine config pool.
 
 [IMPORTANT]
 ====
-It is expected that all machines in a machine config pool are identical and all scan results from the nodes in a Pool should be identical.
+It is expected that all machines in a machine config pool are identical and all scan results from the nodes in a pool should be identical.
 ====
 
 If some of the results are different from others, the Compliance Operator flags a `ComplianceCheckResult` object where some of the nodes will report as `INCONSISTENT`. All `ComplianceCheckResult` objects are also labeled with `compliance.openshift.io/inconsistent-check`.
 
 Because the number of machines in a pool might be quite large, the Compliance Operator attempts to find the most common state and list the nodes that differ from the common state. The most common state is stored in the `compliance.openshift.io/most-common-status` annotation and the annotation `compliance.openshift.io/inconsistent-source` contains pairs of `hostname:status` of check statuses that differ from the most common status. If no common state can be found, all the `hostname:status` pairs are listed in the `compliance.openshift.io/inconsistent-source annotation`.
 
-If possible, a remediation is still created so that the cluster can converge to a compliant status. However, this might not always be possible and correcting the difference between nodes must be done manually. The `ComplianceScan` must be re-run to get a consistent result by annotating the scan with the `compliance.openshift.io/rescan=` option:
+If possible, a remediation is still created so that the cluster can converge to a compliant status. However, this might not always be possible and correcting the difference between nodes must be done manually. The compliance scan must be re-run to get a consistent result by annotating the scan with the `compliance.openshift.io/rescan=` option:
 
 [source,terminal]
 ----