| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * security/compliance_operator/compliance-scans.adoc |
| 4 | + |
| 5 | +[id="running-compliance-scans-worker-node_{context}"] |
| 6 | += Scheduling the result server pod on a worker node |
| 7 | + |
| 8 | +The result server pod mounts the persistent volume (PV) that stores the raw Asset Reporting Format (ARF) scan results. The `nodeSelector` and `tolerations` attributes enable you to configure the location of the result server pod. |
| 9 | + |
| 10 | +This is helpful for those environments where control plane nodes are not permitted to mount persistent volumes. |
| 11 | + |
| 12 | +.Procedure |
| 13 | +* Create a `ScanSetting` custom resource (CR) for the Compliance Operator: |
| 14 | +.. Define the `ScanSetting` CR, and save the YAML file, for example, `rs-workers.yaml`: |
| 15 | ++ |
| 16 | +[source,yaml] |
| 17 | +---- |
| 18 | +apiVersion: compliance.openshift.io/v1alpha1 |
| 19 | +kind: ScanSetting |
| 20 | +metadata: |
| 21 | + name: rs-on-workers |
| 22 | + namespace: openshift-compliance |
| 23 | +rawResultStorage: |
| 24 | + nodeSelector: |
| 25 | + node-role.kubernetes.io/worker: "" <1> |
| 26 | + pvAccessModes: |
| 27 | + - ReadWriteOnce |
| 28 | + rotation: 3 |
| 29 | + size: 1Gi |
| 30 | + tolerations: |
| 31 | + - operator: Exists <2> |
| 32 | +roles: |
| 33 | +- worker |
| 34 | +- master |
| 35 | +scanTolerations: |
| 36 | + - operator: Exists |
| 37 | +schedule: 0 1 * * * |
| 38 | +---- |
| 39 | +<1> The Compliance Operator uses this node to store scan results in ARF format. |
| 40 | +<2> The result server pod tolerates all taints. |
| 41 | + |
| 42 | +.. To create the `ScanSetting` CR, run the following command: |
| 43 | ++ |
| 44 | +[source,terminal] |
| 45 | +---- |
| 46 | +$ oc create -f rs-workers.yaml |
| 47 | +---- |
| 48 | + |
| 49 | +.Verification |
| 50 | + |
| 51 | +* To verify that the `ScanSetting` object is created, run the following command: |
| 52 | ++ |
| 53 | +[source,terminal] |
| 54 | +---- |
| 55 | +$ oc get scansettings rs-on-workers -n openshift-compliance -o yaml |
| 56 | +---- |
| 57 | ++ |
| 58 | +.Example output |
| 59 | +[source,terminal] |
| 60 | +---- |
| 61 | +apiVersion: compliance.openshift.io/v1alpha1 |
| 62 | +kind: ScanSetting |
| 63 | +metadata: |
| 64 | + creationTimestamp: "2021-11-19T19:36:36Z" |
| 65 | + generation: 1 |
| 66 | + name: rs-on-workers |
| 67 | + namespace: openshift-compliance |
| 68 | + resourceVersion: "48305" |
| 69 | + uid: 43fdfc5f-15a7-445a-8bbc-0e4a160cd46e |
| 70 | +rawResultStorage: |
| 71 | + nodeSelector: |
| 72 | + node-role.kubernetes.io/worker: "" |
| 73 | + pvAccessModes: |
| 74 | + - ReadWriteOnce |
| 75 | + rotation: 3 |
| 76 | + size: 1Gi |
| 77 | + tolerations: |
| 78 | + - operator: Exists |
| 79 | +roles: |
| 80 | +- worker |
| 81 | +- master |
| 82 | +scanTolerations: |
| 83 | +- operator: Exists |
| 84 | +schedule: 0 1 * * * |
| 85 | +strictNodeScan: true |
| 86 | +---- |
| 87 | + |
| 88 | + |
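Review bot: the `<1>` callout after the first YAML block ("The Compliance Operator uses this node to store scan results in ARF format.") is misleading, because `node-role.kubernetes.io/worker: ""` is a label selector that matches any worker node rather than one particular node; suggest rewording it to "The result server pod is scheduled on a node that carries this label, and the PV holding the ARF results is mounted there." Two smaller points in the same hunk: the verification output contains `strictNodeScan: true`, which is not in `rs-workers.yaml` and is filled in by the operator when the object is created, so a short sentence after ".Example output" noting that defaulted fields appear in the stored object would stop readers thinking their file was applied incorrectly; and `scanTolerations` is indented differently in the two blocks (` - operator: Exists` in the input, `- operator: Exists` in the output), which is valid YAML either way but worth aligning so the output can be compared against the input line by line.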