openshift / compliance-operator

Operator providing OpenShift cluster compliance checks
Apache License 2.0
110 stars 110 forks

Add option to make scan scheduling strict/not strict #734

Closed JAORMX closed 3 years ago

JAORMX commented 3 years ago

Currently, when dealing with node scans, we only allow the scan to go forward if the node is not unschedulable (via the unschedulable flag of the Node object). However, for public cloud cases where there might be a lot of ephemeral nodes (e.g. when a node autoscaler is being used), this is not ideal as it's very difficult to do scans. On the other hand, if a node became unready while the scan was ongoing, we also return a similar error.

So, to deal with this, the PR introduces the option `strictNodeScan`, which enables an administrator to toggle whether we want to be strict when getting results of a scan.

The default is true, which is the setting we were using before. However, when set to false, the scan will not fail if a node is set to unschedulable and will ignore "unschedulable" errors on the scan pods, thus allowing us to still get a subset of scans.

Signed-off-by: Juan Antonio Osorio Robles jaosorior@redhat.com
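
A minimal sketch of the strict / not-strict rule described in the pull request description above, added here as an illustration and not taken from the operator's code; the `Node` and `Plan` types and the `PlanNodeScan` function are hypothetical. It returns the skipped nodes as well, so the coverage gap of a non-strict scan stays visible to whoever reads the results.

```go
package main

import (
	"errors"
	"fmt"
)

// Node is a simplified stand-in for the part of a Kubernetes Node object
// that matters here (hypothetical type, not the operator's own).
type Node struct {
	Name          string
	Unschedulable bool // mirrors the Node's unschedulable flag
}

// ErrUnschedulable is what a strict scan returns for an unschedulable node.
var ErrUnschedulable = errors.New("node is unschedulable")

// Plan records which nodes a scan will cover and which it skipped.
type Plan struct {
	Scan    []string
	Skipped []string
}

// PlanNodeScan applies the rule from the description: a strict scan fails
// on the first unschedulable node, a non-strict scan skips that node and
// keeps the rest, so the result covers only a subset of the nodes.
func PlanNodeScan(nodes []Node, strictNodeScan bool) (Plan, error) {
	var p Plan
	for _, n := range nodes {
		if !n.Unschedulable {
			p.Scan = append(p.Scan, n.Name)
			continue
		}
		if strictNodeScan {
			return Plan{}, fmt.Errorf("%s: %w", n.Name, ErrUnschedulable)
		}
		p.Skipped = append(p.Skipped, n.Name)
	}
	return p, nil
}

func main() {
	// Constructed sample: three workers, one of them unschedulable.
	nodes := []Node{{"worker-a", false}, {"worker-b", true}, {"worker-c", false}}
	for _, strict := range []bool{true, false} {
		p, err := PlanNodeScan(nodes, strict)
		fmt.Printf("strictNodeScan=%v scan=%v skipped=%v err=%v\n", strict, p.Scan, p.Skipped, err)
	}
}
```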

JAORMX commented 3 years ago

/test all

JAORMX commented 3 years ago

/hold

JAORMX commented 3 years ago

/assign @pdhamdhe

JAORMX commented 3 years ago

Pull-request updated, HEAD is now c65cd9da4336cf4ef1abcaafb21ef2e63d84e9c2

pdhamdhe-zz commented 3 years ago

/approve
/hold cancel

openshift-ci[bot] commented 3 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JAORMX, mrogers950, pdhamdhe

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/compliance-operator/blob/master/OWNERS)~~ [JAORMX,mrogers950,pdhamdhe]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.