Red Hat OpenShift Compliance Operator – Report


In my previous posts, I shared an overview of the Red Hat OpenShift Compliance Operator, its installation procedure, and how to trigger compliance scans and remediations. In this post, I will discuss how to generate an HTML report for the scan results.


In order to generate a report:

  1. The compliance scan must be complete, with the results stored on a persistent volume (PV).
  2. Sudo or root access to install the openscap utilities package on the bastion host.


After the compliance scan completes, the results are stored on the underlying persistent storage through a PV object. To extract the results from the PV to the jump host, create a pod that mounts the same PVCs used by the compliance pods.

In the example below, I have mounted the individual PVCs used for the ocp4-cis, ocp4-cis-master-node and ocp4-cis-worker-node scan results.

$ vi results-extract.yaml

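apiVersion: "v1"
kind: Pod
metadata:
  name: pv-extract
spec:
  containers:
    - name: pv-extract-pod
      # Assumed image: the image line is missing from this listing.
      # Any image that provides a shell and tar (needed by "oc cp") works.
      image: registry.access.redhat.com/ubi8/ubi
      command: ["sleep", "3000"]
      volumeMounts:
      - mountPath: "/workers-scan-results"
        name: workers-scan-vol
      - mountPath: "/masters-scan-results"
        name: masters-scan-vol
      - mountPath: "/cis-scan-results"
        name: cis-scan-vol
  volumes:
    - name: workers-scan-vol
      persistentVolumeClaim:
        claimName: ocp4-cis-node-worker
    - name: masters-scan-vol
      persistentVolumeClaim:
        claimName: ocp4-cis-node-master
    - name: cis-scan-vol
      persistentVolumeClaim:
        claimName: ocp4-cis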

Create the pod and wait for it to start.

$ oc create -f results-extract.yaml -n openshift-compliance

$ oc get pods -n openshift-compliance

Once the pod is in the Running state, create three directories on the jump host to store the scan results locally. Run the “oc cp” command to copy the results from the PVs to the local host.

$ mkdir master-scan-results worker-scan-results cis-scan-results

$ oc cp pv-extract:/masters-scan-results -n openshift-compliance ./master-scan-results
tar: Removing leading `/' from member names

$ oc cp pv-extract:/workers-scan-results -n openshift-compliance ./worker-scan-results
tar: Removing leading `/' from member names

$ oc cp pv-extract:/cis-scan-results -n openshift-compliance ./cis-scan-results
tar: Removing leading `/' from member names

$ ls *-scan-results/*/

ocp4-cis-node-master-master1-pod.xml.bzip2  ocp4-cis-node-master-master2-pod.xml.bzip2  ocp4-cis-node-master-master3-pod.xml.bzip2

ocp4-cis-node-worker-master1-pod.xml.bzip2  ocp4-cis-node-worker-master2-pod.xml.bzip2  ocp4-cis-node-worker-master3-pod.xml.bzip2

Once the results are extracted, install the openscap-utils package on the jump host to generate the report.

$ yum install -y openscap-utils

$ oscap xccdf generate report ./cis-scan-results/0/ocp4-cis-api-checks-pod.xml.bzip2 >> ./cis-scan-results/0/cis-scan-results.html

Review the HTML report and verify the results.
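
A quick tally to cross-check the HTML report, as an added example that is not part of the original post: it reads one extracted result file (bzip2-compressed or plain) and counts each `rule-result` outcome, listing the rules that need review. The sample document and its rule IDs are constructed, and matching on element local names rather than a fixed XCCDF namespace is an assumption.

```python
import bz2
import collections
import sys
import xml.etree.ElementTree as ET

# Outcomes worth a second look; XCCDF also defines pass, notapplicable, notchecked, ...
NEEDS_REVIEW = {"fail", "error", "unknown"}

def local(tag):
    """Drop the '{namespace}' prefix so the match does not depend on the XCCDF version."""
    return tag.rsplit("}", 1)[-1]

def summarize(data):
    """Return (counts per outcome, sorted rule ids needing review) for one result file."""
    if data[:3] == b"BZh":  # bzip2 magic bytes, as in the extracted *.xml.bzip2 files
        data = bz2.decompress(data)
    counts, review = collections.Counter(), []
    # Scan output from your own cluster is trusted input; for XML from anywhere
    # else, parse with a hardened parser such as defusedxml instead.
    for elem in ET.fromstring(data).iter():
        if local(elem.tag) != "rule-result":
            continue
        texts = [c.text.strip() for c in elem if local(c.tag) == "result" and c.text]
        outcome = texts[0] if texts else "unknown"
        counts[outcome] += 1
        if outcome in NEEDS_REVIEW:
            review.append(elem.get("idref", "<no idref>"))
    return dict(counts), sorted(review)

# Constructed sample in the shape of an ARF wrapper around an XCCDF TestResult.
SAMPLE = bz2.compress(b"""
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <arf:reports><arf:report id="constructed"><arf:content>
    <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="constructed">
      <rule-result idref="constructed_rule_a"><result>pass</result></rule-result>
      <rule-result idref="constructed_rule_b"><result>fail</result></rule-result>
      <rule-result idref="constructed_rule_c"><result>notapplicable</result></rule-result>
    </TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>
""")

if __name__ == "__main__":
    # With no arguments, summarize the constructed sample; otherwise each given file.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("SAMPLE", SAMPLE)]
    for name, blob in inputs:
        counts, review = summarize(blob)
        print(name, counts)
        for rule_id in review:
            print("  review:", rule_id)
```

Pass the extracted result files as arguments to get one summary line per file, followed by the rule IDs to look up in the HTML report.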

NOTE: Once the report is generated, delete the pod. If you leave the pod running, the operator won’t be able to start the scan and store the results, because the PV is still bound to the other pod.


In this post, I have shared how to generate an HTML report for the compliance scan performed on the OpenShift cluster.

I hope this series on the Red Hat OpenShift Compliance Operator helps you better understand the operator, run scans and keep the cluster compliant. Feel free to leave your comments/feedback.


Platform Consultant - OpenShift/Kubernetes


1 Response

  1. Nagarjuna says:

    Very Detailed and useful information Anand, thank you for sharing
