- Feature
- Resolution: Unresolved
- Future Sustainability
When using the Compliance Operator with the OCP4-CIS profile, some rules meant for control plane components (like API server or etcd) are being checked on all nodes, including worker nodes. Since these components don’t exist on worker nodes, the scan shows the result as NOT APPLICABLE for those rules.
While this is correct, it can confuse users and clutter the compliance reports. The customer expects the operator to automatically run control plane checks only on master nodes, and not evaluate them at all on worker nodes.
Currently, this behavior can only be achieved by:
- Creating separate scan settings for master and worker nodes
- Using tailored profiles to manually disable rules
This setup requires extra effort and isn't ideal for customers using the operator.
The customer is requesting a built-in enhancement where the Compliance Operator:
- Detects node roles (master/worker)
- Applies rules only to the appropriate nodes
- Avoids showing NOT APPLICABLE results
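
The manual workaround described above, sketched as an added example (not taken from the issue or from the Compliance Operator project). It assumes the node-level CIS rules come from the `ocp4-cis-node` profile and that the operator runs in `openshift-compliance`; the `cis-*` object names are hypothetical, and the disabled rule name is a placeholder to be filled from the rules that report NOT APPLICABLE on workers.

```yaml
# Added example: one ScanSetting per node role, plus a worker-only TailoredProfile.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata: {name: cis-masters, namespace: openshift-compliance}   # hypothetical name
roles: [master]
---
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata: {name: cis-workers, namespace: openshift-compliance}   # hypothetical name
roles: [worker]
---
# Worker variant of the node profile with the control plane rules switched off.
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata: {name: cis-node-workers, namespace: openshift-compliance}
spec:
  extends: ocp4-cis-node
  title: CIS node checks without control plane rules
  description: ocp4-cis-node with control plane rules disabled for worker scans
  disableRules:
    - name: "<control-plane-rule-name>"   # placeholder; add one entry per rule
      rationale: Component does not run on worker nodes
---
# Masters are scanned with the unmodified node profile.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata: {name: cis-masters, namespace: openshift-compliance}
profiles:
  - {name: ocp4-cis-node, kind: Profile, apiGroup: compliance.openshift.io/v1alpha1}
settingsRef: {name: cis-masters, kind: ScanSetting, apiGroup: compliance.openshift.io/v1alpha1}
---
# Workers are scanned with the tailored profile only.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata: {name: cis-workers, namespace: openshift-compliance}
profiles:
  - {name: cis-node-workers, kind: TailoredProfile, apiGroup: compliance.openshift.io/v1alpha1}
settingsRef: {name: cis-workers, kind: ScanSetting, apiGroup: compliance.openshift.io/v1alpha1}
```

The `disableRules` list has to be maintained by hand as the profile content changes, which is the extra effort the request asks the operator to remove.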