Red Hat Advanced Cluster Management
ACM-3617

Incorrect complianceType from PolicyGenerator


    • Bug
    • Resolution: Done
    • Normal
    • ACM 2.8.0
    • ACM 2.7.0
    • GRC
    • None
    • 2
    • False
    • False
    • GRC Sprint 2023-05, GRC Sprint 2023-06
    • Moderate
    • No

      Description of problem:

      When the content of a file included in a policy is entirely commented out, the PolicyGenerator assigns the complianceType of that empty entry to the manifest that follows it.

      In the policy snippet below, if the content of "placeholder-test.yml" is commented out, the Policy created by the PolicyGenerator has the complianceType for "kubeadmin-removed.yml" set to mustonlyhave instead of the expected mustnothave.

        - name: with-placeholder
          remediationAction: enforce
          manifests: 
            - path: policies/kubeletconfig.yml
              complianceType: musthave
            - path: policies/placeholder-test.yml
              complianceType: mustonlyhave
            - path: policies/kubeadmin-removed.yml
              complianceType: mustnothave
      

      Version-Release number of selected component (if applicable):

      2.7

      How reproducible:

      Every time.

      Steps to Reproduce:

      See the attached example.

      Actual results:

            apiVersion: policy.open-cluster-management.io/v1
            kind: ConfigurationPolicy
            metadata: 
              name: with-placeholder
            spec: 
              object-templates: 
              - complianceType: musthave
                objectDefinition: 
                  apiVersion: machineconfiguration.openshift.io/v1
                  kind: KubeletConfig
                  metadata: 
                    name: 75-master-kubelet-ocp4-cis
                  spec: 
                    kubeletConfig: 
                      protectKernelDefaults: true
                      streamingConnectionIdleTimeout: 5m0s
                    machineConfigPoolSelector: 
                      matchLabels: 
                        pools.operator.machineconfiguration.openshift.io/master: ""
              - complianceType: mustonlyhave   <<<<<<<<<<----------------------------------->>>>>>>>>>>>
                objectDefinition: 
                  apiVersion: v1
                  kind: Secret
                  metadata: 
                    name: kubeadmin
                    namespace: kube-system
                  type: Opaque
              remediationAction: enforce
              severity: low
        remediationAction: enforce
      
      

      Expected results:

            apiVersion: policy.open-cluster-management.io/v1
            kind: ConfigurationPolicy
            metadata: 
              name: only-real-code
            spec: 
              object-templates: 
              - complianceType: musthave
                objectDefinition: 
                  apiVersion: machineconfiguration.openshift.io/v1
                  kind: KubeletConfig
                  metadata: 
                    name: 75-master-kubelet-ocp4-cis
                  spec: 
                    kubeletConfig: 
                      protectKernelDefaults: true
                      streamingConnectionIdleTimeout: 5m0s
                    machineConfigPoolSelector: 
                      matchLabels: 
                        pools.operator.machineconfiguration.openshift.io/master: ""
              - complianceType: mustnothave  <<<<<<<<<<----------------------------------->>>>>>>>>>>>
                objectDefinition: 
                  apiVersion: v1
                  kind: Secret
                  metadata: 
                    name: kubeadmin
                    namespace: kube-system
                  type: Opaque
              remediationAction: enforce
              severity: low
        remediationAction: enforce
      
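The following check is an added example, not the PolicyGenerator's own code. It models each entry under manifests with its declared complianceType and its file content, derives the object-templates a correct generator should emit (a comment-only file contributes nothing, and every document keeps the complianceType of its own entry), and diffs that against what was actually generated. The struct names, the minimal YAML handling and the sample file contents are assumptions made for the example; the three manifest paths with their complianceTypes and the two generated templates are taken from this report.

```go
package main

import (
	"fmt"
	"strings"
)

// ManifestEntry mirrors one item under "manifests:" in a PolicyGenerator
// config. Content stands in for the file on disk so the example is
// self-contained (assumption made for this example).
type ManifestEntry struct {
	Path           string
	ComplianceType string
	Content        string
}

// ObjectTemplate is the part of a generated object-templates entry that
// this check compares: the complianceType and the embedded object's kind.
type ObjectTemplate struct {
	ComplianceType string
	Kind           string
}

// isCommentOnly reports whether a YAML document has nothing but blank
// lines, comments and document separators, i.e. it is commented out.
func isCommentOnly(doc string) bool {
	for _, line := range strings.Split(doc, "\n") {
		t := strings.TrimSpace(line)
		if t != "" && t != "---" && !strings.HasPrefix(t, "#") {
			return false
		}
	}
	return true
}

// splitDocuments splits a file on "---" separators and drops the
// documents that are commented out.
func splitDocuments(content string) []string {
	var docs []string
	for _, doc := range strings.Split(content, "\n---") {
		if !isCommentOnly(doc) {
			docs = append(docs, strings.TrimSpace(doc))
		}
	}
	return docs
}

// kindOf reads the top-level "kind:" of a document without a YAML
// library; enough for the constructed sample below.
func kindOf(doc string) string {
	for _, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(line, "kind:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "kind:"))
		}
	}
	return ""
}

// ExpectedTemplates derives what a correct generator should emit: each
// real document takes the complianceType declared on its own manifest
// entry, and a comment-only file contributes no template at all.
func ExpectedTemplates(entries []ManifestEntry) []ObjectTemplate {
	var out []ObjectTemplate
	for _, e := range entries {
		for _, doc := range splitDocuments(e.Content) {
			out = append(out, ObjectTemplate{ComplianceType: e.ComplianceType, Kind: kindOf(doc)})
		}
	}
	return out
}

// CheckGenerated returns one line per mismatch between the expected and
// the generated templates; an empty result means the Policy is consistent
// with the generator config.
func CheckGenerated(expected, actual []ObjectTemplate) []string {
	var problems []string
	if len(expected) != len(actual) {
		problems = append(problems, fmt.Sprintf("template count: got %d, want %d", len(actual), len(expected)))
	}
	for i := 0; i < len(expected) && i < len(actual); i++ {
		if expected[i] != actual[i] {
			problems = append(problems, fmt.Sprintf("template %d: got %s %s, want %s %s",
				i, actual[i].ComplianceType, actual[i].Kind, expected[i].ComplianceType, expected[i].Kind))
		}
	}
	return problems
}

// SampleEntries are the three manifests from the report; the file
// contents are constructed, with placeholder-test.yml fully commented out.
func SampleEntries() []ManifestEntry {
	return []ManifestEntry{
		{Path: "policies/kubeletconfig.yml", ComplianceType: "musthave",
			Content: "apiVersion: machineconfiguration.openshift.io/v1\nkind: KubeletConfig\nmetadata:\n  name: 75-master-kubelet-ocp4-cis\n"},
		{Path: "policies/placeholder-test.yml", ComplianceType: "mustonlyhave",
			Content: "# apiVersion: v1\n# kind: ConfigMap\n# metadata:\n#   name: placeholder\n"},
		{Path: "policies/kubeadmin-removed.yml", ComplianceType: "mustnothave",
			Content: "apiVersion: v1\nkind: Secret\nmetadata:\n  name: kubeadmin\n  namespace: kube-system\ntype: Opaque\n"},
	}
}

// ActualFromReport is what the "Actual results" section above shows.
func ActualFromReport() []ObjectTemplate {
	return []ObjectTemplate{{"musthave", "KubeletConfig"}, {"mustonlyhave", "Secret"}}
}

func main() {
	for _, p := range CheckGenerated(ExpectedTemplates(SampleEntries()), ActualFromReport()) {
		fmt.Println("MISMATCH:", p)
	}
}
```

Run against the report's data the check prints one mismatch for template 1 (got mustonlyhave Secret, want mustnothave Secret). Running a check like this on generated Policies before they are committed or applied matters with remediationAction: enforce, because a mustnothave template removes the kubeadmin Secret while a mustonlyhave template requires it to exist, so the wrong complianceType inverts the intent of the policy.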

      Additional info:

              rh-ee-dhaiduce Dale Haiducek
              rhn-support-bjarvis Brian Jarvis
              Derek Ho Derek Ho
              Votes: 0
              Watchers: 3