-
Bug
-
Resolution: Done
-
Major
-
ACM 2.7.3
-
1
-
False
-
None
-
False
-
No
-
-
-
GRC Sprint 2023-15
Description of problem:
We have a Policy which creates a Secrets. The secret is not changed on the system:
oc get secret -n openshift-config NAME TYPE DATA AGE htpasswd-secret Opaque 1 30h
Checking the compliance history we see changes (every minute) according to evaluation interval (which is 1 minute)
The non-compliance result must be very short
this is the Policy:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
annotations:
argocd.argoproj.io/compare-options: IgnoreExtraneous
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"policy.open-cluster-management.io/v1","kind":"Policy","metadata":{"annotations":{"argocd.argoproj.io/compare-options":"IgnoreExtraneous","policy.open-cluster-management.io/categories":"CM Configuration Management","policy.open-cluster-management.io/controls":"CM-2 Baseline Configuration","policy.open-cluster-management.io/standards":"NIST SP 800-53"},"labels":{"app.kubernetes.io/instance":"openshift-provisioning","open-cluster-management.io/policy-set":"openshift-provisioning"},"name":"policy-config-oauth-hub","namespace":"policies"},"spec":{"disabled":false,"policy-templates":[{"objectDefinition":{"apiVersion":"policy.open-cluster-management.io/v1","kind":"ConfigurationPolicy","metadata":{"name":"policy-config-oauth-hub"},"spec":{"evaluationInterval":{"compliant":"1m","noncompliant":"1m"},"object-templates":[{"complianceType":"musthave","objectDefinition":{"apiVersion":"config.openshift.io/v1","kind":"OAuth","metadata":{"name":"cluster"},"spec":{"identityProviders":[{"htpasswd":{"fileData":{"name":"htpasswd-secret"}},"mappingMethod":"claim","name":"HTPasswd","type":"HTPasswd"}]}}},{"complianceType":"musthave","objectDefinition":{"apiVersion":"v1","kind":"Secret","metadata":{"name":"htpasswd-secret","namespace":"openshift-config"},"stringData":{"htpasswd":"alice:$2y$05$1q.7/6IRjJsQ/TwmZD3.dO.kRMORQxntStWrFnrufZtEequfNGD1a\nbob:$2y$05$jo2bKJdPPw9G0D7Xwdht3e5Bf9TQvIEbHoKjSrH/VyN1Pu5SlwXri\neve:$2y$05$NAgUWXKiD2EMDFIh8RcWbO7S.LJ0MGsWZCZFyf8puJGHAHyk3eFEy\n"}}}],"pruneObjectBehavior":"None","remediationAction":"enforce","severity":"medium"}}}],"remediationAction":"enforce"}}
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
policy.open-cluster-management.io/standards: NIST SP 800-53
creationTimestamp: "2023-04-19T00:22:45Z"
generation: 1
labels:
app.kubernetes.io/instance: openshift-provisioning
open-cluster-management.io/policy-set: openshift-provisioning
managedFields:
- apiVersion: policy.open-cluster-management.io/v1
fieldsType: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.: {}
f:argocd.argoproj.io/compare-options: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:policy.open-cluster-management.io/categories: {}
f:policy.open-cluster-management.io/controls: {}
f:policy.open-cluster-management.io/standards: {}
f:labels:
.: {}
f:app.kubernetes.io/instance: {}
f:open-cluster-management.io/policy-set: {}
f:spec:
.: {}
f:disabled: {}
f:policy-templates: {}
f:remediationAction: {}
manager: argocd-controller
operation: Update
time: "2023-04-19T00:22:45Z"
- apiVersion: policy.open-cluster-management.io/v1
fieldsType: FieldsV1
fieldsV1:
f:status:
.: {}
f:compliant: {}
f:placement: {}
f:status: {}
manager: governance-policy-propagator
operation: Update
subresource: status
time: "2023-04-20T06:42:53Z"
name: policy-config-oauth-hub
namespace: policies
resourceVersion: "2948015"
uid: 0fbb6207-4044-4017-9112-a4840c1f208c
spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-config-oauth-hub
spec:
evaluationInterval:
compliant: 1m
noncompliant: 1m
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- htpasswd:
fileData:
name: htpasswd-secret
mappingMethod: claim
name: HTPasswd
type: HTPasswd
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Secret
metadata:
name: htpasswd-secret
namespace: openshift-config
stringData:
htpasswd: |
alice:$2y$05$1q.7/6IRjJsQ/TwmZD3.dO.kRMORQxntStWrFnrufZtEequfNGD1a
bob:$2y$05$jo2bKJdPPw9G0D7Xwdht3e5Bf9TQvIEbHoKjSrH/VyN1Pu5SlwXri
eve:$2y$05$NAgUWXKiD2EMDFIh8RcWbO7S.LJ0MGsWZCZFyf8puJGHAHyk3eFEy
pruneObjectBehavior: None
remediationAction: enforce
severity: medium
remediationAction: enforce
status:
compliant: Compliant
placement:
- placement: placement-hub-clusters
placementBinding: binding-policy-cluster-provisioning3
policySet: policyset-hub-clusters
status:
- clustername: local-cluster
clusternamespace: local-cluster
compliant: Compliant
logs from the PolicyController will be attached
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
- ...
Actual results:
Expected results:
Additional info:
- clones
-
-
- Closed
-
