Bug
Resolution: Done
Normal
Quality / Stability / Reliability
CMP Sprint 105, CMP Sprint 106, CMP Sprint 107
Description of problem:
The remediation for updating TLS ciphers for the kubeapi server is broken because the Compliance Operator is missing permissions.
Version-Release number of selected component (if applicable):
1.7.0 or the latest development content for the Compliance Operator (1.7.1-dev)
How reproducible:
100%
Steps to Reproduce:
1. Run a profile with the kubelet-configure-tls-cipher-suites-kubeapiserver-operator rule
2. Apply the remediation
Actual results:
Compliance Operator errors out trying to apply the remediation due to permission issues:
$ oc get rems platform-kubelet-configure-tls-cipher-suites-kubeapiserver-operator -ojson | jq .status
{
  "applicationState": "Error",
  "errorMessage": "Unable to get fix object from ComplianceRemediation. Please update the compliance-operator's permissions: kubeapiservers.operator.openshift.io \"cluster\" is forbidden: User \"system:serviceaccount:openshift-compliance:compliance-operator\" cannot get resource \"kubeapiservers\" in API group \"operator.openshift.io\" at the cluster scope"
}
Expected results:
The remediation should apply successfully.
Additional info:
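The following is an added example, not part of the original report and not the Compliance Operator's code: it parses the remediation status shown under "Actual results" and derives the narrowest RBAC rule the denial implies, plus an `oc auth can-i` command to confirm the gap. The function name `rbac_gap` and the output layout are assumptions made for illustration; the sample status is re-typed from the report.

```python
import json
import re

# Shape of a Kubernetes authorization denial as it appears in errorMessage.
FORBIDDEN = re.compile(
    r'(?:"(?P<name>[^"]+)" )?is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

# The .status object from the report above, re-typed so the example runs offline.
SAMPLE_STATUS = r'''{
  "applicationState": "Error",
  "errorMessage": "Unable to get fix object from ComplianceRemediation. Please update the compliance-operator's permissions: kubeapiservers.operator.openshift.io \"cluster\" is forbidden: User \"system:serviceaccount:openshift-compliance:compliance-operator\" cannot get resource \"kubeapiservers\" in API group \"operator.openshift.io\" at the cluster scope"
}'''


def rbac_gap(status_json):
    """Return the rule and can-i check implied by a failed remediation, or None."""
    status = json.loads(status_json)
    if status.get("applicationState") != "Error":
        return None
    m = FORBIDDEN.search(status.get("errorMessage", ""))
    if m is None:
        return None  # an error, but not an authorization denial
    resource, _, subresource = m["resource"].partition("/")
    rule = {"apiGroups": [m["group"]], "resources": [m["resource"]], "verbs": [m["verb"]]}
    target = resource + ("." + m["group"] if m["group"] else "")
    if m["name"]:
        rule["resourceNames"] = [m["name"]]  # scope the grant to the one named object
        target += "/" + m["name"]
    check = ["oc", "auth", "can-i", m["verb"], target, "--as=" + m["user"]]
    if subresource:
        check.append("--subresource=" + subresource)
    if m["namespace"]:
        check += ["-n", m["namespace"]]
    return {
        "kind": "Role" if m["namespace"] else "ClusterRole",
        "rule": rule,
        "check": " ".join(check),
    }


if __name__ == "__main__":
    print(json.dumps(rbac_gap(SAMPLE_STATUS), indent=2))
```

The derived rule covers only the single verb and object named in the error message; it says nothing about other verbs the remediation may need once the `get` succeeds.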