Bug
Resolution: Done-Errata
Critical
None
4.13.0
Description of problem:
Rule upstream-ocp4-kubelet-enable-protect-kernel-sysctl-file-exist fails on rhel9-based RHCOS systems
Version-Release number of selected component (if applicable):
4.13.0-0.nightly-2023-05-11-225357
How reproducible:
Always
Steps to Reproduce:
1. Install Compliance Operator
2. Deploy content from the upstream repo git@github.com:ComplianceAsCode/content.git
3. Create a ScanSettingBinding (ssb):
   $ oc compliance bind -N test profile/upstream-ocp4-stig profile/upstream-ocp4-stig-node
   Creating ScanSettingBinding test
Actual results:
The rule upstream-ocp4-kubelet-enable-protect-kernel-sysctl-file-exist will FAIL by default. Per its instructions, the rule checks whether the file /etc/sysctl.d/90-kubelet.conf exists on the nodes.

$ oc get ccr | grep kubelet-enable-protect-kernel-sysctl-file-exist
upstream-ocp4-stig-node-master-kubelet-enable-protect-kernel-sysctl-file-exist   FAIL   medium
upstream-ocp4-stig-node-worker-kubelet-enable-protect-kernel-sysctl-file-exist   FAIL   medium

$ oc get ccr upstream-ocp4-stig-node-master-kubelet-enable-protect-kernel-sysctl-file-exist -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ sudo [ -f /etc/sysctl.d/90-kubelet.conf ] && echo "Exists" || echo "Not Exists"
The output should return Exists.
Expected results:
The rule upstream-ocp4-kubelet-enable-protect-kernel-sysctl-file-exist should PASS on rhel9-based RHCOS systems. On rhel8 the file exists (after auto-remediation is applied); on rhel9 it does not exist.
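As an added illustration (example code, not the rule's own logic from ComplianceAsCode and not a proposed fix for this bug), the file test quoted in the instructions is wrapped with a value-based fallback, so a node whose kernel settings are applied from somewhere other than 90-kubelet.conf is not reported as failing merely because that file is absent. The expected sysctl keys and values, and reading the live values from a saved `sysctl -a` dump rather than the running kernel, are assumptions made here so the check runs offline.

```shell
# Added example; not from the bug report or the ComplianceAsCode content.
# Assumption: these are the sysctls kubelet enforces for protectKernelDefaults
# and that the 90-kubelet.conf drop-in is expected to carry.
EXPECTED_SYSCTLS='vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxkeys=1000000
kernel.keys.root_maxbytes=25000000'

# The check quoted in the rule's instructions, with the path as a parameter
# ($1; the rule itself uses /etc/sysctl.d/90-kubelet.conf).
file_exists_check() {
  [ -f "$1" ] && echo "Exists" || echo "Not Exists"
}

# Value-based check that does not depend on where the settings came from.
# $1: file of "key = value" lines, e.g. saved output of `sysctl -a`.
# Prints one MISMATCH line per wrong or missing key; returns 0 only when
# every expected key holds its expected value.
sysctl_values_check() {
  dump=$1
  rc=0
  for entry in $EXPECTED_SYSCTLS; do
    key=${entry%%=*}
    want=${entry#*=}
    # Exact key match; the last occurrence in the dump wins.
    got=$(awk -F' *= *' -v k="$key" '$1 == k { v = $2 } END { print v }' "$dump")
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $key: want $want, got ${got:-<unset>}"
      rc=1
    fi
  done
  return $rc
}

# PASS when the drop-in exists (the rhel8 case in the report) or, when it
# does not (the rhel9 case), when the effective values are still correct.
# $1: drop-in path, $2: sysctl dump path.
rule_status() {
  if [ -f "$1" ]; then
    echo PASS
  elif sysctl_values_check "$2" >/dev/null; then
    echo PASS
  else
    echo FAIL
  fi
}
```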
Additional info:
Links to: RHBA-2024:129828 openshift-compliance-operator bug fix and/or enhancement update