Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: 4.13.z
Component/s: Compliance Operator
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
No
Epic Link:
co-1.2.0-bugs

Target Backport Versions:
None
Target Version:

4.14.0
Release Blocker:
None
Sprint:
CMP Sprint 68, CMP Sprint 69
sprint_count:
2

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Technical Impact:
PX Impact Range:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

When scanning from mgmt cluster on a aws-ipi-ovn-hypershift-mce cluster, rule ocp4-api-server-encryption-provider-cipher return FAIL while it should PASS. $ oc get ccr -l compliance.openshift.io/check-status=FAIL
$ oc get ccr -l compliance.openshift.io/check-status=FAIL
NAME                                                             STATUS   SEVERITY
hypershift-cismzv9kys8g7-api-server-encryption-provider-cipher   FAIL     medium
hypershift-cismzv9kys8g7-audit-log-forwarding-enabled            FAIL     medium
hypershift-cismzv9kys8g7-configure-network-policies-namespaces   FAIL     high
hypershift-cismzv9kys8g7-idp-is-configured                       FAIL     medium
hypershift-cismzv9kys8g7-kubeadmin-removed                       FAIL     medium
hypershift-cismzv9kys8g7-ocp-api-server-audit-log-maxbackup      FAIL     low
$ oc get --raw  /apis/hypershift.openshift.io/v1beta1/namespaces/local-cluster/hostedclusters/acfd5e74e18f6cb76f95 | jq [.spec.secretEncryption.type]
[
  "aescbc"
]

Version-Release number of selected component (if applicable):

4.13.z

How reproducible:

Always on a aws-ipi-ovn-hypershift-mce cluster

Steps to Reproduce:

1. Install Compliance Operator 
2. Create a tp use below yaml file:
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: hypershift-cismzv9kys8g7
  namespace: openshift-compliance
spec:
  description: This profile test required rules
  extends: ocp4-cis
  setValues:
  - name: ocp4-hypershift-cluster
    rationale: This value is used for HyperShift version detection
    value: acfd5e74e18f6cb76f95
  - name: ocp4-hypershift-namespace-prefix
    rationale: This value is used for HyperShift controlplane namespace detection
    value: local-cluster
  title: My little profile
$ oc get tp
NAME                           STATE
hypershift-cismzv9kys8g7       READY
 
3. Create a ssb:
$ oc compliance bind -N test tailoredprofile/hypershift-pci-dssmzv9kys8g7
Creating ScanSettingBinding test

Actual results:

Rule ocp4-api-server-encryption-provider-cipher return FAIL.

Expected results:

Rule ocp4-api-server-encryption-provider-cipher should PASS.

Additional info:

It only reproduced on a aws-ipi-ovn-hypershift-mce cluster

links to

pull request

mentioned on

Merge request - Updated US source to: bad8d76 Merge pull request #10987 from yuumasato/fix_hypershift_namespace_prefix

Assignee:: Watson Sato

Reporter:: Xiaojie Yuan

Need Info From:: None

Contributors:: None

QA Contact:: Xiaojie Yuan

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2023/07/21 2:36 AM

Updated:: 2025/07/25 11:50 PM

Resolved:: 2023/08/23 5:34 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates