- Bug
- Resolution: Done-Errata
- Major
- None
- 4.14.0
- None
- No
- CMP Sprint 68, CMP Sprint 69
- 2
- False
Description of problem:
Rule ocp4-cis-kubelet-configure-event-creation will fail by default for 4.14. The reason is the default value of eventRecordQPS was updated to 50. Not sure if we can support different default values on different versions to make the rule PASS by default.
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done
"eventRecordQPS": 50,
"eventRecordQPS": 50,
"eventRecordQPS": 50,
"eventRecordQPS": 50,
"eventRecordQPS": 50,
"eventRecordQPS": 50,
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-07-20-215234 + compliance-operator.v1.2.0
How reproducible:
Always
Steps to Reproduce:
1. Install compliance-operator.v1.2.0
2. Create an ssb:
$ oc compliance bind -N test profile/ocp4-cis profile/ocp4-cis-node
3.
Actual results:
Rule ocp4-cis-kubelet-configure-event-creation will fail by default.
$ oc get ccr ocp4-cis-kubelet-configure-event-creation
NAME                                        STATUS   SEVERITY
ocp4-cis-kubelet-configure-event-creation   FAIL     medium
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done
"eventRecordQPS": 50,
"eventRecordQPS": 50,
"eventRecordQPS": 50,
"eventRecordQPS": 50,
"eventRecordQPS": 50,
"eventRecordQPS": 50,
Expected results:
Rule ocp4-cis-kubelet-configure-event-creation should PASS by default.
Additional info:
- links to RHBA-2023:4245 OpenShift Compliance Operator enhancement update