Bug
Resolution: Duplicate
Normal
4.12
Quality / Stability / Reliability
False
Low
Description of problem:
A TailoredProfile should report an error when a Platform rule is used as a Node rule, i.e. when a rule whose checkType is Platform is enabled in a profile whose product-type is Node.
Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2022-09-26-111919 + compliance-operator.v0.1.55
How reproducible:
always
Steps to Reproduce:
1. Install compliance-operator.v0.1.55.
2. Create a TailoredProfile (tp) with product-type Node and enable a Platform rule in it. ocp4-machine-volume-encrypted is a Platform rule:
$ oc get rules ocp4-machine-volume-encrypted -o=jsonpath='{.checkType}'
Platform
$ oc apply -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  annotations:
    compliance.openshift.io/product-type: Node
  name: tp-check-volume-encryption-node
  namespace: openshift-compliance
spec:
  description: test
  enableRules:
  - name: ocp4-machine-volume-encrypted
    rationale: we only want to test this rule
  title: test
EOF
tailoredprofile.compliance.openshift.io/tp-check-volume-encryption-node created
Actual results:
The tp reaches READY state, a ScanSettingBinding (ssb) can be created from it, and the scan completes and returns results. Because ocp4-machine-volume-encrypted is a Platform rule, its ComplianceCheckResult (ccr) should be PASS; run through the Node scans it is reported as FAIL instead.
$ oc get tp
NAME                              STATE
tp-check-volume-encryption-node   READY
$ oc describe tp tp-check-volume-encryption-node
Name:         tp-check-volume-encryption-node
Namespace:    openshift-compliance
Labels:       <none>
Annotations:  compliance.openshift.io/product-type: Node
API Version:  compliance.openshift.io/v1alpha1
Kind:         TailoredProfile
Metadata:
  Creation Timestamp:  2022-09-28T09:12:44Z
  Generation:          1
  Managed Fields:
    API Version:  compliance.openshift.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:ownerReferences:
          .:
          k:{"uid":"39348bff-0c81-4581-835b-2d10a5c225f0"}:
    Manager:      compliance-operator
    Operation:    Update
    Time:         2022-09-28T09:12:44Z
    API Version:  compliance.openshift.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:id:
        f:outputRef:
          .:
          f:name:
          f:namespace:
        f:state:
    Manager:      compliance-operator
    Operation:    Update
    Subresource:  status
    Time:         2022-09-28T09:12:44Z
    API Version:  compliance.openshift.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:compliance.openshift.io/product-type:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:description:
        f:enableRules:
        f:title:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-09-28T09:12:44Z
  Owner References:
    API Version:           compliance.openshift.io/v1alpha1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  ProfileBundle
    Name:                  ocp4
    UID:                   39348bff-0c81-4581-835b-2d10a5c225f0
  Resource Version:        194117
  UID:                     976069c4-45d7-42ad-908c-fcff44a941ad
Spec:
  Description:  test
  Enable Rules:
    Name:       ocp4-machine-volume-encrypted
    Rationale:  we only want to test this rule
  Title:        test
Status:
  Id:  xccdf_compliance.openshift.io_profile_tp-check-volume-encryption-node
  Output Ref:
    Name:       tp-check-volume-encryption-node-tp
    Namespace:  openshift-compliance
  State:        READY
Events:         <none>
$ oc apply -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb4
  namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: TailoredProfile
  name: tp-check-volume-encryption-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/my-ssb4 created
$ oc get suite
NAME      PHASE   RESULT
my-ssb4   DONE    NON-COMPLIANT
$ oc get ccr
NAME                                                              STATUS   SEVERITY
tp-check-volume-encryption-node-master-machine-volume-encrypted   FAIL     high
tp-check-volume-encryption-node-worker-machine-volume-encrypted   FAIL     high
Expected results:
The TailoredProfile should go to ERROR state rather than being accepted as READY, since a Platform rule is being enabled in a Node profile.
Additional info:
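The validation this report asks for can be run by hand before a TailoredProfile is applied: compare the checkType of every rule the profile references with the profile's product-type annotation, exactly the mismatch shown above (a Platform rule in a Node profile). The script below is an added example, not compliance-operator code. Its sample input is constructed to look like the JSON that `oc get tailoredprofile ... -o json` and `oc get rules ... -o json` return, trimmed to the fields used; the two extra rule names are hypothetical, and treating a missing product-type annotation as Platform is an assumption of this checker, not documented operator behaviour.

```python
"""Pre-flight check: do the rules in a TailoredProfile match its product type?

Added example (not compliance-operator code). The rule name, checkType value and
product-type annotation are the ones visible in the bug report; the "Platform"
default for a missing annotation is an assumption of this checker.
"""
import json
from typing import Dict, List

# Constructed sample shaped like `oc get tailoredprofile <name> -o json`.
# It is the Node-type profile from the report, not real cluster output.
TP_JSON = """{
  "apiVersion": "compliance.openshift.io/v1alpha1",
  "kind": "TailoredProfile",
  "metadata": {
    "name": "tp-check-volume-encryption-node",
    "namespace": "openshift-compliance",
    "annotations": {"compliance.openshift.io/product-type": "Node"}
  },
  "spec": {
    "title": "test",
    "description": "test",
    "enableRules": [
      {"name": "ocp4-machine-volume-encrypted", "rationale": "we only want to test this rule"}
    ]
  }
}"""

# Constructed sample shaped like `oc get rules -o json`, trimmed to the fields used.
# ocp4-machine-volume-encrypted has the checkType shown in the report; the other
# two rule names are hypothetical.
RULES_JSON = """{
  "items": [
    {"metadata": {"name": "ocp4-machine-volume-encrypted"}, "checkType": "Platform"},
    {"metadata": {"name": "ocp4-example-node-rule"}, "checkType": "Node"},
    {"metadata": {"name": "ocp4-example-manual-rule"}, "checkType": "None"}
  ]
}"""

VALID_TYPES = ("Platform", "Node")


def product_type(tp: dict) -> str:
    """Product type of a TailoredProfile from its annotation (assumed default: Platform)."""
    annotations = tp.get("metadata", {}).get("annotations", {}) or {}
    return annotations.get("compliance.openshift.io/product-type", "Platform")


def index_rules(rule_list: dict) -> Dict[str, str]:
    """Map Rule object name -> checkType from a RuleList document."""
    return {r["metadata"]["name"]: r.get("checkType", "") for r in rule_list.get("items", [])}


def check_tailored_profile(tp: dict, rules: Dict[str, str]) -> List[str]:
    """Return one message per problem; an empty list means the profile is consistent.

    A rule whose checkType is neither Platform nor Node (for example "None") is
    type-neutral and is only checked for existence.
    """
    ptype = product_type(tp)
    if ptype not in VALID_TYPES:
        return [f"unknown product-type {ptype!r}; expected one of {VALID_TYPES}"]
    problems: List[str] = []
    spec = tp.get("spec", {}) or {}
    for section in ("enableRules", "disableRules", "manualRules"):
        for entry in spec.get(section, []) or []:
            name = entry.get("name", "")
            if name not in rules:
                problems.append(f"{section}: {name!r} does not exist")
                continue
            ctype = rules[name]
            if ctype in VALID_TYPES and ctype != ptype:
                problems.append(
                    f"{section}: {name!r} is a {ctype} rule but the profile is {ptype}"
                )
    return problems


def run_sample() -> List[str]:
    """Check the report's profile against the sample rule list."""
    tp = json.loads(TP_JSON)
    rules = index_rules(json.loads(RULES_JSON))
    return check_tailored_profile(tp, rules)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Against a live cluster, feed `check_tailored_profile` the output of `oc get tailoredprofile NAME -n openshift-compliance -o json` and `index_rules` the output of `oc get rules -n openshift-compliance -o json`; a non-empty result is the error the operator currently fails to raise, and the scan should not be bound until it is empty.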