Bug
Resolution: Done
Major
4.13.z
Quality / Stability / Reliability
Moderate
Issue:
Tailored profile created for infra nodes duplicates the results
Description:
I did some testing regarding the steps mentioned in the KB [1], and below are my test results, which indicate that the scan results are the same for `ocp4-cis-node-infra` and `cis-node-infra-tp-infra`.
[1] https://access.redhat.com/solutions/7001151
My testing results:
1. Add a node with the infra role to the cluster
~~~
$ oc get nodes
NAME                                          STATUS   ROLES                  AGE     VERSION
master-0.saktest413.lab.psi.pnq2.redhat.com   Ready    control-plane,master   3d18h   v1.26.6+6bf3f75
master-1.saktest413.lab.psi.pnq2.redhat.com   Ready    control-plane,master   3d18h   v1.26.6+6bf3f75
master-2.saktest413.lab.psi.pnq2.redhat.com   Ready    control-plane,master   3d18h   v1.26.6+6bf3f75
worker-0.saktest413.lab.psi.pnq2.redhat.com   Ready    worker                 3d18h   v1.26.6+6bf3f75
worker-1.saktest413.lab.psi.pnq2.redhat.com   Ready    infra                  3d18h   v1.26.6+6bf3f75
~~~
2. Create the tailored profiles
~~~
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-infra-tp
spec:
  extends: ocp4-cis
  title: modified profile to scan infra nodes
  setValues:
    - name: ocp4-var-role-master
      value: infra
      rationale: scan infra nodes
    - name: ocp4-var-role-worker
      value: infra
      rationale: infra nodes
  description: infra-scan
---
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-node-infra-tp
spec:
  extends: ocp4-cis-node
  title: modified profile to scan infra nodes
  setValues:
    - name: ocp4-var-role-master
      value: infra
      rationale: scan infra nodes
    - name: ocp4-var-role-worker
      value: infra
      rationale: infra nodes
  description: infra-scan cis-node
~~~
3. Include the infra role in the default ScanSetting
~~~
$ oc get scansetting default -o yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
maxRetryOnTimeout: 3
metadata:
  creationTimestamp: "2023-09-15T01:56:46Z"
  generation: 2
  name: default
  namespace: openshift-compliance
  resourceVersion: "390622"
  uid: 9d96021c-c8db-4a01-a569-5694c36c6934
rawResultStorage:
  nodeSelector:
    node-role.kubernetes.io/master: ""
  pvAccessModes:
  - ReadWriteOnce
  rotation: 3
  size: 1Gi
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  - effect: NoSchedule
    key: node.kubernetes.io/memory-pressure
    operator: Exists
roles:
- master
- worker
- infra   # <= this should be present
scanTolerations:
- operator: Exists
schedule: 0 1 * * *
showNotApplicable: false
strictNodeScan: true
timeout: 30m
~~~
4. Create a ScanSettingBinding named cis
~~~
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis
  namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-cis
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-cis-node
- apiGroup: compliance.openshift.io/v1alpha1
  kind: TailoredProfile
  name: cis-infra-tp
- apiGroup: compliance.openshift.io/v1alpha1
  kind: TailoredProfile
  name: cis-node-infra-tp
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
~~~
5. View the running scans
~~~
$ oc get scans
NAME                      PHASE   RESULT
cis-infra-tp              DONE    NON-COMPLIANT
cis-node-infra-tp-infra   DONE    NON-COMPLIANT
cis-node-infra-tp-master  DONE    NON-COMPLIANT
cis-node-infra-tp-worker  DONE    NON-COMPLIANT
ocp4-cis                  DONE    NON-COMPLIANT
ocp4-cis-node-infra       DONE    NON-COMPLIANT
ocp4-cis-node-master      DONE    NON-COMPLIANT
ocp4-cis-node-worker      DONE    NON-COMPLIANT
~~~
6. Check the results of cis-node-infra-tp-infra
~~~
$ oc get ccr -n openshift-compliance | grep "cis-node-infra-tp-infra"
cis-node-infra-tp-infra-file-groupowner-cni-conf PASS medium
cis-node-infra-tp-infra-file-groupowner-ip-allocations PASS medium
cis-node-infra-tp-infra-file-groupowner-kubelet-conf PASS medium
cis-node-infra-tp-infra-file-groupowner-multus-conf PASS medium
cis-node-infra-tp-infra-file-groupowner-openshift-sdn-cniserver-config PASS medium
cis-node-infra-tp-infra-file-groupowner-ovs-conf-db PASS medium
cis-node-infra-tp-infra-file-groupowner-ovs-conf-db-lock PASS medium
cis-node-infra-tp-infra-file-groupowner-ovs-pid PASS medium
cis-node-infra-tp-infra-file-groupowner-ovs-sys-id-conf PASS medium
cis-node-infra-tp-infra-file-groupowner-ovs-vswitchd-pid PASS medium
cis-node-infra-tp-infra-file-groupowner-ovsdb-server-pid PASS medium
cis-node-infra-tp-infra-file-groupowner-worker-ca PASS medium
cis-node-infra-tp-infra-file-groupowner-worker-kubeconfig PASS medium
cis-node-infra-tp-infra-file-groupowner-worker-service PASS medium
cis-node-infra-tp-infra-file-owner-cni-conf PASS medium
cis-node-infra-tp-infra-file-owner-ip-allocations PASS medium
cis-node-infra-tp-infra-file-owner-kubelet PASS medium
cis-node-infra-tp-infra-file-owner-kubelet-conf PASS medium
cis-node-infra-tp-infra-file-owner-multus-conf PASS medium
cis-node-infra-tp-infra-file-owner-openshift-sdn-cniserver-config PASS medium
cis-node-infra-tp-infra-file-owner-ovs-conf-db PASS medium
cis-node-infra-tp-infra-file-owner-ovs-conf-db-lock PASS medium
cis-node-infra-tp-infra-file-owner-ovs-pid PASS medium
cis-node-infra-tp-infra-file-owner-ovs-sys-id-conf PASS medium
cis-node-infra-tp-infra-file-owner-ovs-vswitchd-pid PASS medium
cis-node-infra-tp-infra-file-owner-ovsdb-server-pid PASS medium
cis-node-infra-tp-infra-file-owner-worker-ca PASS medium
cis-node-infra-tp-infra-file-owner-worker-kubeconfig PASS medium
cis-node-infra-tp-infra-file-owner-worker-service PASS medium
cis-node-infra-tp-infra-file-permissions-cni-conf FAIL medium
cis-node-infra-tp-infra-file-permissions-ip-allocations PASS medium
cis-node-infra-tp-infra-file-permissions-kubelet-conf PASS medium
cis-node-infra-tp-infra-file-permissions-multus-conf PASS medium
cis-node-infra-tp-infra-file-permissions-ovs-conf-db PASS medium
cis-node-infra-tp-infra-file-permissions-ovs-conf-db-lock PASS medium
cis-node-infra-tp-infra-file-permissions-ovs-pid PASS medium
cis-node-infra-tp-infra-file-permissions-ovs-sys-id-conf PASS medium
cis-node-infra-tp-infra-file-permissions-ovs-vswitchd-pid PASS medium
cis-node-infra-tp-infra-file-permissions-ovsdb-server-pid PASS medium
cis-node-infra-tp-infra-file-permissions-worker-ca PASS medium
cis-node-infra-tp-infra-file-permissions-worker-kubeconfig PASS medium
cis-node-infra-tp-infra-file-permissions-worker-service PASS medium
cis-node-infra-tp-infra-file-perms-openshift-sdn-cniserver-config PASS medium
$ oc get ccr -n openshift-compliance | grep "cis-node-infra-tp-infra" > cis-node-infra-tp-infra.txt
$ oc get ccr -n openshift-compliance | grep "cis-node-infra-tp-infra" | wc -l
43
~~~
7. Check the scan results of ocp4-cis-node-infra
~~~
$ oc get ccr -n openshift-compliance | grep "ocp4-cis-node-infra"
ocp4-cis-node-infra-file-groupowner-cni-conf PASS medium
ocp4-cis-node-infra-file-groupowner-ip-allocations PASS medium
ocp4-cis-node-infra-file-groupowner-kubelet-conf PASS medium
ocp4-cis-node-infra-file-groupowner-multus-conf PASS medium
ocp4-cis-node-infra-file-groupowner-openshift-sdn-cniserver-config PASS medium
ocp4-cis-node-infra-file-groupowner-ovs-conf-db PASS medium
ocp4-cis-node-infra-file-groupowner-ovs-conf-db-lock PASS medium
ocp4-cis-node-infra-file-groupowner-ovs-pid PASS medium
ocp4-cis-node-infra-file-groupowner-ovs-sys-id-conf PASS medium
ocp4-cis-node-infra-file-groupowner-ovs-vswitchd-pid PASS medium
ocp4-cis-node-infra-file-groupowner-ovsdb-server-pid PASS medium
ocp4-cis-node-infra-file-groupowner-worker-ca PASS medium
ocp4-cis-node-infra-file-groupowner-worker-kubeconfig PASS medium
ocp4-cis-node-infra-file-groupowner-worker-service PASS medium
ocp4-cis-node-infra-file-owner-cni-conf PASS medium
ocp4-cis-node-infra-file-owner-ip-allocations PASS medium
ocp4-cis-node-infra-file-owner-kubelet PASS medium
ocp4-cis-node-infra-file-owner-kubelet-conf PASS medium
ocp4-cis-node-infra-file-owner-multus-conf PASS medium
ocp4-cis-node-infra-file-owner-openshift-sdn-cniserver-config PASS medium
ocp4-cis-node-infra-file-owner-ovs-conf-db PASS medium
ocp4-cis-node-infra-file-owner-ovs-conf-db-lock PASS medium
ocp4-cis-node-infra-file-owner-ovs-pid PASS medium
ocp4-cis-node-infra-file-owner-ovs-sys-id-conf PASS medium
ocp4-cis-node-infra-file-owner-ovs-vswitchd-pid PASS medium
ocp4-cis-node-infra-file-owner-ovsdb-server-pid PASS medium
ocp4-cis-node-infra-file-owner-worker-ca PASS medium
ocp4-cis-node-infra-file-owner-worker-kubeconfig PASS medium
ocp4-cis-node-infra-file-owner-worker-service PASS medium
ocp4-cis-node-infra-file-permissions-cni-conf FAIL medium
ocp4-cis-node-infra-file-permissions-ip-allocations PASS medium
ocp4-cis-node-infra-file-permissions-kubelet-conf PASS medium
ocp4-cis-node-infra-file-permissions-multus-conf PASS medium
ocp4-cis-node-infra-file-permissions-ovs-conf-db PASS medium
ocp4-cis-node-infra-file-permissions-ovs-conf-db-lock PASS medium
ocp4-cis-node-infra-file-permissions-ovs-pid PASS medium
ocp4-cis-node-infra-file-permissions-ovs-sys-id-conf PASS medium
ocp4-cis-node-infra-file-permissions-ovs-vswitchd-pid PASS medium
ocp4-cis-node-infra-file-permissions-ovsdb-server-pid PASS medium
ocp4-cis-node-infra-file-permissions-worker-ca PASS medium
ocp4-cis-node-infra-file-permissions-worker-kubeconfig PASS medium
ocp4-cis-node-infra-file-permissions-worker-service PASS medium
ocp4-cis-node-infra-file-perms-openshift-sdn-cniserver-config PASS medium
$ oc get ccr -n openshift-compliance | grep "ocp4-cis-node-infra" | wc -l
43
$ oc get ccr -n openshift-compliance | grep "ocp4-cis-node-infra" > ocp4-cis-node-infra.txt
~~~
8. Diff ocp4-cis-node-infra.txt and cis-node-infra-tp-infra.txt
~~~
$ diff cis-node-infra-tp-infra.txt ocp4-cis-node-infra.txt
1,43c1,43
< cis-node-infra-tp-infra-file-groupowner-cni-conf PASS medium
< cis-node-infra-tp-infra-file-groupowner-ip-allocations PASS medium
< cis-node-infra-tp-infra-file-groupowner-kubelet-conf PASS medium
< cis-node-infra-tp-infra-file-groupowner-multus-conf PASS medium
< cis-node-infra-tp-infra-file-groupowner-openshift-sdn-cniserver-config PASS medium
< cis-node-infra-tp-infra-file-groupowner-ovs-conf-db PASS medium
< cis-node-infra-tp-infra-file-groupowner-ovs-conf-db-lock PASS medium
< cis-node-infra-tp-infra-file-groupowner-ovs-pid PASS medium
< cis-node-infra-tp-infra-file-groupowner-ovs-sys-id-conf PASS medium
< cis-node-infra-tp-infra-file-groupowner-ovs-vswitchd-pid PASS medium
< cis-node-infra-tp-infra-file-groupowner-ovsdb-server-pid PASS medium
< cis-node-infra-tp-infra-file-groupowner-worker-ca PASS medium
< cis-node-infra-tp-infra-file-groupowner-worker-kubeconfig PASS medium
< cis-node-infra-tp-infra-file-groupowner-worker-service PASS medium
< cis-node-infra-tp-infra-file-owner-cni-conf PASS medium
< cis-node-infra-tp-infra-file-owner-ip-allocations PASS medium
< cis-node-infra-tp-infra-file-owner-kubelet PASS medium
< cis-node-infra-tp-infra-file-owner-kubelet-conf PASS medium
< cis-node-infra-tp-infra-file-owner-multus-conf PASS medium
< cis-node-infra-tp-infra-file-owner-openshift-sdn-cniserver-config PASS medium
< cis-node-infra-tp-infra-file-owner-ovs-conf-db PASS medium
< cis-node-infra-tp-infra-file-owner-ovs-conf-db-lock PASS medium
< cis-node-infra-tp-infra-file-owner-ovs-pid PASS medium
< cis-node-infra-tp-infra-file-owner-ovs-sys-id-conf PASS medium
< cis-node-infra-tp-infra-file-owner-ovs-vswitchd-pid PASS medium
< cis-node-infra-tp-infra-file-owner-ovsdb-server-pid PASS medium
< cis-node-infra-tp-infra-file-owner-worker-ca PASS medium
< cis-node-infra-tp-infra-file-owner-worker-kubeconfig PASS medium
< cis-node-infra-tp-infra-file-owner-worker-service PASS medium
< cis-node-infra-tp-infra-file-permissions-cni-conf FAIL medium
< cis-node-infra-tp-infra-file-permissions-ip-allocations PASS medium
< cis-node-infra-tp-infra-file-permissions-kubelet-conf PASS medium
< cis-node-infra-tp-infra-file-permissions-multus-conf PASS medium
< cis-node-infra-tp-infra-file-permissions-ovs-conf-db PASS medium
< cis-node-infra-tp-infra-file-permissions-ovs-conf-db-lock PASS medium
< cis-node-infra-tp-infra-file-permissions-ovs-pid PASS medium
< cis-node-infra-tp-infra-file-permissions-ovs-sys-id-conf PASS medium
< cis-node-infra-tp-infra-file-permissions-ovs-vswitchd-pid PASS medium
< cis-node-infra-tp-infra-file-permissions-ovsdb-server-pid PASS medium
< cis-node-infra-tp-infra-file-permissions-worker-ca PASS medium
< cis-node-infra-tp-infra-file-permissions-worker-kubeconfig PASS medium
< cis-node-infra-tp-infra-file-permissions-worker-service PASS medium
< cis-node-infra-tp-infra-file-perms-openshift-sdn-cniserver-config PASS medium
---
> ocp4-cis-node-infra-file-groupowner-cni-conf PASS medium
> ocp4-cis-node-infra-file-groupowner-ip-allocations PASS medium
> ocp4-cis-node-infra-file-groupowner-kubelet-conf PASS medium
> ocp4-cis-node-infra-file-groupowner-multus-conf PASS medium
> ocp4-cis-node-infra-file-groupowner-openshift-sdn-cniserver-config PASS medium
> ocp4-cis-node-infra-file-groupowner-ovs-conf-db PASS medium
> ocp4-cis-node-infra-file-groupowner-ovs-conf-db-lock PASS medium
> ocp4-cis-node-infra-file-groupowner-ovs-pid PASS medium
> ocp4-cis-node-infra-file-groupowner-ovs-sys-id-conf PASS medium
> ocp4-cis-node-infra-file-groupowner-ovs-vswitchd-pid PASS medium
> ocp4-cis-node-infra-file-groupowner-ovsdb-server-pid PASS medium
> ocp4-cis-node-infra-file-groupowner-worker-ca PASS medium
> ocp4-cis-node-infra-file-groupowner-worker-kubeconfig PASS medium
> ocp4-cis-node-infra-file-groupowner-worker-service PASS medium
> ocp4-cis-node-infra-file-owner-cni-conf PASS medium
> ocp4-cis-node-infra-file-owner-ip-allocations PASS medium
> ocp4-cis-node-infra-file-owner-kubelet PASS medium
> ocp4-cis-node-infra-file-owner-kubelet-conf PASS medium
> ocp4-cis-node-infra-file-owner-multus-conf PASS medium
> ocp4-cis-node-infra-file-owner-openshift-sdn-cniserver-config PASS medium
> ocp4-cis-node-infra-file-owner-ovs-conf-db PASS medium
> ocp4-cis-node-infra-file-owner-ovs-conf-db-lock PASS medium
> ocp4-cis-node-infra-file-owner-ovs-pid PASS medium
> ocp4-cis-node-infra-file-owner-ovs-sys-id-conf PASS medium
> ocp4-cis-node-infra-file-owner-ovs-vswitchd-pid PASS medium
> ocp4-cis-node-infra-file-owner-ovsdb-server-pid PASS medium
> ocp4-cis-node-infra-file-owner-worker-ca PASS medium
> ocp4-cis-node-infra-file-owner-worker-kubeconfig PASS medium
> ocp4-cis-node-infra-file-owner-worker-service PASS medium
> ocp4-cis-node-infra-file-permissions-cni-conf FAIL medium
> ocp4-cis-node-infra-file-permissions-ip-allocations PASS medium
> ocp4-cis-node-infra-file-permissions-kubelet-conf PASS medium
> ocp4-cis-node-infra-file-permissions-multus-conf PASS medium
> ocp4-cis-node-infra-file-permissions-ovs-conf-db PASS medium
> ocp4-cis-node-infra-file-permissions-ovs-conf-db-lock PASS medium
> ocp4-cis-node-infra-file-permissions-ovs-pid PASS medium
> ocp4-cis-node-infra-file-permissions-ovs-sys-id-conf PASS medium
> ocp4-cis-node-infra-file-permissions-ovs-vswitchd-pid PASS medium
> ocp4-cis-node-infra-file-permissions-ovsdb-server-pid PASS medium
> ocp4-cis-node-infra-file-permissions-worker-ca PASS medium
> ocp4-cis-node-infra-file-permissions-worker-kubeconfig PASS medium
> ocp4-cis-node-infra-file-permissions-worker-service PASS medium
> ocp4-cis-node-infra-file-perms-openshift-sdn-cniserver-config PASS medium
~~~
- Conclusion from the above diff:
- The diff between the two files exists only because of the different rule-name prefixes: one file has a rule named cis-node-infra-tp-infra-file-groupowner-cni-conf and the other has ocp4-cis-node-infra-file-groupowner-cni-conf, but the rules executed and the test results are the same.
Query from the customer:
I think the cis-node profile should not need a tailored profile and ScanSettingBinding settings added for infra, because it seems to work well even if they are not set, but I need verification from Red Hat.
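The raw `diff` in step 8 reports all 43 lines as changed because every ComplianceCheckResult name carries its scan name as a prefix, so it cannot tell "same rule, same result" from "same rule, different result". The POSIX shell script below, an added example that is not part of the bug report or of the Compliance Operator, strips the scan-name prefix, reduces each line to `rule status severity`, and compares the two sorted lists with `comm`, so that only genuine rule or status differences are printed. The sample inputs are constructed from rule names on this page (a fourth, worker-role list with one divergent status is hypothetical and only illustrates what a real difference looks like). The `oc get ccr` invocation in the comment assumes the `compliance.openshift.io/scan-name` label the operator sets on each check result.

```shell
#!/bin/sh
# Added example: compare two Compliance Operator scans rule-by-rule after
# removing the "<scan-name>-" prefix from each ComplianceCheckResult name.

# normalize_ccr SCAN_NAME  < lines from "oc get ccr ... --no-headers"
# Emits "rule status severity" for every line that belongs to SCAN_NAME,
# sorted so the output of two scans can be compared with comm(1).
normalize_ccr() {
  scan="$1"
  sed -n "s/^${scan}-\([^[:space:]]*\)[[:space:]]\{1,\}\([A-Z-]*\)[[:space:]]\{1,\}\([a-z]*\).*/\1 \2 \3/p" | sort
}

# compare_scans SCAN_A FILE_A SCAN_B FILE_B
# Prints rules present in only one scan, or whose status differs (a rule with
# a changed status shows up once per side). Returns 0 when the scans agree.
compare_scans() {
  ta=$(mktemp)
  tb=$(mktemp)
  normalize_ccr "$1" < "$2" > "$ta"
  normalize_ccr "$3" < "$4" > "$tb"
  diffs=$(comm -3 "$ta" "$tb")
  rm -f "$ta" "$tb"
  if [ -n "$diffs" ]; then
    printf '%s\n' "$diffs"
    return 1
  fi
  return 0
}

# write_samples DIR: constructed inputs, not a live cluster dump. The first
# two files mirror rule names and results from this bug report; the third is
# a hypothetical worker-role list with one status flipped to PASS.
write_samples() {
  cat > "$1/cis-node-infra-tp-infra.txt" <<'EOF'
cis-node-infra-tp-infra-file-groupowner-cni-conf PASS medium
cis-node-infra-tp-infra-file-owner-kubelet-conf PASS medium
cis-node-infra-tp-infra-file-permissions-cni-conf FAIL medium
cis-node-infra-tp-infra-file-perms-openshift-sdn-cniserver-config PASS medium
EOF
  cat > "$1/ocp4-cis-node-infra.txt" <<'EOF'
ocp4-cis-node-infra-file-groupowner-cni-conf PASS medium
ocp4-cis-node-infra-file-owner-kubelet-conf PASS medium
ocp4-cis-node-infra-file-permissions-cni-conf FAIL medium
ocp4-cis-node-infra-file-perms-openshift-sdn-cniserver-config PASS medium
EOF
  cat > "$1/ocp4-cis-node-worker.txt" <<'EOF'
ocp4-cis-node-worker-file-groupowner-cni-conf PASS medium
ocp4-cis-node-worker-file-owner-kubelet-conf PASS medium
ocp4-cis-node-worker-file-permissions-cni-conf PASS medium
ocp4-cis-node-worker-file-perms-openshift-sdn-cniserver-config PASS medium
EOF
}

# Demo on the constructed samples. Against a real cluster, produce each input
# file with (label name assumed from the operator's conventions):
#   oc get ccr -n openshift-compliance --no-headers \
#      -l compliance.openshift.io/scan-name=<scan> > <scan>.txt
demo() {
  d=$(mktemp -d)
  write_samples "$d"
  echo "== cis-node-infra-tp-infra vs ocp4-cis-node-infra =="
  if compare_scans cis-node-infra-tp-infra "$d/cis-node-infra-tp-infra.txt" \
                   ocp4-cis-node-infra "$d/ocp4-cis-node-infra.txt"; then
    echo "identical rule set and results"
  else
    echo "results differ"
  fi
  echo "== ocp4-cis-node-infra vs hypothetical ocp4-cis-node-worker =="
  if compare_scans ocp4-cis-node-infra "$d/ocp4-cis-node-infra.txt" \
                   ocp4-cis-node-worker "$d/ocp4-cis-node-worker.txt"; then
    echo "identical rule set and results"
  else
    echo "results differ"
  fi
  rm -rf "$d"
}
demo
```

For the two infra scans the script prints nothing but "identical rule set and results", which is the statement the 1,43c1,43 diff in step 8 only implied; for the hypothetical worker list it prints the one rule whose status differs, once with FAIL (left side) and once with PASS (right side).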