OpenShift Bugs / OCPBUGS-2169

Failed to run a compliance scan on OpenShift 4.12 when following CLI install instructions


    • Bug
    • Resolution: Done
    • Critical
    • 4.12
    • Compliance Operator
    • Quality / Stability / Reliability

      Description of problem:

      Unable to run a compliance scan following the upstream documentation on OpenShift 4.12

      Version-Release number of selected component (if applicable):

      Client Version: 4.12.0-202210050049.p0.g48a51fe.assembly.stream-48a51fe
      Kustomize Version: v4.5.4
      Server Version: 4.12.0-0.nightly-2022-10-05-053337
      Kubernetes Version: v1.25.0+3ef6ef3
      

      How reproducible:

       

      Steps to Reproduce:

      1. Install Compliance Operator 0.1.53
      
      $ cat co-install.yaml
      ---
      apiVersion: v1
      kind: Namespace
      metadata:
        labels:
          openshift.io/cluster-monitoring: "true"
        name: openshift-compliance
      ---
      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: compliance-operator
        namespace: openshift-compliance
      spec:
        targetNamespaces:
        - openshift-compliance
      ---
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: compliance-operator-sub
        namespace: openshift-compliance
      spec:
        channel: "release-0.1"
        installPlanApproval: Automatic
        name: compliance-operator
        source: redhat-operators
        sourceNamespace: openshift-marketplace
      $ oc apply -f co-install.yaml
      
      2. Create a scan setting binding for CIS
      
      $ cat tmp.yaml
      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSettingBinding
      metadata:
        name: cis-compliance
        namespace: openshift-compliance
      profiles:
        - name: ocp4-cis-node
          kind: Profile
          apiGroup: compliance.openshift.io/v1alpha1
        - name: ocp4-cis
          kind: Profile
          apiGroup: compliance.openshift.io/v1alpha1
      settingsRef:
        name: default
        kind: ScanSetting
        apiGroup: compliance.openshift.io/v1alpha1
      
      $ oc apply -f tmp.yaml
      
      3.
      

      Actual results:

      The compliance operator fails to create the scans.
      
      Error from the compliance-operator logs:
      
      {"level":"info","ts":1665416116.4404655,"logger":"scansettingbindingctrl","msg":"Reconciling ScanSettingBinding","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance"}
      {"level":"info","ts":1665416126.798029,"logger":"scansettingbindingctrl","msg":"Reconciling ScanSettingBinding","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance"}
      {"level":"info","ts":1665416126.804372,"logger":"scansettingbindingctrl","msg":"Reconciling ScanSettingBinding","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance"}
      {"level":"info","ts":1665416126.8044908,"logger":"scansettingbindingctrl","msg":"Resolving object","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance","kind":"Profile","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.807283,"logger":"scansettingbindingctrl","msg":"Retrieving parent object","child.Kind":"Profile","child.Name":"ocp4-cis-node","parent.Name":"ocp4","parent.Kind":"ProfileBundle"}
      {"level":"info","ts":1665416126.8072999,"logger":"scansettingbindingctrl","msg":"Resolving object","kind":"ProfileBundle","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.8098528,"logger":"scansettingbindingctrl","msg":"Resolving object","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance","kind":"Profile","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.8119948,"logger":"scansettingbindingctrl","msg":"Retrieving parent object","child.Kind":"Profile","child.Name":"ocp4-cis","parent.Name":"ocp4","parent.Kind":"ProfileBundle"}
      {"level":"info","ts":1665416126.812011,"logger":"scansettingbindingctrl","msg":"Resolving object","kind":"ProfileBundle","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.816073,"logger":"scansettingbindingctrl","msg":"Resolving object","kind":"ScanSetting","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.8199372,"logger":"scansettingbindingctrl","msg":"Processing original scan","scan.Name":"ocp4-cis-node"}
      {"level":"info","ts":1665416126.8199565,"logger":"scansettingbindingctrl","msg":"Adding per-role scan","scanCopy.Name":"ocp4-cis-node-master"}
      {"level":"info","ts":1665416126.819961,"logger":"scansettingbindingctrl","msg":"Adding per-role scan","scanCopy.Name":"ocp4-cis-node-worker"}
      {"level":"info","ts":1665416126.8199644,"logger":"scansettingbindingctrl","msg":"Processing original scan","scan.Name":"ocp4-cis"}
      {"level":"info","ts":1665416126.819967,"logger":"scansettingbindingctrl","msg":"Adding platform scan","scanCopy.Name":"ocp4-cis"}
      {"level":"info","ts":1665416126.8285449,"logger":"scansettingbindingctrl","msg":"Reconciling ScanSettingBinding","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance"}
      {"level":"info","ts":1665416126.8287275,"logger":"scansettingbindingctrl","msg":"Resolving object","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance","kind":"Profile","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.833316,"logger":"scansettingbindingctrl","msg":"Retrieving parent object","child.Kind":"Profile","child.Name":"ocp4-cis-node","parent.Name":"ocp4","parent.Kind":"ProfileBundle"}
      {"level":"info","ts":1665416126.833338,"logger":"scansettingbindingctrl","msg":"Resolving object","kind":"ProfileBundle","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.8355248,"logger":"scansettingbindingctrl","msg":"Resolving object","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance","kind":"Profile","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.837706,"logger":"scansettingbindingctrl","msg":"Retrieving parent object","child.Kind":"Profile","child.Name":"ocp4-cis","parent.Name":"ocp4","parent.Kind":"ProfileBundle"}
      {"level":"info","ts":1665416126.8377218,"logger":"scansettingbindingctrl","msg":"Resolving object","kind":"ProfileBundle","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.840079,"logger":"scansettingbindingctrl","msg":"Resolving object","kind":"ScanSetting","api":"compliance.openshift.io/v1alpha1"}
      {"level":"info","ts":1665416126.8420837,"logger":"scansettingbindingctrl","msg":"Processing original scan","scan.Name":"ocp4-cis-node"}
      {"level":"info","ts":1665416126.842104,"logger":"scansettingbindingctrl","msg":"Adding per-role scan","scanCopy.Name":"ocp4-cis-node-master"}
      {"level":"info","ts":1665416126.8421104,"logger":"scansettingbindingctrl","msg":"Adding per-role scan","scanCopy.Name":"ocp4-cis-node-worker"}
      {"level":"info","ts":1665416126.842115,"logger":"scansettingbindingctrl","msg":"Processing original scan","scan.Name":"ocp4-cis"}
      {"level":"info","ts":1665416126.8421185,"logger":"scansettingbindingctrl","msg":"Adding platform scan","scanCopy.Name":"ocp4-cis"}
      {"level":"info","ts":1665416126.8421938,"logger":"scansettingbindingctrl","msg":"Suite does not need update","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance","suite.Name":"cis-compliance"}
      {"level":"info","ts":1665416532.1929603,"logger":"suitectrl","msg":"Reconciling ComplianceSuite","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance"}
      I1010 15:42:13.243753       1 request.go:645] Throttling request took 1.047339847s, request: GET:https://172.30.0.1:443/apis/operator.openshift.io/v1?timeout=32s
      {"level":"error","ts":1665416534.544767,"logger":"controller","msg":"Reconciler error","controller":"compliancesuite-controller","name":"cis-compliance","namespace":"openshift-compliance","error":"no matches for kind \"CronJob\" in version \"batch/v1beta1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.2/pkg/internal/controller/controller.go:209\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.2/pkg/internal/controller/controller.go:188\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.11/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.11/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.11/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.11/pkg/util/wait/wait.go:90"}
      {"level":"info","ts":1665417534.5459626,"logger":"suitectrl","msg":"Reconciling ComplianceSuite","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance"}
      I1010 15:58:55.596916       1 request.go:645] Throttling request took 1.04545724s, request: GET:https://172.30.0.1:443/apis/flowcontrol.apiserver.k8s.io/v1beta2?timeout=32s
      {"level":"error","ts":1665417536.902193,"logger":"controller","msg":"Reconciler error","controller":"compliancesuite-controller","name":"cis-compliance","namespace":"openshift-compliance","error":"no matches for kind \"CronJob\" in version \"batch/v1beta1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.2/pkg/internal/controller/controller.go:209\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.2/pkg/internal/controller/controller.go:188\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.11/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.11/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.11/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/apimachinery@v0.19.11/pkg/util/wait/wait.go:90"}
      
      
      

      Expected results:

      The Compliance Operator will create the necessary scan resources to scan the cluster infrastructure.

      Additional info:

      $ oc get all -n openshift-compliance
      NAME                                                  READY   STATUS    RESTARTS       AGE
      pod/compliance-operator-67877d9cb8-lvl2l              1/1     Running   1 (126m ago)   127m
      pod/ocp4-openshift-compliance-pp-6df497b96d-lz8qf     1/1     Running   0              125m
      pod/rhcos4-openshift-compliance-pp-699c88c68b-pmr2q   1/1     Running   0              125m
      NAME              TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
      service/metrics   ClusterIP   172.30.166.168   <none>        8383/TCP,8686/TCP,8585/TCP   126m
      NAME                                             READY   UP-TO-DATE   AVAILABLE   AGE
      deployment.apps/compliance-operator              1/1     1            1           127m
      deployment.apps/ocp4-openshift-compliance-pp     1/1     1            1           125m
      deployment.apps/rhcos4-openshift-compliance-pp   1/1     1            1           125m
      NAME                                                        DESIRED   CURRENT   READY   AGE
      replicaset.apps/compliance-operator-67877d9cb8              1         1         1       127m
      replicaset.apps/ocp4-openshift-compliance-pp-6df497b96d     1         1         1       125m
      replicaset.apps/rhcos4-openshift-compliance-pp-699c88c68b   1         1         1       125m
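
      A triage helper for the operator log above, added here as an example and not part of the original report or of the Compliance Operator: it skips the klog-style lines mixed into the JSON stream, groups repeated reconciler errors, and flags "no matches for kind" errors, which mean the operator asked for an API version the cluster does not serve (batch/v1beta1 CronJob is no longer served as of Kubernetes 1.25, the server version listed above). The function name and output fields are assumptions; the sample lines are abridged from the log in this report with stack traces dropped.

```python
import json
import re

# Abridged from the operator log quoted in this report (stack traces dropped).
SAMPLE_LOG = r'''
{"level":"info","ts":1665416532.1929603,"logger":"suitectrl","msg":"Reconciling ComplianceSuite","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance"}
I1010 15:42:13.243753       1 request.go:645] Throttling request took 1.047339847s, request: GET:https://172.30.0.1:443/apis/operator.openshift.io/v1?timeout=32s
{"level":"error","ts":1665416534.544767,"logger":"controller","msg":"Reconciler error","controller":"compliancesuite-controller","name":"cis-compliance","namespace":"openshift-compliance","error":"no matches for kind \"CronJob\" in version \"batch/v1beta1\""}
{"level":"info","ts":1665417534.5459626,"logger":"suitectrl","msg":"Reconciling ComplianceSuite","Request.Namespace":"openshift-compliance","Request.Name":"cis-compliance"}
{"level":"error","ts":1665417536.902193,"logger":"controller","msg":"Reconciler error","controller":"compliancesuite-controller","name":"cis-compliance","namespace":"openshift-compliance","error":"no matches for kind \"CronJob\" in version \"batch/v1beta1\""}
'''

# Error text returned when a client requests a kind/version the API server does not serve.
NO_MATCH = re.compile(r'no matches for kind "([^"]+)" in version "([^"]+)"')


def summarize_reconciler_errors(log_text):
    """Group error-level JSON log entries by controller, object and error text."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # klog-style lines (I1010 ...) and blanks are not JSON
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or garbled line
        if entry.get("level") != "error" or "error" not in entry:
            continue
        key = (entry.get("controller"), entry.get("namespace"),
               entry.get("name"), entry["error"])
        match = NO_MATCH.search(entry["error"])
        finding = findings.setdefault(key, {
            "controller": entry.get("controller"),
            "object": f'{entry.get("namespace")}/{entry.get("name")}',
            "error": entry["error"],
            # (kind, version) when the error is an unserved API, else None
            "missing_api": match.groups() if match else None,
            "count": 0,
            "first_ts": entry.get("ts"),
        })
        finding["count"] += 1
        finding["last_ts"] = entry.get("ts")
    return list(findings.values())


if __name__ == "__main__":
    for f in summarize_reconciler_errors(SAMPLE_LOG):
        print(f)
```

      The same function can be fed the full operator log saved to a file, for example the output of `oc logs` for the compliance-operator pod.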
      

              jhrozek@redhat.com Jakub Hrozek (Inactive)
              lbragsta@redhat.com Lance Bragstad
              Xiaojie Yuan