Bug
Resolution: Done
Major
4.14.0
Quality / Stability / Reliability
Moderate
Description of problem:
Even after the auto-remediation steps, the test cases returned fail.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. oc get ccr | grep FAIL
[root@m1326001 content]# oc get ccr|grep FAIL
ocp4-pci-dss-api-server-api-priority-gate-enabled FAIL medium
ocp4-pci-dss-audit-log-forwarding-enabled FAIL medium
ocp4-pci-dss-idp-is-configured FAIL medium
ocp4-pci-dss-kubeadmin-removed FAIL medium
ocp4-pci-dss-node-master-file-groupowner-ovs-conf-db-lock FAIL medium
ocp4-pci-dss-node-master-file-groupowner-ovs-sys-id-conf FAIL medium
ocp4-pci-dss-node-master-file-permissions-cni-conf FAIL medium
ocp4-pci-dss-node-master-kubelet-anonymous-auth FAIL medium
ocp4-pci-dss-node-master-kubelet-authorization-mode FAIL medium
ocp4-pci-dss-node-master-kubelet-configure-client-ca FAIL medium
ocp4-pci-dss-node-master-kubelet-configure-event-creation FAIL medium
ocp4-pci-dss-node-master-kubelet-configure-tls-cipher-suites FAIL medium
ocp4-pci-dss-node-master-kubelet-enable-cert-rotation FAIL medium
ocp4-pci-dss-node-master-kubelet-enable-iptables-util-chains FAIL medium
ocp4-pci-dss-node-master-kubelet-enable-server-cert-rotation FAIL medium
ocp4-pci-dss-node-master-kubelet-enable-streaming-connections FAIL medium
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available FAIL medium
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available FAIL medium
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-available FAIL medium
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree FAIL medium
ocp4-pci-dss-node-worker-file-groupowner-ovs-conf-db-lock FAIL medium
ocp4-pci-dss-node-worker-file-groupowner-ovs-sys-id-conf FAIL medium
ocp4-pci-dss-node-worker-file-permissions-cni-conf FAIL medium
ocp4-pci-dss-node-worker-kubelet-anonymous-auth FAIL medium
ocp4-pci-dss-node-worker-kubelet-authorization-mode FAIL medium
ocp4-pci-dss-node-worker-kubelet-configure-client-ca FAIL medium
ocp4-pci-dss-node-worker-kubelet-configure-event-creation FAIL medium
ocp4-pci-dss-node-worker-kubelet-configure-tls-cipher-suites FAIL medium
ocp4-pci-dss-node-worker-kubelet-enable-cert-rotation FAIL medium
ocp4-pci-dss-node-worker-kubelet-enable-iptables-util-chains FAIL medium
ocp4-pci-dss-node-worker-kubelet-enable-server-cert-rotation FAIL medium
ocp4-pci-dss-node-worker-kubelet-enable-streaming-connections FAIL medium
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available FAIL medium
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-memory-available FAIL medium
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available FAIL medium
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree FAIL medium
ocp4-pci-dss-ocp-allowed-registries FAIL medium
ocp4-pci-dss-ocp-allowed-registries-for-import FAIL medium
[root@m1326001 content]# oc get cr
NAME STATE
ocp4-pci-dss-node-master-kubelet-configure-event-creation Applied
ocp4-pci-dss-node-master-kubelet-configure-tls-cipher-suites Applied
ocp4-pci-dss-node-master-kubelet-enable-iptables-util-chains Applied
ocp4-pci-dss-node-master-kubelet-enable-streaming-connections Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available-1 Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available-1 Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-available Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-available-1 Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1 Applied
ocp4-pci-dss-node-worker-kubelet-configure-event-creation Applied
ocp4-pci-dss-node-worker-kubelet-configure-tls-cipher-suites Applied
ocp4-pci-dss-node-worker-kubelet-enable-iptables-util-chains Applied
ocp4-pci-dss-node-worker-kubelet-enable-streaming-connections Applied
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available Applied
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available-1 Applied
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-memory-available Applied
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-memory-available-1 Applied
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available Applied
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available-1 Applied
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree Applied
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1 Applied
One example test case for reference:
[root@m1326001 content]# oc describe cr/ocp4-pci-dss-node-master-kubelet-configure-event-creation
Name:         ocp4-pci-dss-node-master-kubelet-configure-event-creation
Namespace:    openshift-compliance
Labels:       compliance.openshift.io/scan-name=ocp4-pci-dss-node-master
              compliance.openshift.io/suite=pci-compliance
Annotations:  compliance.openshift.io/xccdf-value-used: var-event-record-qps
API Version:  compliance.openshift.io/v1alpha1
Kind:         ComplianceRemediation
Metadata:
  Creation Timestamp:  2023-11-28T07:35:30Z
  Generation:          2
  Owner References:
    API Version:           compliance.openshift.io/v1alpha1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  ComplianceCheckResult
    Name:                  ocp4-pci-dss-node-master-kubelet-configure-event-creation
    UID:                   4ef8ebd9-c2e6-4fe7-8d88-a43ad75abc88
  Resource Version:        4161533
  UID:                     4cd345e8-c907-4589-b5aa-fbfd07234aeb
Spec:
  Apply:  true
  Current:
    Object:
      API Version:  machineconfiguration.openshift.io/v1
      Kind:         KubeletConfig
      Spec:
        Kubelet Config:
          Event Record QPS:  50
  Outdated:
  Type:  Configuration
Status:
  Application State:  Applied
Events:               <none>
[root@m1326001 content]# oc get ccr|grep FAIL
ocp4-pci-dss-api-server-api-priority-gate-enabled FAIL medium
ocp4-pci-dss-audit-log-forwarding-enabled FAIL medium
ocp4-pci-dss-idp-is-configured FAIL medium
ocp4-pci-dss-kubeadmin-removed FAIL medium
ocp4-pci-dss-node-master-file-groupowner-ovs-conf-db-lock FAIL medium
ocp4-pci-dss-node-master-file-groupowner-ovs-sys-id-conf FAIL medium
ocp4-pci-dss-node-master-file-permissions-cni-conf FAIL medium
ocp4-pci-dss-node-master-kubelet-anonymous-auth FAIL medium
ocp4-pci-dss-node-master-kubelet-authorization-mode FAIL medium
ocp4-pci-dss-node-master-kubelet-configure-client-ca FAIL medium
ocp4-pci-dss-node-master-kubelet-configure-event-creation FAIL medium
ocp4-pci-dss-node-master-kubelet-configure-tls-cipher-suites FAIL medium
ocp4-pci-dss-node-master-kubelet-enable-cert-rotation FAIL medium
ocp4-pci-dss-node-master-kubelet-enable-iptables-util-chains FAIL medium
ocp4-pci-dss-node-master-kubelet-enable-server-cert-rotation FAIL medium
ocp4-pci-dss-node-master-kubelet-enable-streaming-connections FAIL medium
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available FAIL medium
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-memory-available FAIL medium
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-available FAIL medium
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree FAIL medium
ocp4-pci-dss-node-worker-file-groupowner-ovs-conf-db-lock FAIL medium
ocp4-pci-dss-node-worker-file-groupowner-ovs-sys-id-conf FAIL medium
ocp4-pci-dss-node-worker-file-permissions-cni-conf FAIL medium
ocp4-pci-dss-node-worker-kubelet-anonymous-auth FAIL medium
ocp4-pci-dss-node-worker-kubelet-authorization-mode FAIL medium
ocp4-pci-dss-node-worker-kubelet-configure-client-ca FAIL medium
ocp4-pci-dss-node-worker-kubelet-configure-event-creation FAIL medium
ocp4-pci-dss-node-worker-kubelet-configure-tls-cipher-suites FAIL medium
ocp4-pci-dss-node-worker-kubelet-enable-cert-rotation FAIL medium
ocp4-pci-dss-node-worker-kubelet-enable-iptables-util-chains FAIL medium
ocp4-pci-dss-node-worker-kubelet-enable-server-cert-rotation FAIL medium
ocp4-pci-dss-node-worker-kubelet-enable-streaming-connections FAIL medium
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available FAIL medium
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-memory-available FAIL medium
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available FAIL medium
ocp4-pci-dss-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree FAIL medium
ocp4-pci-dss-ocp-allowed-registries FAIL medium
ocp4-pci-dss-ocp-allowed-registries-for-import FAIL medium
[root@m1326001 content]# oc get csv
NAME DISPLAY VERSION REPLACES PHASE
compliance-operator.v1.3.1 Compliance Operator 1.3.1 Succeeded
file-integrity-operator.v1.3.3 File Integrity Operator 1.3.3 Succeeded
Actual results:
Returns fail after [oc get ccr].
Expected results:
It should be able to pass after auto-remediation [oc get ccr].
Additional info:
even oc describe <.....> for each and every test suite applied.
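
Added example (not part of the original report or of the Compliance Operator): a triage helper that joins saved `oc get ccr` and `oc get cr` output to separate FAIL checks whose remediations are all Applied from FAIL checks that have no ComplianceRemediation object at all. The function names are hypothetical, the sample rows are a subset copied from the report, and treating a trailing "-N" on a remediation name as an extra remediation for the same check is an assumption based on the names listed above.

```bash
#!/usr/bin/env bash
# Sample rows: a subset of the `oc get ccr | grep FAIL` output in the report.
sample_ccr() {
cat <<'EOF'
ocp4-pci-dss-idp-is-configured FAIL medium
ocp4-pci-dss-node-master-kubelet-anonymous-auth FAIL medium
ocp4-pci-dss-node-master-kubelet-configure-event-creation FAIL medium
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available FAIL medium
EOF
}

# Sample rows: a subset of the `oc get cr` output in the report.
sample_cr() {
cat <<'EOF'
NAME STATE
ocp4-pci-dss-node-master-kubelet-configure-event-creation Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available Applied
ocp4-pci-dss-node-master-kubelet-eviction-thresholds-set-hard-imagefs-available-1 Applied
EOF
}

# triage_fail CCR_FILE CR_FILE
# Prints "<check> <verdict>" for every FAIL check:
#   applied-still-fail  every remediation for the check is Applied
#   pending             at least one remediation is not Applied
#   no-remediation      no ComplianceRemediation exists for the check
triage_fail() {
  awk '
    NR == FNR {                       # first file read: oc get cr
      if ($1 == "NAME") next          # skip the header row
      name = $1
      sub(/-[0-9]+$/, "", name)       # assumption: "-N" = extra remediation
      total[name]++
      if ($2 == "Applied") applied[name]++
      next
    }
    $2 == "FAIL" {                    # second file read: oc get ccr
      if (!($1 in total))                 v = "no-remediation"
      else if (applied[$1] == total[$1])  v = "applied-still-fail"
      else                                v = "pending"
      print $1, v
    }
  ' "$2" "$1"
}

# Demo on the sample rows above.
d=$(mktemp -d); sample_ccr > "$d/ccr"; sample_cr > "$d/cr"
triage_fail "$d/ccr" "$d/cr"; rm -rf "$d"
```

On a live cluster, save the two command outputs to files and pass them in the same order; checks reported as no-remediation cannot change state through auto-remediation alone.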