Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-25323

Ovs rules not available in scans for profile ocp4-cis-node for compliance-operator.v1.4.0

    XMLWordPrintable

Details

    Description

      Description of problem:

       

      Ovs rules not available in scans for profile ocp4-cis-node for compliance-operator.v1.4.0
$ oc compliance bind -N test profile/ocp4-cis profile/ocp4-cis-node
Creating ScanSettingBinding test
$ oc get ccr | grep -i ovs
$
Or if
if try to upgrade from  compliance-operator.v1.3.1 to compliance-operator.v1.4.0. the ovs rules scan result will be updated from PASS to NOT-APPLICABLE : 
$ oc get ccr | grep -i ovs 
ocp4-cis-node-master-file-permissions-ovs-conf-db                                      NOT-APPLICABLE   medium 
ocp4-cis-node-master-file-permissions-ovs-conf-db-lock                                 NOT-APPLICABLE   medium 
ocp4-cis-node-master-file-permissions-ovs-pid                                          NOT-APPLICABLE   medium 
ocp4-cis-node-master-file-permissions-ovs-sys-id-conf                                  NOT-APPLICABLE   medium 
ocp4-cis-node-master-file-permissions-ovs-vswitchd-pid                                 NOT-APPLICABLE   medium 
ocp4-cis-node-master-file-permissions-ovsdb-server-pid                                 NOT-APPLICABLE   medium 
ocp4-cis-node-worker-file-permissions-ovs-conf-db                                      NOT-APPLICABLE   medium 
ocp4-cis-node-worker-file-permissions-ovs-conf-db-lock                                 NOT-APPLICABLE   medium 
ocp4-cis-node-worker-file-permissions-ovs-pid                                          NOT-APPLICABLE   medium 
ocp4-cis-node-worker-file-permissions-ovs-sys-id-conf                                  NOT-APPLICABLE   medium 
ocp4-cis-node-worker-file-permissions-ovs-vswitchd-pid                                 NOT-APPLICABLE   medium 
ocp4-cis-node-worker-file-permissions-ovsdb-server-pid                                 NOT-APPLICABLE   medium

      Version-Release number of selected component (if applicable):

       4.14.0-0.nightly-2023-12-12-073004 + compliance-operator.v1.4.  

      How reproducible:

        Always

      Steps to Reproduce:

       

       

      1. Install compliance-operator.v1.4.0 and create a ssb with command: $ oc compliance bind -N test profile/ocp4-cis profile/ocp4-cis-node

Or you can also install compliance-operator.v1.3.1 and trigger the scan with command 
$ oc compliance bind -N test profile/ocp4-cis profile/ocp4-cis-node, and then upgrade CO to compliance-operator.v1.4.0
 
 
 
 

      Actual results:

      For compliance-operator.v1.4.0 fresh install, the result doesn't contain ovs rules.  
For upgrade, the ovs rules will become NOT-applicable for all ovs rules.

      Expected results:

      The result should contain ovs rules and ovs rules should show PASS.

      Additional info:

       The result is the same on SDN and OVN clusters on a 4.14 cluster

      Attachments

        Issue Links

          links to

          Web Link RHBA-2023:7658 OpenShift Compliance Operator bug fix and enhancement update

          Activity

            People

              lbragsta@redhat.com Lance Bragstad
              xiyuan@redhat.com Xiaojie Yuan
              Bhargavi Gudi Bhargavi Gudi
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: