Bug
Resolution: Done-Errata
Major
4.13
Moderate
No
False
Description of problem:
The Compliance Operator has logic to prevent a ScanSettingBinding from referencing multiple product types. For example, you shouldn't be able to launch a suite that scans both Platform and Node infrastructure. This was originally opened as a Bugzilla, linked below. However, if you create a ScanSettingBinding with exactly two profiles, one Platform and one Node, you can get around this validation.
Original Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1901760
Version-Release number of selected component (if applicable):
I was able to recreate this on 1.4.0 upstream, but it appears the validation logic has been in CO since the 0.1.21 release upstream.
How reproducible:
100%
Steps to Reproduce:
Create a scan setting binding with two profiles, one of each product type:

$ cat recreate.yaml
---
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: valid-binding-single-product
  namespace: openshift-compliance
profiles:
  # platform profile for OpenShift
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
---
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: valid-binding-multiple-products-should-be-invalid
  namespace: openshift-compliance
profiles:
  # platform profile for OpenShift
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  # Shouldn't be allowed since it's a Node profile and the first profile is
  # Platform.
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
---
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: invalid-binding-multiple-products
  namespace: openshift-compliance
profiles:
  # platform profile for OpenShift
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  # Shouldn't be allowed since they're Node profiles and the first profile is
  # Platform.
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: rhcos4-high
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1

$ oc apply -n openshift-compliance -f recreate.yaml
$ oc get ssb -n openshift-compliance
NAME                                                STATUS
invalid-binding-multiple-products                   INVALID
valid-binding-multiple-products-should-be-invalid   READY
valid-binding-single-product                        READY
Actual results:
The valid-binding-multiple-products-should-be-invalid SSB is accepted as READY even though it mixes a Platform and a Node profile; only the three-profile binding is marked INVALID. Either it should be invalid too, or the validation should be relaxed to allow multiple products in a single binding.
Expected results:
Validation should be consistent regardless of the number of profiles in the ScanSettingBinding: a binding that mixes Platform and Node profiles should be rejected whether it references two profiles or three.
Additional info:
Initial patch that introduced the validation: https://github.com/openshift/compliance-operator/pull/498
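As an added example (not code from the Compliance Operator or from this report), a standalone Go check of the rule the expected results call for: every profile in a binding must share one product type, compared against the first profile so the verdict does not depend on how many profiles are listed. The profile-to-product-type table is constructed here; in the operator the type comes from the Profile's product-type annotation, which this example does not query.

```go
package main

import "fmt"

// ProfileRef is one entry under "profiles:" in a ScanSettingBinding (name only).
type ProfileRef struct{ Name string }

// Constructed profile name -> product type table. In the operator this comes from
// the Profile's product-type annotation ("Platform" or "Node"); assumed here.
var productTypeOf = map[string]string{
	"ocp4-cis":      "Platform",
	"ocp4-cis-node": "Node",
	"rhcos4-high":   "Node",
}

// ValidateSingleProductType returns nil when every referenced profile has the
// same product type and an error otherwise. Each profile is compared against the
// first, so a two-profile Platform+Node binding fails exactly like a three-profile one.
func ValidateSingleProductType(refs []ProfileRef) error {
	first := ""
	for _, r := range refs {
		pt, ok := productTypeOf[r.Name]
		if !ok {
			return fmt.Errorf("profile %q: unknown product type", r.Name)
		}
		if first == "" {
			first = pt
		} else if pt != first {
			return fmt.Errorf("profile %q is %s but the binding already has %s profiles", r.Name, pt, first)
		}
	}
	return nil
}

func main() {
	// The three bindings from recreate.yaml, in the order oc get ssb lists them.
	bindings := []struct {
		name string
		refs []ProfileRef
	}{
		{"invalid-binding-multiple-products", []ProfileRef{{"ocp4-cis"}, {"ocp4-cis-node"}, {"rhcos4-high"}}},
		{"valid-binding-multiple-products-should-be-invalid", []ProfileRef{{"ocp4-cis"}, {"ocp4-cis-node"}}},
		{"valid-binding-single-product", []ProfileRef{{"ocp4-cis"}}},
	}
	for _, b := range bindings {
		status := "READY"
		if err := ValidateSingleProductType(b.refs); err != nil {
			status = "INVALID (" + err.Error() + ")"
		}
		fmt.Printf("%-50s %s\n", b.name, status)
	}
}
```

With this check both mixed bindings print INVALID and only valid-binding-single-product prints READY.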
Links to: RHBA-2024:129828 openshift-compliance-operator bug fix and/or enhancement update