Details
Bug
Resolution: Unresolved
4.15.0
Low
Description
Description of problem:
After migrating tailoredprofiles with the annotation, the warning message of the tailoredprofile in ERROR status is showing confusing information
Below is an example:
- apiVersion: compliance.openshift.io/v1alpha1
  kind: TailoredProfile
  metadata:
    annotations:
      compliance.openshift.io/product-type: Platform
      compliance.openshift.io/prune-outdated-references: "true"
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"compliance.openshift.io/v1alpha1","kind":"TailoredProfile","metadata":{"annotations":{},"name":"cis-infra-tp-noextend-disablemix-enableonly-rules","namespace":"openshift-compliance"},"spec":{"description":"Test","disableRules":[{"name":"ocp4-kubelet-anonymous-auth","rationale":"test"},{"name":"ocp4-api-server-insecure-port","rationale":"test"},{"name":"ocp4-api-server-tls-cert","rationale":"test"}],"enableRules":[{"name":"ocp4-kubelet-enable-streaming-connections","rationale":"test"}],"title":"My modified nist profile with a custom value"}}
    creationTimestamp: "2024-01-09T06:16:16Z"
    generation: 2
    name: cis-infra-tp-noextend-disablemix-enableonly-rules
    namespace: openshift-compliance
    ownerReferences:
    - apiVersion: compliance.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: ProfileBundle
      name: ocp4
      uid: 75eeea1f-3b04-4183-9376-ad1d983c5357
    resourceVersion: "105729"
    uid: 8af0ae5d-c657-40f1-89b3-0c4aea2d3994
  spec:
    description: Test
    disableRules:
    - name: ocp4-api-server-insecure-port
      rationale: test
    - name: ocp4-api-server-tls-cert
      rationale: test
    title: My modified nist profile with a custom value
  status:
    errorMessage: Custom TailoredProfile with no extends does not have any rules enabled
    id: xccdf_compliance.openshift.io_profile_cis-infra-tp-noextend-disablemix-enableonly-rules
    outputRef:
      name: cis-infra-tp-noextend-disablemix-enableonly-rules-tp
      namespace: openshift-compliance
    state: ERROR
    warnings: |
      The following rules changed check type and need to be removed from the TailoredProfile. If these rules are important for you, add them to a TailoredProfile of matching check type: ocp4-kubelet-anonymous-auth,ocp4-kubelet-enable-streaming-connections
Version-Release number of selected component (if applicable):
4.15.0-0.nightly-2024-01-10-101042 + COv1.4.0
How reproducible:
Always
Steps to Reproduce:
1. Install COv1.3.1
2. Create a tp with below yaml file:
---
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-infra-tp-noextend-disablemix-enableonly-rules
  namespace: openshift-compliance
spec:
  description: Test
  disableRules:
  - name: ocp4-kubelet-anonymous-auth
    rationale: test
  - name: ocp4-api-server-insecure-port
    rationale: test
  - name: ocp4-api-server-tls-cert
    rationale: test
  enableRules:
  - name: ocp4-kubelet-enable-streaming-connections
    rationale: test
  title: My modified nist profile with a custom value
3. Upgrade CO to COv1.4.0
4. Check there is warning "The following rules changed check type and need to be removed from the TailoredProfile. If these rules are important for you, add them to a TailoredProfile of matching check type: ocp4-kubelet-anonymous-auth,ocp4-kubelet-enable-streaming-connections" for tp cis-infra-tp-noextend-disablemix-enableonly-rules
5. Add annotation compliance.openshift.io/prune-outdated-references: "true" to tp cis-infra-tp-noextend-disablemix-enableonly-rules
6. Check the status of tp cis-infra-tp-noextend-disablemix-enableonly-rules
Actual results:
After migrating tailoredprofiles with the annotation, the outdated rules have been pruned and the tp is in ERROR status. However, the warning message of the tailoredprofile is showing confusing information
Expected results:
After migrating tailoredprofiles with the annotation, the outdated rules have been pruned and the tp is in ERROR status. And the warning message of the tailoredprofile should be removed or show helpful information
Additional info: