Bug
Resolution: Done
Minor
None
4.16.0
Description of problem:
rhcos4-disa-stig applications/openshift/registry/imagestream_sets_schedule/rule.yml fails even when the imagestreams are properly set up.
oc get compliancecheckresults -l 'compliance.openshift.io/scan-name in (ocp4-disa-stig-stig, ocp4-disa-stig-stig-node-worker, ocp4-disa-stig-stig-node-master)' | grep imagestream
ocp4-disa-stig-stig-imagestream-sets-schedule FAIL medium
Version-Release number of selected component (if applicable):
Compliance Operator 1.4.1
How reproducible:
Every time
Steps to Reproduce:
1. Create Compliance Operator with disa-stig rhcos4 node profile
2. Create ScanSettingBinding
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: ocp4-stig-compliance
  namespace: openshift-compliance
profiles:
  - name: ocp4-stig
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-stig-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
3. Check the ComplianceCheckResults for imagestream-sets-schedule
oc get compliancecheckresults -l 'compliance.openshift.io/scan-name in (ocp4-disa-stig-stig, ocp4-disa-stig-stig-node-worker, ocp4-disa-stig-stig-node-master)' | grep imagestream
4. Grab the instructions
oc get imagestreams -A -ojson | jq -r '.items[] | select(.spec.tags[]?.importPolicy.scheduled != true) | "\(.metadata.name),\(.metadata.namespace)"' | sort | uniq
Actual results:
The instructions / description and check are incorrect.
from.kind should be used to consider DockerImage and not ImageStreamTag
Expected results:
Rule should be marked PASS
Additional info:
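Added example (not part of the original report and not the Compliance Operator's own check): a comparison of the step 4 filter with a from.kind-aware variant over JSON shaped like `oc get imagestreams -A -ojson`. The sample streams, namespaces and registry.example.com references are constructed, and treating only DockerImage-backed tags as in scope is an assumption based on the "Actual results" note above.

```python
# Constructed sample shaped like `oc get imagestreams -A -ojson` (not cluster data).
SAMPLE = {"items": [
    {"metadata": {"name": "cli", "namespace": "openshift"},
     "spec": {"tags": [{"name": "latest",
                        "from": {"kind": "ImageStreamTag", "name": "tools:latest"}}]}},
    {"metadata": {"name": "ubi8", "namespace": "openshift"},
     "spec": {"tags": [{"name": "latest",
                        "from": {"kind": "DockerImage",
                                 "name": "registry.example.com/ubi8:latest"},
                        "importPolicy": {"scheduled": True}}]}},
    {"metadata": {"name": "legacy-app", "namespace": "demo"},
     "spec": {"tags": [{"name": "v1",
                        "from": {"kind": "DockerImage",
                                 "name": "registry.example.com/legacy:v1"},
                        "importPolicy": {}}]}},
    {"metadata": {"name": "empty", "namespace": "demo"}, "spec": {}},
]}


def _tags(item):
    # Mirrors jq's `.spec.tags[]?`: a stream without tags yields nothing.
    return (item.get("spec") or {}).get("tags") or []


def _scheduled(tag):
    return (tag.get("importPolicy") or {}).get("scheduled") is True


def _report(doc, tag_in_scope):
    # Same output shape as the jq pipeline: sorted, unique "name,namespace".
    return sorted({
        f'{i["metadata"]["name"]},{i["metadata"]["namespace"]}'
        for i in doc.get("items", [])
        for t in _tags(i)
        if tag_in_scope(t) and not _scheduled(t)
    })


def original_check(doc):
    """Step 4 filter: every tag counts, whatever its from.kind."""
    return _report(doc, lambda t: True)


def kind_aware_check(doc):
    """Assumed fix: only tags with from.kind == DockerImage are evaluated."""
    return _report(doc, lambda t: (t.get("from") or {}).get("kind") == "DockerImage")


if __name__ == "__main__":
    print("original filter flags:  ", original_check(SAMPLE))
    print("from.kind-aware flags:  ", kind_aware_check(SAMPLE))
```

The ImageStreamTag-backed stream is flagged only by the original filter, while the DockerImage tag without scheduled import is flagged by both.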