Bug
Resolution: Unresolved
Minor
None
4.16.0
Description of problem:
rhcos4-disa-stig applications/openshift/registry/imagestream_sets_schedule/rule.yml fails even when the imagestreams are properly set up.

    oc get compliancecheckresults -l 'compliance.openshift.io/scan-name in (ocp4-disa-stig-stig, ocp4-disa-stig-stig-node-worker, ocp4-disa-stig-stig-node-master)' | grep imagestream
    ocp4-disa-stig-stig-imagestream-sets-schedule FAIL medium
Version-Release number of selected component (if applicable):
Compliance Operator 1.4.1
How reproducible:
Every time
Steps to Reproduce:
1. Create Compliance Operator with disa-stig rhcos4 node profile

2. Create ScanSettingBinding

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSettingBinding
    metadata:
      name: ocp4-stig-compliance
      namespace: openshift-compliance
    profiles:
      - name: ocp4-stig
        kind: Profile
        apiGroup: compliance.openshift.io/v1alpha1
      - name: ocp4-stig-node
        kind: Profile
        apiGroup: compliance.openshift.io/v1alpha1
    settingsRef:
      name: default
      kind: ScanSetting
      apiGroup: compliance.openshift.io/v1alpha1

3. Check the ComplianceCheckResults for imagestream-sets-schedule

    oc get compliancecheckresults -l 'compliance.openshift.io/scan-name in (ocp4-disa-stig-stig, ocp4-disa-stig-stig-node-worker, ocp4-disa-stig-stig-node-master)' | grep imagestream

4. Grab the instructions

    oc get imagestreams -A -ojson | jq -r '.items[] | select(.spec.tags[]?.importPolicy.scheduled != true) | "\(.metadata.name),\(.metadata.namespace)"' | sort | uniq
Actual results:
The instructions / description and check are incorrect.
from.kind should be used to consider DockerImage and not ImageStreamTag
Expected results:
Rule should be marked PASS
Additional info:
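
The following is an added example, not part of the original report and not the Compliance Operator's own check. It runs the jq filter from step 4 and a from.kind-aware variant over the same constructed imagestream list to show where the two disagree. The sample data, the function name `unscheduled` and the reading that only tags with from.kind DockerImage should be evaluated are assumptions.

```python
import json

# Constructed sample shaped like `oc get imagestreams -A -ojson` output
# (not real cluster data; registry.example.com is a placeholder).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "app", "namespace": "demo"},
   "spec": {"tags": [
     {"name": "1.0",
      "from": {"kind": "DockerImage", "name": "registry.example.com/app:1.0"},
      "importPolicy": {"scheduled": true}},
     {"name": "latest",
      "from": {"kind": "ImageStreamTag", "name": "app:1.0"},
      "importPolicy": {}}]}},
  {"metadata": {"name": "tools", "namespace": "demo"},
   "spec": {"tags": [
     {"name": "2.3",
      "from": {"kind": "DockerImage", "name": "registry.example.com/tools:2.3"},
      "importPolicy": {}}]}},
  {"metadata": {"name": "empty", "namespace": "demo"}, "spec": {}}
]}
""")


def unscheduled(imagestreams, kinds=None):
    """Return sorted unique (name, namespace) pairs with a tag lacking scheduled import.

    kinds=None mirrors the jq filter in step 4: every tag is evaluated.
    kinds={"DockerImage"} evaluates only tags whose from.kind is in the set
    (assumed reading of the report's suggestion).
    """
    hits = set()
    for item in imagestreams.get("items", []):
        meta = item.get("metadata", {})
        # Like `.spec.tags[]?`, a missing or null tag list yields nothing.
        for tag in item.get("spec", {}).get("tags") or []:
            kind = (tag.get("from") or {}).get("kind")
            if kinds is not None and kind not in kinds:
                continue  # e.g. ImageStreamTag references are not evaluated
            if (tag.get("importPolicy") or {}).get("scheduled") is not True:
                hits.add((meta.get("name"), meta.get("namespace")))
    return sorted(hits)


if __name__ == "__main__":
    print("all tags:        ", unscheduled(SAMPLE))
    print("DockerImage only:", unscheduled(SAMPLE, kinds={"DockerImage"}))
```

On the sample, the step 4 behaviour reports both `app` and `tools`, while the from.kind-aware variant reports only `tools`, whose DockerImage tag has no scheduled import.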