OpenShift Bugs / OCPBUGS-38213

The variables for the kubelet config rules are not working as expected


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.17.0
    • Compliance Operator
    • Moderate

      Description of problem:

      The variables for the kubelet config rules are not working as expected

      Version-Release number of selected component (if applicable):

      4.17.0-0.nightly-2024-08-07-124849 + compliance-operator.v1.5.0    

      How reproducible:

      Always    

      Steps to Reproduce:

      1. Install Compliance Operator 
      2. Create a tp with the YAML file below:
      apiVersion: compliance.openshift.io/v1alpha1
      kind: TailoredProfile
      metadata:
        name: testprofile
        namespace: openshift-compliance
        annotations:
          compliance.openshift.io/product-type: Node
      spec:
        description: test
        title: test-node
        enableRules:
          - name: ocp4-kubelet-enable-server-cert-rotation
            rationale: test
          - name: ocp4-kubelet-enable-streaming-connections
            rationale: test
          - name: ocp4-kubelet-eviction-thresholds-set-hard-imagefs-available
            rationale: test
          - name: ocp4-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree
            rationale: test
          - name: ocp4-kubelet-eviction-thresholds-set-hard-memory-available
            rationale: test
          - name: ocp4-kubelet-eviction-thresholds-set-hard-nodefs-available
            rationale: test
          - name: ocp4-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree
            rationale: test
        setValues:
          - name: ocp4-var-kubelet-evictionhard-imagefs-available
            value: "20%"
            rationale: test
          - name: ocp4-var-kubelet-evictionhard-imagefs-inodesfree
            value: "8%"
            rationale: test
          - name: ocp4-var-kubelet-evictionhard-memory-available
            value: "400Mi"
            rationale: test
          - name: ocp4-var-kubelet-evictionhard-nodefs-available
            value: "12%"
            rationale: test
          - name: ocp4-var-kubelet-evictionhard-nodefs-inodesfree
            value: "6%"
            rationale: test
          - name: ocp4-var-streaming-connection-timeouts
            value: "5h0m0s"
            rationale: test
      
      3. Create an ssb with the YAML file below:
      % cat ssb_tp.yaml 
      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSettingBinding
      metadata:
        name: test
      profiles:
        - apiGroup: compliance.openshift.io/v1alpha1
          kind: TailoredProfile
          name: testprofile
      settingsRef:
        apiGroup: compliance.openshift.io/v1alpha1
        kind: ScanSetting
        name: default
      4. Check the scan result
      

      Actual results:

      The compliance suite returns COMPLIANT
      % oc get suite
      NAME   PHASE   RESULT
      test   DONE    COMPLIANT    

      Expected results:

      The variables should take effect and return the scan result that reflects the actual status.    

      Additional info:

          

              lbragsta@redhat.com Lance Bragstad
              xiyuan@redhat.com Xiaojie Yuan
              Xiaojie Yuan Xiaojie Yuan
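One way to carry out step 4 below the suite-level result, as an added example that is not part of the original report or the Compliance Operator's code: compare the tailored values with a node's effective kubelet configuration (for instance the JSON served by the node's `configz` endpoint) and list the variables that differ. The variable-to-field mapping, the equality comparison and the sample node configuration are assumptions constructed for illustration.

```python
import json
import re

# setValues from the TailoredProfile in the report above.
TAILORED = {
    "ocp4-var-kubelet-evictionhard-imagefs-available": "20%",
    "ocp4-var-kubelet-evictionhard-imagefs-inodesfree": "8%",
    "ocp4-var-kubelet-evictionhard-memory-available": "400Mi",
    "ocp4-var-kubelet-evictionhard-nodefs-available": "12%",
    "ocp4-var-kubelet-evictionhard-nodefs-inodesfree": "6%",
    "ocp4-var-streaming-connection-timeouts": "5h0m0s",
}

# Constructed sample of a node's effective kubelet config (configz-style JSON).
SAMPLE_CONFIGZ = json.loads("""{"kubeletconfig": {
  "streamingConnectionIdleTimeout": "5h",
  "evictionHard": {"imagefs.available": "15%", "memory.available": "400Mi",
                   "nodefs.available": "10%", "nodefs.inodesFree": "5%"}}}""")

EVICTION_PREFIX = "ocp4-var-kubelet-evictionhard-"

def kubelet_path(var):
    """Assumed mapping from a variable name to a KubeletConfiguration path."""
    if var.startswith(EVICTION_PREFIX):
        resource, signal = var[len(EVICTION_PREFIX):].split("-")
        # The kubelet spells the inode signal in camelCase.
        return ("evictionHard", f"{resource}.{signal.replace('inodesfree', 'inodesFree')}")
    if var == "ocp4-var-streaming-connection-timeouts":
        return ("streamingConnectionIdleTimeout",)
    raise KeyError(var)

def normalize(value):
    """Turn Go-style durations (5h, 5h0m0s) into seconds; leave the rest alone."""
    if isinstance(value, str) and re.fullmatch(r"(\d+[hms])+", value):
        unit = {"h": 3600, "m": 60, "s": 1}
        return sum(int(n) * unit[u] for n, u in re.findall(r"(\d+)([hms])", value))
    return value

def mismatches(tailored, configz):
    """Return {variable: (tailored value, node value)} where the two differ."""
    node = configz.get("kubeletconfig", configz)
    diff = {}
    for var, want in tailored.items():
        have = node
        for key in kubelet_path(var):
            have = have.get(key) if isinstance(have, dict) else None
        if normalize(have) != normalize(want):
            diff[var] = (want, have)
    return diff
```

With the constructed sample, `mismatches(TAILORED, SAMPLE_CONFIGZ)` lists four variables, including one the node does not set at all; a COMPLIANT suite result alongside a non-empty list is the discrepancy the report describes.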