Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 4.13.0
Affects Version/s: 4.11
Component/s: Compliance Operator
Labels:
- P-QE

Regression:
None
Story Points:
2
Sprint:
CMP Sprint 56, CMP Sprint 57
sprint_count:
2
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Cause: Some compliance operator remediations require variables as input.

Consequence: Remediations without variables set can be applied cluster wide and result in stuck nodes even though it looks like the remediation has been applied.

Fix: Update the compliance operator, rerun the scan, and reapply remediations.

Result: The compliance operator will properly validate if a variable needs to be supplied using a TailoredProfile for a particular remediation.

Show
Cause: Some compliance operator remediations require variables as input. Consequence: Remediations without variables set can be applied cluster wide and result in stuck nodes even though it looks like the remediation has been applied. Fix: Update the compliance operator, rerun the scan, and reapply remediations. Result: The compliance operator will properly validate if a variable needs to be supplied using a TailoredProfile for a particular remediation.
Release Note Type:
Bug Fix
Target Version:

4.13.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

Node in NotReady,SchedulingDisabled after applying complianceremediations for ocp4-pci-dss-node-wrscan-kubelet-enable-protect-kernel-defaults 
I performed the test case on OCP 4.11.13 cluster and Power architecture

Version-Release number of selected component (if applicable):

compliance-operator.v0.1.59

How reproducible:

Every time

Steps to Reproduce:

I have attached the detailed steps with logs in attachment.

1. Install Compliance operator
2. Set label 1 rhcos worker nodes out of all workers
3. Create a custom MachineConfigPool to bring them in wrscan pool
4. Create ScanSetting auto-apply with remediations enable
5. Create ScanSettingBinding using auto-apply scansetting
6. Check all failed rules through compliancecheckresult object  
7. check all rules are applied remediations except ocp4-pci-dss-node-kubelet-enable-protect-kernel-defaults. 
8. Verify kubeletconfigs are created for compliance operator and machineConfigs are created for ocp4-kubelet-enable-protect-kernel-sysctl rule to apply remediation 
9. Rerun scan
10. Check rule ocp4-kubelet-enable-protect-kernel-defaults status and Confirm machineConfigPool has been updated after rescan

After these steps the one of the worker node stuck in  NotReady,SchedulingDisabled state.

Actual results:

# oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGEmaster   rendered-master-7db0bc2d0d2023b1ea18079c86220edc   True      False      False      3              3                   3                     0                      128mworker   rendered-worker-0a178a44beebe95c2f912f3868bc1bad   False     True       False      2              0                   0                     0                      128mwrscan   rendered-wrscan-f8e480d30438d642bd4c6792b4e48f1b   True      False      False      1              1                   1                     0                      56m

# oc get node
NAME                                           STATUS                        ROLES           AGE    VERSIONlon06-master-0.rdr-vard-ocp-411l-upi.ibm.com   Ready                         master          136m   v1.24.6+5157800lon06-master-1.rdr-vard-ocp-411l-upi.ibm.com   Ready                         master          136m   v1.24.6+5157800lon06-master-2.rdr-vard-ocp-411l-upi.ibm.com   Ready                         master          130m   v1.24.6+5157800lon06-worker-0.rdr-vard-ocp-411l-upi.ibm.com   NotReady,SchedulingDisabled   worker          113m   v1.24.6+5157800lon06-worker-1.rdr-vard-ocp-411l-upi.ibm.com   Ready                         worker,wrscan   111m   v1.24.6+5157800lon06-worker-2.rdr-vard-ocp-411l-upi.ibm.com   Ready                         worker          110m   v1.24.6+5157800

Expected results:

All Nodes should updated and healthy.

Additional info:

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

must-gather.tar.gz
14.79 MB
2022/11/18 7:54 AM
Steps-to-produce-bug.txt
22 kB
2022/11/18 8:17 AM

links to

ComplianceAsCode/compliance-operator#189: OCPBUGS-3864: ssb: Error if attempting to use a non-default pool but the pool variables are not set

mentioned on

Merge request - Updated 2 upstream sources

Merge request - Updated US source to: c278069 Release v1.0.0

Assignee:: Jakub Hrozek (Inactive)

Reporter:: Varad Ahirwadkar (Inactive)

QA Contact:: Xiaojie Yuan

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2022/11/18 8:27 AM

Updated:: 2023/03/28 7:09 PM

Resolved:: 2023/02/22 8:42 AM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates