Details
- Bug
- Resolution: Duplicate
- Major
- None
- 4.12
- None
- Rejected
- False
Description
Description of problem:
The compliance operator contains logic to evaluate rules against default kubelet configuration values. This was implemented in 0.1.57 as listed in the release notes: https://docs.openshift.com/container-platform/4.11/security/compliance_operator/compliance-operator-release-notes.html#compliance-operator-release-notes-0-1-57

However, some rules are failing even though they have the proper default values.
Version-Release number of selected component (if applicable):
0.1.57
How reproducible:
Always
Steps to Reproduce:
1. Create a scansettingbinding for CIS
2. Wait for it to finish
3. Observe that the results failed

This is the binding I used:

$ cat binding.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
Actual results:
$ oc get ccr -n openshift-compliance | grep kubelet-eviction-threshold
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available    FAIL   medium
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree   FAIL   medium
ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available     FAIL   medium
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available     FAIL   medium
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree    FAIL   medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available    FAIL   medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree   FAIL   medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available     FAIL   medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available     FAIL   medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree    FAIL   medium

Even though the defaults are acceptable:

$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."memory.available"'; done
"100Mi"
"100Mi"
"100Mi"
"100Mi"
"100Mi"
"100Mi"
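As an added illustration (not code from this report, from the compliance operator, or from its content), the following Python check evaluates a node's kubelet configz output against the five eviction signals the failing rules above cover, for both hard and soft thresholds. It applies the kubelet's built-in evictionHard defaults (memory.available 100Mi, nodefs.available 10%, nodefs.inodesFree 5%, imagefs.available 15%) only when evictionHard is absent from the configuration entirely, which is how the kubelet itself defaults that field; evictionSoft has no built-in default. The rule-name format, the "non-empty threshold means pass" criterion and the two sample configz documents are assumptions constructed for this example, not the operator's actual rule logic.

```python
import json

# Kubelet's built-in Linux defaults for evictionHard. The kubelet applies
# them only when evictionHard is absent from the configuration entirely;
# evictionSoft has no built-in default.
KUBELET_DEFAULT_EVICTION_HARD = {
    "memory.available": "100Mi",
    "nodefs.available": "10%",
    "nodefs.inodesFree": "5%",
    "imagefs.available": "15%",
}

# Eviction signals the CIS rules in the report look for, hard and soft.
EVICTION_SIGNALS = (
    "memory.available",
    "nodefs.available",
    "nodefs.inodesFree",
    "imagefs.available",
    "imagefs.inodesFree",
)

# Constructed sample of what /api/v1/nodes/<node>/proxy/configz returns,
# trimmed to the fields used here. evictionHard is deliberately omitted so
# the kubelet defaults apply; one soft threshold is set explicitly.
SAMPLE_CONFIGZ_DEFAULTS = json.dumps({
    "kubeletconfig": {
        "kind": "KubeletConfiguration",
        "apiVersion": "kubelet.config.k8s.io/v1beta1",
        "evictionSoft": {"memory.available": "500Mi"},
        "evictionSoftGracePeriod": {"memory.available": "1m30s"},
    }
})

# Constructed sample where every threshold was set explicitly (for instance
# through a KubeletConfig object).
SAMPLE_CONFIGZ_EXPLICIT = json.dumps({
    "kubeletconfig": {
        "kind": "KubeletConfiguration",
        "apiVersion": "kubelet.config.k8s.io/v1beta1",
        "evictionHard": {s: "5%" for s in EVICTION_SIGNALS},
        "evictionSoft": {s: "10%" for s in EVICTION_SIGNALS},
    }
})


def effective_eviction(kubeletconfig: dict, kind: str) -> dict:
    """Return the thresholds the kubelet actually enforces for 'evictionHard'
    or 'evictionSoft', applying the built-in default only in the case the
    kubelet does: when evictionHard is missing altogether."""
    configured = kubeletconfig.get(kind)
    if configured is None and kind == "evictionHard":
        return dict(KUBELET_DEFAULT_EVICTION_HARD)
    return dict(configured or {})


def rule_name(kind: str, signal: str) -> str:
    """Build a rule name in the form the report's results use, e.g.
    kubelet-eviction-thresholds-set-hard-nodefs-inodesfree (assumed format)."""
    level = "hard" if kind == "evictionHard" else "soft"
    return f"kubelet-eviction-thresholds-set-{level}-{signal.lower().replace('.', '-')}"


def evaluate_node(configz_json: str) -> dict:
    """Evaluate one node's configz output and return {rule name: 'PASS'|'FAIL'}.
    A rule passes when the signal has a non-empty threshold after defaulting."""
    kubeletconfig = json.loads(configz_json)["kubeletconfig"]
    results = {}
    for kind in ("evictionHard", "evictionSoft"):
        thresholds = effective_eviction(kubeletconfig, kind)
        for signal in EVICTION_SIGNALS:
            results[rule_name(kind, signal)] = "PASS" if thresholds.get(signal) else "FAIL"
    return results


def failing_rules(configz_json: str) -> list:
    """Sorted names of the rules that fail for a node; empty means all pass."""
    return sorted(r for r, v in evaluate_node(configz_json).items() if v == "FAIL")


if __name__ == "__main__":
    for label, sample in (("defaults", SAMPLE_CONFIGZ_DEFAULTS),
                          ("explicit", SAMPLE_CONFIGZ_EXPLICIT)):
        for rule, verdict in sorted(evaluate_node(sample).items()):
            print(f"{label:9} {rule:60} {verdict}")
```

To run it against a live cluster instead of the constructed samples, feed each node's `oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz` output to `evaluate_node`; with the defaults sample, the four hard signals that have kubelet defaults pass even though evictionHard is absent, which is the behaviour the report expects from the 0.1.57 default-aware rules.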
Expected results:
Expected result is that each of the above rules would have passed instead of failed.
Additional info:
This was tracked in bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2075041 but I'm converting it to a Jira issue so we can track it here and reopen it.