Loading...

XML

Word

Printable

Type: Bug
Resolution: Duplicate
Priority: Major
Fix Version/s: None
Affects Version/s: 4.12
Component/s: Compliance Operator
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
Rejected
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Priority Data:
PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

The compliance operator contains logic to evaluate rules against default kubelet configuration values. This was implemented in 0.1.57 as listed in the release notes: https://docs.openshift.com/container-platform/4.11/security/compliance_operator/compliance-operator-release-notes.html#compliance-operator-release-notes-0-1-57

However, some rules are failing even though they have the proper default values.

Version-Release number of selected component (if applicable):

0.1.57

How reproducible:

Always

Steps to Reproduce:

1. Create a scansettingbinding for CIS
2. Wait for it to finish
3. Observe that the results failed

This is the binding I used:

$ cat binding.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1

Actual results:

$ oc get ccr -n openshift-compliance | grep kubelet-eviction-threshold
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available       FAIL           medium
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree      FAIL           medium
ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available        FAIL           medium
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available        FAIL           medium
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree       FAIL           medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available       FAIL           medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree      FAIL           medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available        FAIL           medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available        FAIL           medium
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree       FAIL           medium

Even though the defaults are acceptable:

$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."memory.available"'; done
"100Mi"
"100Mi"
"100Mi"
"100Mi"
"100Mi"
"100Mi"

Expected results:

Expected result is that each of the above rules would have passed instead of failed.

Additional info:
This was tracked in bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2075041 but I'm converting it to a Jira issue so we can track it here and reopen it.

Assignee:: Vincent Shen

Reporter:: Lance Bragstad

Need Info From:: None

Contributors:: None

QA Contact:: Xiaojie Yuan

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2022/11/23 8:43 PM

Updated:: 2025/09/13 3:30 AM

Resolved:: 2023/02/16 6:07 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates

Hide