- Bug
- Resolution: Done
- Normal
- 4.17, 4.18, 4.19
- Quality / Stability / Reliability
- False
- 2
- Low
- OSDOCS Sprint 267
- 1
Description of problems:
1. In https://docs.openshift.com/container-platform/4.17/security/compliance_operator/co-concepts/compliance-operator-crd.html#advance-compliance-scan-object_compliance-crd
the command to fetch the ComplianceScan events does not work correctly - returns ‘No resources found in openshift-compliance namespace.’ in OC CLI:
oc get events --field-selector involvedObject.kind=ComplianceScan,involvedObject.name=<name of the suite>
It should be:
oc get events --field-selector involvedObject.kind=ComplianceScan,involvedObject.name=<name of the Compliance Scan>
2. Also in https://docs.openshift.com/container-platform/4.17/security/compliance_operator/co-concepts/compliance-operator-crd.html#compliance-suite-object_compliance-crd in the ‘Example ComplianceSuite object’ the name in metadata is wrong.
Instead of:
    apiVersion: compliance.openshift.io/v1alpha1
    kind: ComplianceSuite
    metadata:
      name: <name of the scan>
    spec:
      autoApplyRemediations: false
      schedule: "0 1 * * *"
      scans:
        - name: workers-scan
          scanType: Node
          profile: xccdf_org.ssgproject.content_profile_moderate
          content: ssg-rhcos4-ds.xml
          contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45dc...
          rule: "xccdf_org.ssgproject.content_rule_no_netrc_files"
          nodeSelector:
            node-role.kubernetes.io/worker: ""
    status:
      Phase: DONE
      Result: NON-COMPLIANT
      scanStatuses:
      - name: workers-scan
        phase: DONE
        result: NON-COMPLIANT
It should be:
    apiVersion: compliance.openshift.io/v1alpha1
    kind: ComplianceSuite
    metadata:
      name: <name of the suite>
    spec:
      autoApplyRemediations: false
      schedule: "0 1 * * *"
      scans:
        - name: workers-scan
          scanType: Node
          profile: xccdf_org.ssgproject.content_profile_moderate
          content: ssg-rhcos4-ds.xml
          contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:45dc...
          rule: "xccdf_org.ssgproject.content_rule_no_netrc_files"
          nodeSelector:
            node-role.kubernetes.io/worker: ""
    status:
      Phase: DONE
      Result: NON-COMPLIANT
      scanStatuses:
      - name: workers-scan
        phase: DONE
        result: NON-COMPLIANT
How reproducible:
Always
Steps to Reproduce:
If the command from the documentation, oc get events --field-selector involvedObject.kind=ComplianceScan,involvedObject.name=<name of the suite>, is run in the oc CLI, it results in the following error: ‘No resources found in openshift-compliance namespace.’
Actual results:
‘No resources found in openshift-compliance namespace.’ in the oc CLI output
Expected results:
1. The oc events command needs to be updated in the Advanced ComplianceScan Object section. involvedObject.name should be updated as <name of the scan>. Events/results of the compliance scan should be available. If the name in involvedObject.name is replaced with the name of one of the compliance scans, it gives results:
oc get events --field-selector involvedObject.kind=ComplianceScan,involvedObject.name=<name of the Compliance Scan>
LAST SEEN   TYPE     REASON            OBJECT                                    MESSAGE
4m49s       Normal   ResultAvailable   compliancescan/ocp4-cis-node-1-5-master   ComplianceScan's result is: NON-COMPLIANT
2. The name in metadata of 'Example ComplianceSuite object' should be <name of the suite>
Additional info:
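The corrected lookup from this report, as an added example that is not part of the original report or of the OpenShift documentation: it reads the scan names from a suite's status.scanStatuses (the field shown in the example ComplianceSuite object) and queries events once per scan name. The function names and the NAMESPACE variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: events are recorded against ComplianceScan objects, so the
# suite name must first be resolved to the names of its scans.
# NAMESPACE and all function names are assumptions, not project code.
NAMESPACE="${NAMESPACE:-openshift-compliance}"

# Build the field selector for one ComplianceScan name.
scan_event_selector() {
    printf 'involvedObject.kind=ComplianceScan,involvedObject.name=%s' "$1"
}

# Print the scan names of a suite, one per line, from .status.scanStatuses.
suite_scan_names() {
    oc get compliancesuite "$1" -n "$NAMESPACE" \
        -o jsonpath='{range .status.scanStatuses[*]}{.name}{"\n"}{end}'
}

# Show the events of every scan that belongs to the given suite.
scan_events_for_suite() {
    suite="$1"
    names="$(suite_scan_names "$suite")" || return 1
    if [ -z "$names" ]; then
        # No scan statuses yet: querying with the suite name would only
        # return "No resources found", so stop with an explicit message.
        echo "suite $suite reports no scans yet" >&2
        return 1
    fi
    for scan in $names; do
        echo "== $scan"
        oc get events -n "$NAMESPACE" \
            --field-selector "$(scan_event_selector "$scan")"
    done
}

# Run only when a suite name is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_events_for_suite "$1"
fi
```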