OpenShift Bugs: OCPBUGS-50858

Custom rule custom-rule-configure-network-policies-namespaces-cel always reports


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • 4.19.0
    • Compliance Operator
    • Moderate

      Description of problem:

      Whether or not any non-control-plane namespaces exist, the custom rule custom-rule-configure-network-policies-namespaces-cel always reports FAIL.

      Version-Release number of selected component (if applicable):

      4.18.0-0.nightly-2025-02-11-060301 + Compliance Operator build from https://github.com/ComplianceAsCode/compliance-operator/pull/671

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install the Compliance Operator with PR https://github.com/ComplianceAsCode/compliance-operator/pull/671
      2. For the custom rule custom-rule-configure-network-policies-namespaces-cel in the demo, create a TailoredProfile (tp) containing that custom rule, and create a ScanSettingBinding (ssb) with the tp.
      3. Create two new namespaces, test1 and test2, edit the variable and set its value to test1|test2, and then re-trigger the scan for custom rule custom-rule-configure-network-policies-namespaces-cel.

      Actual results:

      Whether or not any non-control-plane namespaces exist, the custom rule custom-rule-configure-network-policies-namespaces-cel always reports FAIL.

      Expected results:

      Whether or not any non-control-plane namespaces exist, the custom rule custom-rule-configure-network-policies-namespaces-cel should report PASS.

      Additional info:
      I updated the custom rule as below, and it works.


       # PASS when no non-control-plane namespace remains after the exemptions,
       # or when every remaining namespace has at least one NetworkPolicy.
       # Namespaces whose name matches the variable regex (e.value) are exempt;
       # matches() is an unanchored regex match, so "openshift" also covers
       # names such as "openshift-monitoring".
       expression: >
         size(
           nl.items
           .filter(ns, !ns.metadata.name.matches(e.value))
           .filter(ns, !ns.metadata.name.matches("openshift"))
           .filter(ns, !ns.metadata.name.matches("kube-"))
           .filter(ns, !ns.metadata.name.matches("default"))
         ) == 0 ||
         size(
           nl.items
           .filter(ns, !ns.metadata.name.matches(e.value))
           .filter(ns, !ns.metadata.name.matches("openshift"))
           .filter(ns, !ns.metadata.name.matches("kube-"))
           .filter(ns, !ns.metadata.name.matches("default"))
           .filter(ns, npl.items.exists(np, np.metadata.namespace == ns.metadata.name))
         ) == size(
           nl.items
           .filter(ns, !ns.metadata.name.matches(e.value))
           .filter(ns, !ns.metadata.name.matches("openshift"))
           .filter(ns, !ns.metadata.name.matches("kube-"))
           .filter(ns, !ns.metadata.name.matches("default"))
         )
       inputs:
         - name: nl
           type: KubeGroupVersionResource
           apiGroup: ""
           version: v1
           resource: namespaces
           namespaces: "*"  # Query all namespaces
         - name: npl
           type: KubeGroupVersionResource
           apiGroup: networking.k8s.io
           version: v1
           resource: networkpolicies
           namespaces: "*"  # Query all namespaces
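The logic of the corrected expression above, written out as an added Python model so the rule can be reasoned about offline against constructed Namespace and NetworkPolicy objects; this is not Compliance Operator code. CEL's matches() is an unanchored RE2 search, modelled here with re.search, and the `e.value` variable is passed in as exclude_regex.

```python
import re

# The rule's hard-coded control-plane patterns. CEL's matches() is an
# unanchored regex search, so "default" also covers e.g. "mydefault".
CONTROL_PLANE_PATTERNS = ("openshift", "kube-", "default")


def candidate_namespaces(nl, exclude_regex):
    """Namespaces that must carry a NetworkPolicy: everything whose name
    matches neither the variable regex (e.value) nor a control-plane pattern."""
    patterns = (exclude_regex,) + CONTROL_PLANE_PATTERNS
    return [ns for ns in nl["items"]
            if not any(re.search(p, ns["metadata"]["name"]) for p in patterns)]


def evaluate_rule(nl, npl, exclude_regex):
    """Mirror of the fixed expression: PASS when no candidate namespace
    remains, or when every candidate has at least one NetworkPolicy."""
    candidates = candidate_namespaces(nl, exclude_regex)
    if len(candidates) == 0:          # the `size(...) == 0 ||` branch
        return "PASS"
    covered = [ns for ns in candidates
               if any(np["metadata"]["namespace"] == ns["metadata"]["name"]
                      for np in npl["items"])]
    return "PASS" if len(covered) == len(candidates) else "FAIL"


# Constructed sample objects in the shape of Kubernetes list responses.
def ns(name):
    return {"metadata": {"name": name}}


def netpol(namespace, name="default-deny"):
    return {"metadata": {"name": name, "namespace": namespace}}


CONTROL_PLANE_ONLY = {"items": [ns("default"), ns("kube-system"),
                                ns("openshift-monitoring")]}
WITH_TEST_NS = {"items": CONTROL_PLANE_ONLY["items"] + [ns("test1"), ns("test2")]}
NO_POLICIES = {"items": []}
BOTH_POLICIES = {"items": [netpol("test1"), netpol("test2")]}
NEVER = "(?!)"  # regex that matches nothing: exempts no extra namespaces

if __name__ == "__main__":
    print(evaluate_rule(CONTROL_PLANE_ONLY, NO_POLICIES, NEVER))    # PASS
    print(evaluate_rule(WITH_TEST_NS, NO_POLICIES, NEVER))          # FAIL
    print(evaluate_rule(WITH_TEST_NS, BOTH_POLICIES, NEVER))        # PASS
    print(evaluate_rule(WITH_TEST_NS, NO_POLICIES, "test1|test2"))  # PASS
```

Because an empty regex matches every string, leaving the variable empty exempts every namespace and the rule passes vacuously, so a PASS is only meaningful when the variable holds a deliberate pattern.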
              Assignee: Vincent Shen (wenshen@redhat.com)
              Reporter: Xiaojie Yuan (xiyuan@redhat.com)