Cloud Infrastructure Security & Compliance / CMP-3581

SCC `insights-runtime-extractor-scc` should be added to the default allowed list of SCCs to prevent rule failure

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Compliance Operator
    • Quality / Stability / Reliability
      Description of problem:

      When running a compliance scan on an OpenShift 4.19 or later cluster, the rule `scc-limit-container-allowed-capabilities` fails because the cluster ships with the SCC `insights-runtime-extractor-scc`, which sets `allowedCapabilities` but is not included in the default value of the variable `var_sccs_with_allowed_capabilities_regex.var` (the regex list of SCCs permitted to set the `allowedCapabilities` attribute). `insights-runtime-extractor-scc` is required by the OpenShift Insights Runtime Extractor feature, which is part of the OpenShift Insights Operator: https://github.com/openshift/insights-runtime-extractor

      $ oc get ccr | grep limit-container-allowed-capabilities
      ocp4-cis-scc-limit-container-allowed-capabilities                 FAIL     medium

      $ oc get scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
      [
        "insights-runtime-extractor-scc"
      ]

      $ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -o jsonpath='{.value}'
      ^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$

      Version-Release number of selected component (if applicable):


      How reproducible:

       Always

      Steps to Reproduce:

      1. Install CO
      2. Create an SSB with the ocp4-cis profile and default settings
      $ oc compliance bind -N test profile/ocp4-cis
      Creating ScanSettingBinding test
      3. Wait for the scan to finish
      4. Get the result for the rule
      $ oc get ccr | grep limit-container-allowed-capabilities
      ocp4-cis-scc-limit-container-allowed-capabilities                 FAIL     medium
      5. Check the default value of the variable
      $ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -o jsonpath='{.value}'
      ^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$
      6. Check which SCC is preventing the rule from passing
      $ oc get scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
      [
        "insights-runtime-extractor-scc"
      ]

      Actual results:

      SCC "insights-runtime-extractor-scc" is not listed in the default value of the variable var_sccs_with_allowed_capabilities_regex.var, so the rule fails on a cluster with the default set of SCCs.

      Expected results:

      SCC "insights-runtime-extractor-scc" should be listed in the default value of the variable var_sccs_with_allowed_capabilities_regex.var, as it is a required SCC on the cluster, and the rule should pass with the default configuration.

      Additional info:

          
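      The check that fails above, re-implemented offline so the allow-list semantics can be exercised without a cluster. This is an added example, not code from the bug report or from the Compliance Operator; it mirrors the jq filter quoted in the report (an SCC is a finding when its name does not match the allow-list regex and it sets `allowedCapabilities`). The SCC objects, the capability values on them, the `privileged-copy` SCC and the `PROPOSED_ALLOWLIST_REGEX` / `UNANCHORED_REGEX` constants are constructed for illustration, not taken from a real cluster or from any proposed fix.

```python
"""Offline re-implementation of the scc-limit-container-allowed-capabilities check.

Added example, not part of the original bug report or the Compliance Operator
code base. Every SCC whose name does not match the allow-list regex and that
sets allowedCapabilities is a finding, exactly as in the report's jq query.
"""
import json
import re

# Default value of ocp4-var-sccs-with-allowed-capabilities-regex, as quoted in the report.
DEFAULT_ALLOWLIST_REGEX = r"^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"

# Assumed form of the requested change: the same list plus the Insights Runtime Extractor SCC.
PROPOSED_ALLOWLIST_REGEX = DEFAULT_ALLOWLIST_REGEX + r"|^insights-runtime-extractor-scc$"

# Deliberately weak variant (constructed) to show why the anchors in the default matter.
UNANCHORED_REGEX = r"privileged|hostnetwork-v2|restricted-v2|nonroot-v2"

# Constructed stand-in for `oc get scc -o json`; only the fields the rule inspects.
# Capability values are illustrative placeholders, not the real SCC contents.
SAMPLE_SCC_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "privileged"}, "allowedCapabilities": ["*"]},
        {"metadata": {"name": "restricted-v2"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
        {"metadata": {"name": "nonroot-v2"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
        {"metadata": {"name": "hostnetwork-v2"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
        {"metadata": {"name": "anyuid"}, "allowedCapabilities": None},
        {"metadata": {"name": "insights-runtime-extractor-scc"}, "allowedCapabilities": ["EXAMPLE_CAP"]},
        # A custom SCC whose name merely contains an allow-listed name (constructed).
        {"metadata": {"name": "privileged-copy"}, "allowedCapabilities": ["*"]},
    ]
})


def noncompliant_sccs(scc_list_json: str, allowlist_regex: str) -> list[str]:
    """Return the names of SCCs that set allowedCapabilities but are not allow-listed.

    Equivalent to the report's jq filter:
      .items[] | select(.metadata.name | test(REGEX) | not)
               | select(.allowedCapabilities != null) | .metadata.name
    """
    pattern = re.compile(allowlist_regex)
    findings = []
    for scc in json.loads(scc_list_json)["items"]:
        name = scc["metadata"]["name"]
        # jq's test() is an unanchored search; any anchoring must come from the regex itself.
        if pattern.search(name):
            continue
        if scc.get("allowedCapabilities") is not None:
            findings.append(name)
    return findings


def rule_result(scc_list_json: str, allowlist_regex: str) -> str:
    """PASS when no SCC outside the allow list sets allowedCapabilities, otherwise FAIL."""
    return "FAIL" if noncompliant_sccs(scc_list_json, allowlist_regex) else "PASS"


if __name__ == "__main__":
    for label, regex in (("default", DEFAULT_ALLOWLIST_REGEX),
                         ("proposed", PROPOSED_ALLOWLIST_REGEX),
                         ("unanchored", UNANCHORED_REGEX)):
        print(f"{label:10s} {rule_result(SAMPLE_SCC_LIST, regex)} "
              f"{noncompliant_sccs(SAMPLE_SCC_LIST, regex)}")
```

      With the default regex the function reports both `insights-runtime-extractor-scc` and the constructed `privileged-copy`; extending the allow list with an anchored `^insights-runtime-extractor-scc$` clears only the first, which is the behaviour the report asks for. The unanchored variant silently accepts `privileged-copy` because `test()` searches rather than matches, so any change to this variable should keep the `^...$` anchors on every entry.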

              Unassigned
              Anna Koudelkova (rh-ee-akoudelk)
              Xiaojie Yuan
              Maria Simon Marcos