OpenShift Bugs / OCPBUGS-6780

Compliance Operator: Removing profile reference from the ScanSettingBinding does not remove the compliance scan automatically

    • Bug
    • Resolution: Duplicate
    • Major
    • 4.10.z
    • Compliance Operator
    • Quality / Stability / Reliability
    • Important
    • Rejected
    • CMP Sprint 63, CMP Sprint 64, CMP Sprint 65, CMP Sprint 66, CMP Sprint 67, CMP Sprint 68, CMP Sprint 69, CMP Sprint 70, CMP Sprint 71, CMP Sprint 72, CMP Sprint 73, CMP Sprint 74, CMP Sprint 75

      Description of problem:

      Removing a profile reference from the ScanSettingBinding does not remove the ComplianceScan related to the removed profile. Even the CCR and ComplianceRemediation remain present.
      
      To remove everything, we need to delete the compliance scan manually; after that, the CCR and ComplianceRemediation are deleted.
      
      

      Version-Release number of selected component (if applicable):

      Compliance Operator 0.1.59
      
      

      How reproducible:

       Yes, it is reproducible.
      
      

      Steps to Reproduce:

      1. Create SSB as follows:
      ~~~
      [root@bastion auth]# oc create -f ssb
      scansettingbinding.compliance.openshift.io/nist-moderate-modified created
      
      [root@bastion auth]# oc get ssb
      NAME                     AGE
      nist-moderate-modified   2s
      
      [root@bastion auth]# oc get compliancescan
      NAME                     PHASE   RESULT
      nist-moderate-modified   DONE    NON-COMPLIANT
      ocp4-cis                 DONE    NON-COMPLIANT
      
      [root@bastion auth]# oc get ssb -o yaml 
      apiVersion: v1
      items:
      - apiVersion: compliance.openshift.io/v1alpha1
        kind: ScanSettingBinding
        metadata:
          creationTimestamp: "2023-01-30T11:28:12Z"
          generation: 1
          name: nist-moderate-modified
          namespace: openshift-compliance
          resourceVersion: "628602"
          uid: f0b374c7-fe6b-4fd3-8b97-ff4fa92c479a
        profiles:
        - apiGroup: compliance.openshift.io/v1alpha1
          kind: TailoredProfile
          name: nist-moderate-modified
        - apiGroup: compliance.openshift.io/v1alpha1
          kind: Profile
          name: ocp4-cis
        settingsRef:
          apiGroup: compliance.openshift.io/v1alpha1
          kind: ScanSetting
          name: default
        status:
          conditions:
          - lastTransitionTime: "2023-01-30T11:28:12Z"
            message: The scan setting binding was successfully processed
            reason: Processed
            status: "True"
            type: Ready
          outputRef:
            apiGroup: compliance.openshift.io
            kind: ComplianceSuite
            name: nist-moderate-modified
      kind: List
      metadata:
        resourceVersion: ""
        selfLink: ""
      ~~~
      
      2. Edit the ScanSettingBinding and remove ocp4-cis profile reference as follows:
      ~~~
      # oc edit ssb nist-moderate-modified -o yaml 
      apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSettingBinding
      metadata:
        creationTimestamp: "2023-01-30T11:28:12Z"
        generation: 2
        name: nist-moderate-modified
        namespace: openshift-compliance
        resourceVersion: "630937"
        uid: f0b374c7-fe6b-4fd3-8b97-ff4fa92c479a
      profiles:
      - apiGroup: compliance.openshift.io/v1alpha1
        kind: TailoredProfile
        name: nist-moderate-modified
      settingsRef:
        apiGroup: compliance.openshift.io/v1alpha1
        kind: ScanSetting
        name: default
      status:
        conditions:
        - lastTransitionTime: "2023-01-30T11:28:12Z"
          message: The scan setting binding was successfully processed
          reason: Processed
          status: "True"
          type: Ready
        outputRef:
          apiGroup: compliance.openshift.io
          kind: ComplianceSuite
          name: nist-moderate-modified
      ~~~
      
      3. Then watch or check the compliancescan objects: ocp4-cis is still present and is not cleaned up automatically:
      ~~~
      [root@bastion auth]# oc get compliancescan -w
      NAME                     PHASE   RESULT
      nist-moderate-modified   DONE    NON-COMPLIANT
      ocp4-cis                 DONE    NON-COMPLIANT
      ~~~
      
      4. Even the CCR and ComplianceRemediation generated with the above compliancescan are still present. The Compliance Operator does not clean up the scan for the removed reference or its results/remediations.
      
      

      Actual results:

      1. The CCR and ComplianceRemediation generated with the above compliancescan are still present. The Compliance Operator does not clean up the scan for the removed reference or its results/remediations, even though the ssb no longer contains the profile reference.
      
      

      Expected results:

      If CU removes the reference from scansettingbinding for any profile it means he might not need the profile scan/results/remediations anymore. So it would be cleaned up. 
      
      One more thing: we can add a note to the Compliance Operator documentation: "If you remove the profile reference from the ssb then it will remove the complianceremediation and results too"
      
      So that our CU would be aware of the changes if they are intentionally removing the reference.
      
      

      Additional info:

      
      One more suggestion: we can add a note to the Compliance Operator documentation: "If you remove the profile reference from the ssb then it will remove the complianceremediation and results too"
      
      So that our CU would be aware of the changes if they are intentionally removing the reference.
      
      

              lbragsta@redhat.com Lance Bragstad
              rhn-support-mbagga Mithilesh Bagga (Inactive)
              Xiaojie Yuan
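
An added example (not part of the original report and not the Compliance Operator's code): a check that lists ComplianceScan objects no ScanSettingBinding references any more, counts the check results still labelled with them, and builds the manual delete the report uses as its workaround. The JSON is constructed sample data mirroring the report after step 2; the `<profile>-<role>` naming for node scans and the `compliance.openshift.io/scan-name` label are assumptions about the cluster's objects.

```python
import json

# Constructed sample data shaped like `oc get <kind> -n openshift-compliance -o json`,
# mirroring the report's state after step 2 (ocp4-cis removed from the binding).
SSBS = json.loads('''{"items": [{"metadata": {"name": "nist-moderate-modified"},
  "profiles": [{"kind": "TailoredProfile", "name": "nist-moderate-modified"}]}]}''')
SCANS = json.loads('''{"items": [{"metadata": {"name": "nist-moderate-modified"}},
                                {"metadata": {"name": "ocp4-cis"}}]}''')
# Check-result names below are constructed placeholders.
RESULTS = json.loads('''{"items": [
  {"metadata": {"name": "ocp4-cis-example-check-a",
                "labels": {"compliance.openshift.io/scan-name": "ocp4-cis"}}},
  {"metadata": {"name": "ocp4-cis-example-check-b",
                "labels": {"compliance.openshift.io/scan-name": "ocp4-cis"}}},
  {"metadata": {"name": "nist-moderate-modified-example-check",
                "labels": {"compliance.openshift.io/scan-name": "nist-moderate-modified"}}}]}''')
SCAN_LABEL = "compliance.openshift.io/scan-name"  # assumption: label set on results
ROLES = ("master", "worker")  # assumption: node scans are named <profile>-<role>

def expected_scan_names(ssb_list, roles=ROLES):
    """Scan names that the current bindings still justify."""
    names = set()
    for ssb in ssb_list.get("items", []):
        for ref in ssb.get("profiles") or []:
            names.add(ref["name"])
            names.update(f"{ref['name']}-{role}" for role in roles)
    return names

def orphaned_scans(ssb_list, scan_list, roles=ROLES):
    """Scans that exist but are referenced by no ScanSettingBinding profile."""
    expected = expected_scan_names(ssb_list, roles)
    return sorted(s["metadata"]["name"] for s in scan_list.get("items", [])
                  if s["metadata"]["name"] not in expected)

def leftover_results(orphans, result_list):
    """Count check results still labelled with each orphaned scan."""
    counts = {name: 0 for name in orphans}
    for item in result_list.get("items", []):
        scan = item["metadata"].get("labels", {}).get(SCAN_LABEL)
        if scan in counts:
            counts[scan] += 1
    return counts

def cleanup_commands(orphans, namespace="openshift-compliance"):
    """The manual workaround from the report, one command per orphaned scan."""
    return [f"oc -n {namespace} delete compliancescan {name}" for name in orphans]

if __name__ == "__main__":
    orphans = orphaned_scans(SSBS, SCANS)
    print(leftover_results(orphans, RESULTS), cleanup_commands(orphans))
```

On a live cluster the three inputs would come from `oc get ssb`, `oc get compliancescan` and `oc get compliancecheckresults` with `-o json`; review the list before running any delete, since scans created directly (without a binding) would also show up as unreferenced.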