OpenShift Bugs / OCPBUGS-6827

Unable to create compliance scan while using TailoredProfile and non-default MachineConfigPool


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Affects Version: 4.10.z
    • Component: Compliance Operator

      Description of problem:

      Unable to create a compliance scan while using a TailoredProfile and a non-default MachineConfigPool. I have tried the scenario on an OCP 4.10 cluster on Power.

      Version-Release number of selected component (if applicable):

      0.1.60

      How reproducible:

      Every time

      Steps to Reproduce:

      1. Deploy Compliance operator using index image: registry-proxy.engineering.redhat.com/rh-osbs/iib:421196
      
      # oc get csv
      NAME                          DISPLAY               VERSION   REPLACES   PHASE
      compliance-operator.v0.1.60   Compliance Operator   0.1.60               Succeeded
      
      # oc get pods
      NAME                                              READY   STATUS    RESTARTS      AGE
      compliance-operator-796cf58b9c-vx5jm              1/1     Running   1 (24m ago)   24m
      ocp4-openshift-compliance-pp-588f7498d7-2ksn4     1/1     Running   0             24m
      rhcos4-openshift-compliance-pp-6684c8b559-wsxgm   1/1     Running   0             24m
      
      # oc get prof
      NAME                AGE
      ocp4-cis            23m
      ocp4-cis-node       23m
      ocp4-pci-dss        23m
      ocp4-pci-dss-node   23m
      
      2. Create custom mcp wscan
      # oc label node worker-0 node-role.kubernetes.io/wscan=
      node/worker-0 labeled
      
      # oc label node worker-1 node-role.kubernetes.io/wscan=
      node/worker-1 labeled
      
      # oc create -f - <<EOF
      > apiVersion: machineconfiguration.openshift.io/v1
      > kind: MachineConfigPool
      > metadata:
      >   name: wscan
      >   labels:
      >     pools.operator.machineconfiguration.openshift.io/wrscan: ''
      > spec:
      >   machineConfigSelector:
      >     matchExpressions:
      >       - {key: machineconfiguration.openshift.io/role, operator: In, values: [worker,wscan]}
      >   nodeSelector:
      >     matchLabels:
      >       node-role.kubernetes.io/wscan: ""
      > EOF
      machineconfigpool.machineconfiguration.openshift.io/wscan created
      
      # oc get mcp
      NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
      master   rendered-master-8866b8d8af41af969accc579f782dae5   True      False      False      3              3                   3                     0                      74m
      worker   rendered-worker-d927aa5e6b762eef4b939c46783a2d94   True      False      False      0              0                   0                     0                      74m
      wscan    rendered-wscan-d927aa5e6b762eef4b939c46783a2d94    True      False      False      2              2                   2                     0                      24m
      
      2. Create TailoredProfile
      # oc apply -f -<<EOF
      > apiVersion: compliance.openshift.io/v1alpha1
      > kind: TailoredProfile
      > metadata:
      >   name: cis-wscan-tp
      > spec:
      >   extends: ocp4-cis
      >   title: My modified nist profile with a custom value
      >   setValues:
      >   - name: ocp4-var-role-master
      >     value: wscan
      >     rationale: test for wscan nodes
      >   - name: ocp4-var-role-worker
      >     value: wscan
      >     rationale: test for wscan nodes
      >   description: cis-wscan-scan
      > EOF 
      tailoredprofile.compliance.openshift.io/cis-wscan-tp created 
      
      3. Create a ScanSetting and trigger a scan for wscan mcp:
      # oc apply -f -<<EOF
      > apiVersion: compliance.openshift.io/v1alpha1
      > kind: ScanSetting
      > metadata:
      >   name: test
      >   namespace: openshift-compliance
      > rawResultStorage:
      >   nodeSelector:
      >     node-role.kubernetes.io/master: ""
      >   pvAccessModes:
      >   - ReadWriteOnce
      >   rotation: 3
      >   size: 1Gi
      >   tolerations:
      >   - effect: NoSchedule
      >     key: node-role.kubernetes.io/master
      >     operator: Exists
      >   - effect: NoExecute
      >     key: node.kubernetes.io/not-ready
      >     operator: Exists
      >     tolerationSeconds: 300
      >   - effect: NoExecute
      >     key: node.kubernetes.io/unreachable
      >     operator: Exists
      >     tolerationSeconds: 300
      >   - effect: NoSchedule
      >     key: node.kubernetes.io/memory-pressure
      >     operator: Exists
      > roles:
      > - wscan
      > scanTolerations:
      > - operator: Exists
      > schedule: 0 1 * * *
      > showNotApplicable: false
      > strictNodeScan: true
      > scanLimits: {
      >   "cpu": "150m",
      >   "memory": "512Mi"
      > }
      > debug: true
      > autoApplyRemediations: true
      > autoUpdateRemediations: true
      > EOF
      scansetting.compliance.openshift.io/test created
      
      4. Create ScanSettingBinding
      # oc apply -f -<<EOF
      > apiVersion: compliance.openshift.io/v1alpha1
      > kind: ScanSettingBinding
      > metadata:
      >   name: my-ssb-r-2
      > profiles:
      >   - name: ocp4-cis-node
      >     kind: Profile
      >     apiGroup: compliance.openshift.io/v1alpha1
      >   - name: cis-wscan-tp
      >     kind: TailoredProfile
      >     apiGroup: compliance.openshift.io/v1alpha1
      > settingsRef:
      >   name: test
      >   kind: ScanSetting
      >   apiGroup: compliance.openshift.io/v1alpha1
      > EOF 
      scansettingbinding.compliance.openshift.io/my-ssb-r-2 created 

      Actual results:

      # oc get ssb my-ssb-r-2 -o=jsonpath={.status.conditions} | jq -r
      [
        {
          "lastTransitionTime": "2023-01-31T10:28:16Z",
          "message": "The scanSetting references a non-default role, but either no tailored profile is set or the role variables are not set",
          "reason": "Invalid",
          "status": "False",
          "type": "Ready"
        }
      ]
      

      Expected results:

      Compliance scans should be created

      Additional info:

      Must gather logs: https://drive.google.com/file/d/1ftNbozSYjGmD5-pF7yEGPoglbU5WLilS/view?usp=sharing
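      As an added pre-flight check (example code, not the Compliance Operator's own implementation), the following Python re-states the rule quoted in the Ready condition's message over objects constructed from the reproduction steps above, so that a ScanSettingBinding can be validated from exported objects before it is applied. The variable names ocp4-var-role-master and ocp4-var-role-worker are the ones used in the report; treating "master" and "worker" as the default roles, and the exact shape of the rule, are assumptions. On the report's objects the check passes, which is the outcome the expected results describe.

```python
# Added example, not Compliance Operator code: a stand-alone re-statement of
# the rule in the Ready=False message ("the scanSetting references a
# non-default role, but either no tailored profile is set or the role
# variables are not set"). Variable names come from the report; the default
# role set and the exact rule are assumptions.

DEFAULT_ROLES = {"master", "worker"}  # assumption: roles that need no tailoring
ROLE_VARIABLES = ("ocp4-var-role-master", "ocp4-var-role-worker")  # from the report

# Constructed inputs mirroring the objects in the reproduction steps.
SCAN_SETTING = {"metadata": {"name": "test"}, "roles": ["wscan"]}

TAILORED_PROFILES = {
    "cis-wscan-tp": {
        "spec": {
            "extends": "ocp4-cis",
            "setValues": [
                {"name": "ocp4-var-role-master", "value": "wscan"},
                {"name": "ocp4-var-role-worker", "value": "wscan"},
            ],
        }
    }
}

BINDING = {
    "metadata": {"name": "my-ssb-r-2"},
    "profiles": [
        {"name": "ocp4-cis-node", "kind": "Profile"},
        {"name": "cis-wscan-tp", "kind": "TailoredProfile"},
    ],
    "settingsRef": {"name": "test", "kind": "ScanSetting"},
}


def non_default_roles(scan_setting):
    """Roles in the ScanSetting that are not one of the default pools."""
    return [r for r in scan_setting.get("roles", []) if r not in DEFAULT_ROLES]


def set_values(tailored_profile):
    """Map variable name -> value for a TailoredProfile's spec.setValues."""
    values = tailored_profile.get("spec", {}).get("setValues", [])
    return {v["name"]: v["value"] for v in values}


def check_binding(binding, scan_setting, tailored_profiles):
    """Return (ok, reason).

    ok is True when every non-default role in the ScanSetting is covered by a
    bound TailoredProfile that sets both role variables to that role.
    """
    extra = non_default_roles(scan_setting)
    if not extra:
        return True, "only default roles are referenced"
    bound_tps = [p["name"] for p in binding.get("profiles", [])
                 if p.get("kind") == "TailoredProfile"]
    if not bound_tps:
        return False, "non-default role(s) %s but no TailoredProfile is bound" % ", ".join(extra)
    for role in extra:
        covered = any(
            all(set_values(tailored_profiles.get(name, {})).get(var) == role
                for var in ROLE_VARIABLES)
            for name in bound_tps
        )
        if not covered:
            return False, "role %r is not set via %s in any bound TailoredProfile" % (
                role, " and ".join(ROLE_VARIABLES))
    return True, "role variables set for %s" % ", ".join(extra)


if __name__ == "__main__":
    print(check_binding(BINDING, SCAN_SETTING, TAILORED_PROFILES))
    # The same binding with only the plain Profile: the message's rule applies.
    plain = dict(BINDING, profiles=[BINDING["profiles"][0]])
    print(check_binding(plain, SCAN_SETTING, TAILORED_PROFILES))
```

      To run it against a live cluster, replace the constructed dictionaries with the output of `oc get scansetting/<name> -o json`, `oc get tailoredprofile -o json` and `oc get scansettingbinding/<name> -o json`; the check is deliberately conservative and requires both role variables to name the non-default pool.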

            jhrozek@redhat.com Jakub Hrozek
            vahirwad Varad Ahirwadkar
            Xiaojie Yuan Xiaojie Yuan