OpenShift Bugs / OCPBUGS-6906

Compliance check results are missing for some rules available in TailoredProfile


    • Type: Bug
    • Resolution: Done
    • Priority: Undefined
    • Affects Version: 4.10.z
    • Component: Compliance Operator

      Description of problem:

      Compliance check results are missing for rules available in TailoredProfile. I have tried the scenario on an OCP 4.10 cluster on Power.

      Version-Release number of selected component (if applicable):

      Compliance operator v0.1.60

      How reproducible:

      Every time

      Steps to Reproduce:

      1. Install compliance operator using index image: registry-proxy.engineering.redhat.com/rh-osbs/iib:421196
      # oc get csv
      NAME                          DISPLAY               VERSION   REPLACES   PHASE
      compliance-operator.v0.1.60   Compliance Operator   0.1.60               Succeeded
      # oc get pods
      NAME                                              READY   STATUS    RESTARTS      AGE
      compliance-operator-796cf58b9c-vx5jm              1/1     Running   1 (19h ago)   19h
      ocp4-openshift-compliance-pp-588f7498d7-2ksn4     1/1     Running   0             19h
      rhcos4-openshift-compliance-pp-6684c8b559-wsxgm   1/1     Running   0             19h
      # oc get prof
      NAME                AGE
      ocp4-cis            19h
      ocp4-cis-node       19h
      ocp4-pci-dss        19h
      ocp4-pci-dss-node   19h
      
      2. create a tailored profile:
      # oc apply -f -<<EOF
      > apiVersion: compliance.openshift.io/v1alpha1
      > kind: TailoredProfile
      > metadata:
      >   name: testprofile
      >   namespace: openshift-compliance
      > spec:
      >   description: test
      >   title: test
      >   enableRules:
      >     - name: ocp4-kubelet-anonymous-auth
      >       rationale: test
      >     - name: ocp4-kubelet-authorization-mode
      >       rationale: test
      >     - name: ocp4-kubelet-configure-client-ca
      >       rationale: test
      >     - name: ocp4-kubelet-configure-event-creation
      >       rationale: test
      >     - name: ocp4-kubelet-configure-tls-cipher-suites
      >       rationale: test
      >     - name: ocp4-kubelet-enable-cert-rotation
      >       rationale: test
      >     - name: ocp4-kubelet-enable-iptables-util-chains
      >       rationale: test
      >     - name: ocp4-kubelet-enable-server-cert-rotation
      >       rationale: test
      >     - name: ocp4-kubelet-enable-streaming-connections
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-hard-imagefs-available
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-hard-memory-available
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-hard-nodefs-available
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-soft-imagefs-available
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-soft-memory-available
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-soft-nodefs-available
      >       rationale: test
      >     - name: ocp4-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree
      >       rationale: test
      >   setValues:
      >     - name: ocp4-var-streaming-connection-timeouts
      >       value: "5h0m0s"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionhard-imagefs-available
      >       value: "15%"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionhard-imagefs-inodesfree
      >       value: "5%"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionhard-memory-available
      >       value: "300Mi"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionhard-nodefs-available
      >       value: "10%"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionhard-nodefs-inodesfree
      >       value: "5%"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionsoft-imagefs-available
      >       value: "15%"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionsoft-imagefs-inodesfree
      >       value: "11%"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionsoft-memory-available
      >       value: "600Mi"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionsoft-nodefs-available
      >       value: "10%"
      >       rationale: test
      >     - name: ocp4-var-kubelet-evictionsoft-nodefs-inodesfree
      >       value: "5%"
      >       rationale: test
      >     - name: ocp4-var-kubelet-tls-cipher-suites-regex
      >       rationale: Node
      >       value: '^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)$'
      >     - name: ocp4-var-kubelet-tls-cipher-suites
      >       rationale: Platform
      >       value: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
      > EOF
      tailoredprofile.compliance.openshift.io/testprofile created
      
      3. create an SSB (ScanSettingBinding) with the tailored profile:
      # oc apply -f -<<EOF
      > apiVersion: compliance.openshift.io/v1alpha1
      > kind: ScanSettingBinding
      > metadata:
      >   name: my-ssb-r
      > profiles:
      >   - name: testprofile
      >     kind: TailoredProfile
      >     apiGroup: compliance.openshift.io/v1alpha1
      > settingsRef:
      >   name: default-auto-apply
      >   kind: ScanSetting
      >   apiGroup: compliance.openshift.io/v1alpha1
      > EOF
      scansettingbinding.compliance.openshift.io/my-ssb-r created
      
      # oc get suite -w
      NAME       PHASE     RESULT
      my-ssb-r   RUNNING   NOT-AVAILABLE
      my-ssb-r   AGGREGATING   NOT-AVAILABLE
      my-ssb-r   DONE          NON-COMPLIANT
      ^C
       

      Actual results:

      Check ComplianceCheckResult
      
      # oc get ccr
      NAME                                                                  STATUS   SEVERITY
      testprofile-kubelet-configure-event-creation                          PASS     medium
      testprofile-kubelet-eviction-thresholds-set-hard-imagefs-available    PASS     medium
      testprofile-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree   FAIL     medium
      testprofile-kubelet-eviction-thresholds-set-hard-memory-available     FAIL     medium
      testprofile-kubelet-eviction-thresholds-set-hard-nodefs-available     PASS     medium
      testprofile-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree    PASS     medium
      testprofile-kubelet-eviction-thresholds-set-soft-imagefs-available    FAIL     medium
      testprofile-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree   FAIL     medium
      testprofile-kubelet-eviction-thresholds-set-soft-memory-available     FAIL     medium
      testprofile-kubelet-eviction-thresholds-set-soft-nodefs-available     FAIL     medium
      testprofile-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree    FAIL     medium
      
      Following are the 8 missing CCR:
      testprofile-kubelet-anonymous-auth                                         medium
      testprofile-kubelet-authorization-mode                                     medium
      testprofile-kubelet-configure-client-ca                                    medium
      testprofile-kubelet-configure-tls-cipher-suites                            medium
      testprofile-kubelet-enable-cert-rotation                                   medium
      testprofile-kubelet-enable-iptables-util-chains                            medium
      testprofile-kubelet-enable-server-cert-rotation                            medium
      testprofile-kubelet-enable-streaming-connections                           medium 

      Expected results:

      ComplianceCheckResult should be available for all the rules specified in TailoredProfile
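      The check below is an added example written for this issue; it is not part of the report or of the Compliance Operator's own code. It compares the rules a TailoredProfile enables with the ComplianceCheckResults (CCRs) a scan actually produced and lists every rule with no result, which is exactly the gap shown in the actual-results section. It assumes the naming visible in this issue (the scan is named after the TailoredProfile and each CCR is "<scan>-<rule name without its ocp4-/rhcos4- bundle prefix>") and that a CCR carries its PASS/FAIL verdict in a top-level "status" field, as the `oc get ccr` STATUS column shows. The embedded sample data is constructed from the 19 rules and 11 results listed above.

```python
#!/usr/bin/env python3
"""List TailoredProfile rules that produced no ComplianceCheckResult (CCR).

Added example for OCPBUGS-6906, not Compliance Operator code. Assumed naming:
scan name == TailoredProfile name, CCR == "<scan>-<rule minus bundle prefix>",
e.g. rule ocp4-kubelet-anonymous-auth -> CCR testprofile-kubelet-anonymous-auth.
"""
import json
import sys

# Profile-bundle prefixes seen in the issue's `oc get prof` and pod listings.
BUNDLE_PREFIXES = ("ocp4-", "rhcos4-")


def expected_ccr_name(scan_name, rule_name):
    """CCR name a scan should emit for a rule (assumed naming, see module doc)."""
    short = rule_name
    for prefix in BUNDLE_PREFIXES:
        if rule_name.startswith(prefix):
            short = rule_name[len(prefix):]
            break
    return f"{scan_name}-{short}"


def missing_results(tailored_profile, ccr_list):
    """Return (rule, expected CCR name) for each enabled rule without a CCR.

    A non-empty result is the failure mode the issue describes: the suite
    reports DONE/NON-COMPLIANT, yet some requested checks were never evaluated.
    """
    scan_name = tailored_profile["metadata"]["name"]
    present = {item["metadata"]["name"] for item in ccr_list.get("items", [])}
    rules = [r["name"] for r in tailored_profile.get("spec", {}).get("enableRules", [])]
    gaps = []
    for rule in rules:
        ccr = expected_ccr_name(scan_name, rule)
        if ccr not in present:
            gaps.append((rule, ccr))
    return gaps


def status_counts(ccr_list):
    """Count CCRs by their top-level 'status' field (PASS, FAIL, ...)."""
    counts = {}
    for item in ccr_list.get("items", []):
        status = item.get("status", "UNKNOWN")
        counts[status] = counts.get(status, 0) + 1
    return counts


# --- constructed sample, reduced from the issue (not live cluster output) ---
_RULES = [
    "kubelet-anonymous-auth", "kubelet-authorization-mode",
    "kubelet-configure-client-ca", "kubelet-configure-event-creation",
    "kubelet-configure-tls-cipher-suites", "kubelet-enable-cert-rotation",
    "kubelet-enable-iptables-util-chains", "kubelet-enable-server-cert-rotation",
    "kubelet-enable-streaming-connections",
] + [
    f"kubelet-eviction-thresholds-set-{kind}-{res}"
    for kind in ("hard", "soft")
    for res in ("imagefs-available", "imagefs-inodesfree", "memory-available",
                "nodefs-available", "nodefs-inodesfree")
]
SAMPLE_TP = {  # shape of `oc get tailoredprofile testprofile -o json`, trimmed
    "metadata": {"name": "testprofile", "namespace": "openshift-compliance"},
    "spec": {"enableRules": [{"name": f"ocp4-{r}", "rationale": "test"} for r in _RULES]},
}
_PRESENT = {  # the 11 CCRs the scan produced and the verdict each reported
    "kubelet-configure-event-creation": "PASS",
    "kubelet-eviction-thresholds-set-hard-imagefs-available": "PASS",
    "kubelet-eviction-thresholds-set-hard-imagefs-inodesfree": "FAIL",
    "kubelet-eviction-thresholds-set-hard-memory-available": "FAIL",
    "kubelet-eviction-thresholds-set-hard-nodefs-available": "PASS",
    "kubelet-eviction-thresholds-set-hard-nodefs-inodesfree": "PASS",
    "kubelet-eviction-thresholds-set-soft-imagefs-available": "FAIL",
    "kubelet-eviction-thresholds-set-soft-imagefs-inodesfree": "FAIL",
    "kubelet-eviction-thresholds-set-soft-memory-available": "FAIL",
    "kubelet-eviction-thresholds-set-soft-nodefs-available": "FAIL",
    "kubelet-eviction-thresholds-set-soft-nodefs-inodesfree": "FAIL",
}
SAMPLE_CCRS = {  # shape of `oc get ccr -o json`, trimmed
    "items": [{"metadata": {"name": f"testprofile-{r}"}, "status": s, "severity": "medium"}
              for r, s in _PRESENT.items()]
}


def main(argv):
    """Usage: ccr_gap.py <tailoredprofile.json> <ccr-list.json>; no args runs the sample."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            tp = json.load(f)
        with open(argv[2]) as f:
            ccrs = json.load(f)
    else:
        tp, ccrs = SAMPLE_TP, SAMPLE_CCRS
    print("CCR status counts:", status_counts(ccrs))
    gaps = missing_results(tp, ccrs)
    for rule, ccr in gaps:
        print(f"MISSING {ccr}  (rule {rule})")
    return 1 if gaps else 0  # non-zero exit so a pipeline can flag the gap


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

      Run with no arguments to see the 8 gaps from the sample; against a cluster, feed it the output of `oc get tailoredprofile testprofile -n openshift-compliance -o json` and `oc get compliancecheckresult -n openshift-compliance -o json`. The non-zero exit status makes the check usable as a gate: a scan whose suite result is DONE but whose rule coverage is incomplete should not be treated as a trustworthy compliance report.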

      Additional info:

      Must gather logs: https://drive.google.com/file/d/1VD0x09eltT_zFkhEMKZAShU2iY9nKlth/view?usp=share_link

            People: Vincent Shen (wenshen@redhat.com), Varad Ahirwadkar (vahirwad), Xiaojie Yuan