-
Bug
-
Resolution: Done
-
Minor
-
None
-
4.12.z
-
None
Description of problem:
On a cluster with windows nodes, some rules will FAIL after auto remediation applied as the windows nodes not skipped
Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2023-02-04-034821 + compliance-operator.v0.1.60-3
How reproducible:
Always
Steps to Reproduce:
- Install compliance operator on a cluster with windows nodes
- $ oc compliance bind -N my-ssb-r -S default-auto-apply profile/ocp4-high profile/ocp4-high-node
- After several rounds of rescan, check the ccr status after all autoremediations applied
Actual results:
Some rules still failed after the auto-remediation applied. It may due to the windows nodes not skipped.
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
NAME STATUS SEVERITY
ocp4-high-kubelet-configure-tls-cipher-suites FAIL medium
ocp4-high-kubelet-configure-tls-min-version FAIL medium
ocp4-high-kubelet-enable-streaming-connections FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-hard-imagefs-available FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-hard-memory-available FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-hard-nodefs-available FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-soft-imagefs-available FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-soft-memory-available FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-soft-nodefs-available FAIL medium
ocp4-high-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree FAIL medium
#####For rule ocp4-kubelet-configure-tls-min-version
$ oc get ccr ocp4-high-kubelet-configure-tls-min-version -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsMinVersion'; done
The output shows the configured TLS minimum version which should be
TLSv1.2 or newer.[xiyuan@MiWiFi-RA69-srv win]$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsMinVersion'; done
null
null
"VersionTLS12"
"VersionTLS12"
"VersionTLS12"
"VersionTLS12"
"VersionTLS12"
"VersionTLS12"
######For rule ocp4-kubelet-enable-streaming-connections
$ oc get ccr ocp4-high-kubelet-enable-streaming-connections -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
The output should return .
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
"streamingConnectionIdleTimeout": "4h0m0s",
"streamingConnectionIdleTimeout": "4h0m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",
Expected results:
The windows nodes should be skipped. The rules should PASS after remediation applied
Additional info:
- links to
(1 links to)