Bug
Resolution: Done
Minor
4.12.z
Description of problem:
On a cluster with Windows nodes, some rules still FAIL after auto-remediation is applied because the Windows nodes are not skipped.
Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2023-02-04-034821 + compliance-operator.v0.1.60-3
How reproducible:
Always
Steps to Reproduce:
- Install the compliance operator on a cluster with Windows nodes
- $ oc compliance bind -N my-ssb-r -S default-auto-apply profile/ocp4-high profile/ocp4-high-node
- After several rounds of rescans, check the ccr status once all auto-remediations have been applied
Actual results:
Some rules still FAIL after the auto-remediation is applied. This may be because the Windows nodes are not skipped.

$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
NAME                                                                STATUS   SEVERITY
ocp4-high-kubelet-configure-tls-cipher-suites                       FAIL     medium
ocp4-high-kubelet-configure-tls-min-version                         FAIL     medium
ocp4-high-kubelet-enable-streaming-connections                      FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-hard-imagefs-available    FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree   FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-hard-memory-available     FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-hard-nodefs-available     FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree    FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-soft-imagefs-available    FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree   FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-soft-memory-available     FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-soft-nodefs-available     FAIL     medium
ocp4-high-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree    FAIL     medium

##### For rule ocp4-kubelet-configure-tls-min-version

$ oc get ccr ocp4-high-kubelet-configure-tls-min-version -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsMinVersion'; done
The output shows the configured TLS minimum version which should be TLSv1.2 or newer.

$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsMinVersion'; done
null
null
"VersionTLS12"
"VersionTLS12"
"VersionTLS12"
"VersionTLS12"
"VersionTLS12"
"VersionTLS12"

(The two null entries are the Windows nodes; the six VersionTLS12 entries are the remediated Linux nodes.)

##### For rule ocp4-kubelet-enable-streaming-connections

$ oc get ccr ocp4-high-kubelet-enable-streaming-connections -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
The output should return .

$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
"streamingConnectionIdleTimeout": "4h0m0s",
"streamingConnectionIdleTimeout": "4h0m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",
"streamingConnectionIdleTimeout": "5m0s",

(Again the first two lines, with the 4h0m0s timeout, come from the Windows nodes; the remediated Linux nodes report 5m0s.)
Expected results:
The Windows nodes should be skipped. The rules should PASS after the remediation is applied.
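The following is an added example, not code from the bug report or from the compliance operator. It models the two kubelet checks quoted above over constructed configz documents for eight nodes (two Windows, six Linux, matching the eight result lines in the report) and shows why the rule result flips from FAIL to PASS once nodes are selected by the standard kubernetes.io/os label. The node names, the configz contents and the five-minute idle-timeout threshold are assumptions for illustration; the report itself only shows that remediated Linux nodes report VersionTLS12 and 5m0s.

```python
"""Added example: evaluate the kubelet TLS-min-version and streaming-idle-timeout
checks per node, with and without skipping non-Linux nodes."""
import json
import re

# Constructed stand-in for `oc get nodes -o json` (names and labels only).
# Two Windows worker nodes plus six Linux nodes; names are assumptions.
NODES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "win-a", "labels": {"kubernetes.io/os": "windows"}}},
        {"metadata": {"name": "win-b", "labels": {"kubernetes.io/os": "windows"}}},
    ] + [
        {"metadata": {"name": f"linux-{i}", "labels": {"kubernetes.io/os": "linux"}}}
        for i in range(6)
    ]
})

# Constructed stand-in for each node's /api/v1/nodes/<name>/proxy/configz response.
# The Windows kubelets report no tlsMinVersion and a 4h idle timeout, the
# remediated Linux kubelets report TLS 1.2 and 5m, as in the report's output.
CONFIGZ = {
    "win-a": {"kubeletconfig": {"streamingConnectionIdleTimeout": "4h0m0s"}},
    "win-b": {"kubeletconfig": {"streamingConnectionIdleTimeout": "4h0m0s"}},
    **{
        f"linux-{i}": {"kubeletconfig": {"tlsMinVersion": "VersionTLS12",
                                         "streamingConnectionIdleTimeout": "5m0s"}}
        for i in range(6)
    },
}

ACCEPTED_TLS = {"VersionTLS12", "VersionTLS13"}
MAX_IDLE_SECONDS = 5 * 60  # assumed threshold for this example


def node_names(nodes_json, skip_windows):
    """Names of the nodes to check. With skip_windows=True only nodes whose
    kubernetes.io/os label is 'linux' are kept, which is what a label selector
    of kubernetes.io/os=linux on the node listing would do."""
    names = []
    for item in json.loads(nodes_json)["items"]:
        os_label = item["metadata"].get("labels", {}).get("kubernetes.io/os")
        if skip_windows and os_label != "linux":
            continue
        names.append(item["metadata"]["name"])
    return names


_DUR = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_UNIT = {"h": 3600, "m": 60, "s": 1}


def go_duration_seconds(text):
    """Parse a Go-style duration such as '4h0m0s' or '5m0s' into seconds."""
    parts = _DUR.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(float(n) * _UNIT[u] for n, u in parts)


def tls_min_version_ok(configz):
    # A missing tlsMinVersion (the Windows nodes' null) is a failure.
    return configz["kubeletconfig"].get("tlsMinVersion") in ACCEPTED_TLS


def streaming_idle_timeout_ok(configz):
    value = configz["kubeletconfig"].get("streamingConnectionIdleTimeout")
    return value is not None and go_duration_seconds(value) <= MAX_IDLE_SECONDS


def evaluate(nodes_json, configz_by_node, skip_windows):
    """Return {rule: (status, failing_nodes)}. As with the ccr status, a rule
    PASSes only if every checked node passes."""
    checks = {
        "kubelet-configure-tls-min-version": tls_min_version_ok,
        "kubelet-enable-streaming-connections": streaming_idle_timeout_ok,
    }
    results = {}
    for rule, check in checks.items():
        failing = [n for n in node_names(nodes_json, skip_windows)
                   if not check(configz_by_node[n])]
        results[rule] = ("PASS" if not failing else "FAIL", failing)
    return results


if __name__ == "__main__":
    for skip in (False, True):
        print(f"skip_windows={skip}")
        for rule, (status, failing) in evaluate(NODES_JSON, CONFIGZ, skip).items():
            print(f"  {rule}: {status} {failing}")
```

Running it prints FAIL with the two Windows nodes listed for both rules when they are included, and PASS for both once they are skipped. The equivalent change on a live cluster is to list only Linux nodes in the instruction loop, for example `oc get nodes -l kubernetes.io/os=linux -ojsonpath='{.items[*].metadata.name}'`, so that the Windows kubelets' null tlsMinVersion and 4h idle timeout are not counted against the rule.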
Additional info: