
Some rules FAIL after auto-remediation is applied because Windows nodes are not skipped


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Affects Version/s: 4.12.z
    • Component/s: Compliance Operator
    • Severity: Moderate

    Description

      Description of problem:

      On a cluster with Windows nodes, some rules FAIL after auto-remediation is applied because the Windows nodes are not skipped.

      Version-Release number of selected component (if applicable):

      4.12.0-0.nightly-2023-02-04-034821 + compliance-operator.v0.1.60-3

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install the Compliance Operator on a cluster with Windows nodes
      2. $ oc compliance bind -N my-ssb-r -S default-auto-apply profile/ocp4-high profile/ocp4-high-node
      3. After several rounds of rescan, check the ComplianceCheckResult (ccr) status once all auto-remediations have been applied

      Actual results:

       

      Some rules still FAIL after the auto-remediation is applied. This may be because the Windows nodes are not skipped.
      $ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
      NAME                                                                STATUS   SEVERITY
      ocp4-high-kubelet-configure-tls-cipher-suites                       FAIL     medium
      ocp4-high-kubelet-configure-tls-min-version                         FAIL     medium
      ocp4-high-kubelet-enable-streaming-connections                      FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-hard-imagefs-available    FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree   FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-hard-memory-available     FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-hard-nodefs-available     FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree    FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-soft-imagefs-available    FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree   FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-soft-memory-available     FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-soft-nodefs-available     FAIL     medium
      ocp4-high-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree    FAIL     medium

      ##### For rule ocp4-kubelet-configure-tls-min-version
      $ oc get ccr ocp4-high-kubelet-configure-tls-min-version -o=jsonpath={.instructions}
      Run the following command on the kubelet node(s):
      $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsMinVersion'; done
      The output shows the configured TLS minimum version which should be
      TLSv1.2 or newer.
      $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsMinVersion'; done
      null
      null
      "VersionTLS12"
      "VersionTLS12"
      "VersionTLS12"
      "VersionTLS12"
      "VersionTLS12"
      "VersionTLS12"

      ##### For rule ocp4-kubelet-enable-streaming-connections
      $ oc get ccr ocp4-high-kubelet-enable-streaming-connections -o=jsonpath={.instructions}
      Run the following command on the kubelet node(s):
      $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
      The output should return .
      $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
        "streamingConnectionIdleTimeout": "4h0m0s",
        "streamingConnectionIdleTimeout": "4h0m0s",
        "streamingConnectionIdleTimeout": "5m0s",
        "streamingConnectionIdleTimeout": "5m0s",
        "streamingConnectionIdleTimeout": "5m0s",
        "streamingConnectionIdleTimeout": "5m0s",
        "streamingConnectionIdleTimeout": "5m0s",
        "streamingConnectionIdleTimeout": "5m0s",
       
      

      Expected results:

      The Windows nodes should be skipped, and the rules should PASS after the remediation is applied.
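      The check behind this report, as an added example that is not part of the bug report or of the Compliance Operator's own code: it evaluates the two kubelet rules over constructed node and configz samples shaped like the output above, once over every node (reproducing the FAIL caused by the Windows kubelets' null tlsMinVersion and 4h timeout) and once with nodes labelled kubernetes.io/os=windows skipped. The node names and configz bodies are constructed, and the 5m0s expectation for streamingConnectionIdleTimeout is an assumption taken from the remediated Linux nodes.

```python
# Constructed sample of `oc get nodes -o json`, trimmed to the fields used here.
NODES = {"items": [
    {"metadata": {"name": "win-0", "labels": {"kubernetes.io/os": "windows"}}},
    {"metadata": {"name": "win-1", "labels": {"kubernetes.io/os": "windows"}}},
    {"metadata": {"name": "master-0", "labels": {"kubernetes.io/os": "linux"}}},
    {"metadata": {"name": "worker-0", "labels": {"kubernetes.io/os": "linux"}}},
]}
# Constructed per-node /api/v1/nodes/<name>/proxy/configz bodies, mirroring the
# report: Windows kubelets return no tlsMinVersion (null) and a 4h idle timeout.
CONFIGZ = {
    "win-0": {"kubeletconfig": {"streamingConnectionIdleTimeout": "4h0m0s"}},
    "win-1": {"kubeletconfig": {"streamingConnectionIdleTimeout": "4h0m0s"}},
    "master-0": {"kubeletconfig": {"tlsMinVersion": "VersionTLS12",
                                   "streamingConnectionIdleTimeout": "5m0s"}},
    "worker-0": {"kubeletconfig": {"tlsMinVersion": "VersionTLS12",
                                   "streamingConnectionIdleTimeout": "5m0s"}},
}

# Rule predicates over one node's kubeletconfig. TLS 1.2+ is what the rule states;
# the 5m0s timeout is an assumption taken from the remediated Linux nodes above.
RULES = {
    "kubelet-configure-tls-min-version":
        lambda cfg: cfg.get("tlsMinVersion") in ("VersionTLS12", "VersionTLS13"),
    "kubelet-enable-streaming-connections":
        lambda cfg: cfg.get("streamingConnectionIdleTimeout") == "5m0s",
}

def target_nodes(nodes, skip_windows):
    """Names of the nodes to evaluate; with skip_windows, honour kubernetes.io/os."""
    names = []
    for item in nodes["items"]:
        meta = item["metadata"]
        if skip_windows and meta.get("labels", {}).get("kubernetes.io/os") == "windows":
            continue
        names.append(meta["name"])
    return names

def evaluate(nodes, configz, skip_windows):
    """Map each rule to its status and failing nodes; any failing node fails the rule."""
    results = {}
    for rule, passes in RULES.items():
        failing = [n for n in target_nodes(nodes, skip_windows)
                   if not passes(configz[n]["kubeletconfig"])]
        results[rule] = {"status": "FAIL" if failing else "PASS", "failing": failing}
    return results

if __name__ == "__main__":
    for skip in (False, True):  # False reproduces the report, True is the expected behaviour
        print("skip_windows=%s -> %s" % (skip, evaluate(NODES, CONFIGZ, skip)))
```

      On a live cluster the same filter is a label selector on the node listing, e.g. `oc get nodes -l kubernetes.io/os=linux -ojsonpath='{.items[*].metadata.name}'` in place of the unfiltered loop above.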

      Additional info:

       

          People

            Assignee: Watson Sato (wsato@redhat.com)
            Reporter: Xiaojie Yuan (xiyuan@redhat.com)