Bug 1371225

Summary: The Compliance policy does not actually annotate the Openshift image
Product: Red Hat CloudForms Management Engine
Reporter: Erez Freiberger <efreiber>
Component: SmartState Analysis
Assignee: Mooli Tayer <mtayer>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavel Zagalsky <pzagalsk>
Severity: high
Docs Contact:
Priority: high
Version: 5.7.0
CC: bazulay, cpelland, efreiber, fsimonce, jhardy, obarenbo, simaishi
Target Milestone: GA
Keywords: TestOnly
Target Release: 5.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: container
Fixed In Version: 5.8.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1410792
Environment:
Last Closed: 2017-06-12 17:24:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: Container Management
Target Upstream Version:
Bug Depends On: 1434833
Bug Blocks: 1410792

Description Erez Freiberger 2016-08-29 16:10:07 UTC
Description of problem:
The compliance policy is supposed to prevent running an image that fails its test by annotating this image in OpenShift, but this annotation never actually happens.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Scan a non-compliant image with the policy

Actual results:
No new annotation in OpenShift for that image

Expected results:
That specific image should be annotated with "images.openshift.io/deny-execution"

Additional info:

Comment 2 Federico Simoncelli 2016-08-31 09:28:15 UTC
This is currently blocked on upstream OpenShift issues:

 https://trello.com/c/HOWz6ejY
 https://github.com/kubernetes/kubernetes/issues/31621

Comment 3 Mooli Tayer 2016-12-25 13:37:32 UTC
This is now working due to parsing changes done in 12711. Code changes present in master, Darga and Euwe.

5.7.0 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1400615
Code change: https://github.com/ManageIQ/manageiq/pull/12711/files#diff-0324981fdb3019ce6d98f9c86d97f2bb
Code change Darga: https://github.com/ManageIQ/manageiq/pull/13142

Federico, I'm not sure how to handle this since it was already included in 5.7.0.
Change version? Move to modified?

Comment 4 Federico Simoncelli 2016-12-27 16:07:08 UTC
Mooli, we need a clone for the z-stream (request is already present). Keyword TestOnly so that we know it just requires QE (no patches attached).

Comment 5 Mooli Tayer 2017-01-05 11:58:46 UTC
Chris, I assume this bug needs to move to POST|MODIFIED now (TestOnly, no code changes) and only then we can get the clone?

Which one is it? (MOVING TO POST for now)

Comment 7 Erez Freiberger 2017-04-24 08:24:53 UTC
Pavel,
Run this on Openshift:
oc import-image registry.access.redhat.com/rhscl/s2i-base-rhel7 --confirm
Then refresh the ManageIQ provider to see this image there and scan it.

Currently this one is non-compliant, but this might change soon. You could visit registry.access.redhat.com and see all the images.
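
An added example, not part of the original bug thread or of ManageIQ's code: one way to confirm the expected result after the scan is to check the saved output of `oc get images -o json` for the "images.openshift.io/deny-execution" annotation. The JSON field layout, the value "true" marking a denied image, and the sample data are assumptions made for this sketch.

```python
import json
import sys

DENY_KEY = "images.openshift.io/deny-execution"  # annotation named in the bug report

# Constructed sample shaped like `oc get images -o json` output (assumed layout;
# digests and the registry.example.com references are placeholders).
SAMPLE = json.dumps({"kind": "ImageList", "items": [
    {"metadata": {"name": "sha256:aaaa-placeholder",
                  "annotations": {DENY_KEY: "true"}},
     "dockerImageReference":
         "registry.access.redhat.com/rhscl/s2i-base-rhel7@sha256:aaaa-placeholder"},
    {"metadata": {"name": "sha256:bbbb-placeholder", "annotations": None},
     "dockerImageReference": "registry.example.com/demo/app@sha256:bbbb-placeholder"},
    {"metadata": {"name": "sha256:cccc-placeholder",
                  "annotations": {DENY_KEY: "false"}},
     "dockerImageReference": "registry.example.com/demo/other@sha256:cccc-placeholder"},
]})


def deny_status(image_list_json, repo_substring=""):
    """Map each matching image reference to True if execution is denied."""
    status = {}
    for item in json.loads(image_list_json).get("items", []):
        ref = item.get("dockerImageReference", "")
        if repo_substring not in ref:
            continue
        # annotations can be absent or null on an image that was never annotated
        annotations = (item.get("metadata") or {}).get("annotations") or {}
        # assumption: only the string "true" counts as a deny marker
        status[ref] = str(annotations.get(DENY_KEY, "")).lower() == "true"
    return status


def unannotated(image_list_json, repo_substring=""):
    """Matching images without the deny annotation (the symptom in this bug)."""
    status = deny_status(image_list_json, repo_substring)
    return sorted(ref for ref, denied in status.items() if not denied)


if __name__ == "__main__":
    # Optional argument: path to a file holding `oc get images -o json` output.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ref, denied in deny_status(data).items():
        print(("DENIED  " if denied else "ALLOWED ") + ref)
```
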