Bug 1791673
| Summary: | [OCP 4.4] The ComplianceSuite should show the result if the cluster is Compliant or Non-Compliant like as ComplianceScan. | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Prashant Dhamdhere <pdhamdhe> |
| Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Prashant Dhamdhere <pdhamdhe> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.5 | CC: | eparis, jhrozek, jialiu, jokerman, josorior, mrogers, nkinder, nstielau, scuppett, skuznets, sponnaga, wsun, xtian, xxia |
| Target Milestone: | --- | Keywords: | UpcomingSprint |
| Target Release: | 4.6.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | v0.1.9 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-27 15:54:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||

I believe this can be closed. With a current CO version, I see:

```
$ oc get compliancesuites
NAME                      PHASE   RESULT
workers-compliancesuite   DONE    NON-COMPLIANT
```

and in the full YAML output:

```
  status:
    aggregatedPhase: DONE
    aggregatedResult: NON-COMPLIANT
    scanStatuses:
    - name: workers-scan
      phase: DONE
      result: NON-COMPLIANT
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
```

Prashant, do you agree?

Hi Jakub,

Yes, the issue has been fixed and I can see the ComplianceSuite is showing the result in scan status.

Verified on: 4.5.0-0.nightly-2020-06-23-020504

```
$ oc get compliancesuites
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT

$ oc get compliancesuites -o yaml |grep -B 6 "result"
  status:
    aggregatedPhase: DONE
    aggregatedResult: NON-COMPLIANT
    scanStatuses:
    - name: workers-scan
      phase: DONE
      result: NON-COMPLIANT
```

Verified on: 4.5.0-0.nightly-2020-07-06-211538

```
$ oc get compliancesuites
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT

$ oc get compliancesuites -o yaml |grep -B 6 "result"
  status:
    aggregatedPhase: DONE
    aggregatedResult: NON-COMPLIANT
    scanStatuses:
    - name: workers-scan
      phase: DONE
      result: NON-COMPLIANT
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

Description of problem:

The ComplianceSuite should show the result in scan status if the OCP cluster is Compliant or Non-Compliant, as ComplianceScan does. Refer to the ComplianceScan output below, which shows the result in its status: the node is Non-Compliant.

```
$ oc describe compliancescan|grep -A 2 "Name:\|Status" |grep -v "Labels\|UID\|Resource"
Name: example-compliancescan
Namespace: openshift-compliance
--
Status:
Phase: DONE
Result: NON-COMPLIANT <<----
--
Name: masters-scan
Namespace: openshift-compliance
--
Name: example-compliancesuite
--
Status:
Phase: DONE
Result: NON-COMPLIANT <<----
--
Name: workers-scan
Namespace: openshift-compliance
--
Name: example-compliancesuite
--
Status:
Phase: DONE
Result: NON-COMPLIANT <<----
```

Version-Release number of selected component (if applicable):

4.4.0-0.nightly-2020-01-16-013633

How reproducible:

Always

Steps to Reproduce:

1. Clone the git repo.

   ```
   $ git clone https://github.com/openshift/compliance-operator.git
   ```

2. Deploy CustomResourceDefinition.

   ```
   $ for f in $(ls -1 compliance-operator/deploy/crds/*crd.yaml); do oc create -f $f; done
   ```

3. Deploy compliance-operator.

   ```
   $ oc create -f compliance-operator/deploy/
   ```

4. Switch to the openshift-compliance namespace.

   ```
   $ oc project openshift-compliance
   ```

5. Deploy CRs ComplianceRemediation, ComplianceSuite, ComplianceScan.

   ```
   $ for f in $(ls -1 compliance-operator/deploy/crds/*cr.yaml); do oc create -f $f; done
   ```

Actual results:

The ComplianceSuite is not showing the result in status if the cluster is Compliant or Non-Compliant, as ComplianceScan does.

```
$ oc describe compliancesuite
Name: example-compliancesuite
Namespace: openshift-compliance
Labels: <none>
Annotations: <none>
API Version: complianceoperator.compliance.openshift.io/v1alpha1
Kind: ComplianceSuite
Metadata:
  Creation Timestamp: 2020-01-16T06:10:46Z
  Generation: 1
  Resource Version: 33059
  Self Link: /apis/complianceoperator.compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/compliancesuites/example-compliancesuite
  UID: fb9990bf-da11-4653-b8de-589dd78b382d
Spec:
  Auto Apply Remediations: true
  Scans:
    Content: ssg-ocp4-ds.xml
    Content Image: quay.io/jhrozek/ocp4-openscap-content:remediation_demo
    Name: workers-scan
    Node Selector:
      node-role.kubernetes.io/worker:
    Profile: xccdf_org.ssgproject.content_profile_coreos-ncp
    Content: ssg-ocp4-ds.xml
    Content Image: quay.io/jhrozek/ocp4-openscap-content:remediation_demo
    Name: masters-scan
    Node Selector:
      node-role.kubernetes.io/master:
    Profile: xccdf_org.ssgproject.content_profile_coreos-ncp
Status:
  Remediation Overview:
    Apply: false
    Remediation Name: workers-scan-no-direct-root-logins
    Scan Name: workers-scan
    Type: MachineConfig
    Apply: false
    Remediation Name: workers-scan-no-empty-passwords
    Scan Name: workers-scan
    Type: MachineConfig
    Apply: false
    Remediation Name: masters-scan-no-direct-root-logins
    Scan Name: masters-scan
    Type: MachineConfig
    Apply: false
    Remediation Name: masters-scan-no-empty-passwords
    Scan Name: masters-scan
    Type: MachineConfig
  Scan Statuses:
    Name: workers-scan
    Phase: DONE
    Name: masters-scan
    Phase: DONE
Events: <none>
```

Expected results:

The ComplianceSuite should show the result in status if the cluster is Compliant or Non-Compliant, as ComplianceScan does.

Additional info:
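
An added example, not part of the bug report or the Compliance Operator code: a check an audit job could run over `oc get compliancesuites -o json` to flag both the gap this bug describes (a finished suite or scan with no result) and any result that is not compliant. The sample document, the suite name `old-operator-suite` and the passing value `COMPLIANT` are assumptions; the field names are the ones shown in the status output above.

```python
import json

# Constructed sample shaped like `oc get compliancesuites -o json`:
# one suite with the result fields present, one without them.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "example-compliancesuite"},
   "status": {"aggregatedPhase": "DONE", "aggregatedResult": "NON-COMPLIANT",
              "scanStatuses": [{"name": "workers-scan", "phase": "DONE",
                                "result": "NON-COMPLIANT"}]}},
  {"metadata": {"name": "old-operator-suite"},
   "status": {"scanStatuses": [{"name": "workers-scan", "phase": "DONE"},
                               {"name": "masters-scan", "phase": "DONE"}]}}
]}
""")


def audit_suites(doc):
    """Return {suite name: [findings]} for every suite that needs attention."""
    report = {}
    for item in doc.get("items", []):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        status = item.get("status") or {}
        scans = status.get("scanStatuses") or []
        findings = []
        # A finished scan with no result is the gap this bug describes.
        for scan in scans:
            if scan.get("phase") == "DONE" and not scan.get("result"):
                findings.append(f"scan {scan.get('name')}: DONE but no result")
            elif scan.get("result") and scan["result"] != "COMPLIANT":
                findings.append(f"scan {scan.get('name')}: {scan['result']}")
        all_done = bool(scans) and all(s.get("phase") == "DONE" for s in scans)
        aggregated = status.get("aggregatedResult")
        if not aggregated:
            # Treat a missing verdict as a finding, never as a pass.
            if all_done or status.get("aggregatedPhase") == "DONE":
                findings.append("suite: finished but no aggregatedResult")
        elif aggregated != "COMPLIANT":  # assumed passing value
            findings.append(f"suite: {aggregated}")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for suite, findings in audit_suites(SAMPLE).items():
        for finding in findings:
            print(f"{suite}: {finding}")
```
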