Bug 1817304

Summary: [OCP V4.5] The `aggregator-pod` goes in CrashLoopBackOff status and reports "Could not create remediation objects: scan example-compliancescan has no role assignment" error
Product: OpenShift Container Platform
Reporter: Prashant Dhamdhere <pdhamdhe>
Component: Compliance Operator
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.5
CC: josorior, mrogers, nkinder, xtian
Target Milestone: ---
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: v0.1.10
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-27 15:56:40 UTC
Type: Bug

Comment 6 Prashant Dhamdhere 2020-07-27 12:07:00 UTC
Verified on 4.6.0-0.nightly-2020-07-25-091217

The `aggregator-pod` does not report any error now. The compliancescan performed successfully and 
it is able to create remediation objects.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-07-25-091217   True        False         7h20m   Cluster version is 4.6.0-0.nightly-2020-07-25-091217


$ oc get pods
NAME                                                         READY   STATUS      RESTARTS   AGE
aggregator-pod-worker-scan                                   0/1     Completed   0          2m39s
compliance-operator-6784f9b59c-6pkpt                         1/1     Running     0          5h11m
compliance-operator-6784f9b59c-fcrw6                         1/1     Running     0          5h11m
compliance-operator-6784f9b59c-j6lxg                         1/1     Running     0          5h11m
ocp4-pp-dcb8bc5b5-tdxg8                                      1/1     Running     0          5h10m
rhcos4-pp-58466496cf-wwnd6                                   1/1     Running     0          5h10m
worker-scan-ip-10-0-140-38.us-east-2.compute.internal-pod    0/2     Completed   0          5m39s
worker-scan-ip-10-0-162-121.us-east-2.compute.internal-pod   0/2     Completed   0          5m39s
worker-scan-ip-10-0-214-158.us-east-2.compute.internal-pod   0/2     Completed   0          5m39s

$ oc logs aggregator-pod-worker-scan -c log-collector |tail
{"level":"info","ts":1595851099.7756462,"logger":"cmd","msg":"Creating object","kind":"","name":"worker-scan-audit-rules-unsuccessful-file-modification-openat-o-creat"}
{"level":"info","ts":1595851099.8279018,"logger":"cmd","msg":"Getting ComplianceCheckResult","ComplianceCheckResult.Name":"worker-scan-audit-rules-privileged-commands-passwd","ComplianceCheckResult.Namespace":"openshift-compliance"}
{"level":"info","ts":1595851099.8746994,"logger":"cmd","msg":"Creating object","kind":"","name":"worker-scan-audit-rules-privileged-commands-passwd"}
{"level":"info","ts":1595851099.927724,"logger":"cmd","msg":"Getting ComplianceRemediation","ComplianceRemediation.Name":"worker-scan-audit-rules-privileged-commands-passwd","ComplianceRemediation.Namespace":"openshift-compliance"}
{"level":"info","ts":1595851099.933761,"logger":"cmd","msg":"Creating object","kind":"","name":"worker-scan-audit-rules-privileged-commands-passwd"}
{"level":"info","ts":1595851099.9426033,"logger":"cmd","msg":"Getting ComplianceCheckResult","ComplianceCheckResult.Name":"worker-scan-wireless-disable-in-bios","ComplianceCheckResult.Namespace":"openshift-compliance"}
{"level":"info","ts":1595851099.9757414,"logger":"cmd","msg":"Creating object","kind":"","name":"worker-scan-wireless-disable-in-bios"}
{"level":"info","ts":1595851100.0286891,"logger":"cmd","msg":"Getting ComplianceCheckResult","ComplianceCheckResult.Name":"worker-scan-configure-usbguard-auditbackend","ComplianceCheckResult.Namespace":"openshift-compliance"}
{"level":"info","ts":1595851100.0747726,"logger":"cmd","msg":"Creating object","kind":"","name":"worker-scan-configure-usbguard-auditbackend"}
{"level":"info","ts":1595851100.128469,"logger":"cmd","msg":"Annotating ConfigMaps"}

$ oc get compliancescan
NAME          PHASE   RESULT
worker-scan   DONE    NON-COMPLIANT

Comment 8 errata-xmlrpc 2020-10-27 15:56:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196