Bug 1853585

Summary: [OCP V45] ComplianceSuite & ComplianceScan should report some result if the nodeSelector is not matching
Product: OpenShift Container Platform
Reporter: Prashant Dhamdhere <pdhamdhe>
Component: Compliance Operator
Assignee: Juan Antonio Osorio <josorior>
Status: CLOSED CURRENTRELEASE
QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: medium
Priority: medium
Version: 4.5
CC: josorior, mrogers, nkinder, xiyuan
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2020-09-21 09:02:32 UTC
Type: Bug

Description Prashant Dhamdhere 2020-07-03 08:50:17 UTC
Description of problem:

The ComplianceSuite and ComplianceScan status do not show any result in the RESULT 
field if the nodeSelector does not match any node label. However, after 
deploying the ComplianceSuite CR, it creates worker-scan and aggregator pods inside 
the openshift-compliance namespace. 

$ oc get compliancesuite 
NAME                      PHASE   RESULT 
example-compliancesuite   DONE     

$ oc get compliancescan 
NAME           PHASE   RESULT 
workers-scan   DONE     

$ oc get pods 
NAME                                   READY   STATUS      RESTARTS   AGE 
aggregator-pod-workers-scan            0/1     Completed   0          28s <<----
compliance-operator-6bcbf66d5b-6rdmj   1/1     Running     0          102m 
compliance-operator-6bcbf66d5b-gwxh5   1/1     Running     0          102m 
compliance-operator-6bcbf66d5b-qlrxn   1/1     Running     0          102m 
workers-scan-rs-67cdd66c7b-5dzgf       1/1     Running     0          28s  <<---

Version-Release number of selected component (if applicable):

4.5.0-0.nightly-2020-07-02-002923 

How reproducible:

Always

Steps to Reproduce:

1. Clone the compliance-operator git repo 
$ git clone https://github.com/openshift/compliance-operator.git 

2. Create 'openshift-compliance' namespace 
$ oc create -f compliance-operator/deploy/ns.yaml   

3. Switch to 'openshift-compliance' namespace 
$ oc project openshift-compliance 

4. Deploy CustomResourceDefinition. 
$ for f in compliance-operator/deploy/crds/*crd.yaml; do oc create -f "$f"; done 

5. Deploy compliance-operator. 
$ oc create -f compliance-operator/deploy/ 

6. Deploy a ComplianceSuite CR with a nodeSelector that does not match any node 
$ oc create -f - <<EOF 
apiVersion: compliance.openshift.io/v1alpha1 
kind: ComplianceSuite 
metadata: 
  name: example-compliancesuite 
spec: 
  autoApplyRemediations: false 
  schedule: "0 1 * * *" 
  scans: 
    - name: workers-scan 
      profile: xccdf_org.ssgproject.content_profile_ncp 
      content: ssg-rhcos4-ds.xml 
      contentImage: quay.io/complianceascode/ocp4:latest 
      debug: true 
      nodeSelector: 
        node-role.kubernetes.io/rhel: ""  # make sure this label does not match any node label 
EOF 

Actual results:

The ComplianceSuite & ComplianceScan do not show any scan result if the nodeSelector 
does not match; the RESULT field is shown empty.

$ oc describe compliancesuite example-compliancesuite 
Name:         example-compliancesuite 
Namespace:    openshift-compliance 
Labels:       <none> 
Annotations:  <none> 
API Version:  compliance.openshift.io/v1alpha1 
Kind:         ComplianceSuite 
..
...
  Self Link:         /apis/compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/compliancesuites/example-compliancesuite 
  UID:               2dc33471-6f3e-41d4-a268-6dc96e7e125f 
Spec: 
  Scans: 
    Content:        ssg-rhcos4-ds.xml 
    Content Image:  quay.io/complianceascode/ocp4:latest 
    Debug:          true 
    Name:           workers-scan 
    Node Selector: 
      node-role.kubernetes.io/rhel:   
    Profile:                         xccdf_org.ssgproject.content_profile_ncp 
    Raw Result Storage Rotation:     3 
    Raw Result Storage Size:         1Gi 
    Scan Tolerations: 
      Effect:    NoSchedule 
      Key:       node-role.kubernetes.io/master 
      Operator:  Exists 
  Schedule:      0 1 * * * 
Status: 
  Aggregated Phase:  DONE 
  Scan Statuses: 
    Name:   workers-scan 
    Phase:  DONE 
    Results Storage: 
      Name:       workers-scan 
      Namespace:  openshift-compliance 
Events:           <none> 

$ oc get compliancesuite 
NAME                      PHASE   RESULT 
example-compliancesuite   DONE     

$ oc get compliancescan 
NAME           PHASE   RESULT 
workers-scan   DONE     

Expected results:

The ComplianceSuite & ComplianceScan should show some result in the RESULT field if the 
nodeSelector does not match any node label, such as NOT-AVAILABLE or NOT-APPLICABLE. 

Additional info:

Comment 5 Prashant Dhamdhere 2020-08-27 06:38:58 UTC
This looks good now. The ComplianceSuite & ComplianceScan show the scan result as NOT-APPLICABLE
if the nodeSelector does not match any node label. 


Verified on: 
OCP 4.6.0-0.nightly-2020-08-27-005538
compliance-operator.v0.1.13


$ oc create -f - <<EOF 
> apiVersion: compliance.openshift.io/v1alpha1 
> kind: ComplianceSuite 
> metadata: 
>   name: example-compliancesuite 
> spec: 
>   autoApplyRemediations: false 
>   schedule: "0 1 * * *" 
>   scans: 
>     - name: workers-scan 
>       profile: xccdf_org.ssgproject.content_profile_ncp 
>       content: ssg-rhcos4-ds.xml 
>       contentImage: quay.io/complianceascode/ocp4:latest 
>       debug: true 
>       nodeSelector: 
>         node-role.kubernetes.io/rhel: ""
> EOF
compliancesuite.compliance.openshift.io/example-compliancesuite created

$ oc get pods -w
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-869646dd4f-5vq7z   1/1     Running   0          99m
ocp4-pp-7f89f556cc-zzmkj               1/1     Running   0          98m
rhcos4-pp-7c44999587-bckrn             1/1     Running   0          98m

$ oc get compliancesuite
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NOT-APPLICABLE


$ oc describe compliancesuite example-compliancesuite |grep -A14 "Status:"
Status:
  Error Message:  The suite result is not applicable, please check if you're using the correct platform
  Phase:          DONE
  Result:         NOT-APPLICABLE
  Scan Statuses:
    Name:    workers-scan
    Phase:   DONE
    Result:  NOT-APPLICABLE
    Results Storage:
Events:
  Type    Reason              Age   From       Message
  ----    ------              ----  ----       -------
  Normal  ResultAvailable     116s  suitectrl  ComplianceSuite's result is: NOT-APPLICABLE
  Normal  SuiteNotApplicable  116s  suitectrl  The suite result is not applicable, please check if you're using the correct platform


$ oc get compliancescan
NAME           PHASE   RESULT
workers-scan   DONE    NOT-APPLICABLE


$ oc describe compliancescan workers-scan |grep -A14 "Status:"
Status:
  Phase:   DONE
  Result:  NOT-APPLICABLE
  Results Storage:
Events:
  Type     Reason             Age    From      Message
  ----     ------             ----   ----      -------
  Warning  NoMatchingNodes    2m43s  scanctrl  No nodes matched the nodeSelector
  Normal   ResultAvailable    2m43s  scanctrl  ComplianceScan's result is: NOT-APPLICABLE
  Warning  ScanNotApplicable  2m43s  scanctrl  The scan result is not applicable, please check if you're using the correct platform or if the nodeSelector matches nodes.
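
Added example (not part of the bug report or the operator's code): a shell check that flags scans which reached DONE without evaluating any node, covering both the empty RESULT reported here and the NOT-APPLICABLE result shown after the fix, plus a pre-check that counts the nodes a nodeSelector label would match. The function names and the sample tables are constructed for illustration; the `masters-scan` and `rhel-scan` rows and the node list are assumptions, not output from this bug.

```shell
#!/bin/sh
# Added example: detect compliance scans that produced no real evaluation.

# flag_unevaluated: read `oc get compliancescan` table output on stdin and
# print the name of every scan whose PHASE is DONE but whose RESULT is empty
# (behaviour reported in this bug) or NOT-APPLICABLE (behaviour after the fix).
flag_unevaluated() {
    awk 'NR > 1 && $2 == "DONE" && ($3 == "" || $3 == "NOT-APPLICABLE") { print $1 }'
}

# count_matching_nodes KEY VALUE: read `oc get nodes --show-labels --no-headers`
# output on stdin and print how many nodes carry exactly the label KEY=VALUE.
# The labels are the last, comma-separated column of each row.
count_matching_nodes() {
    awk -v want="$1=$2" '
        {
            n = split($NF, labels, ",")
            for (i = 1; i <= n; i++)
                if (labels[i] == want) { hits++; break }
        }
        END { print hits + 0 }'
}

# Constructed sample: one scan with an empty RESULT, one NOT-APPLICABLE,
# and one that actually evaluated nodes.
SAMPLE_SCANS='NAME           PHASE   RESULT
workers-scan   DONE    
rhel-scan      DONE    NOT-APPLICABLE
masters-scan   DONE    COMPLIANT'

# Constructed sample of node rows: no node has the "rhel" role label.
SAMPLE_NODES='worker-0   Ready   worker   3h   v1.18.3   kubernetes.io/os=linux,node-role.kubernetes.io/worker=
master-0   Ready   master   3h   v1.18.3   kubernetes.io/os=linux,node-role.kubernetes.io/master='

# Demo run on the constructed samples.
echo "Scans that evaluated no nodes:"
printf '%s\n' "$SAMPLE_SCANS" | flag_unevaluated
echo "Nodes matching node-role.kubernetes.io/rhel=:"
printf '%s\n' "$SAMPLE_NODES" | count_matching_nodes 'node-role.kubernetes.io/rhel' ''
```

On a live cluster the same functions can be fed from `oc get compliancescan` and `oc get nodes --show-labels --no-headers`; a zero count before creating the suite means the scan will cover no nodes.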