Bug 1880411
| Summary: | [OCP v46] The ComplianceSuite reports scan result 'Error' when it deploys with TailoredProfile | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Prashant Dhamdhere <pdhamdhe> |
| Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Prashant Dhamdhere <pdhamdhe> |
| Severity: | high | Priority: | high |
| Version: | 4.6 | CC: | josorior, mrogers, xiyuan |
| Target Release: | 4.6.0 | Doc Type: | If docs needed, set a value |
| Hardware: | Unspecified | OS: | Unspecified |
| Last Closed: | 2020-10-27 16:42:21 UTC | Type: | Bug |
Description
Prashant Dhamdhere
2020-09-18 13:11:01 UTC
Merged as https://github.com/openshift/compliance-operator/commit/94054e2c0318d85ee24b7b2086d768c344c23804

This looks good, and now the ComplianceSuite reports the proper scan result, i.e. NON-COMPLIANT, without an error.

Verified on:
4.6.0-0.nightly-2020-09-23-022756
Compliance Operator v0.1.17

```
$ oc get pods
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-869646dd4f-cfl8d   1/1     Running   0          17m
ocp4-pp-6786c5f5b-wxczd                1/1     Running   0          16m
rhcos4-pp-78c8cc9d44-gcbhc             1/1     Running   0          16m

$ oc create -f - <<EOF
> kind: TailoredProfile
> apiVersion: compliance.openshift.io/v1alpha1
> metadata:
>   name: ocp4-e8-tp
> spec:
>   extends: ocp4-e8
>   title: |
>     NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
>     CoreOS customized for this deployment
>   description: |
>     This compliance profile reflects the core set of Moderate-Impact
>     Baseline configuration settings for deployment of Red Hat
>     Enterprise
>     …
>   enableRules:
>     - name: ocp4-ocp-allowed-registries-for-import
>       rationale: We really need to enable this
>   disableRules:
>     - name: ocp4-ocp-idp-no-htpasswd
>       rationale: This doesn’t apply to my cluster
> EOF
tailoredprofile.compliance.openshift.io/ocp4-e8-tp created

$ oc get TailoredProfile
NAME         STATE
ocp4-e8-tp   READY

$ oc create -f - <<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ComplianceSuite
> metadata:
>   name: mixed-compliancesuite-ocp-e8
> spec:
>   scans:
>     - content: ssg-rhcos4-ds.xml
>       contentImage: quay.io/complianceascode/ocp4:latest
>       debug: true
>       name: ocp4-e8-custom
>       nodeSelector:
>         node-role.kubernetes.io/worker: ""
>       profile: xccdf_compliance.openshift.io_profile_ocp4-e8-tp
>       rawResultStorageRotation: 10
>       rawResultStorageSize: 2Gi
>       scanTolerations:
>         - effect: NoSchedule
>           key: node-role.kubernetes.io/master
>           operator: Exists
>       scanType: Node
>       tailoringConfigMap:
>         name: ocp4-e8-tp-tp
> EOF
compliancesuite.compliance.openshift.io/mixed-compliancesuite-ocp-e8 created

$ oc get pods
NAME                                                  READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-e8-custom                         0/1     Completed   0          45s
compliance-operator-869646dd4f-cfl8d                  1/1     Running     0          20m
ocp4-e8-custom-pdhamdhe-2409-01-6vgjg-compute-0-pod   0/2     Completed   0          95s
ocp4-e8-custom-pdhamdhe-2409-01-6vgjg-compute-1-pod   0/2     Completed   0          95s
ocp4-pp-6786c5f5b-wxczd                               1/1     Running     0          20m
rhcos4-pp-78c8cc9d44-gcbhc                            1/1     Running     0          20m

$ oc get compliancesuite
NAME                           PHASE   RESULT
mixed-compliancesuite-ocp-e8   DONE    NON-COMPLIANT   <<------

$ oc get compliancescan
NAME             PHASE   RESULT
ocp4-e8-custom   DONE    NON-COMPLIANT

$ oc describe compliancesuite mixed-compliancesuite-ocp-e8|grep -A15 "Status:"
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT
  Scan Statuses:
    Name:    ocp4-e8-custom
    Phase:   DONE
    Result:  NON-COMPLIANT
    Results Storage:
      Name:       ocp4-e8-custom
      Namespace:  openshift-compliance
Events:
  Type    Reason           Age   From       Message
  ----    ------           ----  ----       -------
  Normal  ResultAvailable  3m3s  suitectrl  The result is: NON-COMPLIANT
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196