Bug 1880411
| Summary: | [OCP v46] The ComplianceSuite reports scan result 'Error' when it deploys with TailoredProfile | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Prashant Dhamdhere <pdhamdhe> |
| Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Prashant Dhamdhere <pdhamdhe> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.6 | CC: | josorior, mrogers, xiyuan |
| Target Milestone: | --- | | |
| Target Release: | 4.6.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-10-27 16:42:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:

The ComplianceSuite reports scan result 'Error' when it deploys with TailoredProfile. However, the configmap shows the scan successfully completed on nodes with exit code 2, i.e. Non-Compliant.

```
$ oc get pods
NAME                                                     READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-e8-custom                            0/1     Completed   0          62s
compliance-operator-869646dd4f-xj5hj                     1/1     Running     0          11m
ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-25q65-pod   0/2     Completed   0          2m57s
ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-rj2wn-pod   0/2     Completed   0          2m58s
ocp4-pp-6786c5f5b-dfc6f                                  1/1     Running     0          10m
rhcos4-pp-78c8cc9d44-fj6ks                               1/1     Running     0          10m

$ oc get compliancesuite
NAME                           PHASE   RESULT
mixed-compliancesuite-ocp-e8   DONE    ERROR

$ oc describe compliancesuite mixed-compliancesuite-ocp-e8|grep "Error"
  Errormsg:  the ConfigMap 'ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-rj2wn-pod' annotation was missing the result key   <<------

$ oc get cm
NAME                                                     DATA   AGE
compliance-operator-lock                                 0      11m
ocp4-e8-custom-openscap-container-entrypoint             1      4m1s
ocp4-e8-custom-openscap-env-map                          6      4m
ocp4-e8-custom-openscap-env-map-platform                 4      4m
ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-25q65-pod   2      2m11s
ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-rj2wn-pod   2      2m15s
ocp4-e8-tp-tp                                            1      5m8s
tp-ocp4-e8-custom                                        1      3m53s

$ oc describe cm ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-25q65-pod|head -20
Name:         ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-25q65-pod
Namespace:    openshift-compliance
Labels:       compliance.openshift.io/scan-name=ocp4-e8-custom
              complianceoperator.openshift.io/scan-result=
Annotations:  compliance-remediations/processed:
              compliance.openshift.io/scan-error-msg:
              compliance.openshift.io/scan-result: NON-COMPLIANT   <<------
              openscap-scan-result/node: pdhamdhe-vsp1809-r8667-worker-25q65

Data
====
exit-code:
----
2   <<------
results:
----
<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_compliance.openshift.io_profile_ocp4-e8-tp" start-time="2020-09-18T10:15:47+00:00" end-time="2020-09-18T10:15:47+00:00" version="0.1.52" test-system="cpe:/a:redhat:openscap:1.3.3">
  <benchmark href="/content/ssg-rhcos4-ds.xml" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"/>
  <title>OSCAP Scan Result</title>
```

Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-09-16-000734

How reproducible:
Always

Steps to Reproduce:

1. Clone the compliance-operator git repo

```
$ git clone https://github.com/openshift/compliance-operator.git
```

2. Create the 'openshift-compliance' namespace

```
$ oc create -f compliance-operator/deploy/ns.yaml
```

3. Switch to the 'openshift-compliance' namespace

```
$ oc project openshift-compliance
```

4. Deploy the CustomResourceDefinitions.

```
$ for f in $(ls -1 compliance-operator/deploy/crds/*crd.yaml); do oc create -f $f; done
```

5. Deploy the compliance-operator.

```
$ oc create -f compliance-operator/deploy/
```

6. Create the tailoredprofile and check that the configmap generates.

```
$ oc create -f - <<EOF
kind: TailoredProfile
apiVersion: compliance.openshift.io/v1alpha1
metadata:
  name: ocp4-e8-tp
spec:
  extends: ocp4-e8
  title: |
    NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
    CoreOS customized for this deployment
  description: |
    This compliance profile reflects the core set of Moderate-Impact
    Baseline configuration settings for deployment of Red Hat
    Enterprise
    …
  enableRules:
    - name: ocp4-ocp-allowed-registries-for-import
      rationale: We really need to enable this
  disableRules:
    - name: ocp4-ocp-idp-no-htpasswd
      rationale: This doesn’t apply to my cluster
EOF
```

7. Generate a compliancesuite with the TailoredProfile

```
$ oc create -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  name: mixed-compliancesuite-ocp-e8
spec:
  scans:
    - content: ssg-rhcos4-ds.xml
      contentImage: quay.io/complianceascode/ocp4:latest
      debug: true
      name: ocp4-e8-custom
      nodeSelector:
        node-role.kubernetes.io/worker: ""
      profile: xccdf_compliance.openshift.io_profile_ocp4-e8-tp
      rawResultStorageRotation: 10
      rawResultStorageSize: 2Gi
      scanTolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
      scanType: Node
      tailoringConfigMap:
        name: ocp4-e8-tp-tp
EOF
```

8. Wait until the scan completes and then check the scan result

```
$ oc get pods -w
$ oc get compliancesuite
$ oc get compliancescan
```

Actual results:

The ComplianceSuite reports the scan result 'Error' with the following error message when it deploys with TailoredProfile

```
$ oc describe compliancesuite mixed-compliancesuite-ocp-e8|grep "Error"
  Errormsg:  the ConfigMap 'ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-rj2wn-pod' annotation was missing the result key
```

Expected results:

The ComplianceSuite should report the actual scan result instead of 'Error' when it deploys with TailoredProfile

Additional info:

Merged as https://github.com/openshift/compliance-operator/commit/94054e2c0318d85ee24b7b2086d768c344c23804

This looks good, and now the ComplianceSuite reports the proper scan result, i.e. NON-COMPLIANT, without an error.

Verified on:
4.6.0-0.nightly-2020-09-23-022756
Compliance Operator v0.1.17

```
$ oc get pods
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-869646dd4f-cfl8d   1/1     Running   0          17m
ocp4-pp-6786c5f5b-wxczd                1/1     Running   0          16m
rhcos4-pp-78c8cc9d44-gcbhc             1/1     Running   0          16m

$ oc create -f - <<EOF
> kind: TailoredProfile
> apiVersion: compliance.openshift.io/v1alpha1
> metadata:
>   name: ocp4-e8-tp
> spec:
>   extends: ocp4-e8
>   title: |
>     NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux
>     CoreOS customized for this deployment
>   description: |
>     This compliance profile reflects the core set of Moderate-Impact
>     Baseline configuration settings for deployment of Red Hat
>     Enterprise
>     …
>   enableRules:
>     - name: ocp4-ocp-allowed-registries-for-import
>       rationale: We really need to enable this
>   disableRules:
>     - name: ocp4-ocp-idp-no-htpasswd
>       rationale: This doesn’t apply to my cluster
> EOF
tailoredprofile.compliance.openshift.io/ocp4-e8-tp created

$ oc get TailoredProfile
NAME         STATE
ocp4-e8-tp   READY

$ oc create -f - <<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ComplianceSuite
> metadata:
>   name: mixed-compliancesuite-ocp-e8
> spec:
>   scans:
>     - content: ssg-rhcos4-ds.xml
>       contentImage: quay.io/complianceascode/ocp4:latest
>       debug: true
>       name: ocp4-e8-custom
>       nodeSelector:
>         node-role.kubernetes.io/worker: ""
>       profile: xccdf_compliance.openshift.io_profile_ocp4-e8-tp
>       rawResultStorageRotation: 10
>       rawResultStorageSize: 2Gi
>       scanTolerations:
>         - effect: NoSchedule
>           key: node-role.kubernetes.io/master
>           operator: Exists
>       scanType: Node
>       tailoringConfigMap:
>         name: ocp4-e8-tp-tp
> EOF
compliancesuite.compliance.openshift.io/mixed-compliancesuite-ocp-e8 created

$ oc get pods
NAME                                                  READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-e8-custom                         0/1     Completed   0          45s
compliance-operator-869646dd4f-cfl8d                  1/1     Running     0          20m
ocp4-e8-custom-pdhamdhe-2409-01-6vgjg-compute-0-pod   0/2     Completed   0          95s
ocp4-e8-custom-pdhamdhe-2409-01-6vgjg-compute-1-pod   0/2     Completed   0          95s
ocp4-pp-6786c5f5b-wxczd                               1/1     Running     0          20m
rhcos4-pp-78c8cc9d44-gcbhc                            1/1     Running     0          20m

$ oc get compliancesuite
NAME                           PHASE   RESULT
mixed-compliancesuite-ocp-e8   DONE    NON-COMPLIANT   <<------

$ oc get compliancescan
NAME             PHASE   RESULT
ocp4-e8-custom   DONE    NON-COMPLIANT

$ oc describe compliancesuite mixed-compliancesuite-ocp-e8|grep -A15 "Status:"
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT
  Scan Statuses:
    Name:    ocp4-e8-custom
    Phase:   DONE
    Result:  NON-COMPLIANT
    Results Storage:
      Name:       ocp4-e8-custom
      Namespace:  openshift-compliance
Events:
  Type    Reason           Age   From       Message
  ----    ------           ----  ----       -------
  Normal  ResultAvailable  3m3s  suitectrl  The result is: NON-COMPLIANT
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
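The description shows the two places a node scan pod records its outcome: the `compliance.openshift.io/scan-result` annotation and the `exit-code` key in the ConfigMap data, and the suite reported ERROR even though both said NON-COMPLIANT. The following Go snippet is an added, constructed illustration (not the compliance-operator's own code, and not the fix merged for this bug) of how an aggregator can derive a scan result from such a ConfigMap and only surface the "missing the result key" error when neither source is present. The `ScanConfigMap` type, `ScanResult` function and the sample values in `main` are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// ScanConfigMap is a constructed, hypothetical model of a node scan pod's
// ConfigMap (added example code, not a compliance-operator type).
type ScanConfigMap struct {
	Name        string
	Annotations map[string]string
	Data        map[string]string
}

const resultAnnotation = "compliance.openshift.io/scan-result"

// OpenSCAP exit codes as recorded under data["exit-code"]: 0 compliant,
// 2 non-compliant; any other value is treated as an error.
var resultByExitCode = map[string]string{"0": "COMPLIANT", "2": "NON-COMPLIANT"}

// ScanResult reads the annotation first and falls back to the exit code, so a pod
// that finished NON-COMPLIANT is not reported as ERROR just because one source is
// absent; only a ConfigMap with neither yields the error worded as in this bug.
func ScanResult(cm ScanConfigMap) (string, error) {
	if r := strings.TrimSpace(cm.Annotations[resultAnnotation]); r != "" {
		return r, nil
	}
	raw, ok := cm.Data["exit-code"]
	if !ok {
		return "ERROR", fmt.Errorf("the ConfigMap '%s' annotation was missing the result key", cm.Name)
	}
	if r, ok := resultByExitCode[strings.TrimSpace(raw)]; ok {
		return r, nil
	}
	return "ERROR", fmt.Errorf("the ConfigMap '%s' recorded exit-code %q", cm.Name, strings.TrimSpace(raw))
}

func main() {
	// Constructed sample mirroring the ConfigMap in the bug description.
	cm := ScanConfigMap{Name: "worker-25q65-pod", Data: map[string]string{"exit-code": "2\n"},
		Annotations: map[string]string{resultAnnotation: "NON-COMPLIANT"}}
	fmt.Println(ScanResult(cm)) // NON-COMPLIANT <nil>
}
```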