
Bug 1902251

Summary: The compliancesuite object returns error with ocp4-cis tailored profile
Product: OpenShift Container Platform
Reporter: xiyuan
Component: Compliance Operator
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Prashant Dhamdhere <pdhamdhe>
Severity: medium
Priority: medium
Version: 4.6
CC: jhrozek, josorior, mrogers, nkinder, pdhamdhe, xiyuan
Keywords: UpcomingSprint
Target Release: 4.6.z
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of: 1902249
Last Closed: 2021-01-19 13:53:52 UTC
Bug Depends On: 1902249

Description xiyuan 2020-11-27 13:40:41 UTC
+++ This bug was initially created as a clone of Bug #1902249 +++

Description of Problem:
The compliancesuite object returns result as Error with ocp4-cis tailored profile

Version-Release number of selected component (if applicable):
4.6.5-x86_64

How Reproducible:
Always

Steps to Reproduce:
1. install compliance operator
2. create tailoredprofile from ocp4-cis:
$ oc create -f - <<EOF
kind: TailoredProfile
apiVersion: compliance.openshift.io/v1alpha1
metadata:
  name: ocp4-cis-custom
spec:
  extends: ocp4-cis
  title: CIS node custom
  description: |
    This profile defines a baseline that aligns to the Center for Internet Security®
    Red Hat OpenShift Container Platform 4 Benchmark
  enableRules:
    - name: ocp4-scc-limit-root-containers
      rationale: We really need to enable this
    - name: ocp4-scheduler-no-bind-address
      rationale: We really need to enable this
  disableRules:
    - name: ocp4-api-server-encryption-provider-cipher
      rationale: This doesn’t apply to my cluster
    - name: ocp4-scc-drop-container-capabilities
      rationale: This doesn’t apply to my cluster
EOF
3. create scansetting:
oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: myss
# Suite-specific settings
autoApplyRemediations: true
schedule: "0 1 * * *"
# Scan-specific settings
rawResultStorage:
  size: "2Gi"
  rotation: 5
# For each role, a separate scan will be created pointing
# to a node-role specified in roles
roles:
  - master
EOF
4. Generate a compliancesuite through a new ScanSetting CR:

$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-companys-compliance-requirements
profiles:
  # Node checks
  - name: ocp4-cis-custom
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
  # Cluster checks
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: myss
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF

Actual Results:
The compliancesuite returns an error due to "No profile matching suffix "xccdf_compliance.openshift.io_profile_ocp4-cis-custom" was found."
$ oc get compliancesuite
NAME                                  PHASE   RESULT
my-companys-compliance-requirements   DONE    ERROR
$ oc describe compliancesuite my-companys-compliance-requirements | tail
    Name:         ocp4-cis-node-master
    Phase:        DONE
    Result:       COMPLIANT
    Results Storage:
      Name:       ocp4-cis-node-master
      Namespace:  openshift-compliance
Events:
  Type    Reason           Age                From       Message
  ----    ------           ----               ----       -------
  Normal  ResultAvailable  51m (x2 over 51m)  suitectrl  The result is: ERROR


$ oc get scansettingbindings.compliance.openshift.io 
...
Status:
  Phase:   DONE
  Result:  ERROR
  Scan Statuses:
    Errormsg:  No profile matching suffix "xccdf_compliance.openshift.io_profile_ocp4-cis-custom" was found. Get available profiles using:
$ oscap info "/content/ssg-ocp4-ds.xml"

    Name:    ocp4-cis-custom
    Phase:   DONE
    Result:  ERROR
    Results Storage:
      Name:       ocp4-cis-custom
      Namespace:  openshift-compliance
    Name:         ocp4-cis-node-master
    Phase:        DONE
    Result:       COMPLIANT
    Results Storage:
      Name:       ocp4-cis-node-master
      Namespace:  openshift-compliance
Events:
  Type    Reason           Age                From       Message
  ----    ------           ----               ----       -------
  Normal  ResultAvailable  51m (x2 over 51m)  suitectrl  The result is: ERROR


Expected Results:
The compliancesuite object should report a relevant result, either COMPLIANT or NON-COMPLIANT.

Additional info:
This should be due to ocp4-cis being targeted for a platform scan.
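
The triage step the report walks through by hand (find the scan inside the ComplianceSuite that ended in ERROR and read its Errormsg) as an added example; this is not Compliance Operator code. It assumes the suite's JSON status carries the fields shown in the `oc describe` output above as `status.scanStatuses[].name/phase/result/errormsg`, and it embeds a constructed suite object shaped like the failing one in this bug so it runs offline.

```python
"""Report Compliance Operator scans that produced no verdict (added example)."""
import json
import re
import subprocess
import sys

# Error text quoted in this bug: the scanner could not find the XCCDF profile
# id that the operator derives from the TailoredProfile name.
MISSING_PROFILE = re.compile(r'No profile matching suffix "([^"]+)" was found')


def xccdf_profile_id(profile_name):
    """XCCDF profile id the error message shows for a (Tailored)Profile name."""
    return "xccdf_compliance.openshift.io_profile_" + profile_name


def suite_failures(suite):
    """Return [(scan_name, result, explanation)] for scans without a verdict."""
    failures = []
    for scan in suite.get("status", {}).get("scanStatuses", []):
        result = scan.get("result", "NOT-AVAILABLE")
        if result in ("COMPLIANT", "NON-COMPLIANT"):
            continue  # a real verdict; nothing to triage
        msg = scan.get("errormsg", "")
        match = MISSING_PROFILE.search(msg)
        if match:
            # The case from this bug: check the TailoredProfile is READY and that
            # its base profile suits the scan type (ocp4-cis is a platform profile).
            explanation = ("profile %s is not in the content datastream; "
                           "verify the TailoredProfile and its base profile" % match.group(1))
        else:
            explanation = msg or "no errormsg recorded"
        failures.append((scan["name"], result, explanation))
    return failures


def fetch_suite(name, namespace="openshift-compliance"):
    """Live lookup with oc; only used when run as a script with a suite name."""
    out = subprocess.check_output(
        ["oc", "get", "compliancesuite", name, "-n", namespace, "-o", "json"])
    return json.loads(out)


# Constructed sample mirroring the failing suite in this report.
SAMPLE_SUITE = {"status": {"phase": "DONE", "result": "ERROR", "scanStatuses": [
    {"name": "ocp4-cis-custom", "phase": "DONE", "result": "ERROR",
     "errormsg": 'No profile matching suffix "xccdf_compliance.openshift.io_profile_'
                 'ocp4-cis-custom" was found. Get available profiles using:\n'
                 '$ oscap info "/content/ssg-ocp4-ds.xml"'},
    {"name": "ocp4-cis-node-master", "phase": "DONE", "result": "COMPLIANT"}]}}

if __name__ == "__main__":
    suite = fetch_suite(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SUITE
    for name, result, why in suite_failures(suite):
        print("%s: %s: %s" % (name, result, why))
```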

Comment 1 Jakub Hrozek 2020-12-03 13:45:38 UTC
The fixes were merged as part of https://github.com/openshift/compliance-operator/pull/519

Comment 4 xiyuan 2020-12-07 13:57:51 UTC
Verified with 4.6.0-0.nightly-2020-12-06-095114 and compliance-operator.v0.1.22
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-12-06-095114   True        False         6h2m    Cluster version is 4.6.0-0.nightly-2020-12-06-095114
$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.22   Compliance Operator   0.1.22               Succeeded
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-6nldd   compliance-operator.v0.1.22   Automatic   true

$ oc create -f - <<EOF
> kind: TailoredProfile
> apiVersion: compliance.openshift.io/v1alpha1
> metadata:
>   name: ocp4-cis-custom
> spec:
>   extends: ocp4-cis
>   title: CIS node custom
>   description: |
>     This profile defines a baseline that aligns to the Center for Internet Security®
>     Red Hat OpenShift Container Platform 4 Benchmark
>   enableRules:
>     - name: ocp4-scc-limit-root-containers
>       rationale: We really need to enable this
>     - name: ocp4-scheduler-no-bind-address
>       rationale: We really need to enable this
>   disableRules:
>     - name: ocp4-api-server-encryption-provider-cipher
>       rationale: This doesn’t apply to my cluster
>     - name: ocp4-scc-drop-container-capabilities
>       rationale: This doesn’t apply to my cluster
> EOF
tailoredprofile.compliance.openshift.io/ocp4-cis-custom created
$ oc get tailoredprofiles
NAME              STATE
ocp4-cis-custom   READY

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSetting
> metadata:
>   name: myss
> # Suite-specific settings
> autoApplyRemediations: true
> schedule: "0 1 * * *"
> # Scan-specific settings
> rawResultStorage:
>   size: "2Gi"
>   rotation: 5
> # For each role, a separate scan will be created pointing
> # to a node-role specified in roles
> roles:
>   - master
> EOF
scansetting.compliance.openshift.io/myss created

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-companys-compliance-requirements
> profiles:
>   # Node checks
>   - name: ocp4-cis-custom
>     kind: TailoredProfile
>     apiGroup: compliance.openshift.io/v1alpha1
>   # Cluster checks
>   - name: ocp4-cis-node
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: myss
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-companys-compliance-requirements created

$ oc get compliancesuite
NAME                                  PHASE     RESULT
my-companys-compliance-requirements   RUNNING   NOT-AVAILABLE
$ oc get compliancesuite -w
NAME                                  PHASE     RESULT
my-companys-compliance-requirements   RUNNING   NOT-AVAILABLE
my-companys-compliance-requirements   RUNNING   NOT-AVAILABLE
my-companys-compliance-requirements   AGGREGATING   NOT-AVAILABLE
my-companys-compliance-requirements   AGGREGATING   NOT-AVAILABLE
my-companys-compliance-requirements   DONE          NON-COMPLIANT
$ oc describe compliancesuite my-companys-compliance-requirements | tail
    Name:         ocp4-cis-node-master
    Phase:        DONE
    Result:       NON-COMPLIANT
    Results Storage:
      Name:       ocp4-cis-node-master
      Namespace:  openshift-compliance
Events:
  Type    Reason           Age                  From       Message
  ----    ------           ----                 ----       -------
  Normal  ResultAvailable  114s (x2 over 114s)  suitectrl  The result is: NON-COMPLIANT

$ oc get scansettingbindings.compliance.openshift.io  | tail
NAME                                  AGE
my-companys-compliance-requirements   3m14s

Comment 8 errata-xmlrpc 2021-01-19 13:53:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0190