Bug 1964243

| Summary: | The `oc compliance fetch-raw` doesn’t work for disconnected cluster | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | xiyuan |
| Component: | oc-compliance | Assignee: | Juan Antonio Osorio <josorior> |
| Status: | CLOSED ERRATA | QA Contact: | xiyuan |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.8 | CC: | jhrozek, mrogers, pdhamdhe |
| Target Milestone: | --- | | |
| Target Release: | 4.8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-07-07 11:29:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Verified with oc-compliance build https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1627531 with payload 4.8.0-0.nightly-2021-06-10-224448

1. extract to get the oc-compliance binary.

```
# mkdir oc-compliance
# oc image extract registry-proxy.engineering.redhat.com/rh-osbs/openshift-oc-compliance@sha256:07d6c4ab7388584f13e7d207349d948327de7c235173f2c5dded56d7d41d1390 --path /:oc-compliance
W0611 20:35:46.486903   11354 manifest.go:440] Chose linux/amd64 manifest from the manifest list.
# cp ./oc-compliance/bin/oc-compliance ~/func/
```

2. Test with oc-compliance

```
# cd ~/func
$ oc project openshift-compliance
Now using project "openshift-compliance" on server "https://api.xiyuan111.qe.devcluster.openshift.com:6443".
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-2wc52   compliance-operator.v0.1.33   Automatic   true
$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.33   Compliance Operator   0.1.33               Succeeded

##bind
./oc-compliance bind -N mybinding profile/ocp4-cis profile/ocp4-cis-node
Creating ScanSettingBinding mybinding
$ oc get suite -w
NAME        PHASE         RESULT
mybinding   RUNNING       NOT-AVAILABLE
mybinding   RUNNING       NOT-AVAILABLE
mybinding   RUNNING       NOT-AVAILABLE
mybinding   AGGREGATING   NOT-AVAILABLE
mybinding   AGGREGATING   NOT-AVAILABLE
mybinding   AGGREGATING   NOT-AVAILABLE
mybinding   DONE          NON-COMPLIANT
mybinding   DONE          NON-COMPLIANT

##fetch-raw
$ ./oc-compliance fetch-raw scansettingbindings mybinding -o ./test1
Fetching results for mybinding scans: ocp4-cis, ocp4-cis-node-worker, ocp4-cis-node-master
Fetching raw compliance results for scan 'ocp4-cis'................
The raw compliance results are avaliable in the following directory: test1/ocp4-cis
Fetching raw compliance results for scan 'ocp4-cis-node-worker'...........
The raw compliance results are avaliable in the following directory: test1/ocp4-cis-node-worker
Fetching raw compliance results for scan 'ocp4-cis-node-master'...............
The raw compliance results are avaliable in the following directory: test1/ocp4-cis-node-master
$ bunzip2 -c ./test1/ocp4-cis/ocp4-cis-api-checks-pod.xml.bzip2 > ./test1/ocp4-cis/ocp4-cis-api-checks-pod.xml
$ cat ./test1/ocp4-cis/ocp4-cis-api-checks-pod.xml | head
<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:core="http://scap.nist.gov/schema/reporting-core/1.1" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1">
  <core:relationships xmlns:arfvocab="http://scap.nist.gov/specifications/arf/vocabulary/relationships/1.0#">
    <core:relationship type="arfvocab:createdFor" subject="xccdf1">
      <core:ref>collection1</core:ref>
    </core:relationship>
    <core:relationship type="arfvocab:isAbout" subject="xccdf1">
      <core:ref>asset0</core:ref>
    </core:relationship>
  </core:relationships>

##controls
$ ./oc-compliance controls profile ocp4-cis | head
+-------------+----------+
|  FRAMEWORK  | CONTROLS |
+-------------+----------+
| CIS-OCP     | 1.2.1    |
+             +----------+
|             | 1.2.10   |
+             +----------+
|             | 1.2.11   |
+             +----------+

##fetch-fixes
$ mkdir cis
$ ./oc-compliance fetch-fixes profile ocp4-cis -o cis
No fixes to persist for rule 'ocp4-accounts-restrict-service-account-tokens'
No fixes to persist for rule 'ocp4-accounts-unique-service-account'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-alwaysadmit'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-alwayspullimages'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-namespacelifecycle'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-noderestriction'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-scc'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-securitycontextdeny'
No fixes to persist for rule 'ocp4-api-server-admission-control-plugin-serviceaccount'
No fixes to persist for rule 'ocp4-api-server-anonymous-auth'
No fixes to persist for rule 'ocp4-api-server-api-priority-flowschema-catch-all'
No fixes to persist for rule 'ocp4-api-server-api-priority-gate-enabled'
No fixes to persist for rule 'ocp4-api-server-api-priority-v1alpha1-flowschema-catch-all'
No fixes to persist for rule 'ocp4-api-server-audit-log-maxbackup'
Persisted rule fix to cis/ocp4-api-server-audit-log-maxsize.yaml
No fixes to persist for rule 'ocp4-api-server-audit-log-path'
No fixes to persist for rule 'ocp4-api-server-auth-mode-no-aa'
No fixes to persist for rule 'ocp4-api-server-auth-mode-node'
No fixes to persist for rule 'ocp4-api-server-auth-mode-rbac'
No fixes to persist for rule 'ocp4-api-server-basic-auth'
No fixes to persist for rule 'ocp4-api-server-bind-address'
No fixes to persist for rule 'ocp4-api-server-client-ca'
Persisted rule fix to cis/ocp4-api-server-encryption-provider-cipher.yaml
Persisted rule fix to cis/ocp4-api-server-encryption-provider-config.yaml

##rerun-now
$ ./oc-compliance rerun-now compliancescan ocp4-cis
Re-running scan 'openshift-compliance/ocp4-cis'
$ oc get compliancesuite
NAME        PHASE     RESULT
mybinding   RUNNING   NOT-AVAILABLE
$ oc get scans -w
NAME                   PHASE         RESULT
ocp4-cis               RUNNING       NOT-AVAILABLE
ocp4-cis-node-master   DONE          NON-COMPLIANT
ocp4-cis-node-worker   DONE          NON-COMPLIANT
ocp4-cis               AGGREGATING   NOT-AVAILABLE
ocp4-cis               DONE          NON-COMPLIANT

##view-result
$ oc get compliancecheckresults | head
NAME                                                               STATUS   SEVERITY
ocp4-cis-accounts-restrict-service-account-tokens                  MANUAL   medium
ocp4-cis-accounts-unique-service-account                           MANUAL   medium
ocp4-cis-api-server-admission-control-plugin-alwaysadmit           PASS     medium
ocp4-cis-api-server-admission-control-plugin-alwayspullimages      PASS     high
ocp4-cis-api-server-admission-control-plugin-namespacelifecycle    PASS     medium
ocp4-cis-api-server-admission-control-plugin-noderestriction       PASS     medium
ocp4-cis-api-server-admission-control-plugin-scc                   PASS     medium
ocp4-cis-api-server-admission-control-plugin-securitycontextdeny   PASS     medium
ocp4-cis-api-server-admission-control-plugin-serviceaccount        PASS     medium
$ ./oc-compliance view-result ocp4-cis-accounts-restrict-service-account-tokens
+----------------------+---------------------------------------------------+
|         KEY          |                       VALUE                       |
+----------------------+---------------------------------------------------+
| Title                | Restrict Automounting of                          |
|                      | Service Account Tokens                            |
+----------------------+---------------------------------------------------+
| Status               | MANUAL                                            |
+----------------------+---------------------------------------------------+
| Severity             | medium                                            |
+----------------------+---------------------------------------------------+
| Description          | Service accounts tokens                           |
|                      | should not be mounted in pods                     |
|                      | except where the workload                         |
|                      | running in the pod explicitly                     |
|                      | needs to communicate with                         |
|                      | the API server. To ensure                         |
|                      | pods do not automatically                         |
|                      | mount tokens, set                                 |
|                      | automountServiceAccountToken                      |
|                      | to false.                                         |
+----------------------+---------------------------------------------------+
| Rationale            | Mounting service account                          |
|                      | tokens inside pods can provide                    |
|                      | an avenue for privilege                           |
|                      | escalation attacks where an                       |
|                      | attacker is able to compromise                    |
|                      | a single pod in the cluster.                      |
+----------------------+---------------------------------------------------+
| Instructions         | For each pod in the cluster,                      |
|                      | review the pod specification                      |
|                      | and                                               |
|                      |                                                   |
|                      | ensure that pods that do not                      |
|                      | need to explicitly communicate                    |
|                      | with                                              |
|                      |                                                   |
|                      | the API server have                               |
|                      | automountServiceAccountToken                      |
|                      |                                                   |
|                      | configured to false.                              |
+----------------------+---------------------------------------------------+
| CIS-OCP Controls     | 5.1.6                                             |
+----------------------+---------------------------------------------------+
| NIST-800-53 Controls | CM-6, CM-6(1)                                     |
+----------------------+---------------------------------------------------+
| Available Fix        | No                                                |
+----------------------+---------------------------------------------------+
| Result Object Name   | ocp4-cis-accounts-restrict-service-account-tokens |
+----------------------+---------------------------------------------------+
| Rule Object Name     | ocp4-accounts-restrict-service-account-tokens     |
+----------------------+---------------------------------------------------+
| Remediation Created  | No                                                |
+----------------------+---------------------------------------------------+
```

Wrong info in https://bugzilla.redhat.com/show_bug.cgi?id=1964243#c2

Verified again with oc-compliance build https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1636982 with payload 4.8.0-rc.0

Verification pass.

1. extract to get the oc-compliance binary.

```
# mkdir oc-compliance
$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/openshift-oc-compliance@sha256:8bc020fd665463759409dfbd17ad78771c4f161a2ebd2640b70eab8bbf4246b5 --path /:oc-compliance
W0617 16:58:47.362673   21646 manifest.go:442] Chose linux/amd64 manifest from the manifest list.
# cp ./oc-compliance/bin/oc-compliance ~/func/
```

2. Test with oc-compliance

```
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-48mzw   compliance-operator.v0.1.35   Automatic   true
$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.35   Compliance Operator   0.1.35               Succeeded
# oc image mirror registry.access.redhat.com/ubi8/ubi:latest=jliu-eus46.mirror-registry.qe.gcp.devcluster.openshift.com:5000/ubi8/ubi:latest --insecure --skip-verification --filter-by-os='.*' --keep-manifest-list=true -a mirror_docker.conf
jliu-eus46.mirror-registry.qe.gcp.devcluster.openshift.com:5000/
  ubi8/ubi
  stats: shared=0 unique=12 size=322.1MiB ratio=1.00

phase 0:
  jliu-eus46.mirror-registry.qe.gcp.devcluster.openshift.com:5000 ubi8/ubi blobs=12 mounts=0 manifests=6 shared=0

info: Planning completed in 9.12s
info: Mirroring completed in 1m17.73s (4.346MB/s)
$ oc get ssb
NAME       AGE
my-ssb-r   4h21m
$ oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT
$ oc get scan
NAME                   PHASE   RESULT
ocp4-cis               DONE    NON-COMPLIANT
ocp4-cis-node-master   DONE    NON-COMPLIANT
$ ./oc-compliance fetch-raw --help
'fetch-raw' fetches the raw results for a scan or set of scans.

This command allows you to download archives of the raw (ARF) results from a ComplianceScan, ComplianceSuite, or ScanSettingBinding to a specified directory.

Usage:
  oc-compliance fetch-raw {compliancescan | compliancesuite | scansettingbindings} <resource-name> -o <output path> [flags]

Examples:
  # Fetch from compliancescan named "myscan" into /tmp
  oc compliance fetch-raw compliancescan myscan -o /tmp

  # Fetch from compliancesuite named "mysuite" into /tmp
  oc compliance fetch-raw compliancesuite mysuite -o /tmp

  # Fetch from scansettingbinding named "mybinding" into /tmp
  oc compliance fetch-raw scansettingbindings mybinding -o /tmp

Flags:
      --as string                      Username to impersonate for the operation
      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --cache-dir string               Default cache directory (default "/home/xiyuan/.kube/cache")
      --certificate-authority string   Path to a cert file for the certificate authority
      --client-certificate string      Path to a client certificate file for TLS
      --client-key string              Path to a client key file for TLS
      --cluster string                 The name of the kubeconfig cluster to use
      --context string                 The name of the kubeconfig context to use
  -h, --help                           help for fetch-raw
      --html                           Whether to render the raw results to HTML (Requires the 'oscap' command)
  -i, --image string                   The container image to use to fetch the raw results from the compliance scan. Must contain the cp and tar commands. (default "registry.access.redhat.com/ubi8/ubi:latest")
      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string              Path to the kubeconfig file to use for CLI requests.
  -n, --namespace string               If present, the namespace scope for this CLI request
  -o, --output string                  The path where you want to persist the raw results to (default ".")
      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
  -s, --server string                  The address and port of the Kubernetes API server
      --tls-server-name string         Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
      --token string                   Bearer token for authentication to the API server
      --user string                    The name of the kubeconfig user to use
$ mkdir tmp
$ ./oc-compliance fetch-raw scansettingbindings my-ssb-r -i jliu-eus46.mirror-registry.qe.gcp.devcluster.openshift.com:5000/ubi8/ubi:latest -o tmp
Fetching results for my-ssb-r scans: ocp4-cis, ocp4-cis-node-master
Fetching raw compliance results for scan 'ocp4-cis'.
The raw compliance results are avaliable in the following directory: tmp/ocp4-cis
Fetching raw compliance results for scan 'ocp4-cis-node-master'.......
The raw compliance results are avaliable in the following directory: tmp/ocp4-cis-node-master
$ ls -ltr tmp/ocp4-cis/
total 164
-rw-r--r--. 1 xiyuan group1 166837 Jun 17 18:12 ocp4-cis-api-checks-pod.xml.bzip2
$ bunzip2 -c tmp/ocp4-cis/ocp4-cis-api-checks-pod.xml.bzip2 > tmp/ocp4-cis/ocp4-cis-api-checks-pod.xml
$ cat tmp/ocp4-cis/ocp4-cis-api-checks-pod.xml | head
<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:core="http://scap.nist.gov/schema/reporting-core/1.1" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1">
  <core:relationships xmlns:arfvocab="http://scap.nist.gov/specifications/arf/vocabulary/relationships/1.0#">
    <core:relationship type="arfvocab:createdFor" subject="xccdf1">
      <core:ref>collection1</core:ref>
    </core:relationship>
    <core:relationship type="arfvocab:isAbout" subject="xccdf1">
      <core:ref>asset0</core:ref>
    </core:relationship>
  </core:relationships>
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Initial release of the oc-compliance plug-in), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:2489

Description of problem: The `oc compliance fetch-raw` doesn’t work for disconnected cluster Version-Release number of selected component (if applicable): 4.8.0-0.nightly-2021-05-21-233425+compliance-operator.v0.1.32 How reproducible: Always Steps to Reproduce: Install compliance operator for disconnected cluster Create a scansettingbinding: oc create -f -<<EOF apiVersion: compliance.openshift.io/v1alpha1 kind: ScanSettingBinding metadata: name: my-ssb-r profiles: - name: ocp4-cis kind: Profile apiGroup: compliance.openshift.io/v1alpha1 - name: ocp4-cis-node kind: Profile apiGroup: compliance.openshift.io/v1alpha1 settingsRef: name: default kind: ScanSetting apiGroup: compliance.openshift.io/v1alpha1 EOF Mirror the image used by `oc compliance fetch-raw` command: # oc image mirror registry.access.redhat.com/ubi8/ubi:latest=xiyuan244.mirror-registry.qe.azure.devcluster.openshift.com:5000/ubi8/ubi:latest --insecure --skip-verification --filter-by-os='.*' --keep-manifest-list=true -a .dockerconfigjson # cat <<EOF | oc apply -f - > apiVersion: operator.openshift.io/v1alpha1 > kind: ImageContentSourcePolicy > metadata: > name: co-ubi > spec: > repositoryDigestMirrors: > - mirrors: > - registry.access.redhat.com/ubi8/ubi:latest > source: xiyuan244.mirror-registry.qe.azure.devcluster.openshift.com:5000/ubi8/ubi:latest > EOF imagecontentsourcepolicy.operator.openshift.io/co-ubi created Try to fetch raw result with `oc compliance fetch-raw` command: Actual results: The raw result could not be fetched with `oc compliance fetch-raw` command. 
It returned error “ The extractor pod wasn't ready before the timeout” # oc compliance fetch-raw scansettingbinding my-ssb-r -o tmp/ Fetching results for my-ssb-r scans: ocp4-cis, ocp4-cis-node-worker, ocp4-cis-node-master Fetching raw compliance results for scan 'ocp4-cis'.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... Error: Unable to process results from suite my-ssb-r: The extractor pod wasn't ready before the timeout Expected results: The raw result could be fetched with `oc compliance fetch-raw` command. 
Additional information: If patched the image manually for each raw-result-extractor pod, the raw result could be fetched successfully # oc get pod -w NAME READY STATUS RESTARTS AGE compliance-operator-96fd56c96-smk4s 1/1 Running 0 5m51s ocp4-openshift-compliance-pp-5cc745cd98-dlhgx 1/1 Running 0 5m55s raw-result-extractor-jcwpd 0/1 ContainerCreating 0 24s rhcos4-openshift-compliance-pp-6db6c6bf94-lc48z 1/1 Running 0 5m52s raw-result-extractor-jcwpd 0/1 ErrImagePull 0 80s # oc patch pod raw-result-extractor-jcwpd -p '{"spec":{"containers":[{"name":"pv-extract-pod","image":"xiyuan244.mirror-registry.qe.azure.devcluster.openshift.com:5000/ubi8/ubi:latest"}]}}' pod/raw-result-extractor-jcwpd patched # oc get pod -w NAME READY STATUS RESTARTS AGE compliance-operator-96fd56c96-smk4s 1/1 Running 0 12m ocp4-openshift-compliance-pp-5cc745cd98-dlhgx 1/1 Running 0 12m raw-result-extractor-kn8fw 0/1 ContainerCreating 0 0s rhcos4-openshift-compliance-pp-6db6c6bf94-lc48z 1/1 Running 0 12m # oc get pod NAME READY STATUS RESTARTS AGE compliance-operator-96fd56c96-smk4s 1/1 Running 0 13m ocp4-openshift-compliance-pp-5cc745cd98-dlhgx 1/1 Running 0 13m raw-result-extractor-kn8fw 0/1 ContainerCreating 0 54s rhcos4-openshift-compliance-pp-6db6c6bf94-lc48z 1/1 Running 0 13m # oc patch pod raw-result-extractor-kn8fw -p '{"spec":{"containers":[{"name":"pv-extract-pod","image":"xiyuan244.mirror-registry.qe.azure.devcluster.openshift.com:5000/ubi8/ubi:latest"}]}}' pod/raw-result-extractor-kn8fw patched # oc get pod NAME READY STATUS RESTARTS AGE compliance-operator-96fd56c96-smk4s 1/1 Running 0 13m ocp4-openshift-compliance-pp-5cc745cd98-dlhgx 1/1 Running 0 13m raw-result-extractor-kn8fw 0/1 ContainerCreating 0 78s rhcos4-openshift-compliance-pp-6db6c6bf94-lc48z 1/1 Running 0 13m # oc get pod -w NAME READY STATUS RESTARTS AGE compliance-operator-96fd56c96-smk4s 1/1 Running 0 13m ocp4-openshift-compliance-pp-5cc745cd98-dlhgx 1/1 Running 0 13m raw-result-extractor-kn8fw 1/1 Running 0 86s 
rhcos4-openshift-compliance-pp-6db6c6bf94-lc48z 1/1 Running 0 13m raw-result-extractor-kn8fw 1/1 Terminating 0 87s raw-result-extractor-kn8fw 1/1 Terminating 0 87s raw-result-extractor-s2l8s 0/1 Pending 0 0s raw-result-extractor-s2l8s 0/1 Pending 0 0s raw-result-extractor-s2l8s 0/1 ContainerCreating 0 0s raw-result-extractor-s2l8s 0/1 ContainerCreating 0 0s raw-result-extractor-s2l8s 0/1 ContainerCreating 0 10s # oc patch pod raw-result-extractor-s2l8s -p '{"spec":{"containers":[{"name":"pv-extract-pod","image":"xiyuan244.mirror-registry.qe.azure.devcluster.openshift.com:5000/ubi8/ubi:last"}]}}' pod/raw-result-extractor-s2l8s patched # rm -rf tmp # mkdir tmp # oc compliance fetch-raw scansettingbinding my-ssb-r -o tmp/ Fetching results for my-ssb-r scans: ocp4-cis, ocp4-cis-node-worker, ocp4-cis-node-master Fetching raw compliance results for scan 'ocp4-cis'......................................................................................................................................................................................................... The raw compliance results are avaliable in the following directory: tmp/ocp4-cis Fetching raw compliance results for scan 'ocp4-cis-node-worker'......................................... The raw compliance results are avaliable in the following directory: tmp/ocp4-cis-node-worker Fetching raw compliance results for scan 'ocp4-cis-node-master'..................................... The raw compliance results are avaliable in the following directory: tmp/ocp4-cis-node-master
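
Once `fetch-raw` succeeds, the `.xml.bzip2` archives it writes can be summarized without `oscap`. The following is an added example, not code from this bug report or from the oc-compliance project: it decompresses one archive with a size cap and tallies the XCCDF rule results inside the ARF document. The embedded sample ARF, its rule results, the `xccdf_org.ssgproject.content_rule_` id prefix and the 256 MiB cap are constructed assumptions.

```python
import bz2
import sys
import xml.etree.ElementTree as ET
from collections import Counter

ARF_NS = "http://scap.nist.gov/schema/asset-reporting-format/1.1"  # as in the XML head above
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 results carried inside the ARF
MAX_XML_BYTES = 256 * 1024 * 1024  # assumed cap on the decompressed size
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def decompress_raw(raw, limit=MAX_XML_BYTES):
    """Return the ARF XML bytes; fetch-raw stores them bzip2-compressed."""
    if not raw.startswith(b"BZh"):  # no bzip2 magic: treat as already-plain XML
        return raw
    dec = bz2.BZ2Decompressor()
    # Ask for one byte more than the cap so an oversized archive is detectable.
    out = dec.decompress(raw, max_length=limit + 1)
    if len(out) > limit or not dec.eof:
        raise ValueError("archive is truncated or expands beyond the size cap")
    return out


def summarize_arf(raw):
    """Tally XCCDF rule results and list failed rules, most severe first."""
    root = ET.fromstring(decompress_raw(raw))
    if root.tag != f"{{{ARF_NS}}}asset-report-collection":
        raise ValueError("not an ARF asset-report-collection")
    counts, failed = Counter(), []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = (rr.findtext(f"{{{XCCDF_NS}}}result") or "unknown").strip()
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("severity", "unknown"), rr.get("idref", "")))
    failed.sort(key=lambda item: (SEVERITY_ORDER.get(item[0], 3), item[1]))
    return dict(counts), failed


def _rule(name, severity, result):
    """Build one constructed <rule-result> element for the sample document."""
    return (f'<rule-result idref="xccdf_org.ssgproject.content_rule_{name}" '
            f'severity="{severity}"><result>{result}</result></rule-result>')


# Constructed sample: rule names follow the check names shown in the comments
# above; the results and severities here are illustrative, not real scan output.
SAMPLE_ARF = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<arf:asset-report-collection xmlns:arf="{ARF_NS}"><arf:reports>'
    '<arf:report id="xccdf1"><arf:content>'
    f'<TestResult xmlns="{XCCDF_NS}" id="constructed-sample">'
    + _rule("api_server_admission_control_plugin_alwayspullimages", "high", "pass")
    + _rule("accounts_restrict_service_account_tokens", "medium", "notchecked")
    + _rule("api_server_audit_log_maxsize", "medium", "fail")
    + _rule("api_server_encryption_provider_cipher", "high", "fail")
    + '</TestResult></arf:content></arf:report></arf:reports>'
    '</arf:asset-report-collection>'
).encode("utf-8")


if __name__ == "__main__":
    # Usage: python arf_summary.py tmp/ocp4-cis/ocp4-cis-api-checks-pod.xml.bzip2
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = bz2.compress(SAMPLE_ARF)
    totals, failures = summarize_arf(data)
    print(totals)
    for severity, rule_id in failures:
        print(f"FAIL [{severity}] {rule_id}")
```
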