Bug 2003170
| Summary: | Instruction in compliancecheckresults ocp4-cis-configure-network-policies-namespaces is wrong | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Matt <mtcolman> |
| Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Prashant Dhamdhere <pdhamdhe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.7 | CC: | josorior, mrogers, xiyuan |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-11-10 07:37:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Just a quick note: the JQ filter is used in both instructions and in the actual rule OVAL check[1] and stored in the rule definition[2] as a variable, so I'm not sure just amending the filter would work or if it would break the rule itself. If this is tripping users up, we can hard-code the instructions in the rule definition, but just saying that it's not a matter of amending the filter blindly.

[1] https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies_namespaces/oval/shared.xml
[2] https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies_namespaces/rule.yml

[Bug_Verification]

Looks good. The instruction has an updated JSON query which reports a list of all the non-control-plane namespaces.
Verified on:
4.9.0-0.nightly-2021-10-22-102153 + compliance-operator.v0.1.44
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.9.0-0.nightly-2021-10-22-102153 True False 4h29m Cluster version is 4.9.0-0.nightly-2021-10-22-102153
$ oc get csv
NAME DISPLAY VERSION REPLACES PHASE
compliance-operator.v0.1.44 Compliance Operator 0.1.44 Succeeded
elasticsearch-operator.5.2.3-5 OpenShift Elasticsearch Operator 5.2.3-5 Succeeded
$ oc get rules ocp4-configure-network-policies-namespaces -ojsonpath={.instructions}
Verify that the every non-control plane namespace has an appropriate
NetworkPolicy.
To get all the non-control plane namespaces, you can do the
following command oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
To get all the non-control plane namespaces with a NetworkPolicy, you can do the
following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
Make sure that the namespaces displayed in the commands of the commands match.
$ oc create ns ocp-32456
namespace/ocp-32456 created
$ oc create ns bz2003170
namespace/bz2003170 created
$ oc create ns test1
namespace/test1 created
$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: moderate-test
> profiles:
> - apiGroup: compliance.openshift.io/v1alpha1
>   kind: Profile
>   name: ocp4-moderate
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF
scansettingbinding.compliance.openshift.io/moderate-test created
$ oc get pods
NAME READY STATUS RESTARTS AGE
aggregator-pod-ocp4-moderate 0/1 Completed 0 44s
compliance-operator-59d44fb857-4d67g 1/1 Running 1 (18m ago) 19m
ocp4-moderate-api-checks-pod 0/2 Completed 0 94s
ocp4-openshift-compliance-pp-789f969db-9bk7v 1/1 Running 0 18m
rhcos4-openshift-compliance-pp-7f88cf4598-qrts9 1/1 Running 0 18m
$ oc get suite
NAME PHASE RESULT
moderate-test DONE NON-COMPLIANT
$ oc get checkresult ocp4-moderate-configure-network-policies-namespaces -o=jsonpath={.instructions}
Verify that the every non-control plane namespace has an appropriate
NetworkPolicy.
To get all the non-control plane namespaces, you can do the
following command oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
To get all the non-control plane namespaces with a NetworkPolicy, you can do the
following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
Make sure that the namespaces displayed in the commands of the commands match.
$ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
[
"bz2003170",
"ocp-32456",
"test1"
]
$ oc create -f - <<EOF
> kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: allow-same-namespace
>   namespace: test1
> spec:
>   podSelector:
>   ingress:
>   - from:
>     - podSelector: {}
> EOF
networkpolicy.networking.k8s.io/allow-same-namespace created
$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
[
"test1"
]
$ oc delete NetworkPolicy allow-same-namespace -ntest1
networkpolicy.networking.k8s.io "allow-same-namespace" deleted
$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
[]
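The verification above runs the two jq commands by hand and compares their output by eye. The following is an added example, not code from this bug report or from the Compliance Operator: it re-implements the same two filters in Python so the comparison the instruction asks for can be run offline on captured JSON (the sample namespace and NetworkPolicy lists below are constructed to mirror the verification run) and, with the assumed `--cluster` flag, live via `oc get ... -o json`. One detail worth seeing side by side: the second command in the rule text applies the `startswith("openshift")` / `startswith("kube-")` / `"default"` tests to `.metadata.name` of each NetworkPolicy (the policy's own name) and then collects `.metadata.namespace`, so the example carries that literal transcription next to a variant that tests the namespace the policy lives in, which is the set the comparison actually needs. The function names and the `--cluster` flag are this example's own, not the operator's.

```python
# Added example: not code from the bug report or from the Compliance Operator.
# It re-implements the two jq filters from the rule's instructions so the
# "make sure the namespaces match" step can be computed rather than eyeballed.
import json
import subprocess
import sys


def is_control_plane(name):
    # Same predicate as the jq select() in the rule text:
    # startswith("openshift"), startswith("kube-"), or exactly "default".
    return name.startswith("openshift") or name.startswith("kube-") or name == "default"


def user_namespaces(namespace_list):
    # Equivalent of the corrected first command:
    #   oc get namespaces -o json | jq '[.items[] | select(...) | .metadata.name]'
    return sorted(
        item["metadata"]["name"]
        for item in namespace_list["items"]
        if not is_control_plane(item["metadata"]["name"])
    )


def policy_namespaces_as_in_rule(policy_list):
    # Literal transcription of the second command in the rule text: the prefix
    # tests are applied to .metadata.name (the *policy* name), then
    # .metadata.namespace is collected and deduplicated (jq 'unique').
    return sorted({
        item["metadata"]["namespace"]
        for item in policy_list["items"]
        if not is_control_plane(item["metadata"]["name"])
    })


def policy_namespaces(policy_list):
    # Variant that tests the namespace the policy lives in: a policy named
    # "allow-all" in openshift-ingress must not count as a user namespace.
    return sorted({
        item["metadata"]["namespace"]
        for item in policy_list["items"]
        if not is_control_plane(item["metadata"]["namespace"])
    })


def namespaces_missing_policy(namespace_list, policy_list):
    # User namespaces with no NetworkPolicy at all: the rule's failure set.
    covered = set(policy_namespaces(policy_list))
    return [ns for ns in user_namespaces(namespace_list) if ns not in covered]


def _ns(name):
    return {"metadata": {"name": name}}


def _np(namespace, name):
    return {"metadata": {"name": name, "namespace": namespace}}


# Constructed sample data modelled on the verification run in this bug: three
# user namespaces, one of which carries an allow-same-namespace policy.
SAMPLE_NAMESPACES = {"items": [
    _ns("default"), _ns("kube-system"), _ns("openshift-monitoring"),
    _ns("openshift-ingress"), _ns("bz2003170"), _ns("ocp-32456"), _ns("test1"),
]}
SAMPLE_POLICIES = {"items": [
    _np("test1", "allow-same-namespace"),
    _np("openshift-ingress", "allow-all"),  # control-plane namespace, unprefixed policy name
]}


def load_from_cluster():
    # Assumed: `oc` on PATH with a logged-in session. Not exercised offline.
    ns = json.loads(subprocess.check_output(["oc", "get", "namespaces", "-o", "json"]))
    pol = json.loads(subprocess.check_output(
        ["oc", "get", "networkpolicies", "--all-namespaces", "-o", "json"]))
    return ns, pol


if __name__ == "__main__":
    if "--cluster" in sys.argv:
        ns, pol = load_from_cluster()
    else:
        ns, pol = SAMPLE_NAMESPACES, SAMPLE_POLICIES
    missing = namespaces_missing_policy(ns, pol)
    print("user namespaces:            ", user_namespaces(ns))
    print("namespaces with a policy:   ", policy_namespaces(pol))
    print("namespaces missing a policy:", missing)
    sys.exit(1 if missing else 0)
```

On the sample data the literal transcription reports `openshift-ingress` alongside `test1`, because the policy there is named `allow-all` rather than `openshift-...`; the namespace-based variant reports only `test1`, and the script exits non-zero because `bz2003170` and `ocp-32456` have no policy, matching the NON-COMPLIANT result in the verification above.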
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4530
Description of problem:

If you perform:

```
oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]'
```

from the compliancecheckresults ocp4-cis-configure-network-policies-namespaces instruction (obtained via `oc get compliancecheckresults ocp4-cis-configure-network-policies-namespaces -oyaml | grep instructions -A 10`) you don't get a list of namespaces. Instead you get masses of JSON output. This is because the command is missing the statement to only show `.metadata.name`.

Version-Release number of selected component (if applicable):
- Compliance Operator 0.1.39
- OpenShift: 4.7.23 (IBM Cloud ROKS)

How reproducible:
Every time

Steps to Reproduce:
1. Perform `oc get compliancecheckresults ocp4-cis-configure-network-policies-namespaces -oyaml | grep instructions -A 10`
2. Perform instruction to "get all non-control plane namespaces"
3.

Actual results:
Lots of JSON

Expected results:
A list of namespace names

Additional info:
The command needs to be:

```
oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
```