Bug 2003170
Summary: | Instruction in compliancecheckresults ocp4-cis-configure-network-policies-namespaces is wrong | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Matt <mtcolman> |
Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> |
Status: | CLOSED ERRATA | QA Contact: | Prashant Dhamdhere <pdhamdhe> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 4.7 | CC: | josorior, mrogers, xiyuan |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | No Doc Update |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-11-10 07:37:22 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Matt
2021-09-10 14:07:16 UTC
Just a quick note: the jq filter is used both in the instructions and in the actual rule OVAL check [1], and it is stored in the rule definition [2] as a variable, so I'm not sure whether just amending the filter would work or whether it would break the rule itself. If this is tripping users up, we can hard-code the instructions in the rule definition, but I'm just saying that it's not a matter of amending the filter blindly.

[1] https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies_namespaces/oval/shared.xml
[2] https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies_namespaces/rule.yml

[Bug_Verification]

Looks good. The instruction has an updated JSON query which reports the list of all the non-control plane namespaces.

Verified on: 4.9.0-0.nightly-2021-10-22-102153 + compliance-operator.v0.1.44

    $ oc get clusterversion
    NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.9.0-0.nightly-2021-10-22-102153   True        False         4h29m   Cluster version is 4.9.0-0.nightly-2021-10-22-102153

    $ oc get csv
    NAME                             DISPLAY                            VERSION   REPLACES   PHASE
    compliance-operator.v0.1.44      Compliance Operator                0.1.44               Succeeded
    elasticsearch-operator.5.2.3-5   OpenShift Elasticsearch Operator   5.2.3-5              Succeeded

    $ oc get rules ocp4-configure-network-policies-namespaces -ojsonpath={.instructions}
    Verify that the every non-control plane namespace has an appropriate NetworkPolicy.

    To get all the non-control plane namespaces, you can do the following command
    oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'

    To get all the non-control plane namespaces with a NetworkPolicy, you can do the following command
    oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'

    Make sure that the namespaces displayed in the commands of the commands match.

    $ oc create ns ocp-32456
    namespace/ocp-32456 created
    $ oc create ns bz2003170
    namespace/bz2003170 created
    $ oc create ns test1
    namespace/test1 created

    $ oc create -f - << EOF
    > apiVersion: compliance.openshift.io/v1alpha1
    > kind: ScanSettingBinding
    > metadata:
    >   name: moderate-test
    > profiles:
    > - apiGroup: compliance.openshift.io/v1alpha1
    >   kind: Profile
    >   name: ocp4-moderate
    > settingsRef:
    >   apiGroup: compliance.openshift.io/v1alpha1
    >   kind: ScanSetting
    >   name: default
    > EOF
    scansettingbinding.compliance.openshift.io/moderate-test created

    $ oc get pods
    NAME                                              READY   STATUS      RESTARTS      AGE
    aggregator-pod-ocp4-moderate                      0/1     Completed   0             44s
    compliance-operator-59d44fb857-4d67g              1/1     Running     1 (18m ago)   19m
    ocp4-moderate-api-checks-pod                      0/2     Completed   0             94s
    ocp4-openshift-compliance-pp-789f969db-9bk7v      1/1     Running     0             18m
    rhcos4-openshift-compliance-pp-7f88cf4598-qrts9   1/1     Running     0             18m

    $ oc get suite
    NAME            PHASE   RESULT
    moderate-test   DONE    NON-COMPLIANT

    $ oc get checkresult ocp4-moderate-configure-network-policies-namespaces -o=jsonpath={.instructions}
    Verify that the every non-control plane namespace has an appropriate NetworkPolicy.

    To get all the non-control plane namespaces, you can do the following command
    oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'

    To get all the non-control plane namespaces with a NetworkPolicy, you can do the following command
    oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'

    Make sure that the namespaces displayed in the commands of the commands match.

    $ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
    [
      "bz2003170",
      "ocp-32456",
      "test1"
    ]

    $ oc create -f - <<EOF
    > kind: NetworkPolicy
    > apiVersion: networking.k8s.io/v1
    > metadata:
    >   name: allow-same-namespace
    >   namespace: test1
    > spec:
    >   podSelector:
    >   ingress:
    >   - from:
    >     - podSelector: {}
    > EOF
    networkpolicy.networking.k8s.io/allow-same-namespace created

    $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
    [
      "test1"
    ]

    $ oc delete NetworkPolicy allow-same-namespace -ntest1
    networkpolicy.networking.k8s.io "allow-same-namespace" deleted

    $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
    []

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4530
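The two jq commands quoted in the verification above, and the comparison of their output that the instructions leave to the reader, as an added worked example that is not part of the bug report or of the Compliance Operator. It ports the filter to Python over the JSON that `oc get namespaces -o json` and `oc get --all-namespaces networkpolicies -o json` return (the sample documents below are constructed for the example, not captured from a cluster) and computes the namespaces that the second list lacks instead of leaving two lists to be matched by eye. One caveat it makes visible: the second jq command in the instructions tests `.metadata.name`, which on a NetworkPolicy object is the policy's name rather than its namespace; the example filters on `.metadata.namespace` and keeps a literal port of the instruction's filter next to it so the difference shows up on the sample data. All function and variable names are the example's own.

```python
"""Added example, not code from the bug report or the Compliance Operator.

Reproduces the manual check from the rule instructions (list non-control-plane
namespaces, list namespaces with a NetworkPolicy, compare) on the JSON that
`oc get namespaces -o json` and `oc get --all-namespaces networkpolicies -o json`
return, and reports the namespaces with no policy.
"""
from __future__ import annotations

import json

# Mirrors the jq predicate in the rule instructions: a name is treated as control
# plane if it starts with "openshift" or "kube-", or is exactly "default".
CONTROL_PLANE_PREFIXES = ("openshift", "kube-")
CONTROL_PLANE_NAMES = {"default"}


def is_control_plane(name: str) -> bool:
    return name.startswith(CONTROL_PLANE_PREFIXES) or name in CONTROL_PLANE_NAMES


def non_control_plane_namespaces(namespace_list: dict) -> list[str]:
    """Port of the first jq command: names of all non-control-plane namespaces."""
    return sorted(
        item["metadata"]["name"]
        for item in namespace_list["items"]
        if not is_control_plane(item["metadata"]["name"])
    )


def namespaces_with_policy(policy_list: dict) -> list[str]:
    """Namespaces that own at least one NetworkPolicy, filtered on the namespace.

    Each item here is a NetworkPolicy, so .metadata.namespace is the namespace
    the policy protects and .metadata.name is only the policy's own name.
    """
    return sorted({
        item["metadata"]["namespace"]
        for item in policy_list["items"]
        if not is_control_plane(item["metadata"]["namespace"])
    })


def namespaces_with_policy_as_instructed(policy_list: dict) -> list[str]:
    """Literal port of the second jq command, which filters on the policy *name*.

    Kept for comparison: a policy named e.g. "kube-ingress-only" in an application
    namespace is dropped, and a policy named "default-deny" in an openshift-*
    namespace is kept.
    """
    return sorted({
        item["metadata"]["namespace"]
        for item in policy_list["items"]
        if not is_control_plane(item["metadata"]["name"])
    })


def namespaces_missing_policy(namespace_list: dict, policy_list: dict) -> list[str]:
    """The comparison the instructions ask for: namespaces with no NetworkPolicy."""
    covered = set(namespaces_with_policy(policy_list))
    return [ns for ns in non_control_plane_namespaces(namespace_list) if ns not in covered]


# Constructed sample data in the shape of the List objects `oc get -o json` returns.
SAMPLE_NAMESPACES = {
    "kind": "NamespaceList",
    "items": [
        {"metadata": {"name": n}}
        for n in ["default", "kube-system", "openshift-monitoring",
                  "bz2003170", "ocp-32456", "test1"]
    ],
}
SAMPLE_POLICIES = {
    "kind": "NetworkPolicyList",
    "items": [
        {"metadata": {"name": "allow-same-namespace", "namespace": "test1"}},
        # Policy name starts with "kube-" but protects an application namespace.
        {"metadata": {"name": "kube-ingress-only", "namespace": "ocp-32456"}},
        # Policy in a control-plane namespace whose name passes the name filter.
        {"metadata": {"name": "default-deny", "namespace": "openshift-monitoring"}},
    ],
}

if __name__ == "__main__":
    # Against a live cluster, replace the samples with json.loads() of the two oc outputs.
    print("non-control-plane namespaces:", json.dumps(non_control_plane_namespaces(SAMPLE_NAMESPACES)))
    print("with a NetworkPolicy:        ", json.dumps(namespaces_with_policy(SAMPLE_POLICIES)))
    print("as instructed (name filter): ", json.dumps(namespaces_with_policy_as_instructed(SAMPLE_POLICIES)))
    print("missing a NetworkPolicy:     ", json.dumps(namespaces_missing_policy(SAMPLE_NAMESPACES, SAMPLE_POLICIES)))
```

On the constructed sample the namespace-based filter reports ocp-32456 and test1 as covered and bz2003170 as missing, while the literal port of the instruction's filter reports openshift-monitoring and test1, so the two reads of the same cluster state would not agree. To run it against a real cluster, feed the output of the two `oc` commands to `json.loads()` in place of the sample dictionaries.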