Bug 2060726
| Field | Value |
|---|---|
| Summary | Compliance operator does not generate alert notification for non-control namespace |
| Product | OpenShift Container Platform |
| Component | Compliance Operator |
| Version | 4.10 |
| Target Release | 4.12.0 |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Reporter | Prashant Dhamdhere <pdhamdhe> |
| Assignee | Matt Rogers <mrogers> |
| QA Contact | xiyuan |
| Docs Contact | Jeana Routh <jrouth> |
| CC | jhrozek, jrouth, lbragsta, mrogers, xiyuan |
| Doc Type | Bug Fix |
| Doc Text | Previously, the Compliance Operator hard-coded notifications to the default namespace. As a result, notifications from the Operator would not appear if the Operator was installed in a different namespace. This issue is fixed in this release. (BZ#2060726: https://bugzilla.redhat.com/show_bug.cgi?id=2060726) |
| Last Closed | 2022-11-02 16:00:53 UTC |
Description
Prashant Dhamdhere
2022-03-04 06:15:17 UTC
It seems that everything should be created in the operator's namespace already; at least, looking at the patches that added the alerts, I don't see an obvious reason why it shouldn't work. Matt would know better, probably, though.

That said, why do we try to test this use-case? IIRC even with ACM integration, the operator is installed into openshift-compliance and just watches resources in other namespaces, right?

Lowering severity and unsetting blocker because this doesn't seem to be a super common use-case.

Verification pass with 4.12.0-0.nightly-2022-09-22-153054 + compliance-operator.v0.1.55
# 1. Install the operator in a non-control namespace:
$ oc apply -f -<<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: co
  labels:
    openshift.io/cluster-monitoring: "true"
    security.openshift.io/scc.podSecurityLabelSync: "false"
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-compliance-abcd
  namespace: co
spec:
  targetNamespaces:
  - co
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-compliance-operator
  namespace: co
spec:
  channel: "release-0.1"
  # the Subscription spec field is installPlanApproval (Automatic is also the default)
  installPlanApproval: Automatic
  name: compliance-operator
  source: qe-app-registry
  sourceNamespace: openshift-marketplace
EOF
namespace/co created
operatorgroup.operators.coreos.com/openshift-compliance-abcd created
subscription.operators.coreos.com/openshift-compliance-operator created
$ oc project co
Now using project "co" on server "https://api.xiyuan23-1.qe.azure.devcluster.openshift.com:6443".
$ oc get pod
NAME READY STATUS RESTARTS AGE
compliance-operator-75c4687f47-thjdr 1/1 Running 1 (22m ago) 3m
ocp4-co-pp-746bfb6c5c-d4c5h 1/1 Running 0 3m
rhcos4-co-pp-7c5946fdb9-d5bdb 1/1 Running 0 3m
# 2. Create the ScanSettingBinding (in the current project, co):
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb-r
profiles:
- name: ocp4-moderate
  kind: Profile
  apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
$ oc get suite
NAME PHASE RESULT
my-ssb-r DONE NON-COMPLIANT
# 3. Check the alert:
$ oc get route alertmanager-main -n openshift-monitoring
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
alertmanager-main alertmanager-main-openshift-monitoring.apps.xiyuan23-1.qe.azure.devcluster.openshift.com /api alertmanager-main web reencrypt/Redirect None
$ ALERT_MANAGER=$(oc get route alertmanager-main -n openshift-monitoring -o jsonpath='{@.spec.host}')
$ curl -k -H "Authorization: Bearer $(oc create token prometheus-k8s -n openshift-monitoring)" https://$ALERT_MANAGER/api/v1/alerts |jq '.data[] | select(.labels.alertname | contains("NonCompliant"))'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5490 0 5490 0 0 3188 0 --:--:-- 0:00:01 --:--:-- 3188
{
  "labels": {
    "alertname": "NonCompliant",
    "endpoint": "metrics-co",
    "instance": "10.130.0.75:8585",
    "job": "metrics",
    "name": "my-ssb-r",
    "namespace": "co",
    "openshift_io_alert_source": "platform",
    "pod": "compliance-operator-75c4687f47-thjdr",
    "prometheus": "openshift-monitoring/k8s",
    "service": "metrics",
    "severity": "warning"
  },
  "annotations": {
    "description": "The compliance suite my-ssb-r returned as NON-COMPLIANT, ERROR, or INCONSISTENT",
    "summary": "The cluster is out-of-compliance"
  },
  "startsAt": "2022-09-23T05:52:22.939Z",
  "endsAt": "2022-09-23T05:57:52.939Z",
  "generatorURL": "https:///console-openshift-console.apps.xiyuan23-1.qe.azure.devcluster.openshift.com/monitoring/graph?g0.expr=compliance_operator_compliance_state%7Bname%3D~%22.%2B%22%7D+%3E+0&g0.tab=1",
  "status": {
    "state": "active",
    "silencedBy": null,
    "inhibitedBy": null
  },
  "receivers": [
    "Default"
  ],
  "fingerprint": "0e7e6f43de393147"
}
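The curl | jq step above only eyeballs the alert. As an added check, written for this page and not taken from the bug report or from the Compliance Operator, the script below parses the /api/v1/alerts response and passes only when an active NonCompliant alert for the suite carries the namespace the operator was installed into; an alert for the same suite labelled with any other namespace is reported as the symptom this bug describes. The sample responses in it are constructed, and openshift-compliance in the misattributed sample is an illustrative choice. A caveat on the setup itself: the Namespace in step 1 carries the label openshift.io/cluster-monitoring: "true", which is what lets the platform Prometheus (the alert's prometheus label reads openshift-monitoring/k8s) pick up the operator's ServiceMonitor and alerting rule; without that label, platform monitoring does not evaluate the rule, regardless of this fix.

```python
"""Added check for the verification step above: parse the Alertmanager
/api/v1/alerts response and confirm the NonCompliant alert for a suite is
labelled with the namespace the Compliance Operator was installed into.

Example code written for this page, not code from the bug report or the
Compliance Operator. The sample responses below are constructed."""
import json
import sys

ALERTNAME = "NonCompliant"


def active_alerts(payload):
    """Yield the alerts in an Alertmanager v1 response whose state is "active"
    (suppressed or unprocessed alerts are not treated as a notification)."""
    doc = json.loads(payload) if isinstance(payload, str) else payload
    if doc.get("status") != "success":
        raise ValueError("Alertmanager API error: %r" % doc.get("error", doc.get("status")))
    for alert in doc.get("data", []):
        if alert.get("status", {}).get("state") == "active":
            yield alert


def noncompliant_by_namespace(payload):
    """Map the namespace label of every active NonCompliant alert to the
    suite names (label "name") alerting in it."""
    by_ns = {}
    for alert in active_alerts(payload):
        labels = alert.get("labels", {})
        if labels.get("alertname") != ALERTNAME:
            continue
        by_ns.setdefault(labels.get("namespace", ""), []).append(labels.get("name", ""))
    return by_ns


def verify_alert(payload, namespace, suite):
    """Return (ok, message). ok is True only when the NonCompliant alert for
    `suite` carries namespace=`namespace`. An alert for the suite labelled with
    any other namespace is reported separately: that is the symptom this bug
    describes (the alert exists but is attributed to the wrong namespace)."""
    by_ns = noncompliant_by_namespace(payload)
    if suite in by_ns.get(namespace, []):
        return True, "NonCompliant alert for suite %s found in namespace %s" % (suite, namespace)
    elsewhere = sorted(ns for ns, suites in by_ns.items() if suite in suites)
    if elsewhere:
        return False, "alert for suite %s is labelled namespace=%s, expected %s" % (
            suite, ",".join(elsewhere), namespace)
    return False, "no active NonCompliant alert for suite %s in any namespace" % suite


def _response(namespace, suite, state="active"):
    """Build a constructed /api/v1/alerts response with a single alert; the
    labels mirror the ones in the verification output above."""
    return json.dumps({
        "status": "success",
        "data": [{
            "labels": {"alertname": ALERTNAME, "name": suite, "namespace": namespace,
                       "job": "metrics", "service": "metrics", "severity": "warning"},
            "annotations": {"summary": "The cluster is out-of-compliance"},
            "status": {"state": state, "silencedBy": None, "inhibitedBy": None},
        }],
    })


# Constructed samples: the fixed behaviour (alert in the install namespace "co"),
# an alert attributed to a different namespace (openshift-compliance, the
# operator's usual install namespace, chosen here only for illustration), and
# an alert that Alertmanager has suppressed (silenced or inhibited).
FIXED_RESPONSE = _response("co", "my-ssb-r")
MISATTRIBUTED_RESPONSE = _response("openshift-compliance", "my-ssb-r")
SUPPRESSED_RESPONSE = _response("co", "my-ssb-r", state="suppressed")

if __name__ == "__main__":
    # Live use: save the curl output to a file and pass it as argv[1], with the
    # operator namespace and suite name as argv[2] and argv[3]; with no
    # arguments the constructed samples are checked instead.
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            ok, msg = verify_alert(fh.read(), sys.argv[2], sys.argv[3])
        print(("PASS " if ok else "FAIL ") + msg)
        sys.exit(0 if ok else 1)
    for label, resp in (("fixed", FIXED_RESPONSE),
                        ("misattributed", MISATTRIBUTED_RESPONSE),
                        ("suppressed", SUPPRESSED_RESPONSE)):
        ok, msg = verify_alert(resp, "co", "my-ssb-r")
        print("%-13s %s: %s" % (label, "PASS" if ok else "FAIL", msg))
```

Against a live cluster, `curl -k -H "Authorization: Bearer ..." https://$ALERT_MANAGER/api/v1/alerts > alerts.json` followed by `python3 check_alert.py alerts.json co my-ssb-r` gives a non-zero exit when the alert is missing, suppressed, or attributed to another namespace, which is the condition a CI job for this bug should fail on.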
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6657