Bug 2072431
Summary: | ocp4-cis-modified-configure-network-policies can be verified and should not be manual | |
---|---|---|---
Product: | OpenShift Container Platform | Reporter: | Pamela Escorza <pescorza>
Component: | Compliance Operator | Assignee: | Lance Bragstad <lbragsta>
Status: | CLOSED ERRATA | QA Contact: | xiyuan
Severity: | high | Docs Contact: |
Priority: | medium | |
Version: | 4.6 | CC: | jmittapa, lbragsta, mrogers, suprs, wenshen, xiyuan
Target Milestone: | --- | Flags: | xiyuan: needinfo-
Target Release: | --- | |
Hardware: | All | |
OS: | All | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2022-06-06 14:39:50 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Pamela Escorza
2022-04-06 09:47:10 UTC
I was able to recreate this using OCP 4.6 and 4.10, so it's certainly applicable to newer releases, too. This is the rule we would need to update to check the cluster configuration:
https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies/rule.yml

This fix requires patches to the content and the compliance-operator, but both are up for review.
https://github.com/openshift/compliance-operator/pull/815
https://github.com/ComplianceAsCode/content/pull/8524

Both fixes landed. Moving to modified.
Hi Lance,
The ccr ocp4-cis-configure-network-policies is not manual now. It is PASS for SDN and OVN networks. However, it seems the instructions are not clear.
Do we need to update them? Thanks.
Current instruction:
$ oc get ccr ocp4-cis-configure-network-policies -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
The resulting output should be an explanation of the NetworkPolicy resource.
Actual command used:
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
Verification Details:
verified with payload 4.11.0-0.nightly-2022-05-25-193227 and compliance-operator.v0.1.52.
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.11.0-0.nightly-2022-05-25-193227 True False 3h15m Cluster version is 4.11.0-0.nightly-2022-05-25-193227
$ oc get ip
NAME CSV APPROVAL APPROVED
install-prbqr compliance-operator.v0.1.52 Automatic true
$ oc get csv
NAME DISPLAY VERSION REPLACES PHASE
compliance-operator.v0.1.52 Compliance Operator 0.1.52 Succeeded
elasticsearch-operator.5.4.2 OpenShift Elasticsearch Operator 5.4.2 Succeeded
$ oc get pod
NAME READY STATUS RESTARTS AGE
compliance-operator-59b569f68d-67wtp 1/1 Running 1 (4m45s ago) 5m28s
ocp4-openshift-compliance-pp-5cd896b74c-gcfbr 1/1 Running 0 4m3s
rhcos4-openshift-compliance-pp-78bf7c5bf9-2hq7p 1/1 Running 0 4m3s
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
> name: my-ssb-r
> profiles:
> - name: ocp4-cis
> kind: Profile
> apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
> name: default
> kind: ScanSetting
> apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
$ oc get suite -w
NAME PHASE RESULT
my-ssb-r RUNNING NOT-AVAILABLE
my-ssb-r AGGREGATING NOT-AVAILABLE
my-ssb-r DONE NON-COMPLIANT
my-ssb-r DONE NON-COMPLIANT
$ oc get ccr ocp4-cis-configure-network-policies
ocp4-cis-configure-network-policies PASS high
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OVNKubernetes"
The checkresult also passes for an SDN cluster:
$ oc get ccr ocp4-cis-configure-network-policies
NAME STATUS SEVERITY
ocp4-cis-configure-network-policies PASS high
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OpenShiftSDN"
$ oc get ccr ocp4-cis-configure-network-policies -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
$ oc get ccr ocp4-cis-configure-network-policies -o=jsonpath={.description}
Ensure that the CNI in use supports Network Policies
Kubernetes network policies are enforced by the CNI plugin in use. As such
it is important to ensure that the CNI plugin supports both Ingress and
Egress network policies.
$ oc get ccr ocp4-cis-configure-network-policies -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
The resulting output should be an explanation of the NetworkPolicy resource.
Verified with 4.6.58 + compliance-operator.v0.1.52
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.6.58 True False 4h48m Cluster version is 4.6.58
$ oc get ip
NAME CSV APPROVAL APPROVED
install-x5pl6 compliance-operator.v0.1.52 Automatic true
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
> name: my-ssb-r
> profiles:
> - name: ocp4-cis
> kind: Profile
> apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
> name: default
> kind: ScanSetting
> apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
$ oc get ssb
NAME AGE
my-ssb-r 5s
$ oc get suite
my-ssb-r DONE NON-COMPLIANT
$ oc get ccr ocp4-cis-configure-network-policies
NAME STATUS SEVERITY
ocp4-cis-configure-network-policies PASS high
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OpenShiftSDN"
Per https://bugzilla.redhat.com/show_bug.cgi?id=2072431#c12 and https://bugzilla.redhat.com/show_bug.cgi?id=2072431#c13, moving it to verified. For the instructions issue, I will create a new bug to track it.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:4657
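As an added illustration (not code from this bug, the Compliance Operator, or ComplianceAsCode), the following Python mirrors the automated check the thread describes: it reads the same `.spec.defaultNetwork.type` field that the `jq` command prints and reports PASS for the two plugin types the verification above shows passing. Treating any other or missing type as FAIL is an assumption of this example, not something the bug states.

```python
import json

# Plugin types the verification in this bug shows passing the rule.
# Treating anything else as FAIL is an assumption made for this example.
NETWORK_POLICY_CAPABLE_PLUGINS = {"OpenShiftSDN", "OVNKubernetes"}


def default_network_type(network_cr_json: str):
    """Return .spec.defaultNetwork.type from a networks.operator.openshift.io
    'cluster' object serialised as JSON (the path the jq command reads),
    or None when the document is malformed or the field is absent."""
    try:
        obj = json.loads(network_cr_json)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    spec = obj.get("spec") or {}
    default_network = spec.get("defaultNetwork") or {}
    if not isinstance(default_network, dict):
        return None
    return default_network.get("type")


def evaluate_configure_network_policies(network_cr_json: str) -> dict:
    """Evaluate the ocp4-cis-configure-network-policies check the way the
    automated rule does: PASS when the default CNI enforces NetworkPolicy."""
    plugin = default_network_type(network_cr_json)
    if plugin is None:
        return {"status": "FAIL", "plugin": None,
                "reason": "spec.defaultNetwork.type not found"}
    if plugin in NETWORK_POLICY_CAPABLE_PLUGINS:
        return {"status": "PASS", "plugin": plugin,
                "reason": f"{plugin} enforces Ingress and Egress NetworkPolicy"}
    return {"status": "FAIL", "plugin": plugin,
            "reason": f"{plugin} is not a known NetworkPolicy-capable plugin"}


# Constructed sample: a trimmed networks.operator.openshift.io/cluster object,
# matching what the OVN cluster in the verification log would return.
SAMPLE_OVN_CLUSTER = json.dumps({
    "apiVersion": "operator.openshift.io/v1", "kind": "Network",
    "metadata": {"name": "cluster"},
    "spec": {"defaultNetwork": {"type": "OVNKubernetes"}},
})

if __name__ == "__main__":
    print(evaluate_configure_network_policies(SAMPLE_OVN_CLUSTER))
```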