Bug 2072431

Summary: ocp4-cis-modified-configure-network-policies can be verified and should not be manual
Product: OpenShift Container Platform
Reporter: Pamela Escorza <pescorza>
Component: Compliance Operator
Assignee: Lance Bragstad <lbragsta>
Status: CLOSED ERRATA
QA Contact: xiyuan
Severity: high
Priority: medium
Version: 4.6
CC: jmittapa, lbragsta, mrogers, suprs, wenshen, xiyuan
Target Milestone: ---
Flags: xiyuan: needinfo-
Target Release: ---
Hardware: All
OS: All
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-06-06 14:39:50 UTC
Type: Bug
Regression: ---

Description Pamela Escorza 2022-04-06 09:47:10 UTC
Description of problem:

Compliance rule ocp4-configure-network-policies should not be manual as it can be verified.
As per the documentation, the supported network providers support NetworkPolicies:

https://docs.openshift.com/container-platform/4.10/networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.html#nw-ovn-kubernetes-matrix_about-ovn-kubernetes

Version-Release number of selected component (if applicable):
all

How reproducible:

Checking compliance result status:

$ oc get compliancecheckresults.compliance.openshift.io | grep configure-network-policies
ocp4-cis-modified-configure-network-policies                                   MANUAL   high

Checking configuration:
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OpenShiftSDN"


Steps to Reproduce:
1. Launch CIS Benchmark ocp4-cis profile verification
2. Rule ocp4-configure-network-policies configured as Manual 

Actual results:
Customers need to verify a configuration that, per the OCP network support matrix, is supported.

Expected results:
To fail in case the default network provider is other than a supported one which supports NetworkPolicy.
In case the customer has the possibility to configure their own network provider, the remediation should allow configuring the rational justification.
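The check requested above, written out as a small added example (not code from the Compliance Operator or the ComplianceAsCode content): it reads the same `spec.defaultNetwork.type` field the bug discusses from a constructed copy of the cluster Network operator object and reports PASS or FAIL instead of MANUAL. The set of NetworkPolicy-capable providers is an assumption taken from the two values verified later in this bug (OpenShiftSDN and OVNKubernetes); the sample JSON documents are constructed here.

```python
import json

# Assumption: the providers this bug's verification shows passing the rule.
# Anything else, or a missing field, is reported as FAIL rather than MANUAL.
NETWORKPOLICY_CAPABLE_PROVIDERS = frozenset({"OpenShiftSDN", "OVNKubernetes"})


def default_network_type(network_operator_json):
    """Same lookup as:
    oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
    Returns None when the document is not JSON or the field is absent."""
    try:
        return json.loads(network_operator_json)["spec"]["defaultNetwork"]["type"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return None


def evaluate_configure_network_policies(network_operator_json):
    """Return (status, reason) the way a ComplianceCheckResult would, never MANUAL."""
    net_type = default_network_type(network_operator_json)
    if net_type is None:
        return "FAIL", "spec.defaultNetwork.type not found in the Network operator config"
    if net_type in NETWORKPOLICY_CAPABLE_PROVIDERS:
        return "PASS", f"default network provider {net_type} supports NetworkPolicy"
    return "FAIL", f"default network provider {net_type} is not known to enforce NetworkPolicy"


def _network_doc(net_type):
    # Constructed, trimmed copy of the 'cluster' Network operator object.
    spec = {"defaultNetwork": {"type": net_type}} if net_type else {}
    return json.dumps({"apiVersion": "operator.openshift.io/v1", "kind": "Network",
                       "metadata": {"name": "cluster"}, "spec": spec})


SAMPLE_OVN = _network_doc("OVNKubernetes")      # constructed sample input
SAMPLE_SDN = _network_doc("OpenShiftSDN")       # constructed sample input
SAMPLE_OTHER = _network_doc("ThirdPartyCNI")    # constructed, hypothetical provider name
SAMPLE_MISSING = _network_doc(None)             # constructed, field absent

if __name__ == "__main__":
    for label, doc in (("OVN", SAMPLE_OVN), ("SDN", SAMPLE_SDN),
                       ("other", SAMPLE_OTHER), ("missing", SAMPLE_MISSING)):
        status, reason = evaluate_configure_network_policies(doc)
        print(f"{label:8} {status:5} {reason}")
```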

Comment 1 Lance Bragstad 2022-04-06 15:31:46 UTC
I was able to recreate this using OCP 4.6 and 4.10, so it's certainly applicable to newer releases, too. This is the rule we would need to update to check the cluster configuration.

https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies/rule.yml

Comment 7 Lance Bragstad 2022-04-08 16:29:10 UTC
This fix requires patches to the content and the compliance-operator, but both are up for review.

https://github.com/openshift/compliance-operator/pull/815
https://github.com/ComplianceAsCode/content/pull/8524

Comment 8 Lance Bragstad 2022-05-23 14:46:34 UTC
Both fixes landed. Moving to modified.

Comment 12 xiyuan 2022-05-26 07:17:01 UTC
Hi Lance,
The ccr ocp4-cis-configure-network-policies is not manual now. It is PASS for SDN and OVN networks. However, it seems the instructions are not clear.
Do we need to update it? Thanks.

Current instruction:
$ oc get ccr ocp4-cis-configure-network-policies  -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
The resulting output should be an explanation of the NetworkPolicy resource.

Actual command used:
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'


Verification Details:
verified with payload 4.11.0-0.nightly-2022-05-25-193227 and compliance-operator.v0.1.52.

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-05-25-193227   True        False         3h15m   Cluster version is 4.11.0-0.nightly-2022-05-25-193227

$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-prbqr   compliance-operator.v0.1.52   Automatic   true
$ oc get csv
NAME                           DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.52    Compliance Operator                0.1.52               Succeeded
elasticsearch-operator.5.4.2   OpenShift Elasticsearch Operator   5.4.2                Succeeded
$ oc get pod
NAME                                              READY   STATUS    RESTARTS        AGE
compliance-operator-59b569f68d-67wtp              1/1     Running   1 (4m45s ago)   5m28s
ocp4-openshift-compliance-pp-5cd896b74c-gcfbr     1/1     Running   0               4m3s
rhcos4-openshift-compliance-pp-78bf7c5bf9-2hq7p   1/1     Running   0               4m3s
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get suite -w
NAME       PHASE     RESULT
my-ssb-r   RUNNING   NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          NON-COMPLIANT
my-ssb-r   DONE          NON-COMPLIANT

$ oc get ccr ocp4-cis-configure-network-policies
ocp4-cis-configure-network-policies                                PASS     high

$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OVNKubernetes"

The check result also passes for an SDN cluster:
$ oc get ccr ocp4-cis-configure-network-policies
NAME                                  STATUS   SEVERITY
ocp4-cis-configure-network-policies   PASS     high
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OpenShiftSDN"

$ oc get ccr ocp4-cis-configure-network-policies  -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy

$ oc get ccr ocp4-cis-configure-network-policies  -o=jsonpath={.description}
Ensure that the CNI in use supports Network Policies
Kubernetes network policies are enforced by the CNI plugin in use. As such
it is important to ensure that the CNI plugin supports both Ingress and
Egress network policies.

$ oc get ccr ocp4-cis-configure-network-policies  -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
The resulting output should be an explanation of the NetworkPolicy resource.

Comment 13 xiyuan 2022-05-26 07:20:18 UTC
Verified with 4.6.58 + compliance-operator.v0.1.52
$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.58    True        False         4h48m   Cluster version is 4.6.58
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-x5pl6   compliance-operator.v0.1.52   Automatic   true

$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
$ oc get ssb
NAME       AGE
my-ssb-r   5s
$ oc get suite
my-ssb-r   DONE          NON-COMPLIANT
$ oc get ccr ocp4-cis-configure-network-policies
NAME                                  STATUS   SEVERITY
ocp4-cis-configure-network-policies   PASS     high
$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OpenShiftSDN"

Comment 14 xiyuan 2022-05-31 01:33:30 UTC
Per https://bugzilla.redhat.com/show_bug.cgi?id=2072431#c12 and https://bugzilla.redhat.com/show_bug.cgi?id=2072431#c13, move it to verified.
For the instructions issue, will create a new bug to track.

Comment 16 errata-xmlrpc 2022-06-06 14:39:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4657