Bug 2081952

Summary: The rule content_rule_oauth_or_oauthclient_inactivity_timeout is failing after setting "accessTokenInactivityTimeout: 10m0s"
Product: OpenShift Container Platform
Reporter: Mithilesh Kaur Bagga <mbagga>
Component: Compliance Operator
Assignee: Vincent Shen <wenshen>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 4.8
CC: eglottma, jhrozek, lbragsta, mrogers, suprs, wenshen, xiyuan
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Cause: content_rule_oauth_or_oauthclient_inactivity_timeout did not account for a timeout configured by the deployment when assessing compliance for token inactivity timeouts.
Consequence: The rule failed even when the configured timeout was justified or otherwise valid.
Fix: Use an updated version of the Compliance Operator content, in which the var_oauth_inactivity_timeout variable defines the valid timeout length.
Result: The scan reports success for deployments that override the default timeout.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-07-14 12:40:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Comment 2 xiyuan 2022-07-01 08:58:51 UTC
Verification passed with 4.11.0-0.nightly-2022-06-30-005428 and the latest content pulled from quay.io/compliance-operator/compliance-operator-content:latest
1. When the variable value in the tailored profile equals the value on the cluster, the rule PASSes:
# oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"15m0s"}}}' --type=merge
oauth.config.openshift.io/cluster patched
$ oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'
15m0s
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: test-oauth-inactivity-timeout                        
  namespace: openshift-compliance
spec:                                         
  description: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
  title: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
  enableRules:
    - name: ocp4-oauth-or-oauthclient-inactivity-timeout
      rationale: platform
  setValues:
  - name: ocp4-var-oauth-inactivity-timeout
    rationale: platform
    value: '15m0s'
EOF
tailoredprofile.compliance.openshift.io/test-oauth-inactivity-timeout created
$ oc get tp
NAME                            STATE
test-oauth-inactivity-timeout   READY

$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: test-oauth-inactivity-timeout
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created

$ oc get suite
NAME   PHASE     RESULT
test   DONE          COMPLIANT
$ oc get ccr
NAME                                                                    STATUS   SEVERITY
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   PASS     medium

2. When the variable value in the tailored profile differs from the value on the cluster, the rule FAILs:
$ oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"10m0s"}}}' --type=merge
oauth.config.openshift.io/cluster patched
$ oc get co authentication -w
NAME             VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h52m   APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 1/3 pods have been updated to the latest generation...
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h52m   APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 2/3 pods have been updated to the latest generation...
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h53m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h53m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h54m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h54m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        True          False      6h54m   OAuthServerDeploymentProgressing: deployment/oauth-openshift.openshift-authentication: 1/3 pods have been updated to the latest generation
authentication   4.11.0-0.nightly-2022-06-30-005428   True        False         False      6h56m  
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': test-oauth-inactivity-timeout
Re-running scan 'openshift-compliance/test-oauth-inactivity-timeout'
$ oc get suite 
NAME   PHASE     RESULT
test   DONE          NON-COMPLIANT
$ oc get ccr
NAME                                                                    STATUS   SEVERITY
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   FAIL     medium

Comment 5 xiyuan 2022-07-08 07:47:16 UTC
Verification passed with compliance-operator.v0.1.53 + 4.11.0-rc.1
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-hksfh   compliance-operator.v0.1.53   Automatic   true
$ oc get csv
NAME                            DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.53     Compliance Operator                0.1.53               Succeeded
elasticsearch-operator.v5.5.0   OpenShift Elasticsearch Operator   5.5.0                Succeeded

1. When the value set for the variable differs from the value on the cluster:
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: TailoredProfile
> metadata:
>   name: test-oauth-inactivity-timeout                        
>   namespace: openshift-compliance
> spec:                                         
>   description: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   title: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   enableRules:
>     - name: ocp4-oauth-or-oauthclient-inactivity-timeout
>       rationale: platform
>   setValues:
>   - name: ocp4-var-oauth-inactivity-timeout
>     rationale: platform
>     value: '15m0s'
> EOF
tailoredprofile.compliance.openshift.io/test-oauth-inactivity-timeout created
$ oc get co  authentication -w 
NAME             VERSION       AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.11.0-rc.1   True        True          False      90m     APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 1/3 pods have been updated to the latest generation...
authentication   4.11.0-rc.1   True        True          False      91m     APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 2/3 pods have been updated to the latest generation...
authentication   4.11.0-rc.1   True        True          False      91m     APIServerDeploymentProgressing: deployment/apiserver.openshift-oauth-apiserver: 2/3 pods have been updated to the latest generation
authentication   4.11.0-rc.1   True        False         False      92m     
authentication   4.11.0-rc.1   True        False         False      92m     
authentication   4.11.0-rc.1   True        False         False      92m     
^C$  oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: test
> profiles:
>   - apiGroup: compliance.openshift.io/v1alpha1
>     kind: TailoredProfile
>     name: test-oauth-inactivity-timeout
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
^C$ oc get ccr
NAME                                                                    STATUS   SEVERITY

2. When the value set for the variable equals the value on the cluster:
$ oc patch oauth cluster -p '{"spec":{"tokenConfig":{"accessTokenInactivityTimeout":"15m0s"}}}' --type=merge
oauth.config.openshift.io/cluster patched
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': test-oauth-inactivity-timeout
Re-running scan 'openshift-compliance/test-oauth-inactivity-timeout'
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          COMPLIANT
test   DONE          COMPLIANT
^C $ oc get ccr
NAME                                                                    STATUS   SEVERITY
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   PASS     medium

3. Check whether the default remediation works:
Delete the tp and ssb and check when no variable is set:
$ oc delete ssb --all
scansettingbinding.compliance.openshift.io "test" deleted
$ oc delete tp --all
tailoredprofile.compliance.openshift.io "test-oauth-inactivity-timeout" deleted
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: TailoredProfile
> metadata:
>   name: test-oauth-inactivity-timeout                        
>   namespace: openshift-compliance
> spec:                                         
>   description: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   title: set value for ocp4-nerc-cip-oauth-or-oauthclient-inactivity-timeout
>   enableRules:
>     - name: ocp4-oauth-or-oauthclient-inactivity-timeout
>       rationale: platform
> EOF
tailoredprofile.compliance.openshift.io/test-oauth-inactivity-timeout created
$  oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test                                                 
profiles:                        
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile                                                         
    name: test-oauth-inactivity-timeout
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF                                        
scansettingbinding.compliance.openshift.io/test created
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT

$ oc get cr
NAME                                                                    STATE
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   NotApplied
$ oc patch ssb test -p '{"settingsRef":{"name":"default-auto-apply"}}' --type='merge'
scansettingbinding.compliance.openshift.io/test patched
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': test-oauth-inactivity-timeout
Re-running scan 'openshift-compliance/test-oauth-inactivity-timeout'

$ oc get cr
NAME                                                                    STATE
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   Applied
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': test-oauth-inactivity-timeout
Re-running scan 'openshift-compliance/test-oauth-inactivity-timeout'
NAME   PHASE       RESULT
test   LAUNCHING   NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          COMPLIANT
test   DONE          COMPLIANT
^C$ oc get ccr
NAME                                                                    STATUS   SEVERITY
test-oauth-inactivity-timeout-oauth-or-oauthclient-inactivity-timeout   PASS     medium
$  oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'
10m0s
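
As an added illustration (not code from this bug, from the Compliance Operator, or from the ComplianceAsCode content), the following Python models what the verification above exercises: the fixed rule compares the cluster's spec.tokenConfig.accessTokenInactivityTimeout against the value of the tailored-profile variable ocp4-var-oauth-inactivity-timeout, and the remediation writes the expected value back using the same merge-patch shape as the oc patch commands in the comments. The sample OAuth object is constructed; the 10m0s fallback is an assumption taken from the final oc get oauth output in comment 5 (the page does not state the content's actual default); and, as the rule name oauth_or_oauthclient implies, the real check also considers OAuthClient objects, which this model leaves out.

```python
import json
import re

# Constructed sample: the shape of `oc get oauth cluster -o json` after the
# `oc patch ... "accessTokenInactivityTimeout":"15m0s"` step in comment 2.
# Only the fields the check reads are included.
OAUTH_CLUSTER = json.loads("""
{
  "apiVersion": "config.openshift.io/v1",
  "kind": "OAuth",
  "metadata": {"name": "cluster"},
  "spec": {"tokenConfig": {"accessTokenInactivityTimeout": "15m0s"}}
}
""")

# Assumption: the value the rule falls back to when the tailored profile sets
# no variable. The verification in comment 5 ends with the cluster at 10m0s
# after the auto-applied remediation, so this model uses that value.
DEFAULT_INACTIVITY_TIMEOUT = "10m0s"

# Go-style durations as written in the OAuth spec: "15m0s", "1h30m", "45s".
_DURATION_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_duration(text):
    """Convert a Go-style duration string to a number of seconds."""
    text = text.strip()
    match = _DURATION_RE.match(text)
    if not text or not match:
        raise ValueError(f"unsupported duration: {text!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def cluster_timeout(oauth):
    """Return spec.tokenConfig.accessTokenInactivityTimeout, or None if unset."""
    return (oauth.get("spec", {})
                 .get("tokenConfig", {})
                 .get("accessTokenInactivityTimeout"))


def evaluate_rule(oauth, var_value=None):
    """Model of the fixed rule: PASS when the cluster timeout equals the
    variable value (or the assumed default when no variable is set), else FAIL.
    Durations are compared numerically so "15m" and "15m0s" are equal."""
    expected = var_value if var_value is not None else DEFAULT_INACTIVITY_TIMEOUT
    actual = cluster_timeout(oauth)
    if actual is None:
        return "FAIL"  # no inactivity timeout configured at all
    return "PASS" if parse_duration(actual) == parse_duration(expected) else "FAIL"


def remediation_patch(var_value=None):
    """Merge patch equivalent to the page's
    `oc patch oauth cluster -p '{...}' --type=merge` command."""
    expected = var_value if var_value is not None else DEFAULT_INACTIVITY_TIMEOUT
    return json.dumps(
        {"spec": {"tokenConfig": {"accessTokenInactivityTimeout": expected}}})


def apply_patch(oauth, patch_json):
    """Apply the merge patch to a copy of the object (sufficient for this shape)."""
    patched = json.loads(json.dumps(oauth))
    token_config = json.loads(patch_json)["spec"]["tokenConfig"]
    patched.setdefault("spec", {}).setdefault("tokenConfig", {}).update(token_config)
    return patched


if __name__ == "__main__":
    # Scenario 1 from the comments: variable 15m0s, cluster 15m0s.
    print("variable 15m0s:", evaluate_rule(OAUTH_CLUSTER, "15m0s"))
    # Scenario 2: variable 10m0s against a 15m0s cluster.
    print("variable 10m0s:", evaluate_rule(OAUTH_CLUSTER, "10m0s"))
    # Scenario 3: no variable; the remediation patches the cluster to the default.
    remediated = apply_patch(OAUTH_CLUSTER, remediation_patch())
    print("after remediation:", cluster_timeout(remediated), evaluate_rule(remediated))
```

Running the module reproduces the three outcomes recorded in the comments (PASS, FAIL, then PASS once the remediation has been applied); the functions take the parsed object so the same logic can be fed the real output of `oc get oauth cluster -o json`.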

Comment 7 errata-xmlrpc 2022-07-14 12:40:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5537