Bug 2082151
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | DAC_OVERRIDE capability is required by Compliance Operator | | |
| Product | OpenShift Container Platform | Reporter | Shailendra Singh <shaising> |
| Component | Compliance Operator | Assignee | Vincent Shen <wenshen> |
| Status | CLOSED ERRATA | Type | Bug |
| Severity | medium | Priority | medium |
| Version | 4.8 | Target Release | 4.11.0 |
| Hardware | x86_64 | OS | Linux |
| Target Milestone | --- | Regression | --- |
| Fixed In Version | | Doc Type | No Doc Update |
| Last Closed | 2022-06-06 14:39:50 UTC | Story Points | --- |
| CC | aditi.jadhav1, antaylor, jmittapa, lbragsta, mrogers, sreber, suprs, wenshen, xiyuan | | |
Description
Shailendra Singh
2022-05-05 13:34:52 UTC
As of right now, DAC_OVERRIDE is needed for our scanner to perform a platform scan; however, a fix patch PR is proposed: https://github.com/ComplianceAsCode/compliance-operator/pull/15. It will be available in the 4.11 release or our next Compliance Operator release.

Verification passed with 4.11.0-0.nightly-2022-05-25-193227 and compliance-operator.v0.1.52:
```
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-05-25-193227   True        False         9h      Cluster version is 4.11.0-0.nightly-2022-05-25-193227
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-88n4p   compliance-operator.v0.1.52   Automatic   true
$ oc get csv
NAME                           DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.52    Compliance Operator                0.1.52               Succeeded
elasticsearch-operator.5.4.2   OpenShift Elasticsearch Operator   5.4.2                Succeeded
```
```
$ oc apply -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb-r
profiles:
  - name: ocp4-moderate-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
```
```
$ oc get suite -w
NAME       PHASE         RESULT
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          NON-COMPLIANT
my-ssb-r   DONE          NON-COMPLIANT
^C[xiyuan@MiWiFi-RA69-srv func]$ oc get pod
NAME                                                      READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                   0/1     Completed   0          79s
aggregator-pod-ocp4-cis-node-master                       0/1     Completed   0          89s
aggregator-pod-ocp4-cis-node-worker                       0/1     Completed   0          99s
aggregator-pod-ocp4-moderate-node-master                  0/1     Completed   0          2m9s
aggregator-pod-ocp4-moderate-node-worker                  0/1     Completed   0          2m9s
compliance-operator-59b569f68d-nzt96                      1/1     Running     0          5h12m
ocp4-cis-api-checks-pod                                   0/2     Completed   0          2m9s
ocp4-openshift-compliance-pp-5cd896b74c-zfmg4             1/1     Running     0          5h12m
openscap-pod-21922ec3049a0c51505213220479bb7bcddcdf27     0/2     Completed   0          3m
openscap-pod-2a950c2252f82a87fa0bfa0c1315d3f0665f3a03     0/2     Completed   0          3m6s
openscap-pod-2d79298421fcff2f0ae485f605f1229af412a1c3     0/2     Completed   0          2m10s
openscap-pod-2da7af0e42f11f0b250aa439b7283ee21680b970     0/2     Completed   0          2m10s
openscap-pod-322d334c4fb70733a853905f31b8a764e2cfeae2     0/2     Completed   0          3m6s
openscap-pod-4953187ed5203309285dcd48e1702276dea0df2b     0/2     Completed   0          2m10s
openscap-pod-57749d280bb87de1b20878cf8b083ded57116b94     0/2     Completed   0          2m10s
openscap-pod-5c8537ea476ca1b0c887b9ed24714121dceae10c     0/2     Completed   0          3m
openscap-pod-688e459e8cd71b31bb0aac1a086952b7049d7590     0/2     Completed   0          2m10s
openscap-pod-a960a5bd3bbfc6c336a2ab10005eebd2463f1ce2     0/2     Completed   0          3m
openscap-pod-ee23ed76be40a5842d463f001b5d3680a7d2ac45     0/2     Completed   0          3m6s
openscap-pod-fe8ea3ec722771b8ffd019433aaab1d819e00efd     0/2     Completed   0          2m10s
rhcos4-openshift-compliance-pp-78bf7c5bf9-mhhkk           1/1     Running     0          5h12m
```
```
$ oc logs pod/ocp4-cis-api-checks-pod -c scanner
HOSTROOT not set, using normal oscap
cat: /app/scap_version: No such file or directory
Running oscap-chroot as oscap xccdf eval --verbose INFO --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_cis --results-arf /tmp/report-arf.xml /content/ssg-ocp4-ds.xml
The scanner returned 2
I: oscap: Identified document type: data-stream-collection
I: oscap: Created a new XCCDF session from a SCAP Source Datastream '/content/ssg-ocp4-ds.xml'.
I: oscap: Validating XML signature.
I: oscap: Signature node not found
I: oscap: Identified document type: Benchmark
I: oscap: Identified document type: cpe-list
I: oscap: Started new OVAL agent ssg-ocp4-oval.xml.
I: oscap: Querying system information.
I: oscap: Starting probe on URI 'queue://system_info'.
I: oscap: I will run system_info_probe_main:
I: oscap: Evaluating a XCCDF policy with selected 'xccdf_org.ssgproject.content_profile_cis' profile.
Title   Restrict Automounting of Service Account Tokens
Rule    xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens'.
I: oscap: Started new OVAL agent ssg-ocp4-cpe-oval.xml.
I: oscap: Querying system information.
I: oscap: Starting probe on URI 'queue://system_info'.
I: oscap: I will run system_info_probe_main:
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4:def:1': Red Hat OpenShift Container Platform.
I: oscap: Evaluating yamlfilecontent test 'oval:ssg-test_ocp4:tst:1': Find one match.
I: oscap: Querying yamlfilecontent object 'oval:ssg-object_ocp4:obj:1', flags: 0.
I: oscap: Creating new syschar for yamlfilecontent_object 'oval:ssg-object_ocp4:obj:1'.
I: oscap: Starting probe on URI 'queue://yamlfilecontent'.
I: oscap: Object 'oval:ssg-object_ocp4:obj:1' references variable 'oval:ssg-ocp4_dump_location:var:1' in 'filepath' field.
I: oscap: Querying variable 'oval:ssg-ocp4_dump_location:var:1'.
I: oscap: Variable 'oval:ssg-ocp4_dump_location:var:1' has values "/kubernetes-api-resources/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver".
...
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1': Red Hat OpenShift Container network 4 on OpenShiftSDN.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_hypershift:def:1': Red Hat OpenShift Container Platform.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_hypershift:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1': Red Hat OpenShift Container network 4 on OpenShiftSDN.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1' evaluated as false.
I: oscap: Rule 'xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig' is not applicable.
Result  notapplicable
The rds-split operation returned 0
```
```
$ oc get -o yaml po/ocp4-cis-api-checks-pod -n openshift-compliance | grep scc
    openshift.io/scc: restricted-v2
```
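The verification above checks a single thing by hand: that the api-checks pod was admitted under the `restricted-v2` SCC, which requires containers to drop all capabilities, so an explicit DAC_OVERRIDE grant can no longer be present. The script below is an added example (not Compliance Operator code, nor part of this bug) that performs the same check across every pod in a namespace: it parses the PodList JSON shape produced by `oc get pods -n openshift-compliance -o json`, flags containers that still add DAC_OVERRIDE (or `ALL`, or run privileged), and flags pods admitted under an SCC outside an allowlist. The PodList embedded in it is constructed for the example; the second pod's name and its SCC name (`hypothetical-scanner-scc`) are made up and do not come from a real cluster.

```python
"""Audit a Kubernetes/OpenShift PodList for DAC_OVERRIDE grants.

Added example, not Compliance Operator code. Input is the JSON shape of
`oc get pods -n <ns> -o json` (kind: PodList). A container is flagged if
its securityContext.capabilities.add contains DAC_OVERRIDE or ALL, or if
it is privileged; a pod is flagged if its openshift.io/scc admission
annotation is not in ALLOWED_SCCS.
"""
import json
import sys

# Constructed sample PodList. The first pod mirrors the post-fix state seen
# in the bug (restricted-v2, capabilities dropped); the second is a made-up
# "before" shape with a hypothetical SCC name, purely for illustration.
SAMPLE_PODLIST = json.dumps({
    "apiVersion": "v1",
    "kind": "PodList",
    "items": [
        {
            "metadata": {
                "name": "ocp4-cis-api-checks-pod",
                "namespace": "openshift-compliance",
                "annotations": {"openshift.io/scc": "restricted-v2"},
            },
            "spec": {
                "containers": [
                    {"name": "scanner",
                     "securityContext": {"allowPrivilegeEscalation": False,
                                         "capabilities": {"drop": ["ALL"]}}},
                    {"name": "log-collector",
                     "securityContext": {"allowPrivilegeEscalation": False,
                                         "capabilities": {"drop": ["ALL"]}}},
                ],
            },
        },
        {
            "metadata": {
                "name": "openscap-pod-constructed-example",
                "namespace": "openshift-compliance",
                "annotations": {"openshift.io/scc": "hypothetical-scanner-scc"},
            },
            "spec": {
                "initContainers": [
                    {"name": "content-container",
                     "securityContext": {"capabilities": {"drop": ["ALL"]}}},
                ],
                "containers": [
                    {"name": "scanner",
                     "securityContext": {"capabilities": {"drop": ["ALL"],
                                                          "add": ["DAC_OVERRIDE"]}}},
                    {"name": "log-collector",
                     "securityContext": {"privileged": True}},
                ],
            },
        },
    ],
})

# SCCs under which a scanner pod is acceptable; restricted-v2 drops ALL caps.
ALLOWED_SCCS = {"restricted-v2"}


def container_findings(container):
    """Return a list of findings for one container's securityContext."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added = caps.get("add") or []
    out = []
    if "DAC_OVERRIDE" in added or "ALL" in added:
        out.append(f"adds DAC_OVERRIDE (capabilities.add={added})")
    if sc.get("privileged"):
        out.append("runs privileged (all capabilities, DAC_OVERRIDE included)")
    return out


def audit_podlist(podlist_json, allowed_sccs=ALLOWED_SCCS):
    """Map pod name -> {"scc": str, "findings": [str]} for a PodList JSON string."""
    podlist = json.loads(podlist_json)
    report = {}
    for pod in podlist.get("items", []):
        meta = pod["metadata"]
        scc = (meta.get("annotations") or {}).get("openshift.io/scc", "<none>")
        findings = []
        if scc not in allowed_sccs:
            findings.append(f"admitted under SCC {scc!r}, not in {sorted(allowed_sccs)}")
        spec = pod.get("spec", {})
        # initContainers count too: a capability granted there is still a grant.
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            for f in container_findings(c):
                findings.append(f"{c['name']}: {f}")
        report[meta["name"]] = {"scc": scc, "findings": findings}
    return report


def flagged_pods(podlist_json):
    """Sorted names of pods with at least one finding."""
    return sorted(n for n, r in audit_podlist(podlist_json).items() if r["findings"])


if __name__ == "__main__":
    # Pass a file saved from `oc get pods -n openshift-compliance -o json`,
    # or run without arguments to audit the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PODLIST
    for name, r in audit_podlist(data).items():
        print(f"{'FLAGGED' if r['findings'] else 'OK':8} {name} (scc={r['scc']})")
        for f in r["findings"]:
            print(f"         - {f}")
```

Run against a real namespace, an empty "FLAGGED" set after the operator upgrade is the same evidence the `grep scc` above gives for one pod, collected for all scan pods at once. The SCC allowlist is the stronger check: the admission annotation reflects what the cluster actually granted, whereas `capabilities.add` only shows what the pod asked for.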
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4657

*** Bug 2102025 has been marked as a duplicate of this bug. ***