Bug 2091794
| Field | Value |
|---|---|
| Summary | Instructions for rule ocp4-configure-network-policies not clear |
| Product | OpenShift Container Platform |
| Reporter | xiyuan |
| Component | Compliance Operator |
| Assignee | Jakub Hrozek (jhrozek) |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | low |
| Docs Contact | |
| Priority | low |
| Version | 4.11 |
| CC | jhrozek, lbragsta, mrogers, wenshen, xiyuan |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | If this bug requires documentation, please select an appropriate Doc Type value. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2022-11-02 16:00:53 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |

Description

xiyuan, 2022-05-31 04:45:12 UTC

Fair comment, we should improve the instructions. Moving to Lance who touched the rules last.

Verification pass with latest content and 4.11.0-0.nightly-2022-06-30-005428

```text
# git log | head
commit d80493d6cc07cf3a531b387b9c56cdc1e48f9de7
Author: Jakub Hrozek <jhrozek>
Date: Tue Jun 28 20:50:04 2022 +0200
    OCP4: configure_network_policies: Calico also supports NetworkPolicies
    We used to check only for OpenShiftSDN and OVN. It seems like Calico
    also supports NetworkPolicies, so let's add it to the list.
    Also fixes the OCIL test that was not reflecting what the rule actually
# ./utils/build_ds_container.py -c -p
2022-07-01 20:04:07,412:INFO: Building content for ocp4, rhcos4
2022-07-01 20:04:37,423:INFO: Build status: Running
2022-07-01 20:04:41,197:INFO: Build status: Running
2022-07-01 20:04:44,974:INFO: Build status: Running
2022-07-01 20:04:48,721:INFO: Build status: Running
2022-07-01 20:04:52,526:INFO: Build status: Running
2022-07-01 20:04:56,296:INFO: Build status: Running
2022-07-01 20:05:00,072:INFO: Build status: Running
2022-07-01 20:05:03,830:INFO: Build status: Running
2022-07-01 20:05:07,618:INFO: Build status: Running
2022-07-01 20:05:11,367:INFO: Build status: Running
2022-07-01 20:05:15,115:INFO: Build status: Running
2022-07-01 20:05:18,889:INFO: Build status: Running
2022-07-01 20:05:22,658:INFO: Build status: Running
2022-07-01 20:05:26,400:INFO: Build status: Running
2022-07-01 20:05:30,172:INFO: Build status: Running
2022-07-01 20:05:33,961:INFO: Build status: Running
2022-07-01 20:05:37,705:INFO: Build status: Running
2022-07-01 20:05:41,478:INFO: Build status: Running
2022-07-01 20:05:45,247:INFO: Build status: Running
2022-07-01 20:05:49,005:INFO: Build status: Running
2022-07-01 20:05:52,902:INFO: Build status: Running
2022-07-01 20:05:56,677:INFO: Build status: Running
2022-07-01 20:06:00,429:INFO: Build status: Running
2022-07-01 20:06:04,198:INFO: Build status: Running
2022-07-01 20:06:07,962:INFO: Build status: Running
2022-07-01 20:06:11,781:INFO: Build status: Running
2022-07-01 20:06:15,573:INFO: Build status: Running
2022-07-01 20:06:19,342:INFO: Build status: Running
2022-07-01 20:06:23,131:INFO: Build status: Running
2022-07-01 20:06:27,738:INFO: Your image is available at image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds
2022-07-01 20:06:30,837:INFO: Created profile bundles for ocp4, rhcos4
# oc get pb
NAME             CONTENTIMAGE                                                     CONTENTFILE        STATUS
ocp4             quay.io/compliance-operator/compliance-operator-content:latest   ssg-ocp4-ds.xml    VALID
rhcos4           quay.io/compliance-operator/compliance-operator-content:latest   ssg-rhcos4-ds.xml  VALID
upstream-ocp4    openscap-ocp4-ds:latest                                          ssg-ocp4-ds.xml    PENDING
upstream-rhcos4  openscap-ocp4-ds:latest                                          ssg-rhcos4-ds.xml  PENDING
# oc get pod
NAME                                                       READY   STATUS      RESTARTS     AGE
compliance-operator-77d4b9d479-7bh6m                       1/1     Running     1 (8h ago)   8h
ocp4-openshift-compliance-pp-56f48b69d5-kcs9l              1/1     Running     0            3h55m
openscap-ocp4-ds-1-build                                   0/1     Completed   0            4m25s
rhcos4-openshift-compliance-pp-5d95675dfc-7z62r            1/1     Running     0            3h55m
upstream-ocp4-openshift-compliance-pp-bb7fb777d-k94f5      1/1     Running     0            2m10s
upstream-rhcos4-openshift-compliance-pp-74bbd945b6-rm5x5   1/1     Running     0            2m9s
# oc get pb
NAME             CONTENTIMAGE                                                     CONTENTFILE        STATUS
ocp4             quay.io/compliance-operator/compliance-operator-content:latest   ssg-ocp4-ds.xml    VALID
rhcos4           quay.io/compliance-operator/compliance-operator-content:latest   ssg-rhcos4-ds.xml  VALID
upstream-ocp4    openscap-ocp4-ds:latest                                          ssg-ocp4-ds.xml    VALID
upstream-rhcos4  openscap-ocp4-ds:latest                                          ssg-rhcos4-ds.xml  VALID
# oc get profile.compliance
NAME                                      AGE
ocp4-cis                                  3h56m
ocp4-cis-node                             3h56m
ocp4-e8                                   3h56m
ocp4-high                                 3h56m
ocp4-high-node                            3h56m
ocp4-moderate                             3h56m
ocp4-moderate-node                        3h56m
ocp4-nerc-cip                             3h56m
ocp4-nerc-cip-node                        3h56m
ocp4-pci-dss                              3h56m
ocp4-pci-dss-node                         3h56m
ocp4-stig                                 3h56m
ocp4-stig-node                            3h56m
rhcos4-anssi-bp28-enhanced                3h56m
rhcos4-anssi-bp28-high                    3h56m
rhcos4-anssi-bp28-intermediary            3h56m
rhcos4-anssi-bp28-minimal                 3h56m
rhcos4-e8                                 3h56m
rhcos4-high                               3h56m
rhcos4-moderate                           3h56m
rhcos4-nerc-cip                           3h56m
upstream-ocp4-cis                         3m1s
upstream-ocp4-cis-node                    3m1s
upstream-ocp4-e8                          3m1s
upstream-ocp4-high                        3m
upstream-ocp4-high-node                   3m
upstream-ocp4-moderate                    3m
upstream-ocp4-moderate-node               3m
upstream-ocp4-nerc-cip                    3m
upstream-ocp4-nerc-cip-node               3m
upstream-ocp4-pci-dss                     3m
upstream-ocp4-pci-dss-node                3m
upstream-ocp4-stig                        3m
upstream-ocp4-stig-node                   3m
upstream-rhcos4-anssi-bp28-enhanced       2m55s
upstream-rhcos4-anssi-bp28-high           2m55s
upstream-rhcos4-anssi-bp28-intermediary   2m55s
upstream-rhcos4-anssi-bp28-minimal        2m55s
upstream-rhcos4-e8                        2m55s
upstream-rhcos4-high                      2m55s
upstream-rhcos4-moderate                  2m55s
upstream-rhcos4-nerc-cip                  2m55s
# oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: upstream-ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
# oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT
^C[root@MiWiFi-RA69-srv content]# oc get rule ocp4-configure-network-policies -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
The resulting output should be an explanation of the NetworkPolicy resource.[root@MiWiFi-RA69-srv content]# ^C
# oc get rule | grep configure-network-policies
ocp4-configure-network-policies                        4h2m
ocp4-configure-network-policies-namespaces             4h2m
upstream-ocp4-configure-network-policies               8m58s
upstream-ocp4-configure-network-policies-namespaces    8m58s
# oc get rule upstream-ocp4-configure-network-policies -o=jsonpath={.instructions}
Verify that your CNI plugin supports NetworkPolicies:
$ oc get network cluster -oyaml -ojsonpath='{.spec.networkType}'
The result should list a CNI plugin that supports NetworkPolicies,
currently the plugins in the rule's pass list are OpenShiftSDN, OVN
and Calico.
# oc get ccr upstream-ocp4-cis-configure-network-policies
NAME                                           STATUS   SEVERITY
upstream-ocp4-cis-configure-network-policies   PASS     high
# oc get network cluster -oyaml -ojsonpath='{.spec.networkType}'
OpenShiftSDN
```

Verification pass with 4.12.0-0.nightly-2022-09-22-153054 and compliance-operator.v0.1.55

```text
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-09-22-153054   True        False         119m    Cluster version is 4.12.0-0.nightly-2022-09-22-153054
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-fkwmr   compliance-operator.v0.1.55   Automatic   true
$ oc get rules ocp4-configure-network-policies -o=jsonpath={.instructions}
Verify that your CNI plugin supports NetworkPolicies:
$ oc get network cluster -oyaml -ojsonpath='{.spec.networkType}'
The result should list a CNI plugin that supports NetworkPolicies,
currently the plugins in the rule's pass list are OpenShiftSDN, OVN
and Calico.
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: test
  namespace: openshift-compliance
spec:
  description: test
  title: test
  enableRules:
    - name: ocp4-configure-network-policies
      rationale: test
EOF
tailoredprofile.compliance.openshift.io/test created
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb-r
profiles:
  - name: test
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
[xiyuan@MiWiFi-RA69-srv 412]$ oc get suite
$ oc get suite -w
NAME       PHASE         RESULT
my-ssb-r   RUNNING       NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          COMPLIANT
my-ssb-r   DONE          COMPLIANT
^C
$ oc get network cluster -oyaml -ojsonpath='{.spec.networkType}'
OVNKubernetes
```

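The check that the rewritten rule instructions describe (in both the 4.11 and the 4.12 verification runs above) is a pass-list comparison on `spec.networkType` of the cluster `Network` object. The following is an added illustration, not part of this bug report and not the rule's own OVAL/OCIL implementation from the Compliance Operator content: it applies that comparison to the JSON document `oc get network cluster -o json` would return, and reports a PASS/FAIL status in the shape of a ComplianceCheckResult. Two points the rule text leaves implicit are made explicit here: the "OVN" entry in the pass list corresponds to the value the API actually reports, `OVNKubernetes` (the 4.12 run above passes on exactly that value), and a cluster whose `networkType` is missing or not in the list is treated as a failure rather than silently passing. The value `Calico` for a Calico-backed cluster and the sample documents are assumptions constructed for this example.

```python
import json
from typing import Optional, Tuple

# CNI plugins the rule's instructions list as supporting NetworkPolicy.
# The rule text says "OVN"; the networkType value the API reports for it is
# "OVNKubernetes" (see the 4.12 verification in the bug).  "Calico" is the
# value assumed here for a Calico-backed cluster (assumption, not from the bug).
NETWORK_POLICY_CAPABLE = frozenset({"OpenShiftSDN", "OVNKubernetes", "Calico"})


def network_type_from_cluster_network(doc: str) -> Optional[str]:
    """Extract .spec.networkType from the JSON form of the cluster Network
    object (what `oc get network cluster -o json` returns).

    Returns None when the document is unparseable or the field is absent,
    so the caller cannot mistake a broken input for a supported plugin."""
    try:
        obj = json.loads(doc)
    except json.JSONDecodeError:
        return None
    spec = obj.get("spec") if isinstance(obj, dict) else None
    if not isinstance(spec, dict):
        return None
    value = spec.get("networkType")
    return value if isinstance(value, str) and value else None


def configure_network_policies_check(doc: str) -> Tuple[str, str]:
    """Apply the rule's pass-list check and return (status, reason).

    PASS only when networkType is a known NetworkPolicy-capable plugin;
    anything unknown or missing is FAIL, matching the fail-closed stance a
    compliance check should take."""
    network_type = network_type_from_cluster_network(doc)
    if network_type is None:
        return ("FAIL", "spec.networkType missing or unreadable; "
                        "cannot confirm NetworkPolicy support")
    if network_type in NETWORK_POLICY_CAPABLE:
        return ("PASS", f"CNI plugin {network_type} supports NetworkPolicy")
    return ("FAIL", f"CNI plugin {network_type} is not in the pass list "
                    f"{sorted(NETWORK_POLICY_CAPABLE)}")


# Constructed sample documents, trimmed to the fields the check reads.
SAMPLE_OVN = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "Network",
    "metadata": {"name": "cluster"},
    "spec": {
        "networkType": "OVNKubernetes",
        "clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 23}],
    },
})
SAMPLE_SDN = json.dumps({"kind": "Network", "spec": {"networkType": "OpenShiftSDN"}})
# "ExampleCNI" is a made-up plugin name standing in for anything not on the list.
SAMPLE_UNKNOWN = json.dumps({"kind": "Network", "spec": {"networkType": "ExampleCNI"}})
SAMPLE_MISSING = json.dumps({"kind": "Network", "spec": {}})

if __name__ == "__main__":
    samples = [("ovn", SAMPLE_OVN), ("sdn", SAMPLE_SDN),
               ("unknown", SAMPLE_UNKNOWN), ("missing", SAMPLE_MISSING)]
    for label, sample in samples:
        status, reason = configure_network_policies_check(sample)
        print(f"{label:8} {status:4} {reason}")
```

To run it against a live cluster, feed the function the output of `oc get network cluster -o json`; the two FAIL branches are the cases a manual reviewer following the rule's instructions is most likely to misread, since the original instruction text only described what a passing result looks like.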
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6657