Bug 2092913
| Summary: | When debug is set to true, the pod generated by scansettingbinding won’t get deleted when the scansettingbinding gets deleted | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | xiyuan |
| Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.12 | CC: | jhrozek, lbragsta, mrogers, vahirwad, wenshen, xiyuan |
| Target Milestone: | --- | ||
| Target Release: | 4.12.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-02 16:00:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||

hmm, I'm almost sure I broke this while fixing the autoscaler issue

*** Bug 2113991 has been marked as a duplicate of this bug. ***

Verification pass with 4.12.0-0.nightly-2022-09-22-153054 + compliance-operator.v0.1.55

```
$ oc patch scansetting default -p '{"debug":true}' --type='merge'
scansetting.compliance.openshift.io/default patched
$ oc get ss default -o=jsonpath={.debug}
true
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get suite
test   DONE   NON-COMPLIANT
$ oc get pod
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                 0/1     Completed   0          2m4s
aggregator-pod-ocp4-cis-node-master                     0/1     Completed   0          34s
aggregator-pod-ocp4-cis-node-worker                     0/1     Completed   0          43s
compliance-operator-7489d57b55-5k8ft                    1/1     Running     0          131m
ocp4-cis-api-checks-pod                                 0/2     Completed   0          3m18s
ocp4-cis-node-master-xiyuan23-2-66fxp-master-0-pod      0/2     Completed   0          3m18s
ocp4-cis-node-master-xiyuan23-2-66fxp-master-1-pod      0/2     Completed   0          3m18s
ocp4-cis-node-master-xiyuan23-2-66fxp-master-2-pod      0/2     Completed   0          3m18s
ocp4-openshift-compliance-pp-58cf8d4479-pmshm           1/1     Running     0          131m
openscap-pod-30c4fb35c535e3343641082e60400b84b0eb2e46   0/2     Completed   0          3m14s
openscap-pod-45ed1856686b72d5914beaf7e38e9a29f74ea8fe   0/2     Completed   0          3m14s
openscap-pod-75e50ce72e25b979caf07608ef4cbe602cc4502a   0/2     Completed   0          3m14s
rhcos4-openshift-compliance-pp-677fb765ff-4xl5c         1/1     Running     0          124m
$ oc delete ssb test
scansettingbinding.compliance.openshift.io "test" deleted
$ oc get pod
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-7489d57b55-5k8ft              1/1     Running   0          132m
ocp4-openshift-compliance-pp-58cf8d4479-pmshm     1/1     Running   0          132m
rhcos4-openshift-compliance-pp-677fb765ff-4xl5c   1/1     Running   0          125m
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:6657

Description:
When debug is set to true, the pod won’t get deleted when the scansettingbinding it belongs to is deleted

Version-Release number of selected component (if applicable):
Compliance Operator v0.1.52

Steps to Reproduce:

1. Install Compliance Operator

2. Set debug to true:

```
$ oc patch scansetting default -p '{"debug":true}' --type='merge'
scansetting.compliance.openshift.io/default patched
$ oc get ss default -o=jsonpath={.debug}
true
```

3. Create ssb:

```
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
>   - name: ocp4-cis-node
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
```

4. When the scan is done, delete the ssb:

```
$ oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT
$ oc get pod
NAME                                                           READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                        0/1     Completed   0          8m41s
aggregator-pod-ocp4-cis-node-master                            0/1     Completed   0          8m41s
aggregator-pod-ocp4-cis-node-worker                            0/1     Completed   0          8m41s
compliance-operator-f468c9f64-xgcw5                            1/1     Running     0          93m
ocp4-cis-api-checks-pod                                        0/2     Completed   0          9m24s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-0-pod           0/2     Completed   0          9m11s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-1-pod           0/2     Completed   0          9m11s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-2-pod           0/2     Completed   0          9m11s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-1-pod   0/2     Completed   0          9m11s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-2-pod   0/2     Completed   0          9m11s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-3-pod   0/2     Completed   0          9m11s
ocp4-openshift-compliance-pp-5cd896b74c-tswxv                  1/1     Running     0          91m
rhcos4-openshift-compliance-pp-78bf7c5bf9-nvwq2                1/1     Running     0          91m
$ oc delete ssb my-ssb-r
scansettingbinding.compliance.openshift.io "my-ssb-r" deleted
```

Actual Result:
The pods generated by scansettingbinding my-ssb-r won’t be deleted when the ssb my-ssb-r gets deleted

```
$ oc get pod
NAME                                                           READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                        0/1     Completed   0          9m
aggregator-pod-ocp4-cis-node-master                            0/1     Completed   0          9m
aggregator-pod-ocp4-cis-node-worker                            0/1     Completed   0          9m
compliance-operator-f468c9f64-xgcw5                            1/1     Running     0          93m
ocp4-cis-api-checks-pod                                        0/2     Completed   0          9m43s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-0-pod           0/2     Completed   0          9m30s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-1-pod           0/2     Completed   0          9m30s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-2-pod           0/2     Completed   0          9m30s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-1-pod   0/2     Completed   0          9m30s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-2-pod   0/2     Completed   0          9m30s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-3-pod   0/2     Completed   0          9m30s
ocp4-openshift-compliance-pp-5cd896b74c-tswxv                  1/1     Running     0          92m
rhcos4-openshift-compliance-pp-78bf7c5bf9-nvwq2                1/1     Running     0          92m
```

Expected result:
The pods generated by scansettingbinding my-ssb-r should be deleted when the ssb my-ssb-r gets deleted
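
A regression check for the behaviour reported above, as an added example that is not part of the bug report or the operator's code: it compares `oc get pod` listings saved before and after `oc delete ssb` and prints the scan pods that survived the deletion. The function name `leftover_scan_pods` and the sample listings (abridged from the report's output) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag scan pods that outlive their
# ScanSettingBinding, given `oc get pod` listings saved before and after
# `oc delete ssb <name>`.

# Print each pod that was a finished scan workload (STATUS "Completed") in the
# "before" listing ($1) and is still present in the "after" listing ($2).
leftover_scan_pods() {
    awk '
        FNR == 1 { next }                        # skip the column header
        FILENAME == ARGV[1] {                    # first file: the "before" listing
            if ($3 == "Completed") scan[$1] = 1
            next
        }
        ($1 in scan) { print $1 }                # second file: pods that survived
    ' "$1" "$2"
}

# Constructed sample listings, abridged from the ones quoted in the report.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/before" <<'EOF'
NAME                                            READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                         0/1     Completed   0          8m41s
compliance-operator-f468c9f64-xgcw5             1/1     Running     0          93m
ocp4-cis-api-checks-pod                         0/2     Completed   0          9m24s
ocp4-openshift-compliance-pp-5cd896b74c-tswxv   1/1     Running     0          91m
EOF
# After deleting the binding with debug=true on the affected version.
cat > "$SAMPLES/after_bug" <<'EOF'
NAME                                            READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                         0/1     Completed   0          9m
compliance-operator-f468c9f64-xgcw5             1/1     Running     0          93m
ocp4-cis-api-checks-pod                         0/2     Completed   0          9m43s
ocp4-openshift-compliance-pp-5cd896b74c-tswxv   1/1     Running     0          92m
EOF
# After deleting the binding on a fixed version: only operator pods remain.
cat > "$SAMPLES/after_fixed" <<'EOF'
NAME                                            READY   STATUS      RESTARTS   AGE
compliance-operator-f468c9f64-xgcw5             1/1     Running     0          93m
ocp4-openshift-compliance-pp-5cd896b74c-tswxv   1/1     Running     0          92m
EOF

for listing in after_bug after_fixed; do
    echo "$listing: $(leftover_scan_pods "$SAMPLES/before" "$SAMPLES/$listing" | tr '\n' ' ')"
done
```

On a live cluster, save `oc get pod` to a file before and after the delete and pass the two files to the function; any output means scan pods were left behind.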