Bug 2092913
Summary: | When debug is setting to true, the pod generated by scansettingbinding won’t get deleted when the scansettingbinding get deleted | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | xiyuan |
Component: | Compliance Operator | Assignee: | Jakub Hrozek <jhrozek> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 4.12 | CC: | jhrozek, lbragsta, mrogers, vahirwad, wenshen, xiyuan |
Target Milestone: | --- | ||
Target Release: | 4.12.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
If this bug requires documentation, please select an appropriate Doc Type value.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-11-02 16:00:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
hmm, I'm almost sure I broke this while fixing the autoscaler issue *** Bug 2113991 has been marked as a duplicate of this bug. *** Verification pass with 4.12.0-0.nightly-2022-09-22-153054 + compliance-operator.v0.1.55 $ oc patch scansetting default -p '{"debug":true}' --type='merge' scansetting.compliance.openshift.io/default patched $ oc get ss default -o=jsonpath={.debug} true $ oc apply -f -<<EOF apiVersion: compliance.openshift.io/v1alpha1 kind: ScanSettingBinding metadata: name: test profiles: - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-cis - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-cis-node settingsRef: apiGroup: compliance.openshift.io/v1alpha1 kind: ScanSetting name: default EOF scansettingbinding.compliance.openshift.io/test created $ oc get suite test DONE NON-COMPLIANT $ oc get pod NAME READY STATUS RESTARTS AGE aggregator-pod-ocp4-cis 0/1 Completed 0 2m4s aggregator-pod-ocp4-cis-node-master 0/1 Completed 0 34s aggregator-pod-ocp4-cis-node-worker 0/1 Completed 0 43s compliance-operator-7489d57b55-5k8ft 1/1 Running 0 131m ocp4-cis-api-checks-pod 0/2 Completed 0 3m18s ocp4-cis-node-master-xiyuan23-2-66fxp-master-0-pod 0/2 Completed 0 3m18s ocp4-cis-node-master-xiyuan23-2-66fxp-master-1-pod 0/2 Completed 0 3m18s ocp4-cis-node-master-xiyuan23-2-66fxp-master-2-pod 0/2 Completed 0 3m18s ocp4-openshift-compliance-pp-58cf8d4479-pmshm 1/1 Running 0 131m openscap-pod-30c4fb35c535e3343641082e60400b84b0eb2e46 0/2 Completed 0 3m14s openscap-pod-45ed1856686b72d5914beaf7e38e9a29f74ea8fe 0/2 Completed 0 3m14s openscap-pod-75e50ce72e25b979caf07608ef4cbe602cc4502a 0/2 Completed 0 3m14s rhcos4-openshift-compliance-pp-677fb765ff-4xl5c 1/1 Running 0 124m $ oc delete ssb test scansettingbinding.compliance.openshift.io "test" deleted $ oc get pod NAME READY STATUS RESTARTS AGE compliance-operator-7489d57b55-5k8ft 1/1 Running 0 132m ocp4-openshift-compliance-pp-58cf8d4479-pmshm 1/1 Running 0 132m rhcos4-openshift-compliance-pp-677fb765ff-4xl5c 1/1 Running 0 125m Verification pass with 4.12.0-0.nightly-2022-09-22-153054 + compliance-operator.v0.1.55 $ oc patch scansetting default -p '{"debug":true}' --type='merge' scansetting.compliance.openshift.io/default patched $ oc get ss default -o=jsonpath={.debug} true $ oc apply -f -<<EOF apiVersion: compliance.openshift.io/v1alpha1 kind: ScanSettingBinding metadata: name: test profiles: - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-cis - apiGroup: compliance.openshift.io/v1alpha1 kind: Profile name: ocp4-cis-node settingsRef: apiGroup: compliance.openshift.io/v1alpha1 kind: ScanSetting name: default EOF scansettingbinding.compliance.openshift.io/test created $ oc get suite test DONE NON-COMPLIANT $ oc get pod NAME READY STATUS RESTARTS AGE aggregator-pod-ocp4-cis 0/1 Completed 0 2m4s aggregator-pod-ocp4-cis-node-master 0/1 Completed 0 34s aggregator-pod-ocp4-cis-node-worker 0/1 Completed 0 43s compliance-operator-7489d57b55-5k8ft 1/1 Running 0 131m ocp4-cis-api-checks-pod 0/2 Completed 0 3m18s ocp4-cis-node-master-xiyuan23-2-66fxp-master-0-pod 0/2 Completed 0 3m18s ocp4-cis-node-master-xiyuan23-2-66fxp-master-1-pod 0/2 Completed 0 3m18s ocp4-cis-node-master-xiyuan23-2-66fxp-master-2-pod 0/2 Completed 0 3m18s ocp4-openshift-compliance-pp-58cf8d4479-pmshm 1/1 Running 0 131m openscap-pod-30c4fb35c535e3343641082e60400b84b0eb2e46 0/2 Completed 0 3m14s openscap-pod-45ed1856686b72d5914beaf7e38e9a29f74ea8fe 0/2 Completed 0 3m14s openscap-pod-75e50ce72e25b979caf07608ef4cbe602cc4502a 0/2 Completed 0 3m14s rhcos4-openshift-compliance-pp-677fb765ff-4xl5c 1/1 Running 0 124m $ oc delete ssb test scansettingbinding.compliance.openshift.io "test" deleted $ oc get pod NAME READY STATUS RESTARTS AGE compliance-operator-7489d57b55-5k8ft 1/1 Running 0 132m ocp4-openshift-compliance-pp-58cf8d4479-pmshm 1/1 Running 0 132m rhcos4-openshift-compliance-pp-677fb765ff-4xl5c 1/1 Running 0 125m Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:6657 |
Description: When debug is setting to true, the pod won’t get deleted when the belonging scansettingbinding deleted Version-Release number of selected component (if applicable): Compliance Operator v0.1.52 Step to Reproduce: Install Compliance Operator Setting debug to true: $ oc patch scansetting default -p '{"debug":true}' --type='merge' scansetting.compliance.openshift.io/default patched $ oc get ss default -o=jsonpath={.debug} true Create ssb: $ oc apply -f -<<EOF > apiVersion: compliance.openshift.io/v1alpha1 > kind: ScanSettingBinding > metadata: > name: my-ssb-r > profiles: > - name: ocp4-cis > kind: Profile > apiGroup: compliance.openshift.io/v1alpha1 > - name: ocp4-cis-node > kind: Profile > apiGroup: compliance.openshift.io/v1alpha1 > settingsRef: > name: default > kind: ScanSetting > apiGroup: compliance.openshift.io/v1alpha1 > EOF scansettingbinding.compliance.openshift.io/my-ssb-r created 4. When the scan done, delete the ssb: $ oc get suite NAME PHASE RESULT my-ssb-r DONE NON-COMPLIANT $ oc get pod NAME READY STATUS RESTARTS AGE aggregator-pod-ocp4-cis 0/1 Completed 0 8m41s aggregator-pod-ocp4-cis-node-master 0/1 Completed 0 8m41s aggregator-pod-ocp4-cis-node-worker 0/1 Completed 0 8m41s compliance-operator-f468c9f64-xgcw5 1/1 Running 0 93m ocp4-cis-api-checks-pod 0/2 Completed 0 9m24s ocp4-cis-node-master-xiayuan-s410-hs7k8-master-0-pod 0/2 Completed 0 9m11s ocp4-cis-node-master-xiayuan-s410-hs7k8-master-1-pod 0/2 Completed 0 9m11s ocp4-cis-node-master-xiayuan-s410-hs7k8-master-2-pod 0/2 Completed 0 9m11s ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-1-pod 0/2 Completed 0 9m11s ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-2-pod 0/2 Completed 0 9m11s ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-3-pod 0/2 Completed 0 9m11s ocp4-openshift-compliance-pp-5cd896b74c-tswxv 1/1 Running 0 91m rhcos4-openshift-compliance-pp-78bf7c5bf9-nvwq2 1/1 Running 0 91m $ oc delete ssb my-ssb-r scansettingbinding.compliance.openshift.io "my-ssb-r" deleted Actual Result: The pods generated by scansettingbinding my-ssb-r won’t be deleted when the ssb my-ssb-r get deleted $ oc get pod NAME READY STATUS RESTARTS AGE aggregator-pod-ocp4-cis 0/1 Completed 0 9m aggregator-pod-ocp4-cis-node-master 0/1 Completed 0 9m aggregator-pod-ocp4-cis-node-worker 0/1 Completed 0 9m compliance-operator-f468c9f64-xgcw5 1/1 Running 0 93m ocp4-cis-api-checks-pod 0/2 Completed 0 9m43s ocp4-cis-node-master-xiayuan-s410-hs7k8-master-0-pod 0/2 Completed 0 9m30s ocp4-cis-node-master-xiayuan-s410-hs7k8-master-1-pod 0/2 Completed 0 9m30s ocp4-cis-node-master-xiayuan-s410-hs7k8-master-2-pod 0/2 Completed 0 9m30s ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-1-pod 0/2 Completed 0 9m30s ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-2-pod 0/2 Completed 0 9m30s ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-3-pod 0/2 Completed 0 9m30s ocp4-openshift-compliance-pp-5cd896b74c-tswxv 1/1 Running 0 92m rhcos4-openshift-compliance-pp-78bf7c5bf9-nvwq2 1/1 Running 0 92m Expected result: The pods generated by scansettingbinding my-ssb-r should be deleted when the ssb my-ssb-r get deleted