Bug 2102511
Summary: | [OSD] mcp pause status stuck at true issue as Compliance Operator failed to check if kubeletconfig custom-kubelet is subset of rendered MC 99-worker-generated-kubelet | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | xiyuan |
Component: | Compliance Operator | Assignee: | Vincent Shen <wenshen> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | Jeana Routh <jrouth> |
Priority: | high | ||
Version: | 4.11 | CC: | lbragsta, mrogers, wenshen, xiyuan |
Target Milestone: | --- | ||
Target Release: | 4.12.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
* Previously, the Compliance Operator held machine configurations in a stuck state because it could not determine the relationship between machine configurations and kubelet configurations due to incorrect assumptions about machine configuration names. With this release, the Compliance Operator is able to determine if a kubelet configuration is a subset of a machine configuration.
(link:https://bugzilla.redhat.com/show_bug.cgi?id=2102511[*BZ#2102511*])
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-11-02 16:00:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
xiyuan
2022-06-30 05:30:10 UTC
Hi Jakub,
Tried to verify with 4.12.0-0.nightly-2022-09-25-071630 and compliance-operator.v0.1.55, the alert still exists. Could you please help to double check? Thanks.

$ token=`oc create token prometheus-k8s -n openshift-monitoring`
$ oc -n openshift-compliance exec compliance-operator-7489d57b55-6c2j5 -- curl -k -H "Authorization: Bearer $token" 'https://prometheus-k8s.openshift-monitoring.svc:9091/api/v1/query?' --data-urlencode 'query=ALERTS{alertname="APIRemovedInNextEUSReleaseInUse",resource="cronjobs"}' | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   403    0   308  100    95   1974    608 --:--:-- --:--:-- --:--:--  2583
{
  "status": "success",
  "data": {
    "resultType": "vector",
    "result": [
      {
        "metric": {
          "__name__": "ALERTS",
          "alertname": "APIRemovedInNextEUSReleaseInUse",
          "alertstate": "pending",
          "group": "batch",
          "namespace": "openshift-kube-apiserver",
          "resource": "cronjobs",
          "severity": "info",
          "version": "v1beta1"
        },
        "value": [
          1664161876.437,
          "1"
        ]
      }
    ]
  }
}
$ oc get apirequestcounts cronjobs.v1beta1.batch -o yaml
apiVersion: apiserver.openshift.io/v1
kind: APIRequestCount
metadata:
  creationTimestamp: "2022-09-26T02:35:22Z"
  generation: 1
  name: cronjobs.v1beta1.batch
  resourceVersion: "66324"
  uid: 4ff4faaf-1b43-4ed6-8523-54bbd1d83e66
spec:
  numberOfUsersToReport: 10
status:
  currentHour:
    byNode:
    - byUser:
      - byVerb:
        - requestCount: 1
          verb: watch
        requestCount: 1
        userAgent: compliance-operator/v0.0.0
        username: system:serviceaccount:openshift-compliance:compliance-operator
      nodeName: 10.0.0.6
      requestCount: 1
    requestCount: 1
  last24h:
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - byUser:
      - byVerb:
        - requestCount: 2
          verb: create
        - requestCount: 1
          verb: delete
        - requestCount: 1
          verb: list
        - requestCount: 4
          verb: watch
        requestCount: 8
        userAgent: compliance-operator/v0.0.0
        username: system:serviceaccount:openshift-compliance:compliance-operator
      nodeName: 10.0.0.6
      requestCount: 8
    requestCount: 8
  - byNode:
    - byUser:
      - byVerb:
        - requestCount: 1
          verb: watch
        requestCount: 1
        userAgent: compliance-operator/v0.0.0
        username: system:serviceaccount:openshift-compliance:compliance-operator
      nodeName: 10.0.0.6
      requestCount: 1
    requestCount: 1
  - requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  - byNode:
    - nodeName: 10.0.0.6
      requestCount: 0
    requestCount: 0
  removedInRelease: "1.25"
  requestCount: 9
$ oc explain cronjobs
KIND:     CronJob
VERSION:  batch/v1

DESCRIPTION:
     CronJob represents the configuration of a single cron job.
...

Sorry, please ignore https://bugzilla.redhat.com/show_bug.cgi?id=2102511#c5.
It is for another bug https://bugzilla.redhat.com/show_bug.cgi?id=2098581

Hi Vincent,
The remediation could be applied successfully with 4.11.5 + compliance-operator.v0.1.56 (as osd latest version is based on 4.11.5)
Generally it is good.
The only problem is why it is still using existing kubeletconfigs, no new kubeletconfig compliance-operator-kubelet-xxx created.
Is it working as expected? Thanks.

$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.5    True        False         130m    Cluster version is 4.11.5

$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-rhncj   compliance-operator.v0.1.56   Automatic   true
$ oc get csv
NAME                                      DISPLAY                  VERSION           REPLACES                                  PHASE
compliance-operator.v0.1.56               Compliance Operator      0.1.56                                                      Succeeded
route-monitor-operator.v0.1.422-151be96   Route Monitor Operator   0.1.422-151be96   route-monitor-operator.v0.1.408-c2256a2   Succeeded
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default-auto-apply
EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get suite -w
NAME   PHASE         RESULT
test   LAUNCHING     NOT-AVAILABLE
test   LAUNCHING     NOT-AVAILABLE
test   RUNNING       NOT-AVAILABLE
test   RUNNING       NOT-AVAILABLE
test   RUNNING       NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
^C
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-f176aaeeca17140975a4208e9be91bde   False     True       False      3              0                   0                     0                      129m
worker   rendered-worker-0cbdbabc44618577397e4c3c703fec8f   False     True       False      4              0                   0                     0                      129m
^C
$ oc get kubeletconfigs.machineconfiguration.openshift.io
NAME             AGE
custom-kubelet   108m
$ oc get kubeletconfigs.machineconfiguration.openshift.io custom-kubelet -o yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  annotations:
    machineconfiguration.openshift.io/mc-name-suffix: ""
  creationTimestamp: "2022-09-29T02:01:10Z"
  finalizers:
  - 99-worker-generated-kubelet
  - 99-master-generated-kubelet
  generation: 19
  labels:
    hive.openshift.io/managed: "true"
  name: custom-kubelet
  resourceVersion: "120217"
  uid: f46db966-eee4-4f28-a7d9-97c845224346
spec:
  autoSizingReserved: true
  kubeletConfig:
    evictionHard:
      imagefs.available: 10%
      imagefs.inodesFree: 5%
      memory.available: 200Mi
      nodefs.available: 5%
      nodefs.inodesFree: 4%
    evictionPressureTransitionPeriod: 0s
    evictionSoft:
      imagefs.available: 15%
      imagefs.inodesFree: 10%
      memory.available: 500Mi
      nodefs.available: 10%
      nodefs.inodesFree: 5%
    evictionSoftGracePeriod:
      imagefs.available: 1m30s
      imagefs.inodesFree: 1m30s
      memory.available: 1m30s
      nodefs.available: 1m30s
      nodefs.inodesFree: 1m30s
    streamingConnectionIdleTimeout: 5m0s
    tlsCipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  machineConfigPoolSelector:
    matchExpressions:
    - key: machineconfiguration.openshift.io/mco-built-in
      operator: Exists
status:
  conditions:
  - lastTransitionTime: "2022-09-29T03:49:26Z"
    message: Success
    status: "True"
    type: Success
$ oc get mc -l compliance.openshift.io/suite=test
NAME                                                           GENERATEDBYCONTROLLER   IGNITIONVERSION   AGE
75-ocp4-cis-node-master-kubelet-enable-protect-kernel-sysctl                           3.1.0             9m7s
75-ocp4-cis-node-worker-kubelet-enable-protect-kernel-sysctl                           3.1.0             9m7s
$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-98f138b8996404f337889556551f1f89   True      False      False      3              3                   3                     0                      145m
worker   rendered-worker-ea6756515bf26eca29412dae0f3d65e4   True      False      False      4              4                   4                     0                      145m

$ oc get cr
NAME   STATE
ocp4-cis-api-server-encryption-provider-cipher   Applied
ocp4-cis-api-server-encryption-provider-config   Applied
ocp4-cis-audit-profile-set   Applied
ocp4-cis-kubelet-configure-tls-cipher-suites   Applied
ocp4-cis-kubelet-configure-tls-cipher-suites-1   Applied
ocp4-cis-kubelet-enable-streaming-connections   Applied
ocp4-cis-kubelet-enable-streaming-connections-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-4   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-5   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-4   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-5   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-4   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-5   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-4   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-5   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4   Applied
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-5   Applied
ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults   MissingDependencies
ocp4-cis-node-master-kubelet-enable-protect-kernel-sysctl   Applied
ocp4-cis-node-worker-kubelet-enable-protect-kernel-defaults   MissingDependencies
ocp4-cis-node-worker-kubelet-enable-protect-kernel-sysctl   Applied
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': ocp4-cis, ocp4-cis-node-master, ocp4-cis-node-worker
Re-running scan 'openshift-compliance/ocp4-cis'
Re-running scan 'openshift-compliance/ocp4-cis-node-master'
Re-running scan 'openshift-compliance/ocp4-cis-node-worker'
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-98f138b8996404f337889556551f1f89   False     True       False      3              0                   0                     0                      148m
worker   rendered-worker-ea6756515bf26eca29412dae0f3d65e4   False     True       False      4              0                   0                     0                      148m
...

As https://bugzilla.redhat.com/show_bug.cgi?id=2102511#c7 is not related to the bug, move it to verified. If there is an issue about existing/new kubeletconfig, a new bug will be raised.

Added the final result for https://bugzilla.redhat.com/show_bug.cgi?id=2102511#c7.
After two rounds of remediation and another round of rescan, all auto-remediation will be applied:

$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': ocp4-cis, ocp4-cis-node-master, ocp4-cis-node-worker
Re-running scan 'openshift-compliance/ocp4-cis'
Re-running scan 'openshift-compliance/ocp4-cis-node-master'
Re-running scan 'openshift-compliance/ocp4-cis-node-worker'
$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
No resources found in openshift-compliance namespace.

(In reply to xiyuan from comment #7)
> Hi Vincent,
> The remediation could be applied successfully with 4.11.5 + compliance-operator.v0.1.56 (as osd latest version is based on 4.11.5)
> Generally it is good.
> The only problem is why it is still using existing kubeletconfigs, no new kubeletconfig compliance-operator-kubelet-xxx created.
> Is it working as expected? Thanks.
>
> $ oc get clusterversion
> NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
> version   4.11.5    True        False         130m    Cluster version is 4.11.5
>
> $ oc get ip
> NAME            CSV                           APPROVAL    APPROVED
> install-rhncj   compliance-operator.v0.1.56   Automatic   true
> $ oc get csv
> NAME                                      DISPLAY                  VERSION           REPLACES                                  PHASE
> compliance-operator.v0.1.56               Compliance Operator      0.1.56                                                      Succeeded
> route-monitor-operator.v0.1.422-151be96   Route Monitor Operator   0.1.422-151be96   route-monitor-operator.v0.1.408-c2256a2   Succeeded
> $ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: test
> profiles:
>   - apiGroup: compliance.openshift.io/v1alpha1
>     kind: Profile
>     name: ocp4-cis
>   - apiGroup: compliance.openshift.io/v1alpha1
>     kind: Profile
>     name: ocp4-cis-node
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default-auto-apply
> EOF
> scansettingbinding.compliance.openshift.io/test created
> $ oc get suite -w
> NAME   PHASE         RESULT
> test   LAUNCHING     NOT-AVAILABLE
> test   LAUNCHING     NOT-AVAILABLE
> test   RUNNING       NOT-AVAILABLE
> test   RUNNING       NOT-AVAILABLE
> test   RUNNING       NOT-AVAILABLE
> test   AGGREGATING   NOT-AVAILABLE
> test   AGGREGATING   NOT-AVAILABLE
> test   AGGREGATING   NOT-AVAILABLE
> test   DONE          NON-COMPLIANT
> ^C
> $ oc get mcp -w
> NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
> master   rendered-master-f176aaeeca17140975a4208e9be91bde   False     True       False      3              0                   0                     0                      129m
> worker   rendered-worker-0cbdbabc44618577397e4c3c703fec8f   False     True       False      4              0                   0                     0                      129m
> ^C
> $ oc get kubeletconfigs.machineconfiguration.openshift.io
> NAME             AGE
> custom-kubelet   108m
> $ oc get kubeletconfigs.machineconfiguration.openshift.io custom-kubelet -o yaml
> apiVersion: machineconfiguration.openshift.io/v1
> kind: KubeletConfig
> metadata:
>   annotations:
>     machineconfiguration.openshift.io/mc-name-suffix: ""
>   creationTimestamp: "2022-09-29T02:01:10Z"
>   finalizers:
>   - 99-worker-generated-kubelet
>   - 99-master-generated-kubelet
>   generation: 19
>   labels:
>     hive.openshift.io/managed: "true"
>   name: custom-kubelet
>   resourceVersion: "120217"
>   uid: f46db966-eee4-4f28-a7d9-97c845224346
> spec:
>   autoSizingReserved: true
>   kubeletConfig:
>     evictionHard:
>       imagefs.available: 10%
>       imagefs.inodesFree: 5%
>       memory.available: 200Mi
>       nodefs.available: 5%
>       nodefs.inodesFree: 4%
>     evictionPressureTransitionPeriod: 0s
>     evictionSoft:
>       imagefs.available: 15%
>       imagefs.inodesFree: 10%
>       memory.available: 500Mi
>       nodefs.available: 10%
>       nodefs.inodesFree: 5%
>     evictionSoftGracePeriod:
>       imagefs.available: 1m30s
>       imagefs.inodesFree: 1m30s
>       memory.available: 1m30s
>       nodefs.available: 1m30s
>       nodefs.inodesFree: 1m30s
>     streamingConnectionIdleTimeout: 5m0s
>     tlsCipherSuites:
>     - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>     - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>     - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>   machineConfigPoolSelector:
>     matchExpressions:
>     - key: machineconfiguration.openshift.io/mco-built-in
>       operator: Exists
> status:
>   conditions:
>   - lastTransitionTime: "2022-09-29T03:49:26Z"
>     message: Success
>     status: "True"
>     type: Success
> $ oc get mc -l compliance.openshift.io/suite=test
> NAME                                                           GENERATEDBYCONTROLLER   IGNITIONVERSION   AGE
> 75-ocp4-cis-node-master-kubelet-enable-protect-kernel-sysctl                           3.1.0             9m7s
> 75-ocp4-cis-node-worker-kubelet-enable-protect-kernel-sysctl                           3.1.0             9m7s
> $ oc get mcp
> NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
> master   rendered-master-98f138b8996404f337889556551f1f89   True      False      False      3              3                   3                     0                      145m
> worker   rendered-worker-ea6756515bf26eca29412dae0f3d65e4   True      False      False      4              4                   4                     0                      145m
>
>
> $ oc get cr
> NAME   STATE
> ocp4-cis-api-server-encryption-provider-cipher   Applied
> ocp4-cis-api-server-encryption-provider-config   Applied
> ocp4-cis-audit-profile-set   Applied
> ocp4-cis-kubelet-configure-tls-cipher-suites   Applied
> ocp4-cis-kubelet-configure-tls-cipher-suites-1   Applied
> ocp4-cis-kubelet-enable-streaming-connections   Applied
> ocp4-cis-kubelet-enable-streaming-connections-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-available-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-memory-available-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-available-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-4   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-available-5   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-4   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-5   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-4   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-memory-available-5   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-4   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-available-5   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4   Applied
> ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-5   Applied
> ocp4-cis-node-master-kubelet-enable-protect-kernel-defaults   MissingDependencies
> ocp4-cis-node-master-kubelet-enable-protect-kernel-sysctl   Applied
> ocp4-cis-node-worker-kubelet-enable-protect-kernel-defaults   MissingDependencies
> ocp4-cis-node-worker-kubelet-enable-protect-kernel-sysctl   Applied
> $ oc compliance rerun-now scansettingbinding test
> Rerunning scans from 'test': ocp4-cis, ocp4-cis-node-master, ocp4-cis-node-worker
> Re-running scan 'openshift-compliance/ocp4-cis'
> Re-running scan 'openshift-compliance/ocp4-cis-node-master'
> Re-running scan 'openshift-compliance/ocp4-cis-node-worker'
> $ oc get mcp -w
> NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
> master   rendered-master-98f138b8996404f337889556551f1f89   False     True       False      3              0                   0                     0                      148m
> worker   rendered-worker-ea6756515bf26eca29412dae0f3d65e4   False     True       False      4              0                   0                     0                      148m
> ...

Yes, it is expected. If there is a preexisting KubeletConfig object, we will keep using that one.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6657
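
The Doc Text at the top of this report describes the fix as the operator being able to determine whether a kubelet configuration is a subset of a machine configuration. The Go sketch below is an added illustration of that subset relation; it is not part of the original report and is not the Compliance Operator's own code. The function names and JSON inputs are constructed, with values borrowed from the custom-kubelet object shown above, and the kubelet configuration carried by the rendered MachineConfig is assumed to have been extracted to JSON already.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// Constructed input: part of spec.kubeletConfig from the custom-kubelet object above.
const sampleKubeletConfig = `{
  "evictionHard": {"memory.available": "200Mi", "nodefs.available": "5%"},
  "streamingConnectionIdleTimeout": "5m0s",
  "tlsCipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}`

// Constructed input: a rendered kubelet configuration that carries every setting
// of the KubeletConfig plus defaults the KubeletConfig never mentions.
const sampleRenderedOK = `{
  "kind": "KubeletConfiguration",
  "cgroupDriver": "systemd",
  "evictionHard": {"memory.available": "200Mi", "nodefs.available": "5%", "nodefs.inodesFree": "4%"},
  "streamingConnectionIdleTimeout": "5m0s",
  "tlsCipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}`

// Constructed input: a rendered configuration that has not picked up the KubeletConfig.
const sampleRenderedStale = `{
  "kind": "KubeletConfiguration",
  "evictionHard": {"memory.available": "100Mi", "nodefs.available": "5%"},
  "tlsCipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}`

// subset records in diffs every path where want is not contained in have.
// Maps are compared key by key, so extra keys in have are allowed; scalars
// and lists must match exactly. Paths are joined with "/" because kubelet
// keys such as "memory.available" contain dots themselves.
func subset(want, have interface{}, path string, diffs *[]string) {
	wm, isMap := want.(map[string]interface{})
	if !isMap {
		if !reflect.DeepEqual(want, have) {
			*diffs = append(*diffs, path)
		}
		return
	}
	hm, ok := have.(map[string]interface{})
	if !ok {
		*diffs = append(*diffs, path)
		return
	}
	for k, v := range wm {
		hv, present := hm[k]
		if !present {
			*diffs = append(*diffs, path+"/"+k)
			continue
		}
		subset(v, hv, path+"/"+k, diffs)
	}
}

// KubeletConfigRendered reports whether every setting in kcJSON appears with
// the same value in renderedJSON, and lists the paths that are missing or differ.
func KubeletConfigRendered(kcJSON, renderedJSON string) (bool, []string, error) {
	var kc, rendered map[string]interface{}
	if err := json.Unmarshal([]byte(kcJSON), &kc); err != nil {
		return false, nil, fmt.Errorf("kubeletconfig: %w", err)
	}
	if err := json.Unmarshal([]byte(renderedJSON), &rendered); err != nil {
		return false, nil, fmt.Errorf("rendered config: %w", err)
	}
	var diffs []string
	subset(kc, rendered, "", &diffs)
	sort.Strings(diffs) // map iteration order is random; sort for stable output
	return len(diffs) == 0, diffs, nil
}

func main() {
	for _, r := range []string{sampleRenderedOK, sampleRenderedStale} {
		ok, diffs, err := KubeletConfigRendered(sampleKubeletConfig, r)
		fmt.Println(ok, diffs, err)
	}
}
```

A controller that gates a MachineConfigPool on such a check should treat a non-empty difference list as "not yet rendered" and retry, rather than holding the pool indefinitely.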