Bug 2105878
| Summary: | Rule ocp4-kubelet-enable-streaming-connections not working as expected when variable is set while streamingConnectionIdleTimeout in kubeletconfig unset | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | xiyuan |
| Component: | Compliance Operator | Assignee: | Vincent Shen <wenshen> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.11 | CC: | lbragsta, mrogers, wenshen, xiyuan |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Cause: The rule for checking idle streaming timeouts didn't take into account default values. Consequence: The rule reported inaccurately. Fix: Upgrade the compliance operator to version 0.1.55, which includes more robust checking of default configuration values at runtime. Result: Increased accuracy in results based on default configuration values. | ||
| Story Points: | --- | ||
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-02 16:00:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Discussed during the sprint (and the QE process for 0.1.53). Setting the reviewed-in-sprint flag.

Verification pass with 4.12.0-0.nightly-2022-09-25-071630 + compliance-operator.v0.1.55

```
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-09-25-071630   True        False         54m     Cluster version is 4.12.0-0.nightly-2022-09-25-071630
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-qdw2g   compliance-operator.v0.1.55   Automatic   true
$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.55   Compliance Operator   0.1.55               Succeeded
$ oc get rule ocp4-kubelet-enable-streaming-connections -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
The output should return .
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",
```

Create a tailored profile, set ocp4-var-streaming-connection-timeouts to 5h0m0s, and scan:

```
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: testprofile
  namespace: openshift-compliance
spec:
  description: test
  title: test
  enableRules:
    - name: ocp4-kubelet-enable-streaming-connections
      rationale: test
  setValues:
    - name: ocp4-var-streaming-connection-timeouts
      value: "5h0m0s"
      rationale: test
EOF
tailoredprofile.compliance.openshift.io/testprofile created
$ oc get tp
NAME          STATE
testprofile   READY
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: testprofile
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get scan -w
NAME          PHASE         RESULT
testprofile   RUNNING       NOT-AVAILABLE
testprofile   AGGREGATING   NOT-AVAILABLE
testprofile   AGGREGATING   NOT-AVAILABLE
testprofile   DONE          NON-COMPLIANT
^C
$ oc get ccr
NAME                                               STATUS   SEVERITY
testprofile-kubelet-enable-streaming-connections   FAIL     medium
```

Configure ocp4-var-streaming-connection-timeouts to 4h0m0s, and rescan:

```
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: testprofile
  namespace: openshift-compliance
spec:
  description: test
  title: test
  enableRules:
    - name: ocp4-kubelet-enable-streaming-connections
      rationale: test
  setValues:
    - name: ocp4-var-streaming-connection-timeouts
      value: "4h0m0s"
      rationale: test
EOF
tailoredprofile.compliance.openshift.io/testprofile configured
$ oc get tp
NAME          STATE
testprofile   READY
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': testprofile
Re-running scan 'openshift-compliance/testprofile'
$ oc get scan -w
NAME          PHASE         RESULT
testprofile   RUNNING       NOT-AVAILABLE
testprofile   AGGREGATING   NOT-AVAILABLE
testprofile   DONE          COMPLIANT
^C
$ oc get ccr
NAME                                               STATUS   SEVERITY
testprofile-kubelet-enable-streaming-connections   PASS     medium
```
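As an added illustration (not the Compliance Operator's code, and not part of this bug report), the comparison the Doc Text describes: the effective streamingConnectionIdleTimeout is the configured value when KubeletConfiguration sets it and the kubelet default of 4h0m0s (the value the configz output above reports) when it is unset, and the rule passes only when that effective value equals ocp4-var-streaming-connection-timeouts. The configz documents are constructed samples, and `naive_check` is a constructed approximation of the behaviour this bug describes, not the operator's original logic. Durations are compared after parsing so that "4h" and "4h0m0s" count as equal.

```python
import json
import re

# Kubelet default for streamingConnectionIdleTimeout when the key is absent from
# KubeletConfiguration; matches the 4h0m0s the configz output above reports.
KUBELET_DEFAULT_STREAMING_IDLE_TIMEOUT = "4h0m0s"

# One "<number><unit>" component of a Go duration string; "ms" is listed before
# "m" so that "500ms" is not split into "500m" + "s".
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(h|ms|m|s)")


def parse_go_duration(text):
    """Convert a Go-style duration ("4h0m0s", "5m", "1h30m", "500ms") to seconds."""
    text = text.strip()
    if text == "0":
        return 0.0  # Go prints a zero duration as "0", with no unit
    seconds_per_unit = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
    total, pos = 0.0, 0
    while pos < len(text):
        match = _COMPONENT.match(text, pos)
        if match is None:
            raise ValueError(f"invalid Go duration: {text!r}")
        total += float(match.group(1)) * seconds_per_unit[match.group(2)]
        pos = match.end()
    if pos == 0:
        raise ValueError("empty duration")
    return total


def effective_idle_timeout(configz):
    """Return the timeout the kubelet enforces: the configured value, or the default when unset."""
    kubelet_config = configz.get("kubeletconfig", {})
    return kubelet_config.get("streamingConnectionIdleTimeout",
                              KUBELET_DEFAULT_STREAMING_IDLE_TIMEOUT)


def check_streaming_timeout(configz, expected):
    """Fixed behaviour: PASS only when the effective timeout equals the variable value."""
    actual = effective_idle_timeout(configz)
    return "PASS" if parse_go_duration(actual) == parse_go_duration(expected) else "FAIL"


def naive_check(configz, expected):
    """Constructed approximation of the behaviour this bug describes (not the
    operator's real logic): an absent key leaves nothing to compare, so the
    rule passes regardless of what the variable is set to."""
    kubelet_config = configz.get("kubeletconfig", {})
    if "streamingConnectionIdleTimeout" not in kubelet_config:
        return "PASS"
    actual = kubelet_config["streamingConnectionIdleTimeout"]
    return "PASS" if parse_go_duration(actual) == parse_go_duration(expected) else "FAIL"


# Constructed configz responses (not captured from a cluster). The first omits
# the key, as in this bug; the second sets it explicitly.
CONFIGZ_UNSET = json.loads(
    '{"kubeletconfig": {"kind": "KubeletConfiguration", "maxPods": 250}}')
CONFIGZ_SET = json.loads(
    '{"kubeletconfig": {"kind": "KubeletConfiguration",'
    ' "streamingConnectionIdleTimeout": "5m0s"}}')


if __name__ == "__main__":
    # Mirrors the verification above: 5h0m0s must FAIL and 4h0m0s must PASS
    # against an unset key, while the naive check passes both.
    for expected in ("5h0m0s", "4h0m0s"):
        print(f"variable={expected}: fixed={check_streaming_timeout(CONFIGZ_UNSET, expected)} "
              f"naive={naive_check(CONFIGZ_UNSET, expected)}")
    print(f"explicit 5m0s vs variable 5m: {check_streaming_timeout(CONFIGZ_SET, '5m')}")
```

Run it directly to see the fixed and naive results side by side for the two variable values used in the verification above.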
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:6657
*Description of problem:*
Rule ocp4-kubelet-enable-streaming-connections not working as expected when variable is set while streamingConnectionIdleTimeout in kubeletconfig unset

*How reproducible:*
Always

*Steps to Reproduce:*
1. Install CO v0.1.53-2
2. Check that streamingConnectionIdleTimeout in kubeletconfig is unset:

```
$ for i in `oc get node -l node-role.kubernetes.io/worker= --no-headers | awk '{print $1}'`;do oc debug node/$i -- chroot /host grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet.conf; done
Starting pod/ip-10-0-131-126us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Removing debug pod ...
error: non-zero exit code from debug container
Starting pod/ip-10-0-167-112us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Removing debug pod ...
error: non-zero exit code from debug container
Starting pod/ip-10-0-205-97us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Removing debug pod ...
error: non-zero exit code from debug container
```

3. Create a tailored profile for the rule and perform a scan with the tailored profile:

```
$ oc apply -f-<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: mod-node
spec:
  title: My modified profile
  description: test
  enableRules:
    - name: ocp4-kubelet-enable-streaming-connections
      rationale: platform
  setValues:
    - name: ocp4-var-streaming-connection-timeouts
      rationale: test
      value: 5m
EOF
tailoredprofile.compliance.openshift.io/mod-node created
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: mod-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created
```

*Actual result:*
Although the value of streamingConnectionIdleTimeout in kubeletconfig is unset, and so does not equal the value in variable ocp4-var-streaming-connection-timeouts, the rule returns PASS:

```
$ oc get rule ocp4-kubelet-enable-streaming-connections -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet.conf
The output should return .
$ oc get suite -w
NAME   PHASE         RESULT
test   RUNNING       NOT-AVAILABLE
test   RUNNING       NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          COMPLIANT
test   DONE          COMPLIANT
^C
$ oc get ccr
NAME                                                   STATUS   SEVERITY
mod-node-master-kubelet-enable-streaming-connections   PASS     medium
mod-node-worker-kubelet-enable-streaming-connections   PASS     medium
```

*Expected result:*
As the value of streamingConnectionIdleTimeout in kubeletconfig is unset, and so does not equal the value in variable ocp4-var-streaming-connection-timeouts, the rule should FAIL