Description of problem:
The ComplianceSuite should show the result in scan status, whether the OCP cluster is Compliant or Non-Compliant, as ComplianceScan does. Refer to the ComplianceScan output below, which shows the result in status: the node is Non-Compliant.

$ oc describe compliancescan|grep -A 2 "Name:\|Status" |grep -v "Labels\|UID\|Resource"
Name:         example-compliancescan
Namespace:    openshift-compliance
--
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT   <<----
--
Name:         masters-scan
Namespace:    openshift-compliance
--
Name:         example-compliancesuite
--
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT   <<----
--
Name:         workers-scan
Namespace:    openshift-compliance
--
Name:         example-compliancesuite
--
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT   <<----

Version-Release number of selected component (if applicable):
4.4.0-0.nightly-2020-01-16-013633

How reproducible:
Always

Steps to Reproduce:
1. Clone the git repo.
$ git clone https://github.com/openshift/compliance-operator.git

2. Deploy the CustomResourceDefinitions.
$ for f in $(ls -1 compliance-operator/deploy/crds/*crd.yaml); do oc create -f $f; done

3. Deploy compliance-operator.
$ oc create -f compliance-operator/deploy/

4. Switch to the openshift-compliance namespace.
$ oc project openshift-compliance

5. Deploy the CRs ComplianceRemediation, ComplianceSuite, ComplianceScan.
$ for f in $(ls -1 compliance-operator/deploy/crds/*cr.yaml); do oc create -f $f; done

Actual results:
The ComplianceSuite is not showing the result in status, whether the cluster is Compliant or Non-Compliant, as ComplianceScan does.
$ oc describe compliancesuite
Name:         example-compliancesuite
Namespace:    openshift-compliance
Labels:       <none>
Annotations:  <none>
API Version:  complianceoperator.compliance.openshift.io/v1alpha1
Kind:         ComplianceSuite
Metadata:
  Creation Timestamp:  2020-01-16T06:10:46Z
  Generation:          1
  Resource Version:    33059
  Self Link:           /apis/complianceoperator.compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/compliancesuites/example-compliancesuite
  UID:                 fb9990bf-da11-4653-b8de-589dd78b382d
Spec:
  Auto Apply Remediations:  true
  Scans:
    Content:        ssg-ocp4-ds.xml
    Content Image:  quay.io/jhrozek/ocp4-openscap-content:remediation_demo
    Name:           workers-scan
    Node Selector:
      node-role.kubernetes.io/worker:
    Profile:        xccdf_org.ssgproject.content_profile_coreos-ncp
    Content:        ssg-ocp4-ds.xml
    Content Image:  quay.io/jhrozek/ocp4-openscap-content:remediation_demo
    Name:           masters-scan
    Node Selector:
      node-role.kubernetes.io/master:
    Profile:        xccdf_org.ssgproject.content_profile_coreos-ncp
Status:
  Remediation Overview:
    Apply:             false
    Remediation Name:  workers-scan-no-direct-root-logins
    Scan Name:         workers-scan
    Type:              MachineConfig
    Apply:             false
    Remediation Name:  workers-scan-no-empty-passwords
    Scan Name:         workers-scan
    Type:              MachineConfig
    Apply:             false
    Remediation Name:  masters-scan-no-direct-root-logins
    Scan Name:         masters-scan
    Type:              MachineConfig
    Apply:             false
    Remediation Name:  masters-scan-no-empty-passwords
    Scan Name:         masters-scan
    Type:              MachineConfig
  Scan Statuses:
    Name:   workers-scan
    Phase:  DONE
    Name:   masters-scan
    Phase:  DONE
Events:  <none>

Expected results:
The ComplianceSuite should show the result in status, whether the cluster is Compliant or Non-Compliant, as ComplianceScan does.

Additional info:

I believe this can be closed. With a current CO version, I see:

$ oc get compliancesuites
NAME                      PHASE   RESULT
workers-compliancesuite   DONE    NON-COMPLIANT

and in the full YAML output:

status:
  aggregatedPhase: DONE
  aggregatedResult: NON-COMPLIANT
  scanStatuses:
  - name: workers-scan
    phase: DONE
    result: NON-COMPLIANT
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Prashant, do you agree?

Hi Jakub,

Yes, the issue has been fixed and I can see the ComplianceSuite is showing the result in scan status.

Verified on: 4.5.0-0.nightly-2020-06-23-020504

$ oc get compliancesuites
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT

$ oc get compliancesuites -o yaml |grep -B 6 "result"
status:
  aggregatedPhase: DONE
  aggregatedResult: NON-COMPLIANT
  scanStatuses:
  - name: workers-scan
    phase: DONE
    result: NON-COMPLIANT

Verified on: 4.5.0-0.nightly-2020-07-06-211538

$ oc get compliancesuites
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT

$ oc get compliancesuites -o yaml |grep -B 6 "result"
status:
  aggregatedPhase: DONE
  aggregatedResult: NON-COMPLIANT
  scanStatuses:
  - name: workers-scan
    phase: DONE
    result: NON-COMPLIANT

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196