Bug 1791673 - [OCP 4.4] The ComplianceSuite should show the result if the cluster is Compliant or Non-Compliant like as ComplianceScan.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Jakub Hrozek
QA Contact: Prashant Dhamdhere
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-01-16 11:05 UTC by Prashant Dhamdhere
Modified: 2020-10-27 15:55 UTC

Fixed In Version: v0.1.9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 15:54:52 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 15:55:19 UTC

Description Prashant Dhamdhere 2020-01-16 11:05:20 UTC
Description of problem:

The ComplianceSuite should show the result in its scan status, indicating whether the OCP cluster is
Compliant or Non-Compliant, as ComplianceScan does. Refer to the ComplianceScan output below, which shows
the result in the status: the node is Non-Compliant.


$ oc describe compliancescan|grep -A 2 "Name:\|Status" |grep -v "Labels\|UID\|Resource"
Name:         example-compliancescan
Namespace:    openshift-compliance
--
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT  <<----
--
Name:         masters-scan
Namespace:    openshift-compliance
--
    Name:                  example-compliancesuite
--
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT  <<----
--
Name:         workers-scan
Namespace:    openshift-compliance
--
    Name:                  example-compliancesuite
--
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT  <<----


Version-Release number of selected component (if applicable):

4.4.0-0.nightly-2020-01-16-013633

How reproducible:

Always

Steps to Reproduce:

1. Clone the git repo.
$ git clone https://github.com/openshift/compliance-operator.git 

2. Deploy CustomResourceDefinition. 
$ for f in $(ls -1 compliance-operator/deploy/crds/*crd.yaml); do oc create -f $f; done

3. Deploy compliance-operator. 
$ oc create -f compliance-operator/deploy/

4. Switch to openshift-compliance namespace
$ oc project openshift-compliance

5. Deploy CRs ComplianceRemediation, ComplianceSuite, ComplianceScan
$ for f in $(ls -1 compliance-operator/deploy/crds/*cr.yaml); do oc create -f $f; done

Actual results:

The ComplianceSuite does not show a result in its status indicating whether the cluster is Compliant or
Non-Compliant, as ComplianceScan does.

$ oc describe compliancesuite
Name:         example-compliancesuite
Namespace:    openshift-compliance
Labels:       <none>
Annotations:  <none>
API Version:  complianceoperator.compliance.openshift.io/v1alpha1
Kind:         ComplianceSuite
Metadata:
  Creation Timestamp:  2020-01-16T06:10:46Z
  Generation:          1
  Resource Version:    33059
  Self Link:           /apis/complianceoperator.compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/compliancesuites/example-compliancesuite
  UID:                 fb9990bf-da11-4653-b8de-589dd78b382d
Spec:
  Auto Apply Remediations:  true
  Scans:
    Content:        ssg-ocp4-ds.xml
    Content Image:  quay.io/jhrozek/ocp4-openscap-content:remediation_demo
    Name:           workers-scan
    Node Selector:
      node-role.kubernetes.io/worker:  
    Profile:                           xccdf_org.ssgproject.content_profile_coreos-ncp
    Content:                           ssg-ocp4-ds.xml
    Content Image:                     quay.io/jhrozek/ocp4-openscap-content:remediation_demo
    Name:                              masters-scan
    Node Selector:
      node-role.kubernetes.io/master:  
    Profile:                           xccdf_org.ssgproject.content_profile_coreos-ncp
Status:
  Remediation Overview:
    Apply:             false
    Remediation Name:  workers-scan-no-direct-root-logins
    Scan Name:         workers-scan
    Type:              MachineConfig
    Apply:             false
    Remediation Name:  workers-scan-no-empty-passwords
    Scan Name:         workers-scan
    Type:              MachineConfig
    Apply:             false
    Remediation Name:  masters-scan-no-direct-root-logins
    Scan Name:         masters-scan
    Type:              MachineConfig
    Apply:             false
    Remediation Name:  masters-scan-no-empty-passwords
    Scan Name:         masters-scan
    Type:              MachineConfig
  Scan Statuses:
    Name:   workers-scan
    Phase:  DONE
    Name:   masters-scan
    Phase:  DONE
Events:     <none>

Expected results:

The ComplianceSuite should show a result in its status indicating whether the cluster is Compliant or
Non-Compliant, as ComplianceScan does.

Additional info:

Comment 5 Jakub Hrozek 2020-06-18 16:52:18 UTC
I believe this can be closed. With a current CO version, I see:

$ oc get compliancesuites       
NAME                      PHASE   RESULT
workers-compliancesuite   DONE    NON-COMPLIANT

and in the full YAML output:
  status:
    aggregatedPhase: DONE
    aggregatedResult: NON-COMPLIANT
    scanStatuses:
    - name: workers-scan
      phase: DONE
      result: NON-COMPLIANT
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Prashant, do you agree?

Comment 6 Prashant Dhamdhere 2020-06-23 07:20:36 UTC
Hi Jakub,

Yes, the issue has been fixed and I can see the ComplianceSuite is showing the result in scan status.

Verified on: 4.5.0-0.nightly-2020-06-23-020504

$ oc get compliancesuites
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT

$ oc get compliancesuites -o yaml |grep -B 6 "result"
  status:
    aggregatedPhase: DONE
    aggregatedResult: NON-COMPLIANT
    scanStatuses:
    - name: workers-scan
      phase: DONE
      result: NON-COMPLIANT

Comment 7 Prashant Dhamdhere 2020-07-07 14:35:33 UTC
Verified on: 4.5.0-0.nightly-2020-07-06-211538

$ oc get compliancesuites
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT


$ oc get compliancesuites -o yaml |grep -B 6 "result"
  status:
    aggregatedPhase: DONE
    aggregatedResult: NON-COMPLIANT
    scanStatuses:
    - name: workers-scan
      phase: DONE
      result: NON-COMPLIANT
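
An added example, not part of the bug report or the Compliance Operator code: a gate that reads `oc get compliancesuites -o json` output and fails closed when a suite has no aggregated result, which is the status shape this bug was filed against. The field names are the ones shown in the comments above; the suite names `legacy-suite` and `clean-suite`, the verdict labels `NO-RESULT`, `PENDING` and `MISMATCH`, and the sample data are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `oc get compliancesuites -o json`.
# legacy-suite mimics the pre-fix status: scan phases only, no result fields.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "example-compliancesuite"},
     "status": {"aggregatedPhase": "DONE", "aggregatedResult": "NON-COMPLIANT",
                "scanStatuses": [{"name": "workers-scan", "phase": "DONE",
                                  "result": "NON-COMPLIANT"}]}},
    {"metadata": {"name": "legacy-suite"},
     "status": {"scanStatuses": [{"name": "workers-scan", "phase": "DONE"},
                                 {"name": "masters-scan", "phase": "DONE"}]}},
    {"metadata": {"name": "clean-suite"},
     "status": {"aggregatedPhase": "DONE", "aggregatedResult": "COMPLIANT",
                "scanStatuses": [{"name": "workers-scan", "phase": "DONE",
                                  "result": "COMPLIANT"}]}},
]})


def evaluate_suites(doc_text):
    """Return ([(suite, verdict, scans_not_compliant)], exit_code)."""
    doc = json.loads(doc_text)
    suites = doc["items"] if "items" in doc else [doc]  # List or single object
    verdicts = []
    for suite in suites:
        status = suite.get("status") or {}
        scans = status.get("scanStatuses") or []
        # Scans that are unfinished or do not report COMPLIANT.
        bad = [s.get("name") for s in scans
               if s.get("phase") != "DONE" or s.get("result") != "COMPLIANT"]
        phase = status.get("aggregatedPhase")
        result = status.get("aggregatedResult")
        if phase is not None and phase != "DONE":
            verdict = "PENDING"
        elif result is None:
            verdict = "NO-RESULT"    # missing field is never treated as a pass
        elif result == "COMPLIANT" and (bad or not scans):
            verdict = "MISMATCH"     # aggregate disagrees with per-scan data
        else:
            verdict = result
        verdicts.append((suite["metadata"]["name"], verdict, bad))
    ok = bool(verdicts) and all(v == "COMPLIANT" for _, v, _ in verdicts)
    return verdicts, 0 if ok else 1


if __name__ == "__main__":
    piped = len(sys.argv) > 1 and sys.argv[1] == "-"
    verdicts, code = evaluate_suites(sys.stdin.read() if piped else SAMPLE)
    for name, verdict, bad in verdicts:
        print(f"{name}: {verdict} scans not compliant: {bad}")
    sys.exit(code if piped else 0)
```

Run with `-` as the only argument to read real output from standard input; the exit status is then non-zero unless every suite is DONE and COMPLIANT.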

Comment 10 errata-xmlrpc 2020-10-27 15:54:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

