Description of problem:
The ComplianceSuite and ComplianceScan status do not show any result in the RESULT field if the nodeSelector does not match any node label. However, after deploying the ComplianceSuite CR, it creates worker-scan and aggregator pods inside the openshift-compliance namespace.

$ oc get compliancesuite
NAME                      PHASE   RESULT
example-compliancesuite   DONE

$ oc get compliancescan
NAME           PHASE   RESULT
workers-scan   DONE

$ oc get pods
NAME                                   READY   STATUS      RESTARTS   AGE
aggregator-pod-workers-scan            0/1     Completed   0          28s    <<----
compliance-operator-6bcbf66d5b-6rdmj   1/1     Running     0          102m
compliance-operator-6bcbf66d5b-gwxh5   1/1     Running     0          102m
compliance-operator-6bcbf66d5b-qlrxn   1/1     Running     0          102m
workers-scan-rs-67cdd66c7b-5dzgf       1/1     Running     0          28s    <<---

Version-Release number of selected component (if applicable):
4.5.0-0.nightly-2020-07-02-002923

How reproducible:
Always

Steps to Reproduce:
1. Clone the compliance-operator git repo
$ git clone https://github.com/openshift/compliance-operator.git

2. Create the 'openshift-compliance' namespace
$ oc create -f compliance-operator/deploy/ns.yaml

3. Switch to the 'openshift-compliance' namespace
$ oc project openshift-compliance

4. Deploy the CustomResourceDefinitions.
$ for f in $(ls -1 compliance-operator/deploy/crds/*crd.yaml); do oc create -f $f; done

5. Deploy compliance-operator.
$ oc create -f compliance-operator/deploy/

6. Deploy a ComplianceSuite CR with a nodeSelector that does not match any node
$ oc create -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  name: example-compliancesuite
spec:
  autoApplyRemediations: false
  schedule: "0 1 * * *"
  scans:
    - name: workers-scan
      profile: xccdf_org.ssgproject.content_profile_ncp
      content: ssg-rhcos4-ds.xml
      contentImage: quay.io/complianceascode/ocp4:latest
      debug: true
      nodeSelector:
        node-role.kubernetes.io/rhel: ""   # <<--- [make sure label is not matching with nodes label]
EOF

Actual results:
The ComplianceSuite & ComplianceScan do not show any scan result if the nodeSelector does not match; the RESULT field is empty.

$ oc describe compliancesuite example-compliancesuite
Name:         example-compliancesuite
Namespace:    openshift-compliance
Labels:       <none>
Annotations:  <none>
API Version:  compliance.openshift.io/v1alpha1
Kind:         ComplianceSuite
..
...
  Self Link:  /apis/compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/compliancesuites/example-compliancesuite
  UID:        2dc33471-6f3e-41d4-a268-6dc96e7e125f
Spec:
  Scans:
    Content:        ssg-rhcos4-ds.xml
    Content Image:  quay.io/complianceascode/ocp4:latest
    Debug:          true
    Name:           workers-scan
    Node Selector:
      node-role.kubernetes.io/rhel:
    Profile:                      xccdf_org.ssgproject.content_profile_ncp
    Raw Result Storage Rotation:  3
    Raw Result Storage Size:      1Gi
    Scan Tolerations:
      Effect:    NoSchedule
      Key:       node-role.kubernetes.io/master
      Operator:  Exists
  Schedule:      0 1 * * *
Status:
  Aggregated Phase:  DONE
  Scan Statuses:
    Name:   workers-scan
    Phase:  DONE
    Results Storage:
      Name:       workers-scan
      Namespace:  openshift-compliance
Events:           <none>

$ oc get compliancesuite
NAME                      PHASE   RESULT
example-compliancesuite   DONE

$ oc get compliancescan
NAME           PHASE   RESULT
workers-scan   DONE

Expected results:
The ComplianceSuite & ComplianceScan should show some result in the RESULT field if the nodeSelector does not match any node label, such as NOT-AVAILABLE or NOT-APPLICABLE.

Additional info:

This looks good now. The ComplianceSuite & ComplianceScan show the scan result as NOT-APPLICABLE if the nodeSelector is not matching with any node label.

Verified on:
OCP 4.6.0-0.nightly-2020-08-27-005538
compliance-operator.v0.1.13

$ oc create -f - <<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ComplianceSuite
> metadata:
>   name: example-compliancesuite
> spec:
>   autoApplyRemediations: false
>   schedule: "0 1 * * *"
>   scans:
>     - name: workers-scan
>       profile: xccdf_org.ssgproject.content_profile_ncp
>       content: ssg-rhcos4-ds.xml
>       contentImage: quay.io/complianceascode/ocp4:latest
>       debug: true
>       nodeSelector:
>         node-role.kubernetes.io/rhel: ""
> EOF
compliancesuite.compliance.openshift.io/example-compliancesuite created

$ oc get pods -w
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-869646dd4f-5vq7z   1/1     Running   0          99m
ocp4-pp-7f89f556cc-zzmkj               1/1     Running   0          98m
rhcos4-pp-7c44999587-bckrn             1/1     Running   0          98m

$ oc get compliancesuite
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NOT-APPLICABLE

$ oc describe compliancesuite example-compliancesuite |grep -A14 "Status:"
Status:
  Error Message:  The suite result is not applicable, please check if you're using the correct platform
  Phase:          DONE
  Result:         NOT-APPLICABLE
  Scan Statuses:
    Name:    workers-scan
    Phase:   DONE
    Result:  NOT-APPLICABLE
    Results Storage:
Events:
  Type    Reason              Age   From       Message
  ----    ------              ----  ----       -------
  Normal  ResultAvailable     116s  suitectrl  ComplianceSuite's result is: NOT-APPLICABLE
  Normal  SuiteNotApplicable  116s  suitectrl  The suite result is not applicable, please check if you're using the correct platform

$ oc get compliancescan
NAME           PHASE   RESULT
workers-scan   DONE    NOT-APPLICABLE

$ oc describe compliancescan workers-scan |grep -A14 "Status:"
Status:
  Phase:   DONE
  Result:  NOT-APPLICABLE
  Results Storage:
Events:
  Type     Reason             Age    From      Message
  ----     ------             ----   ----      -------
  Warning  NoMatchingNodes    2m43s  scanctrl  No nodes matched the nodeSelector
  Normal   ResultAvailable    2m43s  scanctrl  ComplianceScan's result is: NOT-APPLICABLE
  Warning  ScanNotApplicable  2m43s  scanctrl  The scan result is not applicable, please check if you're using the correct platform or if the nodeSelector matches nodes.
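
A scan that reaches DONE without evaluating any node gives no compliance coverage, so it is worth flagging both the empty RESULT seen before the fix and the NOT-APPLICABLE result seen after it. The following is an added example, not part of the bug report or of the compliance-operator code. It assumes input shaped like `oc get nodes -o json` and `oc get compliancescan -o json`; the field paths, the second scan and the node names are constructed for illustration.

```python
import json
# Constructed sample data; JSON field paths (spec.nodeSelector, status.phase,
# status.result, metadata.labels) are assumptions about the `-o json` output.
NODES_JSON = """
{"items": [
  {"metadata": {"name": "master-0", "labels": {"node-role.kubernetes.io/master": ""}}},
  {"metadata": {"name": "worker-0", "labels": {"node-role.kubernetes.io/worker": ""}}}
]}
"""
SCANS_JSON = """
{"items": [
  {"metadata": {"name": "workers-scan"}, "status": {"phase": "DONE"},
   "spec": {"nodeSelector": {"node-role.kubernetes.io/rhel": ""}}},
  {"metadata": {"name": "workers-ok-scan"}, "status": {"phase": "DONE", "result": "COMPLIANT"},
   "spec": {"nodeSelector": {"node-role.kubernetes.io/worker": ""}}}
]}
"""

def matching_nodes(selector, nodes):
    """Names of nodes carrying every selector label; an empty selector matches all."""
    return [n["metadata"]["name"] for n in nodes
            if all(n["metadata"].get("labels", {}).get(k) == v
                   for k, v in selector.items())]

def audit_scans(scans, nodes):
    """Return {scan name: [findings]} for scans that provide no real coverage."""
    report = {}
    for scan in scans:
        findings = []
        selector = scan.get("spec", {}).get("nodeSelector") or {}
        status = scan.get("status", {})
        if not matching_nodes(selector, nodes):
            findings.append("nodeSelector matches no node")
        if status.get("phase") == "DONE":
            result = status.get("result", "")
            if not result:
                findings.append("DONE with empty RESULT")
            elif result == "NOT-APPLICABLE":
                findings.append("DONE but NOT-APPLICABLE")
        if findings:
            report[scan["metadata"]["name"]] = findings
    return report

def audit_sample():
    """Run the audit over the constructed sample data above."""
    return audit_scans(json.loads(SCANS_JSON)["items"], json.loads(NODES_JSON)["items"])

if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, "->", "; ".join(findings))
```
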