Bug 1853585 - [OCP V45] ComplianceSuite & ComplianceScan should report some result if the nodeSelector is not matching
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Juan Antonio Osorio
QA Contact: Prashant Dhamdhere
Reported: 2020-07-03 08:50 UTC by Prashant Dhamdhere
Modified: 2020-09-21 09:02 UTC

Last Closed: 2020-09-21 09:02:32 UTC


Links
System   ID                                       Private   Priority   Status   Summary                                Last Updated
Github   openshift compliance-operator pull 384   0         None       closed   Detect if nodeSelector doesn't match   2020-10-08 11:34:51 UTC

Description Prashant Dhamdhere 2020-07-03 08:50:17 UTC
Description of problem:

The ComplianceSuite and ComplianceScan status do not show any result in the RESULT
field if the nodeSelector does not match any node label. However, after
deploying the ComplianceSuite CR, it creates worker-scan and aggregator pods inside
the openshift-compliance namespace.

$ oc get compliancesuite 
NAME                      PHASE   RESULT 
example-compliancesuite   DONE     

$ oc get compliancescan 
NAME           PHASE   RESULT 
workers-scan   DONE     

$ oc get pods 
NAME                                   READY   STATUS      RESTARTS   AGE 
aggregator-pod-workers-scan            0/1     Completed   0          28s <<----
compliance-operator-6bcbf66d5b-6rdmj   1/1     Running     0          102m 
compliance-operator-6bcbf66d5b-gwxh5   1/1     Running     0          102m 
compliance-operator-6bcbf66d5b-qlrxn   1/1     Running     0          102m 
workers-scan-rs-67cdd66c7b-5dzgf       1/1     Running     0          28s  <<---

Version-Release number of selected component (if applicable):

4.5.0-0.nightly-2020-07-02-002923 

How reproducible:

Always

Steps to Reproduce:

1. clone compliance-operator git repo 
$ git clone https://github.com/openshift/compliance-operator.git 

2. Create 'openshift-compliance' namespace 
$ oc create -f compliance-operator/deploy/ns.yaml   

3. Switch to 'openshift-compliance' namespace 
$ oc project openshift-compliance 

4. Deploy CustomResourceDefinition. 
$ for f in compliance-operator/deploy/crds/*crd.yaml; do oc create -f "$f"; done

5. Deploy compliance-operator. 
$ oc create -f compliance-operator/deploy/ 

6. Deploy a ComplianceSuite CR with a nodeSelector that does not match any node
$ oc create -f - <<EOF 
apiVersion: compliance.openshift.io/v1alpha1 
kind: ComplianceSuite 
metadata: 
  name: example-compliancesuite 
spec: 
  autoApplyRemediations: false 
  schedule: "0 1 * * *" 
  scans: 
    - name: workers-scan 
      profile: xccdf_org.ssgproject.content_profile_ncp 
      content: ssg-rhcos4-ds.xml 
      contentImage: quay.io/complianceascode/ocp4:latest 
      debug: true 
      nodeSelector: 
        node-role.kubernetes.io/rhel: ""  # make sure this label does not match any node label
EOF 

Actual results:

The ComplianceSuite & ComplianceScan do not show any scan result if the nodeSelector
does not match; the RESULT field is empty.

$ oc describe compliancesuite example-compliancesuite 
Name:         example-compliancesuite 
Namespace:    openshift-compliance 
Labels:       <none> 
Annotations:  <none> 
API Version:  compliance.openshift.io/v1alpha1 
Kind:         ComplianceSuite 
..
...
  Self Link:         /apis/compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/compliancesuites/example-compliancesuite 
  UID:               2dc33471-6f3e-41d4-a268-6dc96e7e125f 
Spec: 
  Scans: 
    Content:        ssg-rhcos4-ds.xml 
    Content Image:  quay.io/complianceascode/ocp4:latest 
    Debug:          true 
    Name:           workers-scan 
    Node Selector: 
      node-role.kubernetes.io/rhel:   
    Profile:                         xccdf_org.ssgproject.content_profile_ncp 
    Raw Result Storage Rotation:     3 
    Raw Result Storage Size:         1Gi 
    Scan Tolerations: 
      Effect:    NoSchedule 
      Key:       node-role.kubernetes.io/master 
      Operator:  Exists 
  Schedule:      0 1 * * * 
Status: 
  Aggregated Phase:  DONE 
  Scan Statuses: 
    Name:   workers-scan 
    Phase:  DONE 
    Results Storage: 
      Name:       workers-scan 
      Namespace:  openshift-compliance 
Events:           <none> 

$ oc get compliancesuite 
NAME                      PHASE   RESULT 
example-compliancesuite   DONE     

$ oc get compliancescan 
NAME           PHASE   RESULT 
workers-scan   DONE     

Expected results:

The ComplianceSuite & ComplianceScan should show some result in the RESULT field if the
nodeSelector does not match any node label, such as NOT-AVAILABLE or NOT-APPLICABLE.

Additional info:

Comment 5 Prashant Dhamdhere 2020-08-27 06:38:58 UTC
This looks good now. The ComplianceSuite & ComplianceScan show the scan result as NOT-APPLICABLE
if the nodeSelector does not match any node label.


Verified on: 
OCP 4.6.0-0.nightly-2020-08-27-005538
compliance-operator.v0.1.13


$ oc create -f - <<EOF 
> apiVersion: compliance.openshift.io/v1alpha1 
> kind: ComplianceSuite 
> metadata: 
>   name: example-compliancesuite 
> spec: 
>   autoApplyRemediations: false 
>   schedule: "0 1 * * *" 
>   scans: 
>     - name: workers-scan 
>       profile: xccdf_org.ssgproject.content_profile_ncp 
>       content: ssg-rhcos4-ds.xml 
>       contentImage: quay.io/complianceascode/ocp4:latest 
>       debug: true 
>       nodeSelector: 
>         node-role.kubernetes.io/rhel: ""
> EOF
compliancesuite.compliance.openshift.io/example-compliancesuite created

$ oc get pods -w
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-869646dd4f-5vq7z   1/1     Running   0          99m
ocp4-pp-7f89f556cc-zzmkj               1/1     Running   0          98m
rhcos4-pp-7c44999587-bckrn             1/1     Running   0          98m

$ oc get compliancesuite
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NOT-APPLICABLE


$ oc describe compliancesuite example-compliancesuite |grep -A14 "Status:"
Status:
  Error Message:  The suite result is not applicable, please check if you're using the correct platform
  Phase:          DONE
  Result:         NOT-APPLICABLE
  Scan Statuses:
    Name:    workers-scan
    Phase:   DONE
    Result:  NOT-APPLICABLE
    Results Storage:
Events:
  Type    Reason              Age   From       Message
  ----    ------              ----  ----       -------
  Normal  ResultAvailable     116s  suitectrl  ComplianceSuite's result is: NOT-APPLICABLE
  Normal  SuiteNotApplicable  116s  suitectrl  The suite result is not applicable, please check if you're using the correct platform


$ oc get compliancescan
NAME           PHASE   RESULT
workers-scan   DONE    NOT-APPLICABLE


$ oc describe compliancescan workers-scan |grep -A14 "Status:"
Status:
  Phase:   DONE
  Result:  NOT-APPLICABLE
  Results Storage:
Events:
  Type     Reason             Age    From      Message
  ----     ------             ----   ----      -------
  Warning  NoMatchingNodes    2m43s  scanctrl  No nodes matched the nodeSelector
  Normal   ResultAvailable    2m43s  scanctrl  ComplianceScan's result is: NOT-APPLICABLE
  Warning  ScanNotApplicable  2m43s  scanctrl  The scan result is not applicable, please check if you're using the correct platform or if the nodeSelector matches nodes.
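
A check for scans that finished without evaluating any node, covering both the empty RESULT reported in this bug and the NOT-APPLICABLE result seen after the fix. This is an added example, not part of the bug report or the operator's code; the function names flag_unscanned and count_matching_nodes are hypothetical, and the sample tables are constructed in the shape of the `oc get` output above.

```sh
#!/bin/sh
# Added example; function names and sample tables are constructed for illustration.

# Constructed `oc get compliancescan` tables: operator before and after the fix.
SCANS_BEFORE='NAME           PHASE   RESULT
workers-scan   DONE    '
SCANS_AFTER='NAME           PHASE     RESULT
workers-scan   DONE      NOT-APPLICABLE
masters-scan   DONE      COMPLIANT
infra-scan     RUNNING   '

# Constructed `oc get nodes --show-labels` table.
NODES='NAME       STATUS   ROLES    AGE   VERSION   LABELS
worker-0   Ready    worker   5h    v1.18.3   kubernetes.io/os=linux,node-role.kubernetes.io/worker=
master-0   Ready    master   5h    v1.18.3   kubernetes.io/os=linux,node-role.kubernetes.io/master='

# Print "<name> <reason>" for each finished scan that evaluated no node:
# an empty RESULT (behaviour reported here) or NOT-APPLICABLE (after the fix).
flag_unscanned() {
  awk 'NR == 1        { next }   # header row
       $2 != "DONE"   { next }   # scan has no verdict yet
       NF < 3         { print $1, "EMPTY-RESULT"; next }
       $3 == "NOT-APPLICABLE" { print $1, $3 }'
}

# Count nodes carrying the label "$1", written key=value ("key=" for an empty
# value), by splitting the comma-separated LABELS column.
count_matching_nodes() {
  awk -v want="$1" '
    NR > 1 {
      n = split($NF, labels, ",")
      for (i = 1; i <= n; i++) if (labels[i] == want) { hits++; break }
    }
    END { print hits + 0 }'
}

printf '%s\n' "$SCANS_BEFORE" | flag_unscanned
printf '%s\n' "$SCANS_AFTER"  | flag_unscanned
printf '%s\n' "$NODES" | count_matching_nodes 'node-role.kubernetes.io/rhel='
```

Against a live cluster the same functions read `oc get compliancescan` and `oc get nodes --show-labels` through a pipe; a count of 0 for the scan's nodeSelector before creating the ComplianceSuite predicts the NOT-APPLICABLE result shown above.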

