Description of problem:
The scan pods use private repositories to get the 'openscap-ocp' image in Compliance Operator (0.1.12)

$ oc describe pod worker-scan-ip-10-0-205-114.us-east-2.compute.internal-pod |grep -A4 "openscap-ocp"
  openscap-ocp:
    Container ID:  cri-o://302b128b111d20b463c1c3682ff0137b49cc45bcbf6bf628c12a44d3aee32091
    Image:         quay.io/jhrozek/openscap-ocp:latest   <<----
    Image ID:      quay.io/jhrozek/openscap-ocp@sha256:ce97c544ec38829938e04636274451cc30a79ccf335736edf0891c7500d97f9e
    Port:          <none>
    Host Port:     <none>
    Command:       /scripts/openscap-container-entrypoint
--
  Normal  Pulling  3m22s  kubelet, ip-10-0-205-114.us-east-2.compute.internal  Pulling image "quay.io/jhrozek/openscap-ocp:latest"   <<----
  Normal  Pulled   3m21s  kubelet, ip-10-0-205-114.us-east-2.compute.internal  Successfully pulled image "quay.io/jhrozek/openscap-ocp:latest" in 549.374915ms   <<----

Version-Release:
Cluster version 4.6.0-0.nightly-2020-08-02-091622

How reproducible:
Always

Steps:
1. Clone the compliance-operator git repo
$ git clone https://github.com/openshift/compliance-operator.git

2. Create the 'openshift-compliance' namespace
$ oc create -f compliance-operator/deploy/ns.yaml

3. Switch to the 'openshift-compliance' namespace
$ oc project openshift-compliance

4. Deploy the CustomResourceDefinitions
$ for f in $(ls -1 compliance-operator/deploy/crds/*crd.yaml); do oc create -f $f; done

5. Deploy compliance-operator
$ oc create -f compliance-operator/deploy/

6. Deploy the ComplianceSuite CR
$ oc create -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  name: example-compliancesuite
spec:
  autoApplyRemediations: false
  schedule: "* 1 * * *"
  scans:
    - name: worker-scan
      profile: xccdf_org.ssgproject.content_profile_moderate
      content: ssg-rhcos4-ds.xml
      contentImage: quay.io/complianceascode/ocp4:latest
      nodeSelector:
        node-role.kubernetes.io/worker: ""
EOF

7. Once the scan performs successfully
$ oc get pods
$ oc get compliancesuite
$ oc describe compliancesuite example-compliancesuite|grep -A14 Status:

8. Check scan pod details
$ oc describe pod worker-scan-ip-10-0-205-114.us-east-2.compute.internal-pod |grep -A4 "openscap-ocp"

Actual results:
The scan pods use private repositories to get the 'openscap-ocp' image.

Expected results:
The scan pods should not use private repositories to get the 'openscap-ocp' image in Compliance Operator.

Additional info:
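The check that step 8 does by hand with grep, written as a small policy script. This is an added example, not part of the bug report or of the operator's code: it reads the JSON that `oc get pods -n openshift-compliance -o json` prints and flags any container whose image is outside the expected repository or is pulled by a mutable tag with no digest. The allowed prefix `quay.io/compliance-operator/` is an assumption, and the embedded pod list is constructed from the two image references quoted in this bug (pod names are made up).

```python
import json
import sys

# Assumption for this example: the official scan image lives under this repository.
ALLOWED_IMAGE_PREFIXES = ("quay.io/compliance-operator/",)
# Tags that float between builds and therefore do not pin what actually runs.
MUTABLE_TAGS = {"latest"}


def split_image_ref(image):
    """Split 'registry/repo[:tag][@digest]' into (repo, tag, digest)."""
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    repo, tag = image, None
    # A ':' after the last '/' is a tag; one before it is a registry port.
    colon = image.rfind(":")
    if colon > image.rfind("/"):
        repo, tag = image[:colon], image[colon + 1:]
    return repo, tag, digest


def check_pod_images(pod_list, allowed_prefixes=ALLOWED_IMAGE_PREFIXES):
    """Return (pod, container, image, reason) tuples for every policy violation."""
    findings = []
    for pod in pod_list.get("items", []):
        pod_name = pod["metadata"]["name"]
        for c in pod["spec"].get("containers", []):
            repo, tag, digest = split_image_ref(c["image"])
            if not any(repo.startswith(p) for p in allowed_prefixes):
                findings.append((pod_name, c["name"], c["image"], "untrusted repository"))
            # No digest and a missing or floating tag: the pull is not reproducible.
            if digest is None and (tag is None or tag in MUTABLE_TAGS):
                findings.append((pod_name, c["name"], c["image"], "unpinned tag"))
    return findings


# Constructed PodList using the two image references quoted in this bug (pod names made up).
SAMPLE_POD_LIST = {"items": [
    {"metadata": {"name": "worker-scan-node-a-pod"},
     "spec": {"containers": [{"name": "openscap-ocp",
                              "image": "quay.io/jhrozek/openscap-ocp:latest"}]}},
    {"metadata": {"name": "worker-scan-node-b-pod"},
     "spec": {"containers": [{"name": "openscap-ocp",
                              "image": "quay.io/compliance-operator/openscap-ocp:1.3.3"}]}},
]}

if __name__ == "__main__":
    # Usage: oc get pods -n openshift-compliance -o json | python3 check_images.py
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    findings = check_pod_images(data)
    for pod_name, container, image, reason in findings:
        print(f"{pod_name}/{container}: {image} ({reason})")
    sys.exit(1 if findings else 0)
```

Run against the constructed list it reports the `quay.io/jhrozek/openscap-ocp:latest` container twice (untrusted repository, unpinned tag) and exits non-zero, while the pinned `1.3.3` image from the verified build passes.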
There are two issues:

1. The `latest` tag was not updated during release and so the latest tag was effectively pointing to the previous release...and between the previous and the current releases we have changed the environment variable name, so the deployment yaml was setting the new name, but the image was still only able to consume the old name.
   - I retagged the `:latest` tag on quay.io to remediate this

2. The fallback images in the code were too old.
   - I'll send a separate PR to address this
PR: https://github.com/openshift/compliance-operator/pull/382
Fixed upstream: https://github.com/openshift/compliance-operator/commit/4c46953f54a30c8494b1f0e4c7579c89eb0bf0bc
It looks good, the scan pods use official repositories to get the 'openscap-ocp' image.

Verified on:
OCP 4.6.0-0.nightly-2020-08-27-005538
compliance-operator.v0.1.13

$ grep "name:\|version" compliance-operator/deploy/olm-catalog/compliance-operator/0.1.13/compliance-operator.v0.1.13.clusterserviceversion.yaml |head -1
  name: compliance-operator.v0.1.13

$ oc get pods
NAME                                                         READY   STATUS      RESTARTS   AGE
aggregator-pod-worker-scan                                   0/1     Completed   0          7m56s
compliance-operator-869646dd4f-5vq7z                         1/1     Running     0          75m
ocp4-pp-7f89f556cc-zzmkj                                     1/1     Running     0          74m
rhcos4-pp-7c44999587-bckrn                                   1/1     Running     0          74m
worker-scan-ip-10-0-150-92.us-east-2.compute.internal-pod    0/2     Completed   0          10m
worker-scan-ip-10-0-177-228.us-east-2.compute.internal-pod   0/2     Completed   0          10m
worker-scan-ip-10-0-219-103.us-east-2.compute.internal-pod   0/2     Completed   0          10m

$ oc get compliancesuite
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT

$ oc describe pod worker-scan-ip-10-0-150-92.us-east-2.compute.internal-pod | grep -A4 "openscap-ocp"
  openscap-ocp:
    Container ID:  cri-o://08a9552d3f46d231dcc6ffd7698b6299bdd07eeece8b7d938f3d54ac60d800fd
    Image:         quay.io/compliance-operator/openscap-ocp:1.3.3   <<-------
    Image ID:      quay.io/compliance-operator/openscap-ocp@sha256:fdc69e5d492a70100f40836e21f36ccb984ac134572fb5af9823c0e8fc88e11b   <<-------
    Port:          <none>
    Host Port:     <none>
    Command:       /scripts/openscap-container-entrypoint
--
  Normal  Pulled   5m42s  kubelet, ip-10-0-150-92.us-east-2.compute.internal  Container image "quay.io/compliance-operator/openscap-ocp:1.3.3" already present on machine
  Normal  Created  5m42s  kubelet, ip-10-0-150-92.us-east-2.compute.internal  Created container openscap-ocp
  Normal  Started  5m42s  kubelet, ip-10-0-150-92.us-east-2.compute.internal  Started container openscap-ocp
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196