Bug 1862969 - [OCP v46] The scan pods use private repositories to get 'openscap-ocp' image in Compliance Operator
Summary: [OCP v46] The scan pods use private repositories to get 'openscap-ocp' image ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Jakub Hrozek
QA Contact: Prashant Dhamdhere
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-08-03 10:51 UTC by Prashant Dhamdhere
Modified: 2020-10-27 16:23 UTC
CC: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:22:34 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2020:4196 (last updated 2020-10-27 16:23:00 UTC)

Description Prashant Dhamdhere 2020-08-03 10:51:26 UTC
Description of problem 

The scan pods use private repositories to get 'openscap-ocp' image in Compliance Operator (0.1.12) 

$ oc describe pod worker-scan-ip-10-0-205-114.us-east-2.compute.internal-pod |grep -A4 "openscap-ocp" 
  openscap-ocp: 
    Container ID:  cri-o://302b128b111d20b463c1c3682ff0137b49cc45bcbf6bf628c12a44d3aee32091 
    Image:         quay.io/jhrozek/openscap-ocp:latest                         <<---- 
    Image ID:      quay.io/jhrozek/openscap-ocp@sha256:ce97c544ec38829938e04636274451cc30a79ccf335736edf0891c7500d97f9e 
    Port:          <none> 
    Host Port:     <none> 
    Command: 
      /scripts/openscap-container-entrypoint 
-- 
  Normal  Pulling         3m22s  kubelet, ip-10-0-205-114.us-east-2.compute.internal  Pulling image "quay.io/jhrozek/openscap-ocp:latest"  <<---- 
  Normal  Pulled          3m21s  kubelet, ip-10-0-205-114.us-east-2.compute.internal  Successfully pulled image "quay.io/jhrozek/openscap-ocp:latest" in 549.374915ms  <<---- 


Version-Release / Cluster version:

4.6.0-0.nightly-2020-08-02-091622 

How reproducible: 

Always  

Steps: 

1. Clone the compliance-operator git repo

$ git clone https://github.com/openshift/compliance-operator.git

2. Create the 'openshift-compliance' namespace

$ oc create -f compliance-operator/deploy/ns.yaml

3. Switch to the 'openshift-compliance' namespace

$ oc project openshift-compliance

4. Deploy the CustomResourceDefinitions.

$ for f in compliance-operator/deploy/crds/*crd.yaml; do oc create -f "$f"; done

5. Deploy compliance-operator.

$ oc create -f compliance-operator/deploy/

6. Deploy the ComplianceSuite CR

$ oc create -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1 
kind: ComplianceSuite 
metadata: 
  name: example-compliancesuite 
spec: 
  autoApplyRemediations: false 
  schedule: "* 1 * * *" 
  scans: 
    - name: worker-scan 
      profile: xccdf_org.ssgproject.content_profile_moderate 
      content: ssg-rhcos4-ds.xml 
      contentImage: quay.io/complianceascode/ocp4:latest 
      nodeSelector: 
        node-role.kubernetes.io/worker: "" 
EOF 

7. Once the scan has run successfully

$ oc get pods 
$ oc get compliancesuite 
$ oc describe compliancesuite example-compliancesuite|grep -A14 Status: 

8. Check scan pod details  

$ oc describe pod worker-scan-ip-10-0-205-114.us-east-2.compute.internal-pod |grep -A4 "openscap-ocp" 


Actual results:

The scan pods use private repositories to get 'openscap-ocp' image.

Expected results:

The scan pods should not use private repositories to get 'openscap-ocp' image in Compliance Operator. 

Additional info

Comment 1 Jakub Hrozek 2020-08-03 13:13:55 UTC
There are two issues:

1. The `latest` tag was not updated during release and so the latest tag was effectively pointing to the previous release, and between the previous and the current releases we have changed the environment variable name, so the deployment yaml was setting the new name, but the image was still only able to consume the old name.

 - I retagged the `:latest` tag on quay.io to remediate this

2. The fallback images in the code were too old. 

 - I'll send a separate PR to address this
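
Added example, not code from this bug report or from the compliance-operator project: the check the reporter did by hand with `oc describe pod ... | grep -A4 openscap-ocp`, scripted as an audit over every container in the namespace. It flags images whose repository is outside an allowlist (the quay.io/compliance-operator and quay.io/complianceascode repositories quoted on this page are assumed to be the trusted ones; substitute your own mirror), floating `:latest` tags of the kind comment 1 describes, and references that are not pinned by digest. The `oc ... | jq` invocation in the header comment is an assumed way to produce the input; the inventory lines are constructed, reusing the pod and image names quoted above plus a made-up digest-pinned container.

```shell
#!/bin/sh
# Added example, not code from the bug report or the compliance-operator project.
# Audits the images that pods in a namespace are configured to run against an
# allowlist of repositories, and flags floating tags and digest-less references.
#
# Feed it one "<pod> <container> <image>" line per container. Assumed way to
# produce those lines from a live cluster (requires oc and jq):
#   oc get pods -n openshift-compliance -o json \
#     | jq -r '.items[] | .metadata.name as $p
#              | .spec.containers[] | "\($p) \(.name) \(.image)"'

# Repositories (registry/namespace/) a scan pod may pull from. Assumption based
# on the official images quoted in this bug; replace with your own mirror.
ALLOWED_REPOS="quay.io/compliance-operator/ quay.io/complianceascode/"

# image_repo REF -> registry/namespace/name with tag and digest stripped.
image_repo() {
    ref=${1%%@*}                      # drop "@sha256:..." if present
    case ${ref##*/} in                # only the last path component may hold a tag,
        *:*) ref=${ref%:*} ;;         # so "registry:5000/ns/name" is not mangled
    esac
    printf '%s\n' "$ref"
}

# image_tag REF -> the tag resolved at pull time: the explicit tag, "latest"
# when none is given, or nothing when the reference carries a digest (the
# runtime then ignores the tag entirely).
image_tag() {
    case $1 in *@*) return 0 ;; esac
    case ${1##*/} in
        *:*) printf '%s\n' "${1##*:}" ;;
        *)   printf 'latest\n' ;;
    esac
}

# audit_image POD CONTAINER IMAGE -> prints one line per finding, returns 1 if any.
audit_image() {
    pod=$1; ctr=$2; image=$3; findings=0
    repo=$(image_repo "$image")
    tag=$(image_tag "$image")

    trusted=0
    for allowed in $ALLOWED_REPOS; do
        case "$repo/" in "$allowed"*) trusted=1 ;; esac
    done
    if [ "$trusted" -eq 0 ]; then
        printf 'UNTRUSTED-REPO %s/%s pulls from %s\n' "$pod" "$ctr" "$repo"
        findings=$((findings + 1))
    fi
    if [ "$tag" = latest ]; then
        printf 'FLOATING-TAG   %s/%s uses :latest, which can silently change\n' "$pod" "$ctr"
        findings=$((findings + 1))
    fi
    case $image in
        *@sha256:*) ;;
        *) printf 'UNPINNED       %s/%s is not pinned by digest (%s)\n' "$pod" "$ctr" "$image"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# audit_images: reads inventory lines on stdin, returns 1 if any finding.
audit_images() {
    status=0
    while read -r pod ctr image; do
        [ -n "$image" ] || continue
        audit_image "$pod" "$ctr" "$image" || status=1
    done
    return "$status"
}

# Constructed inventory: the scan pod from the report (0.1.12), the verified
# one from comment 7 (0.1.13), and a made-up digest-pinned container.
SAMPLE_INVENTORY='worker-scan-ip-10-0-205-114.us-east-2.compute.internal-pod openscap-ocp quay.io/jhrozek/openscap-ocp:latest
worker-scan-ip-10-0-150-92.us-east-2.compute.internal-pod openscap-ocp quay.io/compliance-operator/openscap-ocp:1.3.3
worker-scan-ip-10-0-150-92.us-east-2.compute.internal-pod log-collector quay.io/compliance-operator/compliance-operator@sha256:0000000000000000000000000000000000000000000000000000000000000000'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_images && echo "no findings" \
    || echo "review the findings above before trusting these scan results"
```

Against the constructed inventory the first line produces three findings (personal repository, `:latest`, no digest), the 0.1.13 line one (tag instead of digest), and the pinned line none. The tag check matters even after the fix in comment 7: a tag such as `1.3.3` is still mutable on the registry side, which is why the `Image ID` digest the kubelet reports is the value worth recording and comparing across nodes.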

Comment 2 Jakub Hrozek 2020-08-03 13:47:21 UTC
PR: https://github.com/openshift/compliance-operator/pull/382

Comment 7 Prashant Dhamdhere 2020-08-27 05:54:51 UTC
It looks good: the scan pods use official repositories to get the 'openscap-ocp' image.

Verified on: 
OCP 4.6.0-0.nightly-2020-08-27-005538
compliance-operator.v0.1.13

$ grep "name:\|version" compliance-operator/deploy/olm-catalog/compliance-operator/0.1.13/compliance-operator.v0.1.13.clusterserviceversion.yaml |head -1
  name: compliance-operator.v0.1.13

$ oc get pods
NAME                                                         READY   STATUS      RESTARTS   AGE
aggregator-pod-worker-scan                                   0/1     Completed   0          7m56s
compliance-operator-869646dd4f-5vq7z                         1/1     Running     0          75m
ocp4-pp-7f89f556cc-zzmkj                                     1/1     Running     0          74m
rhcos4-pp-7c44999587-bckrn                                   1/1     Running     0          74m
worker-scan-ip-10-0-150-92.us-east-2.compute.internal-pod    0/2     Completed   0          10m
worker-scan-ip-10-0-177-228.us-east-2.compute.internal-pod   0/2     Completed   0          10m
worker-scan-ip-10-0-219-103.us-east-2.compute.internal-pod   0/2     Completed   0          10m

$ oc get compliancesuite 
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT


$  oc describe pod worker-scan-ip-10-0-150-92.us-east-2.compute.internal-pod | grep -A4 "openscap-ocp" 
  openscap-ocp:
    Container ID:  cri-o://08a9552d3f46d231dcc6ffd7698b6299bdd07eeece8b7d938f3d54ac60d800fd
    Image:         quay.io/compliance-operator/openscap-ocp:1.3.3                 <<-------
    Image ID:      quay.io/compliance-operator/openscap-ocp@sha256:fdc69e5d492a70100f40836e21f36ccb984ac134572fb5af9823c0e8fc88e11b  <<-------
    Port:          <none>
    Host Port:     <none>
    Command:
      /scripts/openscap-container-entrypoint
--
  Normal  Pulled          5m42s      kubelet, ip-10-0-150-92.us-east-2.compute.internal  Container image "quay.io/compliance-operator/openscap-ocp:1.3.3" already present on machine
  Normal  Created         5m42s      kubelet, ip-10-0-150-92.us-east-2.compute.internal  Created container openscap-ocp
  Normal  Started         5m42s      kubelet, ip-10-0-150-92.us-east-2.compute.internal  Started container openscap-ocp

Comment 9 errata-xmlrpc 2020-10-27 16:22:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

