Bug 1880411 - [OCP v46] The ComplianceSuite reports scan result 'Error' when it deploys with TailoredProfile
Summary: [OCP v46] The ComplianceSuite reports scan result 'Error' when it deploys wit...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.6
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.6.0
Assignee: Jakub Hrozek
QA Contact: Prashant Dhamdhere
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-09-18 13:11 UTC by Prashant Dhamdhere
Modified: 2020-10-27 16:43 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:42:21 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:43:32 UTC

Description Prashant Dhamdhere 2020-09-18 13:11:01 UTC
Description of problem: 


The ComplianceSuite reports scan result 'Error' when it deploys with TailoredProfile. However, 
the configmap shows scan successfully complete on nodes with exit code 2 i.e Non-Compliant 


$ oc get pods  
NAME                                                     READY   STATUS      RESTARTS   AGE 
aggregator-pod-ocp4-e8-custom                            0/1     Completed   0          62s 
compliance-operator-869646dd4f-xj5hj                     1/1     Running     0          11m 
ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-25q65-pod   0/2     Completed   0          2m57s 
ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-rj2wn-pod   0/2     Completed   0          2m58s 
ocp4-pp-6786c5f5b-dfc6f                                  1/1     Running     0          10m 
rhcos4-pp-78c8cc9d44-fj6ks                               1/1     Running     0          10m 


$ oc get compliancesuite 
NAME                           PHASE   RESULT 
mixed-compliancesuite-ocp-e8   DONE    ERROR 


$ oc describe compliancesuite mixed-compliancesuite-ocp-e8|grep "Error" 
Errormsg:  the ConfigMap 'ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-rj2wn-pod' annotation was missing the result key <<------ 


$ oc get cm 
NAME                                                     DATA   AGE 
compliance-operator-lock                                 0      11m 
ocp4-e8-custom-openscap-container-entrypoint             1      4m1s 
ocp4-e8-custom-openscap-env-map                          6      4m 
ocp4-e8-custom-openscap-env-map-platform                 4      4m 
ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-25q65-pod   2      2m11s   
ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-rj2wn-pod   2      2m15s 
ocp4-e8-tp-tp                                            1      5m8s 
tp-ocp4-e8-custom                                        1      3m53s 


$ oc describe cm ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-25q65-pod|head -20 
Name:         ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-25q65-pod 
Namespace:    openshift-compliance 
Labels:       compliance.openshift.io/scan-name=ocp4-e8-custom 
              complianceoperator.openshift.io/scan-result= 
Annotations:  compliance-remediations/processed:  
              compliance.openshift.io/scan-error-msg:  
              compliance.openshift.io/scan-result: NON-COMPLIANT   <<------ 
              openscap-scan-result/node: pdhamdhe-vsp1809-r8667-worker-25q65 
Data 
==== 
exit-code: 
---- 
2    <<------ 
results: 
---- 
<?xml version="1.0" encoding="UTF-8"?> 
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_compliance.openshift.io_profile_ocp4-e8-tp" start-time="2020-09-18T10:15:47+00:00" end-time="2020-09-18T10:15:47+00:00" version="0.1.52" test-system="cpe:/a:redhat:openscap:1.3.3"> 
          <benchmark href="/content/ssg-rhcos4-ds.xml" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"/> 
          <title>OSCAP Scan Result</title> 


Version-Release number of selected component (if applicable): 

4.6.0-0.nightly-2020-09-16-000734 


How reproducible: 

Always 


Steps to Reproduce: 

1 clone compliance-operator git repo   

$ git clone https://github.com/openshift/compliance-operator.git   

2 Create 'openshift-compliance' namespace   

$ oc create -f compliance-operator/deploy/ns.yaml     

3 Switch to 'openshift-compliance' namespace   

$ oc project openshift-compliance   

4 Deploy CustomResourceDefinition.   

$ for f in $(ls -1 compliance-operator/deploy/crds/*crd.yaml); do oc create -f $f; done   

5. Deploy compliance-operator.   

$ oc create -f compliance-operator/deploy/   

6. Create tailoredprofile and check the configmap generates. 

$ oc create -f - <<EOF 
kind: TailoredProfile 
apiVersion: compliance.openshift.io/v1alpha1 
metadata: 
  name: ocp4-e8-tp 
spec: 
  extends: ocp4-e8 
  title: | 
    NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux 
    CoreOS customized for this deployment 
  description: | 
    This compliance profile reflects the core set of Moderate-Impact 
    Baseline configuration settings for deployment of Red Hat 
    Enterprise 
    … 
  enableRules: 
    - name: ocp4-ocp-allowed-registries-for-import 
      rationale: We really need to enable this 
  disableRules: 
    - name: ocp4-ocp-idp-no-htpasswd 
      rationale: This doesn’t apply to my cluster 
EOF 


7. Generate a compliancesuite with the TailoredProfile 

$ oc create -f - <<EOF 
apiVersion: compliance.openshift.io/v1alpha1 
kind: ComplianceSuite 
metadata: 
  name: mixed-compliancesuite-ocp-e8 
spec: 
  scans: 
  - content: ssg-rhcos4-ds.xml 
    contentImage: quay.io/complianceascode/ocp4:latest 
    debug: true 
    name: ocp4-e8-custom 
    nodeSelector: 
      node-role.kubernetes.io/worker: "" 
    profile: xccdf_compliance.openshift.io_profile_ocp4-e8-tp 
    rawResultStorageRotation: 10 
    rawResultStorageSize: 2Gi 
    scanTolerations: 
    - effect: NoSchedule 
      key: node-role.kubernetes.io/master 
      operator: Exists 
    scanType: Node 
    tailoringConfigMap: 
      name: ocp4-e8-tp-tp 
EOF 

8. Wait until the scan gets complete and then check the scan result  

$ oc get pods -w 

$ oc get compliancesuite 

$ oc get compliancescan 


Actual results: 

The ComplianceSuite reports the scan result 'Error' with the following error message when it deploys with TailoredProfile 

$ oc describe compliancesuite mixed-compliancesuite-ocp-e8|grep "Error" 
Errormsg:  the ConfigMap 'ocp4-e8-custom-pdhamdhe-vsp1809-r8667-worker-rj2wn-pod' annotation was missing the result key 

Expected results: 

The ComplianceSuite should report the actual scan result instead of 'Error' when it deploys with TailoredProfile

Additional info:

Comment 1 Jakub Hrozek 2020-09-18 16:03:32 UTC
PR: https://github.com/openshift/compliance-operator/pull/453

Comment 4 Prashant Dhamdhere 2020-09-24 14:18:34 UTC
This looks good and now, the ComplianceSuite reports proper scan result i.e NON-COMPLIANT
without an error.

Verified on: 
4.6.0-0.nightly-2020-09-23-022756
Compliance Operator v0.1.17


$ oc get pods
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-869646dd4f-cfl8d   1/1     Running   0          17m
ocp4-pp-6786c5f5b-wxczd                1/1     Running   0          16m
rhcos4-pp-78c8cc9d44-gcbhc             1/1     Running   0          16m

$ oc create -f - <<EOF 
> kind: TailoredProfile 
> apiVersion: compliance.openshift.io/v1alpha1 
> metadata: 
>   name: ocp4-e8-tp 
> spec: 
>   extends: ocp4-e8 
>   title: | 
>     NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux 
>     CoreOS customized for this deployment 
>   description: | 
>     This compliance profile reflects the core set of Moderate-Impact 
>     Baseline configuration settings for deployment of Red Hat 
>     Enterprise 
>     … 
>   enableRules: 
>     - name: ocp4-ocp-allowed-registries-for-import 
>       rationale: We really need to enable this 
>   disableRules: 
>     - name: ocp4-ocp-idp-no-htpasswd 
>       rationale: This doesn’t apply to my cluster 
> EOF
tailoredprofile.compliance.openshift.io/ocp4-e8-tp created

$ oc get TailoredProfile
NAME         STATE
ocp4-e8-tp   READY


$ oc create -f - <<EOF 
> apiVersion: compliance.openshift.io/v1alpha1 
> kind: ComplianceSuite 
> metadata: 
>   name: mixed-compliancesuite-ocp-e8 
> spec: 
>   scans: 
>   - content: ssg-rhcos4-ds.xml 
>     contentImage: quay.io/complianceascode/ocp4:latest 
>     debug: true 
>     name: ocp4-e8-custom 
>     nodeSelector: 
>       node-role.kubernetes.io/worker: "" 
>     profile: xccdf_compliance.openshift.io_profile_ocp4-e8-tp 
>     rawResultStorageRotation: 10 
>     rawResultStorageSize: 2Gi 
>     scanTolerations: 
>     - effect: NoSchedule 
>       key: node-role.kubernetes.io/master 
>       operator: Exists 
>     scanType: Node 
>     tailoringConfigMap: 
>       name: ocp4-e8-tp-tp 
> EOF
compliancesuite.compliance.openshift.io/mixed-compliancesuite-ocp-e8 created

$ oc get pods
NAME                                                  READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-e8-custom                         0/1     Completed   0          45s
compliance-operator-869646dd4f-cfl8d                  1/1     Running     0          20m
ocp4-e8-custom-pdhamdhe-2409-01-6vgjg-compute-0-pod   0/2     Completed   0          95s
ocp4-e8-custom-pdhamdhe-2409-01-6vgjg-compute-1-pod   0/2     Completed   0          95s
ocp4-pp-6786c5f5b-wxczd                               1/1     Running     0          20m
rhcos4-pp-78c8cc9d44-gcbhc                            1/1     Running     0          20m

$ oc get compliancesuite 
NAME                           PHASE   RESULT
mixed-compliancesuite-ocp-e8   DONE    NON-COMPLIANT <<------

$ oc get compliancescan
NAME             PHASE   RESULT
ocp4-e8-custom   DONE    NON-COMPLIANT

$ oc describe compliancesuite mixed-compliancesuite-ocp-e8|grep -A15 "Status:"
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT
  Scan Statuses:
    Name:    ocp4-e8-custom
    Phase:   DONE
    Result:  NON-COMPLIANT
    Results Storage:
      Name:       ocp4-e8-custom
      Namespace:  openshift-compliance
Events:
  Type    Reason           Age   From       Message
  ----    ------           ----  ----       -------
  Normal  ResultAvailable  3m3s  suitectrl  The result is: NON-COMPLIANT

Comment 7 errata-xmlrpc 2020-10-27 16:42:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.