Bug 1901760
| Summary: | The compliancesuite does not trigger when there are multiple rhcos4 profiles added in scansettingbinding object | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | xiyuan |
| Component: | Compliance Operator | Assignee: | Juan Antonio Osorio <josorior> |
| Status: | CLOSED ERRATA | QA Contact: | Prashant Dhamdhere <pdhamdhe> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.6 | CC: | josorior, mrogers, nkinder, xiyuan |
| Target Milestone: | --- | Keywords: | UpcomingSprint |
| Target Release: | 4.7.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1902634 | Environment: | |
| Last Closed: | 2021-02-24 19:45:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1902634 | | |

Description
xiyuan
2020-11-26 01:37:05 UTC
[PR Pre-Merge Testing]

Looks good now. The compliancesuite object gets triggered even though there are multiple rhcos4 profiles added in the scansettingbinding object of the same product.

$ gh pr checkout 498
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Total 7 (delta 6), reused 7 (delta 6), pack-reused 0
Unpacking objects: 100% (7/7), 1.01 KiB | 57.00 KiB/s, done.
From https://github.com/openshift/compliance-operator
 * [new ref] refs/pull/498/head -> handle-products
Switched to branch 'handle-products'

$ git branch
* handle-products
  master

$ make deploy-local
Creating 'openshift-compliance' namespace/project
E1127 12:17:08.044103 191793 request.go:1001] Unexpected error when reading response body: net/http: request canceled (Client.Timeout or context cancellation while reading body)
namespace/openshift-compliance unchanged
podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile .
STEP 1: FROM golang:1.15 AS builder
Getting image source signatures
Copying blob d77915b4e630 done
Copying blob 96b2c1e36db5 done
Copying blob 756975cb9c7e done
Copying blob 145393847161 done
Copying blob 5f37a0a41b6b done
Copying blob 71dfa979a65c done
Copying blob 88a83f11b30a done
Copying config 6d8772fbd2 done
Writing manifest to image destination
Storing signatures
STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator
--> 6108d7207bf
STEP 3: ENV GOFLAGS=-mod=vendor
--> 8ad547c0850
STEP 4: COPY . .
--> 1ffc9582c98
STEP 5: RUN make manager
GOFLAGS=-mod=vendor GO111MODULE=auto go build -race -o /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator github.com/openshift/compliance-operator/cmd/manager
--> 8c5ed49bb3f
STEP 6: FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
STEP 7: ENV OPERATOR=/usr/local/bin/compliance-operator USER_UID=1001 USER_NAME=compliance-operator
--> Using cache cad1dadf97338aae70599047dd47947ae3b08798b686224383ccf1c941ba9099
--> cad1dadf973
STEP 8: COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR}
--> 89806dfcdec
STEP 9: COPY build/bin /usr/local/bin
--> da14b65353a
STEP 10: RUN /usr/local/bin/user_setup
+ mkdir -p /root
+ chown 1001:0 /root
+ chmod ug+rwx /root
+ chmod g+rw /etc/passwd
+ rm /usr/local/bin/user_setup
--> 272b69c245f
STEP 11: ENTRYPOINT ["/usr/local/bin/entrypoint"]
--> 92b892031fc
STEP 12: USER ${USER_UID}
STEP 13: COMMIT quay.io/compliance-operator/compliance-operator:latest
--> 8ed9d615d70
8ed9d615d70a78779e9bef69b2c7d5a4a8f95272f1130ff678d813fab795c1dc
podman build -t quay.io/compliance-operator/compliance-operator-bundle:latest -f bundle.Dockerfile .
STEP 1: FROM scratch
STEP 2: LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
--> 19c0108d230
STEP 3: LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
--> 43cc33cfe59
STEP 4: LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
--> c6a1f3681bc
STEP 5: LABEL operators.operatorframework.io.bundle.package.v1=compliance-operator
--> 96f8773deab
STEP 6: LABEL operators.operatorframework.io.bundle.channels.v1=alpha
--> 9ecf452b4b6
STEP 7: LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
--> 8bab849fcbf
STEP 8: COPY deploy/olm-catalog/compliance-operator/manifests /manifests/
--> e74b1506dc1
STEP 9: COPY deploy/olm-catalog/compliance-operator/metadata /metadata/
STEP 10: COMMIT quay.io/compliance-operator/compliance-operator-bundle:latest
--> 35241b478fd
35241b478fdace6349a4a6c6f91e1e0c0335dfb34ba07bb00df5647020f4dd1b
Temporarily exposing the default route to the image registry
config.imageregistry.operator.openshift.io/cluster patched
Pushing image quay.io/compliance-operator/compliance-operator:latest to the image registry
IMAGE_REGISTRY_HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}'); \
podman login "--tls-verify=false" -u kubeadmin -p sha256~UnUeldJZGA2h1axs4CYQRfB5c4t7fOVbOAL5yDdqmKs ${IMAGE_REGISTRY_HOST}; \
podman push "--tls-verify=false" quay.io/compliance-operator/compliance-operator:latest ${IMAGE_REGISTRY_HOST}/openshift/compliance-operator:latest
Login Succeeded!
Getting image source signatures
Copying blob 3a57c2c9170a done
Copying blob eddba477a8ae done
Copying blob 2ac05b8a62fe done
Copying blob f80c95f61fff done
Copying blob 1641dfd817ac done
Copying config 8ed9d615d7 done
Writing manifest to image destination
Copying config 8ed9d615d7 [--------------------------------------] 0.0b / 3.2KiB
Writing manifest to image destination
Storing signatures
Removing the route from the image registry
config.imageregistry.operator.openshift.io/cluster patched
IMAGE_FORMAT variable missing. We're in local enviornment.
customresourcedefinition.apiextensions.k8s.io/compliancecheckresults.compliance.openshift.io unchanged
customresourcedefinition.apiextensions.k8s.io/complianceremediations.compliance.openshift.io unchanged
E1127 12:26:34.283157 198601 request.go:1001] Unexpected error when reading response body: context deadline exceeded (Client.Timeout or context cancellation while reading body)
customresourcedefinition.apiextensions.k8s.io/compliancescans.compliance.openshift.io unchanged
customresourcedefinition.apiextensions.k8s.io/compliancesuites.compliance.openshift.io unchanged
customresourcedefinition.apiextensions.k8s.io/profilebundles.compliance.openshift.io unchanged
customresourcedefinition.apiextensions.k8s.io/profiles.compliance.openshift.io unchanged
customresourcedefinition.apiextensions.k8s.io/rules.compliance.openshift.io unchanged
customresourcedefinition.apiextensions.k8s.io/scansettingbindings.compliance.openshift.io unchanged
customresourcedefinition.apiextensions.k8s.io/scansettings.compliance.openshift.io unchanged
customresourcedefinition.apiextensions.k8s.io/tailoredprofiles.compliance.openshift.io unchanged
customresourcedefinition.apiextensions.k8s.io/variables.compliance.openshift.io unchanged
sed -i 's%quay.io/compliance-operator/compliance-operator:latest%image-registry.openshift-image-registry.svc:5000/openshift/compliance-operator:latest%' deploy/operator.yaml
E1127 12:28:21.806983 198776 request.go:1001] Unexpected error when reading response body: net/http: request canceled (Client.Timeout or context cancellation while reading body)
namespace/openshift-compliance unchanged
deployment.apps/compliance-operator created
role.rbac.authorization.k8s.io/compliance-operator created
clusterrole.rbac.authorization.k8s.io/compliance-operator unchanged
role.rbac.authorization.k8s.io/resultscollector created
role.rbac.authorization.k8s.io/api-resource-collector created
role.rbac.authorization.k8s.io/remediation-aggregator created
role.rbac.authorization.k8s.io/rerunner created
role.rbac.authorization.k8s.io/profileparser created
clusterrole.rbac.authorization.k8s.io/api-resource-collector unchanged
rolebinding.rbac.authorization.k8s.io/compliance-operator created
clusterrolebinding.rbac.authorization.k8s.io/compliance-operator unchanged
rolebinding.rbac.authorization.k8s.io/resultscollector created
rolebinding.rbac.authorization.k8s.io/remediation-aggregator created
clusterrolebinding.rbac.authorization.k8s.io/api-resource-collector unchanged
rolebinding.rbac.authorization.k8s.io/api-resource-collector created
rolebinding.rbac.authorization.k8s.io/rerunner created
rolebinding.rbac.authorization.k8s.io/profileparser created
serviceaccount/compliance-operator created
serviceaccount/resultscollector created
serviceaccount/remediation-aggregator created
serviceaccount/rerunner created
serviceaccount/api-resource-collector created
serviceaccount/profileparser created

$ oc get pods
NAME   READY   STATUS   RESTARTS   AGE
compliance-operator-8d6f976cf-6jpth   1/1   Running   0   2m47s
ocp4-openshift-compliance-pp-7cd9f6b64f-5rdq5   1/1   Running   0   2m2s
rhcos4-openshift-compliance-pp-999fd896f-ttmr4   1/1   Running   0   2m1s

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: rhcos4
> profiles:
>   - apiGroup: compliance.openshift.io/v1alpha1
>     kind: Profile
>     name: rhcos4-e8
>   - apiGroup: compliance.openshift.io/v1alpha1
>     kind: Profile
>     name: rhcos4-moderate
>   - apiGroup: compliance.openshift.io/v1alpha1
>     kind: Profile
>     name: rhcos4-ncp
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF
scansettingbinding.compliance.openshift.io/rhcos4 created

$ oc get pods
NAME   READY   STATUS   RESTARTS   AGE
aggregator-pod-rhcos4-e8-master   0/1   Completed   0   8m6s
aggregator-pod-rhcos4-e8-worker   0/1   Completed   0   7m16s
aggregator-pod-rhcos4-moderate-master   0/1   Completed   0   3m35s
aggregator-pod-rhcos4-moderate-worker   0/1   Completed   0   2m56s
aggregator-pod-rhcos4-ncp-master   0/1   Completed   0   3m55s
aggregator-pod-rhcos4-ncp-worker   0/1   Completed   0   3m5s
compliance-operator-8d6f976cf-6jpth   1/1   Running   0   13m
ocp4-openshift-compliance-pp-7cd9f6b64f-5rdq5   1/1   Running   0   12m
openscap-pod-3b808c8441d1f21b573fd578c2c27bba339ba1dc   0/2   Completed   0   9m28s
openscap-pod-482407ccde1ad302d0c2e3629379caccd7da6951   0/2   Completed   0   9m27s
openscap-pod-53fed41b8b545f26fa9073ff347af01946981ecb   0/2   Completed   0   9m26s
openscap-pod-592cdd5dad5758218ed2fab05e6feafec56d6a25   0/2   Completed   0   9m28s
openscap-pod-63f1ce6cb247b071856c2445b5415fb4e094f658   0/2   Completed   0   9m28s
openscap-pod-7a148aceec795e997be9e2a5d9c9874f2ba4b4b5   0/2   Completed   0   9m27s
openscap-pod-7bbe274eddede8ff39516e37e137b300dafe4728   0/2   Completed   0   9m27s
openscap-pod-89223dca20aa6f0e6170c2be48c7a34b9503ccda   0/2   Completed   0   9m27s
openscap-pod-b4c1967b0d56d7db318a6d860ec602fac9334671   0/2   Completed   0   9m27s
openscap-pod-e6142d97b20d2da184f14be4e62a316bec0630fd   0/2   Completed   0   9m27s
rhcos4-e8-master-ip-10-0-152-42.us-east-2.compute.internal-pod   0/2   Completed   0   9m28s
rhcos4-e8-master-ip-10-0-166-163.us-east-2.compute.internal-pod   0/2   Completed   0   9m28s
rhcos4-e8-master-ip-10-0-215-44.us-east-2.compute.internal-pod   0/2   Completed   0   9m28s
rhcos4-e8-worker-ip-10-0-155-209.us-east-2.compute.internal-pod   0/2   Completed   0   9m28s
rhcos4-e8-worker-ip-10-0-189-208.us-east-2.compute.internal-pod   0/2   Completed   0   9m28s
rhcos4-e8-worker-ip-10-0-220-208.us-east-2.compute.internal-pod   0/2   Completed   0   9m28s
rhcos4-ncp-master-ip-10-0-152-42.us-east-2.compute.internal-pod   0/2   Completed   0   9m26s
rhcos4-ncp-master-ip-10-0-215-44.us-east-2.compute.internal-pod   0/2   Completed   0   9m26s
rhcos4-openshift-compliance-pp-999fd896f-ttmr4   1/1   Running   0   12m

$ oc describe scansettingbindings.compliance.openshift.io rhcos4
Name:         rhcos4
Namespace:    openshift-compliance
Labels:       <none>
Annotations:  <none>
API Version:  compliance.openshift.io/v1alpha1
Kind:         ScanSettingBinding
Metadata:
  Creation Timestamp:  2020-11-27T07:02:15Z
  Generation:          1
  Managed Fields:
    API Version:  compliance.openshift.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:profiles:
      f:settingsRef:
        .:
        f:apiGroup:
        f:kind:
        f:name:
    Manager:         kubectl-create
    Operation:       Update
    Time:            2020-11-27T07:02:15Z
  Resource Version:  120990
  Self Link:         /apis/compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/scansettingbindings/rhcos4
  UID:               9290a2c8-70ed-4edd-b821-5861768fa1c1
Profiles:
  API Group:  compliance.openshift.io/v1alpha1
  Kind:       Profile
  Name:       rhcos4-e8
  API Group:  compliance.openshift.io/v1alpha1
  Kind:       Profile
  Name:       rhcos4-moderate
  API Group:  compliance.openshift.io/v1alpha1
  Kind:       Profile
  Name:       rhcos4-ncp
Settings Ref:
  API Group:  compliance.openshift.io/v1alpha1
  Kind:       ScanSetting
  Name:       default
Events:
  Type    Reason           Age                From                    Message
  ----    ------           ----               ----                    -------
  Normal  SuiteCreated     24m                scansettingbindingctrl  ComplianceSuite openshift-compliance/rhcos4 created
  Normal  ResultAvailable  17m (x2 over 17m)  scansettingbindingctrl  The result is: NON-COMPLIANT

$ oc get compliancesuite
NAME   PHASE   RESULT
rhcos4   DONE   NON-COMPLIANT

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7 compliance-operator image update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0435