Description of problem:
The compliancesuite object returns the result as ERROR with an ocp4-cis tailored profile.

Version-Release number of selected component (if applicable):
4.6.5-x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install the compliance operator.

2. Create a tailoredprofile from ocp4-cis:

$ oc create -f - <<EOF
kind: TailoredProfile
apiVersion: compliance.openshift.io/v1alpha1
metadata:
  name: ocp4-cis-custom
spec:
  extends: ocp4-cis
  title: CIS node custom
  description: |
    This profile defines a baseline that aligns to the Center for Internet Security®
    Red Hat OpenShift Container Platform 4 Benchmark
  enableRules:
    - name: ocp4-scc-limit-root-containers
      rationale: We really need to enable this
    - name: ocp4-scheduler-no-bind-address
      rationale: We really need to enable this
  disableRules:
    - name: ocp4-api-server-encryption-provider-cipher
      rationale: This doesn’t apply to my cluster
    - name: ocp4-scc-drop-container-capabilities
      rationale: This doesn’t apply to my cluster
EOF

3. Create a scansetting:

$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: myss
# Suite-specific settings
autoApplyRemediations: true
schedule: "0 1 * * *"
# Scan-specific settings
rawResultStorage:
  size: "2Gi"
  rotation: 5
# For each role, a separate scan will be created pointing
# to a node-role specified in roles
roles:
  - master
EOF

4. Generate a compliancesuite through a new ScanSettingBinding CR:

$ oc create -f - << EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-companys-compliance-requirements
profiles:
  # Node checks
  - name: ocp4-cis-custom
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
  # Cluster checks
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: myss
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF

Actual results:
The compliancesuite returns an error: "No profile matching suffix "xccdf_compliance.openshift.io_profile_ocp4-cis-custom" was found."

$ oc get compliancesuite
NAME                                  PHASE   RESULT
my-companys-compliance-requirements   DONE    ERROR

$ oc describe compliancesuite my-companys-compliance-requirements | tail
    Name:    ocp4-cis-node-master
    Phase:   DONE
    Result:  COMPLIANT
    Results Storage:
      Name:       ocp4-cis-node-master
      Namespace:  openshift-compliance
Events:
  Type    Reason           Age                From       Message
  ----    ------           ----               ----       -------
  Normal  ResultAvailable  51m (x2 over 51m)  suitectrl  The result is: ERROR

$ oc get scansettingbindings.compliance.openshift.io ...
Status:
  Phase:   DONE
  Result:  ERROR
  Scan Statuses:
    Errormsg:  No profile matching suffix "xccdf_compliance.openshift.io_profile_ocp4-cis-custom" was found. Get available profiles using: $ oscap info "/content/ssg-ocp4-ds.xml"
    Name:      ocp4-cis-custom
    Phase:     DONE
    Result:    ERROR
    Results Storage:
      Name:       ocp4-cis-custom
      Namespace:  openshift-compliance
    Name:      ocp4-cis-node-master
    Phase:     DONE
    Result:    COMPLIANT
    Results Storage:
      Name:       ocp4-cis-node-master
      Namespace:  openshift-compliance
Events:
  Type    Reason           Age                From       Message
  ----    ------           ----               ----       -------
  Normal  ResultAvailable  51m (x2 over 51m)  suitectrl  The result is: ERROR

Expected results:
The compliancesuite object reports a relevant result; it should be either COMPLIANT or NON-COMPLIANT.

Additional info:
This should be due to ocp4-cis being targeted for a platform scan.
[PR Pre-Merge Testing] This looks good. Now the compliance scan is performed successfully with the ocp4-cis tailored profile, without any error.

$ gh pr checkout 511
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 22 (delta 18), reused 22 (delta 18), pack-reused 0
Unpacking objects: 100% (22/22), 3.48 KiB | 122.00 KiB/s, done.
From https://github.com/openshift/compliance-operator
 * [new ref]         refs/pull/511/head -> platform-tailor
Switched to branch 'platform-tailor'

$ git branch
  handle-products
  master
* platform-tailor

$ make deploy-local
Creating 'openshift-compliance' namespace/project
namespace/openshift-compliance unchanged
podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile .
STEP 1: FROM golang:1.15 AS builder
STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator
--> Using cache 6108d7207bf73d3088c41058489867512a6c496324a355045ef48d486b924fa4
--> 6108d7207bf
STEP 3: ENV GOFLAGS=-mod=vendor
--> Using cache 8ad547c085058b172380029a7687661e6f2f86dfa7bb12b0d029d8284a2a363b
--> 8ad547c0850
STEP 4: COPY . .
--> 6c71723d158
STEP 5: RUN make manager
GOFLAGS=-mod=vendor GO111MODULE=auto go build -race -o /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator github.com/openshift/compliance-operator/cmd/manager
--> a08eeb47225
STEP 6: FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
STEP 7: ENV OPERATOR=/usr/local/bin/compliance-operator USER_UID=1001 USER_NAME=compliance-operator
--> Using cache cad1dadf97338aae70599047dd47947ae3b08798b686224383ccf1c941ba9099
--> cad1dadf973
STEP 8: COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR}
--> Using cache 7f73554cbe0f65eee012a1db2962383424374406d6e0f22ddb28b77f6b23d8ff
--> 7f73554cbe0
STEP 9: COPY build/bin /usr/local/bin
--> Using cache 02c463eb68fba9365dfb4ca747dc4c164059e575f8e96898907cd98eba658834
--> 02c463eb68f
STEP 10: RUN /usr/local/bin/user_setup
--> Using cache 95fe0a264956ccfd3149fd1b156df03d2b4725383d096a8735c5b2e353ecf192
--> 95fe0a26495
STEP 11: ENTRYPOINT ["/usr/local/bin/entrypoint"]
--> Using cache 3432e444ec2a0494ce20072c5f67d0b0a1d0898365ddb93c05d3e9bacec7913a
--> 3432e444ec2
STEP 12: USER ${USER_UID}
--> Using cache e49ea743378a9b5182688c9f99fe13c04bbd3059026ae834a8a622a723ba1e19
STEP 13: COMMIT quay.io/compliance-operator/compliance-operator:latest
--> e49ea743378
e49ea743378a9b5182688c9f99fe13c04bbd3059026ae834a8a622a723ba1e19
podman build -t quay.io/compliance-operator/compliance-operator-bundle:latest -f bundle.Dockerfile .
STEP 1: FROM scratch
STEP 2: LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
--> Using cache 19c0108d23041f78bd69b187edc43c2d37942056cef1ba1244589a1109aaf843
--> 19c0108d230
STEP 3: LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
--> Using cache 43cc33cfe59fca6121f3eb97f0b1e6960afb1d326d47db4a2f5b0d2a065a2baa
--> 43cc33cfe59
STEP 4: LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
--> Using cache c6a1f3681bc55bb1a5bf64593bece6376fedbffe2f915cb02fba57f78985902f
--> c6a1f3681bc
STEP 5: LABEL operators.operatorframework.io.bundle.package.v1=compliance-operator
--> Using cache 96f8773deabdd5ccb35bda484adda75fdbf7edc3bf6386e3fd9617364a1fae6d
--> 96f8773deab
STEP 6: LABEL operators.operatorframework.io.bundle.channels.v1=alpha
--> Using cache 9ecf452b4b6165399b9645a8d26b0ff859859dbae006fd46f0392991b834b21b
--> 9ecf452b4b6
STEP 7: LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
--> Using cache 8bab849fcbff2df5620eac82b541e22bd61c9fd71f5e077e330576f7a3feeb16
--> 8bab849fcbf
STEP 8: COPY deploy/olm-catalog/compliance-operator/manifests /manifests/
--> Using cache 464e899b365cacf8e56f131f99ba449cc0dce46eb32c2d314659a6e4e5433d3e
--> 464e899b365
STEP 9: COPY deploy/olm-catalog/compliance-operator/metadata /metadata/
--> Using cache 96419a63bae05d86bcaa1f55295cc929592ad6852ccaf971865ad4167014da96
STEP 10: COMMIT quay.io/compliance-operator/compliance-operator-bundle:latest
--> 96419a63bae
96419a63bae05d86bcaa1f55295cc929592ad6852ccaf971865ad4167014da96
Temporarily exposing the default route to the image registry
config.imageregistry.operator.openshift.io/cluster patched (no change)
Pushing image quay.io/compliance-operator/compliance-operator:latest to the image registry
IMAGE_REGISTRY_HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}'); \
	podman login "--tls-verify=false" -u kubeadmin -p sha256~_7DelGZ9vhV-RXChSr_gReftxD7CxTdx07fYNYOnWq4 ${IMAGE_REGISTRY_HOST}; \
	podman push "--tls-verify=false" quay.io/compliance-operator/compliance-operator:latest ${IMAGE_REGISTRY_HOST}/openshift/compliance-operator:latest
Login Succeeded!
Getting image source signatures
Copying blob 9b1c9ecc4bf9 done
Copying blob be32102a0cb4 done
Copying blob f80c95f61fff done
Copying blob 67e9782edeaa done
Copying blob eddba477a8ae done
Copying config e49ea74337 done
Writing manifest to image destination
Copying config e49ea74337 [--------------------------------------] 0.0b / 3.2KiB
Writing manifest to image destination
Storing signatures
Removing the route from the image registry
config.imageregistry.operator.openshift.io/cluster patched
IMAGE_FORMAT variable missing. We're in local enviornment.
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/compliancecheckresults.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/complianceremediations.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/compliancescans.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/compliancesuites.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/profilebundles.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/profiles.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/rules.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/scansettingbindings.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/scansettings.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/tailoredprofiles.compliance.openshift.io configured
Warning: oc apply should be used on resource created by either oc create --save-config or oc apply
customresourcedefinition.apiextensions.k8s.io/variables.compliance.openshift.io configured
sed -i 's%quay.io/compliance-operator/compliance-operator:latest%image-registry.openshift-image-registry.svc:5000/openshift/compliance-operator:latest%' deploy/operator.yaml
namespace/openshift-compliance unchanged
deployment.apps/compliance-operator created
role.rbac.authorization.k8s.io/compliance-operator created
clusterrole.rbac.authorization.k8s.io/compliance-operator created
role.rbac.authorization.k8s.io/resultscollector created
role.rbac.authorization.k8s.io/api-resource-collector created
role.rbac.authorization.k8s.io/remediation-aggregator created
role.rbac.authorization.k8s.io/rerunner created
role.rbac.authorization.k8s.io/profileparser created
clusterrole.rbac.authorization.k8s.io/api-resource-collector created
rolebinding.rbac.authorization.k8s.io/compliance-operator created
clusterrolebinding.rbac.authorization.k8s.io/compliance-operator created
rolebinding.rbac.authorization.k8s.io/resultscollector created
rolebinding.rbac.authorization.k8s.io/remediation-aggregator created
clusterrolebinding.rbac.authorization.k8s.io/api-resource-collector created
rolebinding.rbac.authorization.k8s.io/api-resource-collector created
rolebinding.rbac.authorization.k8s.io/rerunner created
rolebinding.rbac.authorization.k8s.io/profileparser created
serviceaccount/compliance-operator created
serviceaccount/resultscollector created
serviceaccount/remediation-aggregator created
serviceaccount/rerunner created
serviceaccount/api-resource-collector created
serviceaccount/profileparser created

$ oc get pods
NAME                                             READY   STATUS    RESTARTS   AGE
compliance-operator-8d6f976cf-f4tb5              1/1     Running   0          3m3s
ocp4-openshift-compliance-pp-7cd9f6b64f-csqhk    1/1     Running   0          2m18s
rhcos4-openshift-compliance-pp-999fd896f-z7ccg   1/1     Running   0          2m18s

$ oc create -f - <<EOF
> kind: TailoredProfile
> apiVersion: compliance.openshift.io/v1alpha1
> metadata:
>   name: ocp4-cis-custom
> spec:
>   extends: ocp4-cis
>   title: CIS node custom
>   description: |
>     This profile defines a baseline that aligns to the Center for Internet Security®
>     Red Hat OpenShift Container Platform 4 Benchmark
>   enableRules:
>     - name: ocp4-scc-limit-root-containers
>       rationale: We really need to enable this
>     - name: ocp4-scheduler-no-bind-address
>       rationale: We really need to enable this
>   disableRules:
>     - name: ocp4-api-server-encryption-provider-cipher
>       rationale: This doesn’t apply to my cluster
>     - name: ocp4-scc-drop-container-capabilities
>       rationale: This doesn’t apply to my cluster
> EOF
tailoredprofile.compliance.openshift.io/ocp4-cis-custom created

$ oc get TailoredProfile
NAME              STATE
ocp4-cis-custom   READY

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSetting
> metadata:
>   name: myss
> # Suite-specific settings
> autoApplyRemediations: true
> schedule: "0 1 * * *"
> # Scan-specific settings
> rawResultStorage:
>   size: "2Gi"
>   rotation: 5
> # For each role, a separate scan will be created pointing
> # to a node-role specified in roles
> roles:
>   - master
> EOF
scansetting.compliance.openshift.io/myss created

$ oc get ScanSetting
NAME      AGE
default   4m28s
myss      7s

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-companys-compliance-requirements
> profiles:
>   # Node checks
>   - name: ocp4-cis-custom
>     kind: TailoredProfile
>     apiGroup: compliance.openshift.io/v1alpha1
>   # Cluster checks
>   - name: ocp4-cis-node
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: myss
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-companys-compliance-requirements created

$ oc get scansettingbindings.compliance.openshift.io
NAME                                  AGE
my-companys-compliance-requirements   3m20s

$ oc get pods
NAME                                                     READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis-custom                           0/1     Completed   0          69s
aggregator-pod-ocp4-cis-node-master                      0/1     Completed   0          69s
compliance-operator-8d6f976cf-f4tb5                      1/1     Running     0          7m29s
ocp4-cis-custom-api-checks-pod                           0/2     Completed   0          99s
ocp4-openshift-compliance-pp-7cd9f6b64f-csqhk            1/1     Running     0          6m44s
openscap-pod-01277a3ea89d63f0732b215d9473d70cbe1b3a92    0/2     Completed   0          99s
openscap-pod-7e06f2a926e17134a406f56a4493ef39450cee9d    0/2     Completed   0          99s
openscap-pod-f438aed9ffa726e60eac6e7867b544ecdf878bb7    0/2     Completed   0          99s
rhcos4-openshift-compliance-pp-999fd896f-z7ccg           1/1     Running     0          6m44s

$ oc get compliancescan
NAME                   PHASE   RESULT
ocp4-cis-custom        DONE    NON-COMPLIANT
ocp4-cis-node-master   DONE    NON-COMPLIANT

$ oc get compliancesuite
NAME                                  PHASE   RESULT
my-companys-compliance-requirements   DONE    NON-COMPLIANT

$ oc describe scansettingbindings my-companys-compliance-requirements | tail -15
    API Group:  compliance.openshift.io/v1alpha1
    Kind:       TailoredProfile
    Name:       ocp4-cis-custom
    API Group:  compliance.openshift.io/v1alpha1
    Kind:       Profile
    Name:       ocp4-cis-node
  Settings Ref:
    API Group:  compliance.openshift.io/v1alpha1
    Kind:       ScanSetting
    Name:       myss
Events:
  Type    Reason           Age                  From                    Message
  ----    ------           ----                 ----                    -------
  Normal  SuiteCreated     5m18s                scansettingbindingctrl  ComplianceSuite openshift-compliance/my-companys-compliance-requirements created
  Normal  ResultAvailable  4m3s (x2 over 4m4s)  scansettingbindingctrl  The result is: NON-COMPLIANT

$ oc describe compliancesuite my-companys-compliance-requirements | tail -20
Status:
  Phase:   DONE
  Result:  NON-COMPLIANT
  Scan Statuses:
    Name:    ocp4-cis-custom
    Phase:   DONE
    Result:  NON-COMPLIANT
    Results Storage:
      Name:       ocp4-cis-custom
      Namespace:  openshift-compliance
    Name:    ocp4-cis-node-master
    Phase:   DONE
    Result:  NON-COMPLIANT
    Results Storage:
      Name:       ocp4-cis-node-master
      Namespace:  openshift-compliance
Events:
  Type    Reason           Age                    From       Message
  ----    ------           ----                   ----       -------
  Normal  ResultAvailable  4m34s (x6 over 4m36s)  suitectrl  The result is: NON-COMPLIANT
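The report hinges on one fact the reporter notes under "Additional info": ocp4-cis is a Platform profile, so a TailoredProfile extending it must produce a platform scan (named `ocp4-cis-custom`, no role suffix), while `ocp4-cis-node` yields one node scan per ScanSetting role (`ocp4-cis-node-master`). The Python below is an added example, not code from the compliance-operator project: it models how a ScanSettingBinding resolves to expected ComplianceScans and then triages a ComplianceSuite status like the one in the description, flagging the "No profile matching suffix" error. It assumes the `compliance.openshift.io/product-type` annotation carries the Platform/Node type, that a TailoredProfile inherits the type of the profile it extends, and the `<profile>-<role>` naming rule; the sample Profile XCCDF ids and the status dict are constructed from what the report shows.

```python
"""Expected ComplianceScans for a ScanSettingBinding, plus ComplianceSuite triage.

Added example, not compliance-operator code. Assumptions (see lead-in):
  * scan type comes from the compliance.openshift.io/product-type annotation;
  * a TailoredProfile inherits the type of the Profile it extends;
  * Platform -> one scan named after the profile, Node -> one scan per role
    named "<profile>-<role>";
  * a TailoredProfile's XCCDF id is "xccdf_compliance.openshift.io_profile_<name>"
    (the suffix quoted in the report's error message).
"""
from dataclasses import dataclass
from typing import Dict, List

PRODUCT_TYPE_ANNOTATION = "compliance.openshift.io/product-type"  # assumed annotation key
TAILORED_ID_PREFIX = "xccdf_compliance.openshift.io_profile_"      # from the error message


@dataclass(frozen=True)
class Profile:
    name: str
    xccdf_id: str
    annotations: Dict[str, str]


@dataclass(frozen=True)
class TailoredProfile:
    name: str
    extends: str


@dataclass(frozen=True)
class ExpectedScan:
    name: str
    product_type: str
    xccdf_id: str
    tailored: bool


def resolve_profile(kind: str, name: str, profiles: Dict[str, Profile],
                    tailored: Dict[str, TailoredProfile]):
    """Map one binding entry to (product type, XCCDF profile id, is_tailored)."""
    if kind == "Profile":
        p = profiles[name]
        return p.annotations[PRODUCT_TYPE_ANNOTATION], p.xccdf_id, False
    if kind == "TailoredProfile":
        base = profiles[tailored[name].extends]  # type is inherited from the base profile
        return base.annotations[PRODUCT_TYPE_ANNOTATION], TAILORED_ID_PREFIX + name, True
    raise ValueError(f"unsupported profile kind: {kind!r}")


def expected_scans(binding_profiles, roles, profiles, tailored) -> List[ExpectedScan]:
    """Scans the suite should contain for a binding and the ScanSetting's roles."""
    scans: List[ExpectedScan] = []
    for entry in binding_profiles:
        ptype, xid, is_tailored = resolve_profile(entry["kind"], entry["name"], profiles, tailored)
        if ptype == "Platform":
            scans.append(ExpectedScan(entry["name"], ptype, xid, is_tailored))
        else:
            scans.extend(ExpectedScan(f"{entry['name']}-{role}", ptype, xid, is_tailored)
                         for role in roles)
    return scans


def triage_suite(status: dict) -> dict:
    """Summarise a ComplianceSuite .status (as from `oc get -o json`) and flag errored scans."""
    per_scan = {s["name"]: s.get("result") for s in status.get("scanStatuses", [])}
    problems = []
    for s in status.get("scanStatuses", []):
        if s.get("result") != "ERROR":
            continue
        msg = s.get("errormsg", "")
        if "No profile matching suffix" in msg:
            hint = ("tailored profile id not present in the datastream the scanner loaded; "
                    "confirm the TailoredProfile is READY and check whether its base profile "
                    "is a Platform profile, as ocp4-cis is in this report")
        else:
            hint = "inspect errormsg and the scan pod logs"
        problems.append({"scan": s["name"], "errormsg": msg, "hint": hint})
    return {"result": status.get("result"), "scans": per_scan, "problems": problems}


# Constructed sample data mirroring the report (Profile XCCDF ids are illustrative).
PROFILES = {
    "ocp4-cis": Profile("ocp4-cis", "xccdf_org.ssgproject.content_profile_cis",
                        {PRODUCT_TYPE_ANNOTATION: "Platform"}),
    "ocp4-cis-node": Profile("ocp4-cis-node", "xccdf_org.ssgproject.content_profile_cis-node",
                             {PRODUCT_TYPE_ANNOTATION: "Node"}),
}
TAILORED = {"ocp4-cis-custom": TailoredProfile("ocp4-cis-custom", extends="ocp4-cis")}
ROLES = ["master"]  # from the ScanSetting "myss"
BINDING_PROFILES = [
    {"name": "ocp4-cis-custom", "kind": "TailoredProfile"},
    {"name": "ocp4-cis-node", "kind": "Profile"},
]
SUITE_STATUS_BEFORE_FIX = {
    "phase": "DONE", "result": "ERROR",
    "scanStatuses": [
        {"name": "ocp4-cis-custom", "phase": "DONE", "result": "ERROR",
         "errormsg": 'No profile matching suffix "xccdf_compliance.openshift.io_profile_ocp4-cis-custom" was found.'},
        {"name": "ocp4-cis-node-master", "phase": "DONE", "result": "COMPLIANT"},
    ],
}

if __name__ == "__main__":
    for scan in expected_scans(BINDING_PROFILES, ROLES, PROFILES, TAILORED):
        print(scan)
    print(triage_suite(SUITE_STATUS_BEFORE_FIX))
```

Running it against a live cluster means feeding `triage_suite` the `.status` of `oc get compliancesuite <name> -o json`; the expected-scan list is the quick way to see that the two scan names the tester observed after the fix (`ocp4-cis-custom` and `ocp4-cis-node-master`) are exactly what a Platform tailored profile plus a Node profile with one role should yield.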
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.7 compliance-operator image update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0435