Bug 1907410
| Summary: | [OCP v47] Not all remediations get applied through machineConfig although the status of all rules shows Applied in ComplianceRemediations object | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Prashant Dhamdhere <pdhamdhe> |
| Component: | Compliance Operator | Assignee: | Juan Antonio Osorio <josorior> |
| Status: | CLOSED ERRATA | QA Contact: | Prashant Dhamdhere <pdhamdhe> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.7 | CC: | jhrozek, josorior, mrogers, xiyuan |
| Target Milestone: | --- | Keywords: | UpcomingSprint |
| Target Release: | 4.7.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1907414 (view as bug list) | Environment: | |
| Last Closed: | 2021-02-24 19:45:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1907414 | | |
Now, the complianceSuite object creates a separate machineConfig for all remediation rules to get applied on nodes, and the status of all rules shows Applied in the ComplianceRemediations object as well. However, the machineConfig object has the prefix "75-worker-scan-worker-scan-", but I would prefer to have the complianceSuite object name along with the complianceScan name as the prefix to avoid conflicts. Also, there are a total of 102 remediation rules for which the complianceSuite created 102 machineConfig objects, but we do not have a way to delete them all at once. We should add the complianceSuite object name to the machineConfig object name.

Verified on:
4.7.0-0.nightly-2020-12-14-165231

$ gh pr checkout 527
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 18 (delta 11), reused 15 (delta 11), pack-reused 3
Unpacking objects: 100% (18/18), 5.05 KiB | 397.00 KiB/s, done.
From https://github.com/openshift/compliance-operator
 * [new ref] refs/pull/527/head -> fresh-rems
Switched to branch 'fresh-rems'

A new release of gh is available: 1.3.0 → v1.3.1
https://github.com/cli/cli/releases/tag/v1.3.1

$ git branch
* fresh-rems
 handle-products
 master
 platform-tailor

$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.7.0-0.nightly-2020-12-14-165231 True False 141m Cluster version is 4.7.0-0.nightly-2020-12-14-165231

$ make deploy-local
Creating 'openshift-compliance' namespace/project
namespace/openshift-compliance created
podman build -t quay.io/compliance-operator/compliance-operator:latest -f build/Dockerfile .
STEP 1: FROM golang:1.15 AS builder
STEP 2: WORKDIR /go/src/github.com/openshift/compliance-operator
--> Using cache 6108d7207bf73d3088c41058489867512a6c496324a355045ef48d486b924fa4
--> 6108d7207bf
STEP 3: ENV GOFLAGS=-mod=vendor
--> Using cache 8ad547c085058b172380029a7687661e6f2f86dfa7bb12b0d029d8284a2a363b
--> 8ad547c0850
STEP 4: COPY . .
--> 1cc6c042852
STEP 5: RUN make manager
GOFLAGS=-mod=vendor GO111MODULE=auto go build -race -o /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator github.com/openshift/compliance-operator/cmd/manager
--> 2c7ae05a46f
STEP 6: FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
STEP 7: ENV OPERATOR=/usr/local/bin/compliance-operator USER_UID=1001 USER_NAME=compliance-operator
--> Using cache cad1dadf97338aae70599047dd47947ae3b08798b686224383ccf1c941ba9099
--> cad1dadf973
STEP 8: COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR}
--> 4881983c3f2
STEP 9: COPY build/bin /usr/local/bin
--> c40b1532c6c
STEP 10: RUN /usr/local/bin/user_setup
+ mkdir -p /root
+ chown 1001:0 /root
+ chmod ug+rwx /root
+ chmod g+rw /etc/passwd
+ rm /usr/local/bin/user_setup
--> bcde91a4cdc
STEP 11: ENTRYPOINT ["/usr/local/bin/entrypoint"]
--> 950a4f25b3a
STEP 12: USER ${USER_UID}
STEP 13: COMMIT quay.io/compliance-operator/compliance-operator:latest
--> 8d16e63e56c
8d16e63e56c62db85f77a44386609348a2d3942b4b40286ad7251ad195fca577
podman build -t quay.io/compliance-operator/compliance-operator-bundle:latest -f bundle.Dockerfile .
STEP 1: FROM scratch
STEP 2: LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
--> Using cache 19c0108d23041f78bd69b187edc43c2d37942056cef1ba1244589a1109aaf843
--> 19c0108d230
STEP 3: LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
--> Using cache 43cc33cfe59fca6121f3eb97f0b1e6960afb1d326d47db4a2f5b0d2a065a2baa
--> 43cc33cfe59
STEP 4: LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
--> Using cache c6a1f3681bc55bb1a5bf64593bece6376fedbffe2f915cb02fba57f78985902f
--> c6a1f3681bc
STEP 5: LABEL operators.operatorframework.io.bundle.package.v1=compliance-operator
--> Using cache 96f8773deabdd5ccb35bda484adda75fdbf7edc3bf6386e3fd9617364a1fae6d
--> 96f8773deab
STEP 6: LABEL operators.operatorframework.io.bundle.channels.v1=alpha
--> Using cache 9ecf452b4b6165399b9645a8d26b0ff859859dbae006fd46f0392991b834b21b
--> 9ecf452b4b6
STEP 7: LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha
--> Using cache 8bab849fcbff2df5620eac82b541e22bd61c9fd71f5e077e330576f7a3feeb16
--> 8bab849fcbf
STEP 8: COPY deploy/olm-catalog/compliance-operator/manifests /manifests/
--> Using cache 6d6dc877962ed1f9dcb1dfcab6be26d47dd548eeccf40666463f100fdec60527
--> 6d6dc877962
STEP 9: COPY deploy/olm-catalog/compliance-operator/metadata /metadata/
--> Using cache 94ac4283cb230bfed10fb256ebbaa65ba793d136972140c5c7e613f4cfc877c1
STEP 10: COMMIT quay.io/compliance-operator/compliance-operator-bundle:latest
--> 94ac4283cb2
94ac4283cb230bfed10fb256ebbaa65ba793d136972140c5c7e613f4cfc877c1
Temporarily exposing the default route to the image registry
config.imageregistry.operator.openshift.io/cluster patched
Pushing image quay.io/compliance-operator/compliance-operator:latest to the image registry
IMAGE_REGISTRY_HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}'); \
podman login "--tls-verify=false" -u kubeadmin -p sha256~ARRe0o9yuCOFshyhOjrUcNHxVmp6trPN6LbnBIG6DJ0 ${IMAGE_REGISTRY_HOST}; \
podman push "--tls-verify=false" quay.io/compliance-operator/compliance-operator:latest ${IMAGE_REGISTRY_HOST}/openshift/compliance-operator:latest
Login Succeeded!
Getting image source signatures
Copying blob c699d221ac5d done
Copying blob 4a9bb8bc454d done
Copying blob d1ef0556fedb done
Copying blob f80c95f61fff done
Copying blob eddba477a8ae done
Copying config 8d16e63e56 done
Writing manifest to image destination
Copying config 8d16e63e56 [--------------------------------------] 0.0b / 3.2KiB
Writing manifest to image destination
Storing signatures
Removing the route from the image registry
config.imageregistry.operator.openshift.io/cluster patched
IMAGE_FORMAT variable missing. We're in local enviornment.
customresourcedefinition.apiextensions.k8s.io/compliancecheckresults.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/complianceremediations.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/compliancescans.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/compliancesuites.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/profilebundles.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/profiles.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/rules.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/scansettingbindings.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/scansettings.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/tailoredprofiles.compliance.openshift.io created
customresourcedefinition.apiextensions.k8s.io/variables.compliance.openshift.io created
sed -i 's%quay.io/compliance-operator/compliance-operator:latest%image-registry.openshift-image-registry.svc:5000/openshift/compliance-operator:latest%' deploy/operator.yaml
namespace/openshift-compliance unchanged
deployment.apps/compliance-operator created
role.rbac.authorization.k8s.io/compliance-operator created
clusterrole.rbac.authorization.k8s.io/compliance-operator created
role.rbac.authorization.k8s.io/resultscollector created
role.rbac.authorization.k8s.io/api-resource-collector created
role.rbac.authorization.k8s.io/remediation-aggregator created
role.rbac.authorization.k8s.io/rerunner created
role.rbac.authorization.k8s.io/profileparser created
clusterrole.rbac.authorization.k8s.io/api-resource-collector created
rolebinding.rbac.authorization.k8s.io/compliance-operator created
clusterrolebinding.rbac.authorization.k8s.io/compliance-operator created
rolebinding.rbac.authorization.k8s.io/resultscollector created
rolebinding.rbac.authorization.k8s.io/remediation-aggregator created
clusterrolebinding.rbac.authorization.k8s.io/api-resource-collector created
rolebinding.rbac.authorization.k8s.io/api-resource-collector created
rolebinding.rbac.authorization.k8s.io/rerunner created
rolebinding.rbac.authorization.k8s.io/profileparser created
serviceaccount/compliance-operator created
serviceaccount/resultscollector created
serviceaccount/remediation-aggregator created
serviceaccount/rerunner created
serviceaccount/api-resource-collector created
serviceaccount/profileparser created
deployment.apps/compliance-operator triggers updated

$ oc get pod -nopenshift-compliance
NAME READY STATUS RESTARTS AGE
compliance-operator-66584bc57f-q7vb9 1/1 Running 0 3m28s
ocp4-openshift-compliance-pp-7cd9f6b64f-qc22b 1/1 Running 0 2m42s
rhcos4-openshift-compliance-pp-999fd896f-scvhj 1/1 Running 0 2m42s

$ oc create -f /tmp/e2e-test-compliance-zsiwoivl-db68w-uqpxgui1isc-config.json
compliancesuite.compliance.openshift.io/worker-compliancesuite created

$ oc get pods -nopenshift-compliance
NAME READY STATUS RESTARTS AGE
aggregator-pod-worker-scan 0/1 Completed 0 50s
compliance-operator-66584bc57f-q7vb9 1/1 Running 0 12m
ocp4-openshift-compliance-pp-7cd9f6b64f-qc22b 1/1 Running 0 11m
rhcos4-openshift-compliance-pp-999fd896f-scvhj 1/1 Running 0 11m
worker-scan-ip-10-0-135-113.us-east-2.compute.internal-pod 0/2 Completed 0 4m30s
worker-scan-ip-10-0-163-50.us-east-2.compute.internal-pod 0/2 Completed 0 4m30s
worker-scan-ip-10-0-195-157.us-east-2.compute.internal-pod 0/2 Completed 0 4m30s

$ oc get compliancesuite -nopenshift-compliance
NAME PHASE RESULT
worker-compliancesuite DONE NON-COMPLIANT

$ oc get complianceremediations -nopenshift-compliance |grep -v "NAME"
worker-scan-audit-rules-dac-modification-chmod Applied
worker-scan-audit-rules-dac-modification-chown Applied
worker-scan-audit-rules-dac-modification-fchmod Applied
worker-scan-audit-rules-dac-modification-fchmodat Applied
worker-scan-audit-rules-dac-modification-fchown Applied
worker-scan-audit-rules-dac-modification-fchownat Applied
worker-scan-audit-rules-dac-modification-fremovexattr Applied
worker-scan-audit-rules-dac-modification-fsetxattr Applied
worker-scan-audit-rules-dac-modification-lchown Applied
worker-scan-audit-rules-dac-modification-lremovexattr Applied
worker-scan-audit-rules-dac-modification-lsetxattr Applied
worker-scan-audit-rules-dac-modification-removexattr Applied
worker-scan-audit-rules-dac-modification-setxattr Applied
worker-scan-audit-rules-execution-chcon Applied
worker-scan-audit-rules-execution-restorecon Applied
worker-scan-audit-rules-execution-semanage Applied
worker-scan-audit-rules-execution-setfiles Applied
worker-scan-audit-rules-execution-setsebool Applied
worker-scan-audit-rules-execution-seunshare Applied
worker-scan-audit-rules-login-events-faillock Applied
worker-scan-audit-rules-login-events-lastlog Applied
worker-scan-audit-rules-login-events-tallylog Applied
worker-scan-audit-rules-media-export Applied
worker-scan-audit-rules-networkconfig-modification Applied
worker-scan-audit-rules-privileged-commands-at Applied
worker-scan-audit-rules-privileged-commands-chage Applied
worker-scan-audit-rules-privileged-commands-chsh Applied
worker-scan-audit-rules-privileged-commands-crontab Applied
worker-scan-audit-rules-privileged-commands-gpasswd Applied
worker-scan-audit-rules-privileged-commands-mount Applied
worker-scan-audit-rules-privileged-commands-newgidmap Applied
worker-scan-audit-rules-privileged-commands-newgrp Applied
worker-scan-audit-rules-privileged-commands-newuidmap Applied
worker-scan-audit-rules-privileged-commands-pam-timestamp-check Applied
worker-scan-audit-rules-privileged-commands-passwd Applied
worker-scan-audit-rules-privileged-commands-postdrop Applied
worker-scan-audit-rules-privileged-commands-postqueue Applied
worker-scan-audit-rules-privileged-commands-pt-chown Applied
worker-scan-audit-rules-privileged-commands-ssh-keysign Applied
worker-scan-audit-rules-privileged-commands-su Applied
worker-scan-audit-rules-privileged-commands-sudo Applied
worker-scan-audit-rules-privileged-commands-sudoedit Applied
worker-scan-audit-rules-privileged-commands-umount Applied
worker-scan-audit-rules-privileged-commands-unix-chkpwd Applied
worker-scan-audit-rules-privileged-commands-userhelper Applied
worker-scan-audit-rules-privileged-commands-usernetctl Applied
worker-scan-auditd-name-format Applied
worker-scan-coredump-disable-backtraces Applied
worker-scan-coredump-disable-storage Applied
worker-scan-coreos-audit-backlog-limit-kernel-argument Applied
worker-scan-coreos-audit-option Applied
worker-scan-coreos-page-poison-kernel-argument Applied
worker-scan-coreos-pti-kernel-argument Applied
worker-scan-coreos-vsyscall-kernel-argument Applied
worker-scan-disable-ctrlaltdel-burstaction Applied
worker-scan-disable-users-coredumps Applied
worker-scan-kernel-module-atm-disabled Applied
worker-scan-kernel-module-bluetooth-disabled Applied
worker-scan-kernel-module-can-disabled Applied
worker-scan-kernel-module-cramfs-disabled Applied
worker-scan-kernel-module-firewire-core-disabled Applied
worker-scan-kernel-module-freevxfs-disabled Applied
worker-scan-kernel-module-hfs-disabled Applied
worker-scan-kernel-module-hfsplus-disabled Applied
worker-scan-kernel-module-jffs2-disabled Applied
worker-scan-kernel-module-sctp-disabled Applied
worker-scan-kernel-module-squashfs-disabled Applied
worker-scan-kernel-module-tipc-disabled Applied
worker-scan-kernel-module-udf-disabled Applied
worker-scan-kernel-module-usb-storage-disabled Applied
worker-scan-kernel-module-vfat-disabled Applied
worker-scan-no-direct-root-logins Applied
worker-scan-no-empty-passwords Applied
worker-scan-no-tmux-in-shells Applied
worker-scan-service-systemd-coredump-disabled Applied
worker-scan-sshd-set-idle-timeout Applied
worker-scan-sshd-set-keepalive Applied
worker-scan-sysctl-kernel-dmesg-restrict Applied
worker-scan-sysctl-kernel-kexec-load-disabled Applied
worker-scan-sysctl-kernel-perf-event-paranoid Applied
worker-scan-sysctl-kernel-unprivileged-bpf-disabled Applied
worker-scan-sysctl-kernel-yama-ptrace-scope Applied
worker-scan-sysctl-net-core-bpf-jit-harden Applied
worker-scan-sysctl-net-ipv4-conf-all-accept-redirects Applied
worker-scan-sysctl-net-ipv4-conf-all-log-martians Applied
worker-scan-sysctl-net-ipv4-conf-all-secure-redirects Applied
worker-scan-sysctl-net-ipv4-conf-all-send-redirects Applied
worker-scan-sysctl-net-ipv4-conf-default-accept-redirects Applied
worker-scan-sysctl-net-ipv4-conf-default-accept-source-route Applied
worker-scan-sysctl-net-ipv4-conf-default-log-martians Applied
worker-scan-sysctl-net-ipv4-conf-default-rp-filter Applied
worker-scan-sysctl-net-ipv4-conf-default-secure-redirects Applied
worker-scan-sysctl-net-ipv4-conf-default-send-redirects Applied
worker-scan-sysctl-net-ipv4-icmp-echo-ignore-broadcasts Applied
worker-scan-sysctl-net-ipv4-icmp-ignore-bogus-error-responses Applied
worker-scan-sysctl-net-ipv4-tcp-syncookies Applied
worker-scan-sysctl-net-ipv6-conf-all-accept-ra Applied
worker-scan-sysctl-net-ipv6-conf-all-accept-redirects Applied
worker-scan-sysctl-net-ipv6-conf-all-accept-source-route Applied
worker-scan-sysctl-net-ipv6-conf-default-accept-ra Applied
worker-scan-sysctl-net-ipv6-conf-default-accept-redirects Applied
worker-scan-sysctl-net-ipv6-conf-default-accept-source-route Applied

$ oc get mc |grep "75-worker-scan"
75-worker-scan-worker-scan-audit-rules-dac-modification-chmod 3.1.0 4m45s
75-worker-scan-worker-scan-audit-rules-dac-modification-chown 3.1.0 4m36s
75-worker-scan-worker-scan-audit-rules-dac-modification-fchmod 3.1.0 4m45s
75-worker-scan-worker-scan-audit-rules-dac-modification-fchmodat 3.1.0 4m39s
75-worker-scan-worker-scan-audit-rules-dac-modification-fchown 3.1.0 4m37s
75-worker-scan-worker-scan-audit-rules-dac-modification-fchownat 3.1.0 4m39s
75-worker-scan-worker-scan-audit-rules-dac-modification-fremovexattr 3.1.0 4m44s
75-worker-scan-worker-scan-audit-rules-dac-modification-fsetxattr 3.1.0 4m35s
75-worker-scan-worker-scan-audit-rules-dac-modification-lchown 3.1.0 4m45s
75-worker-scan-worker-scan-audit-rules-dac-modification-lremovexattr 3.1.0 4m40s
75-worker-scan-worker-scan-audit-rules-dac-modification-lsetxattr 3.1.0 4m44s
75-worker-scan-worker-scan-audit-rules-dac-modification-removexattr 3.1.0 4m40s
75-worker-scan-worker-scan-audit-rules-dac-modification-setxattr 3.1.0 4m46s
75-worker-scan-worker-scan-audit-rules-execution-chcon 3.1.0 4m42s
75-worker-scan-worker-scan-audit-rules-execution-restorecon 3.1.0 4m38s
75-worker-scan-worker-scan-audit-rules-execution-semanage 3.1.0 4m43s
75-worker-scan-worker-scan-audit-rules-execution-setfiles 3.1.0 4m38s
75-worker-scan-worker-scan-audit-rules-execution-setsebool 3.1.0 4m35s
75-worker-scan-worker-scan-audit-rules-execution-seunshare 3.1.0 4m40s
75-worker-scan-worker-scan-audit-rules-login-events-faillock 3.1.0 4m38s
75-worker-scan-worker-scan-audit-rules-login-events-lastlog 3.1.0 4m39s
75-worker-scan-worker-scan-audit-rules-login-events-tallylog 3.1.0 4m47s
75-worker-scan-worker-scan-audit-rules-media-export 3.1.0 4m43s
75-worker-scan-worker-scan-audit-rules-networkconfig-modification 3.1.0 4m45s
75-worker-scan-worker-scan-audit-rules-privileged-commands-at 3.1.0 4m48s
75-worker-scan-worker-scan-audit-rules-privileged-commands-chage 3.1.0 4m47s
75-worker-scan-worker-scan-audit-rules-privileged-commands-chsh 3.1.0 4m47s
75-worker-scan-worker-scan-audit-rules-privileged-commands-crontab 3.1.0 4m36s
75-worker-scan-worker-scan-audit-rules-privileged-commands-gpasswd 3.1.0 4m37s
75-worker-scan-worker-scan-audit-rules-privileged-commands-mount 3.1.0 4m38s
75-worker-scan-worker-scan-audit-rules-privileged-commands-newgidmap 3.1.0 4m41s
75-worker-scan-worker-scan-audit-rules-privileged-commands-newgrp 3.1.0 4m44s
75-worker-scan-worker-scan-audit-rules-privileged-commands-newuidmap 3.1.0 4m35s
75-worker-scan-worker-scan-audit-rules-privileged-commands-pam-timestamp-check 3.1.0 4m44s
75-worker-scan-worker-scan-audit-rules-privileged-commands-passwd 3.1.0 4m34s
75-worker-scan-worker-scan-audit-rules-privileged-commands-postdrop 3.1.0 4m48s
75-worker-scan-worker-scan-audit-rules-privileged-commands-postqueue 3.1.0 4m34s
75-worker-scan-worker-scan-audit-rules-privileged-commands-pt-chown 3.1.0 4m41s
75-worker-scan-worker-scan-audit-rules-privileged-commands-ssh-keysign 3.1.0 4m37s
75-worker-scan-worker-scan-audit-rules-privileged-commands-su 3.1.0 4m36s
75-worker-scan-worker-scan-audit-rules-privileged-commands-sudo 3.1.0 4m40s
75-worker-scan-worker-scan-audit-rules-privileged-commands-sudoedit 3.1.0 4m35s
75-worker-scan-worker-scan-audit-rules-privileged-commands-umount 3.1.0 4m37s
75-worker-scan-worker-scan-audit-rules-privileged-commands-unix-chkpwd 3.1.0 4m40s
75-worker-scan-worker-scan-audit-rules-privileged-commands-userhelper 3.1.0 4m47s
75-worker-scan-worker-scan-audit-rules-privileged-commands-usernetctl 3.1.0 4m47s
75-worker-scan-worker-scan-auditd-name-format 3.1.0 4m46s
75-worker-scan-worker-scan-coredump-disable-backtraces 3.1.0 4m37s
75-worker-scan-worker-scan-coredump-disable-storage 3.1.0 4m45s
75-worker-scan-worker-scan-coreos-audit-backlog-limit-kernel-argument 3.1.0 4m44s
75-worker-scan-worker-scan-coreos-audit-option 3.1.0 4m36s
75-worker-scan-worker-scan-coreos-page-poison-kernel-argument 3.1.0 4m43s
75-worker-scan-worker-scan-coreos-pti-kernel-argument 3.1.0 4m34s
75-worker-scan-worker-scan-coreos-vsyscall-kernel-argument 3.1.0 4m47s
75-worker-scan-worker-scan-disable-ctrlaltdel-burstaction 3.1.0 4m39s
75-worker-scan-worker-scan-disable-users-coredumps 3.1.0 4m42s
75-worker-scan-worker-scan-kernel-module-atm-disabled 3.1.0 4m44s
75-worker-scan-worker-scan-kernel-module-bluetooth-disabled 3.1.0 4m34s
75-worker-scan-worker-scan-kernel-module-can-disabled 3.1.0 4m36s
75-worker-scan-worker-scan-kernel-module-cramfs-disabled 3.1.0 4m38s
75-worker-scan-worker-scan-kernel-module-firewire-core-disabled 3.1.0 4m41s
75-worker-scan-worker-scan-kernel-module-freevxfs-disabled 3.1.0 4m39s
75-worker-scan-worker-scan-kernel-module-hfs-disabled 3.1.0 4m39s
75-worker-scan-worker-scan-kernel-module-hfsplus-disabled 3.1.0 4m47s
75-worker-scan-worker-scan-kernel-module-jffs2-disabled 3.1.0 4m38s
75-worker-scan-worker-scan-kernel-module-sctp-disabled 3.1.0 4m42s
75-worker-scan-worker-scan-kernel-module-squashfs-disabled 3.1.0 4m42s
75-worker-scan-worker-scan-kernel-module-tipc-disabled 3.1.0 4m47s
75-worker-scan-worker-scan-kernel-module-udf-disabled 3.1.0 4m43s
75-worker-scan-worker-scan-kernel-module-usb-storage-disabled 3.1.0 4m38s
75-worker-scan-worker-scan-kernel-module-vfat-disabled 3.1.0 4m46s
75-worker-scan-worker-scan-no-direct-root-logins 3.1.0 4m41s
75-worker-scan-worker-scan-no-empty-passwords 3.1.0 4m35s
75-worker-scan-worker-scan-no-tmux-in-shells 3.1.0 4m40s
75-worker-scan-worker-scan-service-systemd-coredump-disabled 3.1.0 4m46s
75-worker-scan-worker-scan-sshd-set-idle-timeout 3.1.0 4m46s
75-worker-scan-worker-scan-sshd-set-keepalive 3.1.0 4m37s
75-worker-scan-worker-scan-sysctl-kernel-dmesg-restrict 3.1.0 4m45s
75-worker-scan-worker-scan-sysctl-kernel-kexec-load-disabled 3.1.0 4m38s
75-worker-scan-worker-scan-sysctl-kernel-perf-event-paranoid 3.1.0 4m38s
75-worker-scan-worker-scan-sysctl-kernel-unprivileged-bpf-disabled 3.1.0 4m46s
75-worker-scan-worker-scan-sysctl-kernel-yama-ptrace-scope 3.1.0 4m48s
75-worker-scan-worker-scan-sysctl-net-core-bpf-jit-harden 3.1.0 4m48s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-all-accept-redirects 3.1.0 4m46s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-all-log-martians 3.1.0 4m47s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-all-secure-redirects 3.1.0 4m47s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-all-send-redirects 3.1.0 4m41s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-default-accept-redirects 3.1.0 4m38s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-default-accept-source-route 3.1.0 4m34s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-default-log-martians 3.1.0 4m47s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-default-rp-filter 3.1.0 4m42s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-default-secure-redirects 3.1.0 4m43s
75-worker-scan-worker-scan-sysctl-net-ipv4-conf-default-send-redirects 3.1.0 4m38s
75-worker-scan-worker-scan-sysctl-net-ipv4-icmp-echo-ignore-broadcasts 3.1.0 4m42s
75-worker-scan-worker-scan-sysctl-net-ipv4-icmp-ignore-bogus-error-responses 3.1.0 4m38s
75-worker-scan-worker-scan-sysctl-net-ipv4-tcp-syncookies 3.1.0 4m35s
75-worker-scan-worker-scan-sysctl-net-ipv6-conf-all-accept-ra 3.1.0 4m36s
75-worker-scan-worker-scan-sysctl-net-ipv6-conf-all-accept-redirects 3.1.0 4m48s
75-worker-scan-worker-scan-sysctl-net-ipv6-conf-all-accept-source-route 3.1.0 4m43s
75-worker-scan-worker-scan-sysctl-net-ipv6-conf-default-accept-ra 3.1.0 4m45s
75-worker-scan-worker-scan-sysctl-net-ipv6-conf-default-accept-redirects 3.1.0 4m35s
75-worker-scan-worker-scan-sysctl-net-ipv6-conf-default-accept-source-route 3.1.0 4m46s

$ oc get complianceremediations -nopenshift-compliance |grep -v "NAME"|wc -l
102

$ oc get mc |grep "75-worker-scan" |wc -l
102

$ oc describe mc 75-worker-scan-worker-scan-sysctl-net-ipv6-conf-default-accept-source-route
Name: 75-worker-scan-worker-scan-sysctl-net-ipv6-conf-default-accept-source-route
Namespace:
Labels: machineconfiguration.openshift.io/role=worker
Annotations: compliance.openshift.io/remediation:
API Version: machineconfiguration.openshift.io/v1
Kind: MachineConfig
Metadata:
Creation Timestamp: 2020-12-15T10:23:53Z
Generation: 1
Managed Fields:
API Version: machineconfiguration.openshift.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:compliance.openshift.io/remediation:
f:labels:
.:
f:machineconfiguration.openshift.io/role:
f:spec:
.:
f:config:
.:
f:ignition:
.:
f:version:
f:storage:
.:
f:files:
Manager: compliance-operator
Operation: Update
Time: 2020-12-15T10:23:53Z
Resource Version: 99213
Self Link: /apis/machineconfiguration.openshift.io/v1/machineconfigs/75-worker-scan-worker-scan-sysctl-net-ipv6-conf-default-accept-source-route
UID: 66bff68f-f49f-4fb2-af6d-d4ef507a3039
Spec:
Config:
Ignition:
Version: 3.1.0
Storage:
Files:
Contents:
Source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A
Mode: 420
Path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf
Events: <none>

$ oc get mcp -w
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-6583f0ae6de55dbebf2a3e8748900bec True False False 3 3 3 0 3h56m
worker rendered-worker-9a6148536abebf8777e5fbc34e9af6aa False True False 3 2 2 0 3h56m
worker rendered-worker-ed4d6dd94974c1b8aadb205a44936493 True False False 3 3 3 0 3h58m

$ oc get compliancescan -nopenshift-compliance
NAME PHASE RESULT
worker-scan DONE NON-COMPLIANT

$ oc annotate compliancescans/worker-scan compliance.openshift.io/rescan=
compliancescan.compliance.openshift.io/worker-scan annotated

$ oc get compliancescan -w -nopenshift-compliance
NAME PHASE RESULT
worker-scan RUNNING NOT-AVAILABLE
worker-scan AGGREGATING NOT-AVAILABLE
worker-scan DONE NON-COMPLIANT

$ oc get compliancesuite -nopenshift-compliance
NAME PHASE RESULT
worker-compliancesuite DONE NON-COMPLIANT

$ oc get complianceremediations -nopenshift-compliance|grep "Applied" |wc -l
102

[PR Pre-Merge Testing continued..]
LGTM. All remediations are getting applied now, and the machineConfig objects are created for each
remediation rule with the prefix "75-worker-scan-" in the name and the complianceSuite object name in
the label, i.e. "compliance.openshift.io/scan-name=worker-compliancesuite". Also, we are able to
delete all of those machineConfig objects at once using the label.
Verified on:
4.7.0-0.nightly-2020-12-14-165231
$ git log|head -1
commit fe3b29a28ffcafdcfdb958864d05457196f2d3a5
$ oc get pods
NAME READY STATUS RESTARTS AGE
compliance-operator-679699f476-wsdlb 1/1 Running 0 10m
ocp4-openshift-compliance-pp-7cd9f6b64f-dl42p 1/1 Running 0 9m33s
rhcos4-openshift-compliance-pp-999fd896f-ls7w2 1/1 Running 0 9m33s
$ oc create -f /tmp/e2e-test-compliance-zsiwoivl-db68w-uqpxgui1isc-config.json
compliancesuite.compliance.openshift.io/worker-compliancesuite created
$ oc get pods -nopenshift-compliance
NAME READY STATUS RESTARTS AGE
aggregator-pod-worker-scan 0/1 Completed 0 69s
compliance-operator-679699f476-wsdlb 1/1 Running 0 15m
ocp4-openshift-compliance-pp-7cd9f6b64f-dl42p 1/1 Running 0 14m
rhcos4-openshift-compliance-pp-999fd896f-ls7w2 1/1 Running 0 14m
worker-scan-ip-10-0-135-113.us-east-2.compute.internal-pod 0/2 Completed 0 4m20s
worker-scan-ip-10-0-163-50.us-east-2.compute.internal-pod 0/2 Completed 0 4m20s
worker-scan-ip-10-0-195-157.us-east-2.compute.internal-pod 0/2 Completed 0 4m20s
$ oc get compliancesuite -w
NAME PHASE RESULT
worker-compliancesuite AGGREGATING NOT-AVAILABLE
worker-compliancesuite DONE NON-COMPLIANT
$ oc get complianceremediations -nopenshift-compliance |grep "Applied" |wc -l
102
$ oc get complianceremediations -nopenshift-compliance |head
NAME STATE
worker-scan-audit-rules-dac-modification-chmod Applied
worker-scan-audit-rules-dac-modification-chown Applied
worker-scan-audit-rules-dac-modification-fchmod Applied
worker-scan-audit-rules-dac-modification-fchmodat Applied
worker-scan-audit-rules-dac-modification-fchown Applied
worker-scan-audit-rules-dac-modification-fchownat Applied
worker-scan-audit-rules-dac-modification-fremovexattr Applied
worker-scan-audit-rules-dac-modification-fsetxattr Applied
worker-scan-audit-rules-dac-modification-lchown Applied
$ oc get mc |grep "75-worker-scan" |wc -l
102
$ oc get mc |grep "75-worker-scan" |head
75-worker-scan-audit-rules-dac-modification-chmod 3.1.0 9m2s
75-worker-scan-audit-rules-dac-modification-chown 3.1.0 9m4s
75-worker-scan-audit-rules-dac-modification-fchmod 3.1.0 8m57s
75-worker-scan-audit-rules-dac-modification-fchmodat 3.1.0 9m7s
75-worker-scan-audit-rules-dac-modification-fchown 3.1.0 9m9s
75-worker-scan-audit-rules-dac-modification-fchownat 3.1.0 9m
75-worker-scan-audit-rules-dac-modification-fremovexattr 3.1.0 9m8s
75-worker-scan-audit-rules-dac-modification-fsetxattr 3.1.0 9m7s
75-worker-scan-audit-rules-dac-modification-lchown 3.1.0 9m
75-worker-scan-audit-rules-dac-modification-lremovexattr 3.1.0 9m3s
$ oc describe mc 75-worker-scan-audit-rules-dac-modification-chmod
Name: 75-worker-scan-audit-rules-dac-modification-chmod
Namespace:
Labels: compliance.openshift.io/scan-name=worker-compliancesuite
machineconfiguration.openshift.io/role=worker
Annotations: compliance.openshift.io/remediation:
API Version: machineconfiguration.openshift.io/v1
Kind: MachineConfig
Metadata:
Creation Timestamp: 2020-12-15T13:12:44Z
Generation: 1
Managed Fields:
API Version: machineconfiguration.openshift.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:compliance.openshift.io/remediation:
f:labels:
.:
f:compliance.openshift.io/scan-name:
f:machineconfiguration.openshift.io/role:
f:spec:
.:
f:config:
.:
f:ignition:
.:
f:version:
f:storage:
.:
f:files:
Manager: compliance-operator
Operation: Update
Time: 2020-12-15T13:12:44Z
Resource Version: 173123
Self Link: /apis/machineconfiguration.openshift.io/v1/machineconfigs/75-worker-scan-audit-rules-dac-modification-chmod
UID: 506ce324-26d8-4fe7-98cf-5d98dcab987d
Spec:
Config:
Ignition:
Version: 3.1.0
Storage:
Files:
Contents:
Source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
Mode: 420
Path: /etc/audit/rules.d/75-chmod_dac_modification.rules
Events: <none>
$ oc get compliancescan -nopenshift-compliance
NAME PHASE RESULT
worker-scan DONE NON-COMPLIANT
$ oc get mc --show-labels |grep "75-worker-scan" |head
75-worker-scan-audit-rules-dac-modification-chmod 3.1.0 19m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
75-worker-scan-audit-rules-dac-modification-chown 3.1.0 19m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
75-worker-scan-audit-rules-dac-modification-fchmod 3.1.0 19m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
75-worker-scan-audit-rules-dac-modification-fchmodat 3.1.0 19m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
75-worker-scan-audit-rules-dac-modification-fchown 3.1.0 20m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
75-worker-scan-audit-rules-dac-modification-fchownat 3.1.0 19m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
75-worker-scan-audit-rules-dac-modification-fremovexattr 3.1.0 19m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
75-worker-scan-audit-rules-dac-modification-fsetxattr 3.1.0 19m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
75-worker-scan-audit-rules-dac-modification-lchown 3.1.0 19m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
75-worker-scan-audit-rules-dac-modification-lremovexattr 3.1.0 19m compliance.openshift.io/scan-name=worker-compliancesuite,machineconfiguration.openshift.io/role=worker
$ oc get mc --selector=compliance.openshift.io/scan-name=worker-compliancesuite |head
NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE
75-worker-scan-audit-rules-dac-modification-chmod 3.1.0 18m
75-worker-scan-audit-rules-dac-modification-chown 3.1.0 18m
75-worker-scan-audit-rules-dac-modification-fchmod 3.1.0 18m
75-worker-scan-audit-rules-dac-modification-fchmodat 3.1.0 18m
75-worker-scan-audit-rules-dac-modification-fchown 3.1.0 18m
75-worker-scan-audit-rules-dac-modification-fchownat 3.1.0 18m
75-worker-scan-audit-rules-dac-modification-fremovexattr 3.1.0 18m
75-worker-scan-audit-rules-dac-modification-fsetxattr 3.1.0 18m
75-worker-scan-audit-rules-dac-modification-lchown 3.1.0 18m
$ oc delete mc --selector=compliance.openshift.io/scan-name=worker-compliancesuite
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-chmod" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-chown" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-fchmod" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-fchmodat" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-fchown" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-fchownat" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-fremovexattr" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-fsetxattr" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-lchown" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-lremovexattr" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-lsetxattr" deleted
machineconfig.machineconfiguration.openshift.io "75-worker-scan-audit-rules-dac-modification-removexattr" deleted
....
$ oc get mc --selector=compliance.openshift.io/scan-name=worker-compliancesuite
No resources found
$ oc get mcp -w
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-6583f0ae6de55dbebf2a3e8748900bec True False False 3 3 3 0 7h15m
worker rendered-worker-ed4d6dd94974c1b8aadb205a44936493 False True False 3 2 2 0 7h15m
worker rendered-worker-9a6148536abebf8777e5fbc34e9af6aa True False False 3 3 3 0 7h16m
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.7 compliance-operator image update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0435
Description of problem:

Not all remediations get applied through machineConfig although the status of all rules shows Applied in ComplianceRemediations object

$ oc get pods
NAME                                                        READY   STATUS      RESTARTS   AGE
aggregator-pod-worker-scan                                  0/1     Completed   0          2m33s
compliance-operator-8d6f976cf-9zlrm                         1/1     Running     0          145m
ocp4-openshift-compliance-pp-7cd9f6b64f-wrr7k               1/1     Running     0          15m
rhcos4-openshift-compliance-pp-999fd896f-j7d4p              1/1     Running     0          15m
worker-scan-ip-10-0-57-244.us-east-2.compute.internal-pod   0/2     Completed   0          6m14s
worker-scan-ip-10-0-72-126.us-east-2.compute.internal-pod   0/2     Completed   0          6m13s

$ cat /tmp/e2e-test-compliance-zsiwoivl-db68w-uqpxgui1isc-config.json
{
  "kind": "List",
  "apiVersion": "v1",
  "metadata": {},
  "items": [
    {
      "apiVersion": "compliance.openshift.io/v1alpha1",
      "kind": "ComplianceSuite",
      "metadata": {
        "name": "worker-compliancesuite",
        "namespace": "openshift-compliance"
      },
      "spec": {
        "autoApplyRemediations": true,
        "scans": [
          {
            "content": "ssg-rhcos4-ds.xml",
            "contentImage": "quay.io/complianceascode/ocp4:latest",
            "debug": true,
            "name": "worker-scan",
            "noExternalResources": false,
            "nodeSelector": {
              "node-role.kubernetes.io/wscan": ""
            },
            "profile": "xccdf_org.ssgproject.content_profile_moderate",
            "rawResultStorage": {
              "rotation": 0,
              "size": ""
            },
            "rule": "",
            "scanType": ""
          }
        ],
        "schedule": "0 1 * * *"
      }
    }
  ]
}

$ oc get compliancesuite
NAME                     PHASE   RESULT
worker-compliancesuite   DONE    NON-COMPLIANT

$ oc get compliancesuite worker-compliancesuite -o yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  creationTimestamp: "2020-12-09T06:42:02Z"
  finalizers:
  - suite.finalizers.compliance.openshift.io
  generation: 2
  managedFields:
  - apiVersion: compliance.openshift.io/v1alpha1
    fieldsType: FieldsV1
    fieldsV1:
      f:spec:
        .: {}
        f:autoApplyRemediations: {}
        f:schedule: {}
....
    manager: compliance-operator
    operation: Update
    time: "2020-12-09T06:46:31Z"
  name: worker-compliancesuite
  namespace: openshift-compliance
  resourceVersion: "115397"
  selfLink: /apis/compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/compliancesuites/worker-compliancesuite
  uid: f137ce65-93d1-4889-8188-d95196e54642
spec:
  autoApplyRemediations: true
  scans:
  - content: ssg-rhcos4-ds.xml
    contentImage: quay.io/complianceascode/ocp4:latest
    debug: true
    name: worker-scan
    nodeSelector:
      node-role.kubernetes.io/wscan: ""
    profile: xccdf_org.ssgproject.content_profile_moderate
    rawResultStorage:
      pvAccessModes:
      - ReadWriteOnce
      rotation: 3
      size: 1Gi
    scanTolerations:
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
      operator: Exists
    scanType: Node
  schedule: 0 1 * * *
status:
  phase: DONE
  result: NON-COMPLIANT
  scanStatuses:
  - name: worker-scan
    phase: DONE
    result: NON-COMPLIANT
    resultsStorage:
      name: worker-scan
      namespace: openshift-compliance

The complianceremediations object output shows all rules are Applied but some of those rules are not available in machineConfig

$ oc get complianceremediations |tail
worker-scan-sysctl-net-ipv4-conf-default-send-redirects          Applied
worker-scan-sysctl-net-ipv4-icmp-echo-ignore-broadcasts          Applied
worker-scan-sysctl-net-ipv4-icmp-ignore-bogus-error-responses    Applied
worker-scan-sysctl-net-ipv4-tcp-syncookies                       Applied
worker-scan-sysctl-net-ipv6-conf-all-accept-ra                   Applied
worker-scan-sysctl-net-ipv6-conf-all-accept-redirects            Applied
worker-scan-sysctl-net-ipv6-conf-all-accept-source-route         Applied
worker-scan-sysctl-net-ipv6-conf-default-accept-ra               Applied
worker-scan-sysctl-net-ipv6-conf-default-accept-redirects        Applied
worker-scan-sysctl-net-ipv6-conf-default-accept-source-route     Applied

$ oc get mc
NAME                                    GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                               d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             3h13m
00-worker                               d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             3h13m
01-master-container-runtime             d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             3h13m
01-master-kubelet                       d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             3h13m
01-worker-container-runtime             d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             3h13m
01-worker-kubelet                       d6b5d1922d848885cf5d2737306ab14323b7783a   3.2.0             3h13m
75-worker-scan-worker-compliancesuite                                              3.1.0             2m25s

$ oc get mc 75-worker-scan-worker-compliancesuite -o yaml |grep "worker-scan-sysctl-net-ipv6-conf-default-accept-source-route"
$ oc get mc 75-worker-scan-worker-compliancesuite -o yaml |grep "worker-scan-sysctl-net-ipv6-conf-default-accept-redirects"
$ oc get mc 75-worker-scan-worker-compliancesuite -o yaml |grep "worker-scan-sysctl-net-ipv6-conf-default-accept-ra"
    remediation/worker-scan-sysctl-net-ipv6-conf-default-accept-ra: "2"
        f:remediation/worker-scan-sysctl-net-ipv6-conf-default-accept-ra: {}
$ oc get mc 75-worker-scan-worker-compliancesuite -o yaml |grep "worker-scan-sysctl-net-ipv6-conf-all-accept-source-route"
$ oc get mc 75-worker-scan-worker-compliancesuite -o yaml |grep "worker-scan-sysctl-net-ipv6-conf-all-accept-redirects"
$ oc get mc 75-worker-scan-worker-compliancesuite -o yaml |grep "worker-scan-sysctl-net-ipv6-conf-all-accept-ra"
    remediation/worker-scan-sysctl-net-ipv6-conf-all-accept-ra: "2"
        f:remediation/worker-scan-sysctl-net-ipv6-conf-all-accept-ra: {}

Version-Release number of selected component (if applicable):
4.7.0-0.nightly-2020-12-14-035110

How reproducible:
Always

Steps to Reproduce:
1. Deploy Compliance Operator
2. Create ComplianceSuite object CR
$ oc create -f /tmp/e2e-test-compliance-zsiwoivl-db68w-uqpxgui1isc-config.json
3. Monitor scan pods
$ oc get pods -w -nopenshift-compliance
4. Check for compliance scan result through compliancesuite object
$ oc get compliancesuite
5. Check complianceRemediations output which shows all rules are Applied
$ oc get complianceremediations
6. Check machineconfig and verify all rules are available in it
$ oc get mc
oc get mc 75-worker-scan-worker-compliancesuite -o yaml

Actual results:
Not all remediations get applied through machineConfig although the status of all rules shows Applied in ComplianceRemediations object

Expected results:
All remediations should get applied through machineConfig as well and the status of all rules shows Applied in ComplianceRemediations object

Additional info:
inspecting the created machineConfig (the 75-XXXX), it seems like some remediations are simply missing
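The reproduction steps above end with a manual grep of the MachineConfig for each remediation name. As an added check (not code from the bug report or the operator), the POSIX sh script below cross-checks every ComplianceRemediation reported as Applied against the per-remediation MachineConfigs the fixed operator creates (one "75-<remediation name>" object per remediation, labelled compliance.openshift.io/scan-name=<suite>, as in the verification listings earlier on this page); the sample listings it runs on are constructed, and the function `missing_remediations` and its input format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the operator: report Applied
# ComplianceRemediation objects that have no matching "75-<name>" MachineConfig.

# missing_remediations REMS_FILE MC_FILE
#   REMS_FILE: output of `oc get complianceremediations --no-headers`
#              (columns: NAME STATE)
#   MC_FILE:   output of `oc get mc --selector=compliance.openshift.io/scan-name=<suite> --no-headers`
#              (first column: MachineConfig NAME)
# Prints, one per line, every Applied remediation whose "75-<name>"
# MachineConfig is absent from MC_FILE.
missing_remediations() {
    # First pass (NR == FNR) indexes the MachineConfig names; second pass
    # walks the remediations and prints the Applied ones with no 75- object.
    awk 'NR == FNR { mc[$1] = 1; next }
         $2 == "Applied" && !(("75-" $1) in mc) { print $1 }' "$2" "$1"
}

# demo_missing: runs the check on constructed sample listings. Names are
# modelled on this report; the STATE column and AGE values are constructed.
demo_missing() {
    rems=$(mktemp) && mcs=$(mktemp) || return 1
    cat > "$rems" <<'EOF'
worker-scan-audit-rules-dac-modification-chmod                 Applied
worker-scan-sysctl-net-ipv6-conf-all-accept-ra                 Applied
worker-scan-sysctl-net-ipv6-conf-all-accept-redirects          Applied
worker-scan-sysctl-net-ipv6-conf-default-accept-source-route   Applied
worker-scan-sysctl-net-ipv4-tcp-syncookies                     NotApplied
EOF
    cat > "$mcs" <<'EOF'
75-worker-scan-audit-rules-dac-modification-chmod   3.1.0   19m
75-worker-scan-sysctl-net-ipv6-conf-all-accept-ra   3.1.0   19m
EOF
    missing_remediations "$rems" "$mcs"
    rm -f "$rems" "$mcs"
}

# On the sample this lists the two Applied remediations lacking a MachineConfig.
demo_missing
```

An empty result on a live cluster means every Applied remediation has been rendered into a MachineConfig; the remaining step is still to watch `oc get mcp` until the worker pool reports UPDATED.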