Description of problem:
When defining scans in a ComplianceSuite, if you omit the "containerImage" field, by default the scan pod init containers will pull content from the upstream content image. It should use the downstream content image instead.

You can see this on the scan pod:

  initContainerStatuses:
  - containerID: cri-o://09588b10edb68a10abf6b5dfe797fcbcedec0386d6640fc9a34a371ef01403eb
    image: quay.io/complianceascode/ocp4:latest
    imageID: quay.io/complianceascode/ocp4@sha256:c7306989297ed3455c1d224614a4860d25de8de457bfd96adf12514518c50f14
    lastState: {}
    name: content-container
    ready: true
    restartCount: 0
    state:

As a workaround, the downstream content image can be placed in containerImage:

  image-registry.openshift-image-registry.svc:5000/openshift/compliance-operator@sha256:d4b3a3ffd3527e2f25de110de0ad9b6b5efad6b2f8530a9fb93fa4064bd02e39

Addressed upstream by: https://github.com/openshift/compliance-operator/pull/544
Fixed in master with https://github.com/openshift/compliance-operator/commit/5a706908807b138d05cb9855b8d46a7227526c96
[ Bug Verification ]

It looks good to me. By default the scan pod init containers were pulling content from the upstream content image in the earlier CO version, but now, with the latest version, it uses the downstream content image.

Verified on:
4.6.0-0.nightly-2021-01-30-211400
compliance-operator.v0.1.25

[ Tested on compliance-operator.v0.1.24 ]

$ oc get csv
NAME                                           DISPLAY                            VERSION                 REPLACES   PHASE
compliance-operator.v0.1.24                    Compliance Operator                0.1.24                             Succeeded
elasticsearch-operator.4.6.0-202101300140.p0   OpenShift Elasticsearch Operator   4.6.0-202101300140.p0              Succeeded

$ oc create -f - <<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ComplianceSuite
> metadata:
>   name: example-compliancesuite
> spec:
>   autoApplyRemediations: false
>   schedule: "0 1 * * *"
>   scans:
>     - name: worker-scan
>       profile: xccdf_org.ssgproject.content_profile_moderate
>       content: ssg-rhcos4-ds.xml
>       rule: "xccdf_org.ssgproject.content_rule_no_empty_passwords"
>       debug: true
>       nodeSelector:
>         node-role.kubernetes.io/worker: ""
> EOF
compliancesuite.compliance.openshift.io/example-compliancesuite created

$ oc get pods
NAME                                                         READY   STATUS      RESTARTS   AGE
aggregator-pod-worker-scan                                   0/1     Completed   0          24s
compliance-operator-5f95bfd5b8-qlwqm                         1/1     Running     0          4m10s
ocp4-compliance-test-pp-5998d78c76-rlfbl                     1/1     Running     0          3m18s
rhcos4-compliance-test-pp-6cbdd748c8-jq582                   1/1     Running     0          3m18s
worker-scan-ip-10-0-150-230.us-east-2.compute.internal-pod   0/2     Completed   0          84s
worker-scan-ip-10-0-180-200.us-east-2.compute.internal-pod   0/2     Completed   0          84s
worker-scan-ip-10-0-194-66.us-east-2.compute.internal-pod    0/2     Completed   0          84s

$ oc get compliancesuite
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT

$ oc describe pod worker-scan-ip-10-0-150-230.us-east-2.compute.internal-pod | grep -A 5 "Init Containers"
Init Containers:
  content-container:
    Container ID:  cri-o://29f401a7ba2fc609156cd4b48bcf3b9c1f2bf0e232de27b2fa21b7119a39a30b
    Image:         quay.io/complianceascode/ocp4:latest   <<------ [upstream content image]
    Image ID:      quay.io/complianceascode/ocp4@sha256:a495364a4188974e4af25ad6e953c8590a254c10c61eeb97ea1b7e685e4c7e16   <<------ [upstream content image]
    Port:          <none>

[ Tested on compliance-operator.v0.1.25 ]

$ oc get csv
NAME                                           DISPLAY                            VERSION                 REPLACES   PHASE
compliance-operator.v0.1.25                    Compliance Operator                0.1.25                             Succeeded
elasticsearch-operator.4.6.0-202101300140.p0   OpenShift Elasticsearch Operator   4.6.0-202101300140.p0              Succeeded

$ oc create -f - <<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ComplianceSuite
> metadata:
>   name: example-compliancesuite
> spec:
>   autoApplyRemediations: false
>   schedule: "0 1 * * *"
>   scans:
>     - name: worker-scan
>       profile: xccdf_org.ssgproject.content_profile_moderate
>       content: ssg-rhcos4-ds.xml
>       rule: "xccdf_org.ssgproject.content_rule_no_empty_passwords"
>       debug: true
>       nodeSelector:
>         node-role.kubernetes.io/worker: ""
> EOF
compliancesuite.compliance.openshift.io/example-compliancesuite created

$ oc get compliancesuite
NAME                      PHASE   RESULT
example-compliancesuite   DONE    NON-COMPLIANT

$ oc get pods
NAME                                                         READY   STATUS      RESTARTS   AGE
aggregator-pod-worker-scan                                   0/1     Completed   0          16m
compliance-operator-6995fbbf5b-km9f4                         1/1     Running     0          31m
ocp4-openshift-compliance-pp-c4898f8b-nvwwj                  1/1     Running     0          30m
rhcos4-openshift-compliance-pp-86d8d69446-ncztq              1/1     Running     0          30m
worker-scan-ip-10-0-150-230.us-east-2.compute.internal-pod   0/2     Completed   0          17m
worker-scan-ip-10-0-180-200.us-east-2.compute.internal-pod   0/2     Completed   0          17m
worker-scan-ip-10-0-194-66.us-east-2.compute.internal-pod    0/2     Completed   0          17m

$ oc describe pod worker-scan-ip-10-0-194-66.us-east-2.compute.internal-pod | grep -A 5 "Init Containers"
Init Containers:
  content-container:
    Container ID:  cri-o://90de760ca6ddb3166a4eb1a83fe19c7f85764265d4073dd7bd841103d23f5422
    Image:         registry-proxy.engineering.redhat.com/rh-osbs/compliance-content-container@sha256:3ac7eb91636e175ac6cb84507880bffc02798b46336b373e95b18da8cd9bdac6   <<------ [downstream content image]
    Image ID:      registry-proxy.engineering.redhat.com/rh-osbs/compliance-content-container@sha256:3ac7eb91636e175ac6cb84507880bffc02798b46336b373e95b18da8cd9bdac6   <<------ [downstream content image]
    Port:          <none>
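The manual check above (grep the Init Containers of every scan pod) and the workaround from the description, as an added example that is not code from this report or from compliance-operator: it classifies each scan pod's content-container init container by the registry it actually pulled from, and sets containerImage on every scan in a ComplianceSuite that omits it. The pod JSON is constructed sample input in the shape `oc get pods -o json` returns; its pod names and digests are placeholders, while the image references themselves are the ones quoted in the report.

```python
from copy import deepcopy

# Default content image pulled when containerImage is omitted (quoted in the report).
UPSTREAM_REPO = "quay.io/complianceascode/ocp4"
# Downstream image the report gives as the containerImage workaround (digest from the report).
DOWNSTREAM_IMAGE = ("image-registry.openshift-image-registry.svc:5000/openshift/"
                    "compliance-operator@sha256:d4b3a3ffd3527e2f25de110de0ad9b6b5efad6b2f8530a9fb93fa4064bd02e39")
# Registries the report shows downstream content being served from.
DOWNSTREAM_PREFIXES = ("image-registry.openshift-image-registry.svc:5000/",
                       "registry-proxy.engineering.redhat.com/rh-osbs/compliance-content-container")

def content_image_sources(pod_list):
    """Map each scan pod to the origin of its content-container init container, judged by
    imageID (the digest actually pulled) rather than a tag such as :latest."""
    sources = {}
    for pod in pod_list.get("items", []):
        name = pod["metadata"]["name"]
        for ic in pod.get("status", {}).get("initContainerStatuses", []):
            if ic.get("name") != "content-container":
                continue
            ref = ic.get("imageID") or ic.get("image", "")
            if ref.startswith(UPSTREAM_REPO):
                sources[name] = "upstream"
            elif ref.startswith(DOWNSTREAM_PREFIXES):
                sources[name] = "downstream"
            else:
                sources[name] = "unexpected: " + ref
    return sources

def pin_content_image(suite, image=DOWNSTREAM_IMAGE):
    """Copy of a ComplianceSuite with containerImage set on every scan that omits it."""
    pinned = deepcopy(suite)
    for scan in pinned["spec"]["scans"]:
        scan.setdefault("containerImage", image)
    return pinned

# Constructed sample in the shape `oc get pods -o json` returns; names and digests are placeholders.
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "worker-scan-node-a-pod"}, "status": {"initContainerStatuses": [
        {"name": "content-container", "image": "quay.io/complianceascode/ocp4:latest",
         "imageID": "quay.io/complianceascode/ocp4@sha256:" + "0" * 64}]}},
    {"metadata": {"name": "worker-scan-node-b-pod"}, "status": {"initContainerStatuses": [
        {"name": "content-container", "image": DOWNSTREAM_IMAGE, "imageID": DOWNSTREAM_IMAGE}]}},
]}
# The ComplianceSuite from the report, with containerImage omitted on its single scan.
SAMPLE_SUITE = {"apiVersion": "compliance.openshift.io/v1alpha1", "kind": "ComplianceSuite",
                "metadata": {"name": "example-compliancesuite"},
                "spec": {"autoApplyRemediations": False, "schedule": "0 1 * * *", "scans": [
                    {"name": "worker-scan", "profile": "xccdf_org.ssgproject.content_profile_moderate",
                     "content": "ssg-rhcos4-ds.xml", "debug": True,
                     "nodeSelector": {"node-role.kubernetes.io/worker": ""}}]}}
```

On a live cluster, feed the script the parsed output of `oc get pods -o json` for the scan pods; any pod reported as "upstream" is still running the default content image this bug describes.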
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0436