Note that the Compliance Operator doesn't support RHEL hosts. From what I could tell, this issue originated from trying to run a compliance remediation that was meant for RHCOS in RHEL.
Hello, the customer confirms that he is running CoreOS on all our nodes.

cat /etc/redhat-release
Red Hat Enterprise Linux CoreOS release 4.7
[Bug_Verification]

1] The remediation for rhcos4-configure-usbguard-auditbackend rule is getting skipped on OCP 4.6

Verified on: 4.6.0-0.nightly-2021-12-21-181142 + compliance-operator.v0.1.47

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2021-12-21-181142   True        False         87m     Cluster version is 4.6.0-0.nightly-2021-12-21-181142

$ oc get csv
NAME                          DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v0.1.47   Compliance Operator   0.1.47               Succeeded

$ oc get pods -w
NAME                                              READY   STATUS            RESTARTS   AGE
compliance-operator-7c9766cc5d-6x6hd              1/1     Running           1          2m21s
ocp4-openshift-compliance-pp-54f5ffdd5b-vxtq9     1/1     Running           0          56s
rhcos4-openshift-compliance-pp-868bf9bd9b-kkkhb   0/1     Init:1/2          0          56s
rhcos4-openshift-compliance-pp-868bf9bd9b-kkkhb   0/1     PodInitializing   0          74s
rhcos4-openshift-compliance-pp-868bf9bd9b-kkkhb   1/1     Running           0          78s

$ oc get rules |grep auditbackend
rhcos4-configure-usbguard-auditbackend   63m

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: ocp4-moderate-test
> profiles:
>   - name: rhcos4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default-auto-apply
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/ocp4-moderate-test created

$ oc get scan -w
NAME                     PHASE         RESULT
rhcos4-moderate-master   LAUNCHING     NOT-AVAILABLE
rhcos4-moderate-worker   LAUNCHING     NOT-AVAILABLE
rhcos4-moderate-master   LAUNCHING     NOT-AVAILABLE
rhcos4-moderate-worker   RUNNING       NOT-AVAILABLE
rhcos4-moderate-master   RUNNING       NOT-AVAILABLE
rhcos4-moderate-master   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-worker   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-master   DONE          NON-COMPLIANT
rhcos4-moderate-worker   DONE          NON-COMPLIANT

$ oc get complianceremediations |grep auditbackend

$ oc get ccr |grep auditbackend
rhcos4-moderate-master-configure-usbguard-auditbackend   FAIL   medium
rhcos4-moderate-worker-configure-usbguard-auditbackend   FAIL   medium

$ oc get events |grep auditbackend
4m16s   Warning   SkippingRemediation   compliancescan/rhcos4-moderate-master   Skipping ComplianceRemediation 'openshift-compliance/rhcos4-moderate-master-configure-usbguard-auditbackend'. Cluster doesn't match version range >=4.7.0
4m17s   Warning   SkippingRemediation   compliancescan/rhcos4-moderate-worker   Skipping ComplianceRemediation 'openshift-compliance/rhcos4-moderate-worker-configure-usbguard-auditbackend'. Cluster doesn't match version range >=4.7.0

$ oc get scan
NAME                     PHASE   RESULT
rhcos4-moderate-master   DONE    NON-COMPLIANT
rhcos4-moderate-worker   DONE    NON-COMPLIANT

$ oc get suite
NAME                 PHASE   RESULT
ocp4-moderate-test   DONE    NON-COMPLIANT

$ oc get pods
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-rhcos4-moderate-worker                   0/1     Completed   0          5m9s
compliance-operator-7c9766cc5d-nk2bf                    1/1     Running     0          2m31s
ocp4-openshift-compliance-pp-54f5ffdd5b-mlqb4           1/1     Running     0          2m31s
openscap-pod-1cc57c3066e87192fa5076c35da08d18cbccbc55   0/2     Completed   0          6m49s
openscap-pod-3fcd36df67d935062417552a2be4b58479ccb0bf   0/2     Completed   0          6m49s
openscap-pod-a14199e251659970cbe9a3f8de20a372a7376c28   0/2     Completed   0          6m49s
openscap-pod-f6f52c4466260d8142fddbe57bf2ffc3da9a7f2b   0/2     Completed   0          6m49s
rhcos4-openshift-compliance-pp-868bf9bd9b-glkds         1/1     Running     0          2m31s

$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-6dc4225ad427e5504e38e284699a554c   False     True       False      3              2                   2                     0                      63m
worker   rendered-worker-2fd5847b1c456affa7c6fce435091dc0   True      False      False      3              3                   3                     0                      63m
master   rendered-master-89d5eb704dfa6239d8e138975c7cce8d   True      False      False      3              3                   3                     0                      63m

$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-89d5eb704dfa6239d8e138975c7cce8d   True      False      False      3              3                   3                     0                      63m
worker   rendered-worker-2fd5847b1c456affa7c6fce435091dc0   True      False      False      3              3                   3                     0                      63m

$ oc compliance rerun-now compliancesuite/ocp4-moderate-test
Rerunning scans from 'ocp4-moderate-test': rhcos4-moderate-worker, rhcos4-moderate-master
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'

$ oc get scan -w
NAME                     PHASE         RESULT
rhcos4-moderate-master   RUNNING       NOT-AVAILABLE
rhcos4-moderate-worker   RUNNING       NOT-AVAILABLE
rhcos4-moderate-worker   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-master   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-worker   DONE          NON-COMPLIANT

$ oc get ccr |grep auditbackend
rhcos4-moderate-master-configure-usbguard-auditbackend   FAIL   medium
rhcos4-moderate-worker-configure-usbguard-auditbackend   FAIL   medium

$ oc get events |grep auditbackend
33m   Warning   SkippingRemediation   compliancescan/rhcos4-moderate-master   Skipping ComplianceRemediation 'openshift-compliance/rhcos4-moderate-master-configure-usbguard-auditbackend'. Cluster doesn't match version range >=4.7.0
75s   Warning   SkippingRemediation   compliancescan/rhcos4-moderate-master   Skipping ComplianceRemediation 'openshift-compliance/rhcos4-moderate-master-configure-usbguard-auditbackend'. Cluster doesn't match version range >=4.7.0
33m   Warning   SkippingRemediation   compliancescan/rhcos4-moderate-worker   Skipping ComplianceRemediation 'openshift-compliance/rhcos4-moderate-worker-configure-usbguard-auditbackend'. Cluster doesn't match version range >=4.7.0
81s   Warning   SkippingRemediation   compliancescan/rhcos4-moderate-worker   Skipping ComplianceRemediation 'openshift-compliance/rhcos4-moderate-worker-configure-usbguard-auditbackend'. Cluster doesn't match version range >=4.7.0

2] The remediation for rhcos4-configure-usbguard-auditbackend rule is getting applied on OCP 4.10

Verified on: 4.10.0-0.nightly-2021-12-21-130047 + compliance-operator.v0.1.47

$ oc get csv
NAME                             DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.47      Compliance Operator                0.1.47               Succeeded
elasticsearch-operator.5.3.2-5   OpenShift Elasticsearch Operator   5.3.2-5              Succeeded

$ oc get pods -w
NAME                                              READY   STATUS    RESTARTS       AGE
compliance-operator-55fd995f9-427rm               1/1     Running   1 (112s ago)   2m33s
ocp4-openshift-compliance-pp-54f5ffdd5b-65hcv     1/1     Running   0              75s
rhcos4-openshift-compliance-pp-868bf9bd9b-mkpd6   1/1     Running   0              75s

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: ocp4-moderate-test
> profiles:
>   - name: rhcos4-moderate
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default-auto-apply
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/ocp4-moderate-test created

$ oc get scan -w
NAME                     PHASE         RESULT
rhcos4-moderate-master   RUNNING       NOT-AVAILABLE
rhcos4-moderate-worker   RUNNING       NOT-AVAILABLE
rhcos4-moderate-master   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-worker   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-master   DONE          NON-COMPLIANT

$ oc get complianceremediations |grep auditbackend
rhcos4-moderate-master-configure-usbguard-auditbackend   MissingDependencies
rhcos4-moderate-worker-configure-usbguard-auditbackend   MissingDependencies

$ oc get ccr |grep auditbackend
rhcos4-moderate-master-configure-usbguard-auditbackend   FAIL   medium
rhcos4-moderate-worker-configure-usbguard-auditbackend   FAIL   medium

$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-8b279e1fc72dfeb033c61980f78667d4   False     True       False      3              1                   1                     0                      57m
worker   rendered-worker-2b9d1194d7e27b66cedcb4c839ff83de   False     True       False      3              1                   1                     0                      57m
worker   rendered-worker-2b9d1194d7e27b66cedcb4c839ff83de   False     True       False      3              1                   1                     0                      59m
master   rendered-master-8b279e1fc72dfeb033c61980f78667d4   False     True       False      3              1                   1                     0                      59m
worker   rendered-worker-2b9d1194d7e27b66cedcb4c839ff83de   False     True       False      3              1                   1                     0                      59m
master   rendered-master-8b279e1fc72dfeb033c61980f78667d4   False     True       False      3              1                   1                     0                      59m
master   rendered-master-8b279e1fc72dfeb033c61980f78667d4   False     True       False      3              1                   1                     0                      59m
worker   rendered-worker-2b9d1194d7e27b66cedcb4c839ff83de   False     True       False      3              2                   2                     0                      59m

$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-81dc118ed7716b5c66c8c1872c99702f   True      False      False      3              3                   3                     0                      81m
worker   rendered-worker-a508a6792ad6969bc19b4206efc72088   True      False      False      3              3                   3                     0                      81m

$ oc compliance rerun-now compliancesuite/ocp4-moderate-test
Rerunning scans from 'ocp4-moderate-test': rhcos4-moderate-worker, rhcos4-moderate-master
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'

$ oc get scan -w
NAME                     PHASE         RESULT
rhcos4-moderate-master   RUNNING       NOT-AVAILABLE
rhcos4-moderate-worker   RUNNING       NOT-AVAILABLE
rhcos4-moderate-worker   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-master   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-master   DONE          NON-COMPLIANT
rhcos4-moderate-worker   DONE          NON-COMPLIANT

$ oc get complianceremediations |grep auditbackend
rhcos4-moderate-master-configure-usbguard-auditbackend   Applied
rhcos4-moderate-worker-configure-usbguard-auditbackend   Applied

$ oc get ccr |grep auditbackend
rhcos4-moderate-master-configure-usbguard-auditbackend   FAIL   medium
rhcos4-moderate-worker-configure-usbguard-auditbackend   FAIL   medium

$ oc get mc |grep auditbackend
75-rhcos4-moderate-master-configure-usbguard-auditbackend   3.1.0   36m
75-rhcos4-moderate-worker-configure-usbguard-auditbackend   3.1.0   36m

$ oc get events |grep auditbackend
53m   Warning   RemediationDependencyCannotBeMet   complianceremediation/rhcos4-moderate-master-configure-usbguard-auditbackend   The marked dependency xccdf_org.ssgproject.content_rule_package_usbguard_installed is missing and cannot be met as it's not part of the benchmark.
52m   Normal    RemediationDependencyCannotBeMet   complianceremediation/rhcos4-moderate-master-configure-usbguard-auditbackend   The dependency rhcos4-moderate-master-package-usbguard-installed not met, please apply its remediations and retry
35m   Normal    RemediationDependencyCannotBeMet   complianceremediation/rhcos4-moderate-master-configure-usbguard-auditbackend   The dependency rhcos4-moderate-master-package-usbguard-installed not met, please apply its remediations and retry
51m   Normal    RemediationDependencyCannotBeMet   complianceremediation/rhcos4-moderate-worker-configure-usbguard-auditbackend   The dependency rhcos4-moderate-master-package-usbguard-installed not met, please apply its remediations and retry
35m   Normal    RemediationDependencyCannotBeMet   complianceremediation/rhcos4-moderate-worker-configure-usbguard-auditbackend   The dependency rhcos4-moderate-master-package-usbguard-installed not met, please apply its remediations and retry

$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-81dc118ed7716b5c66c8c1872c99702f   False     False      False      3              0                   0                     0                      84m
worker   rendered-worker-a508a6792ad6969bc19b4206efc72088   False     False      False      3              0                   0                     0                      84m
...
master   rendered-master-81dc118ed7716b5c66c8c1872c99702f   False     True       False      3              1                   1                     0                      88m
master   rendered-master-81dc118ed7716b5c66c8c1872c99702f   False     True       False      3              1                   1                     0                      89m
worker   rendered-worker-a508a6792ad6969bc19b4206efc72088   False     True       False      3              2                   2                     0                      91m
worker   rendered-worker-a508a6792ad6969bc19b4206efc72088   False     True       False      3              2                   2                     0                      91m

$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-dea479d197217cf830a5ebf98db47fed   True      False      False      3              3                   3                     0                      102m
worker   rendered-worker-f42dfe48595969cfea1a5ca31ef0b827   True      False      False      3              3                   3                     0                      102m

$ oc compliance rerun-now compliancesuite/ocp4-moderate-test
Rerunning scans from 'ocp4-moderate-test': rhcos4-moderate-worker, rhcos4-moderate-master
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'

$ oc get scan -w
NAME                     PHASE         RESULT
rhcos4-moderate-master   LAUNCHING     NOT-AVAILABLE
rhcos4-moderate-worker   RUNNING       NOT-AVAILABLE
rhcos4-moderate-master   RUNNING       NOT-AVAILABLE
rhcos4-moderate-worker   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-master   AGGREGATING   NOT-AVAILABLE
rhcos4-moderate-master   DONE          NON-COMPLIANT
rhcos4-moderate-worker   DONE          NON-COMPLIANT

$ oc get ccr |grep auditbackend
rhcos4-moderate-master-configure-usbguard-auditbackend   PASS   medium
rhcos4-moderate-worker-configure-usbguard-auditbackend   PASS   medium
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:0014