Bug 2003170 - Instruction in compliancecheckresults ocp4-cis-configure-network-policies-namespaces is wrong
Summary: Instruction in compliancecheckresults ocp4-cis-configure-network-policies-nam...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Prashant Dhamdhere
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-09-10 14:07 UTC by Matt
Modified: 2021-11-15 09:58 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-10 07:37:22 UTC
Target Upstream Version:
Embargoed:




Links:
- GitHub ComplianceAsCode/content pull 7746 (open): OCP: Fix OCIL description of configure_network_policies_namespaces (last updated 2021-10-14 13:22:47 UTC)
- Red Hat Product Errata RHBA-2021:4530 (last updated 2021-11-10 07:37:28 UTC)

Description Matt 2021-09-10 14:07:16 UTC
Description of problem:
If you perform `oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]'` from the compliancecheckresults ocp4-cis-configure-network-policies-namespaces instruction (obtained via `oc get compliancecheckresults ocp4-cis-configure-network-policies-namespaces -oyaml | grep instructions -A 10`), you don't get a list of namespaces. Instead you get masses of JSON output. This is because the command is missing the statement to only show `.metadata.name`.

Version-Release number of selected component (if applicable):
 - Compliance Operator 0.1.39
 - OpenShift: 4.7.23 (IBM Cloud ROKS)


How reproducible:
every time


Steps to Reproduce:
1. Perform `oc get compliancecheckresults ocp4-cis-configure-network-policies-namespaces -oyaml | grep instructions -A 10`
2. Perform instruction to "get all non-control plane namespaces"
3.

Actual results:
Lots of JSON

Expected results:
A list of namespace names

Additional info: The command needs to be:
```
oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
```

Comment 1 Jakub Hrozek 2021-09-13 11:58:33 UTC
Just a quick note: the JQ filter is used in both instructions and in the actual rule OVAL check[1] and stored in the rule definition[2] as a variable, so I'm not sure just amending the filter would work or if it would break the rule itself. If this is tripping users up, we can hard-code the instructions in the rule definition, but just saying that it's not a matter of amending the filter blindly.

[1] https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies_namespaces/oval/shared.xml
[2] https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies_namespaces/rule.yml

Comment 7 Prashant Dhamdhere 2021-10-25 10:32:27 UTC
[Bug_Verification]


Looks good. The instruction has an updated jq query which reports a list of all the non-control plane namespaces.


Verified on:
4.9.0-0.nightly-2021-10-22-102153 + compliance-operator.v0.1.44


$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-10-22-102153   True        False         4h29m   Cluster version is 4.9.0-0.nightly-2021-10-22-102153

$ oc get csv
NAME                             DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.44      Compliance Operator                0.1.44               Succeeded
elasticsearch-operator.5.2.3-5   OpenShift Elasticsearch Operator   5.2.3-5              Succeeded


$ oc get rules ocp4-configure-network-policies-namespaces -ojsonpath={.instructions}
Verify that the every non-control plane namespace has an appropriate
NetworkPolicy.

To get all the non-control plane namespaces, you can do the
following command oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'

To get all the non-control plane namespaces with a NetworkPolicy, you can do the
following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'

Make sure that the namespaces displayed in the commands of the commands match.


$ oc create ns ocp-32456
namespace/ocp-32456 created

$ oc create ns bz2003170
namespace/bz2003170 created
 
$ oc create ns test1
namespace/test1 created


$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: moderate-test
> profiles:
> - apiGroup: compliance.openshift.io/v1alpha1
>   kind: Profile
>   name: ocp4-moderate
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF
scansettingbinding.compliance.openshift.io/moderate-test created


$ oc get pods
NAME                                              READY   STATUS      RESTARTS      AGE
aggregator-pod-ocp4-moderate                      0/1     Completed   0             44s
compliance-operator-59d44fb857-4d67g              1/1     Running     1 (18m ago)   19m
ocp4-moderate-api-checks-pod                      0/2     Completed   0             94s
ocp4-openshift-compliance-pp-789f969db-9bk7v      1/1     Running     0             18m
rhcos4-openshift-compliance-pp-7f88cf4598-qrts9   1/1     Running     0             18m


$ oc get suite
NAME            PHASE   RESULT
moderate-test   DONE    NON-COMPLIANT

$ oc get checkresult ocp4-moderate-configure-network-policies-namespaces -o=jsonpath={.instructions}
Verify that the every non-control plane namespace has an appropriate
NetworkPolicy.

To get all the non-control plane namespaces, you can do the
following command oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'

To get all the non-control plane namespaces with a NetworkPolicy, you can do the
following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'

Make sure that the namespaces displayed in the commands of the commands match.


$ oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
[
  "bz2003170",
  "ocp-32456",
  "test1"
]


$ oc create -f -<<EOF
> kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: allow-same-namespace
>   namespace: test1
> spec:
>   podSelector:
>   ingress:
>   - from:
>     - podSelector: {}
> EOF
networkpolicy.networking.k8s.io/allow-same-namespace created


$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
[
  "test1"
]

$ oc delete NetworkPolicy allow-same-namespace -ntest1
networkpolicy.networking.k8s.io "allow-same-namespace" deleted

$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
[]
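The manual check the instruction describes (list the non-control-plane namespaces, list the namespaces that carry a NetworkPolicy, compare the two), as an added example that is not part of this bug report, the Compliance Operator, or the ComplianceAsCode content. It re-implements the quoted jq filters in Python so it runs offline against constructed sample objects shaped like the output of `oc get namespaces -o json` and `oc get --all-namespaces networkpolicies -o json`; the namespace names and the policy placed in `openshift-monitoring` are constructed for the example. One caveat worth noting: the second jq command as printed in the instruction applies the openshift/kube-/default exclusion to `.metadata.name`, which on a NetworkPolicy is the policy's name rather than its namespace, so a policy living in an `openshift-*` namespace would still contribute that namespace to the result. The `namespaces_with_policy` function below applies the exclusion to `.metadata.namespace` instead.

```python
"""Offline equivalent of the manual check in the
ocp4-cis-configure-network-policies-namespaces instruction.

Added example, not Compliance Operator or ComplianceAsCode code. It mirrors
the jq filters quoted in the bug on JSON shaped like the output of
`oc get namespaces -o json` and `oc get --all-namespaces networkpolicies -o json`.
"""
import json
import sys

# Same exclusions as the jq filter:
# startswith("openshift"), startswith("kube-"), name == "default".
CONTROL_PLANE_PREFIXES = ("openshift", "kube-")
CONTROL_PLANE_NAMES = frozenset({"default"})


def is_control_plane(namespace: str) -> bool:
    """True for namespaces the rule treats as control plane and skips."""
    return namespace.startswith(CONTROL_PLANE_PREFIXES) or namespace in CONTROL_PLANE_NAMES


def non_control_plane_namespaces(namespace_list: dict) -> list[str]:
    """Equivalent of the corrected filter from the bug:
    jq '[.items[] | select(<not control plane>) | .metadata.name]'
    Without the trailing `| .metadata.name` jq emits whole Namespace objects,
    which is the "masses of JSON" the report describes."""
    return sorted(
        item["metadata"]["name"]
        for item in namespace_list["items"]
        if not is_control_plane(item["metadata"]["name"])
    )


def namespaces_with_policy(policy_list: dict) -> list[str]:
    """Namespaces holding at least one NetworkPolicy, minus control-plane ones.
    The exclusion is applied to .metadata.namespace: on a NetworkPolicy,
    .metadata.name is the policy's own name, so filtering on it would not
    drop policies that live in openshift-* namespaces."""
    return sorted({
        item["metadata"]["namespace"]
        for item in policy_list["items"]
        if not is_control_plane(item["metadata"]["namespace"])
    })


def namespaces_missing_policy(namespace_list: dict, policy_list: dict) -> list[str]:
    """Non-control-plane namespaces with no NetworkPolicy at all, i.e. the
    namespaces that make the two lists in the instruction fail to match."""
    covered = set(namespaces_with_policy(policy_list))
    return [ns for ns in non_control_plane_namespaces(namespace_list) if ns not in covered]


# Constructed sample objects (not captured from a cluster), in the shape of
# `oc get ... -o json` list output; only the fields the filters read are set.
def _namespace(name: str) -> dict:
    return {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": name}}


def _policy(name: str, namespace: str) -> dict:
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}}


SAMPLE_NAMESPACES = {"apiVersion": "v1", "kind": "List", "items": [
    _namespace("default"), _namespace("kube-system"), _namespace("openshift-monitoring"),
    _namespace("bz2003170"), _namespace("ocp-32456"), _namespace("test1"),
]}
SAMPLE_POLICIES = {"apiVersion": "v1", "kind": "List", "items": [
    _policy("allow-same-namespace", "test1"),
    # Constructed: a policy in a control-plane namespace. Filtering on the
    # policy name (as the printed instruction does) would let this one through.
    _policy("allow-same-namespace", "openshift-monitoring"),
]}


def main(argv: list[str]) -> int:
    if len(argv) == 3:  # real cluster: files saved from the two oc commands
        with open(argv[1]) as f:
            namespaces = json.load(f)
        with open(argv[2]) as f:
            policies = json.load(f)
    else:
        namespaces, policies = SAMPLE_NAMESPACES, SAMPLE_POLICIES
    missing = namespaces_missing_policy(namespaces, policies)
    print("non-control-plane namespaces:", non_control_plane_namespaces(namespaces))
    print("namespaces with a NetworkPolicy:", namespaces_with_policy(policies))
    print("namespaces without a NetworkPolicy:", missing)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it uses the constructed sample and reports `bz2003170` and `ocp-32456` as lacking a policy, matching the state the verification above reaches once the policy in `test1` is created. Against a real cluster, save `oc get namespaces -o json` and `oc get --all-namespaces networkpolicies -o json` to two files and pass their paths as the two arguments; a non-zero exit status means at least one non-control-plane namespace has no NetworkPolicy.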

Comment 9 errata-xmlrpc 2021-11-10 07:37:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4530

