Description of problem:

If you perform:

```
oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]'
```

from the compliancecheckresults ocp4-cis-configure-network-policies-namespaces instruction (obtained via `oc get compliancecheckresults ocp4-cis-configure-network-policies-namespaces -oyaml | grep instructions -A 10`) you don't get a list of namespaces. Instead you get masses of JSON output. This is because the command is missing the statement to only show `.metadata.name`.

Version-Release number of selected component (if applicable):
- Compliance Operator 0.1.39
- OpenShift: 4.7.23 (IBM Cloud ROKS)

How reproducible:
Every time

Steps to Reproduce:
1. Perform `oc get compliancecheckresults ocp4-cis-configure-network-policies-namespaces -oyaml | grep instructions -A 10`
2. Perform the instruction to "get all non-control plane namespaces"

Actual results:
Lots of JSON

Expected results:
A list of namespace names

Additional info:
The command needs to be:

```
oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name]'
```
Just a quick note: the JQ filter is used in both instructions and in the actual rule OVAL check[1] and stored in the rule definition[2] as a variable, so I'm not sure just amending the filter would work or if it would break the rule itself. If this is tripping users up, we can hard-code the instructions in the rule definition, but just saying that it's not a matter of amending the filter blindly. [1] https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies_namespaces/oval/shared.xml [2] https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/configure_network_policies_namespaces/rule.yml
https://github.com/ComplianceAsCode/content/pull/7746
[Bug_Verification] Looks good. The instruction has an updated JSON query which reports a list of all the non-control-plane namespaces.

Verified on: 4.9.0-0.nightly-2021-10-22-102153 + compliance-operator.v0.1.44

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-10-22-102153   True        False         4h29m   Cluster version is 4.9.0-0.nightly-2021-10-22-102153

$ oc get csv
NAME                             DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.44      Compliance Operator                0.1.44               Succeeded
elasticsearch-operator.5.2.3-5   OpenShift Elasticsearch Operator   5.2.3-5              Succeeded

$ oc get rules ocp4-configure-network-policies-namespaces -ojsonpath={.instructions}
Verify that the every non-control plane namespace has an appropriate NetworkPolicy.

To get all the non-control plane namespaces, you can do the following command
oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'

To get all the non-control plane namespaces with a NetworkPolicy, you can do the following command
oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'

Make sure that the namespaces displayed in the commands of the commands match.
$ oc create ns ocp-32456
namespace/ocp-32456 created
$ oc create ns bz2003170
namespace/bz2003170 created
$ oc create ns test1
namespace/test1 created
$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: moderate-test
> profiles:
> - apiGroup: compliance.openshift.io/v1alpha1
>   kind: Profile
>   name: ocp4-moderate
> settingsRef:
>   apiGroup: compliance.openshift.io/v1alpha1
>   kind: ScanSetting
>   name: default
> EOF
scansettingbinding.compliance.openshift.io/moderate-test created

$ oc get pods
NAME                                              READY   STATUS      RESTARTS      AGE
aggregator-pod-ocp4-moderate                      0/1     Completed   0             44s
compliance-operator-59d44fb857-4d67g              1/1     Running     1 (18m ago)   19m
ocp4-moderate-api-checks-pod                      0/2     Completed   0             94s
ocp4-openshift-compliance-pp-789f969db-9bk7v      1/1     Running     0             18m
rhcos4-openshift-compliance-pp-7f88cf4598-qrts9   1/1     Running     0             18m

$ oc get suite
NAME            PHASE   RESULT
moderate-test   DONE    NON-COMPLIANT

$ oc get checkresult ocp4-moderate-configure-network-policies-namespaces -o=jsonpath={.instructions}
Verify that the every non-control plane namespace has an appropriate NetworkPolicy.

To get all the non-control plane namespaces, you can do the following command
oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'

To get all the non-control plane namespaces with a NetworkPolicy, you can do the following command
oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'

Make sure that the namespaces displayed in the commands of the commands match.
$ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
[
  "bz2003170",
  "ocp-32456",
  "test1"
]

$ oc create -f -<<EOF
> kind: NetworkPolicy
> apiVersion: networking.k8s.io/v1
> metadata:
>   name: allow-same-namespace
>   namespace: test1
> spec:
>   podSelector:
>   ingress:
>   - from:
>     - podSelector: {}
> EOF
networkpolicy.networking.k8s.io/allow-same-namespace created

$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
[
  "test1"
]

$ oc delete NetworkPolicy allow-same-namespace -ntest1
networkpolicy.networking.k8s.io "allow-same-namespace" deleted

$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.namespace] | unique'
[]
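The two instruction commands above leave the final step ("make sure the namespaces match") to the reader. The following is an added example, not part of the bug report or the Compliance Operator, that reproduces the jq selection logic offline in Python over constructed `oc get ... -o json` output and computes the namespaces the rule would flag. The sample cluster contents mirror the verification session; note that for the NetworkPolicy step it keys on each policy's `.metadata.namespace`, whereas the instruction's `select()` is applied to the policy's own `.metadata.name`.

```python
"""Added example (not from the bug report): reproduce the jq filters in Python
and list non-control-plane namespaces that have no NetworkPolicy."""
import json

# Constructed sample of `oc get namespaces -o json` (only the fields used here).
NAMESPACES_JSON = json.dumps({"items": [
    {"metadata": {"name": n}} for n in
    ["default", "kube-system", "openshift-monitoring",
     "bz2003170", "ocp-32456", "test1"]
]})

# Constructed sample of `oc get --all-namespaces networkpolicies -o json`.
NETWORKPOLICIES_JSON = json.dumps({"items": [
    {"metadata": {"name": "allow-same-namespace", "namespace": "test1"}},
    {"metadata": {"name": "allow-from-router", "namespace": "openshift-monitoring"}},
]})


def is_control_plane(name: str) -> bool:
    """Same predicate as the jq select(): openshift*, kube-* and default."""
    return name.startswith("openshift") or name.startswith("kube-") or name == "default"


def user_namespaces(ns_json: str) -> list:
    """Equivalent of the corrected filter: names of non-control-plane namespaces."""
    items = json.loads(ns_json)["items"]
    return sorted(i["metadata"]["name"] for i in items
                  if not is_control_plane(i["metadata"]["name"]))


def namespaces_with_policy(np_json: str) -> list:
    """Unique non-control-plane namespaces that contain at least one NetworkPolicy.
    Keys on the policy's namespace (the instruction's select() looks at the policy name)."""
    items = json.loads(np_json)["items"]
    return sorted({i["metadata"]["namespace"] for i in items
                   if not is_control_plane(i["metadata"]["namespace"])})


def namespaces_missing_policy(ns_json: str, np_json: str) -> list:
    """Namespaces the CIS check would flag: in the first list but not the second."""
    covered = set(namespaces_with_policy(np_json))
    return [n for n in user_namespaces(ns_json) if n not in covered]


if __name__ == "__main__":
    print("non-control-plane namespaces:", user_namespaces(NAMESPACES_JSON))
    print("with a NetworkPolicy:", namespaces_with_policy(NETWORKPOLICIES_JSON))
    print("missing a NetworkPolicy:",
          namespaces_missing_policy(NAMESPACES_JSON, NETWORKPOLICIES_JSON))
```

With real cluster data, feed the output of the two `oc get ... -o json` commands into the same functions in place of the constructed strings.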
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4530