Bug 2058631 - Compliance rule: ocp4-api-server-no-adm-ctrl-plugins-disabled, is failing.
Summary: Compliance rule: ocp4-api-server-no-adm-ctrl-plugins-disabled, is failing.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Vincent Shen
QA Contact: Prashant Dhamdhere
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-02-25 13:17 UTC by Mithilesh Kaur Bagga
Modified: 2023-09-15 01:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The ocp4-api-server-no-adm-ctrl-plugins-disabled rule did not properly check for an empty list of disabled admission controller plugins.
Consequence: The rule would always fail, even if all admission plugins were enabled.
Fix: Use the new content, which has more robust checking for disabled admission controller plugins.
Result: The rule accurately passes when all admission controller plugins are enabled.
Clone Of:
Environment:
Last Closed: 2022-04-18 07:54:00 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github ComplianceAsCode content pull 8201 0 None Merged OCP4: Fix api_server_no_adm_ctrl_plugins_disabled jq filter 2022-02-28 17:18:53 UTC
Red Hat Knowledge Base (Solution) 6970062 0 None None None 2022-08-02 09:16:01 UTC
Red Hat Product Errata RHBA-2022:1148 0 None None None 2022-04-18 07:54:10 UTC

Comment 7 Prashant Dhamdhere 2022-03-28 14:10:26 UTC
[Bug_Verification]

It looks good. The rule ocp4-api-server-no-adm-ctrl-plugins-disabled is getting PASS when
the list of disabled admission plugins is empty.


Verified on:

4.10.0-0.nightly-2022-03-27-074444 + compliance-operator.v0.1.49


$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-03-27-074444   True        False         113m    Cluster version is 4.10.0-0.nightly-2022-03-27-074444


$ oc get csv
NAME                               DISPLAY                            VERSION     REPLACES   PHASE
compliance-operator.v0.1.49        Compliance Operator                0.1.49                 Succeeded
elasticsearch-operator.5.4.0-123   OpenShift Elasticsearch Operator   5.4.0-123              Succeeded


$ oc get pods
NAME                                              READY   STATUS    RESTARTS      AGE
compliance-operator-9bf58698f-w7sq9               1/1     Running   1 (73m ago)   74m
ocp4-openshift-compliance-pp-59cd7665d6-xlzl8     1/1     Running   0             72m
rhcos4-openshift-compliance-pp-5c85d4d5c8-78dsn   1/1     Running   0             72m


$ oc get rules ocp4-api-server-no-adm-ctrl-plugins-disabled -ojsonpath={.instructions}
To verify that the list of disabled admission plugins is empty, run the following command:
$oc -n openshift-kube-apiserver get configmap config -o json | jq -r '[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]'


$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default 
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created


$ oc get suite -w
NAME       PHASE     RESULT
my-ssb-r   RUNNING   NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          NON-COMPLIANT
my-ssb-r   DONE          NON-COMPLIANT


$ oc get suite 
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT


$ oc get scan
NAME       PHASE   RESULT
ocp4-cis   DONE    NON-COMPLIANT


$ oc get pods
NAME                                              READY   STATUS      RESTARTS      AGE
aggregator-pod-ocp4-cis                           0/1     Completed   0             34s
compliance-operator-9bf58698f-w7sq9               1/1     Running     1 (87m ago)   87m
ocp4-cis-api-checks-pod                           0/2     Completed   0             64s
ocp4-openshift-compliance-pp-59cd7665d6-xlzl8     1/1     Running     0             86m
rhcos4-openshift-compliance-pp-5c85d4d5c8-78dsn   1/1     Running     0             86m


$ oc get ccr ocp4-cis-api-server-no-adm-ctrl-plugins-disabled
NAME                                               STATUS   SEVERITY
ocp4-cis-api-server-no-adm-ctrl-plugins-disabled   PASS     medium


$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '[.data."config.yaml" | fromjson | select(.apiServerArguments."disable-admission-plugins"!=["PodSecurity"] and .apiServerArguments."disable-admission-plugins"!=[]) | .apiServerArguments."disable-admission-plugins"]'
[]

$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]'
[]

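The two jq filters quoted in the verification comment above behave differently when the kube-apiserver config carries no `disable-admission-plugins` argument at all, which is the situation the Doc Text calls an "empty list" of disabled plugins. The following is an added example, not code from the bug report or from the ComplianceAsCode project: it mirrors both filters in Python (jq's `null` for a missing key becomes Python's `None`) and runs them over constructed ConfigMaps, so the difference can be checked offline without a cluster. The `rule_passes` helper is an assumption that the rule treats an empty array as a pass, which matches the `[]` output shown alongside the PASS result in the comment.

```python
"""Added example, not part of the bug report or of ComplianceAsCode content:
model the two jq filters from the verification comment and run them over
constructed openshift-kube-apiserver/config ConfigMaps."""
import json

# The single disabled plugin the rule tolerates, taken from the jq filters.
PSA_ONLY = ["PodSecurity"]


def make_configmap(api_server_args: dict) -> dict:
    """Constructed ConfigMap in the shape of openshift-kube-apiserver/config:
    data["config.yaml"] holds a JSON document (jq's `fromjson` parses it)."""
    config = {"apiServerArguments": dict(api_server_args)}
    return {"data": {"config.yaml": json.dumps(config)}}


def filter_compare_only(configmap: dict) -> list:
    """Mirror of the comparison-only filter:
    [.data."config.yaml" | fromjson
      | select(.apiServerArguments."disable-admission-plugins" != ["PodSecurity"]
               and .apiServerArguments."disable-admission-plugins" != [])
      | .apiServerArguments."disable-admission-plugins"]
    In jq a missing key reads as null, which is neither ["PodSecurity"]
    nor [], so the select passes and the collected output is [null]."""
    cfg = json.loads(configmap["data"]["config.yaml"])
    disabled = cfg["apiServerArguments"].get("disable-admission-plugins")  # None == jq null
    if disabled != PSA_ONLY and disabled != []:
        return [disabled]
    return []


def filter_with_has(configmap: dict) -> list:
    """Mirror of the rule's current instructions:
    [.data."config.yaml" | fromjson | .apiServerArguments
      | select(has("disable-admission-plugins"))
      | if ."disable-admission-plugins" != ["PodSecurity"]
        then ."disable-admission-plugins" else empty end]
    has() drops a config without the key, so an all-enabled cluster yields [].
    Note that an explicitly present empty list is not equal to ["PodSecurity"]
    and is therefore emitted as an element, giving [[]]."""
    args = json.loads(configmap["data"]["config.yaml"])["apiServerArguments"]
    if "disable-admission-plugins" not in args:
        return []
    disabled = args["disable-admission-plugins"]
    return [disabled] if disabled != PSA_ONLY else []


def rule_passes(filter_output: list) -> bool:
    """Assumed pass criterion: the filter must produce an empty array,
    which is the output shown next to the PASS result in the comment."""
    return filter_output == []


# Constructed cases; the first is the "nothing disabled" cluster the bug is about.
CASES = {
    "argument absent": {},
    "PodSecurity only": {"disable-admission-plugins": ["PodSecurity"]},
    "explicit empty list": {"disable-admission-plugins": []},
    "extra plugin disabled": {"disable-admission-plugins": ["PodSecurity", "NamespaceLifecycle"]},
}


def evaluate_all() -> dict:
    """Run both filters over every case; returns {case: (compare_only, with_has)}."""
    results = {}
    for name, args in CASES.items():
        cm = make_configmap(args)
        results[name] = (filter_compare_only(cm), filter_with_has(cm))
    return results


if __name__ == "__main__":
    for name, (old, new) in evaluate_all().items():
        print(f"{name:24s} compare-only={json.dumps(old):32s} pass={rule_passes(old)!s:5s} "
              f"has()={json.dumps(new):32s} pass={rule_passes(new)}")
```

Running the block prints one line per case. Only the `has()` form returns `[]` for the "argument absent" case, which is the cluster state the verification comment shows passing; the comparison-only form returns `[null]` there, so a rule keyed on `[]` would report a failure even though no admission plugin is disabled.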
Comment 9 errata-xmlrpc 2022-04-18 07:54:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1148

Comment 10 Red Hat Bugzilla 2023-09-15 01:52:15 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days

