[Bug_Verification] It looks good. The rule ocp4-api-server-no-adm-ctrl-plugins-disabled is getting PASS when the list of disabled admission plugins is empty.

Verified on: 4.10.0-0.nightly-2022-03-27-074444 + compliance-operator.v0.1.49

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-03-27-074444   True        False         113m    Cluster version is 4.10.0-0.nightly-2022-03-27-074444

$ oc get csv
NAME                               DISPLAY                            VERSION     REPLACES   PHASE
compliance-operator.v0.1.49        Compliance Operator                0.1.49                 Succeeded
elasticsearch-operator.5.4.0-123   OpenShift Elasticsearch Operator   5.4.0-123              Succeeded

$ oc get pods
NAME                                              READY   STATUS    RESTARTS      AGE
compliance-operator-9bf58698f-w7sq9               1/1     Running   1 (73m ago)   74m
ocp4-openshift-compliance-pp-59cd7665d6-xlzl8     1/1     Running   0             72m
rhcos4-openshift-compliance-pp-5c85d4d5c8-78dsn   1/1     Running   0             72m

$ oc get rules ocp4-api-server-no-adm-ctrl-plugins-disabled -ojsonpath={.instructions}
To verify that the list of disabled admission plugins is empty, run the following command:
$oc -n openshift-kube-apiserver get configmap config -o json | jq -r '[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]'

$ oc create -f - << EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
> - name: ocp4-cis
>   kind: Profile
>   apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get suite -w
NAME       PHASE         RESULT
my-ssb-r   RUNNING       NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          NON-COMPLIANT
my-ssb-r   DONE          NON-COMPLIANT

$ oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT

$ oc get scan
NAME       PHASE   RESULT
ocp4-cis   DONE    NON-COMPLIANT

$ oc get pods
NAME                                              READY   STATUS      RESTARTS      AGE
aggregator-pod-ocp4-cis                           0/1     Completed   0             34s
compliance-operator-9bf58698f-w7sq9               1/1     Running     1 (87m ago)   87m
ocp4-cis-api-checks-pod                           0/2     Completed   0             64s
ocp4-openshift-compliance-pp-59cd7665d6-xlzl8     1/1     Running     0             86m
rhcos4-openshift-compliance-pp-5c85d4d5c8-78dsn   1/1     Running     0             86m

$ oc get ccr ocp4-cis-api-server-no-adm-ctrl-plugins-disabled
NAME                                               STATUS   SEVERITY
ocp4-cis-api-server-no-adm-ctrl-plugins-disabled   PASS     medium

$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '[.data."config.yaml" | fromjson | select(.apiServerArguments."disable-admission-plugins"!=["PodSecurity"] and .apiServerArguments."disable-admission-plugins"!=[]) | .apiServerArguments."disable-admission-plugins"]'
[]

$ oc -n openshift-kube-apiserver get configmap config -o json | jq -r '[.data."config.yaml" | fromjson | .apiServerArguments | select(has("disable-admission-plugins")) | if ."disable-admission-plugins" != ["PodSecurity"] then ."disable-admission-plugins" else empty end]'
[]
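The check behind the rule's jq filter, written out as an added Python example (not the compliance-operator's own code): it parses a ConfigMap shaped like the openshift-kube-apiserver `config` object, decodes the JSON stored under `data."config.yaml"`, and reports PASS only when no admission plugin other than the tolerated `PodSecurity` is disabled, treating an absent key and an empty list the same way. The ConfigMap contents and the `make_configmap` helper are constructed for this example.

```python
import json

# Constructed sample: the subset of the openshift-kube-apiserver "config"
# ConfigMap that the rule reads. config.yaml is stored as a JSON string
# inside the ConfigMap, which is why the jq filter uses `fromjson`.
def make_configmap(disabled):
    """Build a ConfigMap-shaped dict whose embedded config.yaml carries the
    given disable-admission-plugins value (None means the key is absent)."""
    args = {"enable-admission-plugins": ["NodeRestriction"]}
    if disabled is not None:
        args["disable-admission-plugins"] = disabled
    config_yaml = {
        "apiVersion": "kubecontrolplane.config.openshift.io/v1",
        "kind": "KubeAPIServerConfig",
        "apiServerArguments": args,
    }
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": "config", "namespace": "openshift-kube-apiserver"},
        "data": {"config.yaml": json.dumps(config_yaml)},
    }

# The one value the rule tolerates, matching the jq comparison against
# ["PodSecurity"] in the rule's instructions.
TOLERATED = ["PodSecurity"]

def disabled_admission_plugins(configmap):
    """Return the admission plugins the API server is configured to disable,
    beyond the tolerated PodSecurity-only value. Mirrors the jq filter:
    decode config.yaml, select apiServerArguments, keep
    disable-admission-plugins only when it is not exactly ["PodSecurity"]."""
    config = json.loads(configmap["data"]["config.yaml"])
    args = config.get("apiServerArguments", {})
    if "disable-admission-plugins" not in args:
        return []                      # key absent: nothing disabled
    disabled = list(args["disable-admission-plugins"])
    return [] if disabled == TOLERATED else disabled

def rule_result(configmap):
    """PASS when the filter leaves nothing behind (key absent, empty list,
    or only PodSecurity); FAIL when any other plugin is disabled."""
    return "PASS" if not disabled_admission_plugins(configmap) else "FAIL"

if __name__ == "__main__":
    for sample in (None, [], ["PodSecurity"], ["PodSecurity", "NamespaceLifecycle"]):
        cm = make_configmap(sample)
        print(sample, "->", rule_result(cm), disabled_admission_plugins(cm))
```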
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1148