Bug 2082416 - The rule: ocp4-kubelet-configure-event-creation is failing after auto remediation applied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Vincent Shen
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-06 06:08 UTC by Mithilesh Kaur Bagga
Modified: 2023-03-08 17:14 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-02 16:00:53 UTC
Target Upstream Version:
Embargoed:
wenshen: needinfo-




Links
GitHub ComplianceAsCode content pull 9265 (status: open): OCP: Fix rule kubelet_configure_event_creation. Last updated: 2022-07-29 03:28:28 UTC
Red Hat Knowledge Base (Solution) 6970058. Last updated: 2022-08-05 05:46:15 UTC
Red Hat Product Errata RHBA-2022:6657. Last updated: 2022-11-02 16:01:09 UTC

Comment 1 Jakub Hrozek 2022-06-02 18:09:14 UTC
Seems like a legit bug.

Comment 7 xiyuan 2022-09-23 15:07:07 UTC
Verification pass with 4.12.0-0.nightly-2022-09-22-153054 + compliance-operator.v0.1.55 
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get suite -w
NAME   PHASE       RESULT
test   LAUNCHING   NOT-AVAILABLE
test   LAUNCHING   NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   RUNNING     NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
^C
$ oc get scan
NAME                   PHASE   RESULT
ocp4-cis               DONE    NON-COMPLIANT
ocp4-cis-node-master   DONE    NON-COMPLIANT
ocp4-cis-node-worker   DONE    NON-COMPLIANT
$ oc get ccr | grep creation
ocp4-cis-kubelet-configure-event-creation                             PASS     medium
ocp4-cis-rbac-pod-creation-access                                     MANUAL   medium
$ oc get ccr ocp4-cis-kubelet-configure-event-creation -o yaml
apiVersion: compliance.openshift.io/v1alpha1
description: |-
  Kubelet - Ensure Event Creation Is Configured
  It is important to capture all events and not restrict event creation.
  Events are an important source of security information and analytics that
  ensure that your environment is consistently monitored using the event
  data.
id: xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation
instructions: |-
  Run the following command on the kubelet node(s):
  $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done
  The output should return .
kind: ComplianceCheckResult
metadata:
  annotations:
    compliance.openshift.io/rule: kubelet-configure-event-creation
  creationTimestamp: "2022-09-23T15:01:35Z"
  generation: 1
  labels:
    compliance.openshift.io/automated-remediation: ""
    compliance.openshift.io/check-severity: medium
    compliance.openshift.io/check-status: PASS
    compliance.openshift.io/scan-name: ocp4-cis
    compliance.openshift.io/suite: test
  name: ocp4-cis-kubelet-configure-event-creation
  namespace: openshift-compliance
  ownerReferences:
  - apiVersion: compliance.openshift.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: ComplianceScan
    name: ocp4-cis
    uid: d1e57965-2a23-4f08-812d-ab34e850aaa0
  resourceVersion: "213996"
  uid: 252da054-ed3c-4762-bb29-27f3ef0673eb
severity: medium
status: PASS
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done
  "eventRecordQPS": 5,
  "eventRecordQPS": 5,
  "eventRecordQPS": 5,
  "eventRecordQPS": 5,
  "eventRecordQPS": 5,
  "eventRecordQPS": 5,

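Added example, not Compliance Operator or ComplianceAsCode code: a Python script that applies the same per-node check as the `configz | jq | grep eventRecordQPS` loop in Comment 7, but over constructed configz documents and reporting per node. The grep loop prints one anonymous line per node, so a kubelet that omits the field (or a node whose proxy call fails) shows up only as one line fewer; this version names the node and flags it. The expected value is a parameter: 5 is what every node returned in the verification run above and is used here as an assumption, since the rule's own expected value is elided on this page ("The output should return ."). Node names and the sample documents are constructed.

```python
"""Evaluate the kubelet eventRecordQPS check per node (added example).

Input per node is the JSON body of
  oc get --raw /api/v1/nodes/<node>/proxy/configz
whose top-level object carries the kubelet configuration under
"kubeletconfig". The documents below are constructed samples that keep
only the keys this check reads; real responses carry many more fields.
"""
import json

# Constructed configz responses, keyed by (hypothetical) node name.
CONFIGZ_BY_NODE = {
    "master-0": json.dumps({"kubeletconfig": {"eventRecordQPS": 5, "eventBurst": 10}}),
    "worker-0": json.dumps({"kubeletconfig": {"eventRecordQPS": 5}}),
    # A node whose kubelet was configured differently from the others.
    "worker-1": json.dumps({"kubeletconfig": {"eventRecordQPS": 0}}),
    # Key absent: the grep loop from the comment prints nothing for this
    # node, so the gap is only visible as a missing output line.
    "worker-2": json.dumps({"kubeletconfig": {"eventBurst": 10}}),
}


def event_record_qps(configz_json: str):
    """Return the kubelet's eventRecordQPS, or None if the field is absent."""
    doc = json.loads(configz_json)
    return doc.get("kubeletconfig", {}).get("eventRecordQPS")


def check_nodes(configz_by_node: dict, expected_qps: int) -> dict:
    """Map node name -> 'PASS' | 'FAIL' | 'MISSING'.

    expected_qps is an assumption supplied by the caller; the rule's real
    expected value is not shown on the bug page, so this mirrors the
    "grep for the field and compare" instruction rather than the rule's
    own OVAL/YAML logic.
    """
    results = {}
    for node, raw in configz_by_node.items():
        qps = event_record_qps(raw)
        if qps is None:
            results[node] = "MISSING"
        elif qps == expected_qps:
            results[node] = "PASS"
        else:
            results[node] = "FAIL"
    return results


def overall(results: dict) -> str:
    """A node-level scan is NON-COMPLIANT unless every node passes."""
    return "COMPLIANT" if results and all(r == "PASS" for r in results.values()) else "NON-COMPLIANT"


if __name__ == "__main__":
    # 5 is the value observed on all nodes in the verification run (assumption).
    res = check_nodes(CONFIGZ_BY_NODE, expected_qps=5)
    for node, status in res.items():
        print(f"{node:10} {status}")
    print(overall(res))
```

In practice the per-node documents would be fetched with the same `oc get --raw .../proxy/configz` call the comment uses; keeping the node name next to each result is what makes a single misconfigured or unreachable node stand out, which a flat stream of `"eventRecordQPS": 5,` lines does not.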
Comment 9 errata-xmlrpc 2022-11-02 16:00:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6657

