Description of problem:
The rule ocp4-configure-network-policies is checking network policies with the command below. Per https://github.com/ComplianceAsCode/content/pull/8524/files, it will pass when the network type contains OpenShiftSDN or OVN. However, the instructions and description couldn't show it.

$ oc get networks.operator.openshift.io cluster -o json | jq '.spec.defaultNetwork.type'
"OVNKubernetes
$ oc get rule ocp4-configure-network-policies -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
The resulting output should be an explanation of the NetworkPolicy resource.
$ oc get rule ocp4-configure-network-policies -o=jsonpath={.description}
There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster. OpenShift supports Kubernetes NetworkPolicy using a Kubernetes Container Network Interface (CNI) plug-in.

Version-Release number of selected component (if applicable):
4.11.0-0.nightly-2022-05-25-193227

How reproducible:
Always

Steps to Reproduce:
Install Compliance operator

Actual results:
Seen from description

Expected results:
The rule should have clear instructions.

Additional info:
For SDN and ovn env, the rule did show pass with compliance-operator-v0.1.52
Fair comment, we should improve the instructions.
Moving to Lance who touched the rules last.
Verification pass with latest content and 4.11.0-0.nightly-2022-06-30-005428

# git log | head
commit d80493d6cc07cf3a531b387b9c56cdc1e48f9de7
Author: Jakub Hrozek <jhrozek>
Date:   Tue Jun 28 20:50:04 2022 +0200

    OCP4: configure_network_policies: Calico also supports NetworkPolicies

    We used to check only for OpenShiftSDN and OVN. It seems like Calico
    also supports NetworkPolicies, so let's add it to the list.

    Also fixes the OCIL test that was not reflecting what the rule actually

# ./utils/build_ds_container.py -c -p
2022-07-01 20:04:07,412:INFO: Building content for ocp4, rhcos4
2022-07-01 20:04:37,423:INFO: Build status: Running
2022-07-01 20:04:41,197:INFO: Build status: Running
2022-07-01 20:04:44,974:INFO: Build status: Running
2022-07-01 20:04:48,721:INFO: Build status: Running
2022-07-01 20:04:52,526:INFO: Build status: Running
2022-07-01 20:04:56,296:INFO: Build status: Running
2022-07-01 20:05:00,072:INFO: Build status: Running
2022-07-01 20:05:03,830:INFO: Build status: Running
2022-07-01 20:05:07,618:INFO: Build status: Running
2022-07-01 20:05:11,367:INFO: Build status: Running
2022-07-01 20:05:15,115:INFO: Build status: Running
2022-07-01 20:05:18,889:INFO: Build status: Running
2022-07-01 20:05:22,658:INFO: Build status: Running
2022-07-01 20:05:26,400:INFO: Build status: Running
2022-07-01 20:05:30,172:INFO: Build status: Running
2022-07-01 20:05:33,961:INFO: Build status: Running
2022-07-01 20:05:37,705:INFO: Build status: Running
2022-07-01 20:05:41,478:INFO: Build status: Running
2022-07-01 20:05:45,247:INFO: Build status: Running
2022-07-01 20:05:49,005:INFO: Build status: Running
2022-07-01 20:05:52,902:INFO: Build status: Running
2022-07-01 20:05:56,677:INFO: Build status: Running
2022-07-01 20:06:00,429:INFO: Build status: Running
2022-07-01 20:06:04,198:INFO: Build status: Running
2022-07-01 20:06:07,962:INFO: Build status: Running
2022-07-01 20:06:11,781:INFO: Build status: Running
2022-07-01 20:06:15,573:INFO: Build status: Running
2022-07-01 20:06:19,342:INFO: Build status: Running
2022-07-01 20:06:23,131:INFO: Build status: Running
2022-07-01 20:06:27,738:INFO: Your image is available at image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds
2022-07-01 20:06:30,837:INFO: Created profile bundles for ocp4, rhcos4

# oc get pb
NAME              CONTENTIMAGE                                                     CONTENTFILE         STATUS
ocp4              quay.io/compliance-operator/compliance-operator-content:latest   ssg-ocp4-ds.xml     VALID
rhcos4            quay.io/compliance-operator/compliance-operator-content:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     openscap-ocp4-ds:latest                                          ssg-ocp4-ds.xml     PENDING
upstream-rhcos4   openscap-ocp4-ds:latest                                          ssg-rhcos4-ds.xml   PENDING

# oc get pod
NAME                                                       READY   STATUS      RESTARTS     AGE
compliance-operator-77d4b9d479-7bh6m                       1/1     Running     1 (8h ago)   8h
ocp4-openshift-compliance-pp-56f48b69d5-kcs9l              1/1     Running     0            3h55m
openscap-ocp4-ds-1-build                                   0/1     Completed   0            4m25s
rhcos4-openshift-compliance-pp-5d95675dfc-7z62r            1/1     Running     0            3h55m
upstream-ocp4-openshift-compliance-pp-bb7fb777d-k94f5      1/1     Running     0            2m10s
upstream-rhcos4-openshift-compliance-pp-74bbd945b6-rm5x5   1/1     Running     0            2m9s

# oc get pb
NAME              CONTENTIMAGE                                                     CONTENTFILE         STATUS
ocp4              quay.io/compliance-operator/compliance-operator-content:latest   ssg-ocp4-ds.xml     VALID
rhcos4            quay.io/compliance-operator/compliance-operator-content:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     openscap-ocp4-ds:latest                                          ssg-ocp4-ds.xml     VALID
upstream-rhcos4   openscap-ocp4-ds:latest                                          ssg-rhcos4-ds.xml   VALID

# oc get profile.compliance
NAME                                      AGE
ocp4-cis                                  3h56m
ocp4-cis-node                             3h56m
ocp4-e8                                   3h56m
ocp4-high                                 3h56m
ocp4-high-node                            3h56m
ocp4-moderate                             3h56m
ocp4-moderate-node                        3h56m
ocp4-nerc-cip                             3h56m
ocp4-nerc-cip-node                        3h56m
ocp4-pci-dss                              3h56m
ocp4-pci-dss-node                         3h56m
ocp4-stig                                 3h56m
ocp4-stig-node                            3h56m
rhcos4-anssi-bp28-enhanced                3h56m
rhcos4-anssi-bp28-high                    3h56m
rhcos4-anssi-bp28-intermediary            3h56m
rhcos4-anssi-bp28-minimal                 3h56m
rhcos4-e8                                 3h56m
rhcos4-high                               3h56m
rhcos4-moderate                           3h56m
rhcos4-nerc-cip                           3h56m
upstream-ocp4-cis                         3m1s
upstream-ocp4-cis-node                    3m1s
upstream-ocp4-e8                          3m1s
upstream-ocp4-high                        3m
upstream-ocp4-high-node                   3m
upstream-ocp4-moderate                    3m
upstream-ocp4-moderate-node               3m
upstream-ocp4-nerc-cip                    3m
upstream-ocp4-nerc-cip-node               3m
upstream-ocp4-pci-dss                     3m
upstream-ocp4-pci-dss-node                3m
upstream-ocp4-stig                        3m
upstream-ocp4-stig-node                   3m
upstream-rhcos4-anssi-bp28-enhanced       2m55s
upstream-rhcos4-anssi-bp28-high           2m55s
upstream-rhcos4-anssi-bp28-intermediary   2m55s
upstream-rhcos4-anssi-bp28-minimal        2m55s
upstream-rhcos4-e8                        2m55s
upstream-rhcos4-high                      2m55s
upstream-rhcos4-moderate                  2m55s
upstream-rhcos4-nerc-cip                  2m55s

# oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
> - name: upstream-ocp4-cis
>   kind: Profile
>   apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

# oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT

# oc get rule ocp4-configure-network-policies -o=jsonpath={.instructions}
Verify on OpenShift that the NetworkPolicy plugin is being used:
$ oc explain networkpolicy
The resulting output should be an explanation of the NetworkPolicy resource.

# oc get rule | grep configure-network-policies
ocp4-configure-network-policies                       4h2m
ocp4-configure-network-policies-namespaces            4h2m
upstream-ocp4-configure-network-policies              8m58s
upstream-ocp4-configure-network-policies-namespaces   8m58s

# oc get rule upstream-ocp4-configure-network-policies -o=jsonpath={.instructions}
Verify that your CNI plugin supports NetworkPolicies:
$ oc get network cluster -oyaml -ojsonpath='{.spec.networkType}'
The result should list a CNI plugin that supports NetworkPolicies, currently the plugins in the rule's pass list are OpenShiftSDN, OVN and Calico.

# oc get ccr upstream-ocp4-cis-configure-network-policies
NAME                                           STATUS   SEVERITY
upstream-ocp4-cis-configure-network-policies   PASS     high

# oc get network cluster -oyaml -ojsonpath='{.spec.networkType}'
OpenShiftSDN
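The pass-list check verified above, written out as an added shell example so the value returned by `oc get network cluster -ojsonpath='{.spec.networkType}'` can be evaluated offline. This is not the ComplianceAsCode rule's own check nor Compliance Operator code: the substring matching and the three plugin names (OpenShiftSDN, OVN, Calico) are taken from the bug text and the commit message above, and the function names `cni_supports_networkpolicy`, `check_network_type` and `check_live_cluster` are introduced here.

```shell
#!/bin/sh
# Added example mirroring the rule's pass list for the CNI NetworkPolicy check.
# Assumption: the rule passes when spec.networkType contains OpenShiftSDN, OVN
# or Calico (substring match, as the bug description states), so the real
# value "OVNKubernetes" matches through the "OVN" entry.

# Return 0 if the given networkType value is in the assumed pass list, 1 otherwise.
cni_supports_networkpolicy() {
    case "$1" in
        *OpenShiftSDN*|*OVN*|*Calico*) return 0 ;;
        *) return 1 ;;
    esac
}

# Evaluate one networkType string: print a PASS/FAIL line with the reason and
# return the matching status. An empty value is a failure, not a pass, because
# an empty field proves nothing about NetworkPolicy enforcement.
check_network_type() {
    nt="$1"
    if [ -z "$nt" ]; then
        printf 'FAIL: spec.networkType is empty; cannot confirm NetworkPolicy support\n'
        return 1
    fi
    if cni_supports_networkpolicy "$nt"; then
        printf 'PASS: networkType %s is in the pass list (OpenShiftSDN, OVN, Calico)\n' "$nt"
        return 0
    fi
    printf 'FAIL: networkType %s is not a plugin the rule treats as enforcing NetworkPolicy\n' "$nt"
    return 1
}

# Live check against the current cluster, using the same query the updated
# rule instructions give. Needs a logged-in oc; not used by the offline demo.
check_live_cluster() {
    check_network_type "$(oc get network cluster -ojsonpath='{.spec.networkType}')"
}

# Offline demo over constructed sample values standing in for cluster output.
if [ "${1:-}" = "--demo" ]; then
    for sample in OVNKubernetes OpenShiftSDN Calico Kuryr ""; do
        check_network_type "$sample" || true
    done
fi
```

Run with `--demo` to see the verdict for each constructed value, or call `check_live_cluster` on a logged-in cluster; the exit status is what a scan script should act on, the printed line is only for the reader.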
Verification pass with 4.12.0-0.nightly-2022-09-22-153054 and compliance-operator.v0.1.55

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-09-22-153054   True        False         119m    Cluster version is 4.12.0-0.nightly-2022-09-22-153054

$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-fkwmr   compliance-operator.v0.1.55   Automatic   true

$ oc get rules ocp4-configure-network-policies -o=jsonpath={.instructions}
Verify that your CNI plugin supports NetworkPolicies:
$ oc get network cluster -oyaml -ojsonpath='{.spec.networkType}'
The result should list a CNI plugin that supports NetworkPolicies, currently the plugins in the rule's pass list are OpenShiftSDN, OVN and Calico.

$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: test
  namespace: openshift-compliance
spec:
  description: test
  title: test
  enableRules:
  - name: ocp4-configure-network-policies
    rationale: test
EOF
tailoredprofile.compliance.openshift.io/test created

$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb-r
profiles:
- name: test
  kind: TailoredProfile
  apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get suite -w
NAME       PHASE         RESULT
my-ssb-r   RUNNING       NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          COMPLIANT
my-ssb-r   DONE          COMPLIANT
^C

$ oc get network cluster -oyaml -ojsonpath='{.spec.networkType}'}'
OVNKubernetes
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:6657