2092913 – When debug is setting to true, the pod generated by scansettingbinding won’t get deleted when the scansettingbinding get deleted

Bug 2092913 - When debug is setting to true, the pod generated by scansettingbinding won’t get deleted when the scansettingbinding get deleted

Summary: When debug is setting to true, the pod generated by scansettingbinding won’t ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Compliance Operator
Sub Component:
Version:	4.12
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	---
Target Release:	4.12.0
Assignee:	Jakub Hrozek
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2113991 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-06-02 14:19 UTC by xiyuan
Modified:	2022-11-02 16:01 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	If this bug requires documentation, please select an appropriate Doc Type value.
Clone Of:
Environment:
Last Closed:	2022-11-02 16:00:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	ComplianceAsCode compliance-operator pull 94	0	None	open	bug 2092913: scan: Delete scan pods when deleting the scan itself and debug: true	2022-08-30 14:16:18 UTC
Red Hat Product Errata	RHBA-2022:6657	0	None	None	None	2022-11-02 16:01:09 UTC

Description xiyuan 2022-06-02 14:19:25 UTC

Description:
When debug is setting to true, the pod won’t get deleted when the belonging scansettingbinding deleted

Version-Release number of selected component (if applicable):
Compliance Operator v0.1.52


Step to Reproduce:
Install Compliance Operator


Setting debug to true:
$  oc patch scansetting default -p '{"debug":true}' --type='merge'
scansetting.compliance.openshift.io/default patched

$ oc get ss default -o=jsonpath={.debug}
true
Create ssb:
$ oc apply -f -<<EOF
> apiVersion: compliance.openshift.io/v1alpha1
> kind: ScanSettingBinding
> metadata:
>   name: my-ssb-r
> profiles:
>   - name: ocp4-cis
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
>   - name: ocp4-cis-node
>     kind: Profile
>     apiGroup: compliance.openshift.io/v1alpha1
> settingsRef:
>   name: default
>   kind: ScanSetting
>   apiGroup: compliance.openshift.io/v1alpha1
> EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created
4. When the scan done, delete the ssb:
$ oc get suite
NAME       PHASE   RESULT
my-ssb-r   DONE    NON-COMPLIANT
$ oc get pod
NAME                                                           READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                        0/1     Completed   0          8m41s
aggregator-pod-ocp4-cis-node-master                            0/1     Completed   0          8m41s
aggregator-pod-ocp4-cis-node-worker                            0/1     Completed   0          8m41s
compliance-operator-f468c9f64-xgcw5                            1/1     Running     0          93m
ocp4-cis-api-checks-pod                                        0/2     Completed   0          9m24s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-0-pod           0/2     Completed   0          9m11s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-1-pod           0/2     Completed   0          9m11s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-2-pod           0/2     Completed   0          9m11s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-1-pod   0/2     Completed   0          9m11s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-2-pod   0/2     Completed   0          9m11s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-3-pod   0/2     Completed   0          9m11s
ocp4-openshift-compliance-pp-5cd896b74c-tswxv                  1/1     Running     0          91m
rhcos4-openshift-compliance-pp-78bf7c5bf9-nvwq2                1/1     Running     0          91m


$ oc delete ssb my-ssb-r
scansettingbinding.compliance.openshift.io "my-ssb-r" deleted

Actual Result:
The pods generated  by scansettingbinding my-ssb-r won’t be deleted when the ssb my-ssb-r get deleted
$ oc get pod
NAME                                                           READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                        0/1     Completed   0          9m
aggregator-pod-ocp4-cis-node-master                            0/1     Completed   0          9m
aggregator-pod-ocp4-cis-node-worker                            0/1     Completed   0          9m
compliance-operator-f468c9f64-xgcw5                            1/1     Running     0          93m
ocp4-cis-api-checks-pod                                        0/2     Completed   0          9m43s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-0-pod           0/2     Completed   0          9m30s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-1-pod           0/2     Completed   0          9m30s
ocp4-cis-node-master-xiayuan-s410-hs7k8-master-2-pod           0/2     Completed   0          9m30s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-1-pod   0/2     Completed   0          9m30s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-2-pod   0/2     Completed   0          9m30s
ocp4-cis-node-worker-xiayuan-s410-hs7k8-worker-eastus2-3-pod   0/2     Completed   0          9m30s
ocp4-openshift-compliance-pp-5cd896b74c-tswxv                  1/1     Running     0          92m
rhcos4-openshift-compliance-pp-78bf7c5bf9-nvwq2                1/1     Running     0          92m

Expected result:
The pods generated  by scansettingbinding my-ssb-r should be deleted when the ssb my-ssb-r get deleted

Comment 1 Jakub Hrozek 2022-06-02 14:46:37 UTC

hmm, I'm almost sure I broke this while fixing the autoscaler issue

Comment 4 Jakub Hrozek 2022-08-02 15:03:47 UTC

*** Bug 2113991 has been marked as a duplicate of this bug. ***

Comment 7 xiyuan 2022-09-23 14:58:18 UTC

Verification pass with 4.12.0-0.nightly-2022-09-22-153054 + compliance-operator.v0.1.55 
$ oc patch scansetting default -p '{"debug":true}' --type='merge'
scansetting.compliance.openshift.io/default patched
$ oc get ss default -o=jsonpath={.debug}
true
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get suite
test   DONE          NON-COMPLIANT
$ oc get pod
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                 0/1     Completed   0          2m4s
aggregator-pod-ocp4-cis-node-master                     0/1     Completed   0          34s
aggregator-pod-ocp4-cis-node-worker                     0/1     Completed   0          43s
compliance-operator-7489d57b55-5k8ft                    1/1     Running     0          131m
ocp4-cis-api-checks-pod                                 0/2     Completed   0          3m18s
ocp4-cis-node-master-xiyuan23-2-66fxp-master-0-pod      0/2     Completed   0          3m18s
ocp4-cis-node-master-xiyuan23-2-66fxp-master-1-pod      0/2     Completed   0          3m18s
ocp4-cis-node-master-xiyuan23-2-66fxp-master-2-pod      0/2     Completed   0          3m18s
ocp4-openshift-compliance-pp-58cf8d4479-pmshm           1/1     Running     0          131m
openscap-pod-30c4fb35c535e3343641082e60400b84b0eb2e46   0/2     Completed   0          3m14s
openscap-pod-45ed1856686b72d5914beaf7e38e9a29f74ea8fe   0/2     Completed   0          3m14s
openscap-pod-75e50ce72e25b979caf07608ef4cbe602cc4502a   0/2     Completed   0          3m14s
rhcos4-openshift-compliance-pp-677fb765ff-4xl5c         1/1     Running     0          124m
$ oc delete ssb test
scansettingbinding.compliance.openshift.io "test" deleted
$ oc get pod
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-7489d57b55-5k8ft              1/1     Running   0          132m
ocp4-openshift-compliance-pp-58cf8d4479-pmshm     1/1     Running   0          132m
rhcos4-openshift-compliance-pp-677fb765ff-4xl5c   1/1     Running   0          125m

Comment 8 xiyuan 2022-09-23 14:58:19 UTC

Verification pass with 4.12.0-0.nightly-2022-09-22-153054 + compliance-operator.v0.1.55 
$ oc patch scansetting default -p '{"debug":true}' --type='merge'
scansetting.compliance.openshift.io/default patched
$ oc get ss default -o=jsonpath={.debug}
true
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get suite
test   DONE          NON-COMPLIANT
$ oc get pod
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                 0/1     Completed   0          2m4s
aggregator-pod-ocp4-cis-node-master                     0/1     Completed   0          34s
aggregator-pod-ocp4-cis-node-worker                     0/1     Completed   0          43s
compliance-operator-7489d57b55-5k8ft                    1/1     Running     0          131m
ocp4-cis-api-checks-pod                                 0/2     Completed   0          3m18s
ocp4-cis-node-master-xiyuan23-2-66fxp-master-0-pod      0/2     Completed   0          3m18s
ocp4-cis-node-master-xiyuan23-2-66fxp-master-1-pod      0/2     Completed   0          3m18s
ocp4-cis-node-master-xiyuan23-2-66fxp-master-2-pod      0/2     Completed   0          3m18s
ocp4-openshift-compliance-pp-58cf8d4479-pmshm           1/1     Running     0          131m
openscap-pod-30c4fb35c535e3343641082e60400b84b0eb2e46   0/2     Completed   0          3m14s
openscap-pod-45ed1856686b72d5914beaf7e38e9a29f74ea8fe   0/2     Completed   0          3m14s
openscap-pod-75e50ce72e25b979caf07608ef4cbe602cc4502a   0/2     Completed   0          3m14s
rhcos4-openshift-compliance-pp-677fb765ff-4xl5c         1/1     Running     0          124m
$ oc delete ssb test
scansettingbinding.compliance.openshift.io "test" deleted
$ oc get pod
NAME                                              READY   STATUS    RESTARTS   AGE
compliance-operator-7489d57b55-5k8ft              1/1     Running   0          132m
ocp4-openshift-compliance-pp-58cf8d4479-pmshm     1/1     Running   0          132m
rhcos4-openshift-compliance-pp-677fb765ff-4xl5c   1/1     Running   0          125m

Comment 10 errata-xmlrpc 2022-11-02 16:00:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6657

Note You need to log in before you can comment on or make changes to this bug.