Bug 2105878 - Rule ocp4-kubelet-enable-streaming-connections not working as expected when variable is set while streamingConnectionIdleTimeout in kubeletconfig is unset
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Vincent Shen
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-11 04:07 UTC by xiyuan
Modified: 2022-11-02 16:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The rule for checking idle streaming timeouts didn't take into account default values. Consequence: The rule reported inaccurately. Fix: Upgrade the compliance operator to version 0.1.55, which includes more robust checking of default configuration values at runtime. Result: Increased accuracy in results based on default configuration values.
Clone Of:
Environment:
Last Closed: 2022-11-02 16:00:55 UTC
Target Upstream Version:
Embargoed:


Links
System: Github ComplianceAsCode content pull 9135 | Private: 0 | Priority: None | Status: open | Summary: BUG: 2105878 OCP: Fix rule ocp4-kubelet-enable-streaming-connections | Last Updated: 2022-07-12 14:57:57 UTC
System: Red Hat Product Errata RHBA-2022:6657 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2022-11-02 16:01:00 UTC

Description xiyuan 2022-07-11 04:07:09 UTC
*Description of problem:*
Rule ocp4-kubelet-enable-streaming-connections not working as expected when variable is set while streamingConnectionIdleTimeout in kubeletconfig is unset

*How reproducible:*
 Always

*Steps to Reproduce:*
Install CO v0.1.53-2
Check that streamingConnectionIdleTimeout in kubeletconfig is unset:
$ for i in `oc get node -l node-role.kubernetes.io/worker= --no-headers | awk '{print $1}'`;do oc debug node/$i -- chroot /host grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet.conf; done
Starting pod/ip-10-0-131-126us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
error: non-zero exit code from debug container
Starting pod/ip-10-0-167-112us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
error: non-zero exit code from debug container
Starting pod/ip-10-0-205-97us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
error: non-zero exit code from debug container
Create tailored profile for rule and perform scan with the tailored profile:
$ oc apply -f-<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: mod-node
spec:
  title: My modified profile
  description: test
  enableRules:
    - name: ocp4-kubelet-enable-streaming-connections
      rationale: platform
  setValues:
  - name: ocp4-var-streaming-connection-timeouts
    rationale: test
    value: 5m
EOF
tailoredprofile.compliance.openshift.io/mod-node created

$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: mod-node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created
Actual result:
Although streamingConnectionIdleTimeout in kubeletconfig is unset, and so does not equal the value in variable ocp4-var-streaming-connection-timeouts, the rule returns PASS
$ oc get rule ocp4-kubelet-enable-streaming-connections -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet.conf
The output should return .
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          COMPLIANT
test   DONE          COMPLIANT
^C$ oc get ccr
NAME                                                   STATUS   SEVERITY
mod-node-master-kubelet-enable-streaming-connections   PASS     medium
mod-node-worker-kubelet-enable-streaming-connections   PASS     medium


Expected result:
As streamingConnectionIdleTimeout in kubeletconfig is unset, and so does not equal the value in variable ocp4-var-streaming-connection-timeouts, the rule should FAIL

Comment 1 Lance Bragstad 2022-07-12 13:46:36 UTC
Discussed during the sprint (and the QE process for 0.1.53). Setting the reviewed-in-sprint flag.

Comment 5 xiyuan 2022-09-26 03:04:49 UTC
Verification passed with 4.12.0-0.nightly-2022-09-25-071630 + compliance-operator.v0.1.55
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-09-25-071630   True        False         54m     Cluster version is 4.12.0-0.nightly-2022-09-25-071630
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-qdw2g   compliance-operator.v0.1.55   Automatic   true
$ oc get csv
NAME                            DISPLAY                            VERSION   REPLACES                       PHASE
compliance-operator.v0.1.55     Compliance Operator                0.1.55                                   Succeeded

$ oc get rule ocp4-kubelet-enable-streaming-connections -o=jsonpath={.instructions}
Run the following command on the kubelet node(s):
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
The output should return .
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",
  "streamingConnectionIdleTimeout": "4h0m0s",

####################create tailoredprofile and set ocp4-var-streaming-connection-timeouts to 5h0m0s, and scan
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: testprofile
  namespace: openshift-compliance
spec:
  description: test
  title: test
  enableRules:
    - name: ocp4-kubelet-enable-streaming-connections
      rationale: test
  setValues:
    - name: ocp4-var-streaming-connection-timeouts
      value: "5h0m0s"
      rationale: test
EOF
tailoredprofile.compliance.openshift.io/testprofile created
$ oc get tp
NAME          STATE
testprofile   READY
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: test
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: testprofile
> settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
scansettingbinding.compliance.openshift.io/test created
$ oc get scan -w
NAME          PHASE     RESULT
testprofile   RUNNING   NOT-AVAILABLE
testprofile   AGGREGATING   NOT-AVAILABLE
testprofile   AGGREGATING   NOT-AVAILABLE
testprofile   DONE          NON-COMPLIANT
^C
$ oc get ccr
NAME                                               STATUS   SEVERITY
testprofile-kubelet-enable-streaming-connections   FAIL     medium


#####################configure ocp4-var-streaming-connection-timeouts to 4h0m0s, and rescan
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: testprofile
  namespace: openshift-compliance
spec:
  description: test
  title: test
  enableRules:
    - name: ocp4-kubelet-enable-streaming-connections
      rationale: test
  setValues:
    - name: ocp4-var-streaming-connection-timeouts
      value: "4h0m0s"
>       rationale: test
EOF
tailoredprofile.compliance.openshift.io/testprofile configured
$ oc get tp
NAME          STATE
testprofile   READY
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': testprofile
Re-running scan 'openshift-compliance/testprofile'
$ oc get scan -w
NAME          PHASE     RESULT
testprofile   RUNNING   NOT-AVAILABLE
testprofile   AGGREGATING   NOT-AVAILABLE
testprofile   DONE          COMPLIANT
^
$ oc get ccr
NAME                                               STATUS   SEVERITY
testprofile-kubelet-enable-streaming-connections   PASS     medium

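An added example (not code from the Compliance Operator or the ComplianceAsCode rule) contrasting the two evaluation strategies this report and Comment 5 describe: a check that only greps the static kubelet.conf has nothing to compare when the field is unset and passes vacuously, while a check of the kubelet's runtime /configz compares the effective, defaulted value against the variable. The 4h0m0s kubelet default and the sample inputs are assumptions constructed for the example.

```python
import re

# Kubelet's built-in default for streamingConnectionIdleTimeout (4h), applied when the
# KubeletConfig leaves the field unset. Assumption: this is the 4h0m0s that the
# verification run in Comment 5 observed via /configz on an untouched cluster.
KUBELET_DEFAULT_TIMEOUT = "4h0m0s"

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

# Constructed samples (not captured from the reporter's cluster): a kubelet.conf that
# leaves the field unset, and a /configz reply that already reports the effective default.
SAMPLE_KUBELET_CONF = {"kind": "KubeletConfiguration"}
SAMPLE_CONFIGZ = {"kubeletconfig": {"kind": "KubeletConfiguration",
                                    "streamingConnectionIdleTimeout": "4h0m0s"}}


def parse_go_duration(text: str) -> int:
    """Convert a Go-style duration such as '4h0m0s' or '5m' into whole seconds."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def static_file_check(kubelet_conf: dict, expected: str) -> str:
    """Pre-fix behaviour (bug 2105878): only the on-disk kubelet.conf is consulted.
    An absent key yields no value to compare, so the rule passes vacuously."""
    found = kubelet_conf.get("streamingConnectionIdleTimeout")
    if found is None:
        return "PASS"  # the defect: "unset" is silently treated as compliant
    return "PASS" if parse_go_duration(found) == parse_go_duration(expected) else "FAIL"


def runtime_configz_check(configz: dict, expected: str) -> str:
    """Post-fix behaviour: evaluate the value the kubelet is actually running with.
    /configz normally reports the defaulted field itself; the fallback is defensive."""
    kubelet_cfg = configz.get("kubeletconfig", {})
    effective = kubelet_cfg.get("streamingConnectionIdleTimeout", KUBELET_DEFAULT_TIMEOUT)
    return "PASS" if parse_go_duration(effective) == parse_go_duration(expected) else "FAIL"


if __name__ == "__main__":
    # Reproduces the report: variable 5m, field unset -> old logic PASS, new logic FAIL.
    print("static :", static_file_check(SAMPLE_KUBELET_CONF, "5m"))
    print("runtime:", runtime_configz_check(SAMPLE_CONFIGZ, "5m"))
    # Reproduces Comment 5: 5h0m0s -> FAIL, 4h0m0s -> PASS.
    print("runtime:", runtime_configz_check(SAMPLE_CONFIGZ, "5h0m0s"))
    print("runtime:", runtime_configz_check(SAMPLE_CONFIGZ, "4h0m0s"))
```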
Comment 7 errata-xmlrpc 2022-11-02 16:00:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6657