Description of problem: When running a compliance scan using the Compliance Operator using the "ocp4-moderate" profile on a cluster in which CNV 4.11 is installed, a new compliance check fail is being added to the ComplianceCheckResults list: ocp4-moderate-routes-protected-by-tls FAIL medium This rule ensures that all the Route objects configured on the cluster has either "None" or "Redirect" under: .spec.tls.insecureEdgeTerminationPolicy CNV adds two routes into the cluster: 1. hyperconverged-cluster-cli-download 2. cdi-uploadproxy both of which are lacking the expected setting for insecureEdgeTerminationPolicy . This setting doesn't exist, which causes the compliance operator to complain about it. This query is running on a cluster where CNV is installed. CNV-related routes are the 2nd and the 3rd one: $ oc get routes -A -o json | jq '.items[] | "name: \(.metadata.name), namespace: \(.metadata.namespace), \(.spec.tls.insecureEdgeTerminationPolicy)"' "name: oauth-openshift, namespace: openshift-authentication, Redirect" "name: cdi-uploadproxy, namespace: openshift-cnv, null" "name: hyperconverged-cluster-cli-download, namespace: openshift-cnv, null" "name: console, namespace: openshift-console, Redirect" "name: downloads, namespace: openshift-console, Redirect" "name: canary, namespace: openshift-ingress-canary, Redirect" "name: alertmanager-main, namespace: openshift-monitoring, Redirect" "name: prometheus-k8s, namespace: openshift-monitoring, Redirect" "name: prometheus-k8s-federate, namespace: openshift-monitoring, Redirect" "name: thanos-querier, namespace: openshift-monitoring, Redirect" Version-Release number of selected component (if applicable): all versions, should be fixed for 4.11.1 and 4.12.0 How reproducible: 100% Steps to Reproduce: 1. Install the compliance operator (from redhat-operators catalog source) on a clean cluster 2. Run a compliance scan using the ocp4-moderate profile 3. Wait for the scan to finish and log the results 4. Install CNV 4.11 or 4.12 5. Repeat steps 2 and 3 6. Compare the ComplianceCheckResults from pre-CNV installation and post-CNV installation. See that a new fail has been added to the 2nd run. Actual results: See above Expected results: Compliance Scan run with and without CNV should return the same results. i.e. CNV shouldn't introduce a new compliance check fail into the cluster. Additional info: The compliance rule that is failing upon CNV installation: https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/networking/routes_protected_by_tls/rule.yml
Merged for HCO and CDI; the Routes should now be compliant and won't introduce a new compliance check fail in the "ocp4-moderate" profile.
Ran compliance check on a newly installed 4.11.1-20 cluster. "ocp4-moderate-routes-protected-by-tls" was not present in the scan failure results.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.11.1 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8750