Bug 2222146 - ODF Nooba creates route which OpenShift compliance operator marks as non-compliant
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: Multi-Cloud Object Gateway
Version: 4.13
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Jacky Albo
QA Contact: krishnaram Karthick
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-07-12 00:38 UTC by Novonil Choudhuri
Modified: 2023-08-09 16:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Novonil Choudhuri 2023-07-12 00:38:36 UTC
Description of problem (please be as detailed as possible and provide log snippets):

ODF generates this route, which the OCP compliance operator flags as non-compliant, as it scans only for `insecureEdgeTerminationPolicy: None | Redirect` but not `Allow`.

Compliance code : https://github.com/ComplianceAsCode/content/commit/1de41ddd8b2dad9b182d9fdc5b8fac3ef5bf2987#diff-449e1d7f982cf0a61ed9e0f3d8899d022efedf8c7e20a5e44c53aae27cf58c86R23
 
~~~yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  creationTimestamp: "2023-06-28T19:45:56Z"
  labels:
    app: noobaa
  name: s3
  namespace: openshift-storage
  ownerReferences:
  - apiVersion: noobaa.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: NooBaa
    name: noobaa
    uid: c328db12-fe02-40e6-8424-873a36f71c53
  resourceVersion: "264239411"
  uid: f25864ed-ed87-4fdd-b10d-f39e2395d18b
spec:
  host: s3-openshift-storage.apps.serenity.k8s.local
  port:
    targetPort: s3-https
  tls:
    insecureEdgeTerminationPolicy: Allow
    termination: reencrypt
  to:
    kind: Service
    name: s3
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2023-06-28T19:45:56Z"
      status: "True"
      type: Admitted
    host: s3-openshift-storage.apps.serenity.k8s.local
    routerCanonicalHostname: router-default.apps.serenity.k8s.local
    routerName: default
    wildcardPolicy: None
~~~


Version of all relevant components (if applicable): OCP 4.13 https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-release-notes.html


Does this issue impact your ability to continue to work with the product (please explain in detail what the user impact is)? Yes. Since the OpenShift compliance operator marks the ODF route as non-compliant, it makes some customers' and partners' ODF installations non-compliant.


Is there any workaround available to the best of your knowledge? No


Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)? 3


Is this issue reproducible? Yes


Can this issue be reproduced from the UI? Yes


If this is a regression, please provide more details to justify this: N/A


Steps to Reproduce:
1. Install OCP 4.13 and ODF latest version 
2. Install OCP compliance operator
3. Run scan https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-scans.html


Actual results: The scan marks the route described above as non-compliant.


Expected results: ODF should not create a route with spec `insecureEdgeTerminationPolicy: Allow`.


Additional info: N/A
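As an added illustration (not code from this report, from ODF, or from the compliance operator), the following Python checker applies the rule as the report describes it, accepting only `None` and `Redirect`, to a copy of the quoted Route and shows what the remediated spec looks like. The sample Route dict and the `check_route`/`remediate` names are constructed for this example.

```python
import copy
from typing import Any, Dict, List

# Policies the scan described in this report accepts (assumption: modelled on
# the report's wording, not on the ComplianceAsCode rule source itself).
ALLOWED_INSECURE_POLICIES = {"None", "Redirect"}

# Constructed sample mirroring the s3 Route quoted above (status stripped).
NOOBAA_S3_ROUTE: Dict[str, Any] = {
    "apiVersion": "route.openshift.io/v1",
    "kind": "Route",
    "metadata": {"name": "s3", "namespace": "openshift-storage", "labels": {"app": "noobaa"}},
    "spec": {
        "host": "s3-openshift-storage.apps.serenity.k8s.local",
        "port": {"targetPort": "s3-https"},
        "tls": {"insecureEdgeTerminationPolicy": "Allow", "termination": "reencrypt"},
        "to": {"kind": "Service", "name": "s3", "weight": 100},
    },
}


def check_route(route: Dict[str, Any]) -> List[str]:
    """Return findings for one Route object; an empty list means compliant."""
    meta = route.get("metadata", {})
    ident = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    tls = route.get("spec", {}).get("tls")
    if not tls:
        # No spec.tls at all: the router serves this route over plaintext HTTP only.
        return [f"{ident}: no spec.tls, route is served over plaintext HTTP"]
    # An omitted policy disables insecure traffic, so it is treated like "None".
    policy = tls.get("insecureEdgeTerminationPolicy") or "None"
    if policy not in ALLOWED_INSECURE_POLICIES:
        return [f"{ident}: insecureEdgeTerminationPolicy={policy} permits plaintext HTTP "
                f"alongside termination={tls.get('termination')}"]
    return []


def remediate(route: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a TLS route with insecure requests redirected to HTTPS."""
    if not route.get("spec", {}).get("tls"):
        raise ValueError("route has no spec.tls; add TLS termination before redirecting")
    fixed = copy.deepcopy(route)
    fixed["spec"]["tls"]["insecureEdgeTerminationPolicy"] = "Redirect"
    return fixed


if __name__ == "__main__":
    for finding in check_route(NOOBAA_S3_ROUTE):
        print(finding)
    print("after remediation:", check_route(remediate(NOOBAA_S3_ROUTE)))
```

Running it prints one finding for the `openshift-storage/s3` route and an empty list once the policy is switched to `Redirect`; a route with no `spec.tls` is reported separately since it cannot carry a policy at all.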

