Closed Vincent056 closed 7 months ago
@Vincent056: This pull request references Jira Issue OCPBUGS-29272, which is invalid:
Comment /jira refresh
to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
Looks great, just a few comments inline about testing.
/retest
/retest
/retest
/retest
/hold for test
Verification passed with 4.16.0-0.nightly-2024-02-17-094036 + compliance-operator from PR #492 code
$ oc compliance bind -N test -S default-auto-apply profile/ocp4-cis profile/ocp4-pci-dss
Creating ScanSettingBinding test
$ oc get ssb
NAME STATUS
test READY
$ oc get suite
NAME PHASE RESULT
test RUNNING NOT-AVAILABLE
$ oc get pods
NAME READY STATUS RESTARTS AGE
compliance-operator-79b7bfcdf-jq7wm 1/1 Running 1 (4m19s ago) 4m23s
ocp4-cis-api-checks-pod 0/2 PodInitializing 0 11s
ocp4-cis-rs-6b5c4977f7-zfgns 1/1 Running 0 11s
ocp4-openshift-compliance-pp-54cfbb648f-wddgb 1/1 Running 0 4m17s
ocp4-pci-dss-api-checks-pod 0/2 PodInitializing 0 13s
ocp4-pci-dss-rs-75dc5b8f8c-s8qfk 1/1 Running 0 13s
rhcos4-openshift-compliance-pp-7bb9b68b7-6lfzc 1/1 Running 0 4m17s
$ oc get suite -w
NAME PHASE RESULT
test DONE NON-COMPLIANT
^C$ oc get suite
NAME PHASE RESULT
test DONE NON-COMPLIANT
$ oc get scan
NAME PHASE RESULT
ocp4-cis DONE NON-COMPLIANT
ocp4-pci-dss DONE NON-COMPLIANT
$ oc get ccr
NAME STATUS SEVERITY
ocp4-cis-accounts-restrict-service-account-tokens MANUAL medium
ocp4-cis-accounts-unique-service-account MANUAL medium
ocp4-cis-api-server-admission-control-plugin-alwaysadmit PASS medium
ocp4-cis-api-server-admission-control-plugin-alwayspullimages PASS high
ocp4-cis-api-server-admission-control-plugin-namespacelifecycle PASS medium
ocp4-cis-api-server-admission-control-plugin-noderestriction PASS medium
ocp4-cis-api-server-admission-control-plugin-scc PASS medium
ocp4-cis-api-server-admission-control-plugin-service-account PASS medium
ocp4-cis-api-server-anonymous-auth PASS medium
ocp4-cis-api-server-api-priority-gate-enabled FAIL medium
ocp4-cis-api-server-audit-log-maxbackup PASS low
ocp4-cis-api-server-audit-log-maxsize PASS medium
ocp4-cis-api-server-audit-log-path PASS high
ocp4-cis-api-server-auth-mode-no-aa PASS medium
ocp4-cis-api-server-auth-mode-rbac PASS medium
ocp4-cis-api-server-basic-auth PASS medium
ocp4-cis-api-server-bind-address PASS low
ocp4-cis-api-server-client-ca PASS medium
ocp4-cis-api-server-encryption-provider-cipher PASS medium
ocp4-cis-api-server-etcd-ca PASS medium
ocp4-cis-api-server-etcd-cert PASS medium
ocp4-cis-api-server-etcd-key PASS medium
ocp4-cis-api-server-https-for-kubelet-conn PASS medium
ocp4-cis-api-server-insecure-bind-address PASS medium
ocp4-cis-api-server-kubelet-certificate-authority PASS high
ocp4-cis-api-server-oauth-https-serving-cert PASS medium
ocp4-cis-api-server-openshift-https-serving-cert PASS medium
ocp4-cis-api-server-profiling-protected-by-rbac PASS medium
ocp4-cis-api-server-request-timeout PASS medium
ocp4-cis-api-server-service-account-lookup PASS medium
ocp4-cis-api-server-service-account-public-key PASS medium
ocp4-cis-api-server-tls-cert PASS medium
ocp4-cis-api-server-tls-cipher-suites PASS medium
ocp4-cis-api-server-tls-private-key PASS medium
ocp4-cis-api-server-token-auth PASS high
ocp4-cis-audit-log-forwarding-enabled FAIL medium
ocp4-cis-audit-profile-set PASS medium
ocp4-cis-configure-network-policies PASS high
ocp4-cis-configure-network-policies-namespaces FAIL high
ocp4-cis-controller-insecure-port-disabled PASS low
ocp4-cis-controller-secure-port PASS low
ocp4-cis-controller-service-account-ca PASS medium
ocp4-cis-controller-service-account-private-key PASS medium
ocp4-cis-controller-use-service-account PASS medium
ocp4-cis-etcd-auto-tls PASS medium
ocp4-cis-etcd-cert-file PASS medium
ocp4-cis-etcd-client-cert-auth PASS medium
ocp4-cis-etcd-key-file PASS medium
ocp4-cis-etcd-peer-auto-tls PASS medium
ocp4-cis-etcd-peer-cert-file PASS medium
ocp4-cis-etcd-peer-client-cert-auth PASS medium
ocp4-cis-etcd-peer-key-file PASS medium
ocp4-cis-general-apply-scc MANUAL medium
ocp4-cis-general-default-namespace-use MANUAL medium
ocp4-cis-general-default-seccomp-profile MANUAL medium
ocp4-cis-general-namespaces-in-use MANUAL medium
ocp4-cis-idp-is-configured PASS medium
ocp4-cis-kubeadmin-removed FAIL medium
ocp4-cis-kubelet-disable-readonly-port PASS medium
ocp4-cis-ocp-allowed-registries FAIL medium
ocp4-cis-ocp-allowed-registries-for-import FAIL medium
ocp4-cis-ocp-api-server-audit-log-maxbackup PASS low
ocp4-cis-ocp-api-server-audit-log-maxsize PASS medium
ocp4-cis-ocp-insecure-allowed-registries-for-import PASS medium
ocp4-cis-ocp-insecure-registries PASS medium
ocp4-cis-openshift-api-server-audit-log-path PASS high
ocp4-cis-rbac-debug-role-protects-pprof PASS medium
ocp4-cis-rbac-least-privilege MANUAL high
ocp4-cis-rbac-limit-cluster-admin MANUAL medium
ocp4-cis-rbac-limit-secrets-access MANUAL medium
ocp4-cis-rbac-pod-creation-access MANUAL medium
ocp4-cis-rbac-wildcard-use MANUAL medium
ocp4-cis-scc-drop-container-capabilities MANUAL medium
ocp4-cis-scc-limit-container-allowed-capabilities PASS medium
ocp4-cis-scc-limit-ipc-namespace MANUAL medium
ocp4-cis-scc-limit-net-raw-capability MANUAL medium
ocp4-cis-scc-limit-network-namespace MANUAL medium
ocp4-cis-scc-limit-privilege-escalation MANUAL medium
ocp4-cis-scc-limit-privileged-containers MANUAL medium
ocp4-cis-scc-limit-process-id-namespace MANUAL medium
ocp4-cis-scc-limit-root-containers MANUAL medium
ocp4-cis-scheduler-profiling-protected-by-rbac PASS medium
ocp4-cis-scheduler-service-protected-by-rbac PASS medium
ocp4-cis-secrets-consider-external-storage MANUAL medium
ocp4-cis-secrets-no-environment-variables MANUAL medium
ocp4-pci-dss-accounts-restrict-service-account-tokens MANUAL medium
ocp4-pci-dss-accounts-unique-service-account MANUAL medium
ocp4-pci-dss-api-server-admission-control-plugin-alwaysadmit PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-alwayspullimages PASS high
ocp4-pci-dss-api-server-admission-control-plugin-namespacelifecycle PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-noderestriction PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-scc PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-service-account PASS medium
ocp4-pci-dss-api-server-anonymous-auth PASS medium
ocp4-pci-dss-api-server-api-priority-gate-enabled FAIL medium
ocp4-pci-dss-api-server-audit-log-maxbackup PASS low
ocp4-pci-dss-api-server-audit-log-maxsize PASS medium
ocp4-pci-dss-api-server-audit-log-path PASS high
ocp4-pci-dss-api-server-auth-mode-no-aa PASS medium
ocp4-pci-dss-api-server-auth-mode-rbac PASS medium
ocp4-pci-dss-api-server-basic-auth PASS medium
ocp4-pci-dss-api-server-bind-address PASS low
ocp4-pci-dss-api-server-client-ca PASS medium
ocp4-pci-dss-api-server-encryption-provider-cipher PASS medium
ocp4-pci-dss-api-server-etcd-ca PASS medium
ocp4-pci-dss-api-server-etcd-cert PASS medium
ocp4-pci-dss-api-server-etcd-key PASS medium
ocp4-pci-dss-api-server-https-for-kubelet-conn PASS medium
ocp4-pci-dss-api-server-insecure-bind-address PASS medium
ocp4-pci-dss-api-server-kubelet-certificate-authority PASS high
ocp4-pci-dss-api-server-oauth-https-serving-cert PASS medium
ocp4-pci-dss-api-server-openshift-https-serving-cert PASS medium
ocp4-pci-dss-api-server-profiling-protected-by-rbac PASS medium
ocp4-pci-dss-api-server-request-timeout PASS medium
ocp4-pci-dss-api-server-service-account-lookup PASS medium
ocp4-pci-dss-api-server-service-account-public-key PASS medium
ocp4-pci-dss-api-server-tls-cert PASS medium
ocp4-pci-dss-api-server-tls-cipher-suites PASS medium
ocp4-pci-dss-api-server-tls-private-key PASS medium
ocp4-pci-dss-api-server-token-auth PASS high
ocp4-pci-dss-audit-log-forwarding-enabled FAIL medium
ocp4-pci-dss-audit-profile-set PASS medium
ocp4-pci-dss-configure-network-policies PASS high
ocp4-pci-dss-configure-network-policies-namespaces FAIL high
ocp4-pci-dss-controller-insecure-port-disabled PASS low
ocp4-pci-dss-controller-secure-port PASS low
ocp4-pci-dss-controller-service-account-ca PASS medium
ocp4-pci-dss-controller-service-account-private-key PASS medium
ocp4-pci-dss-controller-use-service-account PASS medium
ocp4-pci-dss-etcd-auto-tls PASS medium
ocp4-pci-dss-etcd-cert-file PASS medium
ocp4-pci-dss-etcd-check-cipher-suite PASS medium
ocp4-pci-dss-etcd-client-cert-auth PASS medium
ocp4-pci-dss-etcd-key-file PASS medium
ocp4-pci-dss-etcd-peer-auto-tls PASS medium
ocp4-pci-dss-etcd-peer-cert-file PASS medium
ocp4-pci-dss-etcd-peer-client-cert-auth PASS medium
ocp4-pci-dss-etcd-peer-key-file PASS medium
ocp4-pci-dss-file-integrity-exists FAIL medium
ocp4-pci-dss-file-integrity-notification-enabled FAIL medium
ocp4-pci-dss-general-apply-scc MANUAL medium
ocp4-pci-dss-general-default-namespace-use MANUAL medium
ocp4-pci-dss-general-default-seccomp-profile MANUAL medium
ocp4-pci-dss-general-namespaces-in-use MANUAL medium
ocp4-pci-dss-idp-is-configured PASS medium
ocp4-pci-dss-kubeadmin-removed FAIL medium
ocp4-pci-dss-kubelet-disable-readonly-port PASS medium
ocp4-pci-dss-machine-volume-encrypted PASS high
ocp4-pci-dss-ocp-allowed-registries FAIL medium
ocp4-pci-dss-ocp-allowed-registries-for-import FAIL medium
ocp4-pci-dss-ocp-api-server-audit-log-maxbackup PASS low
ocp4-pci-dss-ocp-api-server-audit-log-maxsize PASS medium
ocp4-pci-dss-ocp-insecure-allowed-registries-for-import PASS medium
ocp4-pci-dss-ocp-insecure-registries PASS medium
ocp4-pci-dss-ocp-no-ldap-insecure PASS high
ocp4-pci-dss-openshift-api-server-audit-log-path PASS high
ocp4-pci-dss-rbac-cluster-roles-defined PASS medium
ocp4-pci-dss-rbac-debug-role-protects-pprof PASS medium
ocp4-pci-dss-rbac-least-privilege MANUAL high
ocp4-pci-dss-rbac-limit-cluster-admin MANUAL medium
ocp4-pci-dss-rbac-limit-secrets-access MANUAL medium
ocp4-pci-dss-rbac-pod-creation-access MANUAL medium
ocp4-pci-dss-rbac-roles-defined PASS medium
ocp4-pci-dss-rbac-wildcard-use MANUAL medium
ocp4-pci-dss-routes-protected-by-tls PASS medium
ocp4-pci-dss-scansettingbinding-exists PASS medium
ocp4-pci-dss-scc-drop-container-capabilities MANUAL medium
ocp4-pci-dss-scc-limit-container-allowed-capabilities PASS medium
ocp4-pci-dss-scc-limit-ipc-namespace MANUAL medium
ocp4-pci-dss-scc-limit-net-raw-capability MANUAL medium
ocp4-pci-dss-scc-limit-network-namespace MANUAL medium
ocp4-pci-dss-scc-limit-privilege-escalation MANUAL medium
ocp4-pci-dss-scc-limit-privileged-containers MANUAL medium
ocp4-pci-dss-scc-limit-process-id-namespace MANUAL medium
ocp4-pci-dss-scc-limit-root-containers MANUAL medium
ocp4-pci-dss-scheduler-profiling-protected-by-rbac PASS medium
ocp4-pci-dss-scheduler-service-protected-by-rbac PASS medium
ocp4-pci-dss-secrets-consider-external-storage MANUAL medium
ocp4-pci-dss-secrets-no-environment-variables MANUAL medium
ocp4-pci-dss-storageclass-encryption-enabled PASS high
ocp4-pci-dss-tls-version-check-apiserver PASS medium
ocp4-pci-dss-tls-version-check-router PASS medium
$ oc get ssb -oyaml &> ssb.yaml
$ cat ssb.yaml
apiVersion: v1
items:
- apiVersion: compliance.openshift.io/v1alpha1
  kind: ScanSettingBinding
  metadata:
    creationTimestamp: "2024-02-19T07:45:02Z"
    generation: 1
    name: test
    namespace: openshift-compliance
    resourceVersion: "68535"
    uid: 2ecf5aca-2767-4220-aa7c-4b42c7dae4f8
  profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-pci-dss
  settingsRef:
    apiGroup: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    name: default-auto-apply
  status:
    conditions:
    - lastTransitionTime: "2024-02-19T07:45:03Z"
      message: The scan setting binding was successfully processed
      reason: Processed
      status: "True"
      type: Ready
    outputRef:
      apiGroup: compliance.openshift.io
      kind: ComplianceSuite
      name: test
    phase: READY
kind: List
metadata:
  resourceVersion: ""
$ oc apply -f ssb.yaml
Warning: resource scansettingbindings/test is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
scansettingbinding.compliance.openshift.io/test configured
$ oc get ssb
NAME STATUS
test READY
$ oc get suite
NAME PHASE RESULT
test DONE NON-COMPLIANT
$ oc get scan
NAME PHASE RESULT
ocp4-pci-dss DONE NON-COMPLIANT
$ oc get ssb test -oyaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"compliance.openshift.io/v1alpha1","kind":"ScanSettingBinding","metadata":{"annotations":{},"creationTimestamp":"2024-02-19T07:45:02Z","generation":1,"name":"test","namespace":"openshift-compliance","resourceVersion":"68535","uid":"2ecf5aca-2767-4220-aa7c-4b42c7dae4f8"},"profiles":[{"apiGroup":"compliance.openshift.io/v1alpha1","kind":"Profile","name":"ocp4-pci-dss"}],"settingsRef":{"apiGroup":"compliance.openshift.io/v1alpha1","kind":"ScanSetting","name":"default-auto-apply"},"status":{"conditions":[{"lastTransitionTime":"2024-02-19T07:45:03Z","message":"The scan setting binding was successfully processed","reason":"Processed","status":"True","type":"Ready"}],"outputRef":{"apiGroup":"compliance.openshift.io","kind":"ComplianceSuite","name":"test"},"phase":"READY"}}
  creationTimestamp: "2024-02-19T07:45:02Z"
  generation: 2
  name: test
  namespace: openshift-compliance
  resourceVersion: "95335"
  uid: 2ecf5aca-2767-4220-aa7c-4b42c7dae4f8
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-pci-dss
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default-auto-apply
status:
  conditions:
  - lastTransitionTime: "2024-02-19T07:45:03Z"
    message: The scan setting binding was successfully processed
    reason: Processed
    status: "True"
    type: Ready
  outputRef:
    apiGroup: compliance.openshift.io
    kind: ComplianceSuite
    name: test
  phase: READY
$ oc get scan
NAME PHASE RESULT
ocp4-pci-dss DONE NON-COMPLIANT
$ oc get ccr
NAME STATUS SEVERITY
ocp4-pci-dss-accounts-restrict-service-account-tokens MANUAL medium
ocp4-pci-dss-accounts-unique-service-account MANUAL medium
ocp4-pci-dss-api-server-admission-control-plugin-alwaysadmit PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-alwayspullimages PASS high
ocp4-pci-dss-api-server-admission-control-plugin-namespacelifecycle PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-noderestriction PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-scc PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-service-account PASS medium
ocp4-pci-dss-api-server-anonymous-auth PASS medium
ocp4-pci-dss-api-server-api-priority-gate-enabled FAIL medium
ocp4-pci-dss-api-server-audit-log-maxbackup PASS low
ocp4-pci-dss-api-server-audit-log-maxsize PASS medium
ocp4-pci-dss-api-server-audit-log-path PASS high
ocp4-pci-dss-api-server-auth-mode-no-aa PASS medium
ocp4-pci-dss-api-server-auth-mode-rbac PASS medium
ocp4-pci-dss-api-server-basic-auth PASS medium
ocp4-pci-dss-api-server-bind-address PASS low
ocp4-pci-dss-api-server-client-ca PASS medium
ocp4-pci-dss-api-server-encryption-provider-cipher PASS medium
ocp4-pci-dss-api-server-etcd-ca PASS medium
ocp4-pci-dss-api-server-etcd-cert PASS medium
ocp4-pci-dss-api-server-etcd-key PASS medium
ocp4-pci-dss-api-server-https-for-kubelet-conn PASS medium
ocp4-pci-dss-api-server-insecure-bind-address PASS medium
ocp4-pci-dss-api-server-kubelet-certificate-authority PASS high
ocp4-pci-dss-api-server-oauth-https-serving-cert PASS medium
ocp4-pci-dss-api-server-openshift-https-serving-cert PASS medium
ocp4-pci-dss-api-server-profiling-protected-by-rbac PASS medium
ocp4-pci-dss-api-server-request-timeout PASS medium
ocp4-pci-dss-api-server-service-account-lookup PASS medium
ocp4-pci-dss-api-server-service-account-public-key PASS medium
ocp4-pci-dss-api-server-tls-cert PASS medium
ocp4-pci-dss-api-server-tls-cipher-suites PASS medium
ocp4-pci-dss-api-server-tls-private-key PASS medium
ocp4-pci-dss-api-server-token-auth PASS high
ocp4-pci-dss-audit-log-forwarding-enabled FAIL medium
ocp4-pci-dss-audit-profile-set PASS medium
ocp4-pci-dss-configure-network-policies PASS high
ocp4-pci-dss-configure-network-policies-namespaces FAIL high
ocp4-pci-dss-controller-insecure-port-disabled PASS low
ocp4-pci-dss-controller-secure-port PASS low
ocp4-pci-dss-controller-service-account-ca PASS medium
ocp4-pci-dss-controller-service-account-private-key PASS medium
ocp4-pci-dss-controller-use-service-account PASS medium
ocp4-pci-dss-etcd-auto-tls PASS medium
ocp4-pci-dss-etcd-cert-file PASS medium
ocp4-pci-dss-etcd-check-cipher-suite PASS medium
ocp4-pci-dss-etcd-client-cert-auth PASS medium
ocp4-pci-dss-etcd-key-file PASS medium
ocp4-pci-dss-etcd-peer-auto-tls PASS medium
ocp4-pci-dss-etcd-peer-cert-file PASS medium
ocp4-pci-dss-etcd-peer-client-cert-auth PASS medium
ocp4-pci-dss-etcd-peer-key-file PASS medium
ocp4-pci-dss-file-integrity-exists FAIL medium
ocp4-pci-dss-file-integrity-notification-enabled FAIL medium
ocp4-pci-dss-general-apply-scc MANUAL medium
ocp4-pci-dss-general-default-namespace-use MANUAL medium
ocp4-pci-dss-general-default-seccomp-profile MANUAL medium
ocp4-pci-dss-general-namespaces-in-use MANUAL medium
ocp4-pci-dss-idp-is-configured PASS medium
ocp4-pci-dss-kubeadmin-removed FAIL medium
ocp4-pci-dss-kubelet-disable-readonly-port PASS medium
ocp4-pci-dss-machine-volume-encrypted PASS high
ocp4-pci-dss-ocp-allowed-registries FAIL medium
ocp4-pci-dss-ocp-allowed-registries-for-import FAIL medium
ocp4-pci-dss-ocp-api-server-audit-log-maxbackup PASS low
ocp4-pci-dss-ocp-api-server-audit-log-maxsize PASS medium
ocp4-pci-dss-ocp-insecure-allowed-registries-for-import PASS medium
ocp4-pci-dss-ocp-insecure-registries PASS medium
ocp4-pci-dss-ocp-no-ldap-insecure PASS high
ocp4-pci-dss-openshift-api-server-audit-log-path PASS high
ocp4-pci-dss-rbac-cluster-roles-defined PASS medium
ocp4-pci-dss-rbac-debug-role-protects-pprof PASS medium
ocp4-pci-dss-rbac-least-privilege MANUAL high
ocp4-pci-dss-rbac-limit-cluster-admin MANUAL medium
ocp4-pci-dss-rbac-limit-secrets-access MANUAL medium
ocp4-pci-dss-rbac-pod-creation-access MANUAL medium
ocp4-pci-dss-rbac-roles-defined PASS medium
ocp4-pci-dss-rbac-wildcard-use MANUAL medium
ocp4-pci-dss-routes-protected-by-tls PASS medium
ocp4-pci-dss-scansettingbinding-exists PASS medium
ocp4-pci-dss-scc-drop-container-capabilities MANUAL medium
ocp4-pci-dss-scc-limit-container-allowed-capabilities PASS medium
ocp4-pci-dss-scc-limit-ipc-namespace MANUAL medium
ocp4-pci-dss-scc-limit-net-raw-capability MANUAL medium
ocp4-pci-dss-scc-limit-network-namespace MANUAL medium
ocp4-pci-dss-scc-limit-privilege-escalation MANUAL medium
ocp4-pci-dss-scc-limit-privileged-containers MANUAL medium
ocp4-pci-dss-scc-limit-process-id-namespace MANUAL medium
ocp4-pci-dss-scc-limit-root-containers MANUAL medium
ocp4-pci-dss-scheduler-profiling-protected-by-rbac PASS medium
ocp4-pci-dss-scheduler-service-protected-by-rbac PASS medium
ocp4-pci-dss-secrets-consider-external-storage MANUAL medium
ocp4-pci-dss-secrets-no-environment-variables MANUAL medium
ocp4-pci-dss-storageclass-encryption-enabled PASS high
ocp4-pci-dss-tls-version-check-apiserver PASS medium
ocp4-pci-dss-tls-version-check-router PASS medium
$ oc compliance bind -N test1 -S default-auto-apply profile/ocp4-cis
Creating ScanSettingBinding test1
$ oc get ssb
NAME STATUS
test READY
test1 READY
$ oc get suite
NAME PHASE RESULT
test DONE NON-COMPLIANT
test1 RUNNING NOT-AVAILABLE
$ oc get scan
NAME PHASE RESULT
ocp4-cis RUNNING NOT-AVAILABLE
ocp4-pci-dss DONE NON-COMPLIANT
$ oc get suite -w
NAME PHASE RESULT
test DONE NON-COMPLIANT
test1 RUNNING NOT-AVAILABLE
test1 AGGREGATING NOT-AVAILABLE
test1 DONE NON-COMPLIANT
test1 DONE NON-COMPLIANT
$ oc get ssb
NAME STATUS
test READY
test1 READY
$ oc get suite
NAME PHASE RESULT
test DONE NON-COMPLIANT
test1 DONE NON-COMPLIANT
$ oc get scan
NAME PHASE RESULT
ocp4-cis DONE NON-COMPLIANT
ocp4-pci-dss DONE NON-COMPLIANT
$ oc get ccr
NAME STATUS SEVERITY
ocp4-cis-accounts-restrict-service-account-tokens MANUAL medium
ocp4-cis-accounts-unique-service-account MANUAL medium
ocp4-cis-api-server-admission-control-plugin-alwaysadmit PASS medium
ocp4-cis-api-server-admission-control-plugin-alwayspullimages PASS high
ocp4-cis-api-server-admission-control-plugin-namespacelifecycle PASS medium
ocp4-cis-api-server-admission-control-plugin-noderestriction PASS medium
ocp4-cis-api-server-admission-control-plugin-scc PASS medium
ocp4-cis-api-server-admission-control-plugin-service-account PASS medium
ocp4-cis-api-server-anonymous-auth PASS medium
ocp4-cis-api-server-api-priority-gate-enabled FAIL medium
ocp4-cis-api-server-audit-log-maxbackup PASS low
ocp4-cis-api-server-audit-log-maxsize PASS medium
ocp4-cis-api-server-audit-log-path PASS high
ocp4-cis-api-server-auth-mode-no-aa PASS medium
ocp4-cis-api-server-auth-mode-rbac PASS medium
ocp4-cis-api-server-basic-auth PASS medium
ocp4-cis-api-server-bind-address PASS low
ocp4-cis-api-server-client-ca PASS medium
ocp4-cis-api-server-encryption-provider-cipher PASS medium
ocp4-cis-api-server-etcd-ca PASS medium
ocp4-cis-api-server-etcd-cert PASS medium
ocp4-cis-api-server-etcd-key PASS medium
ocp4-cis-api-server-https-for-kubelet-conn PASS medium
ocp4-cis-api-server-insecure-bind-address PASS medium
ocp4-cis-api-server-kubelet-certificate-authority PASS high
ocp4-cis-api-server-oauth-https-serving-cert PASS medium
ocp4-cis-api-server-openshift-https-serving-cert PASS medium
ocp4-cis-api-server-profiling-protected-by-rbac PASS medium
ocp4-cis-api-server-request-timeout PASS medium
ocp4-cis-api-server-service-account-lookup PASS medium
ocp4-cis-api-server-service-account-public-key PASS medium
ocp4-cis-api-server-tls-cert PASS medium
ocp4-cis-api-server-tls-cipher-suites PASS medium
ocp4-cis-api-server-tls-private-key PASS medium
ocp4-cis-api-server-token-auth PASS high
ocp4-cis-audit-log-forwarding-enabled FAIL medium
ocp4-cis-audit-profile-set PASS medium
ocp4-cis-configure-network-policies PASS high
ocp4-cis-configure-network-policies-namespaces FAIL high
ocp4-cis-controller-insecure-port-disabled PASS low
ocp4-cis-controller-secure-port PASS low
ocp4-cis-controller-service-account-ca PASS medium
ocp4-cis-controller-service-account-private-key PASS medium
ocp4-cis-controller-use-service-account PASS medium
ocp4-cis-etcd-auto-tls PASS medium
ocp4-cis-etcd-cert-file PASS medium
ocp4-cis-etcd-client-cert-auth PASS medium
ocp4-cis-etcd-key-file PASS medium
ocp4-cis-etcd-peer-auto-tls PASS medium
ocp4-cis-etcd-peer-cert-file PASS medium
ocp4-cis-etcd-peer-client-cert-auth PASS medium
ocp4-cis-etcd-peer-key-file PASS medium
ocp4-cis-general-apply-scc MANUAL medium
ocp4-cis-general-default-namespace-use MANUAL medium
ocp4-cis-general-default-seccomp-profile MANUAL medium
ocp4-cis-general-namespaces-in-use MANUAL medium
ocp4-cis-idp-is-configured PASS medium
ocp4-cis-kubeadmin-removed FAIL medium
ocp4-cis-kubelet-disable-readonly-port PASS medium
ocp4-cis-ocp-allowed-registries FAIL medium
ocp4-cis-ocp-allowed-registries-for-import FAIL medium
ocp4-cis-ocp-api-server-audit-log-maxbackup PASS low
ocp4-cis-ocp-api-server-audit-log-maxsize PASS medium
ocp4-cis-ocp-insecure-allowed-registries-for-import PASS medium
ocp4-cis-ocp-insecure-registries PASS medium
ocp4-cis-openshift-api-server-audit-log-path PASS high
ocp4-cis-rbac-debug-role-protects-pprof PASS medium
ocp4-cis-rbac-least-privilege MANUAL high
ocp4-cis-rbac-limit-cluster-admin MANUAL medium
ocp4-cis-rbac-limit-secrets-access MANUAL medium
ocp4-cis-rbac-pod-creation-access MANUAL medium
ocp4-cis-rbac-wildcard-use MANUAL medium
ocp4-cis-scc-drop-container-capabilities MANUAL medium
ocp4-cis-scc-limit-container-allowed-capabilities PASS medium
ocp4-cis-scc-limit-ipc-namespace MANUAL medium
ocp4-cis-scc-limit-net-raw-capability MANUAL medium
ocp4-cis-scc-limit-network-namespace MANUAL medium
ocp4-cis-scc-limit-privilege-escalation MANUAL medium
ocp4-cis-scc-limit-privileged-containers MANUAL medium
ocp4-cis-scc-limit-process-id-namespace MANUAL medium
ocp4-cis-scc-limit-root-containers MANUAL medium
ocp4-cis-scheduler-profiling-protected-by-rbac PASS medium
ocp4-cis-scheduler-service-protected-by-rbac PASS medium
ocp4-cis-secrets-consider-external-storage MANUAL medium
ocp4-cis-secrets-no-environment-variables MANUAL medium
ocp4-pci-dss-accounts-restrict-service-account-tokens MANUAL medium
ocp4-pci-dss-accounts-unique-service-account MANUAL medium
ocp4-pci-dss-api-server-admission-control-plugin-alwaysadmit PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-alwayspullimages PASS high
ocp4-pci-dss-api-server-admission-control-plugin-namespacelifecycle PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-noderestriction PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-scc PASS medium
ocp4-pci-dss-api-server-admission-control-plugin-service-account PASS medium
ocp4-pci-dss-api-server-anonymous-auth PASS medium
ocp4-pci-dss-api-server-api-priority-gate-enabled FAIL medium
ocp4-pci-dss-api-server-audit-log-maxbackup PASS low
ocp4-pci-dss-api-server-audit-log-maxsize PASS medium
ocp4-pci-dss-api-server-audit-log-path PASS high
ocp4-pci-dss-api-server-auth-mode-no-aa PASS medium
ocp4-pci-dss-api-server-auth-mode-rbac PASS medium
ocp4-pci-dss-api-server-basic-auth PASS medium
ocp4-pci-dss-api-server-bind-address PASS low
ocp4-pci-dss-api-server-client-ca PASS medium
ocp4-pci-dss-api-server-encryption-provider-cipher PASS medium
ocp4-pci-dss-api-server-etcd-ca PASS medium
ocp4-pci-dss-api-server-etcd-cert PASS medium
ocp4-pci-dss-api-server-etcd-key PASS medium
ocp4-pci-dss-api-server-https-for-kubelet-conn PASS medium
ocp4-pci-dss-api-server-insecure-bind-address PASS medium
ocp4-pci-dss-api-server-kubelet-certificate-authority PASS high
ocp4-pci-dss-api-server-oauth-https-serving-cert PASS medium
ocp4-pci-dss-api-server-openshift-https-serving-cert PASS medium
ocp4-pci-dss-api-server-profiling-protected-by-rbac PASS medium
ocp4-pci-dss-api-server-request-timeout PASS medium
ocp4-pci-dss-api-server-service-account-lookup PASS medium
ocp4-pci-dss-api-server-service-account-public-key PASS medium
ocp4-pci-dss-api-server-tls-cert PASS medium
ocp4-pci-dss-api-server-tls-cipher-suites PASS medium
ocp4-pci-dss-api-server-tls-private-key PASS medium
ocp4-pci-dss-api-server-token-auth PASS high
ocp4-pci-dss-audit-log-forwarding-enabled FAIL medium
ocp4-pci-dss-audit-profile-set PASS medium
ocp4-pci-dss-configure-network-policies PASS high
ocp4-pci-dss-configure-network-policies-namespaces FAIL high
ocp4-pci-dss-controller-insecure-port-disabled PASS low
ocp4-pci-dss-controller-secure-port PASS low
ocp4-pci-dss-controller-service-account-ca PASS medium
ocp4-pci-dss-controller-service-account-private-key PASS medium
ocp4-pci-dss-controller-use-service-account PASS medium
ocp4-pci-dss-etcd-auto-tls PASS medium
ocp4-pci-dss-etcd-cert-file PASS medium
ocp4-pci-dss-etcd-check-cipher-suite PASS medium
ocp4-pci-dss-etcd-client-cert-auth PASS medium
ocp4-pci-dss-etcd-key-file PASS medium
ocp4-pci-dss-etcd-peer-auto-tls PASS medium
ocp4-pci-dss-etcd-peer-cert-file PASS medium
ocp4-pci-dss-etcd-peer-client-cert-auth PASS medium
ocp4-pci-dss-etcd-peer-key-file PASS medium
ocp4-pci-dss-file-integrity-exists FAIL medium
ocp4-pci-dss-file-integrity-notification-enabled FAIL medium
ocp4-pci-dss-general-apply-scc MANUAL medium
ocp4-pci-dss-general-default-namespace-use MANUAL medium
ocp4-pci-dss-general-default-seccomp-profile MANUAL medium
ocp4-pci-dss-general-namespaces-in-use MANUAL medium
ocp4-pci-dss-idp-is-configured PASS medium
ocp4-pci-dss-kubeadmin-removed FAIL medium
ocp4-pci-dss-kubelet-disable-readonly-port PASS medium
ocp4-pci-dss-machine-volume-encrypted PASS high
ocp4-pci-dss-ocp-allowed-registries FAIL medium
ocp4-pci-dss-ocp-allowed-registries-for-import FAIL medium
ocp4-pci-dss-ocp-api-server-audit-log-maxbackup PASS low
ocp4-pci-dss-ocp-api-server-audit-log-maxsize PASS medium
ocp4-pci-dss-ocp-insecure-allowed-registries-for-import PASS medium
ocp4-pci-dss-ocp-insecure-registries PASS medium
ocp4-pci-dss-ocp-no-ldap-insecure PASS high
ocp4-pci-dss-openshift-api-server-audit-log-path PASS high
ocp4-pci-dss-rbac-cluster-roles-defined PASS medium
ocp4-pci-dss-rbac-debug-role-protects-pprof PASS medium
ocp4-pci-dss-rbac-least-privilege MANUAL high
ocp4-pci-dss-rbac-limit-cluster-admin MANUAL medium
ocp4-pci-dss-rbac-limit-secrets-access MANUAL medium
ocp4-pci-dss-rbac-pod-creation-access MANUAL medium
ocp4-pci-dss-rbac-roles-defined PASS medium
ocp4-pci-dss-rbac-wildcard-use MANUAL medium
ocp4-pci-dss-routes-protected-by-tls PASS medium
ocp4-pci-dss-scansettingbinding-exists PASS medium
ocp4-pci-dss-scc-drop-container-capabilities MANUAL medium
ocp4-pci-dss-scc-limit-container-allowed-capabilities PASS medium
ocp4-pci-dss-scc-limit-ipc-namespace MANUAL medium
ocp4-pci-dss-scc-limit-net-raw-capability MANUAL medium
ocp4-pci-dss-scc-limit-network-namespace MANUAL medium
ocp4-pci-dss-scc-limit-privilege-escalation MANUAL medium
ocp4-pci-dss-scc-limit-privileged-containers MANUAL medium
ocp4-pci-dss-scc-limit-process-id-namespace MANUAL medium
ocp4-pci-dss-scc-limit-root-containers MANUAL medium
ocp4-pci-dss-scheduler-profiling-protected-by-rbac PASS medium
ocp4-pci-dss-scheduler-service-protected-by-rbac PASS medium
ocp4-pci-dss-secrets-consider-external-storage MANUAL medium
ocp4-pci-dss-secrets-no-environment-variables MANUAL medium
ocp4-pci-dss-storageclass-encryption-enabled PASS high
ocp4-pci-dss-tls-version-check-apiserver PASS medium
ocp4-pci-dss-tls-version-check-router PASS medium
$ oc get scan ocp4-cis -oyaml | grep -A 2 ComplianceSuite
kind: ComplianceSuite
name: test1
uid: 0eccc05f-360d-4dbb-9b3c-647b781cca27
$ oc get scan ocp4-pci-dss -oyaml | grep -A 2 ComplianceSuite
kind: ComplianceSuite
name: test
uid: 587ec865-14d4-4300-87bc-78e0fc94838d
/unhold
/label qe-approved
/retest
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: rhmdnd, Vincent056
The full list of commands accepted by this bot can be found here.
The pull request process is described here
@Vincent056: Jira Issue OCPBUGS-29272: All pull requests linked via external trackers have merged:
Jira Issue OCPBUGS-29272 has been moved to the MODIFIED state.
This PR fixes an issue when a profile gets removed from a ScanSettingBinding: the old scan was not deleted when a profile was removed from the existing ScanSettingBinding. This PR checks for that and does the removal, so that a new scan using that profile can be launched correctly. Check OCPBUGS-29272: https://issues.redhat.com/browse/OCPBUGS-29272
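The stale-scan cleanup described above, and the collision it prevents in the verification (the `ocp4-cis` scan had to be released by suite `test` before binding `test1` could create its own), modelled as an added Go example. This is not the compliance-operator's code: `ScanRef`, `Binding` and `ReconcileScans` are simplified stand-ins for the real controller types, and the only convention taken from the page is the naming seen in the output (scan named after the profile, suite named after the binding).

```go
package main

import (
	"fmt"
	"sort"
)

// ScanRef is a constructed, simplified view of a ComplianceScan: its name
// and the ComplianceSuite that owns it (ownerReferences in the real API).
type ScanRef struct {
	Name       string
	OwnerSuite string
}

// Binding is a constructed, simplified view of a ScanSettingBinding. The
// suite built from it carries the binding's name; each scan carries the
// bound profile's name (e.g. ocp4-cis), as in the verification output.
type Binding struct {
	Name     string
	Profiles []string
}

// ReconcileResult lists what a controller must do for one binding.
type ReconcileResult struct {
	ToDelete  []string // scans owned by this suite whose profile is gone
	ToCreate  []string // desired scans that do not exist yet
	Conflicts []string // desired scans that a different suite still owns
}

// ReconcileScans computes the cleanup the PR adds: a scan owned by this
// binding's suite but no longer backed by one of its profiles is deleted,
// so that a later binding using that profile can create the scan itself.
func ReconcileScans(b Binding, existing []ScanRef) ReconcileResult {
	desired := make(map[string]bool, len(b.Profiles))
	for _, p := range b.Profiles {
		desired[p] = true
	}
	owner := make(map[string]string, len(existing))
	for _, s := range existing {
		owner[s.Name] = s.OwnerSuite
	}

	var res ReconcileResult
	// Stale scans: ours, but the profile was removed from the binding.
	for _, s := range existing {
		if s.OwnerSuite == b.Name && !desired[s.Name] {
			res.ToDelete = append(res.ToDelete, s.Name)
		}
	}
	// Desired scans: create missing ones, flag ones another suite holds.
	for _, p := range b.Profiles {
		o, exists := owner[p]
		switch {
		case !exists:
			res.ToCreate = append(res.ToCreate, p)
		case o != b.Name:
			res.Conflicts = append(res.Conflicts, p)
		}
	}
	sort.Strings(res.ToDelete)
	sort.Strings(res.ToCreate)
	sort.Strings(res.Conflicts)
	return res
}

func main() {
	// Constructed state mirroring the verification: binding "test" was
	// created with ocp4-cis and ocp4-pci-dss, then ocp4-cis was removed.
	existing := []ScanRef{
		{Name: "ocp4-cis", OwnerSuite: "test"},
		{Name: "ocp4-pci-dss", OwnerSuite: "test"},
	}
	edited := Binding{Name: "test", Profiles: []string{"ocp4-pci-dss"}}
	fmt.Printf("edited test:  %+v\n", ReconcileScans(edited, existing))

	// Without the cleanup, a second binding for ocp4-cis collides with
	// the orphaned scan that suite "test" still owns.
	test1 := Binding{Name: "test1", Profiles: []string{"ocp4-cis"}}
	fmt.Printf("test1 before: %+v\n", ReconcileScans(test1, existing))

	// After the cleanup the scan is gone and test1 can create it.
	after := []ScanRef{{Name: "ocp4-pci-dss", OwnerSuite: "test"}}
	fmt.Printf("test1 after:  %+v\n", ReconcileScans(test1, after))
}
```

The three calls in `main` correspond to the three stages of the verification above: the first yields `ocp4-cis` in `ToDelete`, the second reports it as a conflict for `test1` if the stale scan were left in place, and the third shows `test1` free to create it once the cleanup has run.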