ComplianceAsCode / compliance-operator

Operator providing Kubernetes cluster compliance checks
Apache License 2.0

OCPBUGS-29272: Delete scan when SSB remove a profile #492

Closed Vincent056 closed 7 months ago

Vincent056 commented 8 months ago

This PR fixes an issue when a profile gets removed from a ScanSettingBinding: the old scan was not deleted when a profile was removed from the existing ScanSettingBinding. This PR checks for that and does the removal so that a new scan using that profile can be launched correctly. Check OCPBUGS-29272: https://issues.redhat.com/browse/OCPBUGS-29272
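
The check this PR describes, written out as an added Go example (not the operator's own code): it assumes a scan is named after its profile, as the verification output below shows (profile ocp4-cis yields scan ocp4-cis), and models suite ownership as a plain field rather than the operator's labels or owner references.

```go
package main

import (
	"fmt"
	"sort"
)

// Scan is a minimal stand-in for a ComplianceScan: its name and the suite
// (created from a ScanSettingBinding of the same name) that owns it. The
// operator records ownership via labels/owner references; here it is a field
// (assumption made for this example).
type Scan struct {
	Name  string
	Suite string
}

// Binding is a minimal stand-in for a ScanSettingBinding: its name, which is
// also the name of the ComplianceSuite it produces, and the profiles it
// currently references.
type Binding struct {
	Name     string
	Profiles []string
}

// scanNameForProfile reflects the naming visible in the verification output,
// where profile ocp4-cis produces a scan called ocp4-cis.
// Assumption: the scan name is the profile name.
func scanNameForProfile(profile string) string {
	return profile
}

// StaleScans returns, sorted, the scans that belong to the binding's suite but
// are no longer referenced by any profile in the binding. These are the scans
// that must be deleted when a profile is removed from the binding. Scans owned
// by a different suite are never reported, so the cleanup cannot reach across
// bindings.
func StaleScans(b Binding, existing []Scan) []string {
	wanted := make(map[string]bool, len(b.Profiles))
	for _, p := range b.Profiles {
		wanted[scanNameForProfile(p)] = true
	}
	var stale []string
	for _, s := range existing {
		if s.Suite == b.Name && !wanted[s.Name] {
			stale = append(stale, s.Name)
		}
	}
	sort.Strings(stale)
	return stale
}

// Conflicts returns the scans the binding needs that already exist under a
// different suite. This is the situation the bug produced: the ocp4-cis scan
// left behind by suite "test" blocked a new binding "test1" from launching
// its own ocp4-cis scan.
func Conflicts(b Binding, existing []Scan) []string {
	owner := make(map[string]string, len(existing))
	for _, s := range existing {
		owner[s.Name] = s.Suite
	}
	var out []string
	for _, p := range b.Profiles {
		name := scanNameForProfile(p)
		if o, ok := owner[name]; ok && o != b.Name {
			out = append(out, name+" (owned by suite "+o+")")
		}
	}
	return out
}

// removeScans drops the named scans from the list, standing in for the
// delete calls the operator would issue.
func removeScans(existing []Scan, names []string) []Scan {
	drop := make(map[string]bool, len(names))
	for _, n := range names {
		drop[n] = true
	}
	var kept []Scan
	for _, s := range existing {
		if !drop[s.Name] {
			kept = append(kept, s)
		}
	}
	return kept
}

func main() {
	// Constructed state matching the verification steps: binding "test"
	// started with both profiles, then ocp4-cis was removed from it.
	scans := []Scan{{Name: "ocp4-cis", Suite: "test"}, {Name: "ocp4-pci-dss", Suite: "test"}}
	test := Binding{Name: "test", Profiles: []string{"ocp4-pci-dss"}}
	test1 := Binding{Name: "test1", Profiles: []string{"ocp4-cis"}}

	fmt.Println("before cleanup, test1 conflicts:", Conflicts(test1, scans))
	stale := StaleScans(test, scans)
	fmt.Println("stale scans for test:", stale)
	scans = removeScans(scans, stale)
	fmt.Println("after cleanup, test1 conflicts:", Conflicts(test1, scans))
}
```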

openshift-ci-robot commented 8 months ago

@Vincent056: This pull request references Jira Issue OCPBUGS-29272, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/ComplianceAsCode/compliance-operator/pull/492):

> This PR fixes an issue when a profile gets removed from a ScanSettingBinding: the old scan was not deleted when a profile was removed from the existing ScanSettingBinding. This PR checks for that and does the removal so that a new scan using that profile can be launched correctly. Check OCPBUGS-29272: https://issues.redhat.com/browse/OCPBUGS-29272

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=ComplianceAsCode%2Fcompliance-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

rhmdnd commented 8 months ago

Looks great, just a few comments inline about testing.

Vincent056 commented 8 months ago

/retest

Vincent056 commented 8 months ago

/retest

Vincent056 commented 8 months ago

/retest

Vincent056 commented 8 months ago

/retest

BhargaviGudi commented 8 months ago

/hold for test

BhargaviGudi commented 8 months ago

Verification passed with 4.16.0-0.nightly-2024-02-17-094036 + compliance-operator from PR #492 code

  1. Install CO from code
  2. Create ssb with profile/ocp4-cis profile/ocp4-pci-dss
    $ oc compliance bind -N test -S default-auto-apply profile/ocp4-cis profile/ocp4-pci-dss
    Creating ScanSettingBinding test
    $ oc get ssb
    NAME   STATUS
    test   READY
    $ oc get suite
    NAME   PHASE     RESULT
    test   RUNNING   NOT-AVAILABLE
    $ oc get pods
    NAME                                             READY   STATUS            RESTARTS        AGE
    compliance-operator-79b7bfcdf-jq7wm              1/1     Running           1 (4m19s ago)   4m23s
    ocp4-cis-api-checks-pod                          0/2     PodInitializing   0               11s
    ocp4-cis-rs-6b5c4977f7-zfgns                     1/1     Running           0               11s
    ocp4-openshift-compliance-pp-54cfbb648f-wddgb    1/1     Running           0               4m17s
    ocp4-pci-dss-api-checks-pod                      0/2     PodInitializing   0               13s
    ocp4-pci-dss-rs-75dc5b8f8c-s8qfk                 1/1     Running           0               13s
    rhcos4-openshift-compliance-pp-7bb9b68b7-6lfzc   1/1     Running           0               4m17s
    $ oc get suite -w
    NAME   PHASE   RESULT
    test   DONE    NON-COMPLIANT
    ^C$ oc get suite
    NAME   PHASE   RESULT
    test   DONE    NON-COMPLIANT
    $ oc get scan
    NAME           PHASE   RESULT
    ocp4-cis       DONE    NON-COMPLIANT
    ocp4-pci-dss   DONE    NON-COMPLIANT
    $ oc get ccr
    NAME                                                                  STATUS   SEVERITY
    ocp4-cis-accounts-restrict-service-account-tokens                     MANUAL   medium
    ocp4-cis-accounts-unique-service-account                              MANUAL   medium
    ocp4-cis-api-server-admission-control-plugin-alwaysadmit              PASS     medium
    ocp4-cis-api-server-admission-control-plugin-alwayspullimages         PASS     high
    ocp4-cis-api-server-admission-control-plugin-namespacelifecycle       PASS     medium
    ocp4-cis-api-server-admission-control-plugin-noderestriction          PASS     medium
    ocp4-cis-api-server-admission-control-plugin-scc                      PASS     medium
    ocp4-cis-api-server-admission-control-plugin-service-account          PASS     medium
    ocp4-cis-api-server-anonymous-auth                                    PASS     medium
    ocp4-cis-api-server-api-priority-gate-enabled                         FAIL     medium
    ocp4-cis-api-server-audit-log-maxbackup                               PASS     low
    ocp4-cis-api-server-audit-log-maxsize                                 PASS     medium
    ocp4-cis-api-server-audit-log-path                                    PASS     high
    ocp4-cis-api-server-auth-mode-no-aa                                   PASS     medium
    ocp4-cis-api-server-auth-mode-rbac                                    PASS     medium
    ocp4-cis-api-server-basic-auth                                        PASS     medium
    ocp4-cis-api-server-bind-address                                      PASS     low
    ocp4-cis-api-server-client-ca                                         PASS     medium
    ocp4-cis-api-server-encryption-provider-cipher                        PASS     medium
    ocp4-cis-api-server-etcd-ca                                           PASS     medium
    ocp4-cis-api-server-etcd-cert                                         PASS     medium
    ocp4-cis-api-server-etcd-key                                          PASS     medium
    ocp4-cis-api-server-https-for-kubelet-conn                            PASS     medium
    ocp4-cis-api-server-insecure-bind-address                             PASS     medium
    ocp4-cis-api-server-kubelet-certificate-authority                     PASS     high
    ocp4-cis-api-server-oauth-https-serving-cert                          PASS     medium
    ocp4-cis-api-server-openshift-https-serving-cert                      PASS     medium
    ocp4-cis-api-server-profiling-protected-by-rbac                       PASS     medium
    ocp4-cis-api-server-request-timeout                                   PASS     medium
    ocp4-cis-api-server-service-account-lookup                            PASS     medium
    ocp4-cis-api-server-service-account-public-key                        PASS     medium
    ocp4-cis-api-server-tls-cert                                          PASS     medium
    ocp4-cis-api-server-tls-cipher-suites                                 PASS     medium
    ocp4-cis-api-server-tls-private-key                                   PASS     medium
    ocp4-cis-api-server-token-auth                                        PASS     high
    ocp4-cis-audit-log-forwarding-enabled                                 FAIL     medium
    ocp4-cis-audit-profile-set                                            PASS     medium
    ocp4-cis-configure-network-policies                                   PASS     high
    ocp4-cis-configure-network-policies-namespaces                        FAIL     high
    ocp4-cis-controller-insecure-port-disabled                            PASS     low
    ocp4-cis-controller-secure-port                                       PASS     low
    ocp4-cis-controller-service-account-ca                                PASS     medium
    ocp4-cis-controller-service-account-private-key                       PASS     medium
    ocp4-cis-controller-use-service-account                               PASS     medium
    ocp4-cis-etcd-auto-tls                                                PASS     medium
    ocp4-cis-etcd-cert-file                                               PASS     medium
    ocp4-cis-etcd-client-cert-auth                                        PASS     medium
    ocp4-cis-etcd-key-file                                                PASS     medium
    ocp4-cis-etcd-peer-auto-tls                                           PASS     medium
    ocp4-cis-etcd-peer-cert-file                                          PASS     medium
    ocp4-cis-etcd-peer-client-cert-auth                                   PASS     medium
    ocp4-cis-etcd-peer-key-file                                           PASS     medium
    ocp4-cis-general-apply-scc                                            MANUAL   medium
    ocp4-cis-general-default-namespace-use                                MANUAL   medium
    ocp4-cis-general-default-seccomp-profile                              MANUAL   medium
    ocp4-cis-general-namespaces-in-use                                    MANUAL   medium
    ocp4-cis-idp-is-configured                                            PASS     medium
    ocp4-cis-kubeadmin-removed                                            FAIL     medium
    ocp4-cis-kubelet-disable-readonly-port                                PASS     medium
    ocp4-cis-ocp-allowed-registries                                       FAIL     medium
    ocp4-cis-ocp-allowed-registries-for-import                            FAIL     medium
    ocp4-cis-ocp-api-server-audit-log-maxbackup                           PASS     low
    ocp4-cis-ocp-api-server-audit-log-maxsize                             PASS     medium
    ocp4-cis-ocp-insecure-allowed-registries-for-import                   PASS     medium
    ocp4-cis-ocp-insecure-registries                                      PASS     medium
    ocp4-cis-openshift-api-server-audit-log-path                          PASS     high
    ocp4-cis-rbac-debug-role-protects-pprof                               PASS     medium
    ocp4-cis-rbac-least-privilege                                         MANUAL   high
    ocp4-cis-rbac-limit-cluster-admin                                     MANUAL   medium
    ocp4-cis-rbac-limit-secrets-access                                    MANUAL   medium
    ocp4-cis-rbac-pod-creation-access                                     MANUAL   medium
    ocp4-cis-rbac-wildcard-use                                            MANUAL   medium
    ocp4-cis-scc-drop-container-capabilities                              MANUAL   medium
    ocp4-cis-scc-limit-container-allowed-capabilities                     PASS     medium
    ocp4-cis-scc-limit-ipc-namespace                                      MANUAL   medium
    ocp4-cis-scc-limit-net-raw-capability                                 MANUAL   medium
    ocp4-cis-scc-limit-network-namespace                                  MANUAL   medium
    ocp4-cis-scc-limit-privilege-escalation                               MANUAL   medium
    ocp4-cis-scc-limit-privileged-containers                              MANUAL   medium
    ocp4-cis-scc-limit-process-id-namespace                               MANUAL   medium
    ocp4-cis-scc-limit-root-containers                                    MANUAL   medium
    ocp4-cis-scheduler-profiling-protected-by-rbac                        PASS     medium
    ocp4-cis-scheduler-service-protected-by-rbac                          PASS     medium
    ocp4-cis-secrets-consider-external-storage                            MANUAL   medium
    ocp4-cis-secrets-no-environment-variables                             MANUAL   medium
    ocp4-pci-dss-accounts-restrict-service-account-tokens                 MANUAL   medium
    ocp4-pci-dss-accounts-unique-service-account                          MANUAL   medium
    ocp4-pci-dss-api-server-admission-control-plugin-alwaysadmit          PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-alwayspullimages     PASS     high
    ocp4-pci-dss-api-server-admission-control-plugin-namespacelifecycle   PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-noderestriction      PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-scc                  PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-service-account      PASS     medium
    ocp4-pci-dss-api-server-anonymous-auth                                PASS     medium
    ocp4-pci-dss-api-server-api-priority-gate-enabled                     FAIL     medium
    ocp4-pci-dss-api-server-audit-log-maxbackup                           PASS     low
    ocp4-pci-dss-api-server-audit-log-maxsize                             PASS     medium
    ocp4-pci-dss-api-server-audit-log-path                                PASS     high
    ocp4-pci-dss-api-server-auth-mode-no-aa                               PASS     medium
    ocp4-pci-dss-api-server-auth-mode-rbac                                PASS     medium
    ocp4-pci-dss-api-server-basic-auth                                    PASS     medium
    ocp4-pci-dss-api-server-bind-address                                  PASS     low
    ocp4-pci-dss-api-server-client-ca                                     PASS     medium
    ocp4-pci-dss-api-server-encryption-provider-cipher                    PASS     medium
    ocp4-pci-dss-api-server-etcd-ca                                       PASS     medium
    ocp4-pci-dss-api-server-etcd-cert                                     PASS     medium
    ocp4-pci-dss-api-server-etcd-key                                      PASS     medium
    ocp4-pci-dss-api-server-https-for-kubelet-conn                        PASS     medium
    ocp4-pci-dss-api-server-insecure-bind-address                         PASS     medium
    ocp4-pci-dss-api-server-kubelet-certificate-authority                 PASS     high
    ocp4-pci-dss-api-server-oauth-https-serving-cert                      PASS     medium
    ocp4-pci-dss-api-server-openshift-https-serving-cert                  PASS     medium
    ocp4-pci-dss-api-server-profiling-protected-by-rbac                   PASS     medium
    ocp4-pci-dss-api-server-request-timeout                               PASS     medium
    ocp4-pci-dss-api-server-service-account-lookup                        PASS     medium
    ocp4-pci-dss-api-server-service-account-public-key                    PASS     medium
    ocp4-pci-dss-api-server-tls-cert                                      PASS     medium
    ocp4-pci-dss-api-server-tls-cipher-suites                             PASS     medium
    ocp4-pci-dss-api-server-tls-private-key                               PASS     medium
    ocp4-pci-dss-api-server-token-auth                                    PASS     high
    ocp4-pci-dss-audit-log-forwarding-enabled                             FAIL     medium
    ocp4-pci-dss-audit-profile-set                                        PASS     medium
    ocp4-pci-dss-configure-network-policies                               PASS     high
    ocp4-pci-dss-configure-network-policies-namespaces                    FAIL     high
    ocp4-pci-dss-controller-insecure-port-disabled                        PASS     low
    ocp4-pci-dss-controller-secure-port                                   PASS     low
    ocp4-pci-dss-controller-service-account-ca                            PASS     medium
    ocp4-pci-dss-controller-service-account-private-key                   PASS     medium
    ocp4-pci-dss-controller-use-service-account                           PASS     medium
    ocp4-pci-dss-etcd-auto-tls                                            PASS     medium
    ocp4-pci-dss-etcd-cert-file                                           PASS     medium
    ocp4-pci-dss-etcd-check-cipher-suite                                  PASS     medium
    ocp4-pci-dss-etcd-client-cert-auth                                    PASS     medium
    ocp4-pci-dss-etcd-key-file                                            PASS     medium
    ocp4-pci-dss-etcd-peer-auto-tls                                       PASS     medium
    ocp4-pci-dss-etcd-peer-cert-file                                      PASS     medium
    ocp4-pci-dss-etcd-peer-client-cert-auth                               PASS     medium
    ocp4-pci-dss-etcd-peer-key-file                                       PASS     medium
    ocp4-pci-dss-file-integrity-exists                                    FAIL     medium
    ocp4-pci-dss-file-integrity-notification-enabled                      FAIL     medium
    ocp4-pci-dss-general-apply-scc                                        MANUAL   medium
    ocp4-pci-dss-general-default-namespace-use                            MANUAL   medium
    ocp4-pci-dss-general-default-seccomp-profile                          MANUAL   medium
    ocp4-pci-dss-general-namespaces-in-use                                MANUAL   medium
    ocp4-pci-dss-idp-is-configured                                        PASS     medium
    ocp4-pci-dss-kubeadmin-removed                                        FAIL     medium
    ocp4-pci-dss-kubelet-disable-readonly-port                            PASS     medium
    ocp4-pci-dss-machine-volume-encrypted                                 PASS     high
    ocp4-pci-dss-ocp-allowed-registries                                   FAIL     medium
    ocp4-pci-dss-ocp-allowed-registries-for-import                        FAIL     medium
    ocp4-pci-dss-ocp-api-server-audit-log-maxbackup                       PASS     low
    ocp4-pci-dss-ocp-api-server-audit-log-maxsize                         PASS     medium
    ocp4-pci-dss-ocp-insecure-allowed-registries-for-import               PASS     medium
    ocp4-pci-dss-ocp-insecure-registries                                  PASS     medium
    ocp4-pci-dss-ocp-no-ldap-insecure                                     PASS     high
    ocp4-pci-dss-openshift-api-server-audit-log-path                      PASS     high
    ocp4-pci-dss-rbac-cluster-roles-defined                               PASS     medium
    ocp4-pci-dss-rbac-debug-role-protects-pprof                           PASS     medium
    ocp4-pci-dss-rbac-least-privilege                                     MANUAL   high
    ocp4-pci-dss-rbac-limit-cluster-admin                                 MANUAL   medium
    ocp4-pci-dss-rbac-limit-secrets-access                                MANUAL   medium
    ocp4-pci-dss-rbac-pod-creation-access                                 MANUAL   medium
    ocp4-pci-dss-rbac-roles-defined                                       PASS     medium
    ocp4-pci-dss-rbac-wildcard-use                                        MANUAL   medium
    ocp4-pci-dss-routes-protected-by-tls                                  PASS     medium
    ocp4-pci-dss-scansettingbinding-exists                                PASS     medium
    ocp4-pci-dss-scc-drop-container-capabilities                          MANUAL   medium
    ocp4-pci-dss-scc-limit-container-allowed-capabilities                 PASS     medium
    ocp4-pci-dss-scc-limit-ipc-namespace                                  MANUAL   medium
    ocp4-pci-dss-scc-limit-net-raw-capability                             MANUAL   medium
    ocp4-pci-dss-scc-limit-network-namespace                              MANUAL   medium
    ocp4-pci-dss-scc-limit-privilege-escalation                           MANUAL   medium
    ocp4-pci-dss-scc-limit-privileged-containers                          MANUAL   medium
    ocp4-pci-dss-scc-limit-process-id-namespace                           MANUAL   medium
    ocp4-pci-dss-scc-limit-root-containers                                MANUAL   medium
    ocp4-pci-dss-scheduler-profiling-protected-by-rbac                    PASS     medium
    ocp4-pci-dss-scheduler-service-protected-by-rbac                      PASS     medium
    ocp4-pci-dss-secrets-consider-external-storage                        MANUAL   medium
    ocp4-pci-dss-secrets-no-environment-variables                         MANUAL   medium
    ocp4-pci-dss-storageclass-encryption-enabled                          PASS     high
    ocp4-pci-dss-tls-version-check-apiserver                              PASS     medium
    ocp4-pci-dss-tls-version-check-router                                 PASS     medium
  3. Remove ocp4-cis profile
    $ oc get ssb -oyaml &> ssb.yaml
    $ cat ssb.yaml
    apiVersion: v1
    items:
    - apiVersion: compliance.openshift.io/v1alpha1
      kind: ScanSettingBinding
      metadata:
        creationTimestamp: "2024-02-19T07:45:02Z"
        generation: 1
        name: test
        namespace: openshift-compliance
        resourceVersion: "68535"
        uid: 2ecf5aca-2767-4220-aa7c-4b42c7dae4f8
      profiles:
      - apiGroup: compliance.openshift.io/v1alpha1
        kind: Profile
        name: ocp4-pci-dss
      settingsRef:
        apiGroup: compliance.openshift.io/v1alpha1
        kind: ScanSetting
        name: default-auto-apply
      status:
        conditions:
        - lastTransitionTime: "2024-02-19T07:45:03Z"
          message: The scan setting binding was successfully processed
          reason: Processed
          status: "True"
          type: Ready
        outputRef:
          apiGroup: compliance.openshift.io
          kind: ComplianceSuite
          name: test
        phase: READY
    kind: List
    metadata:
      resourceVersion: ""
    $ oc apply -f ssb.yaml 
    Warning: resource scansettingbindings/test is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by oc apply. oc apply should only be used on resources created declaratively by either oc create --save-config or oc apply. The missing annotation will be patched automatically.
    scansettingbinding.compliance.openshift.io/test configured
    $ oc get ssb
    NAME   STATUS
    test   READY
    $ oc get suite
    NAME   PHASE   RESULT
    test   DONE    NON-COMPLIANT
    $ oc get scan
    NAME           PHASE   RESULT
    ocp4-pci-dss   DONE    NON-COMPLIANT
    $ oc get ssb test -oyaml
    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSettingBinding
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"compliance.openshift.io/v1alpha1","kind":"ScanSettingBinding","metadata":{"annotations":{},"creationTimestamp":"2024-02-19T07:45:02Z","generation":1,"name":"test","namespace":"openshift-compliance","resourceVersion":"68535","uid":"2ecf5aca-2767-4220-aa7c-4b42c7dae4f8"},"profiles":[{"apiGroup":"compliance.openshift.io/v1alpha1","kind":"Profile","name":"ocp4-pci-dss"}],"settingsRef":{"apiGroup":"compliance.openshift.io/v1alpha1","kind":"ScanSetting","name":"default-auto-apply"},"status":{"conditions":[{"lastTransitionTime":"2024-02-19T07:45:03Z","message":"The scan setting binding was successfully processed","reason":"Processed","status":"True","type":"Ready"}],"outputRef":{"apiGroup":"compliance.openshift.io","kind":"ComplianceSuite","name":"test"},"phase":"READY"}}
      creationTimestamp: "2024-02-19T07:45:02Z"
      generation: 2
      name: test
      namespace: openshift-compliance
      resourceVersion: "95335"
      uid: 2ecf5aca-2767-4220-aa7c-4b42c7dae4f8
    profiles:
    - apiGroup: compliance.openshift.io/v1alpha1
      kind: Profile
      name: ocp4-pci-dss
    settingsRef:
      apiGroup: compliance.openshift.io/v1alpha1
      kind: ScanSetting
      name: default-auto-apply
    status:
      conditions:
      - lastTransitionTime: "2024-02-19T07:45:03Z"
        message: The scan setting binding was successfully processed
        reason: Processed
        status: "True"
        type: Ready
      outputRef:
        apiGroup: compliance.openshift.io
        kind: ComplianceSuite
        name: test
      phase: READY
    $ oc get scan
    NAME           PHASE   RESULT
    ocp4-pci-dss   DONE    NON-COMPLIANT
  4. Verified ocp4-cis ccr are not present
    $ oc get ccr
    NAME                                                                  STATUS   SEVERITY
    ocp4-pci-dss-accounts-restrict-service-account-tokens                 MANUAL   medium
    ocp4-pci-dss-accounts-unique-service-account                          MANUAL   medium
    ocp4-pci-dss-api-server-admission-control-plugin-alwaysadmit          PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-alwayspullimages     PASS     high
    ocp4-pci-dss-api-server-admission-control-plugin-namespacelifecycle   PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-noderestriction      PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-scc                  PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-service-account      PASS     medium
    ocp4-pci-dss-api-server-anonymous-auth                                PASS     medium
    ocp4-pci-dss-api-server-api-priority-gate-enabled                     FAIL     medium
    ocp4-pci-dss-api-server-audit-log-maxbackup                           PASS     low
    ocp4-pci-dss-api-server-audit-log-maxsize                             PASS     medium
    ocp4-pci-dss-api-server-audit-log-path                                PASS     high
    ocp4-pci-dss-api-server-auth-mode-no-aa                               PASS     medium
    ocp4-pci-dss-api-server-auth-mode-rbac                                PASS     medium
    ocp4-pci-dss-api-server-basic-auth                                    PASS     medium
    ocp4-pci-dss-api-server-bind-address                                  PASS     low
    ocp4-pci-dss-api-server-client-ca                                     PASS     medium
    ocp4-pci-dss-api-server-encryption-provider-cipher                    PASS     medium
    ocp4-pci-dss-api-server-etcd-ca                                       PASS     medium
    ocp4-pci-dss-api-server-etcd-cert                                     PASS     medium
    ocp4-pci-dss-api-server-etcd-key                                      PASS     medium
    ocp4-pci-dss-api-server-https-for-kubelet-conn                        PASS     medium
    ocp4-pci-dss-api-server-insecure-bind-address                         PASS     medium
    ocp4-pci-dss-api-server-kubelet-certificate-authority                 PASS     high
    ocp4-pci-dss-api-server-oauth-https-serving-cert                      PASS     medium
    ocp4-pci-dss-api-server-openshift-https-serving-cert                  PASS     medium
    ocp4-pci-dss-api-server-profiling-protected-by-rbac                   PASS     medium
    ocp4-pci-dss-api-server-request-timeout                               PASS     medium
    ocp4-pci-dss-api-server-service-account-lookup                        PASS     medium
    ocp4-pci-dss-api-server-service-account-public-key                    PASS     medium
    ocp4-pci-dss-api-server-tls-cert                                      PASS     medium
    ocp4-pci-dss-api-server-tls-cipher-suites                             PASS     medium
    ocp4-pci-dss-api-server-tls-private-key                               PASS     medium
    ocp4-pci-dss-api-server-token-auth                                    PASS     high
    ocp4-pci-dss-audit-log-forwarding-enabled                             FAIL     medium
    ocp4-pci-dss-audit-profile-set                                        PASS     medium
    ocp4-pci-dss-configure-network-policies                               PASS     high
    ocp4-pci-dss-configure-network-policies-namespaces                    FAIL     high
    ocp4-pci-dss-controller-insecure-port-disabled                        PASS     low
    ocp4-pci-dss-controller-secure-port                                   PASS     low
    ocp4-pci-dss-controller-service-account-ca                            PASS     medium
    ocp4-pci-dss-controller-service-account-private-key                   PASS     medium
    ocp4-pci-dss-controller-use-service-account                           PASS     medium
    ocp4-pci-dss-etcd-auto-tls                                            PASS     medium
    ocp4-pci-dss-etcd-cert-file                                           PASS     medium
    ocp4-pci-dss-etcd-check-cipher-suite                                  PASS     medium
    ocp4-pci-dss-etcd-client-cert-auth                                    PASS     medium
    ocp4-pci-dss-etcd-key-file                                            PASS     medium
    ocp4-pci-dss-etcd-peer-auto-tls                                       PASS     medium
    ocp4-pci-dss-etcd-peer-cert-file                                      PASS     medium
    ocp4-pci-dss-etcd-peer-client-cert-auth                               PASS     medium
    ocp4-pci-dss-etcd-peer-key-file                                       PASS     medium
    ocp4-pci-dss-file-integrity-exists                                    FAIL     medium
    ocp4-pci-dss-file-integrity-notification-enabled                      FAIL     medium
    ocp4-pci-dss-general-apply-scc                                        MANUAL   medium
    ocp4-pci-dss-general-default-namespace-use                            MANUAL   medium
    ocp4-pci-dss-general-default-seccomp-profile                          MANUAL   medium
    ocp4-pci-dss-general-namespaces-in-use                                MANUAL   medium
    ocp4-pci-dss-idp-is-configured                                        PASS     medium
    ocp4-pci-dss-kubeadmin-removed                                        FAIL     medium
    ocp4-pci-dss-kubelet-disable-readonly-port                            PASS     medium
    ocp4-pci-dss-machine-volume-encrypted                                 PASS     high
    ocp4-pci-dss-ocp-allowed-registries                                   FAIL     medium
    ocp4-pci-dss-ocp-allowed-registries-for-import                        FAIL     medium
    ocp4-pci-dss-ocp-api-server-audit-log-maxbackup                       PASS     low
    ocp4-pci-dss-ocp-api-server-audit-log-maxsize                         PASS     medium
    ocp4-pci-dss-ocp-insecure-allowed-registries-for-import               PASS     medium
    ocp4-pci-dss-ocp-insecure-registries                                  PASS     medium
    ocp4-pci-dss-ocp-no-ldap-insecure                                     PASS     high
    ocp4-pci-dss-openshift-api-server-audit-log-path                      PASS     high
    ocp4-pci-dss-rbac-cluster-roles-defined                               PASS     medium
    ocp4-pci-dss-rbac-debug-role-protects-pprof                           PASS     medium
    ocp4-pci-dss-rbac-least-privilege                                     MANUAL   high
    ocp4-pci-dss-rbac-limit-cluster-admin                                 MANUAL   medium
    ocp4-pci-dss-rbac-limit-secrets-access                                MANUAL   medium
    ocp4-pci-dss-rbac-pod-creation-access                                 MANUAL   medium
    ocp4-pci-dss-rbac-roles-defined                                       PASS     medium
    ocp4-pci-dss-rbac-wildcard-use                                        MANUAL   medium
    ocp4-pci-dss-routes-protected-by-tls                                  PASS     medium
    ocp4-pci-dss-scansettingbinding-exists                                PASS     medium
    ocp4-pci-dss-scc-drop-container-capabilities                          MANUAL   medium
    ocp4-pci-dss-scc-limit-container-allowed-capabilities                 PASS     medium
    ocp4-pci-dss-scc-limit-ipc-namespace                                  MANUAL   medium
    ocp4-pci-dss-scc-limit-net-raw-capability                             MANUAL   medium
    ocp4-pci-dss-scc-limit-network-namespace                              MANUAL   medium
    ocp4-pci-dss-scc-limit-privilege-escalation                           MANUAL   medium
    ocp4-pci-dss-scc-limit-privileged-containers                          MANUAL   medium
    ocp4-pci-dss-scc-limit-process-id-namespace                           MANUAL   medium
    ocp4-pci-dss-scc-limit-root-containers                                MANUAL   medium
    ocp4-pci-dss-scheduler-profiling-protected-by-rbac                    PASS     medium
    ocp4-pci-dss-scheduler-service-protected-by-rbac                      PASS     medium
    ocp4-pci-dss-secrets-consider-external-storage                        MANUAL   medium
    ocp4-pci-dss-secrets-no-environment-variables                         MANUAL   medium
    ocp4-pci-dss-storageclass-encryption-enabled                          PASS     high
    ocp4-pci-dss-tls-version-check-apiserver                              PASS     medium
    ocp4-pci-dss-tls-version-check-router                                 PASS     medium
  5. Create another ssb with profile/ocp4-cis
    $ oc compliance bind -N test1 -S default-auto-apply profile/ocp4-cis 
    Creating ScanSettingBinding test1
    $ oc get ssb
    NAME    STATUS
    test    READY
    test1   READY
    $ oc get suite
    NAME    PHASE     RESULT
    test    DONE      NON-COMPLIANT
    test1   RUNNING   NOT-AVAILABLE
    $ oc get scan
    NAME           PHASE     RESULT
    ocp4-cis       RUNNING   NOT-AVAILABLE
    ocp4-pci-dss   DONE      NON-COMPLIANT
    $ oc get suite -w
    NAME    PHASE     RESULT
    test    DONE      NON-COMPLIANT
    test1   RUNNING   NOT-AVAILABLE
    test1   AGGREGATING   NOT-AVAILABLE
    test1   DONE          NON-COMPLIANT
    test1   DONE          NON-COMPLIANT
    $ oc get ssb
    NAME    STATUS
    test    READY
    test1   READY
    $ oc get suite
    NAME    PHASE   RESULT
    test    DONE    NON-COMPLIANT
    test1   DONE    NON-COMPLIANT
    $ oc get scan
    NAME           PHASE   RESULT
    ocp4-cis       DONE    NON-COMPLIANT
    ocp4-pci-dss   DONE    NON-COMPLIANT
    $ oc get ccr
    NAME                                                                  STATUS   SEVERITY
    ocp4-cis-accounts-restrict-service-account-tokens                     MANUAL   medium
    ocp4-cis-accounts-unique-service-account                              MANUAL   medium
    ocp4-cis-api-server-admission-control-plugin-alwaysadmit              PASS     medium
    ocp4-cis-api-server-admission-control-plugin-alwayspullimages         PASS     high
    ocp4-cis-api-server-admission-control-plugin-namespacelifecycle       PASS     medium
    ocp4-cis-api-server-admission-control-plugin-noderestriction          PASS     medium
    ocp4-cis-api-server-admission-control-plugin-scc                      PASS     medium
    ocp4-cis-api-server-admission-control-plugin-service-account          PASS     medium
    ocp4-cis-api-server-anonymous-auth                                    PASS     medium
    ocp4-cis-api-server-api-priority-gate-enabled                         FAIL     medium
    ocp4-cis-api-server-audit-log-maxbackup                               PASS     low
    ocp4-cis-api-server-audit-log-maxsize                                 PASS     medium
    ocp4-cis-api-server-audit-log-path                                    PASS     high
    ocp4-cis-api-server-auth-mode-no-aa                                   PASS     medium
    ocp4-cis-api-server-auth-mode-rbac                                    PASS     medium
    ocp4-cis-api-server-basic-auth                                        PASS     medium
    ocp4-cis-api-server-bind-address                                      PASS     low
    ocp4-cis-api-server-client-ca                                         PASS     medium
    ocp4-cis-api-server-encryption-provider-cipher                        PASS     medium
    ocp4-cis-api-server-etcd-ca                                           PASS     medium
    ocp4-cis-api-server-etcd-cert                                         PASS     medium
    ocp4-cis-api-server-etcd-key                                          PASS     medium
    ocp4-cis-api-server-https-for-kubelet-conn                            PASS     medium
    ocp4-cis-api-server-insecure-bind-address                             PASS     medium
    ocp4-cis-api-server-kubelet-certificate-authority                     PASS     high
    ocp4-cis-api-server-oauth-https-serving-cert                          PASS     medium
    ocp4-cis-api-server-openshift-https-serving-cert                      PASS     medium
    ocp4-cis-api-server-profiling-protected-by-rbac                       PASS     medium
    ocp4-cis-api-server-request-timeout                                   PASS     medium
    ocp4-cis-api-server-service-account-lookup                            PASS     medium
    ocp4-cis-api-server-service-account-public-key                        PASS     medium
    ocp4-cis-api-server-tls-cert                                          PASS     medium
    ocp4-cis-api-server-tls-cipher-suites                                 PASS     medium
    ocp4-cis-api-server-tls-private-key                                   PASS     medium
    ocp4-cis-api-server-token-auth                                        PASS     high
    ocp4-cis-audit-log-forwarding-enabled                                 FAIL     medium
    ocp4-cis-audit-profile-set                                            PASS     medium
    ocp4-cis-configure-network-policies                                   PASS     high
    ocp4-cis-configure-network-policies-namespaces                        FAIL     high
    ocp4-cis-controller-insecure-port-disabled                            PASS     low
    ocp4-cis-controller-secure-port                                       PASS     low
    ocp4-cis-controller-service-account-ca                                PASS     medium
    ocp4-cis-controller-service-account-private-key                       PASS     medium
    ocp4-cis-controller-use-service-account                               PASS     medium
    ocp4-cis-etcd-auto-tls                                                PASS     medium
    ocp4-cis-etcd-cert-file                                               PASS     medium
    ocp4-cis-etcd-client-cert-auth                                        PASS     medium
    ocp4-cis-etcd-key-file                                                PASS     medium
    ocp4-cis-etcd-peer-auto-tls                                           PASS     medium
    ocp4-cis-etcd-peer-cert-file                                          PASS     medium
    ocp4-cis-etcd-peer-client-cert-auth                                   PASS     medium
    ocp4-cis-etcd-peer-key-file                                           PASS     medium
    ocp4-cis-general-apply-scc                                            MANUAL   medium
    ocp4-cis-general-default-namespace-use                                MANUAL   medium
    ocp4-cis-general-default-seccomp-profile                              MANUAL   medium
    ocp4-cis-general-namespaces-in-use                                    MANUAL   medium
    ocp4-cis-idp-is-configured                                            PASS     medium
    ocp4-cis-kubeadmin-removed                                            FAIL     medium
    ocp4-cis-kubelet-disable-readonly-port                                PASS     medium
    ocp4-cis-ocp-allowed-registries                                       FAIL     medium
    ocp4-cis-ocp-allowed-registries-for-import                            FAIL     medium
    ocp4-cis-ocp-api-server-audit-log-maxbackup                           PASS     low
    ocp4-cis-ocp-api-server-audit-log-maxsize                             PASS     medium
    ocp4-cis-ocp-insecure-allowed-registries-for-import                   PASS     medium
    ocp4-cis-ocp-insecure-registries                                      PASS     medium
    ocp4-cis-openshift-api-server-audit-log-path                          PASS     high
    ocp4-cis-rbac-debug-role-protects-pprof                               PASS     medium
    ocp4-cis-rbac-least-privilege                                         MANUAL   high
    ocp4-cis-rbac-limit-cluster-admin                                     MANUAL   medium
    ocp4-cis-rbac-limit-secrets-access                                    MANUAL   medium
    ocp4-cis-rbac-pod-creation-access                                     MANUAL   medium
    ocp4-cis-rbac-wildcard-use                                            MANUAL   medium
    ocp4-cis-scc-drop-container-capabilities                              MANUAL   medium
    ocp4-cis-scc-limit-container-allowed-capabilities                     PASS     medium
    ocp4-cis-scc-limit-ipc-namespace                                      MANUAL   medium
    ocp4-cis-scc-limit-net-raw-capability                                 MANUAL   medium
    ocp4-cis-scc-limit-network-namespace                                  MANUAL   medium
    ocp4-cis-scc-limit-privilege-escalation                               MANUAL   medium
    ocp4-cis-scc-limit-privileged-containers                              MANUAL   medium
    ocp4-cis-scc-limit-process-id-namespace                               MANUAL   medium
    ocp4-cis-scc-limit-root-containers                                    MANUAL   medium
    ocp4-cis-scheduler-profiling-protected-by-rbac                        PASS     medium
    ocp4-cis-scheduler-service-protected-by-rbac                          PASS     medium
    ocp4-cis-secrets-consider-external-storage                            MANUAL   medium
    ocp4-cis-secrets-no-environment-variables                             MANUAL   medium
    ocp4-pci-dss-accounts-restrict-service-account-tokens                 MANUAL   medium
    ocp4-pci-dss-accounts-unique-service-account                          MANUAL   medium
    ocp4-pci-dss-api-server-admission-control-plugin-alwaysadmit          PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-alwayspullimages     PASS     high
    ocp4-pci-dss-api-server-admission-control-plugin-namespacelifecycle   PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-noderestriction      PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-scc                  PASS     medium
    ocp4-pci-dss-api-server-admission-control-plugin-service-account      PASS     medium
    ocp4-pci-dss-api-server-anonymous-auth                                PASS     medium
    ocp4-pci-dss-api-server-api-priority-gate-enabled                     FAIL     medium
    ocp4-pci-dss-api-server-audit-log-maxbackup                           PASS     low
    ocp4-pci-dss-api-server-audit-log-maxsize                             PASS     medium
    ocp4-pci-dss-api-server-audit-log-path                                PASS     high
    ocp4-pci-dss-api-server-auth-mode-no-aa                               PASS     medium
    ocp4-pci-dss-api-server-auth-mode-rbac                                PASS     medium
    ocp4-pci-dss-api-server-basic-auth                                    PASS     medium
    ocp4-pci-dss-api-server-bind-address                                  PASS     low
    ocp4-pci-dss-api-server-client-ca                                     PASS     medium
    ocp4-pci-dss-api-server-encryption-provider-cipher                    PASS     medium
    ocp4-pci-dss-api-server-etcd-ca                                       PASS     medium
    ocp4-pci-dss-api-server-etcd-cert                                     PASS     medium
    ocp4-pci-dss-api-server-etcd-key                                      PASS     medium
    ocp4-pci-dss-api-server-https-for-kubelet-conn                        PASS     medium
    ocp4-pci-dss-api-server-insecure-bind-address                         PASS     medium
    ocp4-pci-dss-api-server-kubelet-certificate-authority                 PASS     high
    ocp4-pci-dss-api-server-oauth-https-serving-cert                      PASS     medium
    ocp4-pci-dss-api-server-openshift-https-serving-cert                  PASS     medium
    ocp4-pci-dss-api-server-profiling-protected-by-rbac                   PASS     medium
    ocp4-pci-dss-api-server-request-timeout                               PASS     medium
    ocp4-pci-dss-api-server-service-account-lookup                        PASS     medium
    ocp4-pci-dss-api-server-service-account-public-key                    PASS     medium
    ocp4-pci-dss-api-server-tls-cert                                      PASS     medium
    ocp4-pci-dss-api-server-tls-cipher-suites                             PASS     medium
    ocp4-pci-dss-api-server-tls-private-key                               PASS     medium
    ocp4-pci-dss-api-server-token-auth                                    PASS     high
    ocp4-pci-dss-audit-log-forwarding-enabled                             FAIL     medium
    ocp4-pci-dss-audit-profile-set                                        PASS     medium
    ocp4-pci-dss-configure-network-policies                               PASS     high
    ocp4-pci-dss-configure-network-policies-namespaces                    FAIL     high
    ocp4-pci-dss-controller-insecure-port-disabled                        PASS     low
    ocp4-pci-dss-controller-secure-port                                   PASS     low
    ocp4-pci-dss-controller-service-account-ca                            PASS     medium
    ocp4-pci-dss-controller-service-account-private-key                   PASS     medium
    ocp4-pci-dss-controller-use-service-account                           PASS     medium
    ocp4-pci-dss-etcd-auto-tls                                            PASS     medium
    ocp4-pci-dss-etcd-cert-file                                           PASS     medium
    ocp4-pci-dss-etcd-check-cipher-suite                                  PASS     medium
    ocp4-pci-dss-etcd-client-cert-auth                                    PASS     medium
    ocp4-pci-dss-etcd-key-file                                            PASS     medium
    ocp4-pci-dss-etcd-peer-auto-tls                                       PASS     medium
    ocp4-pci-dss-etcd-peer-cert-file                                      PASS     medium
    ocp4-pci-dss-etcd-peer-client-cert-auth                               PASS     medium
    ocp4-pci-dss-etcd-peer-key-file                                       PASS     medium
    ocp4-pci-dss-file-integrity-exists                                    FAIL     medium
    ocp4-pci-dss-file-integrity-notification-enabled                      FAIL     medium
    ocp4-pci-dss-general-apply-scc                                        MANUAL   medium
    ocp4-pci-dss-general-default-namespace-use                            MANUAL   medium
    ocp4-pci-dss-general-default-seccomp-profile                          MANUAL   medium
    ocp4-pci-dss-general-namespaces-in-use                                MANUAL   medium
    ocp4-pci-dss-idp-is-configured                                        PASS     medium
    ocp4-pci-dss-kubeadmin-removed                                        FAIL     medium
    ocp4-pci-dss-kubelet-disable-readonly-port                            PASS     medium
    ocp4-pci-dss-machine-volume-encrypted                                 PASS     high
    ocp4-pci-dss-ocp-allowed-registries                                   FAIL     medium
    ocp4-pci-dss-ocp-allowed-registries-for-import                        FAIL     medium
    ocp4-pci-dss-ocp-api-server-audit-log-maxbackup                       PASS     low
    ocp4-pci-dss-ocp-api-server-audit-log-maxsize                         PASS     medium
    ocp4-pci-dss-ocp-insecure-allowed-registries-for-import               PASS     medium
    ocp4-pci-dss-ocp-insecure-registries                                  PASS     medium
    ocp4-pci-dss-ocp-no-ldap-insecure                                     PASS     high
    ocp4-pci-dss-openshift-api-server-audit-log-path                      PASS     high
    ocp4-pci-dss-rbac-cluster-roles-defined                               PASS     medium
    ocp4-pci-dss-rbac-debug-role-protects-pprof                           PASS     medium
    ocp4-pci-dss-rbac-least-privilege                                     MANUAL   high
    ocp4-pci-dss-rbac-limit-cluster-admin                                 MANUAL   medium
    ocp4-pci-dss-rbac-limit-secrets-access                                MANUAL   medium
    ocp4-pci-dss-rbac-pod-creation-access                                 MANUAL   medium
    ocp4-pci-dss-rbac-roles-defined                                       PASS     medium
    ocp4-pci-dss-rbac-wildcard-use                                        MANUAL   medium
    ocp4-pci-dss-routes-protected-by-tls                                  PASS     medium
    ocp4-pci-dss-scansettingbinding-exists                                PASS     medium
    ocp4-pci-dss-scc-drop-container-capabilities                          MANUAL   medium
    ocp4-pci-dss-scc-limit-container-allowed-capabilities                 PASS     medium
    ocp4-pci-dss-scc-limit-ipc-namespace                                  MANUAL   medium
    ocp4-pci-dss-scc-limit-net-raw-capability                             MANUAL   medium
    ocp4-pci-dss-scc-limit-network-namespace                              MANUAL   medium
    ocp4-pci-dss-scc-limit-privilege-escalation                           MANUAL   medium
    ocp4-pci-dss-scc-limit-privileged-containers                          MANUAL   medium
    ocp4-pci-dss-scc-limit-process-id-namespace                           MANUAL   medium
    ocp4-pci-dss-scc-limit-root-containers                                MANUAL   medium
    ocp4-pci-dss-scheduler-profiling-protected-by-rbac                    PASS     medium
    ocp4-pci-dss-scheduler-service-protected-by-rbac                      PASS     medium
    ocp4-pci-dss-secrets-consider-external-storage                        MANUAL   medium
    ocp4-pci-dss-secrets-no-environment-variables                         MANUAL   medium
    ocp4-pci-dss-storageclass-encryption-enabled                          PASS     high
    ocp4-pci-dss-tls-version-check-apiserver                              PASS     medium
    ocp4-pci-dss-tls-version-check-router                                 PASS     medium
  6. Verified scan has expected ComplianceSuite
    $ oc get scan ocp4-cis -oyaml  | grep -A 2 ComplianceSuite
    kind: ComplianceSuite
    name: test1
    uid: 0eccc05f-360d-4dbb-9b3c-647b781cca27
    $ oc get scan ocp4-pci-dss -oyaml  | grep -A 2 ComplianceSuite
    kind: ComplianceSuite
    name: test
    uid: 587ec865-14d4-4300-87bc-78e0fc94838d
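The verification in steps 5 and 6 above confirms ownership by grepping the scan YAML. The Python below is an added example, not code from this PR or from the operator, that performs the same check over the JSON `oc get ssb -o json` and `oc get scan -o json` return (the `.items` arrays) and flags the stale scans OCPBUGS-29272 is about: scans still owned by a ComplianceSuite whose ScanSettingBinding no longer lists the matching profile, or whose suite has no binding at all. It assumes, as the output above shows (suite `test1` for ssb `test1`), that the suite is named after its ScanSettingBinding; it further assumes platform scans are named after the profile and node scans carry a `-master`/`-worker` pool suffix. `SAMPLE_SSBS` and `SAMPLE_SCANS` are constructed data, not taken from a real cluster.

```python
"""Added example: flag ComplianceScans whose owning ComplianceSuite no
longer binds a matching profile (the stale-scan condition in OCPBUGS-29272).

Input shape is the .items array of `oc get ssb -o json` / `oc get scan -o json`.
The sample data below is constructed for the example.
"""
import json
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumption: default MachineConfigPool names used as node-scan suffixes.
NODE_POOL_SUFFIXES = ("-master", "-worker")

# Constructed: ssb "test" once bound ocp4-cis too; that profile was removed.
SAMPLE_SSBS = json.loads("""[
  {"metadata": {"name": "test"},
   "profiles": [{"kind": "Profile", "name": "ocp4-pci-dss"}]},
  {"metadata": {"name": "test1"},
   "profiles": [{"kind": "Profile", "name": "ocp4-cis"}]}
]""")

# Constructed: two healthy scans, one left over from the removed profile,
# and one orphan whose suite has no ScanSettingBinding at all.
SAMPLE_SCANS = json.loads("""[
  {"metadata": {"name": "ocp4-cis",
   "ownerReferences": [{"kind": "ComplianceSuite", "name": "test1", "uid": "u1"}]}},
  {"metadata": {"name": "ocp4-pci-dss",
   "ownerReferences": [{"kind": "ComplianceSuite", "name": "test", "uid": "u2"}]}},
  {"metadata": {"name": "ocp4-cis-node-master",
   "ownerReferences": [{"kind": "ComplianceSuite", "name": "test", "uid": "u2"}]}},
  {"metadata": {"name": "ocp4-moderate",
   "ownerReferences": [{"kind": "ComplianceSuite", "name": "gone", "uid": "u3"}]}}
]""")


def bound_profiles(ssbs: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each ScanSettingBinding name to the profile names it binds.
    The suite is named after the binding, so the key is also the
    expected owner-suite name of every scan the binding produced."""
    return {s["metadata"]["name"]: {p["name"] for p in s.get("profiles", [])}
            for s in ssbs}


def owner_suite(scan: dict) -> Optional[str]:
    """Return the ComplianceSuite named in metadata.ownerReferences, if any."""
    for ref in scan["metadata"].get("ownerReferences", []):
        if ref.get("kind") == "ComplianceSuite":
            return ref.get("name")
    return None


def profile_for_scan(scan_name: str) -> str:
    """Recover the profile name from a scan name by stripping a node-pool
    suffix (ocp4-cis-node-master -> ocp4-cis-node); platform scans are
    named after the profile directly."""
    for suffix in NODE_POOL_SUFFIXES:
        if scan_name.endswith(suffix):
            return scan_name[: -len(suffix)]
    return scan_name


def find_stale_scans(ssbs: Iterable[dict], scans: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (scan name, reason) for every scan that should not exist
    given the current bindings."""
    bindings = bound_profiles(ssbs)
    stale: List[Tuple[str, str]] = []
    for scan in scans:
        name = scan["metadata"]["name"]
        suite = owner_suite(scan)
        if suite is None:
            stale.append((name, "no ComplianceSuite owner"))
        elif suite not in bindings:
            stale.append((name, f"owner suite {suite} has no ScanSettingBinding"))
        elif profile_for_scan(name) not in bindings[suite]:
            stale.append((name, f"suite {suite} no longer binds a matching profile"))
    return stale


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; with a cluster, replace
    # the samples with json.load() of the two `oc get ... -o json` outputs.
    for scan_name, reason in find_stale_scans(SAMPLE_SSBS, SAMPLE_SCANS):
        print(f"STALE {scan_name}: {reason}")
```

On a fixed operator the list should come back empty after the suite reaches DONE; a non-empty list on a current build is worth a bug report, since a stale scan blocks a new binding from launching a scan under the same name.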
BhargaviGudi commented 8 months ago

/unhold
/label qe-approved

Vincent056 commented 7 months ago

/retest

openshift-ci[bot] commented 7 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd, Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/ComplianceAsCode/compliance-operator/blob/master/OWNERS)~~ [Vincent056,rhmdnd]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment
openshift-ci-robot commented 7 months ago

@Vincent056: Jira Issue OCPBUGS-29272: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-29272 has been moved to the MODIFIED state.

In response to [this](https://github.com/ComplianceAsCode/compliance-operator/pull/492):

> This pr fixes a issue when a profile gets removed from scansettingbinding, the old scan was not deleted when a profile is removed from the existing scansettingbinding, this pr checks that and does the removal so that new scan using that profile can be launch correctly. check OCPBUGS-29272: https://issues.redhat.com/browse/OCPBUGS-29272

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=ComplianceAsCode%2Fcompliance-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.