ComplianceAsCode / compliance-operator

Operator providing Kubernetes cluster compliance checks
Apache License 2.0

Add unique profile ID #502

Closed Vincent056 closed 3 months ago

Vincent056 commented 4 months ago

This commit implements the unique profile ID feature: we are adding a unique profile ID to the Profile, ComplianceScan, and ComplianceCheckResult CRDs. The profile UUID is generated from the SHA-1 of `<product-id>-<existing-xccdf-profile-id>`.

e.g. the ocp4-moderate profile has the product id redhat_openshift_container_platform_4.1 and the profile id xccdf_org.ssgproject.content_profile_moderate.

QA: What is the reason for this commit?

Provides a unique GUID for each profile across all profile bundles/datastreams,
so ACS can consume it to filter rules/ComplianceCheckResults by profile ID.

What is the business value?

Supporting integration with ACS

What would be the impact on the user once this goes live?

No impact should be expected with this PR; users will see additional annotations/labels on Profile, ComplianceScan, and TailoredProfile CRs.
Added annotations/labels:
"compliance.openshift.io/guid"
"compliance.openshift.io/extended-profile-guid"
These will be for internal use by ACS.

Would this apply to only new deployments or all the deployments once upgraded?

No impact

Would each user have different profile ID? Why is it good/necessary?

No, they will have the same Profile ID

https://issues.redhat.com/browse/CMP-2452

xiaojiey commented 4 months ago

/hold for test

xiaojiey commented 4 months ago

/retest-required

xiaojiey commented 4 months ago

Verification pass for 4.16.0-0.nightly-2024-04-15-184947 + code in https://github.com/ComplianceAsCode/compliance-operator/pull/502:

```
$ oc get profile ocp4-moderate -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp4b9qj8",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform",
  "compliance.openshift.io/unique-id": "85b76bd6-d2c6-5c4e-9766-b4997d8ac7c4"
}
$ oc get profile ocp4-moderate-node -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp4b9qj8",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_node_4",
  "compliance.openshift.io/product-type": "Node",
  "compliance.openshift.io/unique-id": "56d6d196-76b4-5ed5-b721-55cb635cc9f6"
}
$ oc get profile rhcos4-moderate -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-rhcos4kr8b2",
  "compliance.openshift.io/product": "redhat_enterprise_linux_coreos_4",
  "compliance.openshift.io/product-type": "Node",
  "compliance.openshift.io/unique-id": "54d8e347-d602-5d29-992a-43d65a2b9ee6"
}
$ oc get profile rhcos4-cis -o=jsonpath={.metadata.annotations} | jq -r
Error from server (NotFound): profiles.compliance.openshift.io "rhcos4-cis" not found
$ oc get profile ocp4-cis -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp4b9qj8",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform",
  "compliance.openshift.io/unique-id": "a65a90a9-9a32-5c81-8ea9-a6eb0eb43a7a"
}
$ oc get profile ocp4-cis-1-4 -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp4b9qj8",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform",
  "compliance.openshift.io/unique-id": "dcacd354-fecf-5bca-8853-b610e42f389c"
}
$ oc get profile ocp4-cis-1-5 -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp4b9qj8",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform",
  "compliance.openshift.io/unique-id": "255b2bee-92b4-5ce3-9b55-e8185c52b30b"
}
```

Trigger an ssb with ocp4-moderate and ocp4-moderate-node and check the labels for the scans:

```
$ oc get scan --show-labels
NAME                        PHASE   RESULT          LABELS
ocp4-moderate               DONE    NON-COMPLIANT   compliance.openshift.io/suite=test,compliance.openshift.io/unique-id=85b76bd6-d2c6-5c4e-9766-b4997d8ac7c4
ocp4-moderate-node-master   DONE    NON-COMPLIANT   compliance.openshift.io/suite=test,compliance.openshift.io/unique-id=56d6d196-76b4-5ed5-b721-55cb635cc9f6
ocp4-moderate-node-worker   DONE    NON-COMPLIANT   compliance.openshift.io/suite=test,compliance.openshift.io/unique-id=56d6d196-76b4-5ed5-b721-55cb635cc9f6
```

xiaojiey commented 4 months ago

/unhold

xiaojiey commented 4 months ago

/label qe-approved

Vincent056 commented 4 months ago

/retest

Vincent056 commented 4 months ago

/retest

Vincent056 commented 4 months ago

/retest

xiaojiey commented 4 months ago

/hold for test

openshift-ci[bot] commented 3 months ago

@GroceryBoyJr: changing LGTM is restricted to collaborators

In response to [this](https://github.com/ComplianceAsCode/compliance-operator/pull/502#issuecomment-2079823326):

> /lgtm

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

GroceryBoyJr commented 3 months ago

/assign @GroceryBoyJr

openshift-ci[bot] commented 3 months ago

@GroceryBoyJr: changing LGTM is restricted to collaborators

In response to [this](https://github.com/ComplianceAsCode/compliance-operator/pull/502#issuecomment-2079824365):

> /lgtm

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

GroceryBoyJr commented 3 months ago

/label docs-approved

mkumku commented 3 months ago

Hi guys, I have some questions please:

  1. What is the reason for this commit?
  2. What is the business value?
  3. What would be the impact on the user once this goes live?
  4. Would this apply to only new deployments or all the deployments once upgraded?
  5. Would each user have different profile ID? Why is it good/necessary?
  6. Is there a Jira issue or customer complaint associated with the request that I can take a look at?

Vincent056 commented 3 months ago

> Hi guys, I have some questions please:
>
>   1. What is the reason for this commit?
>   2. What is the business value?
>   3. What would be the impact on the user once this goes live?
>   4. Would this apply to only new deployments or all the deployments once upgraded?
>   5. Would each user have different profile ID? Why is it good/necessary?
>   6. Is there a Jira issue or customer complaint associated with the request that I can take a look at?

Updated the description here: https://github.com/ComplianceAsCode/compliance-operator/pull/502#issue-2239382585

xiaojiey commented 3 months ago

/hold for test

xiaojiey commented 3 months ago

@Vincent056 It seems the profile guid from the scan labels is not the same as the guid from the profile itself. Per my understanding, the label for the ocp4-moderate scan should be "compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c", instead of "compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1". Could you please help to check? Thanks.

Verified with 4.16.0-0.nightly-2024-04-26-145258 + CO operator built from https://github.com/ComplianceAsCode/compliance-operator/pull/502:

```
$ oc get profile ocp4-moderate -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/guid": "d625badc-92a1-5438-afd7-19526c26b03c",
  "compliance.openshift.io/image-digest": "pb-ocp47x79w",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform"
}
$ oc get profile ocp4-moderate-node -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/guid": "ef297cbd-f5a0-5c0c-baab-edeebb761e27",
  "compliance.openshift.io/image-digest": "pb-ocp47x79w",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_node_4",
  "compliance.openshift.io/product-type": "Node"
}
$ oc get profile rhcos4-moderate -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/guid": "eceb9af0-17d4-5c59-9b17-07cfd22a3ba1",
  "compliance.openshift.io/image-digest": "pb-rhcos49czdp",
  "compliance.openshift.io/product": "redhat_enterprise_linux_coreos_4",
  "compliance.openshift.io/product-type": "Node"
}
$ oc get profile ocp4-cis -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/guid": "a230315d-3e4a-5b58-b00f-f96f1553e036",
  "compliance.openshift.io/image-digest": "pb-ocp47x79w",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform"
}
$ oc get profile ocp4-cis-1-5 -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/guid": "9a9d06fb-96d6-5b64-ab3a-461fed654d91",
  "compliance.openshift.io/image-digest": "pb-ocp47x79w",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform"
}
$ oc get profile ocp4-cis-1-4 -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/guid": "f3c248d7-c4f7-5e82-96f4-780483c36a87",
  "compliance.openshift.io/image-digest": "pb-ocp47x79w",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform"
}
$ oc compliance bind -N test profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
Creating ScanSettingBinding test
$ oc get suite -w
NAME   PHASE   RESULT
test   PENDING   NOT-AVAILABLE
...
test   RUNNING     NOT-AVAILABLE
...
$ oc get scan --show-labels
NAME                        PHASE     RESULT          LABELS
ocp4-moderate               RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
ocp4-moderate-node-master   DONE      NON-COMPLIANT   compliance.openshift.io/guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
ocp4-moderate-node-worker   DONE      NON-COMPLIANT   compliance.openshift.io/guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
rhcos4-moderate-master      DONE      NON-COMPLIANT   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
rhcos4-moderate-worker      DONE      NON-COMPLIANT   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
```

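The GUID derivation from the PR description (SHA-1 of `<product-id>-<existing-xccdf-profile-id>`, rendered as a UUID) together with the profile-versus-scan label comparison that the verification above does by eye, as an added Go example that is not the operator's own code. The namespace UUID and the direct scan-to-profile mapping are assumptions, so the GUIDs it prints will not equal the values in the output above.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"sort"
)

// Namespace for the name-based (version 5) UUID. ASSUMPTION: the PR does not
// state which namespace the operator hashes with, so the RFC 4122 URL namespace
// is used here only to make the example deterministic.
var namespaceUUID = [16]byte{
	0x6b, 0xa7, 0xb8, 0x11, 0x9d, 0xad, 0x11, 0xd1,
	0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8,
}

// ProfileGUID derives a stable ID from "<product-id>-<xccdf-profile-id>":
// SHA-1 over namespace || name, truncated to 128 bits, version nibble set to 5
// and variant bits set to RFC 4122. Same inputs give the same GUID on every
// cluster, which is the property the PR description relies on for ACS.
func ProfileGUID(productID, xccdfProfileID string) string {
	name := productID + "-" + xccdfProfileID
	h := sha1.New()
	h.Write(namespaceUUID[:])
	h.Write([]byte(name))
	sum := h.Sum(nil)

	var u [16]byte
	copy(u[:], sum[:16])
	u[6] = (u[6] & 0x0f) | 0x50 // version 5 (name-based, SHA-1)
	u[8] = (u[8] & 0x3f) | 0x80 // variant 10xx (RFC 4122)

	s := hex.EncodeToString(u[:])
	return s[0:8] + "-" + s[8:12] + "-" + s[12:16] + "-" + s[16:20] + "-" + s[20:]
}

// Profile carries the Profile CR fields the GUID is built from.
type Profile struct {
	Name    string // CR name, e.g. ocp4-moderate
	Product string // compliance.openshift.io/product annotation
	XCCDFID string // XCCDF profile id inside the datastream
}

// Scan carries a ComplianceScan's GUID label and its originating profile.
// ASSUMPTION: the scan-to-profile link is modelled directly here; in the
// operator it is established through the ScanSettingBinding.
type Scan struct {
	Name      string
	Profile   string // name of the originating Profile CR
	GUIDLabel string // compliance.openshift.io/guid label value
}

// Mismatches returns, sorted, the scans whose GUID label differs from the GUID
// computed for their originating profile, i.e. the discrepancy QA reported when
// the ocp4-moderate scan carried the rhcos4-moderate GUID.
func Mismatches(profiles []Profile, scans []Scan) []string {
	expected := make(map[string]string, len(profiles))
	for _, p := range profiles {
		expected[p.Name] = ProfileGUID(p.Product, p.XCCDFID)
	}
	var bad []string
	for _, s := range scans {
		if want, ok := expected[s.Profile]; !ok || want != s.GUIDLabel {
			bad = append(bad, s.Name)
		}
	}
	sort.Strings(bad)
	return bad
}

// Constructed sample data: both "moderate" profiles share one XCCDF profile id
// and differ only in product id, which is why the product id is part of the
// hashed name.
var sampleProfiles = []Profile{
	{"ocp4-moderate", "redhat_openshift_container_platform_4.1", "xccdf_org.ssgproject.content_profile_moderate"},
	{"rhcos4-moderate", "redhat_enterprise_linux_coreos_4", "xccdf_org.ssgproject.content_profile_moderate"},
}

func main() {
	for _, p := range sampleProfiles {
		fmt.Printf("%-16s %s\n", p.Name, ProfileGUID(p.Product, p.XCCDFID))
	}
	ocp := ProfileGUID(sampleProfiles[0].Product, sampleProfiles[0].XCCDFID)
	rhcos := ProfileGUID(sampleProfiles[1].Product, sampleProfiles[1].XCCDFID)
	// Reproduce the swapped labels QA reported and show the check flags them.
	swapped := []Scan{
		{"ocp4-moderate", "ocp4-moderate", rhcos},
		{"rhcos4-moderate-master", "rhcos4-moderate", ocp},
		{"rhcos4-moderate-worker", "rhcos4-moderate", ocp},
	}
	fmt.Println("mismatched scans:", Mismatches(sampleProfiles, swapped))
}
```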
xiaojiey commented 3 months ago

/remove-label qe-approved

Vincent056 commented 3 months ago

> @Vincent056 It seems the profile guid from the scan labels is not the same as the guid from the profile itself. Per my understanding, the label for the ocp4-moderate scan should be "compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c", instead of "compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1". Could you please help to check? Thanks.

```
[vincent@node cac-content-fork]$ oc get scan --show-labels
NAME                     PHASE     RESULT           LABELS
ocp4-cis                 RUNNING   NOT-AVAILABLE    compliance.openshift.io/guid=a230315d-3e4a-5b58-b00f-f96f1553e036,compliance.openshift.io/suite=ocp4-moderate-ssb
ocp4-moderate            RUNNING   NOT-AVAILABLE    compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c,compliance.openshift.io/suite=ocp4-moderate-ssb
rhcos4-moderate-master   DONE      NOT-APPLICABLE   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=ocp4-moderate-ssb
rhcos4-moderate-worker   DONE      NOT-APPLICABLE   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=ocp4-moderate-ssb
```

Could you help to check again? It looks like I am getting the correct result here.

BhargaviGudi commented 3 months ago

> @Vincent056 It seems the profile guid from the scan labels is not the same as the guid from the profile itself. Per my understanding, the label for the ocp4-moderate scan should be "compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c", instead of "compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1". Could you please help to check? Thanks.

> Could you help to check again? It looks like I am getting the correct result here.

@Vincent056 I have also observed that the profile guid from the scan labels is not the same as the guid of the profile. With the moderate profiles, the label for the ocp4-moderate scan should be "compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c", instead of "compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1", and the label for the rhcos4-moderate scan should be "compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1", instead of "compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c".

```
$ oc compliance bind -N test profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
Creating ScanSettingBinding test
$ oc get scan --show-labels
NAME                        PHASE     RESULT          LABELS
ocp4-moderate               RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
ocp4-moderate-node-master   RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
ocp4-moderate-node-worker   RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
rhcos4-moderate-master      RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c,compliance.openshift.io/suite=test
rhcos4-moderate-worker      RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c,compliance.openshift.io/suite=test
```

With the ssb below, the label for the ocp4-moderate scan should be "compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c", instead of "compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1".

```
$ oc compliance bind -N test profile/ocp4-cis profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
Creating ScanSettingBinding test
$ oc get scan --show-labels
NAME                        PHASE     RESULT          LABELS
ocp4-cis                    RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=a230315d-3e4a-5b58-b00f-f96f1553e036,compliance.openshift.io/suite=test
ocp4-moderate               RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
ocp4-moderate-node-master   RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
ocp4-moderate-node-worker   RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
rhcos4-moderate-master      RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
rhcos4-moderate-worker      RUNNING   NOT-AVAILABLE   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
```

Vincent056 commented 3 months ago

> oc get scan --show-labels

@BhargaviGudi thanks for the review; could you retest with the latest patch? Thanks:

```
[vincent@node compliance-operator]$ oc get scan --show-labels
NAME                        PHASE         RESULT          LABELS
ocp4-cis                    AGGREGATING   NOT-AVAILABLE   compliance.openshift.io/guid=a230315d-3e4a-5b58-b00f-f96f1553e036,compliance.openshift.io/suite=test
ocp4-moderate               AGGREGATING   NOT-AVAILABLE   compliance.openshift.io/guid=d625badc-92a1-5438-afd7-19526c26b03c,compliance.openshift.io/suite=test
ocp4-moderate-node-master   AGGREGATING   NOT-AVAILABLE   compliance.openshift.io/guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
ocp4-moderate-node-worker   RUNNING       NOT-AVAILABLE   compliance.openshift.io/guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
rhcos4-moderate-master      RUNNING       NOT-AVAILABLE   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
rhcos4-moderate-worker      RUNNING       NOT-AVAILABLE   compliance.openshift.io/guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
```

xiaojiey commented 3 months ago

Verification pass with 4.16.0-0.nightly-2024-05-07-025557 + operator built from https://github.com/ComplianceAsCode/compliance-operator/pull/502:

1. profile-guid for profiles:

```
% oc get profile ocp4-moderate -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp47zf9s",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform",
  "compliance.openshift.io/profile-guid": "d625badc-92a1-5438-afd7-19526c26b03c"
}
% oc get profile ocp4-moderate-node -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp47zf9s",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_node_4",
  "compliance.openshift.io/product-type": "Node",
  "compliance.openshift.io/profile-guid": "ef297cbd-f5a0-5c0c-baab-edeebb761e27"
}
% oc get profile rhcos4-moderate -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-rhcos4pmqbv",
  "compliance.openshift.io/product": "redhat_enterprise_linux_coreos_4",
  "compliance.openshift.io/product-type": "Node",
  "compliance.openshift.io/profile-guid": "eceb9af0-17d4-5c59-9b17-07cfd22a3ba1"
}
% oc get profile ocp4-cis -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp47zf9s",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_4.1",
  "compliance.openshift.io/product-type": "Platform",
  "compliance.openshift.io/profile-guid": "a230315d-3e4a-5b58-b00f-f96f1553e036"
}
% oc get profile ocp4-cis-node -o=jsonpath={.metadata.annotations} | jq -r
{
  "compliance.openshift.io/image-digest": "pb-ocp47zf9s",
  "compliance.openshift.io/product": "redhat_openshift_container_platform_node_4",
  "compliance.openshift.io/product-type": "Node",
  "compliance.openshift.io/profile-guid": "fea955f1-9f13-56fd-aacf-868b95b7283f"
}
```

2. Create an ssb and check the labels for the scans and ccrs:

```
$ oc compliance bind -N test profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
Creating ScanSettingBinding test
$ oc get scan --show-labels
NAME                        PHASE     RESULT          LABELS
ocp4-moderate               RUNNING   NOT-AVAILABLE   compliance.openshift.io/profile-guid=d625badc-92a1-5438-afd7-19526c26b03c,compliance.openshift.io/suite=test
ocp4-moderate-node-master   RUNNING   NOT-AVAILABLE   compliance.openshift.io/profile-guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
ocp4-moderate-node-worker   RUNNING   NOT-AVAILABLE   compliance.openshift.io/profile-guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/suite=test
rhcos4-moderate-master      RUNNING   NOT-AVAILABLE   compliance.openshift.io/profile-guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
rhcos4-moderate-worker      RUNNING   NOT-AVAILABLE   compliance.openshift.io/profile-guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/suite=test
$ oc get suite -w
NAME   PHASE     RESULT
test   DONE          NON-COMPLIANT
$ oc get ccr -l compliance.openshift.io/scan-name=ocp4-moderate --show-labels | head -n 3
NAME                                                                    STATUS   SEVERITY   LABELS
ocp4-moderate-accounts-restrict-service-account-tokens                  MANUAL   medium     compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=MANUAL,compliance.openshift.io/profile-guid=d625badc-92a1-5438-afd7-19526c26b03c,compliance.openshift.io/scan-name=ocp4-moderate,compliance.openshift.io/suite=test
ocp4-moderate-accounts-unique-service-account                           MANUAL   medium     compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=MANUAL,compliance.openshift.io/profile-guid=d625badc-92a1-5438-afd7-19526c26b03c,compliance.openshift.io/scan-name=ocp4-moderate,compliance.openshift.io/suite=test
$ oc get ccr -l compliance.openshift.io/scan-name=ocp4-moderate-node-master --show-labels | head -n 3
NAME                                                                               STATUS   SEVERITY   LABELS
ocp4-moderate-node-master-directory-access-var-log-kube-audit                      FAIL     medium     compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/profile-guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/scan-name=ocp4-moderate-node-master,compliance.openshift.io/suite=test
ocp4-moderate-node-master-directory-access-var-log-oauth-audit                     FAIL     medium     compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/profile-guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/scan-name=ocp4-moderate-node-master,compliance.openshift.io/suite=test
$ oc get ccr -l compliance.openshift.io/scan-name=ocp4-moderate-node-worker --show-labels | head -n 3
NAME                                                                               STATUS   SEVERITY   LABELS
ocp4-moderate-node-worker-file-groupowner-cni-conf                                 PASS     medium     compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=PASS,compliance.openshift.io/profile-guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/scan-name=ocp4-moderate-node-worker,compliance.openshift.io/suite=test
ocp4-moderate-node-worker-file-groupowner-kubelet-conf                             PASS     medium     compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=PASS,compliance.openshift.io/profile-guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/scan-name=ocp4-moderate-node-worker,compliance.openshift.io/suite=test
$ oc get ccr -l compliance.openshift.io/scan-name=rhcos4-moderate-master --show-labels | head -n 3
NAME                                                                                                STATUS   SEVERITY   LABELS
rhcos4-moderate-master-accounts-no-uid-except-zero                                                  PASS     high       compliance.openshift.io/check-severity=high,compliance.openshift.io/check-status=PASS,compliance.openshift.io/profile-guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=test
rhcos4-moderate-master-audit-rules-dac-modification-chmod                                           FAIL     medium     compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/profile-guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/scan-name=rhcos4-moderate-master,compliance.openshift.io/suite=test
```
$ oc get ccr -l compliance.openshift.io/scan-name=rhcos4-moderate-worker --show-labels | head -n 3
NAME                                                                                                STATUS   SEVERITY   LABELS
rhcos4-moderate-worker-accounts-no-uid-except-zero                                                  PASS     high       compliance.openshift.io/check-severity=high,compliance.openshift.io/check-status=PASS,compliance.openshift.io/profile-guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=test
rhcos4-moderate-worker-audit-rules-dac-modification-chmod                                           FAIL     medium     compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-severity=medium,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/profile-guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/scan-name=rhcos4-moderate-worker,compliance.openshift.io/suite=test
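As an added example (not code from this PR or from the operator), a small Go program that parses rows shaped like the `oc get ccr --show-labels` output above and groups ComplianceCheckResults by the new `compliance.openshift.io/profile-guid` label, the filter a consumer such as ACS is meant to apply; the table rows are constructed from the verification output, and results from different scans of one profile (node-master and node-worker) fold into a single GUID bucket.

```go
package main
import "strings"
// CheckResult is one row of `oc get ccr --show-labels` output.
type CheckResult struct {
	Name, Status, Severity string
	Labels                 map[string]string
}
// sampleCCRTable is constructed from rows of the verification output above (header plus four results); not live cluster output.
const sampleCCRTable = `NAME STATUS SEVERITY LABELS
ocp4-moderate-node-master-directory-access-var-log-kube-audit FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/profile-guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/scan-name=ocp4-moderate-node-master
ocp4-moderate-node-worker-file-groupowner-cni-conf PASS medium compliance.openshift.io/check-status=PASS,compliance.openshift.io/profile-guid=ef297cbd-f5a0-5c0c-baab-edeebb761e27,compliance.openshift.io/scan-name=ocp4-moderate-node-worker
rhcos4-moderate-master-accounts-no-uid-except-zero PASS high compliance.openshift.io/check-status=PASS,compliance.openshift.io/profile-guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/scan-name=rhcos4-moderate-master
rhcos4-moderate-worker-audit-rules-dac-modification-chmod FAIL medium compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL,compliance.openshift.io/profile-guid=eceb9af0-17d4-5c59-9b17-07cfd22a3ba1,compliance.openshift.io/scan-name=rhcos4-moderate-worker`

// parseLabels splits "k=v,k2=v2"; a valueless label such as automated-remediation= keeps an empty value.
func parseLabels(s string) map[string]string {
	labels := map[string]string{}
	for _, kv := range strings.Split(s, ",") {
		if k, v, ok := strings.Cut(kv, "="); ok && k != "" {
			labels[k] = v
		}
	}
	return labels
}

// parseCCRTable reads the whitespace-separated table, skipping the header row.
func parseCCRTable(table string) []CheckResult {
	var out []CheckResult
	for i, line := range strings.Split(strings.TrimSpace(table), "\n") {
		if f := strings.Fields(line); i > 0 && len(f) >= 4 {
			out = append(out, CheckResult{f[0], f[1], f[2], parseLabels(f[3])})
		}
	}
	return out
}

// statusByProfileGUID tallies check status per profile GUID, so results from
// different scans of one profile (node-master and node-worker) share a bucket.
func statusByProfileGUID(results []CheckResult) map[string]map[string]int {
	tally := map[string]map[string]int{}
	for _, r := range results {
		guid := r.Labels["compliance.openshift.io/profile-guid"] // "" if unlabelled
		if tally[guid] == nil {
			tally[guid] = map[string]int{}
		}
		tally[guid][r.Status]++
	}
	return tally
}
```

Objects created before the label existed land in the empty-string bucket, which is the case to watch for when filtering results on a freshly upgraded cluster.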
xiaojiey commented 3 months ago

/unhold

xiaojiey commented 3 months ago

/label qe-approved

openshift-ci[bot] commented 3 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd, Vincent056, yuumasato

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/ComplianceAsCode/compliance-operator/blob/master/OWNERS)~~ [Vincent056,rhmdnd]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment