ComplianceAsCode / compliance-operator

Operator providing Kubernetes cluster compliance checks
Apache License 2.0

CMP-2525: Implement dynamic scan settings for ROSA #511

Closed Vincent056 closed 3 months ago

Vincent056 commented 3 months ago

Made a change to be able to detect which managed cluster we are on using `ClusterClaim`, through `/apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io`

```
oc get clusterclaims product.open-cluster-management.io -v 7 -o json
I0501 09:56:39.390722   70110 loader.go:373] Config loaded from file:  /Users/vincent/.kube/config
I0501 09:56:39.397643   70110 round_trippers.go:463] GET https://api.thb83-r47s4-4hg.6hoh.p3.openshiftapps.com:443/apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io
I0501 09:56:39.397652   70110 round_trippers.go:469] Request Headers:
I0501 09:56:39.397657   70110 round_trippers.go:473]     User-Agent: oc/4.14.0 (darwin/arm64) kubernetes/0c63f9d
I0501 09:56:39.397661   70110 round_trippers.go:473]     Authorization: Bearer <masked>
I0501 09:56:39.397665   70110 round_trippers.go:473]     Accept: application/json
I0501 09:56:39.712622   70110 round_trippers.go:574] Response Status: 200 OK in 314 milliseconds
{
    "apiVersion": "cluster.open-cluster-management.io/v1alpha1",
    "kind": "ClusterClaim",
    "metadata": {
        "creationTimestamp": "2024-05-01T15:29:30Z",
        "generation": 1,
        "labels": {
            "open-cluster-management.io/hub-managed": "",
            "velero.io/exclude-from-backup": "true"
        },
        "name": "product.open-cluster-management.io",
        "resourceVersion": "7268",
        "uid": "6ad67a1c-ecf9-4d8e-87e0-68111bbaf97f"
    },
    "spec": {
        "value": "ROSA"
    }
}
```

Added ROSA platform type; disable master role if detected running on ROSA.
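How the detection described in this PR can be implemented, as an added example written for this page and not code from the PR or from the operator: a GET on the `product.open-cluster-management.io` ClusterClaim is decoded, `spec.value` is compared against `ROSA`, and the default ScanSetting roles are derived from the result. The sample JSON is a constructed copy of the response shown above; `productFromClaim`, `isROSA`, `defaultScanRoles` and the `found` flag (modelling a 404 or a cluster without the OCM CRD) are assumed names, not the operator's API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// API path used in the PR description: the ClusterClaim that carries the
// managed-cluster product name on clusters managed through OCM.
const productClaimPath = "/apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io"

// clusterClaim holds only the ClusterClaim fields this check needs;
// json.Unmarshal ignores the rest (labels, uid, resourceVersion, ...).
type clusterClaim struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		Value string `json:"value"`
	} `json:"spec"`
}

// sampleROSAClaim is a constructed copy of the response body shown in the PR
// description, embedded so the example runs offline.
const sampleROSAClaim = `{
    "apiVersion": "cluster.open-cluster-management.io/v1alpha1",
    "kind": "ClusterClaim",
    "metadata": {
        "name": "product.open-cluster-management.io",
        "resourceVersion": "7268"
    },
    "spec": {
        "value": "ROSA"
    }
}`

// productFromClaim parses a GET response for productClaimPath and returns
// spec.value. It rejects objects that are not the expected claim, so an
// unexpected response cannot be mistaken for a product name.
func productFromClaim(body []byte) (string, error) {
	var c clusterClaim
	if err := json.Unmarshal(body, &c); err != nil {
		return "", fmt.Errorf("decoding ClusterClaim: %w", err)
	}
	if c.Kind != "ClusterClaim" || c.Metadata.Name != "product.open-cluster-management.io" {
		return "", fmt.Errorf("unexpected object %q/%q", c.Kind, c.Metadata.Name)
	}
	if c.Spec.Value == "" {
		return "", fmt.Errorf("ClusterClaim has no spec.value")
	}
	return c.Spec.Value, nil
}

// isROSA decides whether the cluster is ROSA (hypothetical helper).
// found=false models the claim being absent (404, or no OCM CRD installed):
// that is a plain "not ROSA", not an error, so the operator keeps its
// default behaviour on unmanaged clusters.
func isROSA(body []byte, found bool) (bool, error) {
	if !found {
		return false, nil
	}
	product, err := productFromClaim(body)
	if err != nil {
		return false, err
	}
	return product == "ROSA", nil
}

// defaultScanRoles returns the node roles the default ScanSetting should
// target. The PR disables the master role on ROSA, which matches the
// `["worker"]` seen later in this thread.
func defaultScanRoles(rosa bool) []string {
	if rosa {
		return []string{"worker"}
	}
	return []string{"worker", "master"}
}

func main() {
	rosa, err := isROSA([]byte(sampleROSAClaim), true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("GET %s -> ROSA=%v, default roles=%v\n", productClaimPath, rosa, defaultScanRoles(rosa))
}
```

In a real controller the body would come from a discovery or REST client call against `productClaimPath`, and a `NotFound` error would map to `found=false`; any other error (forbidden, timeout) should surface rather than silently be read as "not ROSA".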

openshift-ci-robot commented 3 months ago

@Vincent056: This pull request references CMP-2525 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/ComplianceAsCode/compliance-operator/pull/511):

> Made change to be able to detect what managed cluster we are on using `ClusterClaim`, through `/apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io`
>
> ```
> oc get clusterclaims product.open-cluster-management.io -v 7 -o json
> I0501 09:56:39.390722 70110 loader.go:373] Config loaded from file: /Users/vincent/.kube/config
> I0501 09:56:39.397643 70110 round_trippers.go:463] GET https://api.thb83-r47s4-4hg.6hoh.p3.openshiftapps.com:443/apis/cluster.open-cluster-management.io/v1alpha1/clusterclaims/product.open-cluster-management.io
> I0501 09:56:39.397652 70110 round_trippers.go:469] Request Headers:
> I0501 09:56:39.397657 70110 round_trippers.go:473] User-Agent: oc/4.14.0 (darwin/arm64) kubernetes/0c63f9d
> I0501 09:56:39.397661 70110 round_trippers.go:473] Authorization: Bearer <masked>
> I0501 09:56:39.397665 70110 round_trippers.go:473] Accept: application/json
> I0501 09:56:39.712622 70110 round_trippers.go:574] Response Status: 200 OK in 314 milliseconds
> {
>     "apiVersion": "cluster.open-cluster-management.io/v1alpha1",
>     "kind": "ClusterClaim",
>     "metadata": {
>         "creationTimestamp": "2024-05-01T15:29:30Z",
>         "generation": 1,
>         "labels": {
>             "open-cluster-management.io/hub-managed": "",
>             "velero.io/exclude-from-backup": "true"
>         },
>         "name": "product.open-cluster-management.io",
>         "resourceVersion": "7268",
>         "uid": "6ad67a1c-ecf9-4d8e-87e0-68111bbaf97f"
>     },
>     "spec": {
>         "value": "ROSA"
>     }
> }
> ```
>
> Added ROSA platform type, disable master role and default-auto-apply scansetting if detected running on ROSA

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=ComplianceAsCode%2Fcompliance-operator).
If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

openshift-ci[bot] commented 3 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/ComplianceAsCode/compliance-operator/blob/master/OWNERS)~~ [Vincent056]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment

xiaojiey commented 3 months ago

/hold for test

xiaojiey commented 3 months ago

@Vincent056 I am not sure if it is an env issue. The operator was installed correctly, and the default ss only contains the worker role. However, the pb was not created. Could you please help to double-check? Thanks.

```
% oc get csv
NAME                         DISPLAY               VERSION   REPLACES   PHASE
compliance-operator.v1.4.0   Compliance Operator   1.4.0                Succeeded
% oc get pod
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-7f68c5fdb4-rgkwc   1/1     Running   0          15s
% oc get ss
NAME      AGE
default   32s
% oc get ss default -o=jsonpath={.roles}
["worker"]%
% oc get pb
No resources found in openshift-compliance namespace.
% oc get csv -o yaml | grep -i image:
                  image: quay.io/xiyuan/compliance-operator:pr-511
    - image: ghcr.io/complianceascode/openscap-ocp:latest
    - image: quay.io/xiyuan/compliance-operator:pr-511
    - image: ghcr.io/complianceascode/k8scontent:latest
% oc get pod
NAME                                   READY   STATUS    RESTARTS   AGE
compliance-operator-7f68c5fdb4-rgkwc   1/1     Running   0          102s
```

rhmdnd commented 3 months ago

Working to get https://github.com/ComplianceAsCode/compliance-operator/pull/515 landed so you have something to test against.

rhmdnd commented 3 months ago

/test e2e-rosa

Vincent056 commented 3 months ago

/test e2e-rosa

Vincent056 commented 3 months ago

/test e2e-rosa

Vincent056 commented 3 months ago

/test e2e-rosa

rhmdnd commented 3 months ago

> @Vincent056 I am not sure if it is an env issue. The operator was installed correctly, and the default ss only contains the worker role. However, the pb was not created. Could you please help to double-check? Thanks.
>
> ```
> % oc get csv
> NAME                         DISPLAY               VERSION   REPLACES   PHASE
> compliance-operator.v1.4.0   Compliance Operator   1.4.0                Succeeded
> % oc get pod
> NAME                                   READY   STATUS    RESTARTS   AGE
> compliance-operator-7f68c5fdb4-rgkwc   1/1     Running   0          15s
> % oc get ss
> NAME      AGE
> default   32s
> % oc get ss default -o=jsonpath={.roles}
> ["worker"]%
> % oc get pb
> No resources found in openshift-compliance namespace.
> % oc get csv -o yaml | grep -i image:
>                   image: quay.io/xiyuan/compliance-operator:pr-511
>     - image: ghcr.io/complianceascode/openscap-ocp:latest
>     - image: quay.io/xiyuan/compliance-operator:pr-511
>     - image: ghcr.io/complianceascode/k8scontent:latest
> % oc get pod
> NAME                                   READY   STATUS    RESTARTS   AGE
> compliance-operator-7f68c5fdb4-rgkwc   1/1     Running   0          102s
> ```

I may have a fix for this in https://github.com/ComplianceAsCode/compliance-operator/pull/518, which includes a new platform type for ROSA and ensures the rhcos4 and ocp4 bundles are supported for that platform type.

openshift-ci[bot] commented 3 months ago

@Vincent056: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-rosa | 3b1c0c701f3be9ce534f1a62709151715dbfea94 | link | true | /test e2e-rosa |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

Vincent056 commented 3 months ago

Closing this in favor of https://github.com/ComplianceAsCode/compliance-operator/pull/518