ComplianceAsCode / compliance-operator

Operator providing Kubernetes cluster compliance checks
Apache License 2.0
36 stars 22 forks

Update api_resource_collector_cluster_role.yaml #519

Closed ermeratos closed 1 week ago

ermeratos commented 3 months ago

Added permissions for kubedescheduler operator

openshift-ci[bot] commented 3 months ago

Hi @ermeratos. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

openshift-ci[bot] commented 2 months ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ermeratos, JAORMX

Once this PR has been reviewed and has the lgtm label, please assign bhargavigudi for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

- **[OWNERS](https://github.com/ComplianceAsCode/compliance-operator/blob/master/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.

JAORMX commented 2 months ago

/ok-to-test

BhargaviGudi commented 1 month ago

/hold for test

BhargaviGudi commented 1 month ago

Verification passed with 4.17.0-0.nightly-2024-07-07-131215 + #519 code + #11997 code

  1. Install CO
    NAME              CONTENTIMAGE                                 CONTENTFILE         STATUS
    ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml     VALID
    rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
    upstream-ocp4     ghcr.io/complianceascode/k8scontent:11997    ssg-ocp4-ds.xml     VALID
    upstream-rhcos4   ghcr.io/complianceascode/k8scontent:11997    ssg-rhcos4-ds.xml   VALID
  2. Create kubedescheduler operator from GUI and create instance
    $ oc get csv -n openshift-kube-descheduler-operator
    NAME                                    DISPLAY                     VERSION   REPLACES                                             PHASE
    clusterkubedescheduleroperator.v5.0.1   Kube Descheduler Operator   5.0.1     clusterkubedescheduleroperator.4.14.0-202311021650   Succeeded
    $ oc get kubeschedulers.operator.openshift.io -n openshift-kube-descheduler-operator
    NAME      AGE
    cluster   6h37m
  3. Create ssb
    Creating ScanSettingBinding test
    $ oc get scan
    NAME                            PHASE   RESULT
    upstream-ocp4-bsi               DONE    NON-COMPLIANT
    upstream-ocp4-bsi-node-master   DONE    COMPLIANT
    upstream-ocp4-bsi-node-worker   DONE    COMPLIANT
    upstream-rhcos4-bsi-master      DONE    COMPLIANT
    upstream-rhcos4-bsi-worker      DONE    COMPLIANT
  4. Check for rule kube-descheduler-operator-exists
    $ oc get ccr | grep kube-descheduler-operator-exists
    upstream-ocp4-bsi-kube-descheduler-operator-exists                 PASS     medium
  5. Check the value for variable kube-descheduler-interval
    $ oc describe variables.compliance.openshift.io upstream-ocp4-kube-descheduler-interval | grep Value
    Value:                     86400
  6. Make sure the LifecycleAndUtilization profile is listed under .spec.profiles
    $ oc get kubedeschedulers.operator.openshift.io cluster -n openshift-kube-descheduler-operator -o=jsonpath='{.spec.profiles}' 
    ["LifecycleAndUtilization"]
  7. Check descheduler runs time is set under .spec.deschedulingIntervalSeconds
    $ oc get kubedeschedulers.operator.openshift.io cluster -n openshift-kube-descheduler-operator -o=jsonpath='{.spec.deschedulingIntervalSeconds}' 
    3600
  8. Instruction of the rule kube-descheduler-operator-exists works as expected
    $ oc get rule upstream-ocp4-kube-descheduler-operator-exists -ojsonpath={.instructions}
    To check if the Kube Descheduler Operator is installed, run the following command:
    oc get sub -n descheduler-operator cluster-kube-descheduler-operator -ojsonpath='{.status.installedCSV}'
    the output should return the version of the CSV that represents the installed
    operator.
    $ oc get sub -n openshift-kube-descheduler-operator cluster-kube-descheduler-operator -ojsonpath='{.status.installedCSV}'
    clusterkubedescheduleroperator.v5.0.1

BhargaviGudi commented 1 month ago

/label qe-approved

openshift-ci[bot] commented 1 month ago

@ermeratos: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-rosa | 48058a9cfe47e6f40c80ea4a0d7cba30257ca2af | link | true | `/test e2e-rosa` |
| ci/prow/e2e-aws-serial | 48058a9cfe47e6f40c80ea4a0d7cba30257ca2af | link | true | `/test e2e-aws-serial` |

rhmdnd commented 1 month ago

We recently fixed an issue with the trivy scan, so you may need to rebase to pick up those changes and freshen up the test results.

yuumasato commented 2 weeks ago

@ermeratos could you rebase the PR on top of latest master?

sluetze commented 1 week ago

> @ermeratos could you rebase the PR on top of latest master?

Hi @yuumasato,

I talked to @ermeratos privately. He switched jobs and employer and does not have any access to this GitHub account anymore.

I can offer that you close this PR and I create a new one and rebase it.

yuumasato commented 1 week ago

> I can offer that you close this PR and I create a new one and rebase it.

@sluetze That would be great, thank you.

sluetze commented 1 week ago

> > I can offer that you close this PR and I create a new one and rebase it.
>
> @sluetze That would be great, thank you.

done with https://github.com/ComplianceAsCode/compliance-operator/pull/587