Closed jhrozek closed 3 years ago
@mrogers950 do you know of a way to get the cluster name from inside the cluster? It looks like pure k8s doesn't do that (https://github.com/kubernetes/kubernetes/issues/44954) but maybe there's some openshift API?
uhm.... we could pass in the client context, the name should be there as far as I remember.
sorry, which client context do you mean? I tried looking into config e.g.:
cfg, err := config.GetConfig()
cfg.Name
but that only holds the IP address of the API server.
uhm.... we could pass in the client context, the name should be there as far as I remember.
sorry, which client context do you mean? I tried looking into config e.g.:
cfg, err := config.GetConfig() cfg.Name
but that only holds the IP address of the API server.
oh! I actually thought that exact key would have had the URL of the API Server. Nevermind then.
There was a stupid bug in the patch that I've fixed. I still haven't added any new tests.
@jhrozek so... do we have a plan to address the target for platform checks? or are we planning to leave those as they are?
On Fri, Aug 27, 2021 at 12:30:53AM -0700, Juan Osorio Robles wrote:
@jhrozek so... do we have a plan to address the target for platform checks? or are we planning to leave those as they are?
Maybe, but honestly I think it's not worth it. I took another look and "oc cluster-info" looks at restConfig's Host, but that appears to be giving a different result in cluster (an IP address, e.g. https://172.30.0.1:443 for me, same as the KUBERNETES_PORT variable).
There is also the openshiftapiservers/cluster object which has a .spec.observedConfig.routingConfig.subdomain, but 1) that one is not readable by the compliance-operator SA, so we'd have to extend the compliance-operator SA permissions and 2) the routingConfig.subdomain URL is slightly different, e.g. for me the API server runs at https://api.jhrozek-cluster-08-27-13-42.devcluster.openshift.com:6443 but the routing subdomain is apps.jhrozek-cluster-08-27-13-42.devcluster.openshift.com so I'm not even sure how useful that would be.
In the end, it would provide /some/ identification in the report, but do you think it's worth opening the permissions for?
The api-resource-collector SA does have the permissions to read that object, so I guess we could dump the info somewhere and read it during post-processing of the results..
@jhrozek thanks for checking into this... I think it's not worth the effort as you put it. We might be introducing too much tech debt for something that might not bring as much value. Is this good to go as-is?
@jhrozek thanks for checking into this... I think it's not worth the effort as you put it. We might be introducing too much tech debt for something that might not bring as much value. Is this good to go as-is?
I think yes, the only question is about tests, but I could add them in a separate PR as well. The intent being that the scan produces the expected number of CMs and a PV with some files.
/approve /lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: JAORMX, jhrozek
The full list of commands accepted by this bot can be found here.
The pull request process is described here
@jhrozek: This pull request references Bugzilla bug 1969620, which is invalid:
Comment /bugzilla refresh
to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.
@jhrozek: This pull request references Bugzilla bug 1969620, which is invalid:
Comment /bugzilla refresh
to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.
/bugzilla refresh
/bugzilla refresh
@JAORMX: This pull request references Bugzilla bug 1969620, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (pdhamdhe@redhat.com), skipping review request.
@JAORMX: This pull request references Bugzilla bug 1969620, which is valid.
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (pdhamdhe@redhat.com), skipping review request.
@jhrozek: All pull requests linked via external trackers have merged:
Bugzilla bug 1969620 has been moved to the MODIFIED state.
The element ought to contain the hostname of the system being
scanned, but for the node scan results produced by oscap-chroot, it was
just saying unknown. This is because openscap normally reads /etc/hostname,
which is not present on RHCOS.
While there is a bug filed against openscap (https://bugzilla.redhat.com/show_bug.cgi?id=1977668) to read alternative sources, let's work around that issue in the meantime by overriding the