openshift / compliance-operator

Operator providing OpenShift cluster compliance checks
Apache License 2.0

Issue with using multiple TailoredProfiles in ScanSettingBinding #730

Closed sachsachdevacloud closed 2 years ago

sachsachdevacloud commented 3 years ago

I have two TailoredProfiles created: one extends ocp4-cis and the other ocp4-cis-node. In the ScanSettingBinding, I have defined both TailoredProfiles; however, the final scan considers only one TailoredProfile.

sachsachdevacloud commented 3 years ago

Additional info: this has been tested on OCP version 4.6.

jhrozek commented 3 years ago

What is your operator version? I can't reproduce this with the current master. This is how I set the SSB:

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: tailored-ssb-cis-compliance
  namespace: openshift-compliance
profiles:
  - name: tailored-ocp4-cis-node
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: tailored-ocp4-cis-platform
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1

and this is what the tailored profiles look like:

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: tailored-ocp4-cis-node
spec:
  extends: ocp4-cis-node
  title: CIS node tailored for BZ-1972559
  description: foo
  disableRules:
    - name: ocp4-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree
      rationale: The customer's kubelet doesn't seem to set this
    - name: ocp4-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree
      rationale: The customer's kubelet doesn't seem to set this

and:

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: tailored-ocp4-cis-platform
spec:
  extends: ocp4-cis
  title: CIS platform tailoring
  description: CIS platform tailoring
  disableRules:
    - name: ocp4-file-owner-scheduler-kubeconfig
      rationale: fobar

This results in the following objects:

oc get ssb,compliancesuites,compliancescans
NAME                                                                     AGE
scansettingbinding.compliance.openshift.io/tailored-ssb-cis-compliance   17s

NAME                                                                  PHASE       RESULT
compliancesuite.compliance.openshift.io/tailored-ssb-cis-compliance   LAUNCHING   NOT-AVAILABLE

NAME                                                                   PHASE       RESULT
compliancescan.compliance.openshift.io/tailored-ocp4-cis-node-master   RUNNING     NOT-AVAILABLE
compliancescan.compliance.openshift.io/tailored-ocp4-cis-node-worker   LAUNCHING   NOT-AVAILABLE
compliancescan.compliance.openshift.io/tailored-ocp4-cis-platform      LAUNCHING   NOT-AVAILABLE

So please provide a more detailed reproducer.
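
A quick consistency check for the symptom reported in this issue, added here as an example and not part of the compliance-operator code: given the SSB, the product type of each bound profile and the `oc get compliancescans` output, it lists the profiles that never produced a scan. It assumes that Node-type profiles yield one scan per ScanSetting role (the default ScanSetting's roles are taken to be master and worker) named `<profile>-<role>`, and that Platform-type profiles yield one scan named after the profile; the product types are constructed input.

```python
import re

# Constructed from the SSB quoted in the comment above.
SSB = {
    "metadata": {"name": "tailored-ssb-cis-compliance"},
    "profiles": [
        {"name": "tailored-ocp4-cis-node", "kind": "TailoredProfile"},
        {"name": "tailored-ocp4-cis-platform", "kind": "TailoredProfile"},
    ],
    "settingsRef": {"name": "default", "kind": "ScanSetting"},
}
# Product type of each TailoredProfile's parent (constructed; ocp4-cis-node is
# a Node profile, ocp4-cis a Platform profile).
PROFILE_TYPES = {
    "tailored-ocp4-cis-node": "Node",
    "tailored-ocp4-cis-platform": "Platform",
}
# Roles scanned per ScanSetting; the default's roles are assumed here.
SCAN_SETTING_ROLES = {"default": ["master", "worker"]}

def expected_scan_names(ssb, profile_types, scan_setting_roles):
    """Return the set of ComplianceScan names the SSB should produce."""
    roles = scan_setting_roles[ssb["settingsRef"]["name"]]
    expected = set()
    for p in ssb["profiles"]:
        if profile_types[p["name"]] == "Node":
            expected.update(f'{p["name"]}-{r}' for r in roles)  # one per role
        else:
            expected.add(p["name"])  # platform scans are not split by role
    return expected

SCAN_RE = re.compile(r"^compliancescan\.compliance\.openshift\.io/(\S+)")

def observed_scan_names(oc_output):
    """Parse `oc get compliancescans` text into the set of scan names."""
    return {m.group(1) for line in oc_output.splitlines()
            if (m := SCAN_RE.match(line.strip()))}

def missing_scans(ssb, profile_types, scan_setting_roles, oc_output):
    """Scans the SSB should have created but that are absent from the output."""
    return (expected_scan_names(ssb, profile_types, scan_setting_roles)
            - observed_scan_names(oc_output))

# Constructed from the `oc get` output shown above.
OC_OUTPUT = """\
NAME                                                                   PHASE       RESULT
compliancescan.compliance.openshift.io/tailored-ocp4-cis-node-master   RUNNING     NOT-AVAILABLE
compliancescan.compliance.openshift.io/tailored-ocp4-cis-node-worker   LAUNCHING   NOT-AVAILABLE
compliancescan.compliance.openshift.io/tailored-ocp4-cis-platform      LAUNCHING   NOT-AVAILABLE
"""

if __name__ == "__main__":
    print("missing:", missing_scans(SSB, PROFILE_TYPES, SCAN_SETTING_ROLES, OC_OUTPUT) or "none")
```

An empty result matches the maintainer's output above; a non-empty set is the behaviour the reporter described and names exactly which bound profile was dropped.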

openshift-bot commented 2 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 2 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-bot commented 2 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci[bot] commented 2 years ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/compliance-operator/issues/730#issuecomment-1065923377):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue by commenting `/reopen`.
> Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
> Exclude this issue from closing again by commenting `/lifecycle frozen`.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.