Closed sachsachdevacloud closed 2 years ago
Additional info: This has been tested on OCP version 4.6.
What is your operator version? I can't reproduce this with the current master. This is how I set the SSB:
```yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: tailored-ssb-cis-compliance
  namespace: openshift-compliance
profiles:
  - name: tailored-ocp4-cis-node
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: tailored-ocp4-cis-platform
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```
and this is what the tailored profiles look like:
```yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: tailored-ocp4-cis-node
spec:
  extends: ocp4-cis-node
  title: CIS node tailored for BZ-1972559
  description: foo
  disableRules:
    - name: ocp4-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree
      rationale: The customer's kubelet doesn't seem to set this
    - name: ocp4-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree
      rationale: The customer's kubelet doesn't seem to set this
```
and:
```yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: tailored-ocp4-cis-platform
spec:
  extends: ocp4-cis
  title: CIS platform tailoring
  description: CIS platform tailoring
  disableRules:
    - name: ocp4-file-owner-scheduler-kubeconfig
      rationale: fobar
```
This results in the following objects:
```
oc get ssb,compliancesuites,compliancescans
NAME                                                                     AGE
scansettingbinding.compliance.openshift.io/tailored-ssb-cis-compliance   17s

NAME                                                                  PHASE       RESULT
compliancesuite.compliance.openshift.io/tailored-ssb-cis-compliance   LAUNCHING   NOT-AVAILABLE

NAME                                                                    PHASE       RESULT
compliancescan.compliance.openshift.io/tailored-ocp4-cis-node-master    RUNNING     NOT-AVAILABLE
compliancescan.compliance.openshift.io/tailored-ocp4-cis-node-worker    LAUNCHING   NOT-AVAILABLE
compliancescan.compliance.openshift.io/tailored-ocp4-cis-platform       LAUNCHING   NOT-AVAILABLE
```
So please provide a more detailed reproducer.

Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close

@openshift-bot: Closing this issue.

I have created two TailoredProfiles: one extends oc4-cis and the other ocp4-cis-node. In the ScanSettingBinding, I have defined both TailoredProfiles; however, the final scan considers only one TailoredProfile.