openshift / file-integrity-operator

Operator providing OpenShift cluster node file integrity checking
Apache License 2.0

OCPBUGS-17129: Ignore MCO node annotation files #413

Closed rhmdnd closed 1 year ago

rhmdnd commented 1 year ago

Machine config operator uses files on the host to cache annotations. The file integrity operator will throw integrity errors if a new node is spun up and added to the cluster depending.

Since OpenShift's MCO is responsible for these files, let's exclude them from integrity checks like we do other MCO configuration files.

openshift-ci-robot commented 1 year ago

@rhmdnd: This pull request references Jira Issue OCPBUGS-17129, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/file-integrity-operator/pull/413):

> Machine config operator uses files on the host to cache annotations. The file integrity operator will throw integrity errors if a new node is spun up and added to the cluster depending.
>
> Since OpenShift's MCO is responsible for these files, let's exclude them from integrity checks like we do other MCO configuration files.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

BhargaviGudi commented 1 year ago

Testing passed on 4.13.0-0.nightly-2023-07-27-134342 + pr code

Install FIO

```
$ oc apply -f - <<EOF
> apiVersion: fileintegrity.openshift.io/v1alpha1
> kind: FileIntegrity
> metadata:
>   name: example-fileintegrity
> spec:
>   config:
>     gracePeriod: 90
>     maxBackups: 5
>   debug: true
> EOF
fileintegrity.fileintegrity.openshift.io/example-fileintegrity created
$ oc get fileintegritynodestatuses.fileintegrity.openshift.io
NAME                                                               NODE                                         STATUS
example-fileintegrity-ip-10-0-148-7.us-east-2.compute.internal     ip-10-0-148-7.us-east-2.compute.internal     Succeeded
example-fileintegrity-ip-10-0-152-61.us-east-2.compute.internal    ip-10-0-152-61.us-east-2.compute.internal    Succeeded
example-fileintegrity-ip-10-0-170-63.us-east-2.compute.internal    ip-10-0-170-63.us-east-2.compute.internal    Succeeded
example-fileintegrity-ip-10-0-182-25.us-east-2.compute.internal    ip-10-0-182-25.us-east-2.compute.internal    Succeeded
example-fileintegrity-ip-10-0-194-227.us-east-2.compute.internal   ip-10-0-194-227.us-east-2.compute.internal   Succeeded
example-fileintegrity-ip-10-0-197-133.us-east-2.compute.internal   ip-10-0-197-133.us-east-2.compute.internal   Succeeded
$ oc get machineset -n openshift-machine-api
NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
bgudi-413-b2rqn-worker-us-east-2a   1         1         1       1           98m
bgudi-413-b2rqn-worker-us-east-2b   1         1         1       1           98m
bgudi-413-b2rqn-worker-us-east-2c   1         1         1       1           98m
```

Scale up machineset

```
$ oc scale --replicas=2 machineset bgudi-413-b2rqn-worker-us-east-2a -n openshift-machine-api
machineset.machine.openshift.io/bgudi-413-b2rqn-worker-us-east-2a scaled
$ oc get machineset -n openshift-machine-api
NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
bgudi-413-b2rqn-worker-us-east-2a   2         2         1       1           98m
bgudi-413-b2rqn-worker-us-east-2b   1         1         1       1           98m
bgudi-413-b2rqn-worker-us-east-2c   1         1         1       1           98m
$ oc get fileintegritynodestatuses.fileintegrity.openshift.io
NAME                                                               NODE                                         STATUS
example-fileintegrity-ip-10-0-143-71.us-east-2.compute.internal    ip-10-0-143-71.us-east-2.compute.internal    Succeeded
example-fileintegrity-ip-10-0-148-7.us-east-2.compute.internal     ip-10-0-148-7.us-east-2.compute.internal     Succeeded
example-fileintegrity-ip-10-0-152-61.us-east-2.compute.internal    ip-10-0-152-61.us-east-2.compute.internal    Succeeded
example-fileintegrity-ip-10-0-170-63.us-east-2.compute.internal    ip-10-0-170-63.us-east-2.compute.internal    Succeeded
example-fileintegrity-ip-10-0-182-25.us-east-2.compute.internal    ip-10-0-182-25.us-east-2.compute.internal    Succeeded
example-fileintegrity-ip-10-0-194-227.us-east-2.compute.internal   ip-10-0-194-227.us-east-2.compute.internal   Succeeded
example-fileintegrity-ip-10-0-197-133.us-east-2.compute.internal   ip-10-0-197-133.us-east-2.compute.internal   Succeeded
```
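
The verification above comes down to one question: did the node that joined after the scale-up report `Succeeded`? The script below is an added example, not part of the pull request or of anyone's comment in this thread; it compares two saved snapshots of `oc get fileintegritynodestatuses.fileintegrity.openshift.io` and reports the status of nodes that appear only in the second. The function names, file names and the `Failed` variant of the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): find nodes that joined between two
# snapshots of `oc get fileintegritynodestatuses` and check their status.

# new_node_statuses BEFORE AFTER -> "<node> <status>" per node only in AFTER
new_node_statuses() {
    awk '
        NF < 3 || $1 == "NAME" { next }               # skip blanks and header
        FILENAME == ARGV[1]    { seen[$2] = 1; next } # nodes known beforehand
        !($2 in seen)          { print $2, $3 }       # node joined afterwards
    ' "$1" "$2"
}

# failed_new_nodes BEFORE AFTER -> prints new nodes whose status is not
# Succeeded and returns 1 if there are any, 0 otherwise.
failed_new_nodes() {
    bad=$(new_node_statuses "$1" "$2" | awk '$2 != "Succeeded"')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# write_samples DIR: snapshots shortened from the output in the comment above;
# after_failed.txt is a constructed variant where the new node reports Failed.
write_samples() {
    cat > "$1/before.txt" <<'EOF'
NAME                                                            NODE                                      STATUS
example-fileintegrity-ip-10-0-148-7.us-east-2.compute.internal  ip-10-0-148-7.us-east-2.compute.internal  Succeeded
EOF
    cat > "$1/after.txt" <<'EOF'
NAME                                                            NODE                                      STATUS
example-fileintegrity-ip-10-0-143-71.us-east-2.compute.internal ip-10-0-143-71.us-east-2.compute.internal Succeeded
example-fileintegrity-ip-10-0-148-7.us-east-2.compute.internal  ip-10-0-148-7.us-east-2.compute.internal  Succeeded
EOF
    sed 's/\(ip-10-0-143-71.*\)Succeeded/\1Failed/' "$1/after.txt" > "$1/after_failed.txt"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
new_node_statuses "$demo_dir/before.txt" "$demo_dir/after.txt"
failed_new_nodes "$demo_dir/before.txt" "$demo_dir/after_failed.txt" || echo "integrity failure on a new node"
rm -rf "$demo_dir"
```

On a live cluster, the two input files would be the redirected output of the `oc get fileintegritynodestatuses.fileintegrity.openshift.io` command taken before and after `oc scale`.
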
Vincent056 commented 1 year ago

/lgtm

openshift-ci[bot] commented 1 year ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd, Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/file-integrity-operator/blob/master/OWNERS)~~ [Vincent056,rhmdnd]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

rhmdnd commented 1 year ago

/test e2e-bundle-aws
/test e2e-bundle-aws-upgrade

We should be good to rerun these now that https://github.com/openshift/release/pull/41989 landed.

rhmdnd commented 1 year ago

/test e2e-bundle-aws-upgrade
/test e2e-bundle-aws

Failed pulling CI images

xiaojiey commented 1 year ago

/label qe-approved

Add label per @BhargaviGudi's comments.

openshift-ci[bot] commented 1 year ago

@rhmdnd: all tests passed!

Full PR test history. Your PR dashboard.

openshift-ci-robot commented 1 year ago

@rhmdnd: Jira Issue OCPBUGS-17129: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-17129 has been moved to the MODIFIED state.
