- Bug
- Resolution: Done-Errata
- Undefined
- None
- 4.13.z
Description of problem:
Some rules that have auto-remediations available still report FAIL after the auto-remediations have been applied for the rhcos4-high profile.
Version-Release number of selected component (if applicable):
compliance-operator.v1.3.0
How reproducible:
Always
Steps to Reproduce:
1. Install compliance operator
2. Create a custom MachineConfigPool (mcp) named wrscan
3. Create a ScanSetting (ss) auto-rem-ss that scans the wrscan mcp role only:
$ oc get ss auto-rem-ss -o yaml
apiVersion: compliance.openshift.io/v1alpha1
autoApplyRemediations: true
autoUpdateRemediations: true
kind: ScanSetting
maxRetryOnTimeout: 3
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"compliance.openshift.io/v1alpha1","autoApplyRemediations":true,"autoUpdateRemediations":true,"kind":"ScanSetting","metadata":{"annotations":{},"name":"auto-rem-ss","namespace":"openshift-compliance"},"rawResultStorage":{"rotation":5,"size":"2Gi"},"roles":["wrscan"],"schedule":"0 1 * * *","strictNodeScan":false}
  creationTimestamp: "2023-09-25T02:05:43Z"
  generation: 1
  name: auto-rem-ss
  namespace: openshift-compliance
  resourceVersion: "43973"
  uid: 29426481-7cd1-48f0-a3cf-934c96f651eb
rawResultStorage:
  pvAccessModes:
  - ReadWriteOnce
  rotation: 5
  size: 2Gi
roles:
- wrscan
scanTolerations:
- operator: Exists
schedule: 0 1 * * *
showNotApplicable: false
strictNodeScan: false
timeout: 30m

4. Create a ScanSettingBinding (ssb) for the rhcos4-high profile with auto-remediation set to true:
$ oc compliance bind -N rhcos4-high-7xu7h0tvom -s auto-rem-ss profile/rhcos4-high
Actual results:
After 2 rounds of cluster reboots all remediations are applied; the ScanSettingBinding is then rerun.
$ oc get cr --no-headers| grep -Ev Applied
$ oc compliance rerun-now scansettingbinding rhcos4-high-7xu7h0tvom
Rerunning scans from 'rhcos4-high-7xu7h0tvom': rhcos4-high-wrscan
Re-running scan 'openshift-compliance/rhcos4-high-wrscan'
$ oc get suite -w
NAME                     PHASE         RESULT
rhcos4-high-7xu7h0tvom   RUNNING       NOT-AVAILABLE
rhcos4-high-7xu7h0tvom   AGGREGATING   NOT-AVAILABLE
rhcos4-high-7xu7h0tvom   DONE          NON-COMPLIANT
rhcos4-high-7xu7h0tvom   DONE          NON-COMPLIAN
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
NAME                                                               STATUS   SEVERITY
rhcos4-high-wrscan-sysctl-net-core-bpf-jit-harden                  FAIL     medium
rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
rhcos4-high-wrscan-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
rhcos4-high-wrscan-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
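A small triage helper, added here and not part of the bug report or of the Compliance Operator, that isolates the symptom above: check results still FAIL although their remediation is already Applied. It assumes that a ComplianceRemediation carries the same name as its ComplianceCheckResult and that `oc get cr --no-headers` prints NAME then STATE; the sample listings are constructed from the failing rules in the report.

```shell
#!/bin/sh
# Constructed sample of `oc get ccr -l ...check-status=FAIL` (header kept),
# using three of the failing rules from the report above.
SAMPLE_CCR='NAME STATUS SEVERITY
rhcos4-high-wrscan-sysctl-net-core-bpf-jit-harden FAIL medium
rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-ra FAIL medium
rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-redirects FAIL medium'

# Constructed sample of `oc get cr --no-headers` (NAME STATE, assumed order):
# one remediation still pending, the others already applied.
SAMPLE_CR='rhcos4-high-wrscan-sysctl-net-core-bpf-jit-harden Applied
rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-ra NotApplied
rhcos4-high-wrscan-sysctl-net-ipv6-conf-all-accept-redirects Applied'

# stale_failures CCR_TEXT CR_TEXT
# Prints "<check-name> <severity>" for every FAIL check whose remediation
# (assumed to share the check's name) is in state Applied. A non-empty list
# means the remediation landed but the probe still reports the rule as failing,
# which is the condition worth escalating rather than re-applying remediations.
stale_failures() {
  ccr="$1"; cr="$2"
  printf '%s\n' "$ccr" | awk -v crtext="$cr" '
    BEGIN {
      # Index remediation state by name.
      n = split(crtext, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, " ")
        if (f[1] != "") state[f[1]] = f[2]
      }
    }
    NR == 1 && $1 == "NAME" { next }                  # skip header row
    $2 == "FAIL" && state[$1] == "Applied" { print $1, $3 }
  '
}

# Against a live cluster (assumed invocation, same label selector as the report):
#   stale_failures "$(oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL)" \
#                  "$(oc get cr --no-headers)"
stale_failures "$SAMPLE_CCR" "$SAMPLE_CR"
```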
Expected results:
All rules with auto-remediations available should report PASS after all auto-remediations have been applied.
Additional info:
- is blocked by: RHEL-24685 Probes for sysctl don't fetch expected data from OCP node (Closed)
- links to: RHBA-2024:138712 OpenShift Compliance Operator 1.6.0