OCPBUGS-4338: Apply all remediations associate with each ComplianceCheckResult #188

Status: Merged (1 commit, Jan 20, 2023)

Conversation

@Vincent056 commented Dec 2, 2022

Make Compliance Operator apply all the related remediations for one ComplianceCheckResult at once. This helps users who use manual remediation: this feature will look for all the related remediations for a ComplianceCheckResult when one remediation is applied.

For example, we have the remediations

```
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4
```

When a user applies any one of them, we will apply all the other remediations associated with the rule.

[OCPBUGS-4338](https://issues.redhat.com/browse/OCPBUGS-4338)

@openshift-ci openshift-ci bot added the approved label Dec 2, 2022
@Vincent056 Vincent056 changed the title from "Apply all remediations associate with each ComplianceCheckResult" to "OCPBUGS-4338: Apply all remediations associate with each ComplianceCheckResult" Dec 2, 2022
@openshift-ci-robot (Collaborator) commented:

@Vincent056: This pull request references Jira Issue OCPBUGS-4338, which is invalid:

  • expected the bug to target the "4.13.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@jhrozek commented Dec 9, 2022

/jira refresh

@openshift-ci-robot (Collaborator) commented:

@jhrozek: This pull request references Jira Issue OCPBUGS-4338, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.13.0) matches configured target version for branch (4.13.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xiaojiey


@jhrozek commented Dec 9, 2022

/hold for QE, docs and PX

@jhrozek left a review comment:

My manual testing went fine; I just left a couple of minor comments in the PR.

@jhrozek left a review comment:

/lgtm

@xiaojiey (Collaborator) commented:

@Vincent056 It is supposed to work for all kubeletconfig rules, not for rule ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree only. Right? It seems it is not working as expected:

1. Deploy operator:

```console
$ export IMAGE_REPO=quay.io/xiyuan
$ export TAG=pr188
$ make images && make push
$ make catalog && make catalog-deploy
```

2. Create a custom mcp wscan:

```console
$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-b8bb79938983d09fd20ceaf2cf40613e   True      False      False      3              3                   3                     0                      4h55m
worker   rendered-worker-0a27d56621844f2bce5439acf8923ff0   True      False      False      2              2                   2                     0                      4h55m
wscan    rendered-wscan-0a27d56621844f2bce5439acf8923ff0    True      False      False      1              1                   1                     0                      3h38m
```

3. Trigger a test:

```console
$ oc apply -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: test
  namespace: openshift-compliance
rawResultStorage:
  nodeSelector:
    node-role.kubernetes.io/master: ""
  pvAccessModes:
  - ReadWriteOnce
  rotation: 3
  size: 1Gi
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  - effect: NoSchedule
    key: node.kubernetes.io/memory-pressure
    operator: Exists
roles:
- wscan
scanTolerations:
- operator: Exists
schedule: 0 1 * * *
showNotApplicable: false
strictNodeScan: true
scanLimits: {
  "cpu": "150m",
  "memory": "512Mi"
}
debug: true
autoApplyRemediations: false
autoUpdateRemediations: false
EOF
scansetting.compliance.openshift.io/test created
$ oc apply -f - <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: cis-wscan-tp
spec:
  extends: ocp4-cis
  title: My modified nist profile with a custom value
  setValues:
  - name: ocp4-var-role-master
    value: wscan
    rationale: test for wscan nodes
  - name: ocp4-var-role-worker
    value: wscan
    rationale: test for wscan nodes
  description: cis-wscan-scan
EOF
tailoredprofile.compliance.openshift.io/cis-wscan-tp created
$ oc get suite -w
NAME       PHASE         RESULT
my-ssb-r   LAUNCHING     NOT-AVAILABLE
my-ssb-r   RUNNING       NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          NON-COMPLIANT
my-ssb-r   DONE          NON-COMPLIANT
^C
$ oc get cr
NAME STATE
cis-wscan-tp-api-server-encryption-provider-cipher NotApplied
cis-wscan-tp-api-server-encryption-provider-config NotApplied
cis-wscan-tp-kubelet-enable-streaming-connections NotApplied
cis-wscan-tp-kubelet-enable-streaming-connections-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-4 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-5 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-4 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-5 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-4 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-5 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-4 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-5 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-5 NotApplied
$ oc patch cr cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree -p '{"spec":{"apply":true}}' --type='merge'
complianceremediation.compliance.openshift.io/cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree patched
$ oc get cr | grep cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1 Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2 Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3 Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4 Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-5 Applied
$ oc get kubeletconfigs.machineconfiguration.openshift.io compliance-operator-kubelet-wscan -o yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  annotations:
    machineconfiguration.openshift.io/mc-name-suffix: ""
  creationTimestamp: "2022-12-19T06:32:52Z"
  finalizers:
  - 99-wscan-generated-kubelet
  generation: 3
  name: compliance-operator-kubelet-wscan
  resourceVersion: "137554"
  uid: 7c0aa06e-8d6b-47b3-abaf-c1ad9f6a855f
spec:
  kubeletConfig:
    evictionPressureTransitionPeriod: 0s
    evictionSoft:
      nodefs.inodesFree: 5%
    evictionSoftGracePeriod:
      nodefs.inodesFree: 1m30s
  machineConfigPoolSelector:
    matchLabels:
      pools.operator.machineconfiguration.openshift.io/wscan: ""
status:
  conditions:
  - lastTransitionTime: "2022-12-19T06:32:53Z"
    message: Success
    status: "True"
    type: Success
$ oc patch cr cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 -p '{"spec":{"apply":true}}' --type='merge'
complianceremediation.compliance.openshift.io/cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 patched
$ oc get kubeletconfigs.machineconfiguration.openshift.io -o yaml
apiVersion: v1
items:
- apiVersion: machineconfiguration.openshift.io/v1
  kind: KubeletConfig
  metadata:
    annotations:
      machineconfiguration.openshift.io/mc-name-suffix: ""
    creationTimestamp: "2022-12-19T06:32:52Z"
    finalizers:
    - 99-wscan-generated-kubelet
    generation: 4
    name: compliance-operator-kubelet-wscan
    resourceVersion: "143695"
    uid: 7c0aa06e-8d6b-47b3-abaf-c1ad9f6a855f
  spec:
    kubeletConfig:
      evictionPressureTransitionPeriod: 0s
      evictionSoft:
        nodefs.inodesFree: 5%
      evictionSoftGracePeriod:
        imagefs.available: 1m30s
        nodefs.inodesFree: 1m30s
    machineConfigPoolSelector:
      matchLabels:
        pools.operator.machineconfiguration.openshift.io/wscan: ""
  status:
    conditions:
    - lastTransitionTime: "2022-12-19T06:48:01Z"
      message: Success
      status: "True"
      type: Success
kind: List
metadata:
  resourceVersion: ""
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-b8bb79938983d09fd20ceaf2cf40613e   True      False      False      3              3                   3                     0                      5h18m
worker   rendered-worker-0a27d56621844f2bce5439acf8923ff0   True      False      False      2              2                   2                     0                      5h18m
wscan    rendered-wscan-e6b51ca61264c6b4a050832985a8c236    False     True       False      1              0                   0                     0                      4h1m
wscan    rendered-wscan-0bcba57d8b9928c3a6097502e370cc68    True      False      False      1              1                   1                     0                      4h6m
^C
$ oc get kubeletconfigs.machineconfiguration.openshift.io -o yaml
apiVersion: v1
items:
- apiVersion: machineconfiguration.openshift.io/v1
  kind: KubeletConfig
  metadata:
    annotations:
      machineconfiguration.openshift.io/mc-name-suffix: ""
    creationTimestamp: "2022-12-19T06:32:52Z"
    finalizers:
    - 99-wscan-generated-kubelet
    generation: 4
    name: compliance-operator-kubelet-wscan
    resourceVersion: "143695"
    uid: 7c0aa06e-8d6b-47b3-abaf-c1ad9f6a855f
  spec:
    kubeletConfig:
      evictionPressureTransitionPeriod: 0s
      evictionSoft:
        nodefs.inodesFree: 5%
      evictionSoftGracePeriod:
        imagefs.available: 1m30s
        nodefs.inodesFree: 1m30s
    machineConfigPoolSelector:
      matchLabels:
        pools.operator.machineconfiguration.openshift.io/wscan: ""
  status:
    conditions:
    - lastTransitionTime: "2022-12-19T06:48:01Z"
      message: Success
      status: "True"
      type: Success
kind: List
metadata:
  resourceVersion: ""
$ oc get cr | grep cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-2 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-3 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-4 NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-5 NotApplied
$ oc get kubeletconfigs.machineconfiguration.openshift.io -o yaml
apiVersion: v1
items:
- apiVersion: machineconfiguration.openshift.io/v1
  kind: KubeletConfig
  metadata:
    annotations:
      machineconfiguration.openshift.io/mc-name-suffix: ""
    creationTimestamp: "2022-12-19T06:32:52Z"
    finalizers:
    - 99-wscan-generated-kubelet
    generation: 4
    name: compliance-operator-kubelet-wscan
    resourceVersion: "143695"
    uid: 7c0aa06e-8d6b-47b3-abaf-c1ad9f6a855f
  spec:
    kubeletConfig:
      evictionPressureTransitionPeriod: 0s
      evictionSoft:
        nodefs.inodesFree: 5%
      evictionSoftGracePeriod:
        imagefs.available: 1m30s
        nodefs.inodesFree: 1m30s
    machineConfigPoolSelector:
      matchLabels:
        pools.operator.machineconfiguration.openshift.io/wscan: ""
  status:
    conditions:
    - lastTransitionTime: "2022-12-19T06:48:01Z"
      message: Success
      status: "True"
      type: Success
kind: List
metadata:
  resourceVersion: ""
```

In summary, it works for CRs without the -1/-2/-3/-4/-5 suffix, but it does not work for CRs with the -1/-2/-3/-4/-5 suffix.
@Vincent056 Could you help to double check? Thanks.

@openshift-ci openshift-ci bot removed the lgtm label Dec 20, 2022
@Vincent056 (Author) commented:

> @Vincent056 It is supposed to work for all kubeletconfig rules, not for rule ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree only. Right? It seems it is not working as expected:

  1. Deploy operator:
    $ export IMAGE_REPO=quay.io/xiyuan
    $ export TAG=pr188
    $ make images && make push
    $ make catalog && make catalog-deploy
  2. Create a custom mcp wscan
    $ oc get mcp
    NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
    master rendered-master-b8bb79938983d09fd20ceaf2cf40613e True False False 3 3 3 0 4h55m
    worker rendered-worker-0a27d56621844f2bce5439acf8923ff0 True False False 2 2 2 0 4h55m
    wscan rendered-wscan-0a27d56621844f2bce5439acf8923ff0 True False False 1 1 1 0 3h38m
  3. Trigger a test:
    $ oc apply -f -<<EOF
    apiVersion: compliance.openshift.io/v1alpha1
    kind: ScanSetting
    metadata:
      name: test
      namespace: openshift-compliance
    rawResultStorage:
      nodeSelector:
        node-role.kubernetes.io/master: ""
      pvAccessModes:
      - ReadWriteOnce
      rotation: 3
      size: 1Gi
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists
        tolerationSeconds: 300
      - effect: NoExecute
        key: node.kubernetes.io/unreachable
        operator: Exists
        tolerationSeconds: 300
      - effect: NoSchedule
        key: node.kubernetes.io/memory-pressure
        operator: Exists
    roles:
    - wscan
    scanTolerations:
    - operator: Exists
    schedule: 0 1 * * *
    showNotApplicable: false
    strictNodeScan: true
    scanLimits: {
      "cpu": "150m",
      "memory": "512Mi"
    }
    debug: true
    autoApplyRemediations: false
    autoUpdateRemediations: false
    EOF
    scansetting.compliance.openshift.io/test created
    $ oc apply -f -<<EOF
    apiVersion: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    metadata:
      name: cis-wscan-tp
    spec:
      extends: ocp4-cis
      title: My modified nist profile with a custom value
      setValues:
      - name: ocp4-var-role-master
        value: wscan
        rationale: test for wscan nodes
      - name: ocp4-var-role-worker
        value: wscan
        rationale: test for wscan nodes
      description: cis-wscan-scan
    EOF
    tailoredprofile.compliance.openshift.io/cis-wscan-tp created
    $ oc get suite -w
    NAME PHASE RESULT
    my-ssb-r LAUNCHING NOT-AVAILABLE
    my-ssb-r RUNNING NOT-AVAILABLE
    my-ssb-r AGGREGATING NOT-AVAILABLE
    my-ssb-r DONE NON-COMPLIANT
    my-ssb-r DONE NON-COMPLIANT
    ^C
    $ oc get cr
    NAME STATE
    cis-wscan-tp-api-server-encryption-provider-cipher NotApplied
    cis-wscan-tp-api-server-encryption-provider-config NotApplied
    cis-wscan-tp-kubelet-enable-streaming-connections NotApplied
    cis-wscan-tp-kubelet-enable-streaming-connections-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-4 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-5 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-4 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-5 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-4 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-5 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-4 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-5 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-5 NotApplied
    $ oc patch cr cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree -p '{"spec":{"apply":true}}' --type='merge'
    complianceremediation.compliance.openshift.io/cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree patched
    $ oc get cr | grep cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree Applied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1 Applied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2 Applied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3 Applied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4 Applied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-5 Applied
    $ oc get kubeletconfigs.machineconfiguration.openshift.io compliance-operator-kubelet-wscan -o yaml
    apiVersion: machineconfiguration.openshift.io/v1
    kind: KubeletConfig
    metadata:
      annotations:
        machineconfiguration.openshift.io/mc-name-suffix: ""
      creationTimestamp: "2022-12-19T06:32:52Z"
      finalizers:
      - 99-wscan-generated-kubelet
      generation: 3
      name: compliance-operator-kubelet-wscan
      resourceVersion: "137554"
      uid: 7c0aa06e-8d6b-47b3-abaf-c1ad9f6a855f
    spec:
      kubeletConfig:
        evictionPressureTransitionPeriod: 0s
        evictionSoft:
          nodefs.inodesFree: 5%
        evictionSoftGracePeriod:
          nodefs.inodesFree: 1m30s
      machineConfigPoolSelector:
        matchLabels:
          pools.operator.machineconfiguration.openshift.io/wscan: ""
    status:
      conditions:
      - lastTransitionTime: "2022-12-19T06:32:53Z"
        message: Success
        status: "True"
        type: Success
    $ oc patch cr cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 -p '{"spec":{"apply":true}}' --type='merge'
    complianceremediation.compliance.openshift.io/cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 patched
    [xiyuan@MiWiFi-RA69-srv compliance-operator (pr-188)]$ oc get kubeletconfigs.machineconfiguration.openshift.io -o yaml
    apiVersion: v1
    items:
    - apiVersion: machineconfiguration.openshift.io/v1
      kind: KubeletConfig
      metadata:
        annotations:
          machineconfiguration.openshift.io/mc-name-suffix: ""
        creationTimestamp: "2022-12-19T06:32:52Z"
        finalizers:
        - 99-wscan-generated-kubelet
        generation: 4
        name: compliance-operator-kubelet-wscan
        resourceVersion: "143695"
        uid: 7c0aa06e-8d6b-47b3-abaf-c1ad9f6a855f
      spec:
        kubeletConfig:
          evictionPressureTransitionPeriod: 0s
          evictionSoft:
            nodefs.inodesFree: 5%
          evictionSoftGracePeriod:
            imagefs.available: 1m30s
            nodefs.inodesFree: 1m30s
        machineConfigPoolSelector:
          matchLabels:
            pools.operator.machineconfiguration.openshift.io/wscan: ""
      status:
        conditions:
        - lastTransitionTime: "2022-12-19T06:48:01Z"
          message: Success
          status: "True"
          type: Success
    kind: List
    metadata:
      resourceVersion: ""
    $ oc get mcp -w
    NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
    master rendered-master-b8bb79938983d09fd20ceaf2cf40613e True False False 3 3 3 0 5h18m
    worker rendered-worker-0a27d56621844f2bce5439acf8923ff0 True False False 2 2 2 0 5h18m
    wscan rendered-wscan-e6b51ca61264c6b4a050832985a8c236 False True False 1 0 0 0 4h1m
    wscan rendered-wscan-0bcba57d8b9928c3a6097502e370cc68 True False False 1 1 1 0 4h 6m
    ^C$ oc get kubeletconfigs.machineconfiguration.openshift.io -o yaml
    apiVersion: v1
    items:
    - apiVersion: machineconfiguration.openshift.io/v1
      kind: KubeletConfig
      metadata:
        annotations:
          machineconfiguration.openshift.io/mc-name-suffix: ""
        creationTimestamp: "2022-12-19T06:32:52Z"
        finalizers:
        - 99-wscan-generated-kubelet
        generation: 4
        name: compliance-operator-kubelet-wscan
        resourceVersion: "143695"
        uid: 7c0aa06e-8d6b-47b3-abaf-c1ad9f6a855f
      spec:
        kubeletConfig:
          evictionPressureTransitionPeriod: 0s
          evictionSoft:
            nodefs.inodesFree: 5%
          evictionSoftGracePeriod:
            imagefs.available: 1m30s
            nodefs.inodesFree: 1m30s
        machineConfigPoolSelector:
          matchLabels:
            pools.operator.machineconfiguration.openshift.io/wscan: ""
      status:
        conditions:
        - lastTransitionTime: "2022-12-19T06:48:01Z"
          message: Success
          status: "True"
          type: Success
    kind: List
    metadata:
      resourceVersion: ""
    $ oc get cr | grep cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 Applied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-2 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-3 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-4 NotApplied
    cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-5 NotApplied
    $ oc get kubeletconfigs.machineconfiguration.openshift.io -o yaml
    apiVersion: v1
    items:
    - apiVersion: machineconfiguration.openshift.io/v1
      kind: KubeletConfig
      metadata:
        annotations:
          machineconfiguration.openshift.io/mc-name-suffix: ""
        creationTimestamp: "2022-12-19T06:32:52Z"
        finalizers:
        - 99-wscan-generated-kubelet
        generation: 4
        name: compliance-operator-kubelet-wscan
        resourceVersion: "143695"
        uid: 7c0aa06e-8d6b-47b3-abaf-c1ad9f6a855f
      spec:
        kubeletConfig:
          evictionPressureTransitionPeriod: 0s
          evictionSoft:
            nodefs.inodesFree: 5%
          evictionSoftGracePeriod:
            imagefs.available: 1m30s
            nodefs.inodesFree: 1m30s
        machineConfigPoolSelector:
          matchLabels:
            pools.operator.machineconfiguration.openshift.io/wscan: ""
      status:
        conditions:
        - lastTransitionTime: "2022-12-19T06:48:01Z"
          message: Success
          status: "True"
          type: Success
    kind: List
    metadata:
      resourceVersion: ""

In summary, it works for a cr without the -1/-2/-3/-4/-5 postfix, but does not work for a cr with the -1/-2/-3/-4/-5 postfix. @Vincent056 Could you help to double check? Thanks.

sorry, could you test with the new commit? It should be fixed now

@xiaojiey
Copy link
Collaborator

xiaojiey commented Dec 20, 2022

Repeated the test with 4.13.0-0.nightly-2022-12-19-122634 and the new CO version from the PR. Now it is working as expected. When applying a rule with/without the "-1/-2/-3/-4/-5" postfix, the related crs will get applied. However, there is another problem: it seems that after a rescan some crs are in OutDated status, but I didn't see any difference between the current config and the outdated config; details can be seen at: http://pastebin.test.redhat.com/1085853. Could you help to check? Thanks.

$ oc get cr
NAME                                                                     STATE
cis-wscan-tp-api-server-encryption-provider-cipher                       NotApplied
cis-wscan-tp-api-server-encryption-provider-config                       NotApplied
cis-wscan-tp-kubelet-enable-streaming-connections                        NotApplied
cis-wscan-tp-kubelet-enable-streaming-connections-1                      NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available      NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available-1    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available-2    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-available-3    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-1   NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-2   NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-imagefs-inodesfree-3   NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available       NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available-1     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available-2     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-memory-available-3     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available       NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available-1     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available-2     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-available-3     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree      NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-1    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-2    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree-3    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available      NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-2    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-3    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-4    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-5    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-1   NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-2   NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-3   NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-4   NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-inodesfree-5   NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available       NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-1     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-2     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-3     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-4     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-5     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available       NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-1     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-2     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-3     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-4     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-5     NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree      NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4    NotApplied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-5    NotApplied
$ oc patch cr cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 -p '{"spec":{"apply":true}}' --type='merge'
complianceremediation.compliance.openshift.io/cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1 patched
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-13c24bb371a9b807d798153c3537ba41   True      False      False      3              3                   3                     0                      6h25m
worker   rendered-worker-b56f06fdbefe161b0b59d1eea1e3ef11   True      False      False      2              2                   2                     0                      6h25m
wscan    rendered-wscan-b56f06fdbefe161b0b59d1eea1e3ef11    False     True       False      1              0                   0                     0                      8m50s
wscan    rendered-wscan-d163570806fb35a5a6f46cacfde39641    True      False      False      1              1                   1                     0                      9m2s
^C$ oc get cr | grep cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available      Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-1    Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-2    Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-3    Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-4    Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-imagefs-available-5    Applied
$ oc get kubeletconfigs.machineconfiguration.openshift.io compliance-operator-kubelet-wscan -o=jsonpath={.spec.kubeletConfig} | jq -r
{
  "evictionPressureTransitionPeriod": "0s",
  "evictionSoft": {
    "imagefs.available": "15%"
  },
  "evictionSoftGracePeriod": {
    "imagefs.available": "1m30s"
  }
}
================================================================
$ oc patch cr cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2 -p '{"spec":{"apply":true}}' --type='merge'
complianceremediation.compliance.openshift.io/cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2 patched
$ oc get kubeletconfigs.machineconfiguration.openshift.io compliance-operator-kubelet-wscan -o=jsonpath={.spec.kubeletConfig} | jq -r
{
  "evictionPressureTransitionPeriod": "0s",
  "evictionSoft": {
    "imagefs.available": "15%",
    "nodefs.inodesFree": "5%"
  },
  "evictionSoftGracePeriod": {
    "imagefs.available": "1m30s",
    "nodefs.inodesFree": "1m30s"
  }
}
$ oc get cr | grep cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree      Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1    Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2    Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3    Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4    Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-5    Applied
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-13c24bb371a9b807d798153c3537ba41   True      False      False      3              3                   3                     0                      6h32m
worker   rendered-worker-b56f06fdbefe161b0b59d1eea1e3ef11   True      False      False      2              2                   2                     0                      6h32m
wscan    rendered-wscan-d163570806fb35a5a6f46cacfde39641    False     True       False      1              0                   0                     0                      15m
wscan    rendered-wscan-0b34874cb4c66958ebf62d3cc6e83b3a    True      False      False      1              1                   1                     0                      15m
^C
====================================================
$ opatch cr cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available -p '{"spec":{"apply":true}}' --type='merge'
complianceremediation.compliance.openshift.io/cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available patched
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-13c24bb371a9b807d798153c3537ba41   True      False      False      3              3                   3                     0                      6h34m
worker   rendered-worker-b56f06fdbefe161b0b59d1eea1e3ef11   True      False      False      2              2                   2                     0                      6h34m
wscan    rendered-wscan-0b34874cb4c66958ebf62d3cc6e83b3a    False     True       False      1              0                   0                     0                      17m
wscan    rendered-wscan-0b34874cb4c66958ebf62d3cc6e83b3a    False     True       False      1              0                   0                     0                      18m
^C$ oget kubeletconfigs.machineconfiguration.openshift.io compliance-operator-kubelet-wscan -o=jsonpath={.spec.kubeletConfig} | jq -r
{
  "evictionPressureTransitionPeriod": "0s",
  "evictionSoft": {
    "imagefs.available": "15%",
    "nodefs.available": "10%",
    "nodefs.inodesFree": "5%"
  },
  "evictionSoftGracePeriod": {
    "imagefs.available": "1m30s",
    "nodefs.available": "1m30s",
    "nodefs.inodesFree": "1m30s"
  }
}
$ oc get cr | grep  cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available       Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-1     Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-2     Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-3     Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-4     Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-nodefs-available-5     Applied
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-13c24bb371a9b807d798153c3537ba41   True      False      False      3              3                   3                     0                      6h35m
worker   rendered-worker-b56f06fdbefe161b0b59d1eea1e3ef11   True      False      False      2              2                   2                     0                      6h35m
wscan    rendered-wscan-0b34874cb4c66958ebf62d3cc6e83b3a    False     True       False      1              0                   0                     0                      18m
wscan    rendered-wscan-688cfb7cc2f5467c78a9bce6f14b4b8e    True      False      False      1              1                   1                     0                      19m
================================================================
$ opatch cr cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-3 -p '{"spec":{"apply":true}}' --type='merge'
complianceremediation.compliance.openshift.io/cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-3 patched
$ oc get mcp -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-13c24bb371a9b807d798153c3537ba41   True      False      False      3              3                   3                     0                      6h37m
worker   rendered-worker-b56f06fdbefe161b0b59d1eea1e3ef11   True      False      False      2              2                   2                     0                      6h37m
wscan    rendered-wscan-688cfb7cc2f5467c78a9bce6f14b4b8e    True      False      False      1              1                   1                     0                      20m
wscan    rendered-wscan-688cfb7cc2f5467c78a9bce6f14b4b8e    False     True       False      1              0                   0                     0                      20m
wscan    rendered-wscan-688cfb7cc2f5467c78a9bce6f14b4b8e    False     True       False      1              0                   0                     0                      20m
^C$ oc get cr | grep cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available       Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-1     Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-2     Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-3     Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-4     Applied
cis-wscan-tp-kubelet-eviction-thresholds-set-soft-memory-available-5     Applied
$ oc get kubeletconfigs.machineconfiguration.openshift.io compliance-operator-kubelet-wscan -o=jsonpath={.spec.kubeletConfig} | jq -r
{
  "evictionPressureTransitionPeriod": "0s",
  "evictionSoft": {
    "imagefs.available": "15%",
    "memory.available": "500Mi",
    "nodefs.available": "10%",
    "nodefs.inodesFree": "5%"
  },
  "evictionSoftGracePeriod": {
    "imagefs.available": "1m30s",
    "memory.available": "1m30s",
    "nodefs.available": "1m30s",
    "nodefs.inodesFree": "1m30s"
  }
}

@jhrozek
Copy link

jhrozek commented Dec 20, 2022 via email

@Vincent056
Copy link
Author

On Tue, Dec 20, 2022 at 06:40:34AM -0800, Xiaojie Yuan wrote: Repeated the test with 4.13.0-0.nightly-2022-12-19-122634 and new CO version from the PR. Now it working as expected. When applying a rule with/without "-1/-2/-3/-4/-5" postfix, the related crs will get applied. However, there is another problem, seems after rescan some cr in OutDated status, but I didn't see any difference from the current config and outdated config, details seen from: http://pastebin.test.redhat.com/1085853. Could you help to check? Thanks.
btw Xiaojie showed me the problem earlier today and I think that it's an unrelated bug because the objects in .spec.current and .spec.outdated were the same. I don't know if we should fix the issue in the same PR, just saying that it's probably not related to the code changes in this PR, but rather some old bug that got triggered.

Let me look into this

@jhrozek
Copy link

jhrozek commented Jan 13, 2023

Looks like this PR needs to be rebased.

@jhrozek
Copy link

jhrozek commented Jan 13, 2023 via email

@Vincent056
Copy link
Author

On Tue, Dec 20, 2022 at 06:38:46PM -0800, Vincent Shen wrote: > On Tue, Dec 20, 2022 at 06:40:34AM -0800, Xiaojie Yuan wrote: Repeated the test with 4.13.0-0.nightly-2022-12-19-122634 and new CO version from the PR. Now it working as expected. When applying a rule with/without "-1/-2/-3/-4/-5" postfix, the related crs will get applied. However, there is another problem, seems after rescan some cr in OutDated status, but I didn't see any difference from the current config and outdated config, details seen from: http://pastebin.test.redhat.com/1085853. Could you help to check? Thanks. > btw Xiaojie showed me the problem earlier today and I think that it's an unrelated bug because the objects in .spec.current and .spec.outdated were the same. I don't know if we should fix the issue in the same PR, just saying that it's probably not related to the code changes in this PR, but rather some old bug that got triggered. Let me look into this
btw I don't think the issue is related and therefore should be a separate PR with a separate ticket.

Thanks, I will file in a separate ticket for it

@jhrozek
Copy link

jhrozek commented Jan 16, 2023

/test e2e-aws
infra issues

Copy link

@jhrozek jhrozek left a comment

I think there's a small bug we need to fix

Make Compliance Operator apply all the related remediations for one CCR
@Vincent056
Copy link
Author

/retest

Copy link

@jhrozek jhrozek left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jan 17, 2023
@openshift-ci
Copy link

openshift-ci bot commented Jan 17, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhrozek, Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jhrozek
Copy link

jhrozek commented Jan 17, 2023

@xiaojiey PTAL for formal QE-ack
@sheriff-rh PTAL for docs ack
@mkumku PTAL for PX ack

Copy link

@rhmdnd rhmdnd left a comment

Looks good - still waiting on a cluster to test this.

@mkumku
Copy link
Collaborator

mkumku commented Jan 18, 2023

Hi Vincent, what is the option to still apply the remediations one by one, if the customer wants to do so or for debugging purposes?

@Vincent056
Author

> Hi Vincent, what is the option to still go one by one applying the remediations, if the customer wants to do so or for debugging purposes?

They shouldn't apply the remediations associated with a rule one by one; they should be applied at once. It might break their cluster if the remediations associated with a rule were only partially applied.

@mkumku
Collaborator

mkumku commented Jan 18, 2023

LGTM.
No TE is needed since it will be in the release notes and no special config required from the user.

@jhrozek

jhrozek commented Jan 19, 2023

Adding qe-approved since @xiaojiey tested the PR and the issue she saw was agreed to be a separate problem.

@openshift-merge-robot openshift-merge-robot merged commit 6b1b904 into ComplianceAsCode:master Jan 20, 2023
@openshift-ci-robot
Collaborator

@Vincent056: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-4338 has been moved to the MODIFIED state.

In response to this:

Make Compliance Operator apply all the related remediations for one ComplianceCheckResult at once. This helps users who use manual remediation: the feature will look for all the related remediations for a ComplianceCheckResult when one remediation is applied.

For example, we have

ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-1
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-2
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3
ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-4

remediations; when a user applies any one of them, we will apply all the other remediations associated with the rule.

OCPBUGS-4338: https://issues.redhat.com/browse/OCPBUGS-4338

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
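The grouping behaviour described in the PR (applying one remediation of a ComplianceCheckResult pulls in its `-1`, `-2`, ... siblings) as an added, self-contained example. This is illustration code, not the Compliance Operator's own implementation: it assumes that siblings are linked purely by the `-N` name suffix shown in the description (the operator may use a different linkage), and the `Remediation` struct, `Siblings`, `ApplyAll` and the sample list are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Remediation is a constructed stand-in for a ComplianceRemediation object,
// reduced to the two fields this example needs.
type Remediation struct {
	Name    string
	Applied bool
}

// suffixRe matches the "-N" postfix that distinguishes the 2nd..Nth
// remediation of one check result from the first one
// (e.g. "...-inodesfree-3"). Assumption for this example only.
var suffixRe = regexp.MustCompile(`^(.*)-(\d+)$`)

// Siblings returns the names of all remediations that belong to the same
// check result as `name`, including `name` itself, sorted. A "-N" suffix is
// stripped only when the stripped name is itself a remediation, so a rule
// whose own name happens to end in a number is not merged into a stranger.
func Siblings(all []Remediation, name string) []string {
	byName := map[string]bool{}
	for _, r := range all {
		byName[r.Name] = true
	}
	group := func(n string) string {
		if m := suffixRe.FindStringSubmatch(n); m != nil && byName[m[1]] {
			return m[1]
		}
		return n
	}
	base := group(name)
	var out []string
	for _, r := range all {
		if group(r.Name) == base {
			out = append(out, r.Name)
		}
	}
	sort.Strings(out)
	return out
}

// ApplyAll marks every sibling of `name` as applied and returns the names
// whose state actually changed. Applying only some of a rule's remediations
// can leave a node half-configured, which is the failure mode the PR avoids.
func ApplyAll(all []Remediation, name string) []string {
	want := map[string]bool{}
	for _, s := range Siblings(all, name) {
		want[s] = true
	}
	var changed []string
	for i := range all {
		if want[all[i].Name] && !all[i].Applied {
			all[i].Applied = true
			changed = append(changed, all[i].Name)
		}
	}
	sort.Strings(changed)
	return changed
}

// sampleRemediations builds constructed input: the five names from the PR
// description plus one made-up rule whose name ends in digits and has no
// siblings, to exercise the edge case in Siblings.
func sampleRemediations() []Remediation {
	const base = "ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree"
	return []Remediation{
		{Name: base}, {Name: base + "-1"}, {Name: base + "-2"},
		{Name: base + "-3"}, {Name: base + "-4"},
		{Name: "example-rule-tls-1-2"}, // constructed, not a real rule name
	}
}

func main() {
	rs := sampleRemediations()
	// A user applies only "-3"; the whole group should follow.
	changed := ApplyAll(rs, "ocp4-cis-kubelet-eviction-thresholds-set-soft-nodefs-inodesfree-3")
	for _, n := range changed {
		fmt.Println("applied:", n)
	}
	fmt.Println("siblings of example-rule-tls-1-2:", Siblings(rs, "example-rule-tls-1-2"))
}
```

The second `ApplyAll` call on an already-applied group returns nothing, which is the idempotence a reconciler loop relies on; the digit-ended rule name shows why a naive "strip the trailing -N" would be wrong.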

8 participants