-
Notifications
You must be signed in to change notification settings - Fork 690
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update expected result of e2e tests for sysctls already defined in /usr/lib/sysctl.d
#10930
Update expected result of e2e tests for sysctls already defined in /usr/lib/sysctl.d
#10930
Conversation
In ComplianceAsCode#10367 the sysctl template was updated to check whether a sysctl is set on /usr/lib/sysctl.d without being overwritten. kernel.kptr_restrict is set to 1 by default in /usr/lib/sysctl.d/50-redhat.conf Before, the template didn't check for sysctls in that path and resulted in Fail evaluation, requiring remediation.
The following sysctls are defined in /usr/lib/sysctl.d/50-redhat.conf and compliant by default. The sysctl template got updated to check the files in /usr/lib/sysctl.d.
...and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/kubernetes/shared.yml
Outdated
Show resolved
Hide resolved
/test help |
@yuumasato: The specified target(s) for
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test e2e-aws-rhcos4-e8 |
All related rules by default pass with 4.14 nightly pyaload 4.14.0-0.nightly-2023-08-08-094653. I will double check with a 4.10/4.11/4.12 which based on rhel8 later.
|
@yuumasato @rhmdnd For 4.12, rule rhcos4-nerc-cip-master-sysctl-net-ipv4-conf-default-accept-source-route will fail by default. We may need to keep the remediation for this rule? Or can we keep the remediaiton for all rules? Thanks. |
Thanks for checking @xiaojiey |
75b4619
to
8529633
Compare
I have dropped the commit that was removing the remediations. |
Code Climate has analyzed commit 8529633 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.3%. View more on Code Climate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Description:
default_result
of OCP e2e tests toPASS
in the following rules:sysctl_net_ipv4_conf_default_accept_source_route
sysctl_fs_protected_hardlinks
sysctl_fs_protected_symlinks
sysctl_kernel_kptr_restrict
Rationale:
/usr/lib/sysctl.d
started to be taken into account.Previously, the files in that directory were not checked but now they are. And they set up compliant sysctls for these rules.
-Fixes failures in weekly OCP CI