Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CMP-2378: Fix OCP version regex #11499

Merged
merged 3 commits into from
Feb 21, 2024
Merged

CMP-2378: Fix OCP version regex #11499

merged 3 commits into from
Feb 21, 2024

Conversation

Vincent056
Copy link
Contributor

@Vincent056 Vincent056 commented Jan 30, 2024
edited
Loading

We have issues when the OCP version is something like 4.14.6, the old regex matches this version into both 4.6 and 4.14, this commit changes the regex so it requires the match to start with '4'.

This is related to:
https://issues.redhat.com/browse/CMP-2378

@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 30, 2024
edited
Loading

Start a new ephemeral environment with changes proposed in this pull request:

ocp4 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 30, 2024
edited
Loading

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11499

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11499

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11499 make deploy-local

@marcusburghardt marcusburghardt added the OpenShift OpenShift product related. label Jan 30, 2024
@Vincent056
Copy link
Contributor Author

Vincent056 commented Jan 31, 2024
edited
Loading

deployed and tested on a OCP 4.14.6 cluster:

Title
	Configure the kubelet Certificate File for the API Server
Rule
	xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert_pre_4_9
Ident
	CCE-85890-2
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert_pre_4_9'.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_node_on_openshift-ovn:def:1': Red Hat OpenShift Container network 4 on OpenShift-OVN.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_node_on_openshift-ovn:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_node_on_openshift-sdn:def:1': Red Hat OpenShift Container network 4 on OpenShift-SDN.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_node_on_openshift-sdn:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_node:def:1': Red Hat OpenShift Container Platform Node.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_node:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_aws:def:1': Red Hat OpenShift Container Platform 4 on AWS.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_aws:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_azure:def:1': Red Hat OpenShift Container Platform 4 on Azure.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_azure:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_gcp:def:1': Red Hat OpenShift Container Platform 4 on GCP.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_gcp:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_openshiftovn:def:1': Red Hat OpenShift Container network 4 on OpenShiftOVN.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_openshiftovn:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1': Red Hat OpenShift Container network 4 on OpenShiftSDN.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_10:def:1': Red Hat OpenShift Container Platform 4.10.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_10:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_11:def:1': Red Hat OpenShift Container Platform 4.11.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_11:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_12:def:1': Red Hat OpenShift Container Platform 4.12.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_12:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_13:def:1': Red Hat OpenShift Container Platform 4.13.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_13:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_14:def:1': Red Hat OpenShift Container Platform 4.14.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_14:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_15:def:1': Red Hat OpenShift Container Platform 4.15.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_15:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_16:def:1': Red Hat OpenShift Container Platform 4.16.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_16:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_17:def:1': Red Hat OpenShift Container Platform 4.17.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_17:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_18:def:1': Red Hat OpenShift Container Platform 4.18.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_18:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_6:def:1': Red Hat OpenShift Container Platform 4.6.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_6:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_7:def:1': Red Hat OpenShift Container Platform 4.7.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_7:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_8:def:1': Red Hat OpenShift Container Platform 4.8.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_8:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_9:def:1': Red Hat OpenShift Container Platform 4.9.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_9:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4:def:1': Red Hat OpenShift Container Platform.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4:def:1' evaluated as true.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_hypershift_hosted:def:1': Red Hat OpenShift Container Platform.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_hypershift_hosted:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_6:def:1': Red Hat OpenShift Container Platform 4.6.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_6:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_7:def:1': Red Hat OpenShift Container Platform 4.7.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_7:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_8:def:1': Red Hat OpenShift Container Platform 4.8.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_8:def:1' evaluated as false.
I: oscap: Rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert_pre_4_9' is not applicable.
Result
	notapplicable

[vincent@node cac-content-fork]$ oc get --raw /apis/config.openshift.io/v1/clusteroperators/openshift-apiserver | jq '[.status.versions[].version]'
[
  "4.14.6",
  "4.14.6"
]

@Vincent056
Copy link
Contributor Author

/test

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 31, 2024

@Vincent056: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test 4.14-images
  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Vincent056
Copy link
Contributor Author

/test e2e-aws-ocp4-cis

@xiaojiey
Copy link
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Jan 31, 2024
@xiaojiey
Copy link
Collaborator

xiaojiey commented Feb 1, 2024

@Vincent056 The expected result should be there will be test result for ocp4-cis-api-server-kubelet-client-key, and no result for ocp4-cis-api-server-kubelet-client-key-pre-4-9, right?
It is weird, I tested with payload 4.14.6 and didn't neither of them with this PR.

@xiaojiey
Copy link
Collaborator

xiaojiey commented Feb 1, 2024

Verification pass with 4.14.6 and content in #11499:
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.14.6 True False 8h Cluster version is 4.14.6

$ oc compliance bind -N test profile/upstream-ocp4-cis
Creating ScanSettingBinding test
$ oc get suite -w
NAME PHASE RESULT
test RUNNING NOT-AVAILABLE
test AGGREGATING NOT-AVAILABLE
test DONE NON-COMPLIANT
test DONE NON-COMPLIANT
^C
$ oc get ccr | grep kubelet-client
upstream-ocp4-cis-api-server-kubelet-client-cert PASS high
upstream-ocp4-cis-api-server-kubelet-client-key PASS high

@xiaojiey
Copy link
Collaborator

xiaojiey commented Feb 1, 2024

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label Feb 1, 2024
@xiaojiey
Copy link
Collaborator

xiaojiey commented Feb 1, 2024

/label qe-approved

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Feb 1, 2024

@xiaojiey: The label(s) qe-approved cannot be applied, because the repository doesn't have them.

In response to this:

/label qe-approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@yuumasato yuumasato self-assigned this Feb 2, 2024
@yuumasato
Copy link
Member

@BhargaviGudi Hi, could you check this PR once again?

yuumasato
yuumasato approved these changes Feb 6, 2024
View reviewed changes
Copy link
Member

@yuumasato yuumasato left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@BhargaviGudi
Copy link
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Feb 7, 2024
@Vincent056 Vincent056 changed the title OCP4: Fix OCP version regex CMP-2378: Fix OCP version regex Feb 7, 2024
@BhargaviGudi
Copy link
Collaborator

Verification passed with 4.14.6 + compliance-operator with compliance-operator code + PR #11499 code

$ oc get clusterversions.config.openshift.io 
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.14.6    True        False         4h36m   Cluster version is 4.14.6
$ oc compliance bind -N test profile/upstream-ocp4-cis
Creating ScanSettingBinding test
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
$ oc get ccr | grep kubelet-client
upstream-ocp4-cis-api-server-kubelet-client-cert                           PASS     high
upstream-ocp4-cis-api-server-kubelet-client-key                            PASS     high

@BhargaviGudi
Copy link
Collaborator

/unhold
/label qe-approved

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label Feb 12, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Feb 12, 2024

@BhargaviGudi: The label(s) qe-approved cannot be applied, because the repository doesn't have them.

In response to this:

/unhold
/label qe-approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@BhargaviGudi
Copy link
Collaborator

/lgtm

@rhmdnd rhmdnd mentioned this pull request Feb 13, 2024
Merged
@rhmdnd
Copy link
Collaborator

rhmdnd commented Feb 13, 2024

/test

@BhargaviGudi
Copy link
Collaborator

@lbragstad I did not observe the issue with 4.16.0 or 4.15.0 or 4.13.0

$ oc get ccr | grep kubelet-client
upstream-ocp4-cis-api-server-kubelet-client-cert                           PASS     high
upstream-ocp4-cis-api-server-kubelet-client-key                            PASS     high
$ oc get clusterversions.config.openshift.io 
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2024-02-08-073857   True        False         3h4m    Cluster version is 4.16.0-0.nightly-2024-02-08-073857

@rhmdnd
Copy link
Collaborator

rhmdnd commented Feb 19, 2024

/test 4.15-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig

@rhmdnd
Copy link
Collaborator

rhmdnd commented Feb 19, 2024

The 4.16 e2e tests still seem to be failing on:

helpers.go:815: E2E-FAILURE: The expected result for the api_server_api_priority_flowschema_catch_all rule didn't match. Expected 'PASS', Got 'FAIL'

@rhmdnd rhmdnd mentioned this pull request Feb 19, 2024
Merged
@Vincent056
Copy link
Contributor Author

The 4.16 e2e tests still seem to be failing on:

helpers.go:815: E2E-FAILURE: The expected result for the api_server_api_priority_flowschema_catch_all rule didn't match. Expected 'PASS', Got 'FAIL'

OCP4.16 has introduced flowcontrol.apiserver.k8s.io/v1 https://kubernetes.io/docs/reference/using-api/deprecation-guide/

@Vincent056
Copy link
Contributor Author

/retest

@Vincent056
OCP4: Fix OCP version regex
59708f9 
We have issues when the OCP version is something like 4.14.6, the old regex matches this version into both 4.6 and 4.14, this commit change the regex so it requires the match to start with '4'.
@Vincent056
Adding ocp4.14 ocp4.15 to applicable ocp rules
b3c374d 
Adding ocp4.14 ocp4.15 to applicable rules so they get run on those OCP versions
@Vincent056
Copy link
Contributor Author

/test 4.15-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig

@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 20, 2024
edited
Loading

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
New content has different text for rule 'xccdf_org.ssgproject.content_rule_api_server_api_priority_flowschema_catch_all'.
--- xccdf_org.ssgproject.content_rule_api_server_api_priority_flowschema_catch_all
+++ xccdf_org.ssgproject.content_rule_api_server_api_priority_flowschema_catch_all
@@ -17,7 +17,8 @@
 This rule's check operates on the cluster configuration dump.
 Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all API endpoint to the local /apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all file  true
      /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all API endpoint to the local /apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all file  true
-     /apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all API endpoint to the local /apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all file  true .
+     /apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all API endpoint to the local /apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all file  true
+     /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all API endpoint to the local /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/catch-all file  true .
 
 [reference]:
 CIP-003-8 R6

OVAL for rule 'xccdf_org.ssgproject.content_rule_api_server_api_priority_flowschema_catch_all' differs.
--- oval:ssg-api_server_api_priority_flowschema_catch_all:def:1
+++ oval:ssg-api_server_api_priority_flowschema_catch_all:def:1
@@ -2,3 +2,4 @@
 extend_definition oval:ssg-api_server_api_priority_v1alpha1_flowschema_catch_all:def:1
 extend_definition oval:ssg-api_server_api_priority_v1beta1_flowschema_catch_all:def:1
 extend_definition oval:ssg-api_server_api_priority_v1beta2_flowschema_catch_all:def:1
+extend_definition oval:ssg-api_server_api_priority_v1_flowschema_catch_all:def:1

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_api_server_api_priority_v1beta2_flowschema_catch_all'
--- xccdf_org.ssgproject.content_rule_api_server_api_priority_v1beta2_flowschema_catch_all
+++ xccdf_org.ssgproject.content_rule_api_server_api_priority_v1beta2_flowschema_catch_all
@@ -1,3 +1,5 @@
 oval:ssg-installed_app_is_ocp4_11:def:1
 oval:ssg-installed_app_is_ocp4_12:def:1
 oval:ssg-installed_app_is_ocp4_13:def:1
+oval:ssg-installed_app_is_ocp4_14:def:1
+oval:ssg-installed_app_is_ocp4_15:def:1

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert'
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert
@@ -3,4 +3,7 @@
 oval:ssg-installed_app_is_ocp4_11:def:1
 oval:ssg-installed_app_is_ocp4_12:def:1
 oval:ssg-installed_app_is_ocp4_13:def:1
+oval:ssg-installed_app_is_ocp4_14:def:1
+oval:ssg-installed_app_is_ocp4_15:def:1
+oval:ssg-installed_app_is_ocp4_16:def:1
 oval:ssg-installed_app_is_ocp4_9:def:1

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key'
--- xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
+++ xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key
@@ -3,4 +3,7 @@
 oval:ssg-installed_app_is_ocp4_11:def:1
 oval:ssg-installed_app_is_ocp4_12:def:1
 oval:ssg-installed_app_is_ocp4_13:def:1
+oval:ssg-installed_app_is_ocp4_14:def:1
+oval:ssg-installed_app_is_ocp4_15:def:1
+oval:ssg-installed_app_is_ocp4_16:def:1
 oval:ssg-installed_app_is_ocp4_9:def:1

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert'
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert
@@ -3,4 +3,7 @@
 oval:ssg-installed_app_is_ocp4_11:def:1
 oval:ssg-installed_app_is_ocp4_12:def:1
 oval:ssg-installed_app_is_ocp4_13:def:1
+oval:ssg-installed_app_is_ocp4_14:def:1
+oval:ssg-installed_app_is_ocp4_15:def:1
+oval:ssg-installed_app_is_ocp4_16:def:1
 oval:ssg-installed_app_is_ocp4_9:def:1

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key'
--- xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key
+++ xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key
@@ -3,4 +3,7 @@
 oval:ssg-installed_app_is_ocp4_11:def:1
 oval:ssg-installed_app_is_ocp4_12:def:1
 oval:ssg-installed_app_is_ocp4_13:def:1
+oval:ssg-installed_app_is_ocp4_14:def:1
+oval:ssg-installed_app_is_ocp4_15:def:1
+oval:ssg-installed_app_is_ocp4_16:def:1
 oval:ssg-installed_app_is_ocp4_9:def:1

@Vincent056
Copy link
Contributor Author

/test 4.15-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig

@BhargaviGudi
Copy link
Collaborator

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Feb 20, 2024
@BhargaviGudi
Copy link
Collaborator

Verification passed with 4.16.0-0.nightly-2024-02-17-094036 + compliance-operator with compliance-operator code + PR #11499 code
Verified the same with 4.15.0-rc.5 and 4.14.6

$ oc get clusterversions.config.openshift.io 
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2024-02-17-094036   True        False         100m    Cluster version is 4.16.0-0.nightly-2024-02-17-094036
$ oc compliance bind -N test profile/upstream-ocp4-cis
Creating ScanSettingBinding test
$ oc get ssb
NAME   STATUS
test   READY
$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT
test   DONE          NON-COMPLIANT
$ oc get scan
NAME                PHASE   RESULT
upstream-ocp4-cis   DONE    NON-COMPLIANT
$ oc get ccr | grep kubelet-client
upstream-ocp4-cis-api-server-kubelet-client-cert                           PASS     high
upstream-ocp4-cis-api-server-kubelet-client-key                            PASS     high

@BhargaviGudi
Copy link
Collaborator

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label Feb 20, 2024
rhmdnd
rhmdnd approved these changes Feb 20, 2024
View reviewed changes
Copy link
Collaborator

@rhmdnd rhmdnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@Vincent056
OCP4: add api_server_api_priority_v1_flowschema_catch_all
26626d3 
OCP 4.16 has introduced flowcontrol.apiserver.k8s.io/v1, this commit adds the v1 for ocp 4.16
@codeclimate CodeClimate
Copy link

codeclimate bot commented Feb 20, 2024

Code Climate has analyzed commit 26626d3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.3% (0.0% change).

View more on Code Climate.

rhmdnd
rhmdnd approved these changes Feb 21, 2024
View reviewed changes
Copy link
Collaborator

@rhmdnd rhmdnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Checking to see if we can get the test farm to pass, even though it seems unrelated.

@rhmdnd rhmdnd merged commit 1d53639 into master Feb 21, 2024
50 of 53 checks passed
@yuumasato yuumasato added this to the 0.1.73 milestone Feb 22, 2024
@yuumasato yuumasato deleted the ocp4_version branch March 1, 2024 14:35
@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rhmdnd rhmdnd rhmdnd approved these changes

@yuumasato yuumasato yuumasato approved these changes

Assignees

@yuumasato yuumasato

Labels
OpenShift OpenShift product related. Update Rule Issues or pull requests related to Rules updates.
Projects
None yet
Milestone
0.1.73
Development

Successfully merging this pull request may close these issues.
7 participants
@Vincent056 @xiaojiey @yuumasato @BhargaviGudi @rhmdnd @Mab879 @marcusburghardt