Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove product validation in ScanSettingBinding #489

Merged
merged 3 commits into from
Mar 21, 2024
Merged

Remove product validation in ScanSettingBinding #489

merged 3 commits into from
Mar 21, 2024

Conversation

Vincent056
Copy link

This commit removes product validation in ScanSettingBinding so we can launch both rhcos4 and ocp4-node scan in one SSB.

ex.

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: ocp4-rhcos4-moderate-mix
  namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-moderate-node
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: rhcos4-moderate
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-moderate
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default

@xiaojiey
Copy link
Collaborator

/hold for test

JAORMX
JAORMX reviewed Jan 11, 2024
View reviewed changes
Copy link
Collaborator

@JAORMX JAORMX left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this something you really wanna do? I recall us having limitations on the scans we can launch from a specific scan setting binding, and this might become problematic when scheduling them

@Vincent056
Copy link
Author

Vincent056 commented Jan 11, 2024
edited
Loading

Is this something you really wanna do? I recall us having limitations on the scans we can launch from a specific scan setting binding, and this might become problematic when scheduling them

hi @JAORMX it's good to hear from you! I wonder if you still remember what the limitations were? I spent some time digging into the code, but couldn't figure out why it was designed this way.

And I also did some testing with this PR to run scans with

apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: ocp4-rhcos4-moderate-mix
  namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-moderate-node
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: rhcos4-moderate
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-moderate
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default

All the scans were launched and working as expected, tho I will do more testing on it before making this change.

@JAORMX
Copy link
Collaborator

JAORMX commented Jan 11, 2024

Could be that we no longer have that!

@openshift-ci openshift-ci bot added the lgtm label Jan 11, 2024
@openshift-ci openshift-ci bot removed the lgtm label Jan 15, 2024
@Vincent056 Vincent056 force-pushed the mix_scan branch 2 times, most recently from 4eb3d86 to b469c24 Compare January 16, 2024 07:00
@Vincent056
Copy link
Author

Vincent056 commented Jan 16, 2024
edited
Loading

we are affected by ComplianceAsCode/content@6343659:

[vincent@node compliance-operator]$ for i in `oc get node|grep -i master|cut -d " " -f1`; do echo $i;oc debug -q node/$i -- ls -l /host/var/log/kube-apiserver;done;
ip-10-0-157-230.ec2.internal
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
total 130948
-rw-------. 1 root root 79922585 Jan 16 09:06 audit.log
-rw-r--r--. 1 root root        4 Jan 16 08:39 termination.log
ip-10-0-188-243.ec2.internal
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
total 106436
-rw-------. 1 root root 104856885 Jan 16 09:05 audit-2024-01-16T09-05-41.016.log
-rw-------. 1 root root   2514143 Jan 16 09:06 audit.log
-rw-r--r--. 1 root root         4 Jan 16 08:37 termination.log
ip-10-0-199-110.ec2.internal
Warning: would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
total 117908
-rw-------. 1 root root 103748183 Jan 16 09:06 audit.log
-rw-------. 1 root root   1132900 Jan 16 08:43 termination.log

We might need to update the OCP version:

[vincent@node compliance-operator]$ oc get clusterversion
NAME      VERSION                                                    AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.ci.test-2024-01-16-081659-ci-op-v3mjd6zh-latest   True        False         25m     Cluster version is 4.12.0-0.ci.test-2024-01-16-081659-ci-op-v3mjd6zh-latest

@xiaojiey
Copy link
Collaborator

Per https://issues.redhat.com/browse/OCPBUGS-11856, seems it was fixed on 4.14 and higher versions

rhmdnd
rhmdnd reviewed Jan 16, 2024
View reviewed changes
tests/e2e/serial/main_test.go Outdated
@@ -232,7 +232,7 @@ func TestSuiteScan(t *testing.T) {
},
},
ID: "xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument",
Status: compv1alpha1.CheckResultInfo,
Status: compv1alpha1.CheckResultFail,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to be pulled out into it's own PR since ComplianceAsCode/content#11329 landed?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#490 create a PR here

@xiaojiey
Copy link
Collaborator

@Vincent056 I retested the PR, I still got the same result for moderate profiles.
After all auto-remediations applied, the test suite showed INCONSISTENT, and some rules showed FAIL even if the auto-remediation are available for them.

$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
NAME                                                                   STATUS   SEVERITY
rhcos4-moderate-master-service-debug-shell-disabled                    FAIL     medium
rhcos4-moderate-master-sysctl-net-core-bpf-jit-harden                  FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
rhcos4-moderate-worker-service-debug-shell-disabled                    FAIL     medium
rhcos4-moderate-worker-sysctl-net-core-bpf-jit-harden                  FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
$ oc get ccr -l compliance.openshift.io/inconsistent-check
NAME                                                                               STATUS         SEVERITY
ocp4-moderate-node-worker-kubelet-anonymous-auth                                   INCONSISTENT   medium
ocp4-moderate-node-worker-kubelet-eviction-thresholds-set-hard-imagefs-available   INCONSISTENT   medium
ocp4-moderate-node-worker-kubelet-eviction-thresholds-set-hard-memory-available    INCONSISTENT   medium
ocp4-moderate-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-available    INCONSISTENT   medium
ocp4-moderate-node-worker-kubelet-eviction-thresholds-set-hard-nodefs-inodesfree   INCONSISTENT   medium

@github-actions GitHub Actions
Copy link

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:489

@BhargaviGudi
Copy link
Collaborator

/hold for test

@BhargaviGudi
Copy link
Collaborator

Verification failed with 4.15.0-0.nightly-2024-02-12-213938 + compliance-operator from PR #489

Verification failed for moderate profiles.
Even after multiple rescan some rules showed FAIL even if the auto-remediation are available for them.
@Vincent056 Could you please help me check? Thanks

1. Install CO from PR code
2. Create ssb with profiles ocp4-moderate,ocp4-moderate-node, rhcos4-moderate
$ oc compliance bind -N test -S default-auto-apply profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
Creating ScanSettingBinding test
$ oc get scan
NAME                        PHASE   RESULT
ocp4-moderate               DONE    NON-COMPLIANT
ocp4-moderate-node-master   DONE    NON-COMPLIANT
ocp4-moderate-node-worker   DONE    NON-COMPLIANT
rhcos4-moderate-master      DONE    NON-COMPLIANT
rhcos4-moderate-worker      DONE    NON-COMPLIANT
3. $ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': ocp4-moderate, ocp4-moderate-node-master, ocp4-moderate-node-worker, rhcos4-moderate-master, rhcos4-moderate-worker
Re-running scan 'openshift-compliance/ocp4-moderate'
Re-running scan 'openshift-compliance/ocp4-moderate-node-master'
Re-running scan 'openshift-compliance/ocp4-moderate-node-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT
$ oc get ccr -l compliance.openshift.io/inconsistent-check 
No resources found in openshift-compliance namespace.
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL | grep service-debug-shell-disabled
rhcos4-moderate-master-service-debug-shell-disabled                    FAIL     medium
rhcos4-moderate-worker-service-debug-shell-disabled                    FAIL     medium
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL
NAME                                                                   STATUS   SEVERITY
rhcos4-moderate-master-service-debug-shell-disabled                    FAIL     medium
rhcos4-moderate-master-sysctl-net-core-bpf-jit-harden                  FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
rhcos4-moderate-master-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium
rhcos4-moderate-worker-service-debug-shell-disabled                    FAIL     medium
rhcos4-moderate-worker-sysctl-net-core-bpf-jit-harden                  FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-ra              FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-all-accept-redirects       FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-ra          FAIL     medium
rhcos4-moderate-worker-sysctl-net-ipv6-conf-default-accept-redirects   FAIL     medium

@Vincent056
Remove product validation in ScanSettingBinding
dc8068c 
This commit remove product validation in ScanSettingBinding so we can launch both rhcos4 and ocp4-node scan in one SSB.
@github-actions GitHub Actions
Copy link

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:489

@BhargaviGudi
Copy link
Collaborator

Unable to create ssb with both rhcos4 and ocp4. Observing below error.

$ oc compliance bind -N test -S default-auto-apply profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
Creating ScanSettingBinding test
[bgudi@bgudi-thinkpadt14sgen2i compliance-operator]$ oc get ssb
NAME   STATUS
test   INVALID
$ oc describe ssb test  | tail 
    Last Transition Time:  2024-02-26T08:32:04Z
    Message:               ScanSettingBinding defines multiple products: redhat_enterprise_linux_coreos_4 and redhat_openshift_container_platform_node_4
    Reason:                Invalid
    Status:                False
    Type:                  Ready
  Phase:                   INVALID
Events:
  Type     Reason            Age                    From                    Message
  ----     ------            ----                   ----                    -------
  Warning  MultipleProducts  2m30s (x2 over 2m30s)  scansettingbindingctrl  ScanSettingBinding defines multiple products: redhat_enterprise_linux_coreos_4 and redhat_openshift_container_platform_node_4

@Vincent056 Could you please help me check this issue? Thanks

@Vincent056
Copy link
Author

Unable to create ssb with both rhcos4 and ocp4. Observing below error.

$ oc compliance bind -N test -S default-auto-apply profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
Creating ScanSettingBinding test
[bgudi@bgudi-thinkpadt14sgen2i compliance-operator]$ oc get ssb
NAME   STATUS
test   INVALID
$ oc describe ssb test  | tail 
    Last Transition Time:  2024-02-26T08:32:04Z
    Message:               ScanSettingBinding defines multiple products: redhat_enterprise_linux_coreos_4 and redhat_openshift_container_platform_node_4
    Reason:                Invalid
    Status:                False
    Type:                  Ready
  Phase:                   INVALID
Events:
  Type     Reason            Age                    From                    Message
  ----     ------            ----                   ----                    -------
  Warning  MultipleProducts  2m30s (x2 over 2m30s)  scansettingbindingctrl  ScanSettingBinding defines multiple products: redhat_enterprise_linux_coreos_4 and redhat_openshift_container_platform_node_4

@Vincent056 Could you please help me check this issue? Thanks

could you test without using
make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:489 this workflow hass issue right now. @BhargaviGudi

@Vincent056
Copy link
Author

also, service_debug-shell_disabled failure is not related to this PR, it is caused by ComplianceAsCode/content#11638.

@Vincent056
Copy link
Author

also, service_debug-shell_disabled failure is not related to this PR, it is caused by ComplianceAsCode/content#11638. @BhargaviGudi @xiaojiey

@BhargaviGudi
Copy link
Collaborator

Verification passed with 4.16.0-0.nightly-2024-02-29-062601 + compliance-operator from PR #489

1.Install CO from #489 code
2. Create ssb with both ocp4 and rhcos4 moderate profiles

$ oc compliance bind -N test -S default-auto-apply profile/ocp4-moderate profile/ocp4-moderate-node profile/rhcos4-moderate
Creating ScanSettingBinding test
$ oc get ssb
NAME   STATUS
test   READY
$ oc get suite
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT
$ oc get scan
NAME                        PHASE   RESULT
ocp4-moderate               DONE    NON-COMPLIANT
ocp4-moderate-node-master   DONE    NON-COMPLIANT
ocp4-moderate-node-worker   DONE    NON-COMPLIANT
rhcos4-moderate-master      DONE    NON-COMPLIANT
rhcos4-moderate-worker      DONE    NON-COMPLIANT
$ oc get cr | wc -l
384
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL  | wc -l
384
  1. Rescan 1, Test suite showed INCONSISTENT after first rescan
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': ocp4-moderate, ocp4-moderate-node-master, ocp4-moderate-node-worker, rhcos4-moderate-master, rhcos4-moderate-worker
Re-running scan 'openshift-compliance/ocp4-moderate'
Re-running scan 'openshift-compliance/ocp4-moderate-node-master'
Re-running scan 'openshift-compliance/ocp4-moderate-node-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
$ oc get mcp 
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-7d0ea5763836e5b625eba3944429b98d   True      False      False      3              3                   3                     0                      75m
worker   rendered-worker-87c4d7ee718c76bfe7480070caf12219   True      False      False      3              3                   3                     0                      75m
$ oc get suite
NAME   PHASE   RESULT
test   DONE    INCONSISTENT
$ oc get scan
NAME                        PHASE   RESULT
ocp4-moderate               DONE    NON-COMPLIANT
ocp4-moderate-node-master   DONE    INCONSISTENT
ocp4-moderate-node-worker   DONE    NON-COMPLIANT
rhcos4-moderate-master      DONE    INCONSISTENT
rhcos4-moderate-worker      DONE    INCONSISTENT
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=INCONSISTENT | wc -l
374
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=INCONSISTENT | head
NAME                                                                                                STATUS         SEVERITY
ocp4-moderate-node-master-directory-access-var-log-kube-audit                                       INCONSISTENT   medium
ocp4-moderate-node-master-directory-access-var-log-oauth-audit                                      INCONSISTENT   medium
ocp4-moderate-node-master-directory-access-var-log-ocp-audit                                        INCONSISTENT   medium
rhcos4-moderate-master-audit-rules-dac-modification-chmod                                           INCONSISTENT   medium
rhcos4-moderate-master-audit-rules-dac-modification-chown                                           INCONSISTENT   medium
rhcos4-moderate-master-audit-rules-dac-modification-fchmod                                          INCONSISTENT   medium
rhcos4-moderate-master-audit-rules-dac-modification-fchmodat                                        INCONSISTENT   medium
rhcos4-moderate-master-audit-rules-dac-modification-fchown                                          INCONSISTENT   medium
rhcos4-moderate-master-audit-rules-dac-modification-fchownat                                        INCONSISTENT   medium
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL | wc -l
7
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL 
NAME                                                  STATUS   SEVERITY
rhcos4-moderate-master-service-debug-shell-disabled   FAIL     medium
rhcos4-moderate-master-service-usbguard-enabled       FAIL     medium
rhcos4-moderate-master-usbguard-allow-hid-and-hub     FAIL     medium
rhcos4-moderate-worker-service-debug-shell-disabled   FAIL     medium
rhcos4-moderate-worker-service-usbguard-enabled       FAIL     medium
rhcos4-moderate-worker-usbguard-allow-hid-and-hub     FAIL     medium
  1. No failures fond after multiple auto-remediations applied
$ oc compliance rerun-now scansettingbinding test
Rerunning scans from 'test': ocp4-moderate, ocp4-moderate-node-master, ocp4-moderate-node-worker, rhcos4-moderate-master, rhcos4-moderate-worker
Re-running scan 'openshift-compliance/ocp4-moderate'
Re-running scan 'openshift-compliance/ocp4-moderate-node-master'
Re-running scan 'openshift-compliance/ocp4-moderate-node-worker'
Re-running scan 'openshift-compliance/rhcos4-moderate-master'
Re-running scan 'openshift-compliance/rhcos4-moderate-worker'
$ oc get suite -w
NAME   PHASE   RESULT
test   DONE    NON-COMPLIANT
^C$ oc get scan
NAME                        PHASE   RESULT
ocp4-moderate               DONE    NON-COMPLIANT
ocp4-moderate-node-master   DONE    NON-COMPLIANT
ocp4-moderate-node-worker   DONE    NON-COMPLIANT
rhcos4-moderate-master      DONE    NON-COMPLIANT
rhcos4-moderate-worker      DONE    NON-COMPLIANT
$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-cf516039ca96cdda753182127e231b75   True      False      False      3              3                   3                     0                      117m
worker   rendered-worker-988dc07a0adb1aa35c672f8ba3fe36ed   True      False      False      3              3                   3                     0                      117m
$ oc get ccr -l compliance.openshift.io/automated-remediation=,compliance.openshift.io/check-status=FAIL 
NAME                                                  STATUS   SEVERITY
rhcos4-moderate-master-service-debug-shell-disabled   FAIL     medium
rhcos4-moderate-worker-service-debug-shell-disabled   FAIL     medium
$ oc get ccr -l compliance.openshift.io/inconsistent-check
No resources found in openshift-compliance namespace.

service-debug-shell-disabled failure is caused by ComplianceAsCode/content#11638

@BhargaviGudi
Copy link
Collaborator

/unhold

@BhargaviGudi
Copy link
Collaborator

/label qe-approved

@BhargaviGudi
Copy link
Collaborator

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Mar 4, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Mar 4, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: BhargaviGudi, JAORMX, Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [BhargaviGudi,Vincent056]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Vincent056
OCP4/e2e: TestMixProductScan INCONSISTENT for file_permissions_var_lo…
d45bb1e 
…g_kube_audit

E2e tests have been flaky because of the file_permissions_var_log_kube_audit rule. This is because there is a bug in the API-server in old versions of OCP[1][2]. For now, we'll just check that the scan is not inconsistent until we upgrade to a version that has the fix. [1]https://bugzilla.redhat.com/show_bug.cgi?id=2001442 [2]ComplianceAsCode/content@6343659
@openshift-ci openshift-ci bot removed the lgtm label Mar 4, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 4, 2024

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:489

rhmdnd
rhmdnd reviewed Mar 4, 2024
View reviewed changes
Copy link

@rhmdnd rhmdnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only one comment on the e2e test. Otherwise, experimenting with this locally works as expected.

Thanks!

@BhargaviGudi BhargaviGudi mentioned this pull request Mar 5, 2024
Merged
@Vincent056
Remove ResultInconsistent for flaky e2e test
5bed715 
Since later OCP has addressed the bug in the API-server https://bugzilla.redhat.com/show_bug.cgi?id=2001442, we can remove the ResultInconsistent as the accept result.
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 7, 2024

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:489

rhmdnd
rhmdnd reviewed Mar 21, 2024
View reviewed changes
pkg/controller/scansettingbinding/scansettingbinding_controller.go
@@ -183,27 +182,11 @@ func (r *ReconcileScanSettingBinding) Reconcile(ctx context.Context, request rec
}
}

scan, product, err := newCompScanFromBindingProfile(r, instance, profileObj, log)
scan, _, err := newCompScanFromBindingProfile(r, instance, profileObj, log)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is the only place where this is called, and since we're not using product anymore we can probably clean it up in another patch.

@rhmdnd
Copy link

rhmdnd commented Mar 21, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Mar 21, 2024
@rhmdnd rhmdnd requested review from mkumku and sheriff-rh March 21, 2024 18:15
@openshift-merge-bot openshift-merge-bot bot merged commit 1c5f9e7 into master Mar 21, 2024
24 checks passed
@openshift-merge-bot openshift-merge-bot bot deleted the mix_scan branch March 21, 2024 20:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rhmdnd rhmdnd rhmdnd left review comments

@BhargaviGudi BhargaviGudi BhargaviGudi approved these changes

@JAORMX JAORMX JAORMX approved these changes

@xiaojiey xiaojiey Awaiting requested review from xiaojiey

@mkumku mkumku Awaiting requested review from mkumku

@sheriff-rh sheriff-rh Awaiting requested review from sheriff-rh

Assignees

@JAORMX JAORMX

@rhmdnd rhmdnd

@BhargaviGudi BhargaviGudi

Labels
approved lgtm px-approved qe-approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Vincent056 @xiaojiey @JAORMX @BhargaviGudi @rhmdnd @mkumku