OpenShift 4.4 - ssg-ocp4-ds.xml profiles not applicable?
Closed this issue · 2 comments
Hi,
Thanks for this operator, which will hopefully become official in OpenShift operators :-)
Maybe I am doing something wrong, but the following compliance suite seems not applicable on OpenShift 4.4:
```yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  name: example-compliancesuite
spec:
  autoApplyRemediations: false
  schedule: " 0 1 * * *"
  scans:
    - name: workers-scan
      nodeSelector:
        node-role.kubernetes.io/worker: ""
      contentImage: quay.io/complianceascode/ocp4:latest
      content: ssg-ocp4-ds.xml
      profile: xccdf_org.ssgproject.content_profile_moderate
```
```
$ oc get compliancescans -n openshift-compliance
NAME                 PHASE   RESULT
pssec-masters-scan   DONE    NOT-APPLICABLE
pssec-workers-scan   DONE    NOT-APPLICABLE
$ oc get complianceremediations -n openshift-compliance
--> Returns no remediation at all
```
The following profile works fine on the same cluster:
```yaml
content: ssg-rhcos4-ds.xml
profile: xccdf_org.ssgproject.content_profile_moderate
```
```
$ oc get compliancesuite -n openshift-compliance
NAME                    PHASE   RESULT
pssec-compliancesuite   DONE    NON-COMPLIANT
$ oc get complianceremediations -n openshift-compliance
--> Returns quite a few remediations
$ oc version
Client Version: 4.3.5
Server Version: 4.4.11
Kubernetes Version: v1.17.1+166b070
```
Any hint?
Many thanks in advance and best regards.
Thierry
@tagvd Just note that we're targeting 4.6 for the operator (and have been developing on 4.6 and 4.5) so you may run into some other issues with 4.4.
`ssg-ocp4-ds.xml` is the content for platform checks, and it can be run if you add `scanType: Platform` to the spec (these will not generate any remediations, and there's only two checks in the profile).
Otherwise if you want to run the CoreOS node-level checks, change the content to `ssg-rhcos4-ds.xml`
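
The two options from the reply above combined in one suite, as an added example that is not part of the original thread or the operator's own documentation: `ssg-ocp4-ds.xml` runs as a platform scan and `ssg-rhcos4-ds.xml` runs as node scans. The suite and scan names are made up for illustration; the image, content files, profile ID and `scanType: Platform` come from the thread, and `scanType: Node` is assumed to be the operator's node-level scan type.

```yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  name: example-combined-suite          # hypothetical name
  namespace: openshift-compliance
spec:
  autoApplyRemediations: false
  schedule: "0 1 * * *"
  scans:
    # Platform (cluster-level) checks: the ocp4 content only evaluates
    # when the scan is declared as a Platform scan. Without scanType,
    # the scan ends as NOT-APPLICABLE, as seen in the report above.
    - name: platform-scan               # hypothetical name
      scanType: Platform
      contentImage: quay.io/complianceascode/ocp4:latest
      content: ssg-ocp4-ds.xml
      profile: xccdf_org.ssgproject.content_profile_moderate

    # Node-level CoreOS checks: rhcos4 content, one scan per node role.
    # These are the scans that produce ComplianceRemediation objects.
    - name: workers-scan
      scanType: Node                    # assumed node-level scan type
      nodeSelector:
        node-role.kubernetes.io/worker: ""
      contentImage: quay.io/complianceascode/ocp4:latest
      content: ssg-rhcos4-ds.xml
      profile: xccdf_org.ssgproject.content_profile_moderate

    - name: masters-scan
      scanType: Node                    # assumed node-level scan type
      nodeSelector:
        node-role.kubernetes.io/master: ""
      contentImage: quay.io/complianceascode/ocp4:latest
      content: ssg-rhcos4-ds.xml
      profile: xccdf_org.ssgproject.content_profile_moderate
```

After the suite reaches `DONE`, `oc get compliancescans -n openshift-compliance` should list a result other than `NOT-APPLICABLE` for each scan whose content matches its scan type.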
@mrogers950
Hi Matt,
Many thanks for the prompt feedback.
Tested OK in our cluster.
Please, push remediation support in 4.5 ;-)
Many thanks again.
Thierry