
Fix manual remediation for SPO rule #12315

Merged
merged 3 commits into from
Aug 21, 2024

Conversation

rhmdnd
Collaborator

@rhmdnd rhmdnd commented Aug 19, 2024

We have a manual remediation for installing SPO, but it was failing
in our e2e suite with the following error:

fork/exec /go/src/github.com/ComplianceAsCode/content/applications/openshift/confinement/security_profiles_operator_exists/tests/ocp4/e2e-remediation.sh: permission denied

This commit updates the script so that it's executable and doesn't fail
when applied.

@rhmdnd
Collaborator Author

rhmdnd commented Aug 19, 2024

/test 4.16-e2e-aws-ocp4-pci-dss-4-0


@rhmdnd rhmdnd added the OpenShift OpenShift product related. label Aug 19, 2024

github-actions bot commented Aug 19, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12315
This image was built from commit: 7d1a1c7

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12315

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12315 make deploy-local

@rhmdnd
Collaborator Author

rhmdnd commented Aug 19, 2024

Looks like we need another fix for the remediation:

installing security profiles operator
+ oc apply -f /go/src/github.com/ComplianceAsCode/content/ocp-resources/e2e/spo-install.yaml --server-side=true
error: the path "/go/src/github.com/ComplianceAsCode/content/ocp-resources/e2e/spo-install.yaml" does not exist 

@yuumasato
Member

> Looks like we need another fix for the remediation:
>
> installing security profiles operator
> + oc apply -f /go/src/github.com/ComplianceAsCode/content/ocp-resources/e2e/spo-install.yaml --server-side=true
> error: the path "/go/src/github.com/ComplianceAsCode/content/ocp-resources/e2e/spo-install.yaml" does not exist

Well, that is weird, the file exists...

@yuumasato
Member

/test 4.16-e2e-aws-ocp4-pci-dss-4-0

@rhmdnd
Collaborator Author

rhmdnd commented Aug 20, 2024

> > Looks like we need another fix for the remediation:
> >
> > installing security profiles operator
> > + oc apply -f /go/src/github.com/ComplianceAsCode/content/ocp-resources/e2e/spo-install.yaml --server-side=true
> > error: the path "/go/src/github.com/ComplianceAsCode/content/ocp-resources/e2e/spo-install.yaml" does not exist
>
> Well, that is weird, the file exists...

I don't see it in that directory.

╭─lbragstad@p1 ~/Projects/content ‹master›
╰─➤  $ git log -n1           
commit aa881c3d0d589eb8e726bed948eb572b0ed84636 (HEAD -> master, upstream/master, origin/master, origin/HEAD)
Merge: 53f90ecc18 0df3c5dd1d
Author: Eduardo Barretto <[email protected]>
Date:   Tue Aug 20 11:52:17 2024 +0200

    Merge pull request #12298 from ericeberry/master
    
    Ubuntu 22.04 STIG V2R1 changes
╭─lbragstad@p1 ~/Projects/content ‹master›
╰─➤  $ find . -type f -name spo-install.yaml
╭─lbragstad@p1 ~/Projects/content ‹master›
╰─➤  $ 

https://github.com/ComplianceAsCode/content/tree/master/ocp-resources/e2e shows some of the other files we rely on - but it looks like we forgot to add spo-install.yaml.

@yuumasato
Member

No way!

git status ocp-resources/
On branch update_ocp4_stig_to_v2r1
Untracked files:
  (use "git add <file>..." to include in what will be committed)
        ocp-resources/e2e/spo-install.yaml

nothing added to commit but untracked files present (use "git add" to track)

@yuumasato
Member

@rhmdnd pushed the file on #12317
I forgot to add it, 🤦
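
Both failures discussed up to this point (a remediation script committed without its executable bit, and a resource file that existed in a working tree but was never added) are visible in the git index before CI runs. The shell functions below are an added example, not part of this pull request or of the ComplianceAsCode tooling; the function names are hypothetical and the paths passed in are whatever the remediation script references.

```shell
# Added example (not from the PR). Run from the repository root.

# Print tracked e2e-remediation.sh scripts whose recorded mode is not 100755.
# The mode stored in the index is what a fresh clone gets, so a 100644 entry
# fails with "permission denied" when the harness tries to fork/exec it.
non_executable_remediations() {
    # ls-files -s prints "<mode> <object> <stage>" then a tab, then the path
    git ls-files -s -- '*e2e-remediation.sh' |
        awk -F'\t' '{ split($1, meta, " "); if (meta[1] != "100755") print $2 }'
}

# Print each given path (relative to the repo root) that is absent from the
# index. A file can exist on the author's disk and still be untracked, in
# which case it never reaches the CI checkout.
missing_from_index() {
    local p
    for p in "$@"; do
        git ls-files --error-unmatch -- "$p" >/dev/null 2>&1 || printf '%s\n' "$p"
    done
}

# Run both checks; report findings on stderr and return non-zero if any.
audit_remediation_assets() {
    local bad missing
    bad=$(non_executable_remediations)
    missing=$(missing_from_index "$@")
    if [ -n "$bad" ]; then
        printf 'index mode is not 100755:\n%s\n' "$bad" >&2
    fi
    if [ -n "$missing" ]; then
        printf 'referenced but not tracked:\n%s\n' "$missing" >&2
    fi
    [ -z "$bad$missing" ]
}
```

Called as `audit_remediation_assets ocp-resources/e2e/spo-install.yaml`, it returns non-zero for either condition; `git update-index --chmod=+x <script>` followed by a commit corrects the recorded mode.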

@rhmdnd rhmdnd force-pushed the fix-manual-spo-remediation branch from 213450e to a9231d7 Compare August 20, 2024 19:31
@rhmdnd
Collaborator Author

rhmdnd commented Aug 20, 2024

Rebased to pick up #12317

@rhmdnd
Collaborator Author

rhmdnd commented Aug 20, 2024

/test 4.16-e2e-aws-ocp4-pci-dss-4-0

@rhmdnd rhmdnd added this to the 0.1.75 milestone Aug 20, 2024
@yuumasato
Member

@rhmdnd Addressing the metadata in 72743aa

/test 4.16-e2e-aws-ocp4-pci-dss-4-0

@yuumasato
Member

/test 4.16-e2e-aws-ocp4-pci-dss-4-0

@rhmdnd
Collaborator Author

rhmdnd commented Aug 21, 2024

Looks like the deployment times out, causing the manual remediation to fail.

Error from server (NotFound): subscriptions.operators.coreos.com "security-profiles-operator" not found

@yuumasato
Member

> Looks like the deployment times out, causing the manual remediation to fail.
>
> Error from server (NotFound): subscriptions.operators.coreos.com "security-profiles-operator" not found

The subscription name was wrong, 🤦 .

@yuumasato
Member

/test 4.16-e2e-aws-ocp4-pci-dss-4-0


codeclimate bot commented Aug 21, 2024

Code Climate has analyzed commit 7d1a1c7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@rhmdnd
Collaborator Author

rhmdnd commented Aug 21, 2024

Cool - this worked as expected in the e2e tests for PCI-DSS v4.0:

helpers.go:872: Result - Name: e2e-pci-dss-4-0-security-profiles-operator-exists - Status: PASS - Severity: medium
helpers.go:1060: Rule e2e-pci-dss-4-0-security-profiles-operator-exists matched expected result

Collaborator Author

@rhmdnd rhmdnd left a comment


/lgtm

Member

@yuumasato yuumasato left a comment


/lgtm

@rhmdnd rhmdnd merged commit 0ad4684 into ComplianceAsCode:master Aug 21, 2024
98 of 99 checks passed