Update various openshift assertions #12443

Merged

Conversation

@yuumasato yuumasato added the OpenShift OpenShift product related. label Sep 30, 2024
@yuumasato yuumasato added this to the 0.1.75 milestone Sep 30, 2024
@yuumasato
Member Author

/test

openshift-ci bot commented Sep 30, 2024

@yuumasato: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test 4.12-e2e-aws-ocp4-cis
  • /test 4.12-e2e-aws-ocp4-cis-node
  • /test 4.12-e2e-aws-ocp4-e8
  • /test 4.12-e2e-aws-ocp4-high
  • /test 4.12-e2e-aws-ocp4-high-node
  • /test 4.12-e2e-aws-ocp4-moderate
  • /test 4.12-e2e-aws-ocp4-moderate-node
  • /test 4.12-e2e-aws-ocp4-pci-dss
  • /test 4.12-e2e-aws-ocp4-pci-dss-4-0
  • /test 4.12-e2e-aws-ocp4-pci-dss-node
  • /test 4.12-e2e-aws-ocp4-pci-dss-node-4-0
  • /test 4.12-e2e-aws-ocp4-stig
  • /test 4.12-e2e-aws-ocp4-stig-node
  • /test 4.12-e2e-aws-rhcos4-e8
  • /test 4.12-e2e-aws-rhcos4-high
  • /test 4.12-e2e-aws-rhcos4-moderate
  • /test 4.12-e2e-aws-rhcos4-stig
  • /test 4.12-images
  • /test 4.13-e2e-aws-ocp4-bsi
  • /test 4.13-e2e-aws-ocp4-bsi-node
  • /test 4.13-e2e-aws-ocp4-cis
  • /test 4.13-e2e-aws-ocp4-cis-node
  • /test 4.13-e2e-aws-ocp4-e8
  • /test 4.13-e2e-aws-ocp4-high
  • /test 4.13-e2e-aws-ocp4-high-node
  • /test 4.13-e2e-aws-ocp4-moderate
  • /test 4.13-e2e-aws-ocp4-moderate-node
  • /test 4.13-e2e-aws-ocp4-pci-dss
  • /test 4.13-e2e-aws-ocp4-pci-dss-4-0
  • /test 4.13-e2e-aws-ocp4-pci-dss-node
  • /test 4.13-e2e-aws-ocp4-pci-dss-node-4-0
  • /test 4.13-e2e-aws-ocp4-stig
  • /test 4.13-e2e-aws-ocp4-stig-node
  • /test 4.13-e2e-aws-rhcos4-bsi
  • /test 4.13-e2e-aws-rhcos4-e8
  • /test 4.13-e2e-aws-rhcos4-high
  • /test 4.13-e2e-aws-rhcos4-moderate
  • /test 4.13-e2e-aws-rhcos4-stig
  • /test 4.13-images
  • /test 4.14-e2e-aws-ocp4-bsi
  • /test 4.14-e2e-aws-ocp4-bsi-node
  • /test 4.14-e2e-aws-ocp4-pci-dss-4-0
  • /test 4.14-e2e-aws-ocp4-pci-dss-node-4-0
  • /test 4.14-e2e-aws-rhcos4-bsi
  • /test 4.14-images
  • /test 4.15-e2e-aws-ocp4-bsi
  • /test 4.15-e2e-aws-ocp4-bsi-node
  • /test 4.15-e2e-aws-ocp4-cis
  • /test 4.15-e2e-aws-ocp4-cis-node
  • /test 4.15-e2e-aws-ocp4-e8
  • /test 4.15-e2e-aws-ocp4-high
  • /test 4.15-e2e-aws-ocp4-high-node
  • /test 4.15-e2e-aws-ocp4-moderate
  • /test 4.15-e2e-aws-ocp4-moderate-node
  • /test 4.15-e2e-aws-ocp4-pci-dss
  • /test 4.15-e2e-aws-ocp4-pci-dss-4-0
  • /test 4.15-e2e-aws-ocp4-pci-dss-node
  • /test 4.15-e2e-aws-ocp4-pci-dss-node-4-0
  • /test 4.15-e2e-aws-ocp4-stig
  • /test 4.15-e2e-aws-ocp4-stig-node
  • /test 4.15-e2e-aws-rhcos4-bsi
  • /test 4.15-e2e-aws-rhcos4-e8
  • /test 4.15-e2e-aws-rhcos4-high
  • /test 4.15-e2e-aws-rhcos4-moderate
  • /test 4.15-e2e-aws-rhcos4-stig
  • /test 4.15-e2e-rosa-ocp4-cis-node
  • /test 4.15-e2e-rosa-ocp4-pci-dss-node
  • /test 4.15-images
  • /test 4.16-e2e-aws-ocp4-bsi
  • /test 4.16-e2e-aws-ocp4-bsi-node
  • /test 4.16-e2e-aws-ocp4-cis
  • /test 4.16-e2e-aws-ocp4-cis-node
  • /test 4.16-e2e-aws-ocp4-e8
  • /test 4.16-e2e-aws-ocp4-high
  • /test 4.16-e2e-aws-ocp4-high-node
  • /test 4.16-e2e-aws-ocp4-moderate
  • /test 4.16-e2e-aws-ocp4-moderate-node
  • /test 4.16-e2e-aws-ocp4-pci-dss
  • /test 4.16-e2e-aws-ocp4-pci-dss-4-0
  • /test 4.16-e2e-aws-ocp4-pci-dss-node
  • /test 4.16-e2e-aws-ocp4-pci-dss-node-4-0
  • /test 4.16-e2e-aws-ocp4-stig
  • /test 4.16-e2e-aws-ocp4-stig-node
  • /test 4.16-e2e-aws-rhcos4-bsi
  • /test 4.16-e2e-aws-rhcos4-e8
  • /test 4.16-e2e-aws-rhcos4-high
  • /test 4.16-e2e-aws-rhcos4-moderate
  • /test 4.16-e2e-aws-rhcos4-stig
  • /test 4.16-images
  • /test 4.17-e2e-aws-ocp4-bsi
  • /test 4.17-e2e-aws-ocp4-bsi-node
  • /test 4.17-e2e-aws-ocp4-cis
  • /test 4.17-e2e-aws-ocp4-cis-node
  • /test 4.17-e2e-aws-ocp4-e8
  • /test 4.17-e2e-aws-ocp4-high
  • /test 4.17-e2e-aws-ocp4-high-node
  • /test 4.17-e2e-aws-ocp4-moderate
  • /test 4.17-e2e-aws-ocp4-moderate-node
  • /test 4.17-e2e-aws-ocp4-pci-dss
  • /test 4.17-e2e-aws-ocp4-pci-dss-4-0
  • /test 4.17-e2e-aws-ocp4-pci-dss-node
  • /test 4.17-e2e-aws-ocp4-pci-dss-node-4-0
  • /test 4.17-e2e-aws-ocp4-stig
  • /test 4.17-e2e-aws-ocp4-stig-node
  • /test 4.17-e2e-aws-rhcos4-bsi
  • /test 4.17-e2e-aws-rhcos4-e8
  • /test 4.17-e2e-aws-rhcos4-high
  • /test 4.17-e2e-aws-rhcos4-moderate
  • /test 4.17-e2e-aws-rhcos4-stig
  • /test 4.17-images
  • /test e2e-aws-ocp4-bsi
  • /test e2e-aws-ocp4-bsi-node
  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-4-0
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-pci-dss-node-4-0
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-bsi
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.12-images
  • pull-ci-ComplianceAsCode-content-master-4.13-images
  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-4.15-images
  • pull-ci-ComplianceAsCode-content-master-4.16-images
  • pull-ci-ComplianceAsCode-content-master-4.17-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

github-actions bot commented Sep 30, 2024

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

@yuumasato
Member Author

/test 4.15-e2e-aws-ocp4-pci-dss-4-0
/test 4.17-e2e-aws-ocp4-pci-dss-4-0
/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0

github-actions bot commented Sep 30, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12443
This image was built from commit: 9630d28

Click here to see how to deploy it

If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12443

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12443 make deploy-local

@yuumasato
Member Author

Hmm, the scripts creating the ClusterLogging and ClusterLogForwarder also need updates.

@yuumasato
Member Author

/test 4.15-e2e-aws-ocp4-pci-dss-4-0
/test 4.17-e2e-aws-ocp4-pci-dss-4-0
/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.16-e2e-aws-ocp4-stig

@yuumasato
Member Author

I have updated the rules to handle the resources from logging operator 6.0.
But I think we actually need to add new rules checking these resources, otherwise users still on previous version of logging operator will start to get FAIL evaluations.

@Vincent056
Contributor

I have updated the rules to handle the resources from logging operator 6.0. But I think we actually need to add new rules checking these resources, otherwise users still on previous version of logging operator will start to get FAIL evaluations.

yes, I think we should add an additional rule, and make a rule to pass if either one passes the requirement.

@yuumasato yuumasato force-pushed the update_various_openshift_assertions branch from b4e5a09 to 5e6f52a Compare October 3, 2024 07:30
@yuumasato
Member Author

/test 4.13-e2e-aws-ocp4-stig
/test 4.14-e2e-aws-ocp4-stig

@yuumasato yuumasato force-pushed the update_various_openshift_assertions branch from 5e6f52a to 28f5530 Compare October 3, 2024 07:57
@yuumasato
Member Author

yuumasato commented Oct 3, 2024

The Cluster Logging Operator changes require ComplianceAsCode/compliance-operator#616 to work.

After applying the testing remediations on a 4.13 (CLO 5.9) and 4.14 (CLO 6.0) the following logging rules are passing:

  • cluster-logging-operator-exist
  • audit-log-forwarding-enabled
  • audit-log-forwarding-uses-tls

I did not test rule audit_log_forwarding_webhook as that requires a hypershift environment.

@yuumasato
Member Author

/test 4.13-e2e-aws-ocp4-stig
/test 4.14-e2e-aws-ocp4-stig

@yuumasato
Member Author

/test 4.13-e2e-aws-ocp4-pci-dss-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-4-0

@yuumasato yuumasato force-pushed the update_various_openshift_assertions branch from 28f5530 to aa5575f Compare October 3, 2024 13:24
@yuumasato
Member Author

/test 4.13-e2e-aws-ocp4-pci-dss-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-4-0
/test 4.13-e2e-aws-ocp4-stig
/test 4.14-e2e-aws-ocp4-stig

I guess I typed ctrl+a in vim and did not notice, :)
These rules are passing by default now and after remediation they
continue to pass
Align this rule's assertion with what's in other profiles.
@yuumasato yuumasato force-pushed the update_various_openshift_assertions branch from aa5575f to 9630d28 Compare October 10, 2024 08:50
@yuumasato
Member Author

The CLO changes were carved out to its own PR: #12484

/test 4.15-e2e-aws-ocp4-pci-dss-4-0
/test 4.17-e2e-aws-ocp4-pci-dss-4-0
/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0

codeclimate bot commented Oct 10, 2024

Code Climate has analyzed commit 9630d28 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

openshift-ci bot commented Oct 10, 2024

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/4.16-e2e-aws-ocp4-stig | b4e5a09 | link | true | /test 4.16-e2e-aws-ocp4-stig |
| ci/prow/4.14-e2e-aws-ocp4-pci-dss-4-0 | aa5575f | link | true | /test 4.14-e2e-aws-ocp4-pci-dss-4-0 |
| ci/prow/4.13-e2e-aws-ocp4-pci-dss-4-0 | aa5575f | link | true | /test 4.13-e2e-aws-ocp4-pci-dss-4-0 |
| ci/prow/4.13-e2e-aws-ocp4-stig | aa5575f | link | true | /test 4.13-e2e-aws-ocp4-stig |
| ci/prow/4.17-e2e-aws-ocp4-pci-dss-4-0 | 9630d28 | link | true | /test 4.17-e2e-aws-ocp4-pci-dss-4-0 |
| ci/prow/4.15-e2e-aws-ocp4-pci-dss-4-0 | 9630d28 | link | true | /test 4.15-e2e-aws-ocp4-pci-dss-4-0 |

Collaborator

@rhmdnd rhmdnd left a comment

/lgtm

Failures are due to CLO issues we're ironing out in a separate PR.

@rhmdnd rhmdnd merged commit 2d2175c into ComplianceAsCode:master Oct 10, 2024
106 of 109 checks passed
@yuumasato yuumasato deleted the update_various_openshift_assertions branch October 10, 2024 14:44
@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label Nov 14, 2024