Type: Bug
Resolution: Done
Version/s: 4.13.z, 4.12.z, 4.11.z, 4.10.z, 4.14.0
Sprint: OSDOCS Sprint 241
Description of problem:
The new-profile.yaml file in https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-tailor.html#compliance-new-tailored-profiles_compliance-tailor is not a good example. With that example, you can only create a tailoredprofile in ERROR status.

    $ oc apply -f - <<EOF
    apiVersion: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    metadata:
      name: new-profile
      annotations:
        compliance.openshift.io/product-type: Node
    spec:
      extends:
      description: My custom profile
      title: Custom profile
    EOF
    tailoredprofile.compliance.openshift.io/new-profile created

    $ oc get tp
    NAME          STATE
    new-profile   ERROR

Better to use the yaml file below instead:

    $ oc apply -f tp.yaml
    tailoredprofile.compliance.openshift.io/new-profile created

    $ cat tp.yaml
    apiVersion: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    metadata:
      name: new-profile
      annotations:
        compliance.openshift.io/product-type: Node
    spec:
      extends: ocp4-cis-node
      description: My custom profile
      title: Custom profile
      enableRules:
      - name: ocp4-etcd-unique-ca
        rationale: We really need to enable this
      disableRules:
      - name: ocp4-file-groupowner-cni-conf
        rationale: This doesn't apply to my cluster

    $ oc get tp
    NAME          STATE
    new-profile   READY

You can also add an explanation that the `extends` field is not mandatory. For example, remove the `extends: ocp4-cis-node` line from the above file; then only the enabled rules are tested.

    $ oc apply -f - <<EOF
    apiVersion: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    metadata:
      name: new-profile-test
      annotations:
        compliance.openshift.io/product-type: Node
    spec:
      description: My custom profile
      title: Custom profile
      enableRules:
      - name: ocp4-etcd-unique-ca
        rationale: We really need to enable this
      disableRules:
      - name: ocp4-file-groupowner-cni-conf
        rationale: This doesn't apply to my cluster
    EOF
    tailoredprofile.compliance.openshift.io/new-profile-test created

    $ oc get tp
    NAME               STATE
    new-profile        READY
    new-profile-test   READY

    $ oc compliance bind -N tp-1 tailoredprofile/new-profile-test
    Creating ScanSettingBinding tp-1

    $ oc get suite -w
    NAME   PHASE         RESULT
    tp-1   LAUNCHING     NOT-AVAILABLE
    tp-1   LAUNCHING     NOT-AVAILABLE
    tp-1   RUNNING       NOT-AVAILABLE
    tp-1   RUNNING       NOT-AVAILABLE
    tp-1   AGGREGATING   NOT-AVAILABLE
    tp-1   AGGREGATING   NOT-AVAILABLE
    tp-1   DONE          NOT-APPLICABLE
    tp-1   DONE          NOT-APPLICABLE
    ^C

    $ oc get ccr
    NAME                                     STATUS   SEVERITY
    new-profile-test-master-etcd-unique-ca   PASS     medium
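The three manifests above show the pattern in practice: a TailoredProfile with a bare `extends:` and no rules lands in ERROR, while one that names a base Profile, or enables at least one rule, goes READY. The following pre-apply check is an added example, not code from the bug report, the OpenShift docs or the Compliance Operator project. It rebuilds the report's three manifests as Python dicts, lints them against that pattern (plus the name/rationale shape of each rule entry and the two documented product-type values), and emits JSON, which `oc apply -f -` accepts, so no YAML library is required. The lint rules, messages and function names are this example's own assumptions, not the operator's validation logic.

```python
"""Pre-apply check for Compliance Operator TailoredProfile manifests.

Added example, not code from the bug report, the OpenShift docs or the
Compliance Operator project. It encodes what the report's three manifests
show: a TailoredProfile goes READY when it extends a Profile or enables at
least one rule, and each rule entry carries a name and a rationale. The
lint rules, messages and function names are this example's own.
"""
import json
from typing import Dict, List, Optional, Sequence, Tuple

API_VERSION = "compliance.openshift.io/v1alpha1"
PRODUCT_TYPE_ANNOTATION = "compliance.openshift.io/product-type"
PRODUCT_TYPES = {"Node", "Platform"}  # the two documented product types

Rule = Tuple[str, str]  # (rule name, rationale)


def tailored_profile(name: str, extends: Optional[str] = None,
                     enable: Sequence[Rule] = (), disable: Sequence[Rule] = (),
                     product_type: str = "Node") -> Dict:
    """Build a TailoredProfile manifest shaped like the ones in the report."""
    spec: Dict = {"description": "My custom profile", "title": "Custom profile"}
    if extends is not None:
        spec["extends"] = extends
    if enable:
        spec["enableRules"] = [{"name": n, "rationale": r} for n, r in enable]
    if disable:
        spec["disableRules"] = [{"name": n, "rationale": r} for n, r in disable]
    return {
        "apiVersion": API_VERSION,
        "kind": "TailoredProfile",
        "metadata": {"name": name,
                     "annotations": {PRODUCT_TYPE_ANNOTATION: product_type}},
        "spec": spec,
    }


def _check_rules(field: str, rules, problems: List[str]) -> List[str]:
    """Every rule needs a non-empty name and rationale; returns the names seen."""
    names = []
    for i, rule in enumerate(rules or []):
        if not isinstance(rule, dict):
            problems.append(f"spec.{field}[{i}] is not a mapping")
            continue
        for key in ("name", "rationale"):
            value = rule.get(key)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"spec.{field}[{i}] is missing a non-empty {key}")
        if isinstance(rule.get("name"), str):
            names.append(rule["name"])
    return names


def lint(manifest: Dict) -> List[str]:
    """Return a list of problems; an empty list means the manifest looks applyable."""
    problems: List[str] = []
    if manifest.get("apiVersion") != API_VERSION or manifest.get("kind") != "TailoredProfile":
        problems.append(f"expected kind TailoredProfile with apiVersion {API_VERSION}")
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    product_type = annotations.get(PRODUCT_TYPE_ANNOTATION)
    if product_type is not None and product_type not in PRODUCT_TYPES:
        problems.append(f"{PRODUCT_TYPE_ANNOTATION} must be one of {sorted(PRODUCT_TYPES)}")
    spec = manifest.get("spec") or {}
    extends = spec.get("extends")
    # A bare `extends:` line in YAML parses as null; flag it explicitly, since the
    # report shows that manifest landing in ERROR rather than READY.
    has_base = isinstance(extends, str) and extends.strip() != ""
    if "extends" in spec and not has_base:
        problems.append("spec.extends is present but empty: name a Profile or remove the key")
    enabled = _check_rules("enableRules", spec.get("enableRules"), problems)
    disabled = _check_rules("disableRules", spec.get("disableRules"), problems)
    if not has_base and not enabled:
        problems.append("profile neither extends a Profile nor enables any rule, so there is nothing to scan")
    for name in sorted(set(enabled) & set(disabled)):
        problems.append(f"rule {name} is both enabled and disabled")
    return problems


def to_manifest(manifest: Dict) -> str:
    """JSON is valid input for `oc apply -f -`, so no YAML library is needed."""
    return json.dumps(manifest, indent=2)


# The three manifests from the report, reconstructed as dicts (constructed sample input).
DOCS_EXAMPLE = tailored_profile("new-profile")
DOCS_EXAMPLE["spec"]["extends"] = None  # the docs' bare `extends:` line

RULES_ON = [("ocp4-etcd-unique-ca", "We really need to enable this")]
RULES_OFF = [("ocp4-file-groupowner-cni-conf", "This doesn't apply to my cluster")]
FIXED_EXAMPLE = tailored_profile("new-profile", "ocp4-cis-node", RULES_ON, RULES_OFF)
NO_EXTENDS_EXAMPLE = tailored_profile("new-profile-test", None, RULES_ON, RULES_OFF)

if __name__ == "__main__":
    for m in (DOCS_EXAMPLE, FIXED_EXAMPLE, NO_EXTENDS_EXAMPLE):
        print(m["metadata"]["name"], "->", lint(m) or "ok")
    print(to_manifest(FIXED_EXAMPLE))  # pipe this into: oc apply -f -
```

Run it before `oc apply`: the docs manifest is reported twice (empty `extends`, nothing to scan), the two manifests that went READY in the report pass clean, and the JSON printed for the fixed profile can be piped straight into `oc apply -f -`. The check is deliberately conservative; it does not verify that the named Profile or rules exist on the cluster, which only the operator can do, so still watch `oc get tp` for the READY state afterwards.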
Version-Release number of selected component (if applicable):
compliance-operator.v1.2.0
How reproducible:
Always