OpenShift Bugs / OCPBUGS-18279

The tailoredprofile example is not correct


      Description of problem:

      The new-profile.yaml file in https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-tailor.html#compliance-new-tailored-profiles_compliance-tailor is not a good example. With that example, you can only create a TailoredProfile in ERROR status:
      $ oc apply -f -<<EOF
      apiVersion: compliance.openshift.io/v1alpha1
      kind: TailoredProfile
      metadata:
        name: new-profile
        annotations:
          compliance.openshift.io/product-type: Node 
      spec:
        extends:
        description: My custom profile 
        title: Custom profile 
      EOF
      tailoredprofile.compliance.openshift.io/new-profile created
      $ oc get tp
      NAME          STATE
      new-profile   ERROR
      Better to use the YAML file below instead:
      $ oc apply -f tp.yaml 
      tailoredprofile.compliance.openshift.io/new-profile created
      $ cat tp.yaml 
      apiVersion: compliance.openshift.io/v1alpha1
      kind: TailoredProfile
      metadata:
        name: new-profile
        annotations:
          compliance.openshift.io/product-type: Node
      spec:
        extends: ocp4-cis-node
        description: My custom profile
        title: Custom profile
        enableRules:
          - name: ocp4-etcd-unique-ca
            rationale: We really need to enable this
        disableRules:
          - name: ocp4-file-groupowner-cni-conf
            rationale: This doesn’t apply to my cluster
      $ oc get tp
      NAME          STATE
      new-profile   READY
      You can also add an explanation that the `extends` field is not mandatory. For example, remove `extends: ocp4-cis-node` from the file above; then only the explicitly enabled rules are tested:
      $ oc apply -f -<<EOF
      apiVersion: compliance.openshift.io/v1alpha1
      kind: TailoredProfile
      metadata:
        name: new-profile-test
        annotations:
          compliance.openshift.io/product-type: Node
      spec:
        description: My custom profile
        title: Custom profile
        enableRules:
          - name: ocp4-etcd-unique-ca
            rationale: We really need to enable this
        disableRules:
          - name: ocp4-file-groupowner-cni-conf
            rationale: This doesn’t apply to my cluster
      EOF
      tailoredprofile.compliance.openshift.io/new-profile-test created
      $ oc get tp
      NAME               STATE
      new-profile        READY
      new-profile-test   READY
      $ oc compliance bind -N tp-1 tailoredprofile/new-profile-test
      Creating ScanSettingBinding tp-1
      $ oc get suite -w
      NAME   PHASE       RESULT
      tp-1   LAUNCHING   NOT-AVAILABLE
      tp-1   LAUNCHING   NOT-AVAILABLE
      tp-1   RUNNING     NOT-AVAILABLE
      tp-1   RUNNING     NOT-AVAILABLE
      tp-1   AGGREGATING   NOT-AVAILABLE
      tp-1   AGGREGATING   NOT-AVAILABLE
      tp-1   DONE          NOT-APPLICABLE
      tp-1   DONE          NOT-APPLICABLE
      ^C
      $ oc get ccr
      NAME                                     STATUS   SEVERITY
      new-profile-test-master-etcd-unique-ca   PASS     medium
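An added pre-apply check for the mistake this report describes (my own code, not part of the Compliance Operator or the OpenShift docs): it lints a TailoredProfile manifest that has already been loaded into a dict (what `yaml.safe_load` returns) and flags the valueless `extends:` that puts the documented example into ERROR state. The three manifests from this report are transcribed inline; the "nothing would be scanned" check and the set of accepted product-type values are my assumptions.

```python
from __future__ import annotations

VALID_PRODUCT_TYPES = {"Node", "Platform"}  # assumed: values the product-type annotation accepts


def lint_tailored_profile(doc: dict) -> list[str]:
    """Return the problems found in a loaded TailoredProfile; [] means it looks sane."""
    problems = []
    if (doc.get("apiVersion"), doc.get("kind")) != ("compliance.openshift.io/v1alpha1", "TailoredProfile"):
        problems.append("not a compliance.openshift.io/v1alpha1 TailoredProfile")
    meta = doc.get("metadata") or {}
    if not meta.get("name"):
        problems.append("metadata.name is missing")
    ptype = (meta.get("annotations") or {}).get("compliance.openshift.io/product-type")
    if ptype not in VALID_PRODUCT_TYPES:
        problems.append(f"product-type annotation must be one of {sorted(VALID_PRODUCT_TYPES)}, got {ptype!r}")
    spec = doc.get("spec") or {}
    # The documented manifest has 'extends:' with no value. YAML loads that as None,
    # and the operator then leaves the TailoredProfile in ERROR state.
    if "extends" in spec and not (isinstance(spec["extends"], str) and spec["extends"].strip()):
        problems.append("spec.extends is present but empty; omit it or name a profile (e.g. ocp4-cis-node)")
    enable, disable = spec.get("enableRules") or [], spec.get("disableRules") or []
    # Assumption (not stated in the report): extending nothing and enabling nothing leaves nothing to scan.
    if "extends" not in spec and not enable:
        problems.append("spec.extends is absent and spec.enableRules is empty: nothing would be scanned")
    for field, rules in (("enableRules", enable), ("disableRules", disable)):
        for i, rule in enumerate(rules):
            for key in ("name", "rationale"):  # every rule entry in the report carries both
                if not (rule or {}).get(key):
                    problems.append(f"spec.{field}[{i}] is missing '{key}'")
    for name in sorted(({r.get("name") for r in enable} & {r.get("name") for r in disable}) - {None}):
        problems.append(f"rule {name} is both enabled and disabled")
    return problems


def manifest(name: str, spec: dict) -> dict:
    """Envelope shared by the three manifests in this report (product-type Node)."""
    return {"apiVersion": "compliance.openshift.io/v1alpha1", "kind": "TailoredProfile",
            "metadata": {"name": name, "annotations": {"compliance.openshift.io/product-type": "Node"}},
            "spec": {"description": "My custom profile", "title": "Custom profile", **spec}}


RULES = {"enableRules": [{"name": "ocp4-etcd-unique-ca", "rationale": "We really need to enable this"}],
         "disableRules": [{"name": "ocp4-file-groupowner-cni-conf", "rationale": "This doesn't apply to my cluster"}]}
DOCS_EXAMPLE = manifest("new-profile", {"extends": None})  # the docs' yaml: 'extends:' with no value -> ERROR
FIXED_EXAMPLE = manifest("new-profile", {"extends": "ocp4-cis-node", **RULES})  # tp.yaml from the report -> READY
NO_EXTENDS_EXAMPLE = manifest("new-profile-test", RULES)  # extends omitted entirely -> READY

if __name__ == "__main__":
    for label, doc in (("docs", DOCS_EXAMPLE), ("fixed", FIXED_EXAMPLE), ("no-extends", NO_EXTENDS_EXAMPLE)):
        print(label, lint_tailored_profile(doc) or "OK")
```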

      Version-Release number of selected component (if applicable):

      compliance-operator.v1.2.0

      How reproducible:

      Always


      Andrew Taylor (antaylor@redhat.com)
      Xiaojie Yuan (xiyuan@redhat.com)