Remove kubernetes hardcoded solution for templated service_debug rules
Description:
service_debug-shell_disabled and service_autofs_disabled have hardcoded remediations for the Kubernetes lang but templates exist for these rules.
Also, updates the jinja macro to reflect masking the service/socket.
Prior to this change, there are two different fixes created for ignition and kubernetes:
<xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_autofs_disabled">---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - enabled: false
        name: autofs.service
</xccdf-1.2:fix>
<xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="service_autofs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: autofs.service
        enabled: false
        mask: true
      - name: autofs.socket
        enabled: false
        mask: true
</xccdf-1.2:fix>
After this change, the kubernetes lang takes the templated version and the two fixes are identical.
<xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_autofs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: autofs.service
        enabled: false
        mask: true
      - name: autofs.socket
        enabled: false
        mask: true
</xccdf-1.2:fix>
<xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="service_autofs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: autofs.service
        enabled: false
        mask: true
      - name: autofs.socket
        enabled: false
        mask: true
</xccdf-1.2:fix>
Rationale:
There is no need to create hardcoded remediation files for these since the template files exist.
Also, when using the OpenShift Compliance Operator, the fix used for this depends on the ordering of these fixes. In my case, the kubernetes fix was before the ignition fix in the list. This caused the compliance operator to apply the kubernetes fix which failed to mask the service.
If the rule is going to check for the services to be masked, then all of the available remediations should mask the service.
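The mismatch the description shows (one fix only disables autofs.service, the other masks both the service and the socket) is worth checking mechanically across every remediation a rule ships. This is an added example, not code from this PR or from the ComplianceAsCode project: it pulls every fix with a given id out of an XCCDF fragment, scans the MachineConfig systemd units, and reports per fix system which service/socket units are not masked. The XML sample is constructed to mirror the "before" state; the Benchmark root element and the minimal YAML scanner (no YAML library) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the PR's "before" state, not the real datastream.
SAMPLE = """<Benchmark xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2">
<xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_autofs_disabled">---
apiVersion: machineconfiguration.openshift.io/v1
spec:
  config:
    systemd:
      units:
      - enabled: false
        name: autofs.service
</xccdf-1.2:fix>
<xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="service_autofs_disabled">apiVersion: machineconfiguration.openshift.io/v1
spec:
  config:
    systemd:
      units:
      - name: autofs.service
        enabled: false
        mask: true
      - name: autofs.socket
        enabled: false
        mask: true
</xccdf-1.2:fix>
</Benchmark>"""

def parse_units(yaml_text):
    # Minimal scanner for the flat name/enabled/mask entries under 'units:' (assumption:
    # these fixes hold nothing more complex, so no YAML library is needed).
    units, in_units = [], False
    for line in (raw.strip() for raw in yaml_text.splitlines()):
        in_units = in_units or line == "units:"
        if in_units and line.startswith("- "):  # a new unit entry starts here
            units.append({})
            line = line[2:]
        if units and ":" in line:
            key, _, value = line.partition(":")
            units[-1][key.strip()] = value.strip()
    return units

def check_fixes(xccdf_xml, fix_id, service):
    # Per fix system (kubernetes, ignition, ...): the units of `service` that are not
    # enabled=false + mask=true. An empty list means that remediation masks the service.
    report = {}
    for fix in ET.fromstring(xccdf_xml).iter("{http://checklists.nist.gov/xccdf/1.2}fix"):
        if fix.get("id") == fix_id:
            units = {u.get("name"): u for u in parse_units(fix.text or "")}
            report[fix.get("system").rsplit(":", 1)[-1]] = [
                n for n in (f"{service}.service", f"{service}.socket")
                if (units.get(n, {}).get("enabled"), units.get(n, {}).get("mask")) != ("false", "true")]
    return report
```

Run against a built datastream, a non-empty list for any fix system is exactly the ordering-dependent gap the rationale describes.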
Hi @CoreyCook8. Thanks for your PR.
I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
👋 Could I get some eyes on here when someone has a chance? 🙏
Hey @rhmdnd could I get some 👀 on this one when you have a chance please? 🙏
/test
@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:
/test 4.13-images
/test 4.14-images
/test 4.15-images
/test 4.16-images
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images
Use /test all to run the following jobs that were automatically triggered:
pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-images
In response to this:
/test
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test e2e-aws-rhcos4-high
Thanks for the patch @CoreyCook8.
Testing this rule against a dev cluster and I noticed the default result changed since https://github.com/ComplianceAsCode/content/commit/1ce0c75b2d9e33f659301874450286b6d9c69dc4 landed.
Running e2e tests to see what the outcome is of this patch with those changes.
Based on the e2e results - this appears to be failing because the autofs package isn't installed.
https://github.com/ComplianceAsCode/content/pull/11546 should fix the e2e issues, but we might need to validate a different way to make sure the remediation still works (installing autofs manually).
@CoreyCook8: The /test command needs one or more targets.
The following commands are available to trigger required jobs:
/test 4.13-images
/test 4.14-images
/test 4.15-images
/test 4.16-images
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images
Use /test all to run the following jobs that were automatically triggered:
pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-images
In response to this:
/test
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/retest
/test
@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:
/test 4.13-e2e-aws-ocp4-cis
/test 4.13-e2e-aws-ocp4-cis-node
/test 4.13-e2e-aws-ocp4-e8
/test 4.13-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high-node
/test 4.13-e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate-node
/test 4.13-e2e-aws-ocp4-pci-dss
/test 4.13-e2e-aws-ocp4-pci-dss-node
/test 4.13-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig-node
/test 4.13-e2e-aws-rhcos4-e8
/test 4.13-e2e-aws-rhcos4-high
/test 4.13-e2e-aws-rhcos4-moderate
/test 4.13-e2e-aws-rhcos4-stig
/test 4.13-images
/test 4.14-images
/test 4.15-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-e8
/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate-node
/test 4.15-e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-pci-dss-node
/test 4.15-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig-node
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-moderate
/test 4.15-e2e-aws-rhcos4-stig
/test 4.15-images
/test 4.16-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-e8
/test 4.16-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high-node
/test 4.16-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate-node
/test 4.16-e2e-aws-ocp4-pci-dss
/test 4.16-e2e-aws-ocp4-pci-dss-node
/test 4.16-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig-node
/test 4.16-e2e-aws-rhcos4-e8
/test 4.16-e2e-aws-rhcos4-high
/test 4.16-e2e-aws-rhcos4-moderate
/test 4.16-e2e-aws-rhcos4-stig
/test 4.16-images
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images
Use /test all to run the following jobs that were automatically triggered:
pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-images
In response to this:
/test
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-high
Hey @rhmdnd looks like we are passing the tests now
@CoreyCook8 looks like some of the build tests are hung up. @Mab879 should we just rekick these?
Any way I can help rekick those?
Sorry, I just saw this. First time contributors need approval for the CI to run. I just gave the approval.
@rhmdnd you should be able to do this as well.
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11370
This image was built from commit: 2ebd3794b2e0b6864da30fa19f53b6a9b2e677bf
Click here to see how to deploy it
If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11370
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11370 make deploy-local
@rhmdnd looks good to go?
@CoreyCook8 Hi, sorry for the delay, the changes look good to me.
But could you please remove the merge commits? One way to do it is to:
$ git rebase --onto master 49de0664014309054881de12e2b73993951849ce~1 a710b6f5fbfa6ad22145c283505d2ec5148c1238
$ git checkout -B patch-1 HEAD
👋 @yuumasato Look alright now?
/test e2e-aws-rhcos4-high
Code Climate has analyzed commit 2ebd3794 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 59.3% (0.0% change).
View more on Code Climate.