
OCPBUGS-31510: change the analysis to not include ImageStreamTag #11783

Merged 2 commits on Jun 6, 2024

Conversation

prb112 (Contributor) commented Apr 2, 2024

Description:

ImageStreamTag is improperly considered with the rule.yaml

Rationale:

https://issues.redhat.com/browse/OCPBUGS-31510

Review Hints:

The logic changes are for rhcos4-disa-stig.

openshift-ci bot commented Apr 2, 2024

Hi @prb112. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Apr 2, 2024
github-actions bot commented Apr 2, 2024

Start a new ephemeral environment with changes proposed in this pull request (each entry is an "Open in Gitpod" link):

  • ocp4 (from CTF) Environment (using Fedora as testing environment)
  • Fedora Testing Environment
  • Oracle Linux 8 Environment

github-actions bot commented Apr 2, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff (full diff follows):
New content has different text for rule 'xccdf_org.ssgproject.content_rule_imagestream_sets_schedule'.
--- xccdf_org.ssgproject.content_rule_imagestream_sets_schedule
+++ xccdf_org.ssgproject.content_rule_imagestream_sets_schedule
@@ -22,9 +22,9 @@
 Therefore, you need to use a tool that can query the OCP API, retrieve the following:
 /apis/image.openshift.io/v1/imagestreams
     API endpoint, filter with with the jq utility using the following filter
-    [.items[]] | map(.spec.tags[]?.importPolicy.scheduled != true) | any
+    [.items[] | .spec.tags[]? | select(.from.kind != "ImageStreamTag") | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all
     and persist it to the local
-    /apis/image.openshift.io/v1/imagestreams#47d97a900e89c07d2fcec9092f067d294f3d90e7c02e37b073c60576a6fa602f
+    /apis/image.openshift.io/v1/imagestreams#fbe2637b570482a77a9b52dc0c9c94eeb918519c0b64368ffbf3acfa02fc166f
     file.
 
 [reference]:
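Review bot: the `+` filter line inverts the meaning of the persisted value, so the expected result the rule compares against has to change with it. The removed expression `[.items[]] | map(.spec.tags[]?.importPolicy.scheduled != true) | any` is true when at least one tag is not scheduled; the new `[... | select(.from.kind != "ImageStreamTag") | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all` is true when every remaining tag is scheduled. The changed hash suffix on the `/apis/image.openshift.io/v1/imagestreams#...` path shows the persisted resource was re-keyed, but the expected value is not visible in this hunk, so please confirm it was flipped as well. Two edge cases are worth a sentence in the description: a tag with no `from` object is kept, because `null != "ImageStreamTag"` is true in jq, and `all` over an empty array is true, so a cluster whose imagestreams carry only ImageStreamTag-sourced tags passes vacuously.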

OCIL for rule 'xccdf_org.ssgproject.content_rule_imagestream_sets_schedule' differs.
--- ocil:ssg-imagestream_sets_schedule_ocil:questionnaire:1
+++ ocil:ssg-imagestream_sets_schedule_ocil:questionnaire:1
@@ -1,8 +1,8 @@
 To list all the imagestreams and identify which imagestream tags are
 configured to periodically check for updates (imagePolicy = { scheduled: true }), run the following command:
-oc get imagestream  --all-namespaces -o jsonpath='[.items[]] | map(.spec.tags[]?.importPolicy.scheduled != true) | any'
+oc get imagestreams -A -ojson | jq '.items[] | select(.spec.tags[]?.importPolicy.scheduled == true) | .metadata.name' | sort | uniq
 Alternatively, to view a list of ImageStreams that do not schedule updates,
 run:
-oc get imagestreams -A -ojson | jq '.items[] | select(.spec.tags[]?.importPolicy.scheduled != true) | .metadata.name' | sort | uniq
+oc get imagestreams -A -ojson | jq -r '.items[] | select(.spec.tags[]? | select(.from.kind != "ImageStreamTag" and (.importPolicy.scheduled == null or .importPolicy.scheduled == false))) | "\(.metadata.namespace),\(.metadata.name)"' | sort | uniq
       Is it the case that imagestream is not configured to perform periodical updates?
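Review bot: the two `+` commands emit different output shapes, so the "scheduled" and "not scheduled" lists cannot be compared side by side: the first prints JSON-quoted `.metadata.name` values without the namespace, the second prints raw (`-r`) `namespace,name` pairs. Suggest ending the first one with `| "\(.metadata.namespace),\(.metadata.name)"` and adding `-r` to it as well. Note too that the first command does not apply the `select(.from.kind != "ImageStreamTag")` exclusion that the second does, and that an imagestream with one scheduled and one unscheduled tag will appear in both lists. The unchanged line above the commands still reads `imagePolicy = { scheduled: true }` while every filter uses `.importPolicy.scheduled`; the field name is `importPolicy`.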
       

github-actions bot commented Apr 2, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11783
This image was built from commit: fbc4a28

How to deploy it, if you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11783

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11783 make deploy-local

@rhmdnd rhmdnd added OpenShift OpenShift product related. STIG STIG Benchmark related. ok-to-test Used by openshift-ci bot. labels Apr 2, 2024
rhmdnd (Collaborator) commented Apr 2, 2024

/test

@openshift-ci openshift-ci bot removed the needs-ok-to-test Used by openshift-ci bot. label Apr 2, 2024
openshift-ci bot commented Apr 2, 2024

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test 4.13-e2e-aws-ocp4-cis
  • /test 4.13-e2e-aws-ocp4-cis-node
  • /test 4.13-e2e-aws-ocp4-e8
  • /test 4.13-e2e-aws-ocp4-high
  • /test 4.13-e2e-aws-ocp4-high-node
  • /test 4.13-e2e-aws-ocp4-moderate
  • /test 4.13-e2e-aws-ocp4-moderate-node
  • /test 4.13-e2e-aws-ocp4-pci-dss
  • /test 4.13-e2e-aws-ocp4-pci-dss-node
  • /test 4.13-e2e-aws-ocp4-stig
  • /test 4.13-e2e-aws-ocp4-stig-node
  • /test 4.13-e2e-aws-rhcos4-e8
  • /test 4.13-e2e-aws-rhcos4-high
  • /test 4.13-e2e-aws-rhcos4-moderate
  • /test 4.13-e2e-aws-rhcos4-stig
  • /test 4.13-images
  • /test 4.14-images
  • /test 4.15-e2e-aws-ocp4-cis
  • /test 4.15-e2e-aws-ocp4-cis-node
  • /test 4.15-e2e-aws-ocp4-e8
  • /test 4.15-e2e-aws-ocp4-high
  • /test 4.15-e2e-aws-ocp4-high-node
  • /test 4.15-e2e-aws-ocp4-moderate
  • /test 4.15-e2e-aws-ocp4-moderate-node
  • /test 4.15-e2e-aws-ocp4-pci-dss
  • /test 4.15-e2e-aws-ocp4-pci-dss-node
  • /test 4.15-e2e-aws-ocp4-stig
  • /test 4.15-e2e-aws-ocp4-stig-node
  • /test 4.15-e2e-aws-rhcos4-e8
  • /test 4.15-e2e-aws-rhcos4-high
  • /test 4.15-e2e-aws-rhcos4-moderate
  • /test 4.15-e2e-aws-rhcos4-stig
  • /test 4.15-images
  • /test 4.16-e2e-aws-ocp4-cis
  • /test 4.16-e2e-aws-ocp4-cis-node
  • /test 4.16-e2e-aws-ocp4-e8
  • /test 4.16-e2e-aws-ocp4-high
  • /test 4.16-e2e-aws-ocp4-high-node
  • /test 4.16-e2e-aws-ocp4-moderate
  • /test 4.16-e2e-aws-ocp4-moderate-node
  • /test 4.16-e2e-aws-ocp4-pci-dss
  • /test 4.16-e2e-aws-ocp4-pci-dss-node
  • /test 4.16-e2e-aws-ocp4-stig
  • /test 4.16-e2e-aws-ocp4-stig-node
  • /test 4.16-e2e-aws-rhcos4-e8
  • /test 4.16-e2e-aws-rhcos4-high
  • /test 4.16-e2e-aws-rhcos4-moderate
  • /test 4.16-e2e-aws-rhcos4-stig
  • /test 4.16-images
  • /test e2e-aws-ocp4-cis
  • /test e2e-aws-ocp4-cis-node
  • /test e2e-aws-ocp4-e8
  • /test e2e-aws-ocp4-high
  • /test e2e-aws-ocp4-high-node
  • /test e2e-aws-ocp4-moderate
  • /test e2e-aws-ocp4-moderate-node
  • /test e2e-aws-ocp4-pci-dss
  • /test e2e-aws-ocp4-pci-dss-node
  • /test e2e-aws-ocp4-stig
  • /test e2e-aws-ocp4-stig-node
  • /test e2e-aws-rhcos4-e8
  • /test e2e-aws-rhcos4-high
  • /test e2e-aws-rhcos4-moderate
  • /test e2e-aws-rhcos4-stig
  • /test images

Use /test all to run the following jobs that were automatically triggered:

  • pull-ci-ComplianceAsCode-content-master-4.13-images
  • pull-ci-ComplianceAsCode-content-master-4.14-images
  • pull-ci-ComplianceAsCode-content-master-4.15-images
  • pull-ci-ComplianceAsCode-content-master-4.16-images
  • pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

rhmdnd (Collaborator) commented Apr 2, 2024

/test e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig

prb112 (Contributor, Author) commented Apr 2, 2024

/retest

prb112 (Contributor, Author) commented Apr 3, 2024

Checked a prior run with PR 11593 and found the same failures for e2e-stig-imagestream-sets-schedule. I think it might be expected, and other elements require a retest.

xiaojiey (Collaborator) commented Apr 3, 2024

/hold for test

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label Apr 3, 2024
Signed-off-by: Paul Bastide <pbastide@us.ibm.com>
prb112 (Contributor, Author) commented Apr 4, 2024

Hey @Vincent056 - I've updated the command within the <pre> text. Thank you, Paul

prb112 (Contributor, Author) commented Apr 9, 2024

/retest

prb112 (Contributor, Author) commented Apr 9, 2024

Hi @xiaojiey have you had any updates on testing from your end? Thanks! Paul

xiaojiey (Collaborator) commented Apr 26, 2024

@prb112 I am not sure if there is an env issue or not. The first command in the instruction doesn't work as expected. Could you please help check? Thanks.
Verification fails with 4.16.0-0.nightly-2024-04-23-032717 + ghcr.io/complianceascode/k8scontent:11783

% oc get rule upstream-ocp4-imagestream-sets-schedule -o=jsonpath={.instructions}
To list all the imagestreams and identify which imagestream tags are
configured to periodically check for updates (imagePolicy = { scheduled: true }), run the following command:
oc get imagestream  --all-namespaces -o jsonpath='[.items[] | .spec.tags[]? | select(.from.kind != "ImageStreamTag") | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all'
Alternatively, to view a list of ImageStreams that do not schedule updates,
run:
oc get imagestreams -A -ojson | jq -r '.items[] | select(.spec.tags[]? | select(.from.kind != "ImageStreamTag" and (.importPolicy.scheduled == null or .importPolicy.scheduled == false))) | "\(.metadata.namespace),\(.metadata.name)"' | sort | uniq%

% oc get imagestream  --all-namespaces -o jsonpath='[.items[] | .spec.tags[]? | select(.from.kind != "ImageStreamTag") | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all'
[.items[] | .spec.tags[]? | select(.from.kind != "ImageStreamTag") | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all%

% oc get imagestreams -A -ojson | jq -r '.items[] | select(.spec.tags[]? | select(.from.kind != "ImageStreamTag" and (.importPolicy.scheduled == null or .importPolicy.scheduled == false))) | "\(.metadata.namespace),\(.metadata.name)"' | sort | uniq
openshift,dotnet
openshift,dotnet-runtime
openshift,fuse7-eap-openshift
openshift,fuse7-eap-openshift-java11
openshift,fuse7-java-openshift
openshift,fuse7-java11-openshift
openshift,fuse7-karaf-openshift
openshift,fuse7-karaf-openshift-jdk11
openshift,golang
openshift,httpd
openshift,java
openshift,java-runtime
openshift,jboss-datagrid73-openshift
openshift,jboss-eap-xp3-openjdk11-openshift
openshift,jboss-eap-xp3-openjdk11-runtime-openshift
openshift,jboss-eap-xp4-openjdk11-openshift
openshift,jboss-eap-xp4-openjdk11-runtime-openshift
openshift,jboss-eap74-openjdk11-openshift
openshift,jboss-eap74-openjdk11-runtime-openshift
openshift,jboss-eap74-openjdk8-openshift
openshift,jboss-eap74-openjdk8-runtime-openshift
openshift,jboss-webserver57-openjdk11-tomcat9-openshift-ubi8
openshift,jboss-webserver57-openjdk8-tomcat9-openshift-ubi8
openshift,jenkins
openshift,jenkins-agent-base
openshift,mariadb
openshift,mysql
openshift,nginx
openshift,nodejs
openshift,openjdk-11-rhel7
openshift,perl
openshift,php
openshift,postgresql
openshift,postgresql13-for-sso75-openshift-rhel8
openshift,postgresql13-for-sso76-openshift-rhel8
openshift,python
openshift,redhat-openjdk18-openshift
openshift,redis
openshift,ruby
openshift,sso75-openshift-rhel8
openshift,sso76-openshift-rhel8
openshift,ubi8-openjdk-11
openshift,ubi8-openjdk-11-runtime
openshift,ubi8-openjdk-17
openshift,ubi8-openjdk-17-runtime
openshift,ubi8-openjdk-21
openshift,ubi8-openjdk-21-runtime
openshift,ubi8-openjdk-8
openshift,ubi8-openjdk-8-runtime

@@ -42,22 +42,20 @@ ocil: |-
<pre>oc get imagestream --all-namespaces -o jsonpath='{{{ jqfilter }}}'</pre>
Collaborator commented on the line above:

can you update the command to

oc get imagestream  --all-namespaces -o json | jq -r '{{{ jqfilter }}}'

With the current command in the instruction, it only displays some meaningless text:

% oc get imagestream  --all-namespaces -o jsonpath='[.items[] | .spec.tags[]? | select(.from.kind != "ImageStreamTag") | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all'
[.items[] | .spec.tags[]? | select(.from.kind != "ImageStreamTag") | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all%

The command and output we expected is:

% oc get imagestream  -A -o=json | jq -r '[.items[] | .spec.tags[]? | select(.from.kind != "ImageStreamTag") | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all'
false
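To make the filter semantics behind this thread concrete, here is an added Python model (not code from the PR or from ComplianceAsCode) that evaluates the pre-PR jq check, the post-PR jq check, and the post-PR OCIL `namespace,name` listing over a constructed imagestream list. Every value in the sample JSON (namespaces, stream names, registry hostnames) is made up. The second document, with only a scheduled registry tag and its `ImageStreamTag` alias, shows why the alias exclusion matters: the old filter still reports an unscheduled tag, while the new one passes.

```python
r"""Model of the jq filters discussed in this PR for imagestream_sets_schedule.

Added example (not code from the PR or from ComplianceAsCode). The imagestream
JSON below is constructed to look like `oc get imagestreams -A -o json` output;
it was not captured from a cluster.

jq expressions being modelled:
  old check:  [.items[]] | map(.spec.tags[]?.importPolicy.scheduled != true) | any
  new check:  [.items[] | .spec.tags[]? | select(.from.kind != "ImageStreamTag")
                | (.importPolicy.scheduled != null and .importPolicy.scheduled != false)] | all
  OCIL list:  .items[] | select(.spec.tags[]? | select(.from.kind != "ImageStreamTag"
                and (.importPolicy.scheduled == null or .importPolicy.scheduled == false)))
                | "\(.metadata.namespace),\(.metadata.name)"
"""
import json

# Constructed sample data (assumption): three imagestreams, one of which has an
# alias tag whose source is another ImageStreamTag rather than a registry image.
SAMPLE_IMAGESTREAMS = json.loads(r"""
{
  "items": [
    {"metadata": {"namespace": "openshift", "name": "python"},
     "spec": {"tags": [
       {"name": "3.9",
        "from": {"kind": "DockerImage", "name": "registry.example.test/python:3.9"},
        "importPolicy": {"scheduled": true}},
       {"name": "latest",
        "from": {"kind": "ImageStreamTag", "name": "python:3.9"},
        "importPolicy": {}}
     ]}},
    {"metadata": {"namespace": "demo", "name": "app"},
     "spec": {"tags": [
       {"name": "v1",
        "from": {"kind": "DockerImage", "name": "registry.example.test/app:v1"},
        "importPolicy": {"scheduled": false}}
     ]}},
    {"metadata": {"namespace": "demo", "name": "no-tags"},
     "spec": {}}
  ]
}
""")

# Same list without the unscheduled demo/app stream: only a scheduled registry
# tag plus its ImageStreamTag alias remain.
ALIAS_ONLY_IMAGESTREAMS = {
    "items": [SAMPLE_IMAGESTREAMS["items"][0], SAMPLE_IMAGESTREAMS["items"][2]]
}


def _tags(item):
    """jq `.spec.tags[]?`: yields nothing when .spec.tags is absent or null."""
    return (item.get("spec") or {}).get("tags") or []


def _scheduled(tag):
    """jq `.importPolicy.scheduled`: None when importPolicy or the key is missing."""
    return (tag.get("importPolicy") or {}).get("scheduled")


def _from_kind(tag):
    """jq `.from.kind`: None when .from is missing."""
    return (tag.get("from") or {}).get("kind")


def old_check(doc):
    """Pre-PR filter. True means 'at least one tag is not scheduled', and alias
    tags (from.kind == ImageStreamTag) are counted even though they are never
    imported from a registry."""
    return any(_scheduled(t) is not True for item in doc["items"] for t in _tags(item))


def new_check(doc):
    """Post-PR filter. True means 'every tag not sourced from an ImageStreamTag
    has importPolicy.scheduled set to something other than null/false'.
    The polarity is the opposite of old_check, and all() of an empty list is
    True, exactly as jq's `all` on [] is."""
    return all(
        _scheduled(t) not in (None, False)
        for item in doc["items"]
        for t in _tags(item)
        if _from_kind(t) != "ImageStreamTag"
    )


def unscheduled_imagestreams(doc):
    """Post-PR OCIL listing: sorted, de-duplicated 'namespace,name' of streams
    with at least one non-alias tag that is not scheduled (the `sort | uniq`)."""
    found = set()
    for item in doc["items"]:
        for t in _tags(item):
            if _from_kind(t) == "ImageStreamTag":
                continue
            if _scheduled(t) in (None, False):
                md = item["metadata"]
                found.add(f"{md['namespace']},{md['name']}")
    return sorted(found)


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_IMAGESTREAMS), ("alias-only", ALIAS_ONLY_IMAGESTREAMS)):
        print(f"{label}: old_check={old_check(doc)} new_check={new_check(doc)} "
              f"unscheduled={unscheduled_imagestreams(doc)}")
```

Run it as a script to see both documents evaluated. The `sample` document yields `old_check=True`, `new_check=False` and `unscheduled=['demo,app']`, matching the `false` that the reviewer expects from a cluster with an unscheduled stream; the `alias-only` document yields `old_check=True` but `new_check=True`, which is the behaviour OCPBUGS-31510 asks for.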

Contributor Author commented:

Hi @xiaojiey I think I follow you. That seems reasonable - however, it'll have to be hard coded. jsonpath does not support the filter above.

Contributor Author commented:

This should be resolved @xiaojiey - Thank you for the diligence

Signed-off-by: Paul Bastide <pbastide@us.ibm.com>
xiaojiey (Collaborator) commented May 8, 2024

Verification passes with 4.16.0-0.nightly-2024-05-07-025557 + ghcr.io/complianceascode/k8scontent:11783. Details can be seen in the comment on the bug https://issues.redhat.com/browse/OCPBUGS-31510

@xiaojiey xiaojiey closed this May 8, 2024
@xiaojiey xiaojiey reopened this May 8, 2024
codeclimate bot commented May 8, 2024

Code Climate has analyzed commit fbc4a28 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

xiaojiey (Collaborator) commented May 8, 2024

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label May 8, 2024
prb112 (Contributor, Author) commented May 8, 2024

Hey @Vincent056 or @rhmdnd do you mind reviewing the PR? @xiaojiey has kindly tested. Thanks, Paul

@yuumasato yuumasato self-assigned this Jun 4, 2024
yuumasato (Member) commented

/ok-to-test

yuumasato (Member) commented

/test e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig

prb112 (Contributor, Author) commented Jun 4, 2024

/retest-required

prb112 (Contributor, Author) commented Jun 4, 2024

/retest

prb112 (Contributor, Author) commented Jun 4, 2024

/retest

prb112 (Contributor, Author) commented Jun 5, 2024

/retest

prb112 (Contributor, Author) commented Jun 6, 2024

/retest

@yuumasato yuumasato added this to the 0.1.74 milestone Jun 6, 2024
yuumasato (Member) left a review comment:

Thank you for the fix.

yuumasato (Member) commented

Skipping the Ansible hardening tests.

@yuumasato yuumasato merged commit cb40f6b into ComplianceAsCode:master Jun 6, 2024
63 of 75 checks passed
@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label Jun 10, 2024