Update api_resource_collector_cluster_role.yaml

[ermeratos]

Added permissions for kubedescheduler operator

[openshift-ci]

Hi @ermeratos. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ermeratos, JAORMX
Once this PR has been reviewed and has the lgtm label, please assign bhargavigudi for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[JAORMX]

/ok-to-test

[BhargaviGudi]

/hold for test

[BhargaviGudi]

Verification passed with 4.17.0-0.nightly-2024-07-07-131215 + #519 code + #11997 code

1. Install CO

NAME              CONTENTIMAGE                                 CONTENTFILE         STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml     VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml   VALID
upstream-ocp4     ghcr.io/complianceascode/k8scontent:11997    ssg-ocp4-ds.xml     VALID
upstream-rhcos4   ghcr.io/complianceascode/k8scontent:11997    ssg-rhcos4-ds.xml   VALID

2. Create kubedescheduler operator from GUI and create instance

$ oc get csv -n openshift-kube-descheduler-operator
NAME                                    DISPLAY                     VERSION   REPLACES                                             PHASE
clusterkubedescheduleroperator.v5.0.1   Kube Descheduler Operator   5.0.1     clusterkubedescheduleroperator.4.14.0-202311021650   Succeeded
$ oc get kubeschedulers.operator.openshift.io -n openshift-kube-descheduler-operator
NAME      AGE
cluster   6h37m

3. Create ssb

Creating ScanSettingBinding test
$ oc get scan
NAME                            PHASE   RESULT
upstream-ocp4-bsi               DONE    NON-COMPLIANT
upstream-ocp4-bsi-node-master   DONE    COMPLIANT
upstream-ocp4-bsi-node-worker   DONE    COMPLIANT
upstream-rhcos4-bsi-master      DONE    COMPLIANT
upstream-rhcos4-bsi-worker      DONE    COMPLIANT

4. Check for rule kube-descheduler-operator-exists

$ oc get ccr | grep kube-descheduler-operator-exists
upstream-ocp4-bsi-kube-descheduler-operator-exists                 PASS     medium

5. Check the value for variable kube-descheduler-interval

$ oc describe variables.compliance.openshift.io upstream-ocp4-kube-descheduler-interval | grep Value
Value:                     86400

6. Make sure the LifecycleAndUtilization profile is listed under .spec.profiles

$ oc get kubedeschedulers.operator.openshift.io cluster -n openshift-kube-descheduler-operator -o=jsonpath='{.spec.profiles}' 
["LifecycleAndUtilization"]

7. Check descheduler runs time is set under .spec.deschedulingIntervalSeconds

$ oc get kubedeschedulers.operator.openshift.io cluster -n openshift-kube-descheduler-operator -o=jsonpath='{.spec.deschedulingIntervalSeconds}' 
3600

8. Instruction of the rule kube-descheduler-operator-exists works as expected

$ oc get rule upstream-ocp4-kube-descheduler-operator-exists -ojsonpath={.instructions}
To check if the Kube Descheduler Operator is installed, run the following command:
oc get sub -n descheduler-operator cluster-kube-descheduler-operator -ojsonpath='{.status.installedCSV}'
the output should return the version of the CSV that represents the installed
operator.
$ oc get sub -n openshift-kube-descheduler-operator cluster-kube-descheduler-operator -ojsonpath='{.status.installedCSV}'
clusterkubedescheduleroperator.v5.0.1

[BhargaviGudi]

/label qe-approved

[openshift-ci]

@ermeratos: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-rosa	48058a9	link	true	/test e2e-rosa
ci/prow/e2e-aws-serial	48058a9	link	true	/test e2e-aws-serial

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[rhmdnd]

We recently fixed an issue with the trivy scan so you may need to rebase to pickup those changes and freshen up the test results.

[yuumasato]

@ermeratos could you rebase the PR on top of latest master?

[sluetze]

@ermeratos could you rebase the PR on top of latest master?

Hi @yuumasato ,

I talked to @ermeratos privately. He switched Jobs and employer and does not have any access to this github account anymore.

I can offer, that you close this PR and I create a new one and rebase it.

[yuumasato]

I can offer, that you close this PR and I create a new one and rebase it.

@sluetze That would be great, thank you.

[sluetze]

I can offer, that you close this PR and I create a new one and rebase it.

@sluetze That would be great, thank you.

done with #587