Update assertions for kubelet-client-cert|key rules #12366

rhmdnd · 2024-09-05T13:42:46Z

We recently enabled these rules for 4.17, but didn't update the 4.17
assertion files for STIG, FedRAMP High, FedRAMP Moderate, or CIS. This
commit does that so that so the tests assert the correct behavior on
4.17.

#12311

rhmdnd · 2024-09-05T13:44:00Z

/test

openshift-ci · 2024-09-05T13:44:03Z

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/test 4.12-e2e-aws-ocp4-cis
/test 4.12-e2e-aws-ocp4-cis-node
/test 4.12-e2e-aws-ocp4-e8
/test 4.12-e2e-aws-ocp4-high
/test 4.12-e2e-aws-ocp4-high-node
/test 4.12-e2e-aws-ocp4-moderate
/test 4.12-e2e-aws-ocp4-moderate-node
/test 4.12-e2e-aws-ocp4-pci-dss
/test 4.12-e2e-aws-ocp4-pci-dss-4-0
/test 4.12-e2e-aws-ocp4-pci-dss-node
/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.12-e2e-aws-ocp4-stig
/test 4.12-e2e-aws-ocp4-stig-node
/test 4.12-e2e-aws-rhcos4-e8
/test 4.12-e2e-aws-rhcos4-high
/test 4.12-e2e-aws-rhcos4-moderate
/test 4.12-e2e-aws-rhcos4-stig
/test 4.12-images
/test 4.13-e2e-aws-ocp4-bsi
/test 4.13-e2e-aws-ocp4-bsi-node
/test 4.13-e2e-aws-ocp4-cis
/test 4.13-e2e-aws-ocp4-cis-node
/test 4.13-e2e-aws-ocp4-e8
/test 4.13-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high-node
/test 4.13-e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate-node
/test 4.13-e2e-aws-ocp4-pci-dss
/test 4.13-e2e-aws-ocp4-pci-dss-4-0
/test 4.13-e2e-aws-ocp4-pci-dss-node
/test 4.13-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.13-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig-node
/test 4.13-e2e-aws-rhcos4-bsi
/test 4.13-e2e-aws-rhcos4-e8
/test 4.13-e2e-aws-rhcos4-high
/test 4.13-e2e-aws-rhcos4-moderate
/test 4.13-e2e-aws-rhcos4-stig
/test 4.13-images
/test 4.14-e2e-aws-ocp4-bsi
/test 4.14-e2e-aws-ocp4-bsi-node
/test 4.14-e2e-aws-ocp4-pci-dss-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.14-e2e-aws-rhcos4-bsi
/test 4.14-images
/test 4.15-e2e-aws-ocp4-bsi
/test 4.15-e2e-aws-ocp4-bsi-node
/test 4.15-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-e8
/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate-node
/test 4.15-e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-pci-dss-4-0
/test 4.15-e2e-aws-ocp4-pci-dss-node
/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.15-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig-node
/test 4.15-e2e-aws-rhcos4-bsi
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-moderate
/test 4.15-e2e-aws-rhcos4-stig
/test 4.15-e2e-rosa-ocp4-cis-node
/test 4.15-e2e-rosa-ocp4-pci-dss-node
/test 4.15-images
/test 4.16-e2e-aws-ocp4-bsi
/test 4.16-e2e-aws-ocp4-bsi-node
/test 4.16-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-e8
/test 4.16-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high-node
/test 4.16-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate-node
/test 4.16-e2e-aws-ocp4-pci-dss
/test 4.16-e2e-aws-ocp4-pci-dss-4-0
/test 4.16-e2e-aws-ocp4-pci-dss-node
/test 4.16-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.16-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig-node
/test 4.16-e2e-aws-rhcos4-bsi
/test 4.16-e2e-aws-rhcos4-e8
/test 4.16-e2e-aws-rhcos4-high
/test 4.16-e2e-aws-rhcos4-moderate
/test 4.16-e2e-aws-rhcos4-stig
/test 4.16-images
/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-cis-node
/test 4.17-e2e-aws-ocp4-e8
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-high-node
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-moderate-node
/test 4.17-e2e-aws-ocp4-pci-dss
/test 4.17-e2e-aws-ocp4-pci-dss-4-0
/test 4.17-e2e-aws-ocp4-pci-dss-node
/test 4.17-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-stig-node
/test 4.17-e2e-aws-rhcos4-bsi
/test 4.17-e2e-aws-rhcos4-e8
/test 4.17-e2e-aws-rhcos4-high
/test 4.17-e2e-aws-rhcos4-moderate
/test 4.17-e2e-aws-rhcos4-stig
/test 4.17-images
/test e2e-aws-ocp4-bsi
/test e2e-aws-ocp4-bsi-node
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-4-0
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-pci-dss-node-4-0
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-bsi
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.12-images
pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-4.17-images
pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

github-actions · 2024-09-05T13:44:10Z

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

rhmdnd · 2024-09-05T13:45:35Z

/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-pci-dss-4-0

github-actions · 2024-09-05T14:04:49Z

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12366
This image was built from commit: 6c3503f

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12366

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12366 make deploy-local

yuumasato · 2024-09-05T18:30:59Z

@rhmdnd #12311 also updated rule kubelet-configure-tls-cert and kubelet-configure-tls-key which are also failing assertion, 😓

See: 4.17-e2e-aws-ocp4-pci-dss-4-0

    helpers.go:872: Result - Name: e2e-pci-dss-4-0-kubelet-configure-tls-cert - Status: PASS - Severity: medium
    helpers.go:879: E2E-FAILURE: The expected result for the e2e-pci-dss-4-0-kubelet-configure-tls-cert rule didn't match. Expected 'NOT-APPLICABLE', Got 'PASS' 
...
    helpers.go:872: Result - Name: e2e-pci-dss-4-0-kubelet-configure-tls-key - Status: PASS - Severity: medium
    helpers.go:879: E2E-FAILURE: The expected result for the e2e-pci-dss-4-0-kubelet-configure-tls-key rule didn't match. Expected 'NOT-APPLICABLE', Got 'PASS'

rhmdnd · 2024-09-12T13:26:46Z

/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-pci-dss-4-0

We recently enabled these rules for 4.17, but didn't update the 4.17 assertion files for FedRAMP High, FedRAMP Moderate, PCI-DSS, or CIS. This commit does that so that so the tests assert the correct behavior on 4.17. ComplianceAsCode#12311

rhmdnd · 2024-09-13T13:31:46Z

/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-pci-dss-4-0

codeclimate · 2024-09-13T14:14:27Z

Code Climate has analyzed commit 6c3503f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

rhmdnd · 2024-09-13T18:23:14Z

/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-pci-dss-4-0

rhmdnd · 2024-09-13T19:14:52Z

/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-pci-dss-4-0

yuumasato · 2024-09-16T09:41:28Z

/packit retest-failed

yuumasato · 2024-09-16T09:41:43Z

/retest

yuumasato · 2024-09-16T17:45:15Z

/retest

openshift-ci · 2024-09-16T20:08:35Z

@rhmdnd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.17-e2e-aws-ocp4-stig	`6c3503f`	link	true	`/test 4.17-e2e-aws-ocp4-stig`
ci/prow/4.17-e2e-aws-ocp4-pci-dss-4-0	`6c3503f`	link	true	`/test 4.17-e2e-aws-ocp4-pci-dss-4-0`
ci/prow/4.17-e2e-aws-ocp4-cis	`6c3503f`	link	true	`/test 4.17-e2e-aws-ocp4-cis`
ci/prow/4.17-e2e-aws-ocp4-moderate	`6c3503f`	link	true	`/test 4.17-e2e-aws-ocp4-moderate`
ci/prow/4.17-e2e-aws-ocp4-high	`6c3503f`	link	true	`/test 4.17-e2e-aws-ocp4-high`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yuumasato · 2024-09-17T14:10:24Z

The prow tests are falling to come up, but the changes look good to me.
Merging and expecting these failures to be sorted out in next CI wave.

rhmdnd requested a review from yuumasato September 5, 2024 13:42

rhmdnd added this to the 0.1.75 milestone Sep 5, 2024

yuumasato self-assigned this Sep 5, 2024

yuumasato added the OpenShift OpenShift product related. label Sep 5, 2024

openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Sep 7, 2024

rhmdnd force-pushed the update-assertions-for-kubelet-client-cert branch from cd32877 to 24fef5b Compare September 12, 2024 13:25

openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Sep 12, 2024

rhmdnd force-pushed the update-assertions-for-kubelet-client-cert branch from 24fef5b to 6c3503f Compare September 13, 2024 13:31

yuumasato approved these changes Sep 17, 2024

View reviewed changes

yuumasato merged commit 05980b0 into ComplianceAsCode:master Sep 17, 2024
100 of 105 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update assertions for kubelet-client-cert|key rules #12366

Update assertions for kubelet-client-cert|key rules #12366

rhmdnd commented Sep 5, 2024

rhmdnd commented Sep 5, 2024

openshift-ci bot commented Sep 5, 2024

github-actions bot commented Sep 5, 2024

rhmdnd commented Sep 5, 2024

github-actions bot commented Sep 5, 2024 •

edited

Loading

yuumasato commented Sep 5, 2024

rhmdnd commented Sep 12, 2024

rhmdnd commented Sep 13, 2024

codeclimate bot commented Sep 13, 2024

rhmdnd commented Sep 13, 2024

rhmdnd commented Sep 13, 2024

yuumasato commented Sep 16, 2024

yuumasato commented Sep 16, 2024

yuumasato commented Sep 16, 2024

openshift-ci bot commented Sep 16, 2024

yuumasato commented Sep 17, 2024

Update assertions for kubelet-client-cert|key rules #12366

Update assertions for kubelet-client-cert|key rules #12366

Conversation

rhmdnd commented Sep 5, 2024

rhmdnd commented Sep 5, 2024

openshift-ci bot commented Sep 5, 2024

github-actions bot commented Sep 5, 2024

rhmdnd commented Sep 5, 2024

github-actions bot commented Sep 5, 2024 • edited Loading

yuumasato commented Sep 5, 2024

rhmdnd commented Sep 12, 2024

rhmdnd commented Sep 13, 2024

codeclimate bot commented Sep 13, 2024

rhmdnd commented Sep 13, 2024

rhmdnd commented Sep 13, 2024

yuumasato commented Sep 16, 2024

yuumasato commented Sep 16, 2024

yuumasato commented Sep 16, 2024

openshift-ci bot commented Sep 16, 2024

yuumasato commented Sep 17, 2024

github-actions bot commented Sep 5, 2024 •

edited

Loading