OCPBUGS-53041: Fix multi-platform support for OVS rules #13201

rhmdnd · 2025-03-18T22:05:38Z

No description provided.

rhmdnd · 2025-03-18T22:06:20Z

/test

openshift-ci · 2025-03-18T22:06:23Z

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/test 4.12-e2e-aws-ocp4-cis

/test 4.12-e2e-aws-ocp4-cis-node

/test 4.12-e2e-aws-ocp4-e8

/test 4.12-e2e-aws-ocp4-high

/test 4.12-e2e-aws-ocp4-high-node

/test 4.12-e2e-aws-ocp4-moderate

/test 4.12-e2e-aws-ocp4-moderate-node

/test 4.12-e2e-aws-ocp4-pci-dss

/test 4.12-e2e-aws-ocp4-pci-dss-4-0

/test 4.12-e2e-aws-ocp4-pci-dss-node

/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.12-e2e-aws-ocp4-stig

/test 4.12-e2e-aws-ocp4-stig-node

/test 4.12-e2e-aws-rhcos4-e8

/test 4.12-e2e-aws-rhcos4-high

/test 4.12-e2e-aws-rhcos4-moderate

/test 4.12-e2e-aws-rhcos4-stig

/test 4.12-images

/test 4.13-e2e-aws-ocp4-bsi

/test 4.13-e2e-aws-ocp4-bsi-node

/test 4.13-e2e-aws-ocp4-cis

/test 4.13-e2e-aws-ocp4-cis-node

/test 4.13-e2e-aws-ocp4-e8

/test 4.13-e2e-aws-ocp4-high

/test 4.13-e2e-aws-ocp4-high-node

/test 4.13-e2e-aws-ocp4-moderate

/test 4.13-e2e-aws-ocp4-moderate-node

/test 4.13-e2e-aws-ocp4-pci-dss

/test 4.13-e2e-aws-ocp4-pci-dss-4-0

/test 4.13-e2e-aws-ocp4-pci-dss-node

/test 4.13-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.13-e2e-aws-ocp4-stig

/test 4.13-e2e-aws-ocp4-stig-node

/test 4.13-e2e-aws-rhcos4-bsi

/test 4.13-e2e-aws-rhcos4-e8

/test 4.13-e2e-aws-rhcos4-high

/test 4.13-e2e-aws-rhcos4-moderate

/test 4.13-e2e-aws-rhcos4-stig

/test 4.13-images

/test 4.14-e2e-aws-ocp4-bsi

/test 4.14-e2e-aws-ocp4-bsi-node

/test 4.14-e2e-aws-ocp4-pci-dss-4-0

/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.14-e2e-aws-rhcos4-bsi

/test 4.14-images

/test 4.15-e2e-aws-ocp4-bsi

/test 4.15-e2e-aws-ocp4-bsi-node

/test 4.15-e2e-aws-ocp4-cis

/test 4.15-e2e-aws-ocp4-cis-node

/test 4.15-e2e-aws-ocp4-e8

/test 4.15-e2e-aws-ocp4-high

/test 4.15-e2e-aws-ocp4-high-node

/test 4.15-e2e-aws-ocp4-moderate

/test 4.15-e2e-aws-ocp4-moderate-node

/test 4.15-e2e-aws-ocp4-pci-dss

/test 4.15-e2e-aws-ocp4-pci-dss-4-0

/test 4.15-e2e-aws-ocp4-pci-dss-node

/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.15-e2e-aws-ocp4-stig

/test 4.15-e2e-aws-ocp4-stig-node

/test 4.15-e2e-aws-rhcos4-bsi

/test 4.15-e2e-aws-rhcos4-e8

/test 4.15-e2e-aws-rhcos4-high

/test 4.15-e2e-aws-rhcos4-moderate

/test 4.15-e2e-aws-rhcos4-stig

/test 4.15-e2e-rosa-ocp4-cis-node

/test 4.15-e2e-rosa-ocp4-pci-dss-node

/test 4.15-images

/test 4.16-e2e-aws-ocp4-bsi

/test 4.16-e2e-aws-ocp4-bsi-node

/test 4.16-e2e-aws-ocp4-cis

/test 4.16-e2e-aws-ocp4-cis-node

/test 4.16-e2e-aws-ocp4-e8

/test 4.16-e2e-aws-ocp4-high

/test 4.16-e2e-aws-ocp4-high-node

/test 4.16-e2e-aws-ocp4-moderate

/test 4.16-e2e-aws-ocp4-moderate-node

/test 4.16-e2e-aws-ocp4-pci-dss

/test 4.16-e2e-aws-ocp4-pci-dss-4-0

/test 4.16-e2e-aws-ocp4-pci-dss-node

/test 4.16-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.16-e2e-aws-ocp4-stig

/test 4.16-e2e-aws-ocp4-stig-node

/test 4.16-e2e-aws-rhcos4-bsi

/test 4.16-e2e-aws-rhcos4-e8

/test 4.16-e2e-aws-rhcos4-high

/test 4.16-e2e-aws-rhcos4-moderate

/test 4.16-e2e-aws-rhcos4-stig

/test 4.16-images

/test 4.17-e2e-aws-ocp4-bsi

/test 4.17-e2e-aws-ocp4-bsi-node

/test 4.17-e2e-aws-ocp4-cis

/test 4.17-e2e-aws-ocp4-cis-node

/test 4.17-e2e-aws-ocp4-e8

/test 4.17-e2e-aws-ocp4-high

/test 4.17-e2e-aws-ocp4-high-node

/test 4.17-e2e-aws-ocp4-moderate

/test 4.17-e2e-aws-ocp4-moderate-node

/test 4.17-e2e-aws-ocp4-pci-dss

/test 4.17-e2e-aws-ocp4-pci-dss-4-0

/test 4.17-e2e-aws-ocp4-pci-dss-node

/test 4.17-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.17-e2e-aws-ocp4-stig

/test 4.17-e2e-aws-ocp4-stig-node

/test 4.17-e2e-aws-rhcos4-bsi

/test 4.17-e2e-aws-rhcos4-e8

/test 4.17-e2e-aws-rhcos4-high

/test 4.17-e2e-aws-rhcos4-moderate

/test 4.17-e2e-aws-rhcos4-stig

/test 4.17-images

/test 4.18-e2e-aws-ocp4-bsi

/test 4.18-e2e-aws-ocp4-bsi-node

/test 4.18-e2e-aws-ocp4-cis

/test 4.18-e2e-aws-ocp4-cis-node

/test 4.18-e2e-aws-ocp4-e8

/test 4.18-e2e-aws-ocp4-high

/test 4.18-e2e-aws-ocp4-high-node

/test 4.18-e2e-aws-ocp4-moderate

/test 4.18-e2e-aws-ocp4-moderate-node

/test 4.18-e2e-aws-ocp4-pci-dss

/test 4.18-e2e-aws-ocp4-pci-dss-4-0

/test 4.18-e2e-aws-ocp4-pci-dss-node

/test 4.18-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.18-e2e-aws-ocp4-stig

/test 4.18-e2e-aws-ocp4-stig-node

/test 4.18-e2e-aws-rhcos4-bsi

/test 4.18-e2e-aws-rhcos4-e8

/test 4.18-e2e-aws-rhcos4-high

/test 4.18-e2e-aws-rhcos4-moderate

/test 4.18-e2e-aws-rhcos4-stig

/test 4.18-images

/test e2e-aws-ocp4-bsi

/test e2e-aws-ocp4-bsi-node

/test e2e-aws-ocp4-cis

/test e2e-aws-ocp4-cis-arm

/test e2e-aws-ocp4-cis-node

/test e2e-aws-ocp4-cis-node-arm

/test e2e-aws-ocp4-e8

/test e2e-aws-ocp4-high

/test e2e-aws-ocp4-high-node

/test e2e-aws-ocp4-moderate

/test e2e-aws-ocp4-moderate-node

/test e2e-aws-ocp4-pci-dss

/test e2e-aws-ocp4-pci-dss-4-0

/test e2e-aws-ocp4-pci-dss-node

/test e2e-aws-ocp4-pci-dss-node-4-0

/test e2e-aws-ocp4-stig

/test e2e-aws-ocp4-stig-node

/test e2e-aws-rhcos4-bsi

/test e2e-aws-rhcos4-e8

/test e2e-aws-rhcos4-high

/test e2e-aws-rhcos4-moderate

/test e2e-aws-rhcos4-stig

/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.12-images

pull-ci-ComplianceAsCode-content-master-4.13-images

pull-ci-ComplianceAsCode-content-master-4.14-images

pull-ci-ComplianceAsCode-content-master-4.15-images

pull-ci-ComplianceAsCode-content-master-4.16-images

pull-ci-ComplianceAsCode-content-master-4.17-images

pull-ci-ComplianceAsCode-content-master-4.18-images

pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

rhmdnd · 2025-03-18T22:06:44Z

/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm

rhmdnd · 2025-03-19T02:00:30Z

Both of the following rules pass on arm64 but that shouldn't be happening:

helpers.go:872: Result - Name: e2e-cis-node-master-file-groupowner-ovs-conf-db - Status: PASS - Severity: medium
helpers.go:1060: Rule e2e-cis-node-master-file-groupowner-ovs-conf-db matched expected result
helpers.go:872: Result - Name: e2e-cis-node-master-file-groupowner-ovs-conf-db-lock - Status: PASS - Severity: medium
helpers.go:1060: Rule e2e-cis-node-master-file-groupowner-ovs-conf-db-lock matched expected result

Specifically the file-groupowner-ovs-conf-db rule since it doesn't have a condition for aarch64_arch.

https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/master/file_groupowner_ovs_conf_db/oval/shared.xml#L6-L7

applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml

applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml

applications/openshift/master/file_groupowner_ovs_conf_db_x86/rule.yml

rhmdnd · 2025-03-25T18:38:32Z

/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm

rhmdnd · 2025-03-25T21:00:36Z

applications/openshift/master/file_groupowner_ovs_conf_db_aarch64/rule.yml

@@ -0,0 +1,37 @@
+documentation_complete: true
+
+platform: ocp4-node and aarch64_arch


Strange - this rule isn't even getting reported in the results:

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/ComplianceAsCode_content/13201/pull-ci-ComplianceAsCode-content-master-e2e-aws-ocp4-cis-node-arm/1904603840137662464

Grab the html report from the ARF results and see why this failed.

Suggested change

platform: ocp4-node and aarch64_arch

platforms:

- ocp4-node

- aarch64_arch

There is an issue with the filter_rules where when the platforms is defined within a single line the comparison will fail thinking that ocp4-node is not part of the platforms, like this:

>>> platforms = {'ocp4-node and aarch64_arch'} >>> "ocp4-node" in platforms False

😮‍💨 thanks for the help, that worked!

One thing I noticed with this is that it works for running the rule on aarch64. But, if I apply the same technique to other rules intended for x86 or s390x, they will still get selected and run in the profile:

$ oc get ccr | grep ovs-conf-db- upstream-ocp4-cis-node-master-file-groupowner-ovs-conf-db-aarch64 PASS medium upstream-ocp4-cis-node-master-file-groupowner-ovs-conf-db-s390x PASS medium upstream-ocp4-cis-node-master-file-groupowner-ovs-conf-db-x86-64 FAIL medium upstream-ocp4-cis-node-worker-file-groupowner-ovs-conf-db-aarch64 PASS medium upstream-ocp4-cis-node-worker-file-groupowner-ovs-conf-db-s390x PASS medium upstream-ocp4-cis-node-worker-file-groupowner-ovs-conf-db-x86-64 FAIL medium

It appears the x86 and s390x rules are not filtered out at run time, which is interesting because I think we do something similar with ocp4-node-on-sdn and ocp4-node-on-ovs for example.

The ovs and sdn filters are leveraged in https://github.com/ComplianceAsCode/content/blob/master/products/ocp4/profiles/cis-node-1-7.profile#L26

applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml

rhmdnd · 2025-03-28T15:34:26Z

utils/build_ds_container.py

@@ -143,7 +143,7 @@ def build_container_image():
        REPO_PATH, '/Dockerfiles/compliance_operator_content.Dockerfile')
    command = [
        'podman', 'build', '-f', dockerfile_path, '-t',
-        'localcontentbuild:latest', '.']
+        'localcontentbuild:latest', '--platform', 'linux/arm64', '.']


Should pull this out into its own change.

Vincent056 · 2025-03-28T21:43:21Z

unique-cces is failing

rhmdnd · 2025-03-28T21:55:22Z

/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm

rhmdnd · 2025-03-31T14:32:48Z

Latest testing shows the current PR is pulling in rules it shouldn't be on aarch64:

helpers.go:879: E2E-Error: e2e-cis-node-worker-file-groupowner-ovs-conf-db-s390x: Rule assertion missing
helpers.go:872: Result - Name: e2e-cis-node-worker-file-groupowner-ovs-conf-db-x86-64 - Status: FAIL - Severity: medium
helpers.go:879: E2E-Error: e2e-cis-node-worker-file-groupowner-ovs-conf-db-x86-64: Rule assertion missing
helpers.go:872: Result - Name: e2e-cis-node-worker-file-groupowner-ovs-pid - Status: PASS - Severity: medium

rhmdnd · 2025-03-31T16:04:51Z

/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm

rhmdnd · 2025-03-31T21:23:31Z

/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm

Vincent056 · 2025-04-01T01:15:48Z

ci/prow/e2e-aws-ocp4-cis-node

    helpers.go:907: Missing rule assertion entries:
        e2e-cis-node-master-file-groupowner-ovs-conf-db-x86-64:
          default_result: PASS
        e2e-cis-node-worker-file-groupowner-ovs-conf-db-x86-64:
          default_result: PASS
    helpers.go:932: Scan e2e-cis-node-mas

ci/prow/e2e-aws-ocp4-cis-node-arm

    helpers.go:907: Missing rule assertion entries:
        e2e-cis-node-master-file-groupowner-ovs-conf-db-x86-64:
          default_result: NOT-APPLICABLE
        e2e-cis-node-worker-file-groupowner-ovs-conf-db-x86-64:
          default_result: NOT-APPLICABLE

it looks like the test is working as expected

rhmdnd · 2025-04-01T03:49:49Z

/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm

rhmdnd · 2025-04-01T03:52:29Z

controls/nist_ocp4.yml

@@ -1092,14 +1092,14 @@ controls:
 - id: AC-6(8)
  status: supported
  notes: |-
-    Red Hat OpenShift provides security context constraints (SCC) [1] that control permissions for actions that a pod can perform and what resources a pod can access. 
+    Red Hat OpenShift provides security context constraints (SCC) [1] that control permissions for actions that a pod can perform and what resources a pod can access.


Fixing all these random whitespace issues in #13261

rhmdnd · 2025-04-01T03:54:42Z

/test

openshift-ci · 2025-04-01T03:54:46Z

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/test 4.12-e2e-aws-ocp4-cis

/test 4.12-e2e-aws-ocp4-cis-node

/test 4.12-e2e-aws-ocp4-e8

/test 4.12-e2e-aws-ocp4-high

/test 4.12-e2e-aws-ocp4-high-node

/test 4.12-e2e-aws-ocp4-moderate

/test 4.12-e2e-aws-ocp4-moderate-node

/test 4.12-e2e-aws-ocp4-pci-dss

/test 4.12-e2e-aws-ocp4-pci-dss-4-0

/test 4.12-e2e-aws-ocp4-pci-dss-node

/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.12-e2e-aws-ocp4-stig

/test 4.12-e2e-aws-ocp4-stig-node

/test 4.12-e2e-aws-rhcos4-e8

/test 4.12-e2e-aws-rhcos4-high

/test 4.12-e2e-aws-rhcos4-moderate

/test 4.12-e2e-aws-rhcos4-stig

/test 4.12-images

/test 4.13-e2e-aws-ocp4-bsi

/test 4.13-e2e-aws-ocp4-bsi-node

/test 4.13-e2e-aws-ocp4-cis

/test 4.13-e2e-aws-ocp4-cis-node

/test 4.13-e2e-aws-ocp4-e8

/test 4.13-e2e-aws-ocp4-high

/test 4.13-e2e-aws-ocp4-high-node

/test 4.13-e2e-aws-ocp4-moderate

/test 4.13-e2e-aws-ocp4-moderate-node

/test 4.13-e2e-aws-ocp4-pci-dss

/test 4.13-e2e-aws-ocp4-pci-dss-4-0

/test 4.13-e2e-aws-ocp4-pci-dss-node

/test 4.13-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.13-e2e-aws-ocp4-stig

/test 4.13-e2e-aws-ocp4-stig-node

/test 4.13-e2e-aws-rhcos4-bsi

/test 4.13-e2e-aws-rhcos4-e8

/test 4.13-e2e-aws-rhcos4-high

/test 4.13-e2e-aws-rhcos4-moderate

/test 4.13-e2e-aws-rhcos4-stig

/test 4.13-images

/test 4.14-e2e-aws-ocp4-bsi

/test 4.14-e2e-aws-ocp4-bsi-node

/test 4.14-e2e-aws-ocp4-pci-dss-4-0

/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.14-e2e-aws-rhcos4-bsi

/test 4.14-images

/test 4.15-e2e-aws-ocp4-bsi

/test 4.15-e2e-aws-ocp4-bsi-node

/test 4.15-e2e-aws-ocp4-cis

/test 4.15-e2e-aws-ocp4-cis-node

/test 4.15-e2e-aws-ocp4-e8

/test 4.15-e2e-aws-ocp4-high

/test 4.15-e2e-aws-ocp4-high-node

/test 4.15-e2e-aws-ocp4-moderate

/test 4.15-e2e-aws-ocp4-moderate-node

/test 4.15-e2e-aws-ocp4-pci-dss

/test 4.15-e2e-aws-ocp4-pci-dss-4-0

/test 4.15-e2e-aws-ocp4-pci-dss-node

/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.15-e2e-aws-ocp4-stig

/test 4.15-e2e-aws-ocp4-stig-node

/test 4.15-e2e-aws-rhcos4-bsi

/test 4.15-e2e-aws-rhcos4-e8

/test 4.15-e2e-aws-rhcos4-high

/test 4.15-e2e-aws-rhcos4-moderate

/test 4.15-e2e-aws-rhcos4-stig

/test 4.15-e2e-rosa-ocp4-cis-node

/test 4.15-e2e-rosa-ocp4-pci-dss-node

/test 4.15-images

/test 4.16-e2e-aws-ocp4-bsi

/test 4.16-e2e-aws-ocp4-bsi-node

/test 4.16-e2e-aws-ocp4-cis

/test 4.16-e2e-aws-ocp4-cis-node

/test 4.16-e2e-aws-ocp4-e8

/test 4.16-e2e-aws-ocp4-high

/test 4.16-e2e-aws-ocp4-high-node

/test 4.16-e2e-aws-ocp4-moderate

/test 4.16-e2e-aws-ocp4-moderate-node

/test 4.16-e2e-aws-ocp4-pci-dss

/test 4.16-e2e-aws-ocp4-pci-dss-4-0

/test 4.16-e2e-aws-ocp4-pci-dss-node

/test 4.16-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.16-e2e-aws-ocp4-stig

/test 4.16-e2e-aws-ocp4-stig-node

/test 4.16-e2e-aws-rhcos4-bsi

/test 4.16-e2e-aws-rhcos4-e8

/test 4.16-e2e-aws-rhcos4-high

/test 4.16-e2e-aws-rhcos4-moderate

/test 4.16-e2e-aws-rhcos4-stig

/test 4.16-images

/test 4.17-e2e-aws-ocp4-bsi

/test 4.17-e2e-aws-ocp4-bsi-node

/test 4.17-e2e-aws-ocp4-cis

/test 4.17-e2e-aws-ocp4-cis-node

/test 4.17-e2e-aws-ocp4-e8

/test 4.17-e2e-aws-ocp4-high

/test 4.17-e2e-aws-ocp4-high-node

/test 4.17-e2e-aws-ocp4-moderate

/test 4.17-e2e-aws-ocp4-moderate-node

/test 4.17-e2e-aws-ocp4-pci-dss

/test 4.17-e2e-aws-ocp4-pci-dss-4-0

/test 4.17-e2e-aws-ocp4-pci-dss-node

/test 4.17-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.17-e2e-aws-ocp4-stig

/test 4.17-e2e-aws-ocp4-stig-node

/test 4.17-e2e-aws-rhcos4-bsi

/test 4.17-e2e-aws-rhcos4-e8

/test 4.17-e2e-aws-rhcos4-high

/test 4.17-e2e-aws-rhcos4-moderate

/test 4.17-e2e-aws-rhcos4-stig

/test 4.17-images

/test 4.18-e2e-aws-ocp4-bsi

/test 4.18-e2e-aws-ocp4-bsi-node

/test 4.18-e2e-aws-ocp4-cis

/test 4.18-e2e-aws-ocp4-cis-node

/test 4.18-e2e-aws-ocp4-e8

/test 4.18-e2e-aws-ocp4-high

/test 4.18-e2e-aws-ocp4-high-node

/test 4.18-e2e-aws-ocp4-moderate

/test 4.18-e2e-aws-ocp4-moderate-node

/test 4.18-e2e-aws-ocp4-pci-dss

/test 4.18-e2e-aws-ocp4-pci-dss-4-0

/test 4.18-e2e-aws-ocp4-pci-dss-node

/test 4.18-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.18-e2e-aws-ocp4-stig

/test 4.18-e2e-aws-ocp4-stig-node

/test 4.18-e2e-aws-rhcos4-bsi

/test 4.18-e2e-aws-rhcos4-e8

/test 4.18-e2e-aws-rhcos4-high

/test 4.18-e2e-aws-rhcos4-moderate

/test 4.18-e2e-aws-rhcos4-stig

/test 4.18-images

/test e2e-aws-ocp4-bsi

/test e2e-aws-ocp4-bsi-node

/test e2e-aws-ocp4-cis

/test e2e-aws-ocp4-cis-arm

/test e2e-aws-ocp4-cis-node

/test e2e-aws-ocp4-cis-node-arm

/test e2e-aws-ocp4-e8

/test e2e-aws-ocp4-high

/test e2e-aws-ocp4-high-node

/test e2e-aws-ocp4-moderate

/test e2e-aws-ocp4-moderate-arm

/test e2e-aws-ocp4-moderate-node

/test e2e-aws-ocp4-moderate-node-arm

/test e2e-aws-ocp4-pci-dss

/test e2e-aws-ocp4-pci-dss-4-0

/test e2e-aws-ocp4-pci-dss-node

/test e2e-aws-ocp4-pci-dss-node-4-0

/test e2e-aws-ocp4-stig

/test e2e-aws-ocp4-stig-node

/test e2e-aws-rhcos4-bsi

/test e2e-aws-rhcos4-e8

/test e2e-aws-rhcos4-high

/test e2e-aws-rhcos4-moderate

/test e2e-aws-rhcos4-moderate-arm

/test e2e-aws-rhcos4-stig

/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.12-images

pull-ci-ComplianceAsCode-content-master-4.13-images

pull-ci-ComplianceAsCode-content-master-4.14-images

pull-ci-ComplianceAsCode-content-master-4.15-images

pull-ci-ComplianceAsCode-content-master-4.16-images

pull-ci-ComplianceAsCode-content-master-4.17-images

pull-ci-ComplianceAsCode-content-master-4.18-images

pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

rhmdnd · 2025-04-01T03:55:29Z

/test e2e-aws-ocp4-moderate-node-arm

applications/openshift/master/file_groupowner_ovs_conf_db_lock_openvswitch/rule.yml

applications/openshift/master/file_groupowner_ovs_conf_db_openvswitch/rule.yml

shared/references/cce-redhat-avail.txt

applications/openshift/master/file_groupowner_ovs_conf_db/rule.yml

shared/references/cce-redhat-avail.txt

rhmdnd · 2025-04-01T14:28:36Z

/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-moderate-node-arm
/test 4.15-e2e-aws-ocp4-pci-dss-node

ssg/entities/profile_base.py

The approach we're using with OVAL to select rules based on conditions doesn't work for multi-arch checks. Instead, the rule always passes even when it's checking a platform that has `openvswitch` for the group owner instead of `hugetlbfs`. This commit attempts to simplify the rule by removing the complexity of OVAL and relying on individual rules, one for checking group ownership for openvswitch and the other for hugetlbfs. It also uses the platform consistently, instead of using platforms, which expects a list of conditions. Using platform is more straightforward, and incorporates the architecture CPE into the evaluation at runtime.

codeclimate · 2025-04-01T20:36:00Z

Code Climate has analyzed commit 8e54261 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

rhmdnd · 2025-04-01T21:11:45Z

/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-cis-node-arm
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-moderate-node-arm
/test 4.15-e2e-aws-ocp4-pci-dss-node

rhmdnd · 2025-04-02T00:27:58Z

Rerunning testing farm because of the following timeouts:

2025-04-01 21:17:49 test.py:52: lib.waive.collect_waivers:150: using /var/ARTIFACTS/work-anssi_bp28_highd2k_qsbf/hardening/host-os/oscap/anssi_bp28_high/discover/default-0/tests/conf/waivers for waiving
2025-04-01 21:17:49 test.py:52: lib.results.report_plain:186: ERROR / (timed out: test exceeded duration time)
Connection to 18.219.58.56 closed.

Which seems unrelated to this change. @Mab879 are you seeing this crop up in other patches?

xiaojiey · 2025-04-02T04:21:04Z

Verified on a x86 clsuter + 4.19.0-0.nightly-2025-03-31-174812 + content from #13201:

% oc debug node/ip-10-0-27-125.us-east-2.compute.internal  -- chroot /host ls -lL /etc/openvswitch/system-id.conf
Starting pod/ip-10-0-27-125us-east-2computeinternal-debug-jwc96 ...
To use host binaries, run `chroot /host`
-rw-r--r--. 1 openvswitch hugetlbfs 37 Apr  2 01:31 /etc/openvswitch/system-id.conf

Removing debug pod ...
% oc get ccr | grep -i file-groupowner-ovs-sys-id-conf            
upstream-ocp4-cis-node-master-file-groupowner-ovs-sys-id-conf-hugetlbfs                PASS     medium
upstream-ocp4-cis-node-worker-file-groupowner-ovs-sys-id-conf-hugetlbfs                PASS     medium
##The test result align with the test result in e2e-aws-ocp4-cis-node job:
    helpers.go:872: Result - Name: e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-hugetlbfs - Status: PASS - Severity: medium
    helpers.go:1060: Rule e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-hugetlbfs matched expected result
    helpers.go:872: Result - Name: e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-openvswitch - Status: NOT-APPLICABLE - Severity: medium
    helpers.go:1060: Rule e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-openvswitch matched expected result
    helpers.go:872: Result - Name: e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-hugetlbfs - Status: PASS - Severity: medium
    helpers.go:1060: Rule e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-hugetlbfs matched expected result
    helpers.go:872: Result - Name: e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-openvswitch - Status: NOT-APPLICABLE - Severity: medium
    helpers.go:1060: Rule e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-openvswitch matched expected result

For ARM, checked below test result form e2e-aws-ocp4-cis-node-arm job, which is expected:

    helpers.go:872: Result - Name: e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-hugetlbfs - Status: NOT-APPLICABLE - Severity: medium
    helpers.go:1060: Rule e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-hugetlbfs matched expected result
    helpers.go:872: Result - Name: e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-openvswitch - Status: PASS - Severity: medium
    helpers.go:1060: Rule e2e-cis-node-master-file-groupowner-ovs-sys-id-conf-openvswitch matched expected result
    helpers.go:872: Result - Name: e2e-cis-node-worker-file-groupowner-ovs-sys-id-conf-hugetlbfs - Status: NOT-APPLICABLE - Severity: medium
    helpers.go:1060: Rule e2e-cis-node-worker-file-groupowner-ovs-sys-id-conf-hugetlbfs matched expected result
    helpers.go:872: Result - Name: e2e-cis-node-worker-file-groupowner-ovs-sys-id-conf-openvswitch - Status: PASS - Severity: medium
    helpers.go:1060: Rule e2e-cis-node-worker-file-groupowner-ovs-sys-id-conf-openvswitch matched expected result

Vincent056 · 2025-04-02T14:33:59Z

/lgtm

There were added initially in ComplianceAsCode#13201 but were added for the platform profiles in addition to the node profiles.

rhmdnd requested a review from Vincent056 March 18, 2025 22:05

rhmdnd mentioned this pull request Mar 19, 2025

filter_rules does not work with boolean "dynamic" platforms #9077

Open

rhmdnd commented Mar 19, 2025

View reviewed changes

applications/openshift/master/file_groupowner_ovs_conf_db_lock_not_s390x/rule.yml Outdated Show resolved Hide resolved

rhmdnd force-pushed the OCPBUGS-53041 branch from 04e2e80 to 937b155 Compare March 19, 2025 20:16

rhmdnd commented Mar 19, 2025

View reviewed changes

applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml Outdated Show resolved Hide resolved

rhmdnd commented Mar 19, 2025

View reviewed changes

applications/openshift/master/file_groupowner_ovs_conf_db_x86/rule.yml Outdated Show resolved Hide resolved

jan-cerny added the OpenShift OpenShift product related. label Mar 25, 2025

rhmdnd commented Mar 25, 2025

View reviewed changes

applications/openshift/master/file_groupowner_ovs_conf_db_x86/rule.yml Outdated Show resolved Hide resolved

rhmdnd force-pushed the OCPBUGS-53041 branch 3 times, most recently from c504136 to b69553d Compare March 25, 2025 18:37

rhmdnd commented Mar 25, 2025

View reviewed changes

rhmdnd commented Mar 28, 2025

View reviewed changes

applications/openshift/master/file_groupowner_ovs_conf_db_s390x/rule.yml Outdated Show resolved Hide resolved

rhmdnd commented Mar 28, 2025

View reviewed changes

rhmdnd force-pushed the OCPBUGS-53041 branch from b69553d to 86eb022 Compare March 28, 2025 21:54

rhmdnd added this to the 0.1.77 milestone Mar 31, 2025

rhmdnd force-pushed the OCPBUGS-53041 branch from 86eb022 to c7fc94f Compare March 31, 2025 16:04

rhmdnd force-pushed the OCPBUGS-53041 branch from f612d8a to 94c440f Compare April 1, 2025 03:49