
Fixing rule checks for CMP-3034 #12686

Open: wants to merge 1 commit into base: master

Conversation

rutvik23
Contributor

@rutvik23 rutvik23 commented Dec 9, 2024

Description:

The PCI-DSS compliance rule ocp4-security-profiles-operator-exists is not able to check the existence of the subscription object due to an extra suffix -sub in the command oc get subscription security-profiles-operator-sub -nopenshift-security-profiles -o jsonpath='{.status.installedCSV}', as well as inside the file path: /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles-sub/subscriptions/

Rationale:

Fixes CMP-3034

Review Hints:

  1. Install compliance-operator v1.6.0
  2. Run ocp4-pci-dss-4-0/ocp4-pci-dss profile scan
  3. Check the CCR for failed rule ocp4-security-profiles-operator-exists
  4. Install the security-profile-operator to remediate this rule.
  5. Re-run the compliance scan
  6. The CCR would still show FAIL status for rule ocp4-security-profiles-operator-exists
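The following is an added example, not code from the PR or from the ComplianceAsCode project. It simulates how a rule that reads the cluster configuration dump resolves the Security Profiles Operator Subscription, showing why a lookup pinned to the object name `security-profiles-operator-sub` comes back empty (rule FAIL) when the object was created as `security-profiles-operator`, and, going one step beyond the PR, how a lookup that lists the namespace's Subscriptions and matches on the OLM package name (`spec.name`, assumed here to be `security-profiles-operator`) works regardless of the object name. The dump contents, the CSV string and the `CLUSTER_DUMP` layout are constructed for the example.

```python
# Added example (not from the PR or ComplianceAsCode): simulate a
# configuration-dump lookup of the SPO Subscription.

NAMESPACE = "openshift-security-profiles"
SUB_PATH = f"/apis/operators.coreos.com/v1alpha1/namespaces/{NAMESPACE}/subscriptions"
# OLM package name of the operator; assumed, not taken from the PR.
PACKAGE = "security-profiles-operator"

# Constructed Subscription object: only the fields the check needs are set.
# The installedCSV value is a placeholder, not a real release.
_SUBSCRIPTION = {
    "kind": "Subscription",
    "metadata": {"name": "security-profiles-operator", "namespace": NAMESPACE},
    "spec": {"name": PACKAGE},
    "status": {"installedCSV": "security-profiles-operator.v0.0.0-example"},
}

# Constructed cluster dump: API path -> JSON the API server would have returned.
# The dump tool fetched both the single object and the namespace listing.
CLUSTER_DUMP = {
    f"{SUB_PATH}/security-profiles-operator": _SUBSCRIPTION,
    SUB_PATH: {"kind": "SubscriptionList", "items": [_SUBSCRIPTION]},
}


def installed_csv_by_name(dump, name):
    """Hard-coded lookup, as the rule does: fetch one Subscription by object name.

    Returns the installed CSV, or None when the object is absent from the dump
    (which the rule reports as FAIL even if the operator is installed under
    another object name).
    """
    obj = dump.get(f"{SUB_PATH}/{name}")
    if obj is None:
        return None
    return obj.get("status", {}).get("installedCSV")


def installed_csv_by_package(dump, package=PACKAGE):
    """Name-independent lookup: scan the namespace listing and match spec.name.

    This does not depend on how the Subscription object was named at install
    time (console vs. CLI), only on which OLM package it subscribes to.
    """
    listing = dump.get(SUB_PATH, {})
    for item in listing.get("items", []):
        if item.get("spec", {}).get("name") == package:
            return item.get("status", {}).get("installedCSV")
    return None


def rule_result(csv):
    """Map a lookup result to the compliance outcome the CCR would show."""
    return "PASS" if csv else "FAIL"


if __name__ == "__main__":
    # Before the fix: suffixed name is not in the dump -> FAIL.
    print("by name (-sub):", rule_result(installed_csv_by_name(CLUSTER_DUMP, "security-profiles-operator-sub")))
    # After the fix: the object name used by the console install -> PASS.
    print("by name:       ", rule_result(installed_csv_by_name(CLUSTER_DUMP, "security-profiles-operator")))
    # Name-independent variant -> PASS whatever the object is called.
    print("by package:    ", rule_result(installed_csv_by_package(CLUSTER_DUMP)))
```

Running the block prints FAIL for the suffixed name and PASS for the other two lookups. The package-based variant is the defensive choice for a compliance check: a rule that encodes one installation method's object name reports a false FAIL (or, worse, a false PASS if a differently named object were never inspected) whenever the operator was installed another way.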


openshift-ci bot commented Dec 9, 2024

Hi @rutvik23. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Dec 9, 2024

github-actions bot commented Dec 9, 2024

Start a new ephemeral environment with changes proposed in this pull request:

  - ocp4 (from CTF) Environment (using Fedora as testing environment)
  - Fedora Testing Environment
  - Oracle Linux 8 Environment


github-actions bot commented Dec 9, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_security_profiles_operator_exists'.
--- xccdf_org.ssgproject.content_rule_security_profiles_operator_exists
+++ xccdf_org.ssgproject.content_rule_security_profiles_operator_exists
@@ -13,7 +13,7 @@
 
 [warning]:
 This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub API endpoint to the local /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator-sub file.
+Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator API endpoint to the local /apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/security-profiles-operator file.
 
 [reference]:
 SYS.1.6.A21
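Review bot: the rewritten warning (the `+Therefore, ...` line) still ties the check to a single Subscription object name, `security-profiles-operator`, so a cluster whose Subscription was created as `security-profiles-operator-sub` (the name the previous text assumed, and the one the CLI install documentation referenced later in this thread uses) will now fail the rule instead. Consider having the rule dump the namespace listing, `/apis/operators.coreos.com/v1alpha1/namespaces/openshift-security-profiles/subscriptions/`, and select the Subscription by its package (`spec.name`) rather than by object name, or at minimum state in the rule description which installation method the expected object name corresponds to.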

OCIL for rule 'xccdf_org.ssgproject.content_rule_security_profiles_operator_exists' differs.
--- ocil:ssg-security_profiles_operator_exists_ocil:questionnaire:1
+++ ocil:ssg-security_profiles_operator_exists_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 To check if the Security Profiles Operator is installed, run the following command:
-oc get sub -nopenshift-security-profiles security-profiles-operator-sub -ojsonpath='{.status.installedCSV}'
+oc get sub -nopenshift-security-profiles security-profiles-operator -ojsonpath='{.status.installedCSV}'
 the output should return the version of the CSV that represents the installed operator.
       Is it the case that the security profiles operator is not installed?
       
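Review bot: the corrected OCIL command, `oc get sub -nopenshift-security-profiles security-profiles-operator -ojsonpath='{.status.installedCSV}'`, carries the same single-name dependency as the rule check: when the Subscription object has a different name, `oc get` reports a NotFound error rather than an empty CSV, and an auditor following the questionnaire may read that as "operator not installed". A name-independent form, assuming the OLM package is `security-profiles-operator`, would be `oc get sub -n openshift-security-profiles -o jsonpath='{.items[?(@.spec.name=="security-profiles-operator")].status.installedCSV}'`, which returns the installed CSV whatever the object is called.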


codeclimate bot commented Dec 9, 2024

Code Climate has analyzed commit c0c5b35 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

@yuumasato
Member

Interesting, when installing through the web console, the Subscription CRD is named security-profiles-operator instead of security-profiles-operator-sub.

I think this needs to be adjusted in https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/security_and_compliance/security-profiles-operator#spo-installing-cli_spo-enabling as well.
CC: @sheriff-rh @GroceryBoyJr

@yuumasato
Member

/test e2e-aws-ocp4-bsi

@yuumasato
Member

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Dec 12, 2024
@yuumasato
Member

/test e2e-aws-ocp4-bsi

@yuumasato yuumasato assigned yuumasato and unassigned yuumasato Dec 12, 2024
@yuumasato yuumasato added the OpenShift OpenShift product related. label Dec 12, 2024

openshift-ci bot commented Dec 12, 2024

@rutvik23: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-aws-ocp4-bsi; Commit: c0c5b35; Required: true; Rerun command: /test e2e-aws-ocp4-bsi


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
