OCPBUGS-19690: Enable host network to access host sysctls #497
'hostNetwork: true' grants access to the host's sysctl configurations. 'dnsPolicy: ClusterFirstWithHostnet' is required to access services.
@yuumasato: This pull request references Jira Issue OCPBUGS-19690, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
nice finding!
/hold for test
Verification passed with 4.16.0-0.nightly-2024-04-16-195622 + compliance-operator with PR #497 code + PR #11722 code
/unhold
/label qe-approved
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: BhargaviGudi, yuumasato. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@BhargaviGudi Thank you for testing this. I re-tested again and cannot reproduce the error I had mentioned in the PR description.
Below are some of the runtime objects collected; they match the static configuration now.
@yuumasato: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
With HostNetwork: true, the sysctl net.core.bpf_jit_harden becomes visible to the scanner container. Below is a pod that has access to the sysctls:
$ oc create -f list-syctls-proc.yaml
$ oc logs list-sysctls
DNSPolicy: ClusterFirstWithHostNet allows the CO to upload to resultserver; otherwise we get the following error:
{"level":"info","ts":"2024-03-15T18:45:57Z","logger":"cmd","msg":"Trying to upload to resultserver","url":"https://upstream-rhcos4-high-worker-rs:8443/"}
{"level":"error","ts":"2024-03-15T18:45:57Z","logger":"cmd","msg":"Failed to upload results to server","error":"Post \"https://upstream-rhcos4-high-worker-rs:8443/\": dial tcp: lookup upstream-rhcos4-high-worker-rs on 10.0.0.2:53: no such host","stacktrace":"github.com/ComplianceAsCode/compliance-operator/cmd/manager.uploadToResultServer.func1\n\tgithub.com/ComplianceAsCode/compliance-operator/cmd/manager/resultcollector.go:316\ngithub.com/cenkalti/backoff/v4.RetryNotifyWithTimer.Operation.withEmptyData.func1\n\tgithub.com/cenkalti/backoff/v4@v4.2.1/retry.go:18\ngithub.com/cenkalti/backoff/v4.doRetryNotify[...]\n\tgithub.com/cenkalti/backoff/v4@v4.2.1/retry.go:88\ngithub.com/cenkalti/backoff/v4.RetryNotifyWithTimer\n\tgithub.com/cenkalti/backoff/v4@v4.2.1/retry.go:61\ngithub.com/cenkalti/backoff/v4.RetryNotify\n\tgithub.com/cenkalti/backoff/v4@v4.2.1/retry.go:49\ngithub.com/cenkalti/backoff/v4.Retry\n\tgithub.com/cenkalti/backoff/v4@v4.2.1/retry.go:38\ngithub.com/ComplianceAsCode/compliance-operator/cmd/manager.uploadToResultServer\n\tgithub.com/ComplianceAsCode/compliance-operator/cmd/manager/resultcollector.go:299\ngithub.com/ComplianceAsCode/compliance-operator/cmd/manager.handleCompleteSCAPResults.func1\n\tgithub.com/ComplianceAsCode/compliance-operator/cmd/manager/resultcollector.go:390"}
Use the content from Re-enable runtime check on network related sysctls content#11722 to check whether the scanner container can access the sysctls correctly.
oc compliance bind -S default-auto-apply -N test profile/upstream-rhcos4-moderate
EDIT: I have re-tested and DNSPolicy: ClusterFirstWithHostNet indeed solves the "no such host" error when trying to upload to resultserver.
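The hostNetwork / dnsPolicy pairing the description relies on, as an added example that is not part of this PR or of the compliance-operator code base: a Python pre-flight check over a pod manifest held as a plain dict (the shape of a v1 Pod), which reports a pod that shares the host network namespace and flags the case where such a pod keeps the default ClusterFirst DNS policy and therefore cannot resolve cluster service names, plus a small classifier for the JSON error line quoted above. The pod name, namespace, container image, sysctl path and the sample log line are constructed for the example.

```python
"""Pre-flight check for hostNetwork pods (added example, not compliance-operator code).

A pod with hostNetwork: true is attached to the node's network namespace, so
net.* sysctls read from /proc/sys are the host's. Kubernetes applies
dnsPolicy ClusterFirst when the field is omitted, and for hostNetwork pods
ClusterFirst falls back to the node's resolver; only ClusterFirstWithHostNet
routes lookups through the cluster DNS, which is what the resultserver
service name needs.
"""
import json

CLUSTER_FIRST_WITH_HOST_NET = "ClusterFirstWithHostNet"
KUBE_DEFAULT_DNS_POLICY = "ClusterFirst"  # kubelet default when dnsPolicy is omitted


def scanner_pod(name: str, namespace: str, host_network: bool = True,
                dns_policy: str = CLUSTER_FIRST_WITH_HOST_NET) -> dict:
    """Constructed manifest for a pod that reads one host sysctl via /proc/sys."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "hostNetwork": host_network,
            "dnsPolicy": dns_policy,
            "restartPolicy": "Never",
            "containers": [{
                "name": "list-sysctls",
                "image": "registry.example/sysctl-reader:latest",  # placeholder image
                # net.core.* belongs to the network namespace the pod runs in;
                # with hostNetwork that is the host's namespace.
                "command": ["sh", "-c", "cat /proc/sys/net/core/bpf_jit_harden"],
            }],
        },
    }


def check_pod(pod: dict) -> list:
    """Return (code, message) findings; an empty list means nothing to report.

    HOST_NETWORK is informational (worth a look in review), DNS_POLICY is a
    misconfiguration that will break cluster-service name resolution.
    """
    findings = []
    spec = pod.get("spec", {})
    host_network = bool(spec.get("hostNetwork", False))
    dns_policy = spec.get("dnsPolicy", KUBE_DEFAULT_DNS_POLICY)

    if host_network:
        findings.append(("HOST_NETWORK",
                         "hostNetwork=true: pod sees host interfaces and host net.* sysctls"))
        if dns_policy != CLUSTER_FIRST_WITH_HOST_NET:
            findings.append(("DNS_POLICY",
                             f"hostNetwork=true with dnsPolicy={dns_policy}: lookups use the "
                             "node's resolver, so cluster service names will not resolve; "
                             f"set dnsPolicy: {CLUSTER_FIRST_WITH_HOST_NET}"))
    return findings


def is_cluster_dns_failure(log_line: str) -> bool:
    """True when a JSON log line records a 'no such host' lookup failure at error level."""
    try:
        entry = json.loads(log_line)
    except ValueError:
        return False
    if not isinstance(entry, dict) or entry.get("level") != "error":
        return False
    err = entry.get("error", "")
    return "lookup " in err and "no such host" in err


# Constructed sample line, modelled on the upload failure quoted in the PR description.
SAMPLE_ERROR_LINE = json.dumps({
    "level": "error", "ts": "2024-03-15T18:45:57Z", "logger": "cmd",
    "msg": "Failed to upload results to server",
    "error": 'Post "https://example-rs:8443/": dial tcp: lookup example-rs on 10.0.0.2:53: no such host',
})

if __name__ == "__main__":
    broken = scanner_pod("list-sysctls", "openshift-compliance",
                         dns_policy=KUBE_DEFAULT_DNS_POLICY)
    fixed = scanner_pod("list-sysctls", "openshift-compliance")
    for code, msg in check_pod(broken):
        print(f"broken [{code}] {msg}")
    for code, msg in check_pod(fixed):
        print(f"fixed  [{code}] {msg}")
    print("sample log line is a cluster DNS failure:", is_cluster_dns_failure(SAMPLE_ERROR_LINE))
```

Running the block prints two findings for the manifest that keeps the default DNS policy and only the informational hostNetwork note for the corrected one; the same `check_pod` can be pointed at any pod dict loaded from a manifest before it is applied.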