Red Hat Product Errata RHBA-2021:2652 - Bug Fix Advisory
Issued:
2021-07-07
Updated:
2021-07-07

RHBA-2021:2652 - Bug Fix Advisory

Synopsis

Compliance Operator version 0.1.35 for OpenShift Container Platform 4.6-4.8

Type/Severity

Bug Fix Advisory

Topic

An updated Compliance Operator image is now available for OpenShift
Container Platform 4.6-4.8.

Version 0.1.35:

  • Rebase to upstream release v0.1.35
  • Allow api-resource-collector to read PrometheusRules
  • Allow api-resource-collector to read oauthclients
  • Add CHANGELOG.md and make release update target
  • Add permission to get fileintegrity objects
  • Update go.uber.org/zap dependency
  • Add permission to api-resource-collector to read MCs
  • Convert XML from CaC content to markdown in the k8s objects
  • Allow the api-resource collector to read ComplianceSuite objects
  • Die xmldom! Die!
  • Set the operators.openshift.io/infrastructure-features:proxy-aware annotation
  • Make use of the HTTPS_PROXY environment variable
  • Switch to using go 1.16
  • Remove unused const definitions
  • Update dependencies
  • RBAC: Allow api-resource-collector to list FIO objects
  • Collect all ocp-api-endpoint elements
  • RBAC: Add permissions to update oauths config

Description

The Compliance Operator v0.1.35 image update is now available for OpenShift
Container Platform 4.6-4.8.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64

Fixes

  • BZ - 1919311 - Compliance operator pod fails with: Couldn't ensure directory","error":"mkdir /reports/0: permission denied"
  • BZ - 1919367 - Compliance operator returns NON-COMPLIANT when no remediation found for profile ocp4-cis-node
  • BZ - 1920577 - Provide better visibility into 'SKIP' scan result status as well as into OpenSCAP 'not applicable'
  • BZ - 1936413 - The instructions are missing for some rules those report status ‘MANUAL’
  • BZ - 1937472 - ocp4-cis scan reports FAIL for audit logforward check
  • BZ - 1940483 - Instructions for some rules in Compliance Operator
  • BZ - 1942208 - one of the rules [xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands] taking too long... Such scans via Compliance Operator were taking around 2 hours, even.
  • BZ - 1949377 - No clear instructions for rule ocp4-cis-node-master-kubelet-configure-tls-cipher-suites and ocp4-cis-node-worker-kubelet-configure-tls-cipher-suites
  • BZ - 1953331 - The compliance operator brew Bundle image does not available for OCP4.8
  • BZ - 1954572 - The proxy-kubeconfig related cis rules show incorrect description, rationale and instructions

CVEs

(none)

References

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.