Red Hat Product Errata RHBA-2021:4530 - Bug Fix Advisory
Issued:
2021-11-10
Updated:
2021-11-10

RHBA-2021:4530 - Bug Fix Advisory

Synopsis

OpenShift Compliance Operator bug fix and enhancement update

Type/Severity

Bug Fix Advisory

Topic

An updated OpenShift Compliance Operator image that fixes various bugs and
adds enhancements is now available for the Red Hat OpenShift Enterprise 4
catalog.

Description

The OpenShift Compliance Operator image update is available with the
following changes:

  • add error to the result object as comment (#721)
  • fix needs-review unpause pool
  • Validate that rules in tailored profile are of appropriate type
  • TailoredProfiles: Allocate rules map with expected number of items
  • Fix error message json representation in CRD
  • aggregator: Remove MachineConfig validation
  • Add description to TailoredProfile yaml
  • Specify fsgroup, user and non-root user usage in resultserver
  • Gather /version when doing Platform scans
  • Add flag to skip the metrics deployment
  • fetch openscap version during build time
  • Add instructions and check type to Rule object
  • add support for multi line remediation
  • Fix value-required handling.
  • Use ClusterRole/ClusterRoleBinding for monitoring permissions
  • Remove tailorprofile variable selection check
  • Disallow empty titles and descriptions for tailored profiles
  • Restart profileparser on failures
  • Make default scanTolerations more tolerant
  • Associate variable with compliance check result
  • Enable Creation of TailoredProfiles without extending existing ones
  • Don't shadow an import with a variable name
  • compliancescan: Fill the <target> element and the urn:xccdf:fact:identifier for node checks
  • Add support for remediation templating for operator

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64

Fixes

  • BZ - 1969620 - In RHOCP 4.7, compliance operator scan results in XCCDF format has target name missing only for profiles: ocp4-cis-node
  • BZ - 1983062 - The rule ocp4-moderate-oauth-or-oauthclient-inactivity-timeout gets FAIL when the OAuth server timeout parameter accessTokenInactivityTimeout is configured as “600s”
  • BZ - 1988259 - Rules missing from compliance operator after upgrade from 4.6.30 to 4.6.34
  • BZ - 1999374 - Metrics not available on GUI for Compliance Operator
  • BZ - 2003170 - Instruction in compliancecheckresults ocp4-cis-configure-network-policies-namespaces is wrong

CVEs

(none)

References

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.