
OCPBUGS-17828: Fix rule instruction #537

Merged

Conversation

Vincent056

This is to fix the rule instruction so that it can be displayed as a multiline string instead of pre-wrapped text, and the user is able to copy and run the oc command in the instruction without having to remove escapes. The issue was caused by a space before a newline, which made it unable to output the multiline YAML format.

@openshift-ci-robot
Collaborator

@Vincent056: This pull request references Jira Issue OCPBUGS-17828, which is invalid:

  • expected the bug to target the "4.17.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is to fix the rule instruction so that it can be displayed as a multiline string instead of pre-wrapped text, and the user is able to copy and run the oc command in the instruction without having to remove escapes. The issue was caused by a space before a newline, which made it unable to output the multiline YAML format.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@Vincent056
Author

To verify, make sure there is no output for:
[vincent@node compliance-operator]$ oc get rule -o yaml | grep "instructions: \""
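The root cause described in this PR (a space immediately before a newline forcing the YAML emitter into a double-quoted scalar with `\n` escapes) and the verification step above (grep for `instructions: "`) can both be reproduced offline. The following is an added example, not code from the compliance-operator project: `block_style_allowed` mirrors the scalar analysis that libyaml-derived emitters (go-yaml, PyYAML) perform before choosing a style, `sanitize_instructions` applies the class of fix the PR makes to the rule text, and `quoted_instruction_lines` is the same check as the grep above. The instruction text, the rule YAML excerpt, and the rule names `rule-still-quoted`/`rule-fixed` are constructed for this example; the optional `demo_with_pyyaml` function assumes PyYAML is installed.

```python
"""Why a space before a newline forces quoted YAML output.

Added illustration, not code from compliance-operator. The decision
logic in block_style_allowed mirrors the scalar analysis that
libyaml-derived emitters (go-yaml, PyYAML) run before picking a style:
a space directly followed by a line break, a trailing space, or a
non-printable character disables the literal (`|`) and folded (`>`)
block styles, so the emitter falls back to a double-quoted scalar full
of `\n` escapes. All sample data below is constructed.
"""
import re

# Constructed sample: the third line ends in "' " (space before newline),
# which is exactly the defect the PR removes from the rule content.
BROKEN_INSTRUCTIONS = (
    "To debug the rule,\n"
    "check the variable value, e.g:\n"
    "$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' \n"
    "Then use following command to list the SCCs that would fail the test:"
)


def block_style_allowed(text: str) -> bool:
    """Return True if a libyaml-style emitter may emit `text` as a block scalar.

    Mirrors the three conditions in libyaml's analyze_scalar that clear
    block_allowed: trailing space, space followed by a line break, and
    "special" characters (simplified here to: anything outside printable
    ASCII other than the newline itself).
    """
    if text.endswith(" "):
        return False
    for prev, cur in zip(text, text[1:]):
        if prev == " " and cur == "\n":
            return False
    return all(ch == "\n" or "\x20" <= ch <= "\x7e" for ch in text)


def sanitize_instructions(text: str) -> str:
    """Strip trailing whitespace from every line so a block scalar is allowed."""
    return "\n".join(line.rstrip(" \t") for line in text.split("\n"))


QUOTED_INSTRUCTIONS = re.compile(r'^\s*instructions: "')


def quoted_instruction_lines(rule_yaml: str) -> list[int]:
    """1-based line numbers where `instructions:` was emitted double-quoted.

    Same check as `oc get rule -o yaml | grep 'instructions: \\"'` on the PR:
    after the fix the returned list should be empty.
    """
    return [
        i for i, line in enumerate(rule_yaml.splitlines(), 1)
        if QUOTED_INSTRUCTIONS.match(line)
    ]


# Constructed excerpt of `oc get rule -o yaml` output: one rule still
# emitted quoted (line 4), one already emitted as a `|-` block scalar.
SAMPLE_RULE_YAML = """\
items:
- apiVersion: compliance.openshift.io/v1alpha1
  kind: Rule
  instructions: "This rule checks the SCCs\\nand fails if ..."
  metadata:
    name: rule-still-quoted
- apiVersion: compliance.openshift.io/v1alpha1
  kind: Rule
  instructions: |-
    This rule checks the SCCs
    and fails if ...
  metadata:
    name: rule-fixed
"""


def demo_with_pyyaml() -> None:
    """Optional: let a real emitter (PyYAML) make the same style decision."""
    import yaml  # assumption: PyYAML is installed

    def literal_str(dumper, data):
        # Ask for literal style on multiline strings; the emitter will still
        # refuse it (and fall back to double quotes) when block style is not allowed.
        style = "|" if "\n" in data else None
        return dumper.represent_scalar("tag:yaml.org,2002:str", data, style=style)

    yaml.add_representer(str, literal_str)
    for label, text in (("broken", BROKEN_INSTRUCTIONS),
                        ("sanitized", sanitize_instructions(BROKEN_INSTRUCTIONS))):
        print(f"--- {label} ---")
        print(yaml.dump({"instructions": text}, width=120))


if __name__ == "__main__":
    print("broken allows block style:", block_style_allowed(BROKEN_INSTRUCTIONS))
    fixed = sanitize_instructions(BROKEN_INSTRUCTIONS)
    print("sanitized allows block style:", block_style_allowed(fixed))
    print("quoted instructions at lines:", quoted_instruction_lines(SAMPLE_RULE_YAML))
    try:
        demo_with_pyyaml()
    except ImportError:
        print("PyYAML not installed; skipping emitter demo")
```

Running the module prints `False` for the broken text and `True` once trailing whitespace is stripped; with PyYAML present, the `broken` dump comes out as `instructions: "...\n..."` and the `sanitized` dump as `instructions: |-`, which is the before/after difference shown in the review comment on this PR.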

Member

@yuumasato yuumasato left a comment


/lgtm

Before this patch:

$oc get rule.compliance.openshift.io/ocp4-api-server-encryption-provider-cipher -oyaml
instructions: "OpenShift supports encryption of data at rest of etcd datastore, but
  it is up to the\ncustomer to configure. The asecbc cipher is used. No other ciphers
  are supported. Keys\nare stored on the filesystem of the master and automatically
  rotated.\nRun the following command to review the Encrypted status condition for
  the OpenShift\nAPI server to verify that its resources were successfully encrypted:\n\n#
  encrypt the etcd datastore\n$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type==\"Encrypted\")]}{.status}{\"\\n\"}{.reason}{\"\\n\"}{.message}{\"\\n\"}{end}'\n\nThe
  output shows EncryptionCompleted upon successful encryption.\nIf the output shows
  EncryptionInProgress this means that encryption is still in\nprogress. Wait a few
  minutes and try again.\nTo display the encryption configured, run the following
  command:\n$ oc get --raw  | jq  \nIf the output does not list aescbc, the encryption
  is not configured correctly."
  
oc get rule ocp4-scc-limit-container-allowed-capabilities -oyaml
instructions: "This rule checks the SCCs with allowedCapabilities set to non-null\nand
  fails if there are more such SCCs than those allowed in the variable\nnamed ocp4-var-sccs-with-allowed-capabilities-regex.
  To debug the rule,\ncheck the variable value, e.g:\n$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex
  \ -ojsonpath='{.value}' \nThen use following command to list the SCCs that would                                                                             
  fail the test:\n$ oc get scc -o json | jq '[.items[] | select(.metadata.name | test(\"^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$\";
  \"\") | not) | select(.allowedCapabilities != null) | .metadata.name]'\nPlease replace
  the regular expression in the test command with the value read from the variable\nocp4-var-sccs-with-allowed-capabilities-regex.
  You can read the variable\nvalue with:\n$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex
  -ojsonpath='{.value}' -n openshift-compliance" 

And after the patch:

oc get rule.compliance.openshift.io/ocp4-api-server-encryption-provider-cipher -oyaml
instructions: |-
  OpenShift supports encryption of data at rest of etcd datastore, but it is up to the
  customer to configure. The asecbc cipher is used. No other ciphers are supported. Keys
  are stored on the filesystem of the master and automatically rotated.
  Run the following command to review the Encrypted status condition for the OpenShift
  API server to verify that its resources were successfully encrypted:

  # encrypt the etcd datastore
  $ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'

  The output shows EncryptionCompleted upon successful encryption.
  If the output shows EncryptionInProgress this means that encryption is still in
  progress. Wait a few minutes and try again.
  To display the encryption configured, run the following command:
  $ oc get --raw  | jq
  If the output does not list aescbc, the encryption is not configured correctly.
  Is it the case that <tt>aescbc</tt> is not configured as the encryption provider?

oc get rule ocp4-scc-limit-container-allowed-capabilities -oyaml 
instructions: |-
  This rule checks the SCCs with allowedCapabilities set to non-null
  and fails if there are more such SCCs than those allowed in the variable
  named ocp4-var-sccs-with-allowed-capabilities-regex. To debug the rule,
  check the variable value, e.g:
  $ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex  -ojsonpath='{.value}'
  Then use following command to list the SCCs that would fail the test:
  $ oc get scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
  Please replace the regular expression in the test command with the value read from the variable
  ocp4-var-sccs-with-allowed-capabilities-regex. You can read the variable
  value with:
  $ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance
  Is it the case that allowed capabilities listings in SCCs needs review?

@openshift-ci openshift-ci bot added the lgtm label Jun 21, 2024

openshift-ci bot commented Jun 21, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Vincent056, yuumasato

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@xiaojiey
Collaborator

/hold for test

@xiaojiey
Collaborator

Verification passed with #537 + ComplianceAsCode/content#12071:

## instructions
% oc get rule upstream-ocp4-scc-limit-container-allowed-capabilities -o=jsonpath={.instructions}
This rule checks the SCCs with allowedCapabilities set to non-null
and fails if there are more such SCCs than those allowed in the variable
named ocp4-var-sccs-with-allowed-capabilities-regex. To debug the rule,
check the variable value, e.g:
$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex  -ojsonpath='{.value}'
Then use following command to list the SCCs that would fail the test:
$ oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
Please replace the regular expression in the test command with the value read from the variable
ocp4-var-sccs-with-allowed-capabilities-regex. You can read the variable
value with:
$ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance
Is it the case that allowed capabilities listings in SCCs needs review?%    

### default output for commands in the instruction
% oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
[]
% oc get variable ocp4-var-sccs-with-allowed-capabilities-regex -ojsonpath='{.value}' -n openshift-compliance
^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$%  
### output with a custom SCC:
% cat scc_test.yaml
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- NET_BIND_SERVICE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: test-scc scc is used for test purpose
  name: test-scc
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- '*'
% oc apply -f scc_test.yaml
securitycontextconstraints.security.openshift.io/test-scc created
% oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
[
  "test-scc"
]

@xiaojiey
Collaborator

/unhold
/label-qe-approved

@xiaojiey
Collaborator

/unhold

@xiaojiey
Collaborator

xiaojiey commented Jun 25, 2024

/label qe-approved

@yuumasato
Member

/jira refresh

@openshift-ci-robot
Collaborator

@yuumasato: This pull request references Jira Issue OCPBUGS-17828, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.0) matches configured target version for branch (4.17.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xiaojiey

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from xiaojiey June 25, 2024 14:20
@yuumasato
Member

This was approved by QE already.

/label qe-approved

@openshift-ci-robot
Collaborator

@Vincent056: This pull request references Jira Issue OCPBUGS-17828, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.0) matches configured target version for branch (4.17.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xiaojiey

In response to this:

This is to fix the rule instruction so that it can be displayed as a multiline string instead of pre-wrapped text, and the user is able to copy and run the oc command in the instruction without having to remove escapes. The issue was caused by a space before a newline, which made it unable to output the multiline YAML format.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot bot merged commit 939659c into ComplianceAsCode:master Jun 25, 2024
14 checks passed
@openshift-ci-robot
Collaborator

@Vincent056: Jira Issue OCPBUGS-17828: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-17828 has been moved to the MODIFIED state.

In response to this:

This is to fix the rule instruction so that it can be displayed as a multiline string instead of pre-wrapped text, and the user is able to copy and run the oc command in the instruction without having to remove escapes. The issue was caused by a space before a newline, which made it unable to output the multiline YAML format.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
