Add Kubernetes remediation for rule configure_crypto_policy

[Vincent056]

Added Kubernets auto remediation for rule configure_crypto_policy

Related BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2062530

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[jhrozek]

Hi @Vincent056 it seems like the e2e tests are catching some issue here:

     helpers.go:808: Result - Name: e2e-e8-worker-configure-crypto-policy - Status: FAIL - Severity: high
    helpers.go:815: E2E-FAILURE: The expected result for the configure_crypto_policy rule didn't match. Expected 'PASS', Got 'FAIL' 

[Vincent056]

/retest

[Vincent056]

Remove e2e test, rhcos4-moderate profile has different default variable for var_system_crypto_policy than rhcos4-e8, this makes the first scan fail on rhcos4-e8 but not on rhcos4-moderate.

[codeclimate]

Code Climate has analyzed commit e98fb03 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).

View more on Code Climate.

[Vincent056]

/retest

[openshift-ci]

@Vincent056: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-rhcos4-high	e98fb03	link	true	/test e2e-aws-rhcos4-high
ci/prow/e2e-aws-rhcos4-moderate	e98fb03	link	true	/test e2e-aws-rhcos4-moderate

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jhrozek]

So now the tests related to your rule are all passing, but here is this failure:

  helpers.go:812: Excluded Rule from counting - Name: e2e-high-master-configure-usbguard-auditbackend
    helpers.go:815: E2E-FAILURE: The expected result for the configure_usbguard_auditbackend rule didn't match. Expected 'PASS', Got 'NOT-APPLICABLE'

Because other rhcos4 rules are passing, I wonder if we have an issue with installing usbguard?
Does the rule pass manually for you?

[Vincent056]

So now the tests related to your rule are all passing, but here is this failure:

  helpers.go:812: Excluded Rule from counting - Name: e2e-high-master-configure-usbguard-auditbackend
    helpers.go:815: E2E-FAILURE: The expected result for the configure_usbguard_auditbackend rule didn't match. Expected 'PASS', Got 'NOT-APPLICABLE'

Because other rhcos4 rules are passing, I wonder if we have an issue with installing usbguard? Does the rule pass manually for you?

Yes, this rule passes manually for me

[xiaojiey]

/bugzilla cc-qa

[xiaojiey]

/bugzilla cc-qa

[xiaojiey]

/label qe-approved

[openshift-ci]

@xiaojiey: The label(s) qe-approved cannot be applied, because the repository doesn't have them.

In response to this:

/label qe-approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[xiaojiey]

test cases details could be seen from: https://url.corp.redhat.com/8162b96
@Vincent056 Could you please help to review? Thanks.

[Vincent056]

test cases details could be seen from: https://url.corp.redhat.com/8162b96 @Vincent056 Could you please help to review? Thanks.

Thanks for adding the test case, it looks good to me

[jhrozek]

thank you, tested manually. As I said in the other PR, let's add a card and disable the offending test for now