-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LOG-4604: Add infrastructure annotations #2285
Conversation
@jcantrill: This pull request references LOG-4604 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target either version "4.8." or "openshift-4.8.", but it targets "Logging 5.8.z" instead. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/hold |
/cherrypick release-5.8 |
@jcantrill: once the present PR merges, I will cherry-pick it on top of release-5.8 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jcantrill The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
features.operators.openshift.io/cni: "false" | ||
features.operators.openshift.io/csi: "false" | ||
features.operators.openshift.io/disconnected: "true" | ||
features.operators.openshift.io/fips-compliant: "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we can claim fips-compliant=true without fips scan.
According the latest scan result. we have to fix the issue below
logging-view-plugin-container 5.5 to 5.7 | /opt/app-root/plugin-backend | go binary is not CGO_ENABLED
logging-view-plugin-container 5.8 | /opt/app-root/plugin-backend | go binary has no build tags set (should have strictfipsruntime)
log-file-metric-exporter-container | /usr/local/bin/log-file-metric-exporter | go binary has no build tags set (should have strictfipsruntime)
cluster-logging-operator-container | /usr/bin/cluster-logging-operator | go binary has no build tags set (should have strictfipsruntime) |
AFAIK, there are tool to scan golang and java based image. No idea how to scan fluentd? No idea how to scan vector?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@anpingli I would like to emphasize our criteria for true/false is based upon the provided definition of the annotation:
Whether the opperator accepts the [FIPS-140](https://issues.redhat.com/browse/FIPS-140) configuration of the underlying platform and works on nodes that are booted into FIPS mode. In this mode, the operator and any workloads it manages (operands) are solely calling the RHEL cryptographic library submitted for [FIPS-140](https://issues.redhat.com/browse/FIPS-140) validation
If scanning is the only way to confirm ⬆️ then we need the scan, but I do not believe this is what it says
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My understanding is this text accurately represents "our" definition, and needs to be set to true in order for our operator to show in the filtered catalog list.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also think we need to set this to true and work on the scan in the background if we need to.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should use fips-compliant=false before the scan issue to be fixed. https://issues.redhat.com/browse/LOG-4886
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The QE/ART/Security team is planning to scan the operator according to fips-compliant. it may block the release if scan failed when fips-compliant=true
continue to hold pending larger conversation of what we can properly claim |
/hold cancel |
/lgtm |
@jcantrill: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@jcantrill: #2285 failed to apply on top of branch "release-5.8":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@jcantrill: #2285 failed to apply on top of branch "release-5.7":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@jcantrill: #2285 failed to apply on top of branch "release-5.6":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Description
This PR:
@cahartma is it correct that we can claim aws token support? We can use the tokens as provided by the CloudCredentialsOperator?
@syedriko is it correct we can claim FIPS compliance based upon the following definition?
Links