LOG-4604: Add infrastructure annotations #2285
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@jcantrill: This pull request references LOG-4604 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target either version "4.8." or "openshift-4.8.", but it targets "Logging 5.8.z" instead. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
/cherrypick release-5.8 |
|
@jcantrill: once the present PR merges, I will cherry-pick it on top of release-5.8 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jcantrill The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
| features.operators.openshift.io/cni: "false" | ||
| features.operators.openshift.io/csi: "false" | ||
| features.operators.openshift.io/disconnected: "true" | ||
| features.operators.openshift.io/fips-compliant: "true" |
There was a problem hiding this comment.
I don't think we can claim fips-compliant=true without fips scan.
According the latest scan result. we have to fix the issue below
logging-view-plugin-container 5.5 to 5.7 | /opt/app-root/plugin-backend | go binary is not CGO_ENABLED
logging-view-plugin-container 5.8 | /opt/app-root/plugin-backend | go binary has no build tags set (should have strictfipsruntime)
log-file-metric-exporter-container | /usr/local/bin/log-file-metric-exporter | go binary has no build tags set (should have strictfipsruntime)
cluster-logging-operator-container | /usr/bin/cluster-logging-operator | go binary has no build tags set (should have strictfipsruntime) |
AFAIK, there are tool to scan golang and java based image. No idea how to scan fluentd? No idea how to scan vector?
There was a problem hiding this comment.
@anpingli I would like to emphasize our criteria for true/false is based upon the provided definition of the annotation:
Whether the opperator accepts the [FIPS-140](https://issues.redhat.com/browse/FIPS-140) configuration of the underlying platform and works on nodes that are booted into FIPS mode. In this mode, the operator and any workloads it manages (operands) are solely calling the RHEL cryptographic library submitted for [FIPS-140](https://issues.redhat.com/browse/FIPS-140) validation
If scanning is the only way to confirm ⬆️ then we need the scan, but I do not believe this is what it says
There was a problem hiding this comment.
My understanding is this text accurately represents "our" definition, and needs to be set to true in order for our operator to show in the filtered catalog list.
There was a problem hiding this comment.
I also think we need to set this to true and work on the scan in the background if we need to.
There was a problem hiding this comment.
I think we should use fips-compliant=false before the scan issue to be fixed. https://issues.redhat.com/browse/LOG-4886
There was a problem hiding this comment.
The QE/ART/Security team is planning to scan the operator according to fips-compliant. it may block the release if scan failed when fips-compliant=true
|
continue to hold pending larger conversation of what we can properly claim |
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/lgtm |
|
@jcantrill: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@jcantrill: #2285 failed to apply on top of branch "release-5.8": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@jcantrill: #2285 failed to apply on top of branch "release-5.7": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@jcantrill: #2285 failed to apply on top of branch "release-5.6": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Description
This PR:
@cahartma is it correct that we can claim aws token support? We can use the tokens as provided by the CloudCredentialsOperator?
@syedriko is it correct we can claim FIPS compliance based upon the following definition?
Links