CMP-2859: Resolve failing Image-stream-sets-schedule

[KaushikOP]

Description:

• Resolve failing Image-stream-sets-schedule. Changes to samples operator which were not accounted for, and ClusterVersion managed imagestreams should be excluded.

Rationale:

• fixes failing rule

• Fixes #CMP-2859

Review Hints:

• Part of DISA-STIG profile for OCP

[openshift-ci]

Hi @KaushikOP. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[prb112]

/jira-refresh

[prb112]

1. Gather all ImageStreams - .items[]
2. Select only those not managed by ClusterVersion - select( .metadata.ownerReferences? // [] | all(.kind != "ClusterVersion"))

• ClusterVersion implies on upgrade that these ImageStream entries are upgraded

3. From those that remain, check if it's managed by the Samples Operator, if so ignore those - select(.metadata.labels[]? | select("samples.operator.openshift.io/managed: true") | not)
4. Check the Remaining ones are not tags - select(.spec.tags[]?.from.kind != "ImageStreamTag" and (partial query here)

• e.g. ImageStreamTag latest points to v1.2.3

5. The ones that remain from that check to see if scheduled is false or not set - (.importPolicy.scheduled != null or .importPolicy.scheduled != false))] | any' %}}

If any fail the last condition it returns false for the query.

[yuumasato]

Thanks a bunch for the breakdown and explanation of the jq filter.

[prb112]

/retest-required

[openshift-ci]

@prb112: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest-required

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[prb112]

/jira-refresh

[yuumasato]

/ok-to-test

[yuumasato]

/LGTM

But could you also update the expected results so that our CI doesn't flag this change?

Change the following lines from FAIL to PASS.

$ grep -rA2 "imagestream-sets-schedule" tests/assertions/ocp4/
tests/assertions/ocp4/ocp4-stig-4.12.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.12.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.12.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.13.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.13.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.13.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.14.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.14.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.14.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.15.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.15.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.15.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.16.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.16.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.16.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.17.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.17.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.17.yml-    result_after_remediation: FAIL
--
tests/assertions/ocp4/ocp4-stig-4.18.yml:  e2e-stig-imagestream-sets-schedule:
tests/assertions/ocp4/ocp4-stig-4.18.yml-    default_result: FAIL
tests/assertions/ocp4/ocp4-stig-4.18.yml-    result_after_remediation: FAIL

$ cat ./applications/openshift/registry/imagestream_sets_schedule/tests/ocp4/e2e.yml 
---
default_result: FAIL

[prb112]

Thanks @yuumasato I'll leave a message with Kaushik letting him know

[yuumasato]

@KaushikOP tests/assertions/ocp4/ocp4-stig-4.18.yml was left out of the assertion update.

Please update it as well.

[yuumasato]

/test 4.17-e2e-aws-ocp4-stig
/test 4.18-e2e-aws-ocp4-stig

[prb112]

/retest-required

[KaushikOP]

Hi @yuumasato

I have made the changes. Please re-review.

[rhmdnd]

/retest-required

[yuumasato]

/test 4.12-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig

[prb112]

Grabbed the imagestreams from the must-gather. https://gist.github.com/prb112/06768521d08ecf0eba49476252580e8e

Will ask @KaushikOP to test the jq locally to see why it failed.

[prb112]

Analyzed the gist / imagestreams - it should have passed. Perhaps a retest?

[prb112]

/retest-required

[prb112]

/retest-required

[prb112]

/retest-required

[KaushikOP]

/retest-required

[KaushikOP]

/retest-required

[xiaojiey]

@prb112 @KaushikOP I am not sure below imagestream is a good example or not. I created a imagestream without ownerReferences set, and set the importPolicy.scheduled to null. Under this scenario, the rule should FAIL, right?
However, I can see the rule show as PASS. Could you please help to check? Thanks.
I also tried to create a similar imagestream with importPolicy.scheduled set to true. Both filters in the instructions will still return empty.

% oc get imagestream nginx -o yaml -n openshift-compliance
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"image.openshift.io/v1","kind":"ImageStream","metadata":{"annotations":{},"name":"nginx","namespace":"openshift-compliance"},"spec":{"tags":[{"from":{"kind":"DockerImage","name":"quay.io/security-profiles-operator/test-nginx-unprivileged:1.21"},"importPolicy":{"scheduled":false},"name":"latest"}]}}
    openshift.io/image.dockerRepositoryCheck: "2025-04-07T07:16:44Z"
  creationTimestamp: "2025-04-07T07:16:41Z"
  generation: 2
  name: nginx
  namespace: openshift-compliance
  resourceVersion: "108869"
  uid: 8364f1d4-475d-40a4-9f16-60dd13978282
spec:
  lookupPolicy:
    local: false
  tags:
  - annotations: null
    from:
      kind: DockerImage
      name: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
    generation: 2
    importPolicy:
      importMode: Legacy
    name: latest
    referencePolicy:
      type: Source
status:
  dockerImageRepository: image-registry.openshift-image-registry.svc:5000/openshift-compliance/nginx
  tags:
  - items:
    - created: "2025-04-07T07:16:44Z"
      dockerImageReference: quay.io/security-profiles-operator/test-nginx-unprivileged@sha256:362f8cfc2fed11a2037f29bfcf91c9d9ab5e3b8b46aabb846d8f1f7d81a939d2
      generation: 2
      image: sha256:362f8cfc2fed11a2037f29bfcf91c9d9ab5e3b8b46aabb846d8f1f7d81a939d2
    tag: latest

% oc get rule upstream-ocp4-imagestream-sets-schedule -o=jsonpath={.instructions}
To list all the imagestreams and identify which imagestream tags are
configured to periodically check for updates (imagePolicy = { scheduled: true }), run the following command:
oc get imagestream -A -ojson | jq -r '.items[] | select( .metadata.ownerReferences? // [] | all(.kind == "ClusterVersion")) | select(.metadata.labels[]? | select( "samples.operator.openshift.io/managed: true")) | select( .spec.tags[]?.from.kind != "ImageStreamTag" and .importPolicy.scheduled == true).metadata.name' | sort | uniq
Alternatively, to view a list of ImageStreams that do not schedule updates,
run:
oc get imagestream -A -ojson | jq -r '.items[] | select( .metadata.ownerReferences? // [] | all(.kind != "ClusterVersion")) | select(.metadata.labels[]? | select( "samples.operator.openshift.io/managed: true") | not) | select( .spec.tags[]?.from.kind != "ImageStreamTag" and (.importPolicy.scheduled == null or .importPolicy.scheduled == false)) | "\(.metadata.namespace),\(.metadata.name)"' | sort | uniq
Is it the case that imagestream is not configured to perform periodical updates?%

% oc get imagestream -A -ojson | jq -r '.items[] | select( .metadata.ownerReferences? // [] | all(.kind == "ClusterVersion")) | select(.metadata.labels[]? | select( "samples.operator.openshift.io/managed: true")) | select( .spec.tags[]?.from.kind != "ImageStreamTag" and .importPolicy.scheduled == true).metadata.name' | sort | uniq

% oc get imagestream -A -ojson | jq -r '.items[] | select( .metadata.ownerReferences? // [] | all(.kind != "ClusterVersion")) | select(.metadata.labels[]? | select( "samples.operator.openshift.io/managed: true") | not) | select( .spec.tags[]?.from.kind != "ImageStreamTag" and (.importPolicy.scheduled == null or .importPolicy.scheduled == false)) | "\(.metadata.namespace),\(.metadata.name)"' | sort | uniq
% oc get ccr | grep -i imagestream-sets-schedule
ocp4-stig-imagestream-sets-schedule                             FAIL     medium
upstream-ocp4-stig-imagestream-sets-schedule                    PASS     medium

[xiaojiey]

/hold for test

[prb112]

Discussed xiaojiey's comments
refactoring dropped this edge case, we're fixing it.
Thanks :)

[KaushikOP]

Hi @xiaojiey,

We have refactored the rule to include cases that mentioned your review.

CC: @prb112

[KaushikOP]

Explanation:

1. Get all ImageStreams: .items[]
2. Target user-defined streams only: .spec.tags[]?.from.kind != "ImageStreamTag"
3. Check for non-scheduled tags: (.importPolicy.scheduled == null or .importPolicy.scheduled == false)] | any).
4. Ignore Sample Operator-managed streams: ((.metadata.labels == null) or (.metadata.labels."samples.operator.openshift.io/managed" == null) or (.metadata.labels."samples.operator.openshift.io/managed" != "true")).
5. Exclude system-managed ImageStreams: ((.metadata.ownerReferences == null) or (.metadata.ownerReferences | length == 0) or (.metadata.ownerReferences?[].kind == null) or (isempty(.metadata.ownerReferences?[] | select(.kind == "ClusterVersion")).
6. Summary: This detects user-managed, unmanaged, external ImageStreams that are not auto-updating.
7. Final condition: | any returns true if any such non-compliant ImageStream exists.

[xiaojiey]

Verification pass.
##scenario 1: there is a imagestream with schedule unset, the rule returns FAIL:
% oc get imagestream -A -ojson | jq -r '.items[] | select(( (.spec.tags[]?.from.kind != "ImageStreamTag") and ([.spec.tags[]? | (.importPolicy.scheduled == null or .importPolicy.scheduled == false)] | any) and ((.metadata.labels == null) or (.metadata.labels["samples.operator.openshift.io/managed"] == null) or (.metadata.labels["samples.operator.openshift.io/managed"] != "true")) and ((.metadata.ownerReferences == null) or (.metadata.ownerReferences | length == 0) or (.metadata.ownerReferences[]?.kind == null) or (isempty(.metadata.ownerReferences[]? | select(.kind == "ClusterVersion")))) )) | "(.metadata.namespace),(.metadata.name)"' | sort | uniq
openshift-compliance,nginx
% oc get ccr | grep imagestream-sets-schedule
upstream-ocp4-stig-imagestream-sets-schedule FAIL medium
##Scenario 2: there is no imagestream with schedule unset, the rule returns PASS:
% oc get imagestream -A -ojson | jq -r '.items[] | select(( (.spec.tags[]?.from.kind != "ImageStreamTag") and ([.spec.tags[]? | (.importPolicy.scheduled == null or .importPolicy.scheduled == false)] | any) and ((.metadata.labels == null) or (.metadata.labels["samples.operator.openshift.io/managed"] == null) or (.metadata.labels["samples.operator.openshift.io/managed"] != "true")) and ((.metadata.ownerReferences == null) or (.metadata.ownerReferences | length == 0) or (.metadata.ownerReferences[]?.kind == null) or (isempty(.metadata.ownerReferences[]? | select(.kind == "ClusterVersion")))) )) | "(.metadata.namespace),(.metadata.name)"' | sort | uniq
% oc get ccr | grep imagestream-sets-schedule
upstream-ocp4-stig-imagestream-sets-schedule PASS medium

[xiaojiey]

/unhold

[xiaojiey]

/lgtm

[yuumasato]

@KaushikOP Hi, looks good to me.

Sorry for delay in picking this up.
Since this was pushed there a new CI checks that need to pass.
Could you rebase this?
Thanks

[KaushikOP]

Hi @yuumasato,

I have rebased this with upstream/master.

[yuumasato]

@KaushikOP Sorry for delay, I got sick.

There should be no merge commits in the PR:
https://github.com/ComplianceAsCode/content/actions/runs/15256465663/job/43296097548?pr=12895

[KaushikOP]

/test all

[codeclimate]

Code Climate has analyzed commit 7b81ca2 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.