It's possible to create TailoredProfiles that violate type mutual exclusion #65
Comments
It seems that it is only the tp validation issue. When you execute a scan with the tp, the disabled rules will not be enabled:
If we implement strict validation on Tailored Profiles, we could break users in an incompatible way. In the example where a user extends a Platform profile and excludes a Node rule, the profile is created, giving the impression that it works because it doesn't contain the disabled rule because it wasn't actually included in the original scan anyway.
I'd argue the user experience would be better if we informed the user that they have a mismatch between the profile they're using and what they think they're excluding. But, doing that now could be considered a backwards incompatible change.
Tailored Profiles allow users to include or exclude rules and build their own custom profiles (to some extent). It's also possible to create a Tailored Profile without extending any existing profiles, allowing users to curate profiles from scratch.
Currently, profiles are separated by scan type, where they can be either Platform or Node scans. Platform scans include checking things like Kubernetes configuration. Node scan rules are responsible for things like checking file permissions of a file on the actual infrastructure, or nodes.
Tailored Profiles, just like regular profiles, must contain rules of the same type, and the compliance-operator validates this to some extent.
But, it's also possible to do the following:
In this example, I can create a tailored profile that extends a Platform profile, and have it include a Node rule, which should be excluded from all Platform profiles.
This can also lead to confusion if I create a tailored profile, similar to the following:
In the case above, I get an error but it tells me the violation in question (ocp4-kubeadmin-removed) mismatches the Node scan type. This is because the first rule in the list is actually a Node rule, not a Platform rule. When I first experienced this, I was confused because I assumed (incorrectly) that the `extends` attribute of the Tailored Profile implied all rules should be of the same scan type.
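As an added example (not code from the compliance-operator project), here is the strict validation the comments above argue for, written against a simplified model of the objects in the issue: every enabled and disabled rule must match the scan type of the profile named in `extends`, and for a from-scratch profile the first rule fixes the type. The rule and profile catalogs are constructed sample data; only `ocp4-kubeadmin-removed` comes from the issue.

```go
package main

import "fmt"

// Scan type a rule or profile targets, as described in the issue.
type CheckType string

// Constructed sample catalogs: rule name -> type and profile name -> type.
// Only ocp4-kubeadmin-removed comes from the issue; the rest are hypothetical.
var ruleTypes = map[string]CheckType{
	"ocp4-kubeadmin-removed": "Platform",
	"ocp4-etcd-file-perms":   "Node",
}
var profileTypes = map[string]CheckType{
	"ocp4-platform-profile": "Platform",
	"ocp4-node-profile":     "Node",
}

// Simplified stand-in for the spec fields discussed above (extends plus the
// enable/disable rule lists); not the operator's own CRD type.
type TailoredProfile struct {
	Name, Extends             string // Extends is empty for from-scratch profiles
	EnableRules, DisableRules []string
}

// ValidateRuleTypes is the strict check argued for above: every enabled and
// disabled rule must match the extended profile's type (without `extends`, the
// first rule fixes the type). Returns one message per mismatch or unknown name.
func ValidateRuleTypes(tp TailoredProfile) []string {
	var problems []string
	want, known := profileTypes[tp.Extends]
	if tp.Extends != "" && !known {
		return []string{fmt.Sprintf("extends unknown profile %q", tp.Extends)}
	}
	check := func(list []string, kind string) {
		for _, r := range list {
			got, ok := ruleTypes[r]
			switch {
			case !ok:
				problems = append(problems, fmt.Sprintf("%s rule %q not found", kind, r))
			case want == "": // from-scratch profile: first rule sets the type
				want = got
			case got != want:
				problems = append(problems, fmt.Sprintf("%s rule %q is a %s rule but profile %q is %s", kind, r, got, tp.Name, want))
			}
		}
	}
	check(tp.EnableRules, "enabled")
	check(tp.DisableRules, "disabled")
	return problems
}
```

With this check, disabling a Node rule in a profile that extends a Platform profile is reported instead of silently accepted, and a from-scratch profile mixing a Node rule and a Platform rule is reported against the rule that disagrees with the first one.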