fix noschedule rules for hcp#13699

Open
sluetze wants to merge 1 commit into ComplianceAsCode:master from sluetze:hcp-no-taint-fix
Conversation

@sluetze
Contributor

@sluetze sluetze commented Jul 14, 2025

Description:

This PR rewrites the master_taint_noschedule test in a way that is compatible with Hypershift.

Rationale:

When running the bsi-profile on a hosted cluster in hypershift, the api-checks failed:

FATAL:Error fetching resources: couldn't filter '{"kind":"NodeList","apiVersion":"v1","metadata":{"resourceVersion":"34917081"},"items":[{"metadata":{"name":"stormshift-ocp3-nodepool1-wvz52-9p4gq","uid":"c3d27502-3df5-4eae-b4d4-7fa92013514e","resourceVersion":"34917071","creationTimestamp":"2025-05-20T16:11:45Z","labels":{"beta.kubernetes.io/arch":"amd64","beta.kubernetes.io/os":"linux","hypershift.openshift.io/managed":"true","hypershift.openshift.io/nodePool":"stormshift-ocp3-nodepool1","kubernetes.io/arch":"amd64","kubernetes.io/hostname":"stormshift-ocp3-nodepool1-wvz52-9p4gq","kubernetes.io/os":"linux","node-role.kubernetes.io/worker":"","node.openshift.io/os_id":"rhcos"},"annotations":{"alpha.kubernetes.io/provided-node-ip":"10.129.20.68","cluster.x-k8s.io/cluster-name":"ocp3","cluster.x-k8s.io/cluster-namespace":"clusters-stormshift-ocp3","cluster.x-k8s.io/labels-from-machine":"","cluster.x-k8s.io/machine":"stormshift-ocp3-nodepool1-wvz52-9p4gq","cluster.x-k8s.io/owner-kind":"MachineSet","cluster.x-...

thus the whole profile wasn't finishing. By rewriting the check, it executes now on hypershift and on regular clusters.

Review Hints:

[sluetzen@wirt CaC-content]$ oc get ccr | grep taint
ocp4-bsi-master-taint-noschedule                                                                    PASS     medium
[sluetzen@wirt CaC-content]$ oc patch  schedulers.config.openshift.io cluster --type merge --patch '{"spec": {"mastersSchedulable": true}}'
scheduler.config.openshift.io/cluster patched
[sluetzen@wirt CaC-content]$ oc get --raw /api/v1/nodes | jq '[ .items[] | select(.spec.taints[]?.key == "node-role.kubernetes.io/master" and .spec.taints[]?.effect == "NoSchedule") | .metadata.name ]
> '
[]
[sluetzen@wirt CaC-content]$ oc compliance rerun-now compliancesuite/bsi-ocp
Rerunning scans from 'bsi-ocp': ocp4-bsi
Re-running scan 'openshift-compliance/ocp4-bsi'
[sluetzen@wirt CaC-content]$ oc get ccr | grep taint
ocp4-bsi-master-taint-noschedule                                                                    FAIL     medium
[sluetzen@wirt CaC-content]$ oc patch  schedulers.config.openshift.io cluster --type merge --patch '{"spec": {"mastersSchedulable": false}}'
scheduler.config.openshift.io/cluster patched
[sluetzen@wirt CaC-content]$ oc compliance rerun-now compliancesuite/bsi-ocp
Rerunning scans from 'bsi-ocp': ocp4-bsi
Re-running scan 'openshift-compliance/ocp4-bsi'
[sluetzen@wirt CaC-content]$ oc get ccr | grep taint
ocp4-bsi-master-taint-noschedule                                                                    PASS     medium

hcp

bash-5.1 ~ $ oc get ccr | grep taint
upstream-ocp4-bsi-master-taint-noschedule                                       FAIL     medium
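
The review hints above exercise the check by toggling `mastersSchedulable` and re-running the scan. The following is an added example, not code from this PR or from the ComplianceAsCode project, that evaluates the same condition ("every control-plane node carries a `node-role.kubernetes.io/master` taint with effect `NoSchedule`") over a NodeList document of the shape returned by `oc get --raw /api/v1/nodes`. Two points it makes that the shell session does not: the key and the effect are compared on the same taint entry, whereas a jq expression that iterates `.spec.taints[]?` twice combines every key with every effect (`naive_cross_product_match` mirrors that jq behaviour); and a NodeList with no control-plane nodes, which is what the hosted cluster's API returns on HyperShift, yields NOT_APPLICABLE instead of PASS or FAIL. The NodeLists, node names and the `example.com/maintenance` taint are constructed sample data; the role labels and taint keys are the standard Kubernetes/OpenShift ones.

```python
import json

# Role labels and taint keys used for control-plane nodes (both spellings
# occur across OpenShift versions).
CONTROL_PLANE_KEYS = (
    "node-role.kubernetes.io/master",
    "node-role.kubernetes.io/control-plane",
)


def is_control_plane_node(node):
    """A node counts as control-plane if it carries one of the role labels."""
    labels = node.get("metadata", {}).get("labels") or {}
    return any(key in labels for key in CONTROL_PLANE_KEYS)


def has_master_noschedule_taint(node):
    """Key and effect are checked on the *same* taint entry."""
    taints = node.get("spec", {}).get("taints") or []
    return any(
        t.get("key") in CONTROL_PLANE_KEYS and t.get("effect") == "NoSchedule"
        for t in taints
    )


def naive_cross_product_match(node):
    """Mirrors `.spec.taints[]?.key == K and .spec.taints[]?.effect == E` in jq:
    `and` over two generators yields the cartesian product, so the key of one
    taint can be paired with the effect of another taint."""
    taints = node.get("spec", {}).get("taints") or []
    return any(
        a.get("key") in CONTROL_PLANE_KEYS and b.get("effect") == "NoSchedule"
        for a in taints
        for b in taints
    )


def evaluate_master_taint_noschedule(nodelist):
    """Return (state, names of control-plane nodes lacking the taint).
    NOT_APPLICABLE when the NodeList holds no control-plane nodes at all,
    which is the situation on a HyperShift hosted cluster (assumption based
    on the worker-only node shown in the PR's error output)."""
    control_plane = [n for n in nodelist.get("items", []) if is_control_plane_node(n)]
    if not control_plane:
        return "NOT_APPLICABLE", []
    offending = [
        n["metadata"]["name"] for n in control_plane
        if not has_master_noschedule_taint(n)
    ]
    return ("PASS" if not offending else "FAIL"), offending


def evaluate_json(text):
    """Entry point for raw API output, e.g. the body of `oc get --raw /api/v1/nodes`."""
    return evaluate_master_taint_noschedule(json.loads(text))


def node(name, roles, taints=None, extra_labels=None):
    """Build a minimal Node object (constructed sample data, not real cluster output)."""
    labels = {f"node-role.kubernetes.io/{r}": "" for r in roles}
    labels.update(extra_labels or {})
    return {"metadata": {"name": name, "labels": labels},
            "spec": {"taints": taints or []}}


MASTER_TAINT = {"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}

# Standalone cluster with mastersSchedulable: false -> masters keep the taint.
STANDALONE_OK = {"kind": "NodeList", "items": [
    node("master-0", ["master", "control-plane"], [MASTER_TAINT]),
    node("worker-0", ["worker"]),
]}
# Standalone cluster after mastersSchedulable: true -> taint removed.
STANDALONE_SCHEDULABLE = {"kind": "NodeList", "items": [
    node("master-0", ["master", "control-plane"], []),
    node("worker-0", ["worker"]),
]}
# Hosted (HyperShift) cluster: only worker nodes are visible in the hosted API.
HOSTED = {"kind": "NodeList", "items": [
    node("nodepool1-abcde", ["worker"],
         extra_labels={"hypershift.openshift.io/managed": "true"}),
]}
# Edge case: the master key and the NoSchedule effect sit on different taints.
SPLIT_TAINTS = node("master-1", ["master"], [
    {"key": "node-role.kubernetes.io/master", "effect": "NoExecute"},
    {"key": "example.com/maintenance", "effect": "NoSchedule"},
])

if __name__ == "__main__":
    for label, nl in (("standalone", STANDALONE_OK),
                      ("schedulable", STANDALONE_SCHEDULABLE),
                      ("hosted", HOSTED)):
        print(label, evaluate_master_taint_noschedule(nl))
    print("split taints, per-taint check:", has_master_noschedule_taint(SPLIT_TAINTS))
    print("split taints, cross-product check:", naive_cross_product_match(SPLIT_TAINTS))
```

Feeding the real API body into `evaluate_json` reproduces the PASS/FAIL flip shown in the review hints on a standalone cluster; on a hosted cluster the same call returns NOT_APPLICABLE, which is the outcome the later discussion on this PR expects from the rule.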

@openshift-ci

openshift-ci Bot commented Jul 14, 2025

Hi @sluetze. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jul 14, 2025
@sluetze sluetze force-pushed the hcp-no-taint-fix branch from 257a7a6 to f12bc08 Compare July 14, 2025 11:13
@sluetze sluetze changed the title fix rules for hcp fix noschedule rules for hcp Jul 14, 2025
@qlty-cloud-legacy

Code Climate has analyzed commit f12bc08 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.7% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny added the OpenShift OpenShift product related. label Jul 15, 2025
@github-actions

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@yuumasato
Member

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Jan 19, 2026
@yuumasato yuumasato self-assigned this Jan 19, 2026
@yuumasato
Member

@sluetze Shouldn't the rule on HCP return Not-Applicable?

@sluetze
Contributor Author

sluetze commented Mar 10, 2026

@sluetze Shouldn't the rule on HCP return Not-Applicable?

Yes, it should. I thought that
https://github.com/sluetze/CaC-content/blob/acf5cd98e8b6de45cea9e69a89138f8b61e153b3/applications/openshift/high-availability/control_plane_nodes_in_three_zones/rule.yml#L29

platform: not ocp4-on-hypershift-hosted

would ensure this, but for reasons I could not find out, it doesn't. Neither for the taint rule nor for the three nodes rule.

I made a small table which shows all platform: not ocp4-on-hypershift-hosted rules, and their ccr if there is one (I do not run all profiles so I do not run all rules).

I think it is safe to say that the platform: not ocp4-on-hypershift-hosted does not work in any rule, as there is no "NOT APPLICABLE".

Tested with:
CO 1.8.2
Hosted Control Plane Cluster: 4.20.15

RULE_PATH                                                                                           CCR_NAME                                                         STATE
----------                                                                                          ----------                                                       -----
applications/openshift/api-server/api_server_admission_control_plugin_alwaysadmit/rule.yml          ocp4-cis-api-server-admission-control-plugin-alwaysadmit         PASS
applications/openshift/api-server/api_server_admission_control_plugin_alwayspullimages/rule.yml     ocp4-cis-api-server-admission-control-plugin-alwayspullimages    PASS
applications/openshift/api-server/api_server_admission_control_plugin_namespacelifecycle/rule.yml   ocp4-cis-api-server-admission-control-plugin-namespacelifecycle  FAIL
applications/openshift/api-server/api_server_admission_control_plugin_noderestriction/rule.yml      ocp4-cis-api-server-admission-control-plugin-noderestriction     FAIL
applications/openshift/api-server/api_server_admission_control_plugin_scc/rule.yml                  ocp4-cis-api-server-admission-control-plugin-scc                 FAIL
applications/openshift/api-server/api_server_admission_control_plugin_securitycontextdeny/rule.yml  (no matching CCR)                                                
applications/openshift/api-server/api_server_admission_control_plugin_service_account/rule.yml      ocp4-cis-api-server-admission-control-plugin-service-account     FAIL
applications/openshift/api-server/api_server_api_priority_gate_enabled/rule.yml                     (no matching CCR)                                                
applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml                           ocp4-cis-api-server-audit-log-maxbackup                          FAIL
applications/openshift/api-server/api_server_audit_log_maxbackup/rule.yml                           ocp4-cis-ocp-api-server-audit-log-maxbackup                      FAIL
applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml                             ocp4-cis-api-server-audit-log-maxsize                            FAIL
applications/openshift/api-server/api_server_audit_log_maxsize/rule.yml                             ocp4-cis-ocp-api-server-audit-log-maxsize                        FAIL
applications/openshift/api-server/api_server_audit_log_path/rule.yml                                ocp4-cis-openshift-api-server-audit-log-path                     PASS
applications/openshift/api-server/api_server_audit_log_path/rule.yml                                ocp4-cis-api-server-audit-log-path                               FAIL
applications/openshift/api-server/api_server_auth_mode_no_aa/rule.yml                               ocp4-cis-api-server-auth-mode-no-aa                              PASS
applications/openshift/api-server/api_server_auth_mode_node/rule.yml                                (no matching CCR)                                                
applications/openshift/api-server/api_server_auth_mode_rbac/rule.yml                                ocp4-cis-api-server-auth-mode-rbac                               FAIL
applications/openshift/api-server/api_server_basic_auth/rule.yml                                    ocp4-cis-api-server-basic-auth                                   PASS
applications/openshift/api-server/api_server_bind_address/rule.yml                                  ocp4-cis-api-server-bind-address                                 FAIL
applications/openshift/api-server/api_server_client_ca/rule.yml                                     ocp4-cis-api-server-client-ca                                    FAIL
applications/openshift/api-server/api_server_client_ca/rule.yml                                     upstream-ocp4-bsi-api-server-client-ca                           FAIL
applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml                    ocp4-cis-api-server-encryption-provider-cipher                   FAIL
applications/openshift/api-server/api_server_encryption_provider_cipher/rule.yml                    upstream-ocp4-bsi-api-server-encryption-provider-cipher          FAIL
applications/openshift/api-server/api_server_etcd_ca/rule.yml                                       ocp4-cis-api-server-etcd-ca                                      FAIL
applications/openshift/api-server/api_server_etcd_cert/rule.yml                                     ocp4-cis-api-server-etcd-cert                                    FAIL
applications/openshift/api-server/api_server_etcd_key/rule.yml                                      ocp4-cis-api-server-etcd-key                                     FAIL
applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml                        upstream-ocp4-bsi-api-server-https-for-kubelet-conn              PASS
applications/openshift/api-server/api_server_https_for_kubelet_conn/rule.yml                        ocp4-cis-api-server-https-for-kubelet-conn                       PASS
applications/openshift/api-server/api_server_insecure_bind_address/rule.yml                         ocp4-cis-api-server-insecure-bind-address                        PASS
applications/openshift/api-server/api_server_insecure_port/rule.yml                                 (no matching CCR)                                                
applications/openshift/api-server/api_server_kube_no_unsupported_config_overrides/rule.yml          ocp4-cis-api-server-kube-no-unsupported-config-overrides         PASS
applications/openshift/api-server/api_server_kubelet_certificate_authority/rule.yml                 ocp4-cis-api-server-kubelet-certificate-authority                FAIL
applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml                           ocp4-cis-api-server-kubelet-client-cert                          FAIL
applications/openshift/api-server/api_server_kubelet_client_cert/rule.yml                           upstream-ocp4-bsi-api-server-kubelet-client-cert                 FAIL
applications/openshift/api-server/api_server_kubelet_client_key/rule.yml                            upstream-ocp4-bsi-api-server-kubelet-client-key                  FAIL
applications/openshift/api-server/api_server_kubelet_client_key/rule.yml                            ocp4-cis-api-server-kubelet-client-key                           FAIL
applications/openshift/api-server/api_server_no_adm_ctrl_plugins_disabled/rule.yml                  (no matching CCR)                                                
applications/openshift/api-server/api_server_no_unsupported_config_overrides/rule.yml               ocp4-cis-api-server-no-unsupported-config-overrides              PASS
applications/openshift/api-server/api_server_request_timeout/rule.yml                               ocp4-cis-api-server-request-timeout                              FAIL
applications/openshift/api-server/api_server_service_account_lookup/rule.yml                        ocp4-cis-api-server-service-account-lookup                       FAIL
applications/openshift/api-server/api_server_service_account_public_key/rule.yml                    ocp4-cis-api-server-service-account-public-key                   FAIL
applications/openshift/api-server/api_server_tls_cert/rule.yml                                      upstream-ocp4-bsi-api-server-tls-cert                            FAIL
applications/openshift/api-server/api_server_tls_cert/rule.yml                                      ocp4-cis-api-server-tls-cert                                     FAIL
applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml                             upstream-ocp4-bsi-api-server-tls-cipher-suites                   FAIL
applications/openshift/api-server/api_server_tls_private_key/rule.yml                               ocp4-cis-api-server-tls-private-key                              FAIL
applications/openshift/api-server/api_server_tls_private_key/rule.yml                               upstream-ocp4-bsi-api-server-tls-private-key                     FAIL
applications/openshift/api-server/api_server_token_auth/rule.yml                                    ocp4-cis-api-server-token-auth                                   PASS
applications/openshift/api-server/audit_log_forwarding_enabled/rule.yml                             (no matching CCR)                                                
applications/openshift/api-server/audit_log_forwarding_enabled_logging_api/rule.yml                 (no matching CCR)                                                
applications/openshift/api-server/audit_log_forwarding_enabled_observability_api/rule.yml           (no matching CCR)                                                
applications/openshift/controller/controller_insecure_port_disabled/rule.yml                        ocp4-cis-controller-insecure-port-disabled                       FAIL
applications/openshift/controller/controller_rotate_kubelet_server_certs/rule.yml                   (no matching CCR)                                                
applications/openshift/controller/controller_secure_port/rule.yml                                   ocp4-cis-controller-secure-port                                  FAIL
applications/openshift/controller/controller_service_account_ca/rule.yml                            ocp4-cis-controller-service-account-ca                           FAIL
applications/openshift/controller/controller_service_account_private_key/rule.yml                   ocp4-cis-controller-service-account-private-key                  FAIL
applications/openshift/controller/controller_use_service_account/rule.yml                           ocp4-cis-controller-use-service-account                          FAIL
applications/openshift/etcd/etcd_auto_tls/rule.yml                                                  ocp4-cis-etcd-auto-tls                                           FAIL
applications/openshift/etcd/etcd_cert_file/rule.yml                                                 ocp4-cis-etcd-cert-file                                          FAIL
applications/openshift/etcd/etcd_check_cipher_suite/rule.yml                                        (no matching CCR)                                                
applications/openshift/etcd/etcd_client_cert_auth/rule.yml                                          ocp4-cis-etcd-client-cert-auth                                   FAIL
applications/openshift/etcd/etcd_key_file/rule.yml                                                  ocp4-cis-etcd-key-file                                           FAIL
applications/openshift/etcd/etcd_peer_auto_tls/rule.yml                                             ocp4-cis-etcd-peer-auto-tls                                      FAIL
applications/openshift/etcd/etcd_peer_cert_file/rule.yml                                            ocp4-cis-etcd-peer-cert-file                                     FAIL
applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml                                     ocp4-cis-etcd-peer-client-cert-auth                              FAIL
applications/openshift/etcd/etcd_peer_key_file/rule.yml                                             ocp4-cis-etcd-peer-key-file                                      FAIL
applications/openshift/general/oauth_login_template_set/rule.yml                                    (no matching CCR)                                                
applications/openshift/general/oauth_provider_selection_set/rule.yml                                (no matching CCR)                                                
applications/openshift/general/tls_version_check_apiserver/rule.yml                                 (no matching CCR)                                                
applications/openshift/high-availability/control_plane_nodes_in_three_zones/rule.yml                (no matching CCR)                                                
applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml                                  ocp4-cis-kubelet-configure-tls-cert                              FAIL
applications/openshift/kubelet/kubelet_configure_tls_cert/rule.yml                                  upstream-ocp4-bsi-kubelet-configure-tls-cert                     FAIL
applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml                                   upstream-ocp4-bsi-kubelet-configure-tls-key                      FAIL
applications/openshift/kubelet/kubelet_configure_tls_key/rule.yml                                   ocp4-cis-kubelet-configure-tls-key                               FAIL
applications/openshift/master/master_taint_noschedule/rule.yml                                      upstream-ocp4-bsi-master-taint-noschedule                        FAIL
applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxbackup/rule.yml             (no matching CCR)                                                
applications/openshift/openshift-api-server/ocp_api_server_audit_log_maxsize/rule.yml               (no matching CCR)                                                
applications/openshift/openshift-api-server/openshift_api_server_audit_log_path/rule.yml            ocp4-cis-openshift-api-server-audit-log-path                     PASS
applications/openshift/scheduler/scheduler_no_bind_address/rule.yml                                 (no matching CCR)                                                
applications/openshift/scheduler/scheduler_port_is_zero/rule.yml                                    (no matching CCR)                                                
