
CMP-3834: Add CIS profiles auto-remediation test#77

Open
taimurhafeez wants to merge 1 commit intoComplianceAsCode:mainfrom
taimurhafeez:CMP-3834-cis-profile-test

Conversation

@taimurhafeez
Collaborator

The test validates that auto-remediation works correctly for CIS profiles by:

  1. Creating a custom MachineConfigPool and KubeletConfig
  2. Running scans with ocp4-cis and ocp4-cis-node profiles
  3. Verifying remediations are auto-applied
  4. Triggering a rescan and validating improvements

The test case requires encryption to be enabled on the cluster first, which might take some time. The command to enable encryption is:

oc patch apiserver cluster --type=merge -p '{"spec":{"encryption":{"type":"aesgcm"}}}'

It will take some time. To know when the next command can be executed, in a separate terminal we can monitor it every 30 seconds:

watch -n 30 "oc get co kube-apiserver openshift-apiserver"

When PROGRESSING is False for both kube-apiserver and openshift-apiserver, we can run the test with the following command:

go test -v -timeout 120m . -run=^TestCISProfiles$ -install-operator=true

Output on OCP 4.22:

=== RUN   TestCISProfiles
2026/04/24 15:43:17 Labeled node ip-10-0-39-126.us-west-1.compute.internal with node-role.kubernetes.io/wrscan=
2026/04/24 15:43:18 Created MachineConfigPool wrscan
2026/04/24 15:43:18 Waiting for MachineConfigPool wrscan to update (this may take 10-20 minutes)
2026/04/24 15:43:18 MachineConfigPool wrscan is updated: 0/0 machines updated
2026/04/24 15:43:18 MachineConfigPool wrscan updated successfully
2026/04/24 15:43:18 Created KubeletConfig custom-wrscan
2026/04/24 15:43:18 Waiting for KubeletConfig custom-wrscan to be applied successfully
2026/04/24 15:43:18 KubeletConfig custom-wrscan applied successfully
2026/04/24 15:43:18 Waiting for MachineConfigPool wrscan to update (this may take 10-20 minutes)
2026/04/24 15:43:19 MachineConfigPool wrscan is updated: 0/0 machines updated
2026/04/24 15:43:19 MachineConfigPool wrscan updated successfully
2026/04/24 15:43:19 Created ScanSetting cis-auto-apply with auto-apply remediations
2026/04/24 15:43:19 Waiting for initial scans to complete
2026/04/24 15:43:19 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is LAUNCHING
2026/04/24 15:43:25 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:43:30 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:43:35 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:43:40 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:43:45 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:43:51 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:43:56 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is AGGREGATING
2026/04/24 15:44:01 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is AGGREGATING
2026/04/24 15:44:06 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis is AGGREGATING
2026/04/24 15:44:11 ComplianceSuite cis-profiles-test is DONE
2026/04/24 15:44:12 Initial scan completed with 148 check results
2026/04/24 15:44:12 Waiting for remediations to be auto-applied
2026/04/24 15:44:12 Waiting for 13 remediations to be applied for suite cis-profiles-test
2026/04/24 15:44:15 Remediation status for suite cis-profiles-test: Applied=13, Error=0, NeedsReview=0, Outdated=0, Total=13
2026/04/24 15:44:15 Successfully applied 13 remediations for suite cis-profiles-test
2026/04/24 15:44:15 Waiting for MachineConfigPool to update after remediations
2026/04/24 15:44:15 Waiting for MachineConfigPool wrscan to update (this may take 10-20 minutes)
2026/04/24 15:44:15 MachineConfigPool wrscan is updated: 1/1 machines updated
2026/04/24 15:44:15 MachineConfigPool wrscan updated successfully
2026/04/24 15:44:15 Triggering rescan to verify remediations
2026/04/24 15:44:15 Triggering rescan for suite cis-profiles-test
2026/04/24 15:44:16 Triggered rescan for scan ocp4-cis
2026/04/24 15:44:16 Triggered rescan for scan ocp4-cis-node-wrscan
2026/04/24 15:44:16 Waiting for rescan to complete
2026/04/24 15:44:16 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis is LAUNCHING
2026/04/24 15:44:21 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:44:27 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:44:32 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:44:37 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:44:42 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:44:47 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:44:53 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:44:58 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:03 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:08 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:13 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:19 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:24 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:29 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:34 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:40 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:45 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:50 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:45:55 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:00 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:06 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:11 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:16 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:21 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:26 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:31 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:37 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:42 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:47 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:52 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:46:57 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:47:03 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:47:08 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is RUNNING
2026/04/24 15:47:13 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is AGGREGATING
2026/04/24 15:47:18 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is AGGREGATING
2026/04/24 15:47:23 ComplianceSuite cis-profiles-test is not DONE: suite cis-profiles-test scan ocp4-cis-node-wrscan is AGGREGATING
2026/04/24 15:47:29 ComplianceSuite cis-profiles-test is DONE
2026/04/24 15:47:29 Rescan completed: 1 checks improved from initial scan
2026/04/24 15:47:29 Final results: 148 total checks
2026/04/24 15:47:29 CIS profiles test completed successfully: 1 checks improved
2026/04/24 15:47:30 Deleted KubeletConfig custom-wrscan
2026/04/24 15:47:31 Paused MachineConfigPool wrscan
2026/04/24 15:47:36 Deleted MachineConfigPool wrscan
2026/04/24 15:47:37 Removed label node-role.kubernetes.io/wrscan from node ip-10-0-39-126.us-west-1.compute.internal
--- PASS: TestCISProfiles (260.76s)
PASS
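The wait described in the PR description above is done by eye with `watch`. As an added example (not code from this PR or from the compliance-operator repository), the script below turns that into a scripted gate: it polls the two ClusterOperators with a jsonpath query for their Progressing condition and only then enables the test run. The status strings `SAMPLE_PROGRESSING` and `SAMPLE_SETTLED` are constructed samples of that jsonpath output for offline checking; `all_settled` and `wait_for_encryption` are names chosen here, not anything the operator or `oc` provides.

```shell
#!/bin/sh
# Added example, not part of PR #77: gate the CIS test run on the apiserver
# operators having finished their encryption rollout, instead of eyeballing
# `watch`. Only `oc` and `awk` are required; the sample status strings below
# are constructed for offline testing.

# all_settled STATUS
#   STATUS is one "<operator> <Progressing-status>" pair per line, as printed
#   by the jsonpath query in wait_for_encryption. Succeeds only when both
#   kube-apiserver and openshift-apiserver are present and neither is still
#   Progressing=True. Missing or partial output fails closed.
all_settled() {
  printf '%s\n' "$1" | awk '
    NF < 2 { next }
    $1 == "kube-apiserver" || $1 == "openshift-apiserver" { seen++ }
    $2 != "False" { bad = 1 }
    END { exit (bad || seen != 2) ? 1 : 0 }'
}

# wait_for_encryption [INTERVAL_SECONDS] [MAX_ATTEMPTS]
#   Polls the two ClusterOperators (default every 30s, up to 60 times, i.e.
#   30 minutes) and returns 0 once all_settled accepts their Progressing
#   status, 1 on timeout.
wait_for_encryption() {
  interval=${1:-30}
  attempts=${2:-60}
  while [ "$attempts" -gt 0 ]; do
    status=$(oc get co kube-apiserver openshift-apiserver \
      -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.conditions[?(@.type=="Progressing")].status}{"\n"}{end}')
    if all_settled "$status"; then
      return 0
    fi
    attempts=$((attempts - 1))
    sleep "$interval"
  done
  echo "timed out waiting for kube-apiserver/openshift-apiserver to stop progressing" >&2
  return 1
}

# Constructed samples of the jsonpath output, mid-rollout and after it.
SAMPLE_PROGRESSING='kube-apiserver True
openshift-apiserver False'
SAMPLE_SETTLED='kube-apiserver False
openshift-apiserver False'

# Set RUN_LIVE=1 to actually enable encryption and run the test against the
# current kubeconfig context; unset, the script only defines the functions.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  oc patch apiserver cluster --type=merge -p '{"spec":{"encryption":{"type":"aesgcm"}}}'
  wait_for_encryption 30 60
  go test -v -timeout 120m . -run='^TestCISProfiles$' -install-operator=true
fi
```

Progressing=False on the two operators is the signal the PR description waits on, so that is what the gate checks. Note that it is a rollout signal, not proof that the data is encrypted: the OpenShift documentation's verification step reads the `Encrypted` condition on the `openshiftapiserver` and `kubeapiserver` resources (for example `oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'`) and expects `EncryptionCompleted`; adding that to `all_settled` is a one-line extension if the test is meant to assert on encryption itself rather than on the operators having settled.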

@openshift-ci

openshift-ci Bot commented Apr 24, 2026

@taimurhafeez: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-platform-compliance aabee39 link true /test e2e-aws-openshift-platform-compliance
ci/prow/e2e-aws-ocp4-cis aabee39 link true /test e2e-aws-ocp4-cis
ci/prow/e2e-aws-ocp4-stig aabee39 link true /test e2e-aws-ocp4-stig
ci/prow/e2e-aws-rhcos4-moderate aabee39 link true /test e2e-aws-rhcos4-moderate


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Collaborator

@rhmdnd rhmdnd left a comment


I'm curious on the direction of this test since it's profile specific, where historically these tests have been willing to accept any profile offered by the operator.

Comment thread e2e_test.go
}
}

// TestCISProfiles tests auto-remediation for CIS profiles.
Collaborator


This seems to do a lot of what TestProfileRemediations already does when running it with the CIS profiles.

Is there a way we can incorporate the test paths for MCP/KubeletConfig setup and etcd encryption into the TestProfileRemediations path?

Most of the testing here is independent of any particular profile. It's mostly designed to take a profile, run it through scans and remediation in a generic way, then assert the final scan state. This change takes that pattern in a new direction, where we're starting to build profile-specific behavior into the tests themselves (e.g., we wouldn't reuse TestCISProfiles with any profiles but the cis and cis-node profiles).

Thoughts?
