Add enhancement last-scanned-timestamps
#501
Conversation
|
Hi @SimonBaeumer. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: SimonBaeumer The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
rhmdnd
requested review from
yuumasato,
mkumku,
sheriff-rh and
Vincent056
and removed request for
jhrozek
|
/ok-to-test |
|
|
||
| ## Proposal | ||
|
|
||
| Add a `LastTimeStamp` field to the `ComplianceCheckResult` which is updated after every scan. |
There was a problem hiding this comment.
I just realized we have a similar field already on the ComplianceSuite and ComplianceScan objects:
╭─lbragstad@p1 ~
╰─➤ $ oc get scans -o json ocp4-cis | jq .status.conditions
[
{
"lastTransitionTime": "2024-04-12T20:21:52Z",
"message": "Compliance scan run is done running the scans",
"reason": "NotRunning",
"status": "False",
"type": "Processing"
},
{
"lastTransitionTime": "2024-04-12T20:21:52Z",
"message": "Compliance scan run is done and has results",
"reason": "Done",
"status": "True",
"type": "Ready"
}
]
╭─lbragstad@p1 ~
╰─➤ $ oc get suites -o json cis | jq .status.conditions
[
{
"lastTransitionTime": "2024-04-12T20:21:52Z",
"message": "Compliance suite run is done running the scans",
"reason": "NotRunning",
"status": "False",
"type": "Processing"
},
{
"lastTransitionTime": "2024-04-12T20:21:52Z",
"message": "Compliance suite run is done and has results",
"reason": "Done",
"status": "True",
"type": "Ready"
}
]
To keep things consistent, I wonder if we can just implement status conditions on ComplianceCheckResults.
|
|
||
| ## Summary | ||
|
|
||
| ACS implements an integration with Compliance Operator. For this, ACS reports when a scan was completed. Currently |
There was a problem hiding this comment.
I think the part that makes this tricky is that the data is only flowing one way (from sensor to central). Without a definitive signal that tells central "yep, you have everything" it's required to make an assumption (e.g., I've waited 5 minutes without anything new coming in from this particular suite, which is marked as DONE, I should be safe to build a report?).
There was a problem hiding this comment.
We could also implement like this:
After a scan report is triggered, wait until ComplianceSuite is in state DONE, than read all results and check that the lastScannedTimestamp is after the last triggered scan time.
If not, retry 10 minutes later.
Would require a small go routine background job though to manage this.
@rhmdnd How likely do you even think it is that a result is send after the suite reports DONE?
Imho we could also implement a small buffer of some minutes after which the the report is sent.
There was a problem hiding this comment.
Not just a report problem. ACS simply has no way to know if the results match an iteration of a scan.
There was a problem hiding this comment.
Not just a report problem. ACS simply has no way to know if the results match an iteration of a scan.
Is a guarantee necessary or the current implementation "good enough"?
If a guarantee is necessary we would need some kind of a UUID per CO scan.
There was a problem hiding this comment.
What if the ComplianceScan object contained a counter with the number of ComplianceCheckResults it generated the most recent run? Then consumers would have a known quantity to check for.
There was a problem hiding this comment.
@rhmdnd Is the ComplianceScan object aware of the total check results it creates?
There was a problem hiding this comment.
As an integer, it isn't. We could implement that though in the Reconcile loop of the ComplianceScan and tack that number onto the scan.
|
/hold for test |
|
See #512 |
|
@SimonBaeumer: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
we have implmentation in #591 |
This PR adds an enhancement to add a field
LastScannedTimestampto theCheckResultCR.This enhancement is planned to be implemented by myself. This first iteration is to get consensus on the feature request and discuss possible implementations if necessary.