Commit c347e5e

Merge pull request #75011 from GroceryBoyJr/cmp-2336-go
CMP-2336 Make CO 1.4.1 Release Notes Live
2 parents 1eb887b + 430e134 commit c347e5e

1 file changed

+39
-33
lines changed

security/compliance_operator/compliance-operator-release-notes.adoc

Lines changed: 39 additions & 33 deletions
@@ -15,39 +15,45 @@ For an overview of the Compliance Operator, see xref:../../security/compliance_o
1515

1616
To access the latest release, see xref:../../security/compliance_operator/co-management/compliance-operator-updating.adoc#olm-preparing-upgrade_compliance-operator-updating[Updating the Compliance Operator].
1717

18-
//[id="compliance-operator-release-notes-1-4-1"]
19-
//== OpenShift Compliance Operator 1.4.1
20-
//
21-
//The following advisory is available for the OpenShift Compliance Operator 1.4.1:
22-
//
23-
//* link:https://access.redhat.com/errata/RHBA-2024:1830[RHBA-2024:1830 - OpenShift Compliance Operator bug fix and enhancement update]
24-
//
25-
//[id="compliance-operator-1-4-1-new-features-and-enhancements"]
26-
//=== New features and enhancements
27-
//
28-
//* With this update, Compliance Operator now provides `OCP4 STIG ID` and `SRG` with the profile rules. (link:https://issues.redhat.com/browse/CMP-2401[*CMP-2401*])
29-
//
30-
//* With this update, obsolete rules being applied to `s390x` have been removed. (link:https://issues.redhat.com/browse/CMP-2471[*CMP-2471*])
31-
//
32-
//[id="compliance-operator-1-4-1-bug-fixes"]
33-
//=== Bug fixes
34-
//
35-
//* Previously, for RHCOS systems using RHEL9, application of the `ocp4-kubelet-enable-protect-kernel-sysctl-file-exist` rule failed. This update replaces the rule with `ocp4-kubelet-enable-protect-kernel-sysctl`. Now, after auto remediation is applied, RHEL9-based RHCOS systems will show `PASS` upon the application of this rule. (link:https://issues.redhat.com/browse/OCPBUGS-13589[*OCPBUGS-13589*])
36-
//
37-
//* Previously, after applying compliance remediations using profile `rhcos4-e8`, the nodes were no longer accessible using SSH to the core user account. With this update, nodes remain accessible through SSH using sshkey. (link:https://issues.redhat.com/browse/OCPBUGS-1833[*OCPBUGS-1833*])
38-
//
39-
//* Previously, the `STIG` profile was missing rules from CaC that fulfill requirements on the published `STIG` for {product-title}. With this update, upon remediation, the cluster satisfies `STIG` requirements that can be remediated using Compliance Operator. (link:https://issues.redhat.com/browse/OCPBUGS-26193[*OCPBUGS-26193*])
40-
//
41-
//* Previously, creating a `ScanSettingBinding` with profiles of different types for multiple products bypassed a restriction against multiple products types in a binding. With this update, the product validation now allows multiple products regardless of the of profile types in the `ScanSettingBinding`. (link:https://issues.redhat.com/browse/OCPBUGS-26229[*OCPBUGS-26229*])
42-
//
43-
//* Previously, running the `rhcos4-service-debug-shell-disabled` rule showed as `FAIL` even after auto-remediation was applied. With this update, running the `rhcos4-service-debug-shell-disabled` rule now shows `PASS` after auto-remediation is applied. (link:https://issues.redhat.com/browse/OCPBUGS-28242[*OCPBUGS-28242*])
44-
//
45-
//* With this update, instructions for the use of the `rhcos4-banner-etc-issue` rule are enhanced to provide more detail. (link:https://issues.redhat.com/browse/OCPBUGS-28797[*OCPBUGS-28797*])
46-
//
47-
//* Previously the `api_server_api_priority_flowschema_catch_all` rule provided `FAIL` status on {product-title} 4.16 clusters. With this update, the `api_server_api_priority_flowschema_catch_all` rule provides `PASS` status on {product-title} 4.16 clusters. (link:https://issues.redhat.com/browse/OCPBUGS-28918[*OCPBUGS-28918*])
48-
//
49-
//* Previously, when a profile was removed from a completed scan shown in `ScanSettingBinding` (SSB), Compliance Operator did not remove the old scan. Afterward, when launching a new SSB using the deleted profile, Compliance Operator failed to update the result. With this release of Compliance Operator, the new SSB now shows the new compliance check result. (link:https://issues.redhat.com/browse/OCPBUGS-29272[*OCPBUGS-29272*])
50-
//
18+
[id="compliance-operator-release-notes-1-4-1"]
19+
== OpenShift Compliance Operator 1.4.1
20+
21+
The following advisory is available for the OpenShift Compliance Operator 1.4.1:
22+
23+
* link:https://access.redhat.com/errata/RHBA-2024:1830[RHBA-2024:1830 - OpenShift Compliance Operator bug fix and enhancement update]
24+
25+
[id="compliance-operator-1-4-1-new-features-and-enhancements"]
26+
=== New features and enhancements
27+
28+
* As of this release, the Compliance Operator now provides the CIS OpenShift 1.5.0 profile rules. (link:https://issues.redhat.com/browse/CMP-2447[*CMP-2447*])
29+
30+
* With this update, the Compliance Operator now provides `OCP4 STIG ID` and `SRG` with the profile rules. (link:https://issues.redhat.com/browse/CMP-2401[*CMP-2401*])
31+
32+
* With this update, obsolete rules being applied to `s390x` have been removed. (link:https://issues.redhat.com/browse/CMP-2471[*CMP-2471*])
33+
34+
[id="compliance-operator-1-4-1-bug-fixes"]
35+
=== Bug fixes
36+
37+
* Previously, for {op-system-first} systems using {op-system-base-full} 9, application of the `ocp4-kubelet-enable-protect-kernel-sysctl-file-exist` rule failed. This update replaces the rule with `ocp4-kubelet-enable-protect-kernel-sysctl`. Now, after auto remediation is applied, {op-system-base} 9-based {op-system} systems will show `PASS` upon the application of this rule. (link:https://issues.redhat.com/browse/OCPBUGS-13589[*OCPBUGS-13589*])
38+
39+
* Previously, after applying compliance remediations using profile `rhcos4-e8`, the nodes were no longer accessible using SSH to the core user account. With this update, nodes remain accessible through SSH using the `sshkey1 option. (link:https://issues.redhat.com/browse/OCPBUGS-18331[*OCPBUGS-18331*])
40+
41+
* Previously, the `STIG` profile was missing rules from CaC that fulfill requirements on the published `STIG` for {product-title}. With this update, upon remediation, the cluster satisfies `STIG` requirements that can be remediated using Compliance Operator. (link:https://issues.redhat.com/browse/OCPBUGS-26193[*OCPBUGS-26193*])
42+
43+
* Previously, creating a `ScanSettingBinding` object with profiles of different types for multiple products bypassed a restriction against multiple products types in a binding. With this update, the product validation now allows multiple products regardless of the of profile types in the `ScanSettingBinding` object. (link:https://issues.redhat.com/browse/OCPBUGS-26229[*OCPBUGS-26229*])
44+
45+
* Previously, running the `rhcos4-service-debug-shell-disabled` rule showed as `FAIL` even after auto-remediation was applied. With this update, running the `rhcos4-service-debug-shell-disabled` rule now shows `PASS` after auto-remediation is applied. (link:https://issues.redhat.com/browse/OCPBUGS-28242[*OCPBUGS-28242*])
46+
47+
* With this update, instructions for the use of the `rhcos4-banner-etc-issue` rule are enhanced to provide more detail. (link:https://issues.redhat.com/browse/OCPBUGS-28797[*OCPBUGS-28797*])
48+
49+
* Previously the `api_server_api_priority_flowschema_catch_all` rule provided `FAIL` status on {product-title} 4.16 clusters. With this update, the `api_server_api_priority_flowschema_catch_all` rule provides `PASS` status on {product-title} 4.16 clusters. (link:https://issues.redhat.com/browse/OCPBUGS-28918[*OCPBUGS-28918*])
50+
51+
* Previously, when a profile was removed from a completed scan shown in a `ScanSettingBinding` (SSB) object, the Compliance Operator did not remove the old scan. Afterward, when launching a new SSB using the deleted profile, the Compliance Operator failed to update the result. With this release of the Compliance Operator, the new SSB now shows the new compliance check result. (link:https://issues.redhat.com/browse/OCPBUGS-29272[*OCPBUGS-29272*])
52+
53+
* Previously, on `ppc64le` architecture, the metrics service was not created. With this update, when deploying the Compliance Operator v1.4.1 on `ppc64le` architecture, the metrics service is now created correctly. (link:https://issues.redhat.com/browse/OCPBUGS-32797[*OCPBUGS-32797*])
54+
55+
* Previously, on a HyperShift hosted cluster, a scan with the `ocp4-pci-dss profile` will run into an unrecoverable error due to a `filter cannot iterate` issue. With this release, the scan for the `ocp4-pci-dss` profile will reach `done` status and return either a `Compliance` or `Non-Compliance` test result. (link:https://issues.redhat.com/browse/OCPBUGS-33067[*OCPBUGS-33067*])
56+
5157
[id="compliance-operator-release-notes-1-4-0"]
5258
== OpenShift Compliance Operator 1.4.0
5359
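Review bot: The OCPBUGS-18331 bullet (new line 39) has an unbalanced backtick: "`sshkey1 option" looks like a typo for "`sshkey` option" (the removed line 37 read "using sshkey"), and as written the monospace span never closes, so the rest of the bullet may render incorrectly. The same bullet also changes the issue key from OCPBUGS-1833 to OCPBUGS-18331 in both the URL and the link text; please confirm that is the intended ticket. In the new OCPBUGS-33067 bullet (new line 55), the closing backtick lands after "profile" in "`ocp4-pci-dss profile`" while the next sentence formats it as "`ocp4-pci-dss` profile", and "will run into an unrecoverable error" follows "Previously", so it should be past tense ("ran into"). New line 43 still carries "regardless of the of profile types" and "multiple products types" over from the commented-out text; suggest "regardless of the profile types" and "multiple product types". Minor: new line 37 uses "auto remediation" while new line 45 uses "auto-remediation"; pick one spelling.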
