Governance and risk dashboard not returning CIS benchmark results
Running a VMPolicy - cis benchmark for rhel7 (Virtual Machine) policy yields visible results in the Governance and risk dashboard. If your scan yields no results after creating the policy, check the logs of your ibm-management-vmpolicy-ansible-xxx pod by running the following command:
oc logs ibm-management-vmpolicy-ansible-* -n kube-system
The following conditions cause the VM policy operator to not run the CIS playbooks on your target VMs:
Hashi Vault is sealed, please unseal it to use policy ansible engine path. Ending play
Hashi Vault is not accessible, please check the service is running and accessible to use vmpolicy ansible engine path. Ending play
# If the next request on the policy comes in too early (within 5 minutes default), ignore it
"end play, epoch comparison"
end play if no vm returned
Search API did not return any VM for the tag VMSELECTOR TAGS, ending play SEARCH API SERVER RESPONSE
end play if no vm in target host
No single VM eligible for Target host group, ending play
Vault sealed
Symptom
Log entry: Hashi Vault is sealed, please unseal it to use policy ansible engine path. Ending play
Cause
If Vault is sealed the VM policy operator cannot access it.
Resolving the problem
Unseal Vault. For more information, see Unsealing Vault.
Vault not accessible
Symptom
Log entry: Hashi Vault is not accessible, please check the service is running and accessible to use vmpolicy ansible engine path. Ending play
Cause
The Vault service is not running, or it is not accessible to the VMPolicy operator.
Solution
Make sure that the sre-bastion-vault service is available and that its pods are running in the kube-system namespace.
Insufficient time gap
Symptom
Log entry: # If the next request on the policy comes in too early (within 5 minutes default), ignore it
"end play, epoch comparison"
Cause
If you modify or create the same VMPolicy - cis benchmark for rhel7 (Virtual Machine) policy with no time gap (less than 5 minutes by default), the VM operator will not perform an action on it.
Solution
Wait for the next reconcile loop. If you don't want to wait, delete the ibm-management-vmpolicy-ansible-xxx pod with the following command; the pod is automatically re-created:
oc delete pod ibm-management-vmpolicy-ansible-* -n kube-system
Tag issues
Symptoms
Log entries:
end play if no vm returned
Search API did not return any VM for the tag VMSELECTOR TAGS, ending play SEARCH API SERVER RESPONSE
Cause
No VMs carry all of the tags you provided in the policy.
Solution
Make sure that your VM policy has the same tags defined in both IBM Cloud Pak® for Multicloud Management – Infrastructure Management and your VMs. If your policy defines multiple tags, make sure that your VMs also contain all of those tags.
For example, if you have two tags defined:
vmSelector:
  tags:
    environment: production
    os: rhel7
The VM operator checks for VMs that have both of those tags, environment: production and os: rhel7.
Target host issues
Symptoms
Log entries:
end play if no vm in target host
No single VM eligible for Target host group, ending play
Causes
These errors can have two causes:
- You don't have any VMs in Infrastructure management that have a valid public hostname or public IP address.
- You have not entered the VM credentials in Vault.
Solution
- Make sure your VMs are reachable for direct SSH. A jump host is not supported.
- Add the VM credentials in Vault. For more information about adding VM credentials in Vault, see Adding VM credentials to Vault.
Note: To find out which VMs were excluded, search the ibm-management-vmpolicy-ansible-xxx pod log for the Invalid VM uid list (VMs with no public hostname or IP address) and the List of VM hostnames/ip whose secrets are not in the Vault.
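The following is an added example, not code from the IBM documentation or from the VM policy operator itself: it models the gating checks described in the Insufficient time gap, Tag issues and Target host issues sections (the 5-minute epoch comparison, all-tags-must-match selection, and the public address and Vault credential requirements) over a constructed inventory, returning the same reason strings the pod log shows. Function and field names are assumptions for illustration.

```python
MIN_GAP_SECONDS = 300  # "within 5 minutes default" in the log message

def gap_ok(last_run_epoch, now_epoch, min_gap=MIN_GAP_SECONDS):
    """Epoch comparison: a request arriving within min_gap of the last run is ignored."""
    return now_epoch - last_run_epoch >= min_gap

def select_by_tags(vms, selector_tags):
    """Search API behaviour per the page: a VM must carry every vmSelector tag."""
    return [vm for vm in vms if all(vm["tags"].get(k) == v for k, v in selector_tags.items())]

def target_host_eligibility(vms, vault_secrets):
    """Split VMs into eligible targets and the two diagnostic lists named in the pod log."""
    eligible, invalid_uids, missing_secrets = [], [], []
    for vm in vms:
        address = vm.get("public_hostname") or vm.get("public_ip")
        if not address:
            invalid_uids.append(vm["uid"])   # "Invalid VM uid list"
        elif address not in vault_secrets:
            missing_secrets.append(address)  # "List of VM hostnames/ip whose secrets are not in the Vault"
        else:
            eligible.append(vm)
    return eligible, invalid_uids, missing_secrets

def plan_play(vms, selector_tags, vault_secrets, last_run_epoch, now_epoch):
    """Return (reason string mirroring the log, list of VMs the CIS playbooks would target)."""
    if not gap_ok(last_run_epoch, now_epoch):
        return "end play, epoch comparison", []
    tagged = select_by_tags(vms, selector_tags)
    if not tagged:
        return "end play if no vm returned", []
    eligible, _invalid, _missing = target_host_eligibility(tagged, vault_secrets)
    if not eligible:
        return "end play if no vm in target host", []
    return "run CIS playbooks", eligible

# Constructed sample inventory and Vault contents (assumed shapes, not real data)
SAMPLE_VMS = [
    {"uid": "vm-1", "tags": {"environment": "production", "os": "rhel7"}, "public_hostname": "web1.example.test"},
    {"uid": "vm-2", "tags": {"environment": "production", "os": "rhel7"}, "public_ip": None},
    {"uid": "vm-3", "tags": {"environment": "production"}, "public_ip": "192.0.2.10"},
    {"uid": "vm-4", "tags": {"environment": "production", "os": "rhel7"}, "public_ip": "192.0.2.11"},
]
SAMPLE_SECRETS = {"web1.example.test"}  # Vault holds credentials only for vm-1
SELECTOR = {"environment": "production", "os": "rhel7"}

if __name__ == "__main__":
    print(plan_play(SAMPLE_VMS, SELECTOR, SAMPLE_SECRETS, last_run_epoch=0, now_epoch=1000))
```

Only vm-1 is targeted here: vm-3 lacks the os tag, vm-2 has no public address, and vm-4 has no Vault credentials.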