Governance and risk dashboard not returning CIS benchmark results

Running a VMPolicy - cis benchmark for rhel7 (Virtual Machine) policy yields visible results in the Governance and risk dashboard. If your scan yields no results after creating the policy, check the logs of your ibm-management-vmpolicy-ansible-xxx pod by running the folowing command:

oc logs ibm-management-vmpolicy-ansible-* -n kube-system

The following conditions cause the VM policy operator to not run the CIS playbooks on your target VMs:

• Hashi Vault is sealed, please unseal it to use policy ansible engine path. Ending play
• Hashi Vault is not accessible, please check the service is running and accessible to use vmpolicy ansible engine path. Ending play
• # If the next request on the policy comes in too early (within 5 minutes default), ignore it "end play, epoch comparison"
• end play if no vm returned
• Search API did not return any VM for the tag VMSELECTOR TAGS, ending play SEARCH API SERVER RESPONSE
• end play if no vm in target host
• No single VM eligible for Target host group, ending play

Vault sealed

Symptom

Log entry: Hashi Vault is sealed, please unseal it to use policy ansible engine path. Ending play

Cause

If Vault is sealed the VM policy operator cannot access it.

Resolving the problem

Unseal Vault. For more information, see Unsealing Vault.

Vault not accessible

Symptom

Log entry: Hashi Vault is not accessible, please check the service is running and accessible to use vmpolicy ansible engine path. Ending play

Cause

Vault service is not running or accessible to VMPolicy operator

Solution

Make sure that the sre-bastion-vault service is available and that pods are running in the kube-systemnamespace.

Insufficient time gap

Symptom

Log entry: # If the next request on the policy comes in too early (within 5 minutes default), ignore it "end play, epoch comparison"

Cause

If you modify or create the same VMPolicy - cis benchmark for rhel7 (Virtual Machine) with no time gap, the VM operator with not perform an action on it.

Solution

Wait for next reconcile loop. If you don't want to wait you can delete the ibm-management-vmpolicy-ansible-xxx pod, then it will automatically get re-created when you issue the following command to restart the pod:

oc delete pod ibm-management-vmpolicy-ansible-* -n kube-system

Tag issues

Symptoms

Log entries:

• end play if no vm returned
• Search API did not return any VM for the tag VMSELECTOR TAGS, ending play SEARCH API SERVER RESPONSE

Cause

The VMs that apply to the tags you provided do not exist.

Solution

Make sure that your VM policy has the same tags defined in both IBM Cloud Pak® for Multicloud Management – Infrastructure Management and your VMs. If your policy defines multiple tags, make sure that your VMs also contain all of those tags.

For example, if you have two tags defined:

          vmSelector:
            tags:
              environment: production
              os: rhel7

The VM operator checks for VMs that have both of those tags, environment: production and os: rhel7.

Target host issues

Symptoms

Log entries:

• end play if no vm in target host
• No single VM eligible for Target host group, ending play

Causes

These errors can be because of two reasons:

• You don't have any VMs in Infrastructure management that have a valid public hostname or public IP address.
• You have not entered VM credentials in Vault.

Solution

1. Make sure your VMs are available for direct SSH. Jump host is not supported
2. Add VM credentials in Vault. For more information about adding VM credentials in Vault, see Adding VM credentials to Vault.

Note: You can search the Invalid VM uid list (no public hostname or IP address) and the use the List of VM hostnames/ip whose secrets are not in the Vault in the ibm-management-vmpolicy-ansible-xxx pod log.