Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-10195

A noncompliant OperatorPolicy causes an unrelated OperatorPolicy to be noncompliant

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • ACM 2.10.0
    • ACM 2.10.0
    • GRC
    • None
    • 2
    • False
    • Hide

      None

      Show
      None
    • False
    • GRC Sprint 2024-04
    • Critical
    • No

      Description of problem:

      If I have two operator policies creating subscriptions in the same namespace and one of the subscriptions references an invalid operator/package, both operator policies are noncompliant because the `ConstraintsNotSatisfiable` condition gets set on all subscriptions in the namespace by OLM even though one subscription is not related to the other.

      The OpenShift console seems to ignore this and present the correct status:

      Version-Release number of selected component (if applicable):

      How reproducible:

      Every time

      Steps to Reproduce:

      Create a valid and invalid operator policy with subscriptions in the same namespace:

      Valid:

      apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: case20-install-gk
  namespace: open-cluster-management-global-set
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1beta1
        kind: OperatorPolicy
        metadata:
          name: case20-install-gk
        spec:
          remediationAction: enforce
          severity: critical
          complianceType: musthave
          subscription:
            channel: stable
            name: gatekeeper-operator-product
            namespace: openshift-operators
            installPlanApproval: Automatic
            source: redhat-operators
            sourceNamespace: openshift-marketplace

      Invalid:

      apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: case20-install-gk2
  namespace: open-cluster-management-global-set
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1beta1
        kind: OperatorPolicy
        metadata:
          name: case20-install-gk2
        spec:
          remediationAction: enforce
          severity: critical
          complianceType: musthave
          subscription:
            channel: stable
            name: gatekeeper-operator
            namespace: openshift-operators
            installPlanApproval: Automatic
            source: redhat-operators
            sourceNamespace: openshift-marketplace

      Actual results:

      Both operator policies are invalid with "ConstraintsNotSatisfiable".

      Expected results:

      Only the "case20-install-gk2" operator policy should be noncompliant with "ConstraintsNotSatisfiable".

      Additional info:

      Consider ignoring "ConstraintsNotSatisfiable" if the operator policy's subscription's related CSV is compliant. Also, deleting the invalid subscription does not cause OLM to reconcile and fix the existing subscription status.

        1. image-2024-02-29-10-48-13-587.png
          image-2024-02-29-10-48-13-587.png
          129 kB
        2. Screenshot 2024-03-15 at 9.46.59 AM.png
          Screenshot 2024-03-15 at 9.46.59 AM.png
          76 kB

              mprahl Matthew Prahl
              mprahl Matthew Prahl
              Derek Ho Derek Ho
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: