  1. Red Hat Advanced Cluster Management
  2. ACM-10204

Unstable subscription status causes operator policy to flood with compliance events


    • Bug
    • Resolution: Done
    • Normal
    • ACM 2.10.3
    • None
    • GRC
    • None
    • 2
    • False
    • None
    • False
    • No
    • GRC Sprint 2024-05, GRC Sprint 2024-06
    • Moderate

      Description of problem:

      It seems that when there are multiple "constraints not satisfiable" messages, the order of those messages is not deterministic in the subscription. So every OLM reconcile causes the status to update, which causes an operator policy compliance event. This can be an infinite loop with only the OLM controller-runtime reconcile queue's backoff mechanism providing any relief.

      See this operator policy message:

      the policy spec is valid, the policy does not specify an OperatorGroup but one already exists in the namespace - assuming that OperatorGroup is correct, constraints not satisfiable: redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.3-0.1655383639.p, @existing/openshift-operators//gatekeeper-operator-product.v3.11.1, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.2, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v3.11.1, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.6-0.1697738427.p, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.5-0.1683051284.p and redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.4-0.1666670065.p provide Gatekeeper (operator.gatekeeper.sh/v1alpha1), clusterserviceversion gatekeeper-operator-product.v3.11.1 exists and is not referenced by a subscription, subscription gatekeeper-operator-product requires at least one of redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v3.11.1, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.6-0.1697738427.p, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.5-0.1683051284.p, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.4-0.1666670065.p, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.3-0.1655383639.p or redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.2, subscription gatekeeper-operator-product exists, there are no relevant InstallPlans in the namespace, A relevant installed ClusterServiceVersion could not be found, The ClusterServiceVersion is missing, thus meaning there are no relevant deployments, CatalogSource was found
      

      Here is the alternate order:

      the policy spec is valid, the policy does not specify an OperatorGroup but one already exists in the namespace - assuming that OperatorGroup is correct, constraints not satisfiable: clusterserviceversion gatekeeper-operator-product.v3.11.1 exists and is not referenced by a subscription, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.4-0.1666670065.p, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.3-0.1655383639.p, @existing/openshift-operators//gatekeeper-operator-product.v3.11.1, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.2, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v3.11.1, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.6-0.1697738427.p and redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.5-0.1683051284.p originate from package gatekeeper-operator-product, subscription gatekeeper-operator-product requires at least one of redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v3.11.1, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.6-0.1697738427.p, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.5-0.1683051284.p, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.4-0.1666670065.p, redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.3-0.1655383639.p or redhat-operators/openshift-marketplace/stable/gatekeeper-operator-product.v0.2.2, subscription gatekeeper-operator-product exists, there are no relevant InstallPlans in the namespace, A relevant installed ClusterServiceVersion could not be found, The ClusterServiceVersion is missing, thus meaning there are no relevant deployments, CatalogSource was found
      

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

      1. ...

      Actual results:

      A flood of compliance events.

      Expected results:

      A change in order should not cause a compliance message change.

      Additional info:
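An order-insensitive comparison of the kind the expected result asks for, as an added example in Go (not part of the original report and not the project's fix). The messages are constructed samples for a hypothetical operator `demo`, and `orderKey` and `eventsFor` are hypothetical names; the key absorbs reordering only, so messages whose wording differs, like the two quoted above, still count as a change.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// marker precedes the resolver's constraint list in the messages quoted above.
const marker = "constraints not satisfiable: "

// Constructed sample messages (hypothetical operator "demo"), not cluster output.
var (
	msgA = "the policy spec is valid, constraints not satisfiable: cat/ns/stable/demo.v1, cat/ns/stable/demo.v2 and @existing/ns//demo.v3 provide Demo (demo.example/v1), subscription demo exists, CatalogSource was found"
	msgB = "the policy spec is valid, constraints not satisfiable: subscription demo exists, @existing/ns//demo.v3, cat/ns/stable/demo.v1 and cat/ns/stable/demo.v2 provide Demo (demo.example/v1), CatalogSource was found"
	msgC = "the policy spec is valid, constraints not satisfiable: subscription demo exists, cat/ns/stable/demo.v1 and cat/ns/stable/demo.v2 originate from package demo, CatalogSource was found"
)

// orderKey returns a comparison key that ignores ordering after the marker:
// the tail is split into words and the words are sorted. Trade-off: two tails
// made of exactly the same words in another arrangement compare equal.
func orderKey(msg string) string {
	head, tail, found := strings.Cut(msg, marker)
	if !found {
		return msg
	}
	words := strings.FieldsFunc(tail, func(r rune) bool { return r == ' ' || r == ',' })
	sort.Strings(words)
	return head + marker + strings.Join(words, " ")
}

// eventsFor replays one status message per reconcile and returns only those
// whose key differs from the last reported one (the would-be compliance events).
func eventsFor(statuses []string) []string {
	var out []string
	last := ""
	for i, s := range statuses {
		if k := orderKey(s); i == 0 || k != last {
			out = append(out, s)
			last = k
		}
	}
	return out
}

func main() {
	fmt.Println(len(eventsFor([]string{msgA, msgB, msgA, msgB, msgC})), "events for 5 reconciles")
}
```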

            rh-ee-jeluo Jeffrey Luo
            mprahl Matthew Prahl
            Derek Ho Derek Ho