Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-10877

mustonlyhave ConfigurationPolicies don't consider root-level keys

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • ACM 2.10.3
    • ACM 2.10.0
    • GRC
    • None
    • 2
    • False
    • None
    • False
    • GRC Sprint 2024-07
    • Important
    • No

      The expectation is that a root-level key in an existing object for a mustonlyhave ConfigurationPolicy would be deleted/nullified if it's not defined in the ConfigurationPolicy objectDefinition.

      However, in the case of something like a RoleBinding where subjects is not defined in the policy and the expectation is to wipe out that field, for example an objectDefinition with:

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: 
  name: self-provisioners
  annotations: 
    rbac.authorization.kubernetes.io/autoupdate: "false"
roleRef: 
  name: self-provisioner
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole

      The mustonlyhave, when comparing with a RoleBinding that does have a subjects defined, does not become NonCompliant because the controller is only looking at the root fields that have been defined. For example, this RoleBinding would be Compliant even though it should be NonCompliant for mustonlyhave:

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
. . .
subjects: 
- name: my-group
  apiGroup: rbac.authorization.k8s.io
  kind: Group

              dhaiduce Dale Haiducek
              dhaiduce Dale Haiducek
              ManiKrishna Sai Ravi
              Derek Ho Derek Ho
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: