Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-1185

Ability to modify specific entries when using policy "mustonlyhave"

XMLWordPrintable

    • Icon: Feature Feature
    • Resolution: Won't Do
    • Icon: Normal Normal
    • None
    • None
    • GRC
    • False
    • False
    • ACM-33 - Multi-cluster Governance, Risk & Compliance (GRC)

      The difference between must-have and mustonlyhave is:

      • "Compliance setting = mustonlyhave" means RHACM will apply the configuration as defined in the policy on the cluster. For eg: new entries on the policy are added to the existing object + this would also mean that removing older entries in the policy would result in these entries being removed from the object. In short, `mustonlyhave` set defined changed object to exact state, like delete and create it again. So data will be the same as in YAML.
      • "Compliance setting = must-have" means RHACM will have a merging behavior. For eg. new entries on the policy are added to the existing object, but if there are entries removed from the policy these are not removed from the service. Must-have works like logical OR - it appends defined data to an existing object, so if you change list in key A, it will append new values:

      If the object is:

      objectDefinition:
   apiVersion: v1
   kind: Service
   metadata:
     name: <name>
     namespace: <namespace>
   spec:
     a: 
       - valueA
       - valueB
     b: {...}
     c: {...}

      Then with must-have :

      complianceType: must-have
      objectDefinition:
        apiVersion: v1
        kind: Service
        metadata:
          name: <name>
          namespace: <namespace>
        spec:
          a:
            - value-XYZ

      will result in:

      objectDefinition:
   apiVersion: v1
   kind: Service
   metadata:
     name: <name>
     namespace: <namespace>
   spec:
     a: 
       - valueA
       - valueB
       - value-XYZ
     b: {...}
     c: {...}

      but mustonlyhave will result in:

      objectDefinition:
   apiVersion: v1
   kind: Service
   metadata:
     name: <name>
     namespace: <namespace>
   spec:
     a: 
       - value-XYZ

      So, the customer wants the flexibility to leave the key `b` an `c` untouched and change only `a` as with policy "mustonlyhave" so that the final result looks similar as below:

      objectDefinition:
   apiVersion: v1
   kind: Service
   metadata:
     name: <name>
     namespace: <namespace>
   spec:
     a: 
       - value-XYZ
     b: {...}
     c: {...}

      WHY RFE IS NEEDED?

      At the moment, "mustonlyhave" set defined changed object to exact state, removing all the entries and including only those entries that were defined. Customer wants to have the flexibility to leave the untouched values and add/remove only those entries that were altered while using the policy "mustonlyhave".

            rhn-support-cstark Christian Stark
            rhn-support-mmarkand Mridul Markandey
            Matthew Prahl Matthew Prahl
            Gus Parvin Gus Parvin
            Sho Weimer Sho Weimer
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: