  1. Red Hat Advanced Cluster Management
  2. ACM-12270

The compliance type mustonlyhave on config-policy-controller creates numerous secrets


    • GRC Sprint 2024-13
    • Critical

      Improvement To Be Made By Engineering Team:

      • Ignore the "imagePullSecrets" and "secrets" fields on ServiceAccount objects since they are essentially status and automatically managed by Kubernetes.

        Description of problem:

      The compliance type mustonlyhave on config-policy-controller creates numerous secrets. This has been implemented in ACM-11045.

      The creation of tens of thousands of secrets is causing etcd to slow down and crash on multiple clusters. This started after the automated update of the ACM Operator to version 2.9.4.

      Version-Release number of selected component (if applicable):

      ACM 2.9.4

      How reproducible:

      Always

      Steps to Reproduce:

      1. Have a policy with kind ServiceAccount and complianceType: mustonlyhave.
      2. Run this in a cluster with ACM; the SA tokens keep generating.

      Actual results:

      The secrets are continuously being created. 

      Expected results:

      Only one secret should be created.

      Additional info:

      Workaround is to change the policy compliance type to:

      complianceType: musthave

      and reapply; they stop generating.
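
A simplified model of the improvement listed above (ignoring `secrets` and `imagePullSecrets` when a ServiceAccount is compared against its policy), added here as an illustration; it is not config-policy-controller code. It assumes `mustonlyhave` behaves as an exact-match comparison, and the function names and the sample ServiceAccount are hypothetical.

```go
package main

import (
	"fmt"
	"reflect"
)

// ServiceAccount fields the issue names as automatically managed by Kubernetes.
var kubeManagedSAFields = []string{"secrets", "imagePullSecrets"}

// stripManaged returns a shallow copy of obj, minus the managed fields if it is a ServiceAccount.
func stripManaged(obj map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(obj))
	for k, v := range obj {
		out[k] = v
	}
	if obj["kind"] == "ServiceAccount" {
		for _, f := range kubeManagedSAFields {
			delete(out, f)
		}
	}
	return out
}

// hasDrift models a mustonlyhave check (assumed here to be an exact match):
// any difference between policy object and live object is reported as drift.
func hasDrift(desired, live map[string]interface{}, ignoreManaged bool) bool {
	if ignoreManaged {
		desired, live = stripManaged(desired), stripManaged(live)
	}
	return !reflect.DeepEqual(desired, live)
}

// sampleSA builds a constructed ServiceAccount; a non-empty tokenSecret is added as a token reference.
func sampleSA(tokenSecret string) map[string]interface{} {
	sa := map[string]interface{}{
		"apiVersion": "v1", "kind": "ServiceAccount",
		"metadata": map[string]interface{}{"name": "demo-sa", "namespace": "demo"},
	}
	if tokenSecret != "" {
		sa["secrets"] = []interface{}{map[string]interface{}{"name": tokenSecret}}
	}
	return sa
}

func main() {
	desired, live := sampleSA(""), sampleSA("demo-sa-token-abcde")
	fmt.Println("exact match reports drift:", hasDrift(desired, live, false))
	fmt.Println("managed fields ignored:   ", hasDrift(desired, live, true))
}
```

In this model a genuine difference, such as a changed `automountServiceAccountToken` value, is still reported as drift when the managed fields are ignored.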

            rh-ee-jeluo Jeffrey Luo (Inactive)
            rhn-support-ngupta Nikhil Gupta
            Derek Ho Derek Ho