Bug
Resolution: Done
Major
ACM 2.11.0
2
False
False
GRC Sprint 2025-14, GRC Sprint 2025-15, GRC Sprint 2025-16
Moderate
None
Description of problem:
A policy that checks whether Pods carry a specific SCC annotation marks the objects as compliant, reporting that they were found as specified, even when the annotation on the Pod does not match the value given in the policy. The logs indicate "A mismatch was detected but a dry run update didn't make any changes. Assuming the object is compliant." That dry-run logic appears to be interfering here, and it could potentially cause the same false-compliant result for other fields or object kinds.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
- Find a Pod on the target cluster
- Create a policy specifying that this pod should have a bogus SCC annotation, like "openshift.io/scc: thisisnotreal"
- Observe the policy status
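A ConfigurationPolicy that encodes steps 1 and 2 above, added here as an example and not taken from the original report; the pod name and namespace are placeholders to be replaced with a Pod that exists on the target cluster, and `remediationAction: inform` is used so the controller only reports and never attempts to change the Pod.

```yaml
# Added example (not from the report): reproduction policy for the SCC-annotation mismatch.
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: scc-annotation-mismatch-check
spec:
  # inform only: the controller must not try to patch the Pod
  remediationAction: inform
  severity: low
  object-templates:
    - complianceType: musthave
      objectDefinition:
        apiVersion: v1
        kind: Pod
        metadata:
          name: REPLACE_WITH_POD_NAME         # placeholder
          namespace: REPLACE_WITH_NAMESPACE   # placeholder
          annotations:
            # deliberately bogus value; no real Pod should carry this annotation value
            openshift.io/scc: thisisnotreal
```

Expected status is NonCompliant with a message that the Pod was found but does not match; the bug described above instead yields Compliant together with the "dry run update didn't make any changes" log line.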
Actual results:
Policy is compliant, config-policy-controller log includes "A mismatch was detected but a dry run update didn't make any changes. Assuming the object is compliant."
Expected results:
The policy should be noncompliant, because the pod does not match what is specified in the policy