Red Hat Advanced Cluster Management
ACM-15053

Design hub templating support for standalone policy deployment pattern


    • Type: Task
    • Resolution: Done
    • Priority: Undefined
    • Component: GRC
    • Sprint: GRC Sprint 2024-22

See ACM-15019 for more details.

mprahl's top of mind:

I think the most straightforward way is to have the managed cluster controllers resolve the hub templates leveraging the existing hub service account per cluster (e.g. `system:open-cluster-management:cluster:local-cluster:addon:config-policy-controller`). The ACM admin would be responsible for providing permissions to the service accounts on the hub.

The downside to this approach is that when the managed cluster disconnects from the hub, it wouldn't be able to resolve hub templates. That being said, the templating library's cache should handle this well as long as the controller does not restart. In this situation, we want to make sure the logs aren't noisy due to failed reconnects and that there's some kind of backoff preventing the RetryWatcher from taking up all the CPU.

An alternative is to have a controller in the governance-policy-framework resolve the hub templates and create resolved copies of the policies on the managed cluster. showeimer will confirm whether it's a requirement to continue evaluating a policy when the managed cluster is disconnected from the hub and the config-policy-controller pod restarts (i.e. cache is wiped).
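The first approach above puts the permission grant on the hub in the ACM admin's hands. The manifest below is an added illustration (not from the issue or the ACM code base) of what a least-privilege grant for the per-cluster identity named above could look like: a namespaced, read-only Role bound to that identity. The namespace `policies`, the object names, and the choice to bind the identity as a `User` subject (how a certificate-authenticated client is matched in RBAC) are assumptions.

```yaml
# Added example: hub-side RBAC so the config-policy-controller on one managed
# cluster can resolve hub templates. Namespace "policies", the Role/RoleBinding
# names, and the resource list are assumptions, not values from the issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hub-template-reader            # assumed name
  namespace: policies                  # assumed: namespace holding the referenced objects
rules:
  # Read-only, and only the kinds the templates actually look up. "watch" is
  # what keeps the templating cache (and its RetryWatcher) fed between reconciles.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Add "secrets" here only for the namespace that really needs it; a ClusterRole
  # or a wildcard resource list would let every managed cluster read everything.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: hub-template-reader-local-cluster   # assumed name; one binding per cluster
  namespace: policies
subjects:
  # The per-cluster hub identity from the issue. It is issued to the addon agent
  # as a client certificate, so RBAC matches it as a User rather than a
  # ServiceAccount object (assumption about how the addon authenticates).
  - kind: User
    name: system:open-cluster-management:cluster:local-cluster:addon:config-policy-controller
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: hub-template-reader
  apiGroup: rbac.authorization.k8s.io
```

Because the binding is per cluster and per namespace, revoking one managed cluster's access is a single RoleBinding deletion, and an audit of who can read a templated object stays tractable.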

mprahl Matthew Prahl
Derek Ho