Red Hat Advanced Cluster Management / ACM-16781

OperatorPolicy may report a confusing status when invalid

    • Bug
    • Resolution: Unresolved
    • Normal
    • ACM 2.12.2
    • GRC
    • GRC Sprint 2025-23
    • Moderate

      Description of problem:

      When the subscription section of the OperatorPolicy is invalid, the status might incorrectly indicate that other parts of the policy are invalid. This, combined with the many "... because the policy is invalid" clauses in the overall status, makes it very confusing to read and understand what parts might need to be fixed by the user.

      Version-Release number of selected component (if applicable): 

      How reproducible:

      100%

      Steps to Reproduce:

      1. Create an OperatorPolicy, specifying a non-default namespace for the subscription and operatorgroup. Also (incorrectly) specify installPlanApproval for the subscription.
      2. Observe the status.

      Actual results:

      The status message will be like "NonCompliant; installPlanApproval is prohibited in spec.subscription, the namespace specified in spec.operatorGroup ('example') must match the namespace used for the subscription ('openshift-operators'), the status of the OperatorGroup could not be determined because the policy is invalid, the status of the Subscription could not be determined because the policy is invalid, the status of the InstallPlan could not be determined because the policy is invalid, a relevant installed ClusterServiceVersion could not be found, no CRDs were found for the operator, there are no relevant deployments because the ClusterServiceVersion is missing, the status of the CatalogSource could not be determined because the policy is invalid"

      Expected results:

      The important bit is just "installPlanApproval is prohibited in spec.subscription". The rest is basically noise.

      This part is actually incorrect: "the namespace specified in spec.operatorGroup ('example') must match the namespace used for the subscription ('openshift-operators'),".

      Additional info:

      The incorrect part is because the controller is using the controller-default namespace for the subscription in this situation only when looking at the operator group namespace. Basically, it's using an "empty" subscription because it was invalid, and reporting something inaccurate as a result.
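
The root cause described above, modelled as an added Go example (this is not the controller's actual code): the types, `buildSub`, `Validate` and the `skipDependent` switch are hypothetical, and the sample spec values are constructed. It shows how checking the operator group against an emptied subscription produces the inaccurate namespace message, and one possible way to report only the real error.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for spec.subscription and spec.operatorGroup.
type Subscription struct {
	Namespace           string
	InstallPlanApproval string // prohibited in spec.subscription
}

type OperatorGroup struct{ Namespace string }

const defaultNS = "openshift-operators" // controller-default namespace from the report

// buildSub returns an empty Subscription and an error when the spec is invalid.
func buildSub(spec Subscription) (Subscription, error) {
	if spec.InstallPlanApproval != "" {
		return Subscription{}, fmt.Errorf("installPlanApproval is prohibited in spec.subscription")
	}
	return spec, nil
}

// Validate collects validation messages. With skipDependent=false it models the
// reported behaviour: the namespace check runs against the emptied subscription.
func Validate(spec Subscription, og OperatorGroup, skipDependent bool) []string {
	var msgs []string
	sub, err := buildSub(spec)
	if err != nil {
		msgs = append(msgs, err.Error())
		if skipDependent {
			return msgs // checks that read the subscription would be unreliable
		}
	}
	ns := sub.Namespace
	if ns == "" {
		ns = defaultNS // an emptied subscription silently falls back to the default
	}
	if og.Namespace != ns {
		msgs = append(msgs, fmt.Sprintf("the namespace specified in spec.operatorGroup ('%s') must match the namespace used for the subscription ('%s')", og.Namespace, ns))
	}
	return msgs
}

func main() {
	// Constructed sample: both namespaces are 'example', plus the prohibited field.
	spec := Subscription{Namespace: "example", InstallPlanApproval: "Manual"}
	og := OperatorGroup{Namespace: "example"}
	fmt.Println(Validate(spec, og, false)) // two messages, the second inaccurate
	fmt.Println(Validate(spec, og, true))  // only the installPlanApproval message
}
```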

              yikim@redhat.com Yi Rae Kim
              jkulikau@redhat.com Justin Kulikauskas
              Derek Ho