Feature Overview
Extend the ACM PolicyGenerator fields to support generating a second Placement with a specified labelSelector, together with a PlacementBinding that has bindingOverrides.remediationAction set to enforce and subFilter set to restricted.
With this additional binding, the remediationAction of the child policies for the selected clusters is set to enforce, leveraging the Selective Policy Enforcement feature.
Goals
1. Provide fields that enable generation of a second Placement and PlacementBinding with the enforce remediationAction, allowing the user to control when a policy is enforced and on which subset of clusters.
2. The default behavior remains unchanged (one Placement and PlacementBinding) if related fields are not specified.
3. Allow users to define labelSelectors for the new Placement.
Requirements
(Optional) Use Cases
For SNO provisioning and upgrade solutions in ORAN, where TALM is not involved in policy enforcement, we need to leverage selective policy enforcement using a second Placement/PlacementBinding.
This enables seamless policy enforcement during provisioning and upgrades at the right time, ensuring policies are not enforced prematurely but automatically switch to enforce when the cluster meets the required conditions.
Example Scenario: Upgrading a SNO Cluster from 4.16 to 4.17
Initial State (Before upgrade)
- A 4.16 SNO is provisioned and configured with the oran-o2ims operator
- 4.16 policies remain bound and enforced
- ACM PG is used to create 4.17 policies in inform mode with a default Placement and PlacementBinding, which match the target OCP version (e.g., cluster-version: 4.17)
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-v1-catalog-policy
  namespace: ztp-sno-ran-du-v4-17-3
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions:
        - key: cluster-version
          operator: In
          values:
          - 4.17.3
  tolerations:
  - key: cluster.open-cluster-management.io/unavailable
    operator: Exists
  - key: cluster.open-cluster-management.io/unreachable
    operator: Exists
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-v1-catalog-policy
  namespace: ztp-sno-ran-du-v4-17-3
placementRef:
  apiGroup: cluster.open-cluster-management.io
  kind: Placement
  name: placement-v1-catalog-policy
subjects:
- apiGroup: policy.open-cluster-management.io
  kind: Policy
  name: v1-catalog-policy
- The same ACM PG is used to create a second Placement with a labelSelector matching the running OCP version (e.g., openshiftVersion: 4.17) and a PlacementBinding with the enforce remediationAction override.
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-v1-catalog-policy-override
  namespace: ztp-sno-ran-du-v4-17-3
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions:
        - key: openshiftVersion
          operator: In
          values:
          - 4.17.3
  tolerations:
  - key: cluster.open-cluster-management.io/unavailable
    operator: Exists
  - key: cluster.open-cluster-management.io/unreachable
    operator: Exists
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-v1-catalog-policy-override
  namespace: ztp-sno-ran-du-v4-17-3
placementRef:
  apiGroup: cluster.open-cluster-management.io
  kind: Placement
  name: placement-v1-catalog-policy-override
subjects:
- apiGroup: policy.open-cluster-management.io
  kind: Policy
  name: v1-catalog-policy
subFilter: restricted
bindingOverrides:
  remediationAction: enforce
Trigger Upgrade with oran-o2ims operator
- SNO upgrade is triggered -> 4.16 policies are unbound
- 4.17 policies (inform) get bound to the spoke but remain in inform mode
After SNO is successfully upgraded to 4.17 (openshiftVersion label updates to 4.17)
- The child policies switch to enforce mode automatically
- The 4.17 policies remain enforced, ensuring compliance
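As an added example that is not part of this design (and not PolicyGenerator code), the following Python simulation shows how the two bindings in the scenario above resolve for one SNO across the upgrade. The cluster label values are constructed, and the subFilter: restricted semantics used here (an override binding only affects clusters already bound by a binding without subFilter, and never binds new ones) is assumed from ACM's Selective Policy Enforcement behaviour.

```python
# Added example (not from the design page): simulate how the two bindings above
# resolve for one cluster. Label values are constructed; the subFilter: restricted
# semantics (override only clusters already bound by a plain binding) is assumed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Placement:
    name: str
    match_expressions: list  # shaped like the matchExpressions entries in the YAML above

    def selects(self, labels: dict) -> bool:
        """True when every matchExpression holds for the given cluster labels."""
        for expr in self.match_expressions:
            if expr["operator"] != "In":  # only the operator used on this page
                raise ValueError(f"unsupported operator {expr['operator']}")
            if labels.get(expr["key"]) not in expr["values"]:
                return False
        return True

@dataclass
class PlacementBinding:
    placement: Placement
    sub_filter: Optional[str] = None            # None or "restricted"
    remediation_override: Optional[str] = None  # bindingOverrides.remediationAction

# The two bindings from the upgrade scenario (names as in the YAML above).
BASE = PlacementBinding(
    Placement("placement-v1-catalog-policy",
              [{"key": "cluster-version", "operator": "In", "values": ["4.17.3"]}]))
OVERRIDE = PlacementBinding(
    Placement("placement-v1-catalog-policy-override",
              [{"key": "openshiftVersion", "operator": "In", "values": ["4.17.3"]}]),
    sub_filter="restricted", remediation_override="enforce")

def resolve(labels: dict, bindings: list, policy_default: str = "inform") -> Optional[str]:
    """Effective remediationAction for one cluster, or None if the policy is not bound."""
    # Only bindings without subFilter can bind a cluster to the policy at all.
    if not any(b.sub_filter is None and b.placement.selects(labels) for b in bindings):
        return None
    action = policy_default
    # A restricted binding never adds clusters; it only overrides already-bound ones.
    for b in bindings:
        if b.sub_filter == "restricted" and b.placement.selects(labels) and b.remediation_override:
            action = b.remediation_override
    return action

def v1_catalog_policy_action(labels: dict) -> Optional[str]:
    return resolve(labels, [BASE, OVERRIDE])
```

Before the upgrade the SNO carries the target cluster-version label but the old openshiftVersion, so the policy is bound in inform; once openshiftVersion catches up, the restricted binding switches it to enforce without any change to the policy itself.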
Questions to answer
- ...
Out of Scope
- …
Background, and strategic fit