Bug
Resolution: Done
Normal
ACM 2.13.0
GRC Sprint 2025-05
Low
Description of problem:
I want to use the policytools dryrun command to validate the ACM stable policies. These policies are all inform by default and many use a namespace selector that simply includes the "default" namespace. When running dryrun in this manner, NonCompliant is shown with the error:
NonCompliant; violation - namespaced object sample-nginx-pod of kind Pod has no namespace specified from the policy namespaceSelector nor the object metadata
Error: policy is NonCompliant
To work around the error, a namespace can be added to the pod manifest – basically bypassing the namespaceSelector.
Version-Release number of selected component (if applicable):
2.13.0-SNAPSHOT-2025-02-24-05-54-38
How reproducible:
Always
Steps to Reproduce:
- Created pod resource in namespace default.
- Used the inform policy https://github.com/open-cluster-management-io/policy-collection/blob/main/stable/CM-Configuration-Management/policy-pod.yaml
- Ran: policytools dryrun -p policies/policy-pod.yaml resources/pod.yaml
- Got NonCompliant message above
Actual results:
$ policytools dryrun -p policies/policy-pod.yaml resources/pod.yaml
- Diffs:
- Compliance messages:
NonCompliant; violation - namespaced object sample-nginx-pod of kind Pod has no namespace specified from the policy namespaceSelector nor the object metadata
Error: policy is NonCompliant
Expected results:
$ policytools dryrun -p policies/policy-pod.yaml resources/pod.yaml
- Diffs:
v1 Pod default/sample-nginx-pod:
- Compliance messages:
Compliant; notification - pods [sample-nginx-pod] found as specified in namespace default
Additional info:
Got Compliant by setting namespace: default for the pod