Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-18134

GRC policytools dryrun use of mapping file causes error

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • ACM 2.14.0, ACM 2.13.2
    • ACM 2.13.0
    • GRC
    • None
    • Product / Portfolio Work
    • 2
    • False
    • Hide

      None

      Show
      None
    • False
    • GRC Sprint 2025-05, GRC Sprint 2025-06
    • Low
    • None

      Description of problem:

      When I am using policytools to perform a dryrun I would expect generating the mapping file would be mostly harmless for any policy that successfully evaluates when the mapping file isn't provided.  Instead I am getting an error, so it becomes unclear how to properly make use of the mapping file – granted in this simple case I don't need it.

      Version-Release number of selected component (if applicable):

      2.13.0-SNAPSHOT-2025-02-26-09-53-17

      How reproducible:

      I think this should be easy to reproduce.

      Steps to Reproduce:

      1. policytools dryrun generate > mappings/mappings.yaml
      2. policytools dryrun -p policies/policy-limitmemory.yaml resources/limitrange.yaml
      # Diffs:
# Compliance messages:
NonCompliant; violation - namespaced object mem-limit-range of kind LimitRange has no namespace specified from the policy namespaceSelector nor the object metadata

      Error: policy is NonCompliant

      1. policytools dryrun --mappings-file mappings/mappings.yaml -p policies/policy-limitmemory.yaml resources/limitrange.yaml
      Error: the resource version was not found for kind LimitRange: if this is a custom resource, it may need an entry in the mappings file

      Actual results:

      The dryrun worked when I didn't specify a mappings file.  When I did it didn't work.  I didn't manually create the mappings file – I let the CLI generate it so expecting it would be correct.  The following entry exists in the mapping file:

      - Group: ""
  Kind: LimitRange
  Plural: limitranges
  Scope: namespace
  Singular: limitrange
  Version: v1

      Expected results:

      I feel like the 2 dryrun tests should have both worked.  It's not clear why the scenario where a mapping file is provided failed.  The error message indicates an entry is needed, but I think the needed entry is present.

      Additional info:

      Used our stable limitrange sample and this resource:

      apiVersion: v1
kind: LimitRange # limit memory usage
metadata:
  name: mem-limit-range
  namespace: default
spec:
  limits:
  - default:
      memory: 512Mi
    defaultRequest:
      memory: 256Mi
    type: Container

              yikim@redhat.com Yi Rae Kim
              gparvin-redhat Gus Parvin
              Derek Ho Derek Ho
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: