  1. Red Hat Advanced Cluster Management
  2. ACM-2449

Hub template watching stops working after a period of time


    • Bug
    • Resolution: Done
    • Major
    • ACM 2.7.0
    • ACM 2.7.0
    • GRC
    • None
    • 2
    • False
    • False
    • ACM Sprint 24
    • No

      Description of problem:

      I created a policy with a script, replacing INDEX with numerically increasing values so I end up with 10 similar policies.

      Each policy depends on a configmap that initially does not exist.

      Policy:

      apiVersion: policy.open-cluster-management.io/v1
      kind: Policy
      metadata:
        name: policy-config-cm-INDEX
        annotations:
          policy.open-cluster-management.io/standards: NIST 800-53
          policy.open-cluster-management.io/categories: CM Configuration Management
          policy.open-cluster-management.io/controls: CM-2 Baseline
      spec:
        remediationAction: inform
        disabled: false
        policy-templates:
          - objectDefinition:
              apiVersion: policy.open-cluster-management.io/v1
              kind: ConfigurationPolicy
              metadata:
                name: policy-user-ca-bundle-INDEX
              spec:
                remediationAction: inform # will be overridden by remediationAction in parent policy
                severity: low
                namespaceSelector:
                  include: ['default']
                object-templates:
                  - complianceType: musthave
                    objectDefinition:
                      kind: ConfigMap
                      apiVersion: v1
                      metadata:
                        name: user-ca-bundle-INDEX
                        namespace: default
                      data:
                        ca-bundle.crt: |-
                          '{{hub fromConfigMap "" "config-cm-INDEX" "value" hub}}'

      ---
      apiVersion: policy.open-cluster-management.io/v1
      kind: PlacementBinding
      metadata:
        name: binding-policy-config-INDEX
      placementRef:
        name: placement-policy-config-INDEX
        kind: PlacementRule
        apiGroup: apps.open-cluster-management.io
      subjects:
        - name: policy-config-cm-INDEX
          kind: Policy
          apiGroup: policy.open-cluster-management.io
      ---
      apiVersion: apps.open-cluster-management.io/v1
      kind: PlacementRule
      metadata:
        name: placement-policy-config-INDEX
      spec:
        clusterConditions:
        - status: 'True'
          type: ManagedClusterConditionAvailable
        clusterSelector:
          matchExpressions:
            - {key: vendor, operator: In, values: ['OpenShift']}

       

      Create the configmaps later.  My first recreate was about 12 hours after policy creation.  Second recreate was much longer than that.

      Configmap: replace index in a similar way.

      apiVersion: v1
      data:
        value: test
      kind: ConfigMap
      metadata:
        name: config-cm-INDEX

       

      When the problem is happening you will not see the policy become compliant, even though the configmap has been created so the hub template will resolve.  You can force it to wake up by switching to inform/enforce or disable/enable.

        1. recreate.sh
          2 kB
        2. policy-template.yaml
          2 kB
        3. cm-template.yaml
          0.1 kB
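
The two-phase reproduction described above, as an added example. It is not the attached recreate.sh, whose contents do not appear on this page. It assumes the attached policy-template.yaml and cm-template.yaml use the INDEX placeholder as shown in the description; the function names and output directories are hypothetical.

```shell
#!/bin/sh
# Added example: renders the numbered manifests for the reproduction above.
# Function names and directory layout are hypothetical; this is not recreate.sh.

# render_index N: copy stdin to stdout with every INDEX replaced by N.
render_index() {
    case $1 in
        ''|*[!0-9]*) echo "index must be numeric: '$1'" >&2; return 1 ;;
    esac
    sed "s/INDEX/$1/g"
}

# render_all TEMPLATE OUT_DIR PREFIX [COUNT]: write COUNT rendered manifests
# (default 10, as in the report) and print how many were written.
render_all() {
    template=$1; out_dir=$2; prefix=$3; count=${4:-10}
    [ -r "$template" ] || { echo "cannot read $template" >&2; return 1; }
    # Without the placeholder every copy would carry the same object name,
    # so applying them would create one object instead of COUNT.
    grep -q 'INDEX' "$template" || { echo "no INDEX in $template" >&2; return 1; }
    mkdir -p "$out_dir" || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        render_index "$i" < "$template" > "$out_dir/$prefix-$i.yaml" || return 1
        i=$((i + 1))
    done
    echo "$((i - 1))"
}

# Phase 1 renders the policies; phase 2 is run later for the ConfigMaps
# that the hub templates reference.
main() {
    case $1 in
        policies)   render_all policy-template.yaml out/policies policy "${2:-10}" ;;
        configmaps) render_all cm-template.yaml out/configmaps config-cm "${2:-10}" ;;
        *) echo "usage: $0 policies|configmaps [count]" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Apply out/policies on the hub with `oc apply -f`, then apply out/configmaps after the waiting period and check whether the policies become compliant. The ConfigMaps are assumed to go into the same namespace as the policies.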

              mprahl Matthew Prahl
              gparvin-redhat Gus Parvin
              ManiKrishna Sai Ravi ManiKrishna Sai Ravi