Type: Bug
Resolution: Unresolved
Priority: Major
Quality / Stability / Reliability
Sprint: GRC Sprint 2025-20, GRC Sprint 2025-19
Description of problem:
While attempting to reproduce an issue observed while creating/deleting namespaces on a Rosa HCP that creates an impactful workload on the ACM Hub cluster (Service Cluster for Rosa HCP), I found that initially the configurationpolicies would not enforce on new namespaces until after the first evaluationInterval, which was set to 2 hours for compliant policies.
Example configurationpolicy:
```yaml
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  creationTimestamp: "2025-09-23T15:50:39Z"
  # ...
spec:
  evaluationInterval:
    compliant: 2h
    noncompliant: 45s
  namespaceSelector:
    exclude:
    - kube
    - kube-*
    - openshift
    - openshift-*
    - default
    - redhat-*
    include:
    - '*'
  object-templates:
  - complianceType: mustonlyhave
    metadataComplianceType: musthave
    objectDefinition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: dedicated-admin-serviceaccounts-0
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: dedicated-admins-project
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: system:serviceaccounts:dedicated-admin
    recreateOption: None
  pruneObjectBehavior: DeleteIfCreated
  remediationAction: enforce
  severity: low
```
The policy is supposed to ensure that any namespaces created have a rolebinding named dedicated-admin-serviceaccounts-0; however, it seems that with a brand new HCP this policy will not enforce on a new namespace that should be selected via the namespaceSelector.include filter and is not excluded.
Example:
```
# echo -n "$(date -u +%Y%m%d-%H:%M:%S) :: "; oc --kubeconfig p4-alex1-0001/kubeconfig create ns ak-test
20250923-19:22:01 :: namespace/ak-test created
# echo -n "$(date -u +%Y%m%d-%H:%M:%S) :: "; oc --kubeconfig kubeconfig_hs-mc-s738n5dt0 get configurationpolicies -n klusterlet-2lg72i8827hvvhdbrhic70hqjfrd9jmr rbac-permissions-operator-config-sp2 -o json | jq '"compliant: \(.status.compliant), lastEvaluated: \(.status.lastEvaluated)" '
20250923-19:22:06 :: "compliant: Compliant, lastEvaluated: 2025-09-23T18:39:53Z"
# echo "$(date -u +%Y%m%d-%H:%M:%S) :: "; oc --kubeconfig p4-alex1-0001/kubeconfig get rolebinding -n ak-test
20250923-19:23:04 ::
NAME                    ROLE                               AGE
system:deployers        ClusterRole/system:deployer        63s
system:image-builders   ClusterRole/system:image-builder   63s
system:image-pullers    ClusterRole/system:image-puller    63s
```
We can see no rolebinding is created. If I leave the cluster and namespace up until the last evaluation interval triggers a run, it will create the rolebinding. Afterwards, if I create a namespace, it will occur almost instantly. This makes me believe that the namespace selector watcher is not being properly set up until after the first evaluation interval. I can further "reset" this by deleting the config-policy-controller pod such that it has reset.
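As an added check (not part of this report or of the config-policy-controller code), the following replays the policy's namespaceSelector against sample namespace names and computes how long a newly created namespace waits when enforcement only happens at the next scheduled evaluation, using the timestamps from the session above. It assumes the include/exclude patterns behave as shell-style globs (fnmatchcase standing in for Go's filepath.Match) and that the next evaluation is lastEvaluated plus the interval for the current compliance state.

```python
"""Replay the report's namespaceSelector and estimate the enforcement gap for a
namespace created between two scheduled evaluations."""
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Selector and intervals copied from the ConfigurationPolicy in the report.
NAMESPACE_SELECTOR = {
    "include": ["*"],
    "exclude": ["kube", "kube-*", "openshift", "openshift-*", "default", "redhat-*"],
}
EVALUATION_INTERVAL = {"compliant": "2h", "noncompliant": "45s"}


def namespace_selected(name, selector=NAMESPACE_SELECTOR):
    """Assumption: a namespace is selected when any include glob matches its full
    name and no exclude glob does (fnmatchcase approximates filepath.Match)."""
    included = any(fnmatchcase(name, p) for p in selector.get("include", []))
    excluded = any(fnmatchcase(name, p) for p in selector.get("exclude", []))
    return included and not excluded


_DURATION = re.compile(r"(\d+)(h|m|s)")


def parse_go_duration(text):
    """Parse Go-style durations such as '2h', '45s' or '1h30m' into a timedelta."""
    units = {"h": "hours", "m": "minutes", "s": "seconds"}
    parts = _DURATION.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum((timedelta(**{units[u]: int(n)}) for n, u in parts), timedelta())


def wait_until_next_evaluation(last_evaluated, compliance, created_at,
                               interval=EVALUATION_INTERVAL):
    """Seconds a namespace created at created_at waits for the next scheduled run
    of a policy last evaluated at last_evaluated (both RFC 3339 'Z' timestamps)."""
    last = datetime.fromisoformat(last_evaluated.replace("Z", "+00:00"))
    created = datetime.fromisoformat(created_at.replace("Z", "+00:00"))
    next_eval = last + parse_go_duration(interval[compliance.lower()])
    return max(0, int((next_eval - created).total_seconds()))


if __name__ == "__main__":
    for ns in ["ak-test", "kube-system", "openshift-monitoring", "default", "redhat-ops"]:
        print(f"{ns:22} selected={namespace_selected(ns)}")
    # Report values: policy last evaluated 18:39:53Z, namespace ak-test created 19:22:01Z.
    gap = wait_until_next_evaluation("2025-09-23T18:39:53Z", "Compliant", "2025-09-23T19:22:01Z")
    print(f"ak-test would wait {gap} seconds for the next compliant-interval evaluation")
```

For the report's timestamps the gap is 4672 seconds (about 78 minutes), which matches the reporter's observation that the rolebinding only appears once the 2h interval elapses.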
Version-Release number of selected component (if applicable):
```
# Hosted Control Plane (HCP) cluster
# oc --kubeconfig p4-alex1-0001/kubeconfig get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.12   True        False         3h27m   Cluster version is 4.19.12
# Service Cluster (Hub cluster)
# oc --kubeconfig kubeconfig_hs-sc-3bnmigvmg get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.6    True        False         56d     Cluster version is 4.19.6
# Management cluster
# oc --kubeconfig kubeconfig_hs-mc-s738n5dt0 get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.4    True        False         15d     Cluster version is 4.19.4
# oc --kubeconfig kubeconfig_hs-sc-3bnmigvmg get mch -A
NAMESPACE          NAME              STATUS    AGE    CURRENTVERSION   DESIREDVERSION
multicluster-hub   multiclusterhub   Running   216d   2.13.4           2.13.4
```
Attached are logs from the controller from start until it finally reconciles the policy in question.
How reproducible:
Reproduces when I delete the controller pod, then the policy will not enforce on new namespaces until the interval is completed again.
Steps to Reproduce:
- ...