Red Hat Advanced Cluster Management / ACM-25116

Installer - kubevirt.io ClusterRoles not getting labeled


    • Critical
    • None

      Description of problem:

      The kubevirt.io:admin/edit/view labels are not getting labeled as expected.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Only tried once and it happened right away.

      Steps to Reproduce:

      1. Enable the fine-grained RBAC feature flag
      2. Install the CNV operator
      3. Label the local cluster: oc label managedcluster local-cluster environment=virtualization

      Actual results:

      kubevirt.io:admin/edit/view do not get the label added to them by the policy.

      Expected results:

      kubevirt.io:admin/edit/view get the label added to them by the policy.

      Additional info:

      Issue seems to be that policy.spec.object-templates-raw is getting wiped out. I see this in the repo:

      https://github.com/stolostron/multiclusterhub-operator/blob/8c6c79db844206b392ce7384ffe607fb184c7708/pkg/templates/charts/toggle/fine-grained-rbac/templates/policy-virt-clusterroles-policy.yaml#L23

      However, in the actual cluster it is empty:

      ubuntu@ubuntu2404:~/REPOS/multicluster-role-assignment_mshort$ oc get policy -n open-cluster-management-global-set policy-virt-clusterroles -oyaml
      apiVersion: policy.open-cluster-management.io/v1
      kind: Policy
      metadata:
        annotations:
          installer.open-cluster-management.io/release-version: 2.15.0
          policy.open-cluster-management.io/categories: CM Configuration Management
          policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
          policy.open-cluster-management.io/description: ""
          policy.open-cluster-management.io/standards: NIST SP 800-53
        creationTimestamp: "2025-10-11T01:49:04Z"
        generation: 1
        labels:
          installer.name: multiclusterhub
          installer.namespace: open-cluster-management
          open-cluster-management.io/policy-cnv: virt-rbac
          velero.io/exclude-from-backup: "true"
        name: policy-virt-clusterroles
        namespace: open-cluster-management-global-set
        resourceVersion: "2179648"
        uid: c4ce7f25-cc52-4130-9441-7c8ed1121928
      spec:
        disabled: false
        policy-templates:
        - objectDefinition:
            apiVersion: policy.open-cluster-management.io/v1
            kind: ConfigurationPolicy
            metadata:
              name: policy-virt-clusterroles
            spec:
              object-templates-raw: ""
              remediationAction: enforce
              severity: medium
        remediationAction: enforce
      status:
        compliant: Compliant
        placement:
        - placement: placement-policy-virt-rbac
          placementBinding: binding-policy-virt-rbac
        status:
        - clustername: local-cluster
          clusternamespace: local-cluster
          compliant: Compliant 

              yikim@redhat.com Yi Rae Kim
              rh-ee-mshort Matthew Short
              Atif Shafi Atif Shafi
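
Added example, not part of the original report or of the multiclusterhub-operator code: the Policy in the output above reports Compliant although its ConfigurationPolicy template has an empty object-templates-raw, so the status cannot be used to notice the problem. The script below goes slightly beyond the single policy in the report and scans either one Policy or a List from `oc get policy -A -o json` for templates that define no objects. The function names and the embedded sample are constructed for illustration.

```python
import json
import sys

# Constructed sample: only the fields from the reported Policy that the check reads.
SAMPLE = {
    "kind": "Policy",
    "metadata": {"name": "policy-virt-clusterroles",
                 "namespace": "open-cluster-management-global-set"},
    "spec": {"policy-templates": [{"objectDefinition": {
        "kind": "ConfigurationPolicy",
        "metadata": {"name": "policy-virt-clusterroles"},
        "spec": {"object-templates-raw": "", "remediationAction": "enforce"},
    }}]},
    "status": {"compliant": "Compliant"},
}

def empty_config_templates(policy):
    """Names of ConfigurationPolicy templates that define no objects at all."""
    empty = []
    for tmpl in (policy.get("spec") or {}).get("policy-templates") or []:
        obj = tmpl.get("objectDefinition") or {}
        if obj.get("kind") != "ConfigurationPolicy":
            continue
        spec = obj.get("spec") or {}
        raw = spec.get("object-templates-raw")
        has_raw = isinstance(raw, str) and raw.strip() != ""
        has_list = bool(spec.get("object-templates"))
        if not (has_raw or has_list):
            empty.append((obj.get("metadata") or {}).get("name", "<unnamed>"))
    return empty

def vacuously_compliant(policy):
    """True when a policy reports Compliant while a template checks nothing."""
    status = policy.get("status") or {}
    return status.get("compliant") == "Compliant" and bool(empty_config_templates(policy))

def scan(doc):
    """Accept one Policy or a List (oc get policy -A -o json); return findings."""
    policies = doc.get("items", []) if "items" in doc else [doc]
    return [(p["metadata"].get("namespace", ""), p["metadata"]["name"], t, vacuously_compliant(p))
            for p in policies for t in empty_config_templates(p)]

if __name__ == "__main__":
    # Reads JSON from stdin when piped; falls back to the constructed sample.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for ns, name, tmpl, vac in scan(json.loads(data) if data.strip() else SAMPLE):
        note = " (reported Compliant)" if vac else ""
        print(f"{ns}/{name}: template {tmpl} has no object templates{note}")
```

Pipe `oc get policy -A -o json` into the script to check every policy on the hub.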