- Bug
- Resolution: Unresolved
- Normal
- ACM 2.14.0
- None
- Quality / Stability / Reliability
- 2
- GRC Sprint 2025-21
- None
Description of problem:
Every 10s, a change is detected for an already compliant policy.
Version-Release number of selected component (if applicable):
ACM 2.14.0, MCE 2.9.0 on OCP 4.18.23
Spoke 4.18.25
How reproducible:
Customer environment
Steps to Reproduce:
- Implement the policy used by the customer
- ...
Actual results:
The policy is triggered every 10s:
2025-10-27T08:35:16.716973243Z 2025-10-27T08:35:16.716Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3167 Detected value mismatch via handleKeys {"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}
2025-10-27T08:35:26.017950137Z 2025-10-27T08:35:26.017Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3167 Detected value mismatch via handleKeys {"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}
2025-10-27T08:35:39.159257096Z 2025-10-27T08:35:39.159Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3167 Detected value mismatch via handleKeys {"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}
2025-10-27T08:35:49.017500451Z 2025-10-27T08:35:49.017Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3167 Detected value mismatch via handleKeys {"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}
2025-10-27T08:35:59.017031292Z 2025-10-27T08:35:59.016Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3167 Detected value mismatch via handleKeys {"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}
2025-10-27T08:36:21.106841173Z 2025-10-27T08:36:21.106Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3167 Detected value mismatch via handleKeys {"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}
2025-10-27T08:36:31.017126194Z 2025-10-27T08:36:31.017Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3167 Detected value mismatch via handleKeys {"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}
(filtered to only list the detection)
Expanded iteration:
2025-10-27T08:36:31.017126194Z 2025-10-27T08:36:31.017Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3167 Detected value mismatch via handleKeys {"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}
2025-10-27T08:36:31.028941137Z 2025-10-27T08:36:31.028Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3243 A mismatch was detected but a dry run update didn't make any changes. Assuming the object is compliant. {"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}
2025-10-27T08:36:31.028970846Z 2025-10-27T08:36:31.028Z info configuration-policy-controller controllers/configurationpolicy_controller.go:1083 Sending an update policy status event for the object template {"policy": "clusterlogforwarder-observability", "policy": "clusterlogforwarder-observability", "index": 4}
2025-10-27T08:36:31.028970846Z 2025-10-27T08:36:31.028Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3638 Sending parent policy compliance event
2025-10-27T08:36:31.041721500Z 2025-10-27T08:36:31.041Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3708 Policy status message {"policy": "clusterlogforwarder-observability", "status": "NonCompliant: clusterrolebindings [collect-application-logs] found as specified; clusterrolebindings [collect-infrastructure-logs] found as specified; clusterrolebindings [collect-audit-logs] found as specified; serviceaccounts [logcollector] found as specified in namespace openshift-logging; clusterlogforwarders [collector-instance] found but not as specified in namespace openshift-logging"}
2025-10-27T08:36:31.041903656Z 2025-10-27T08:36:31.041Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3638 Sending parent policy compliance event
2025-10-27T08:36:31.054003387Z 2025-10-27T08:36:31.053Z info configuration-policy-controller controllers/configurationpolicy_controller.go:3708 Policy status message {"policy": "clusterlogforwarder-observability", "status": "Compliant: clusterrolebindings [collect-application-logs] found as specified; clusterrolebindings [collect-infrastructure-logs] found as specified; clusterrolebindings [collect-audit-logs] found as specified; serviceaccounts [logcollector] found as specified in namespace openshift-logging; clusterlogforwarders [collector-instance] found as specified in namespace openshift-logging"}
The policy does not have any spec.evaluationInterval set and uses the default.
Expected results:
This shouldn't be triggered every 10s.
Additional info:
Discussed internally and determined to be a bug with the controller, with a possible workaround of removing `annotations: {}` from the policy.
- is cloned by
- ACM-25742 [2.14] controller issue cause re-evaluation every 10 seconds
- In Progress
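A way to confirm this pattern in a controller log, as an added example that is not part of the original report or the controller's code: the script pairs each "Detected value mismatch via handleKeys" line with the following "dry run update didn't make any changes" line for the same object and reports the spacing between such no-op cycles. The function name `find_noop_loops` and the `min_cycles` threshold are hypothetical; the sample uses the mismatch timestamps quoted above, with the dry-run line after each one constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

MISMATCH = "Detected value mismatch via handleKeys"
NOOP = "A mismatch was detected but a dry run update didn't make any changes"
# Controller line: <ts>Z info <logger> <file:line> <message> <json fields>.
# search() skips the extra leading timestamp present in the lines quoted above.
LINE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z\s+info\s+\S+\s+\S+:\d+\s+(.+?)\s+(\{.*\})\s*$")

def find_noop_loops(log_text, min_cycles=3):
    """Map (policy, namespace, name) -> seconds between successive
    'mismatch, then dry run changed nothing' cycles for that object."""
    pending = {}                # object -> time of a mismatch not yet explained
    cycles = defaultdict(list)  # object -> start times of completed no-op cycles
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue            # lines without JSON fields carry no object identity
        ts = datetime.strptime(m.group(1)[:26], "%Y-%m-%dT%H:%M:%S.%f")
        fields = json.loads(m.group(3))
        key = (fields.get("policy"), fields.get("namespace"), fields.get("name"))
        if m.group(2).startswith(MISMATCH):
            pending[key] = ts
        elif m.group(2).startswith(NOOP) and key in pending:
            cycles[key].append(pending.pop(key))
    return {key: [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]
            for key, times in cycles.items() if len(times) >= min_cycles}

# Constructed sample: mismatch times are the ones quoted in this report; the
# no-op dry-run line after each one is constructed (the report expands it once).
OBJ = '{"policy": "clusterlogforwarder-observability", "name": "collector-instance", "namespace": "openshift-logging", "resource": "clusterlogforwarders"}'
STAMPS = ["08:35:16.716", "08:35:26.017", "08:35:39.159", "08:35:49.017",
          "08:35:59.016", "08:36:21.106", "08:36:31.017"]
PREFIX = "info configuration-policy-controller controllers/configurationpolicy_controller.go"
SAMPLE = "\n".join(
    f"2025-10-27T{stamp}Z {PREFIX}:{lineno} {msg} {OBJ}"
    for stamp in STAMPS
    for lineno, msg in ((3167, MISMATCH), (3243, NOOP + ". Assuming the object is compliant."))
)

if __name__ == "__main__":
    for obj, gaps in find_noop_loops(SAMPLE).items():
        print(obj, "no-op cycle gaps (s):", gaps)
```

An object that keeps appearing in the result with gaps of about ten seconds is being re-evaluated without any real drift, which is the behaviour reported here.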