Red Hat Advanced Cluster Management
ACM-26420

RBAC UI - policy-virt-oauth error checking IDP configuration across virtualization clusters


      Description of problem:

      The policy policy-virt-oauth in the open-cluster-management-global-set namespace is designed to validate that all virtualization clusters using fine-grained RBAC have the same Identity Provider (IDP) configured. This policy is part of the installer files and is intended to ensure consistency across all VM clusters.

      The policy operates in inform mode and targets clusters with the environment=virtualization label (including the hub cluster). However, the policy is currently reporting an error and not functioning as expected.

      Policy Purpose:

      • Validate that the same authentication/IDP is configured across all virtualization clusters
      • Part of the fine-grained RBAC requirements for ACM virtualization deployments
      • Deployed via installer files to open-cluster-management-global-set namespace
      • Checks all clusters labeled with environment=virtualization

      Current Behavior:

The policy policy-virt-oauth is showing NonCompliant status with errors. The policy uses hub templates to look up the OAuth configuration from the hub cluster and compare it against each managed cluster, but the template logic or validation appears to have issues.

      Expected Behavior:

      The policy should successfully:
      1. Query OAuth configuration from all clusters with environment=virtualization label
      2. Compare IDP configurations across these clusters
      3. Report compliant/non-compliant status accurately without errors
      4. Provide clear violation messages when IDPs don't match

      Policy Details:

      • Name: policy-virt-oauth
      • Namespace: open-cluster-management-global-set
      • Remediation Action: inform
      • Placement: Targets clusters with environment=virtualization label
      • Current Status: NonCompliant on local-cluster

The policy template uses hub template functions to look up OAuth objects and validate their identityProviders configuration, but the object-templates-raw section may have template rendering or validation issues.
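The following is an added illustration, not the policy-virt-oauth template (which is not reproduced in this issue) and not ACM code: it carries out, in plain Python, the comparison the policy is expected to perform per the Expected Behavior steps above, over constructed OAuth/cluster objects. The cluster names (virt-a, virt-b, virt-c), the LDAP URLs and the Secret name are invented. In the real policy this logic is expressed with Go template functions inside object-templates-raw; spelling it out shows what an accurate compliant/non-compliant decision and a clear violation message look like, including the two edge cases a reviewer would want covered (a cluster with no IDP at all, and a cluster whose IDP differs only in one field).

```python
"""Compare OAuth identityProviders across clusters and report violations.

Added illustration with constructed input; not the policy's own template.
"""
import copy
from typing import Any

# Constructed sample: the spec of the cluster-scoped OAuth/cluster object as it
# might appear on each cluster labelled environment=virtualization. Cluster
# names, LDAP URLs and the Secret name are invented for this example.
_LDAP_IDP = {
    "name": "corp-ldap",
    "type": "LDAP",
    "mappingMethod": "claim",
    "ldap": {
        "url": "ldaps://ldap.example.internal/ou=users,dc=example,dc=internal?uid",
        "bindDN": "cn=acm-bind,dc=example,dc=internal",
        "bindPassword": {"name": "ldap-bind-password"},
        "attributes": {"id": ["dn"], "preferredUsername": ["uid"]},
    },
}

SAMPLE_OAUTH: dict[str, dict[str, Any]] = {
    "local-cluster": {"spec": {"identityProviders": [copy.deepcopy(_LDAP_IDP)]}},
    "virt-a": {"spec": {"identityProviders": [copy.deepcopy(_LDAP_IDP)]}},
    "virt-b": {"spec": {"identityProviders": [copy.deepcopy(_LDAP_IDP)]}},
    "virt-c": {"spec": {}},  # OAuth object exists but no IDP is configured
}
# Drift on virt-b: it was pointed at a different directory server.
SAMPLE_OAUTH["virt-b"]["spec"]["identityProviders"][0]["ldap"]["url"] = (
    "ldap://legacy-ldap.example.internal/ou=people,dc=example,dc=internal?uid"
)


def canonical_idps(oauth: dict[str, Any]) -> list[dict[str, Any]]:
    """identityProviders sorted by name, so list order alone is not a violation."""
    idps = (oauth.get("spec") or {}).get("identityProviders") or []
    return sorted(idps, key=lambda p: p.get("name", ""))


def diff_paths(ref: Any, other: Any, path: str = "") -> list[str]:
    """Dotted paths at which `other` deviates from `ref`."""
    if isinstance(ref, dict) and isinstance(other, dict):
        out: list[str] = []
        for key in sorted(set(ref) | set(other)):
            child = f"{path}.{key}" if path else key
            out.extend(diff_paths(ref.get(key), other.get(key), child))
        return out
    if isinstance(ref, list) and isinstance(other, list):
        if len(ref) != len(other):
            return [f"{path} (length {len(ref)} vs {len(other)})"]
        out = []
        for i, (r, o) in enumerate(zip(ref, other)):
            out.extend(diff_paths(r, o, f"{path}[{i}]"))
        return out
    return [] if ref == other else [path or "<root>"]


def check_idp_consistency(
    oauths: dict[str, dict[str, Any]], reference: str = "local-cluster"
) -> tuple[bool, list[str]]:
    """Return (compliant, violation messages) comparing every cluster to `reference`."""
    ref_idps = canonical_idps(oauths[reference])
    violations: list[str] = []
    if not ref_idps:
        violations.append(f"{reference}: reference cluster has no identityProviders configured")
    for cluster in sorted(oauths):
        if cluster == reference:
            continue
        idps = canonical_idps(oauths[cluster])
        if not idps:
            violations.append(f"{cluster}: no identityProviders configured")
        elif idps != ref_idps:
            where = ", ".join(diff_paths(ref_idps, idps, "identityProviders"))
            violations.append(f"{cluster}: identityProviders differ from {reference} at {where}")
    return (not violations, violations)


if __name__ == "__main__":
    ok, msgs = check_idp_consistency(SAMPLE_OAUTH)
    print("Compliant" if ok else "NonCompliant")
    for m in msgs:
        print("  " + m)
```

Two design points worth carrying into the template version: an empty identityProviders list is reported as its own violation rather than silently "matching" another empty cluster, and the comparison is done on the canonical list, not on the raw object, so that only real configuration drift (here the `ldap.url` on virt-b) produces a message. Note also that fields such as `bindPassword.name` are only references to Secrets in openshift-config; identical names across clusters do not prove the underlying credentials are identical, so an IDP-consistency check of this kind validates configuration, not the secret material behind it.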

      Additional Info:

This affects the ability to verify that authentication is consistent across virtualization clusters, which is a requirement for fine-grained RBAC in CNV deployments.

Unassigned
Kurtis Wang (kurwang@redhat.com)
Atif Shafi
ACM QE Team