Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-3424

[GRC] Resource does not get created with an empty field and the policy check flip-flops alternatively marking the policy as being compliant and non-compliant

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Undefined
    • ACM 2.7.5
    • ACM 2.7.0
    • GRC
    • 3
    • False
    • None
    • False
    • No
    • ?
    • GRC Sprint 2023-04, GRC Sprint 2023-08

    Description

      Description of problem:

      [GRC] Resource does not get created with an empty field and the policy check flip-flops alternatively marking the policy as being compliant and non-compliant

      Version-Release number of selected component (if applicable): ACM 2.7.0

      How reproducible: Always

      Steps to Reproduce:

      1. Create the GRC policy from ACM hub
      2. Propagate the policy on the managed cluster
      3. Check the details of the created resource from the managed cluster
      4. Check the compliance history of the GRC policy

      Actual results:

      Resource is created without the empty field and the policy flip-flops from being compliant to being non-compliant

      Expected results:

      Resource should get created with the empty field and the policy needs to be marked as compliant.

      Additional info:

      1) apiVersion: policy.open-cluster-management.io/v1
      kind: Policy
      metadata:
      name: self-provisioning
      namespace: acm-policies
      annotations:
      apps.open-cluster-management.io/do-not-delete: "true"
      spec:
      disabled: false
      policy-templates:

      • objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
        name: self-provisioning
        spec:
        remediationAction: enforce
        severity: high
        pruneObjectBehavior: None
        object-templates:
      • complianceType: mustonlyhave
        objectDefinition:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
        annotations:
        rbac.authorization.kubernetes.io/autoupdate: "false"
        name: self-provisioners
        roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: self-provisioner
        subjects: []

      2) Resource is created without the empty field:

      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
      name: self-provisioners
      annotations:
      rbac.authorization.kubernetes.io/autoupdate: 'false'
      roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: self-provisioner

      3) The compliance status is alternating between compliant and non compliant (report from ACM Dashboard):
      Without violations notification - clusterrolebindings [self-provisioners] was updated successfully a few seconds ago
      With violations violation - No instances of `clusterrolebindings` found as specified a few seconds ago
      Without violations notification - clusterrolebindings [self-provisioners] was updated successfully a few seconds ago
      With violations violation - No instances of `clusterrolebindings` found as specified a few seconds ago
      Without violations notification - clusterrolebindings [self-provisioners] was updated successfully a few seconds ago
      With violations violation - No instances of `clusterrolebindings` found as specified a few seconds ago
      Without violations notification - clusterrolebindings [self-provisioners] was updated successfully a few seconds ago

      Attachments

        Activity

          People

            yikim@redhat.com Yi Rae Kim
            rhn-support-mlele Mihir Lele
            Derek Ho Derek Ho
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: