  1. Red Hat Advanced Cluster Management
  2. ACM-4369

policy status isn't updated fast enough after a sub-policy is breached and enforced


    • Bug
    • Resolution: Done
    • Normal
    • ACM 2.6.4, ACM 2.5.8, ACM 2.7.0
    • ACM 2.6.0, ACM 2.7.0
    • GRC
    • GRC Sprint 2023-05
    • Moderate

      Description of problem:

      If using a policy as described [1] which has at least two policy-templates, a breach of the sub-policies does get fixed by enforcement, but it takes too long for the main policy to be updated.

      There is also no documentation on the behaviour in the governance documentation.

      Version-Release number of selected component (if applicable):

      2.6 and 2.7

      How reproducible:

      All the time

      Steps to Reproduce:

      1. Create a policy with two policy-templates [1]
      2. Set it up to affect several clusters
      3. Cause a breach in one or two of the sub-policies

      Actual results:

      The "Cluster Violations" column on the Governance - Policies tab of the RHACM console regularly appears out of date. When accessing the policy, the details under the "Placement" section will also appear out of date. However, when accessing the 'Result' tab of the policy, all details are up-to-date.

      Expected results:

      The enforcement of the policies is reflected in the status of the main policy, or the main policy has no status at all other than the status of all the sub-policies.

      Additional info:

      • [1]: the policy should have several policy-templates, such as:
        disabled: false
        policy-templates:
        - objectDefinition:
            apiVersion: policy.open-cluster-management.io/v1
            kind: ConfigurationPolicy
            metadata:
              name: config-mgmt-tiwana-test
            spec:
              object-templates:
              - complianceType: musthave
                objectDefinition:
                  apiVersion: v1
                  kind: Namespace
                  metadata:
                    annotations:
                      scheduler.alpha.kubernetes.io/defaultTolerations: '[{"operator":"Exists","effect":"NoSchedule","key":"node-role.kubernetes.io/infra"}]'
                    name: tiwana-test
              severity: high
        - objectDefinition:
            apiVersion: policy.open-cluster-management.io/v1
            kind: ConfigurationPolicy
            metadata:
              name: config-mgmt-abtest
            spec:
              object-templates:
              - complianceType: musthave
                objectDefinition:
                  apiVersion: v1
                  kind: Namespace
                  metadata:
                    annotations:
                      scheduler.alpha.kubernetes.io/defaultTolerations: '[{"operator":"Exists","effect":"NoSchedule","key":"node-role.kubernetes.io/infra"}]'
                    name: abtest
              severity: high
        remediationAction: enforce
       
      • It was discussed in the enablement of one previous version that this behaviour is expected and that it couldn't be worked around, but that isn't documented. I would want to make sure we can't work around the behaviour or change how the status is updated when sub-policies are enforced, and get the documentation updated to mention the behaviour.
      • Changing the policy between `Enforce` and `Inform` updates the governance page.

              dhaiduce Dale Haiducek
              rhn-support-fdewaley Felix Dewaleyne
              Derek Ho Derek Ho
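
An added example, not part of the original report or of RHACM itself: a check for the mismatch described under "Actual results", comparing the per-cluster compliance listed on the root policy with the per-template results on each cluster's replicated policy. The cluster names and sample objects are constructed; the status field layout (status.status, status.details) is assumed from the Policy CRD, and the input is assumed to be JSON exported from the hub.

```python
# Added example (not from the issue). Field names follow the
# policy.open-cluster-management.io/v1 Policy status; all objects are constructed.

def template_compliance(replicated):
    """Aggregate the per-template results in status.details of a replicated policy."""
    details = replicated.get("status", {}).get("details", [])
    states = [d.get("compliant") for d in details]
    if "NonCompliant" in states:
        return "NonCompliant"
    if states and all(s == "Compliant" for s in states):
        return "Compliant"
    return "Unknown"  # no templates reported yet, or a template has no state

def stale_clusters(root, replicated_by_cluster):
    """Map cluster -> (root view, per-template view) wherever the two disagree."""
    stale = {}
    for entry in root.get("status", {}).get("status", []):
        cluster = entry.get("clustername")
        replicated = replicated_by_cluster.get(cluster)
        if replicated is None:
            continue  # nothing to compare against for this cluster
        actual = template_compliance(replicated)
        if entry.get("compliant") != actual:
            stale[cluster] = (entry.get("compliant"), actual)
    return stale

def _replicated(*states):
    names = ("config-mgmt-tiwana-test", "config-mgmt-abtest")  # from the issue
    return {"status": {"details": [
        {"templateMeta": {"name": n}, "compliant": s} for n, s in zip(names, states)]}}

# Constructed sample: cluster1 was remediated, but the root policy still lists it as NonCompliant
ROOT = {"status": {"status": [
    {"clustername": "cluster1", "clusternamespace": "cluster1", "compliant": "NonCompliant"},
    {"clustername": "cluster2", "clusternamespace": "cluster2", "compliant": "Compliant"},
]}}
REPLICATED = {
    "cluster1": _replicated("Compliant", "Compliant"),
    "cluster2": _replicated("Compliant", "Compliant"),
}

if __name__ == "__main__":
    for cluster, (root_view, actual) in stale_clusters(ROOT, REPLICATED).items():
        print(f"{cluster}: root policy says {root_view}, templates say {actual}")
```

A cluster reported here is one where an audit reading only the root policy status would see a violation that enforcement has already remediated.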