-
Bug
-
Resolution: Done
-
Critical
-
None
-
None
-
1
-
False
-
False
-
-
-
GRC Sprint 2023-04, GRC Sprint 2023-05, GRC Sprint 2023-06
-
No
Description of problem:
We added a test to login to the Hypershift clusters in SDA-8459.
This has 2 parts.
- oc login
- check that user is cluster-admin
Test #2 is failing randomly but quite frequently, e.g https://ci.int.devshift.net/job/uhc-integration-tests-integration/413/testReport/junit/(root)/API%20Test%20Suite/It_Hypershift_Login_Test_Test_that_we_are_cluster_admin/
Int that case, we have cluster ready at
09:40:20 Attempt successful, returning result
then until
09:43:15 [FAILED]
we can't login as cluster-admin
~ % oc get policies -n 22k7r7tvsao5flisvjd34qhvnf2hj87p NAME REMEDIATION ACTION COMPLIANCE STATE AGE openshift-acm-policies.backplane 11m openshift-acm-policies.backplane-cee 11m openshift-acm-policies.backplane-cee-sp 11m openshift-acm-policies.backplane-cse 11m openshift-acm-policies.backplane-cse-sp 11m openshift-acm-policies.backplane-csm 11m openshift-acm-policies.backplane-csm-sp 11m openshift-acm-policies.backplane-cssre 11m openshift-acm-policies.backplane-cssre-sp 11m openshift-acm-policies.backplane-elevated-sre 9m58s openshift-acm-policies.backplane-mobb 11m openshift-acm-policies.backplane-mobb-sp 11m openshift-acm-policies.backplane-srep 11m openshift-acm-policies.backplane-srep-sp 11m openshift-acm-policies.backplane-tam 11m openshift-acm-policies.backplane-tam-sp 11m openshift-acm-policies.ccs-dedicated-admins 11m openshift-acm-policies.customer-registry-cas 11m openshift-acm-policies.hosted-uwm 11m openshift-acm-policies.hs-hosted-route-monitor-operator 11m openshift-acm-policies.metrics-forwarder-config enforce 11m openshift-acm-policies.osd-backplane-managed-scripts 11m openshift-acm-policies.osd-cluster-admin 11m openshift-acm-policies.osd-delete-backplane-script-resources 11m openshift-acm-policies.osd-delete-backplane-serviceaccounts 11m openshift-acm-policies.osd-delete-backplane-serviceaccounts-sp 11m openshift-acm-policies.osd-must-gather-operator 11m openshift-acm-policies.osd-openshift-operators-redhat 11m openshift-acm-policies.osd-pcap-collector 11m openshift-acm-policies.osd-user-workload-monitoring 11m openshift-acm-policies.osd-user-workload-monitoring-sp 11m openshift-acm-policies.rbac-permissions-operator-config 11m openshift-acm-policies.rbac-permissions-operator-config-sp 11m openshift-acm-policies.rosa-console-branding 11m openshift-acm-policies.rosa-console-branding-configmap Compliant 11m openshift-acm-policies.rosa-ingress-certificate-cdoan enforce 11m openshift-acm-policies.rosa-ingress-certificate-policies 11m openshift-acm-policies.rosa-oauth-templates 11m openshift-rosa-oauth-tpl-policies.rosa-oauth-tpl-errors 11m openshift-rosa-oauth-tpl-policies.rosa-oauth-tpl-login 11m openshift-rosa-oauth-tpl-policies.rosa-oauth-tpl-providers 11m
the relevant policy is openshift-acm-policies.osd-cluster-admin. But interesting that we have some compliant policies, but not all.
The above policy have a evaluation policy for Non compliance at 45s, see https://github.com/lnguyen1401/managed-cluster-config/blob/master/deploy/acm-policies/50-GENERATED-osd-cluster-admin.Policy.yaml
I attach the jenkins logs and the governance-policy-framework logs in the clusterid-klusterlet.
Version-Release number of selected component (if applicable):
2.7.x
How reproducible:
random in integration staging
Steps to Reproduce:
- ...
Actual results:
Expected results:
After cluster ready, I would expect that policy are applied as soon as possible and worst case is 45 seconds of evaluation period. Not 3 minutes (and maybe more)