Red Hat Advanced Cluster Management / ACM-5022

A late compliance event can override a Pending event


    • Bug
    • Resolution: Done
    • Undefined
    • ACM 2.8.0
    • ACM 2.8.0, ACM 2.7.Z
    • GRC
    • None
    • 2
    • False
    • False
    • GRC Sprint 2023-07
    • Moderate
    • No

      Description of problem:

      If a compliance event comes from a policy controller after the policy has transitioned to a Pending state, the Pending status could be overwritten and not automatically recovered. This can be reproduced by adding a synthetic compliance event to a policy that has only ever been Pending, but it could also happen in practice if the configuration-policy-controller has a lot of policies and is "slow" to send the compliance event.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

      1. Create a policy that will be in a Pending state
      2. Create a "synthetic" NonCompliant event on the managed cluster.

      Actual results:

      The Policy will appear to be NonCompliant, even though it should be Pending. It will not "fix" its status until something else triggers a new template-sync reconcile on the policy.

      Expected results:

      The synthetic event is seen and added to the history by the status-sync, but the template-sync notices this and adds a new Pending event (so it is eventually consistent).

      Additional info:

      Example synthetic event (adjust name/UID of the Policy, and timestamps):

       

      apiVersion: v1
      count: 1
      eventTime: null
      firstTimestamp: "2023-04-18T17:19:20Z"
      involvedObject:
        apiVersion: policy.open-cluster-management.io/v1
        kind: Policy
        name: open-cluster-management-global-set.jkuli-dependent
        namespace: local-cluster
        resourceVersion: "635579"
        uid: 3ec388a0-1742-4300-96ed-cf869419698a
      kind: Event
      lastTimestamp: "2023-04-18T17:19:20Z"
      message: 'NonCompliant; violation - this event was created manually'
      metadata:
        creationTimestamp: "2023-04-18T17:18:20Z"
        name: open-cluster-management-global-set.jkuli-dependent.manual
        namespace: local-cluster
      reason: 'policy: local-cluster/ns-jkuli-dependent'
      reportingComponent: ""
      reportingInstance: ""
      source:
        component: policy-faker
      type: Warning
      

      The history would look something like this:

      status:
        compliant: NonCompliant
        details:
        - compliant: NonCompliant
          history:
          - eventName: open-cluster-management-global-set.jkuli-dependent.manual
            lastTimestamp: "2023-04-18T17:19:20Z"
            message: NonCompliant; violation - this event was created manually
          - eventName: open-cluster-management-global-set.jkuli-dependent.17571705f20a1644
            lastTimestamp: "2023-04-18T17:18:20Z"
            message: 'Pending; Dependencies were not satisfied: 1 is still pending (Policy
              open-cluster-management-global-set.jkuli-initial)' 
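
A simplified model of the expected behaviour, added here as an example and not taken from the controllers' code: `HistoryEntry`, `Reconcile` and the corrective event name are hypothetical, and the sample input is constructed from the history above. It assumes the compliance state is the message prefix before `;` and that the newest `lastTimestamp` decides the reported status; when the newest entry disagrees with the state template-sync computed, it produces a new Pending entry that sorts after the late event.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// HistoryEntry mirrors one item of status.details[].history in the issue.
type HistoryEntry struct {
	EventName, Message string
	Last               time.Time
}

// StateOf returns the compliance prefix of a message, e.g. "Pending".
func StateOf(msg string) string {
	state, _, _ := strings.Cut(msg, ";")
	return strings.TrimSpace(state)
}

// Reconcile (hypothetical, not project code) returns a corrective entry when
// the newest history entry disagrees with the state template-sync computed.
func Reconcile(history []HistoryEntry, desired, detail string, now time.Time) (HistoryEntry, bool) {
	h := append([]HistoryEntry(nil), history...)
	sort.SliceStable(h, func(i, j int) bool { return h[i].Last.After(h[j].Last) })
	if len(h) > 0 && StateOf(h[0].Message) == desired {
		return HistoryEntry{}, false // status already reflects the desired state
	}
	ts := now.UTC().Truncate(time.Second)
	if len(h) > 0 && !ts.After(h[0].Last) {
		// The late event may be stamped ahead of our clock; the fix must still sort newest.
		ts = h[0].Last.Add(time.Second)
	}
	return HistoryEntry{EventName: "corrective-event (constructed name)", Message: desired + "; " + detail, Last: ts}, true
}

// SampleHistory is constructed test input copied from the history in the issue.
func SampleHistory() []HistoryEntry {
	t := func(s string) time.Time { v, _ := time.Parse(time.RFC3339, s); return v }
	return []HistoryEntry{
		{"open-cluster-management-global-set.jkuli-dependent.manual", "NonCompliant; violation - this event was created manually", t("2023-04-18T17:19:20Z")},
		{"open-cluster-management-global-set.jkuli-dependent.17571705f20a1644", "Pending; Dependencies were not satisfied: 1 is still pending (Policy open-cluster-management-global-set.jkuli-initial)", t("2023-04-18T17:18:20Z")},
	}
}

func main() {
	ev, needed := Reconcile(SampleHistory(), "Pending", "Dependencies were not satisfied", time.Now())
	fmt.Println(needed, ev.Last.Format(time.RFC3339), ev.Message)
}
```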

       

              Justin Kulikauskas (jkulikau@redhat.com)
              Derek Ho