Loading...

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: ACM 2.7.6
Affects Version/s: ACM 2.7.3
Component/s: GRC
Labels:

Story Points:
2
Blocked:
False
Blocked Reason:
None
Ready:
False
Regression:
No
Test Coverage:

?

Sprint:
GRC Sprint 2023-08, GRC Sprint 2023-09, GRC Sprint 2023-10
Severity:
Important

SFDC Cases Links:
SFDC Cases Counter:

Description

Description of problem:

The entire status of the root policy is missing when the policy uses the hub template function with ManagedCluster CR while its child policy has the correct status.

Example of the policy:

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
    ran.openshift.io/ztp-deploy-wave: "100"
  creationTimestamp: "2023-05-17T18:23:53Z"
  generation: 1
  name: hub-templating-policy-sriov-config
  namespace: ztp-test
  resourceVersion: "100585537"
  uid: d9984847-ea52-49e8-9b7f-de18b6aad74e
spec:
  disabled: false
  policy-templates:
  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: hub-templating-policy-sriov-config-config
      spec:
        evaluationInterval:
          compliant: 10s
          noncompliant: 10s
        namespaceselector:
          exclude:
          - kube-*
          include:
          - '*'
        object-templates:
        - complianceType: musthave
          objectDefinition:
            apiVersion: sriovnetwork.openshift.io/v1
            kind: SriovNetwork
            metadata:
              name: ztp-test
              namespace: openshift-sriov-network-operator
            spec:
              networkNamespace: openshift-sriov-network-operator
              resourceName: '{{hub (lookup "cluster.open-cluster-management.io/v1"
                "ManagedCluster" "" .ManagedClusterName).metadata.labels.sites hub}}-du_fh'
              vlan: '{{hub (index (lookup "v1" "ConfigMap" "ztp-test" "sriovdata").data
                (printf "%s_du_fh_vlan" .ManagedClusterName)) | toInt hub}}'
        remediationAction: inform
        severity: low
  remediationAction: inform

The template function is resolved as shown in child policy

[kni@registry.hv4-acm01 angie]$ oc get policies -n cnfdf20 ztp-test.hub-templating-policy-sriov-config -o yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
  creationTimestamp: "2023-05-17T18:23:53Z"
  generation: 1
  labels:
    policy.open-cluster-management.io/cluster-name: cnfdf20
    policy.open-cluster-management.io/cluster-namespace: cnfdf20
    policy.open-cluster-management.io/root-policy: ztp-test.hub-templating-policy-sriov-config
  name: ztp-test.hub-templating-policy-sriov-config
  namespace: cnfdf20
  resourceVersion: "100585663"
  uid: ed800ec1-9567-4d64-8ab0-34438e9698ab
spec:
  disabled: false
  policy-templates:
  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: hub-templating-policy-sriov-config-config
      spec:
        evaluationInterval:
          compliant: 10s
          noncompliant: 10s
        namespaceselector:
          exclude:
          - kube-*
          include:
          - '*'
        object-templates:
        - complianceType: musthave
          objectDefinition:
            apiVersion: sriovnetwork.openshift.io/v1
            kind: SriovNetwork
            metadata:
              name: ztp-test
              namespace: openshift-sriov-network-operator
            spec:
              networkNamespace: openshift-sriov-network-operator
              resourceName: cnfdf20-du_fh
              vlan: 110
        remediationAction: inform
        severity: low
  remediationAction: inform
status:
  compliant: NonCompliant
  details:
  - compliant: NonCompliant
    history:
    - eventName: ztp-test.hub-templating-policy-sriov-config.1760017daadfbc2e
      lastTimestamp: "2023-05-17T18:24:59Z"
      message: 'NonCompliant; violation - sriovnetworks not found: [ztp-test] in namespace
        openshift-sriov-network-operator missing'

However, the parent policy doesn't have status

$ oc get policies -A | grep ztp-test
cnfdf20              ztp-test.hub-templating-policy-sriov-config              inform               NonCompliant       26m
ztp-test             hub-templating-policy-sriov-config                       inform                                  26m

The log reports the ManagedCluster resource cannot be found when updating the watch dependencies

E0517 18:34:49.247307       1 client.go:437] Could not start a watch request for cluster.open-cluster-management.io/v1, Kind=ManagedCluster, Namespace=ztp-test, Name=cnfdf20, error: the server could not find the requested resource
2023-05-17T18:34:49.247Z        error   policy-propagator       propagator/propagation.go:399   Failed to update the dynamic watches for the policy ztp-test/hub-templating-policy-sriov-config on objects referenced by hub policy templates   {"policyName": "hub-templating-policy-sriov-config", "policyNamespace": "ztp-test", "error": "the server could not find the requested resource"}
open-cluster-management.io/governance-policy-propagator/controllers/propagator.(*PolicyReconciler).handleDecisions
        /remote-source/app/controllers/propagator/propagation.go:399
open-cluster-management.io/governance-policy-propagator/controllers/propagator.(*PolicyReconciler).handleRootPolicy
        /remote-source/app/controllers/propagator/propagation.go:516
open-cluster-management.io/governance-policy-propagator/controllers/propagator.(*PolicyReconciler).Reconcile
        /remote-source/app/controllers/propagator/policy_controller.go:158
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
        /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:114
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
        /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:311
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
        /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:266
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
        /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:227
2023-05-17T18:34:49.247Z        info    policy-propagator       propagator/propagation.go:518   Failed to get any placement decisions. Giving up on the request.        {"policyName": "hub-templating-policy-sriov-config", "policyNamespace": "ztp-test"}
2023-05-17T18:34:49.247Z        error   controller.policy-propagator    controller/controller.go:317    Reconciler error        {"reconciler group": "policy.open-cluster-management.io", "reconciler kind": "Policy", "name": "hub-templating-policy-sriov-config", "namespace": "ztp-test", "error": "could not get the placement decisions"}

Version-Release number of selected component (if applicable):

2.7.3 (also tried on 2.7.4, 2.8.0)

How reproducible: 100%

Steps to Reproduce:

Create an inform policy with the hub template function used for ManagedCluster CR as shown in the above example
Observe status for the root policy and check the log

Actual results:

The root policy doesn't have any status

Expected results:
No error. The child policy and root policy should have idential status

Additional info:

Attachments

Issue Links

is cloned by

ACM-6291 [2.8] The root policy is missing status when using ManagedCluster CR in the hub template

Closed

[2.7] The root policy is missing status when using ManagedCluster CR in the hub template