Bug
Resolution: Done
Critical
ACM 2.7.3
GRC Sprint 2023-08, GRC Sprint 2023-09, GRC Sprint 2023-10
Important
Description of problem:
The entire status of the root policy is missing when the policy uses the hub template function with ManagedCluster CR while its child policy has the correct status.
Example of the policy:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
    ran.openshift.io/ztp-deploy-wave: "100"
  creationTimestamp: "2023-05-17T18:23:53Z"
  generation: 1
  name: hub-templating-policy-sriov-config
  namespace: ztp-test
  resourceVersion: "100585537"
  uid: d9984847-ea52-49e8-9b7f-de18b6aad74e
spec:
  disabled: false
  policy-templates:
  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: hub-templating-policy-sriov-config-config
      spec:
        evaluationInterval:
          compliant: 10s
          noncompliant: 10s
        namespaceselector:
          exclude:
          - kube-*
          include:
          - '*'
        object-templates:
        - complianceType: musthave
          objectDefinition:
            apiVersion: sriovnetwork.openshift.io/v1
            kind: SriovNetwork
            metadata:
              name: ztp-test
              namespace: openshift-sriov-network-operator
            spec:
              networkNamespace: openshift-sriov-network-operator
              resourceName: '{{hub (lookup "cluster.open-cluster-management.io/v1" "ManagedCluster" "" .ManagedClusterName).metadata.labels.sites hub}}-du_fh'
              vlan: '{{hub (index (lookup "v1" "ConfigMap" "ztp-test" "sriovdata").data (printf "%s_du_fh_vlan" .ManagedClusterName)) | toInt hub}}'
        remediationAction: inform
        severity: low
  remediationAction: inform
The template function is resolved, as shown in the child policy:
[kni@registry.hv4-acm01 angie]$ oc get policies -n cnfdf20 ztp-test.hub-templating-policy-sriov-config -o yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
  creationTimestamp: "2023-05-17T18:23:53Z"
  generation: 1
  labels:
    policy.open-cluster-management.io/cluster-name: cnfdf20
    policy.open-cluster-management.io/cluster-namespace: cnfdf20
    policy.open-cluster-management.io/root-policy: ztp-test.hub-templating-policy-sriov-config
  name: ztp-test.hub-templating-policy-sriov-config
  namespace: cnfdf20
  resourceVersion: "100585663"
  uid: ed800ec1-9567-4d64-8ab0-34438e9698ab
spec:
  disabled: false
  policy-templates:
  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: hub-templating-policy-sriov-config-config
      spec:
        evaluationInterval:
          compliant: 10s
          noncompliant: 10s
        namespaceselector:
          exclude:
          - kube-*
          include:
          - '*'
        object-templates:
        - complianceType: musthave
          objectDefinition:
            apiVersion: sriovnetwork.openshift.io/v1
            kind: SriovNetwork
            metadata:
              name: ztp-test
              namespace: openshift-sriov-network-operator
            spec:
              networkNamespace: openshift-sriov-network-operator
              resourceName: cnfdf20-du_fh
              vlan: 110
        remediationAction: inform
        severity: low
  remediationAction: inform
status:
  compliant: NonCompliant
  details:
  - compliant: NonCompliant
    history:
    - eventName: ztp-test.hub-templating-policy-sriov-config.1760017daadfbc2e
      lastTimestamp: "2023-05-17T18:24:59Z"
      message: 'NonCompliant; violation - sriovnetworks not found: [ztp-test] in namespace openshift-sriov-network-operator missing'
However, the parent policy doesn't have a status:
$ oc get policies -A | grep ztp-test
cnfdf20    ztp-test.hub-templating-policy-sriov-config   inform   NonCompliant   26m
ztp-test   hub-templating-policy-sriov-config            inform                  26m
The log reports that the ManagedCluster resource cannot be found when updating the watch dependencies:
E0517 18:34:49.247307 1 client.go:437] Could not start a watch request for cluster.open-cluster-management.io/v1, Kind=ManagedCluster, Namespace=ztp-test, Name=cnfdf20, error: the server could not find the requested resource
2023-05-17T18:34:49.247Z error policy-propagator propagator/propagation.go:399 Failed to update the dynamic watches for the policy ztp-test/hub-templating-policy-sriov-config on objects referenced by hub policy templates {"policyName": "hub-templating-policy-sriov-config", "policyNamespace": "ztp-test", "error": "the server could not find the requested resource"}
open-cluster-management.io/governance-policy-propagator/controllers/propagator.(*PolicyReconciler).handleDecisions
    /remote-source/app/controllers/propagator/propagation.go:399
open-cluster-management.io/governance-policy-propagator/controllers/propagator.(*PolicyReconciler).handleRootPolicy
    /remote-source/app/controllers/propagator/propagation.go:516
open-cluster-management.io/governance-policy-propagator/controllers/propagator.(*PolicyReconciler).Reconcile
    /remote-source/app/controllers/propagator/policy_controller.go:158
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
    /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:114
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
    /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:311
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:266
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
    /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:227
2023-05-17T18:34:49.247Z info policy-propagator propagator/propagation.go:518 Failed to get any placement decisions. Giving up on the request. {"policyName": "hub-templating-policy-sriov-config", "policyNamespace": "ztp-test"}
2023-05-17T18:34:49.247Z error controller.policy-propagator controller/controller.go:317 Reconciler error {"reconciler group": "policy.open-cluster-management.io", "reconciler kind": "Policy", "name": "hub-templating-policy-sriov-config", "namespace": "ztp-test", "error": "could not get the placement decisions"}
Version-Release number of selected component (if applicable):
2.7.3 (also tried on 2.7.4, 2.8.0)
How reproducible: 100%
Steps to Reproduce:
- Create an inform policy with the hub template function used for ManagedCluster CR as shown in the above example
- Observe status for the root policy and check the log
Actual results:
The root policy doesn't have any status
Expected results:
No error. The child policy and root policy should have identical status.
Additional info:
- is cloned by: ACM-6291 [2.8] The root policy is missing status when using ManagedCluster CR in the hub template (Closed)
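The symptom in this report (a root policy with a blank compliance column while its replicated child policy reports NonCompliant) can be checked for across a hub. The following is an added example, not part of the original report or of the governance-policy-propagator code. It pairs each root policy with its children through the `policy.open-cluster-management.io/root-policy` label shown above and flags roots whose `status.compliant` is empty; the sample data and the `healthy-policy` name are constructed.

```python
import json
import sys

ROOT_LABEL = "policy.open-cluster-management.io/root-policy"


def find_status_gaps(policy_list):
    """Root policies with empty status.compliant although a replicated child reports one."""
    roots, children = {}, {}
    for item in policy_list.get("items", []):
        meta = item.get("metadata", {})
        state = (item.get("status") or {}).get("compliant", "")
        root_ref = (meta.get("labels") or {}).get(ROOT_LABEL)
        if root_ref:
            # Replicated (child) policy; the label value is "<root namespace>.<root name>".
            children.setdefault(root_ref, []).append((meta["namespace"], state))
        else:
            roots[meta["namespace"] + "." + meta["name"]] = state
    gaps = []
    for key in sorted(roots):
        reporting = [(ns, s) for ns, s in children.get(key, []) if s]
        if not roots[key] and reporting:
            gaps.append({"root": key, "children": reporting})
    return gaps


def _policy(namespace, name, compliant=None, root=None):
    """Build a minimal Policy object for the constructed sample below."""
    obj = {"metadata": {"namespace": namespace, "name": name}}
    if root:
        obj["metadata"]["labels"] = {ROOT_LABEL: root}
    if compliant:
        obj["status"] = {"compliant": compliant}
    return obj


# Constructed sample: the first pair mirrors the report, the second pair is a healthy policy.
SAMPLE = {"items": [
    _policy("ztp-test", "hub-templating-policy-sriov-config"),
    _policy("cnfdf20", "ztp-test.hub-templating-policy-sriov-config",
            "NonCompliant", root="ztp-test.hub-templating-policy-sriov-config"),
    _policy("ztp-test", "healthy-policy", "Compliant"),
    _policy("cnfdf20", "ztp-test.healthy-policy", "Compliant", root="ztp-test.healthy-policy"),
]}

if __name__ == "__main__":
    # Pass a file saved from `oc get policies -A -o json`, or run without arguments for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for gap in find_status_gaps(data):
        print(gap["root"], "has no status; children report", gap["children"])
```

Root policies with no replicated children (for example, no placement) are not flagged, since there is no child status to compare against.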