Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-6127

ACM cluster-admin policy is slow to apply at cluster creation

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • None
    • ACM 2.8.0
    • GRC
    • 2
    • False
    • None
    • False
    • GRC Sprint 2023-11, GRC Sprint 2023-12
    • Important
    • No

      Description of problem:

      Slow policy apply at Hypershift cluster creation. We have a test that creates an Hypershift cluster and tries to create a cluster -admin user.
      The relative cluster role binding is applied through an ACM policy which is slow to apply from time to time and this has a user impact.

      Already investigated in ACM-4486

      Version-Release number of selected component (if applicable):

      2.7.3

      How reproducible:

      From time to time

      Steps to Reproduce:

      1.  
      2.  
      3. ...

      Actual results:

      Expected results:

      Policy is created at most 2 minutes after cluster readiness

      Additional info:

      Issue visible on https://ci.int.devshift.net/job/uhc-integration-tests-staging/3598/consoleFull

      ID:			24jeihcada202bsfvsfp0ent94l6ng3r
External ID:		7f352bb0-62c0-4fcf-8597-c1b29f7f7d73
Name:			sda-it-96mm
State:			ready
API URL:		https://api.sda-it-96mm.bu0t.s3.devshift.org:443
API Listening:		external
Console URL:		https://console-openshift-console.apps.rosa.sda-it-96mm.bu0t.s3.devshift.org
Masters:		0
Infra:			0
Computes:		2
Product:		rosa
Provider:		aws
Version:		4.13.4
Region:			us-west-2
Multi-az:		true
CCS:			true
Subnet IDs:		[subnet-0e36d20571f3cb4c6 subnet-0f47a217e74fccbb6]
PrivateLink:		false
STS:			true
Existing VPC:		true
Channel Group:		candidate
Cluster Admin:		true
Organization:		SDA Testing - Stage
Creator:		etabak_privileged_uhc_25022019
Email:			etabak+privileged_uhc_25022019@redhat.com
AccountNumber:          6341839
Created:		2023-06-26T06:59:20Z
Expiration:		2023-06-27T18:59:18Z
Management Cluster:     hs-mc-bqv8ijpk0 / 22l3ncsvb89obhsshvml4rcpt2d62rme
Service Cluster:        hs-sc-ngo46s1u0 / 22l3ncsvb89obhsshvml4rcpt2d62rme

      Timeline
      06:59:20Z
      07:07:23Z ready
      governance pod running since 07:08:20
      we wait until 07:13:59.863
      07:14:37Z cluster role binding created

      So here we have more than 6 minutes to apply the policy from the moment the pod is created (and 7 after cluster readiness).
      Attaching policy and some logs

        1. config-policy-controller-6fdffbb8c7-kr8fn.txt
          20.45 MB
        2. describepods.txt
          26 kB
        3. governance-policy-framework-5bb7479cdb-q2z5h.txt
          19.87 MB
        4. policy.yml
          4 kB
        5. policy-stats-short.column.txt
          27 kB
        6. policy-stats-short-0vfs0cl5g.column.txt
          2 kB

              jkulikau@redhat.com Justin Kulikauskas
              rh-ee-adecorte Andrea Decorte
              Matthew Prahl
              Derek Ho Derek Ho
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: