Red Hat Advanced Cluster Management / ACM-6291

[2.8] The root policy is missing status when using ManagedCluster CR in the hub template



      Description of problem:

      The entire status of the root policy is missing when the policy uses the hub template function with ManagedCluster CR while its child policy has the correct status.

      Example of the policy:

      apiVersion: policy.open-cluster-management.io/v1
      kind: Policy
      metadata:
        annotations:
          policy.open-cluster-management.io/categories: CM Configuration Management
          policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
          policy.open-cluster-management.io/standards: NIST SP 800-53
          ran.openshift.io/ztp-deploy-wave: "100"
        creationTimestamp: "2023-05-17T18:23:53Z"
        generation: 1
        name: hub-templating-policy-sriov-config
        namespace: ztp-test
        resourceVersion: "100585537"
        uid: d9984847-ea52-49e8-9b7f-de18b6aad74e
      spec:
        disabled: false
        policy-templates:
        - objectDefinition:
            apiVersion: policy.open-cluster-management.io/v1
            kind: ConfigurationPolicy
            metadata:
              name: hub-templating-policy-sriov-config-config
            spec:
              evaluationInterval:
                compliant: 10s
                noncompliant: 10s
              namespaceselector:
                exclude:
                - kube-*
                include:
                - '*'
              object-templates:
              - complianceType: musthave
                objectDefinition:
                  apiVersion: sriovnetwork.openshift.io/v1
                  kind: SriovNetwork
                  metadata:
                    name: ztp-test
                    namespace: openshift-sriov-network-operator
                  spec:
                    networkNamespace: openshift-sriov-network-operator
                    resourceName: '{{hub (lookup "cluster.open-cluster-management.io/v1"
                      "ManagedCluster" "" .ManagedClusterName).metadata.labels.sites hub}}-du_fh'
                    vlan: '{{hub (index (lookup "v1" "ConfigMap" "ztp-test" "sriovdata").data
                      (printf "%s_du_fh_vlan" .ManagedClusterName)) | toInt hub}}'
              remediationAction: inform
              severity: low
        remediationAction: inform

      The template function is resolved, as shown in the child policy:

      [kni@registry.hv4-acm01 angie]$ oc get policies -n cnfdf20 ztp-test.hub-templating-policy-sriov-config -o yaml
      apiVersion: policy.open-cluster-management.io/v1
      kind: Policy
      metadata:
        annotations:
        creationTimestamp: "2023-05-17T18:23:53Z"
        generation: 1
        labels:
          policy.open-cluster-management.io/cluster-name: cnfdf20
          policy.open-cluster-management.io/cluster-namespace: cnfdf20
          policy.open-cluster-management.io/root-policy: ztp-test.hub-templating-policy-sriov-config
        name: ztp-test.hub-templating-policy-sriov-config
        namespace: cnfdf20
        resourceVersion: "100585663"
        uid: ed800ec1-9567-4d64-8ab0-34438e9698ab
      spec:
        disabled: false
        policy-templates:
        - objectDefinition:
            apiVersion: policy.open-cluster-management.io/v1
            kind: ConfigurationPolicy
            metadata:
              name: hub-templating-policy-sriov-config-config
            spec:
              evaluationInterval:
                compliant: 10s
                noncompliant: 10s
              namespaceselector:
                exclude:
                - kube-*
                include:
                - '*'
              object-templates:
              - complianceType: musthave
                objectDefinition:
                  apiVersion: sriovnetwork.openshift.io/v1
                  kind: SriovNetwork
                  metadata:
                    name: ztp-test
                    namespace: openshift-sriov-network-operator
                  spec:
                    networkNamespace: openshift-sriov-network-operator
                    resourceName: cnfdf20-du_fh
                    vlan: 110
              remediationAction: inform
              severity: low
        remediationAction: inform
      status:
        compliant: NonCompliant
        details:
        - compliant: NonCompliant
          history:
          - eventName: ztp-test.hub-templating-policy-sriov-config.1760017daadfbc2e
            lastTimestamp: "2023-05-17T18:24:59Z"
            message: 'NonCompliant; violation - sriovnetworks not found: [ztp-test] in namespace
              openshift-sriov-network-operator missing'

      However, the parent policy doesn't have a status:

      $ oc get policies -A | grep ztp-test
      cnfdf20              ztp-test.hub-templating-policy-sriov-config              inform               NonCompliant       26m
      ztp-test             hub-templating-policy-sriov-config                       inform                                  26m

      The log reports the ManagedCluster resource cannot be found when updating the watch dependencies

      E0517 18:34:49.247307       1 client.go:437] Could not start a watch request for cluster.open-cluster-management.io/v1, Kind=ManagedCluster, Namespace=ztp-test, Name=cnfdf20, error: the server could not find the requested resource
      2023-05-17T18:34:49.247Z        error   policy-propagator       propagator/propagation.go:399   Failed to update the dynamic watches for the policy ztp-test/hub-templating-policy-sriov-config on objects referenced by hub policy templates   {"policyName": "hub-templating-policy-sriov-config", "policyNamespace": "ztp-test", "error": "the server could not find the requested resource"}
      open-cluster-management.io/governance-policy-propagator/controllers/propagator.(*PolicyReconciler).handleDecisions
              /remote-source/app/controllers/propagator/propagation.go:399
      open-cluster-management.io/governance-policy-propagator/controllers/propagator.(*PolicyReconciler).handleRootPolicy
              /remote-source/app/controllers/propagator/propagation.go:516
      open-cluster-management.io/governance-policy-propagator/controllers/propagator.(*PolicyReconciler).Reconcile
              /remote-source/app/controllers/propagator/policy_controller.go:158
      sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
              /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:114
      sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
              /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:311
      sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
              /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:266
      sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
              /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/internal/controller/controller.go:227
      2023-05-17T18:34:49.247Z        info    policy-propagator       propagator/propagation.go:518   Failed to get any placement decisions. Giving up on the request.        {"policyName": "hub-templating-policy-sriov-config", "policyNamespace": "ztp-test"}
      2023-05-17T18:34:49.247Z        error   controller.policy-propagator    controller/controller.go:317    Reconciler error        {"reconciler group": "policy.open-cluster-management.io", "reconciler kind": "Policy", "name": "hub-templating-policy-sriov-config", "namespace": "ztp-test", "error": "could not get the placement decisions"}
      

      Version-Release number of selected component (if applicable):

      2.7.3 (also tried on 2.7.4, 2.8.0)

      How reproducible: 100%

      Steps to Reproduce:

      1. Create an inform policy with the hub template function used for ManagedCluster CR as shown in the above example
      2. Observe status for the root policy and check the log

      Actual results:

      The root policy doesn't have any status

      Expected results:

      No error. The child policy and root policy should have identical status

      Additional info:

            jkulikau@redhat.com Justin Kulikauskas
            angwang@redhat.com Angie Wang
            Derek Ho Derek Ho
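A root policy with an empty status hides a NonCompliant cluster from any hub-level compliance view, so the symptom above is worth checking for directly. The following is an added example, not part of the original report or of the ACM code base: it scans a policy list shaped like `oc get policies -A -o json` and flags root policies that report no compliance state while a replicated child policy does. The function name, the helper and the "demo" policy are assumptions made for illustration; the label key and the `<namespace>.<name>` naming of child policies are taken from the output in the report.

```python
import json

ROOT_LABEL = "policy.open-cluster-management.io/root-policy"

def _policy(ns, name, compliant=None, root=None, disabled=False):
    """Build a trimmed Policy object (constructed sample data)."""
    p = {"metadata": {"namespace": ns, "name": name},
         "spec": {"disabled": disabled}}
    if root:
        p["metadata"]["labels"] = {ROOT_LABEL: root}
    if compliant:
        p["status"] = {"compliant": compliant}
    return p

# Constructed sample shaped like `oc get policies -A -o json`; the first pair
# mirrors the report, the "demo" pair is a made-up healthy policy.
SAMPLE = {"items": [
    _policy("ztp-test", "hub-templating-policy-sriov-config"),
    _policy("cnfdf20", "ztp-test.hub-templating-policy-sriov-config",
            "NonCompliant", root="ztp-test.hub-templating-policy-sriov-config"),
    _policy("demo", "healthy-policy", "Compliant"),
    _policy("cnfdf20", "demo.healthy-policy", "Compliant",
            root="demo.healthy-policy"),
]}

def roots_missing_status(policy_list):
    """Return root policies with no compliance state although at least one
    replicated child policy reports one."""
    items = policy_list.get("items", [])
    child_states = {}  # "<root ns>.<root name>" -> {cluster namespace: state}
    for p in items:
        root = (p["metadata"].get("labels") or {}).get(ROOT_LABEL)
        state = (p.get("status") or {}).get("compliant")
        if root and state:
            child_states.setdefault(root, {})[p["metadata"]["namespace"]] = state
    findings = []
    for p in items:
        meta = p["metadata"]
        if ROOT_LABEL in (meta.get("labels") or {}):
            continue  # replicated child, not a root policy
        if p.get("spec", {}).get("disabled") or (p.get("status") or {}).get("compliant"):
            continue  # skip disabled roots and roots that already report a state
        children = child_states.get(f"{meta['namespace']}.{meta['name']}")
        if children:
            findings.append({"root": f"{meta['namespace']}/{meta['name']}",
                             "children": children})
    return findings

if __name__ == "__main__":
    print(json.dumps(roots_missing_status(SAMPLE), indent=2))
```

To check a live hub, pass the parsed output of `oc get policies -A -o json` to `roots_missing_status` instead of `SAMPLE`.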