Description of problem:
In SD, we have policies that are placed on Management Clusters, but actually target the hostedcluster namespaces that occur on the Management Cluster. Since the placement does not change, the policy noncompliance does not immediately trigger when a new management cluster change occurs.
But, the new managed cluster event causes a change to the list of namespaces, and the namespace selector should be aware of those changes and may need to change the policy state to `noncompliant` and start a reconcile loop.
It is an open question on if we should support the legacy "include" and "exclude" namespace selectors or just ones that allow server-side filtering.
Implementation Details:
- Update the watch library to be able to watch resources with a label selector and without a name.
- The config-policy-controller should create watches on the namespace selectors of policies.
- An update to the namespace selector results should make the "shouldEvaluatePolicy" function return true.
Goals
This Section: Namespace Selector based polices should be reactive as normal managed cluster placement based policies, and reconcile when there is addition or deletion of the namespace list.
How reproducible:
Steps to Reproduce:
- ...
Actual results:
Expected results:
Additional info:
- is cloned by
-
ACM-6899 [2.8] Namespace Selector based policies should detect immediately to avoid missed events
- Closed