Bug
Resolution: Done
ACM 2.9.0
10/30: green for ACM 2.9
GRC Sprint 2023-15, GRC Sprint 2023-16
Important
Description of problem:
When an enforced policy contains a non-existent object, the policy controller considers the policy compliant if the object is successfully created on the target cluster. This holds true in most cases, except when the enforced object contains a status field check. For example, consider a policy that enforces a cluster-logging subscription and also requires that the subscription's status.state be "AtLatestKnown" [1]. After successfully creating the non-existent subscription CR, the policy becomes compliant right away [2], but the subscription status hasn't changed to "AtLatestKnown" yet [3].
If the policy has a longer evaluation interval set for Compliant, it will remain in this incorrect state until the next polling cycle. This incorrect information can cause components such as TALM, which rely on the policy status, to make incorrect decisions.
I think the config policy controller should also verify if the status field is matched as desired after the object is created.
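The evaluation sequence described above, as an added illustration that is not ACM or config-policy-controller code: a small simulation in which a fake managed cluster answers a create call with the status a Subscription really starts in (UpgradePending, as in [3]), and a musthave evaluator is run once with the reported behaviour (creation success alone yields Compliant) and once with the re-check proposed in the report (the desired status fields are compared after the create). FakeCluster, musthave_matches and evaluate_musthave_enforce are constructed names for this example; the musthave list matching is simplified relative to the real controller.

```python
import copy
from typing import Any, Optional


# Constructed to mirror the object-template in [1]; not captured from a cluster.
DESIRED_SUBSCRIPTION = {
    "apiVersion": "operators.coreos.com/v1alpha1",
    "kind": "Subscription",
    "metadata": {"name": "cluster-logging", "namespace": "openshift-logging"},
    "spec": {
        "channel": "stable",
        "installPlanApproval": "Manual",
        "name": "cluster-logging",
        "source": "redhat-operators",
        "sourceNamespace": "openshift-marketplace",
    },
    "status": {"state": "AtLatestKnown"},
}


class FakeCluster:
    """Stand-in for the managed cluster's API server (constructed for this example).

    Objects are keyed by (kind, namespace, name). On create, the stored copy gets
    the status the object's own controller would set first; for a Subscription
    that is UpgradePending, which is what [3] in the report shows."""

    def __init__(self) -> None:
        self.objects: dict = {}

    @staticmethod
    def _key(obj: dict) -> tuple:
        return (obj["kind"], obj["metadata"]["namespace"], obj["metadata"]["name"])

    def get(self, obj: dict) -> Optional[dict]:
        return self.objects.get(self._key(obj))

    def create(self, obj: dict) -> dict:
        stored = copy.deepcopy(obj)
        stored.pop("status", None)  # status is never settable on create
        stored["status"] = {"state": "UpgradePending"}  # simulated OLM initial state
        self.objects[self._key(obj)] = stored
        return stored

    def set_status(self, obj: dict, status: dict) -> None:
        """Simulate the object's own controller moving its status along."""
        self.objects[self._key(obj)]["status"] = status


def musthave_matches(desired: Any, actual: Any) -> bool:
    """musthave semantics: every field in `desired` must be present in `actual`
    with an equal value; extra fields in `actual` are ignored. Each desired list
    element must be matched by some actual element (simplified)."""
    if isinstance(desired, dict):
        if not isinstance(actual, dict):
            return False
        return all(k in actual and musthave_matches(v, actual[k]) for k, v in desired.items())
    if isinstance(desired, list):
        if not isinstance(actual, list):
            return False
        return all(any(musthave_matches(d, a) for a in actual) for d in desired)
    return desired == actual


def evaluate_musthave_enforce(desired: dict, cluster: FakeCluster, recheck_after_create: bool) -> str:
    """Return the compliance an enforce-mode musthave template would report.

    recheck_after_create=False reproduces the behaviour in the report: a
    successful create is taken as Compliant without looking at the result.
    recheck_after_create=True applies the proposed fix: compare the desired
    fields (status included) against what the cluster actually holds."""
    existing = cluster.get(desired)
    if existing is None:
        created = cluster.create(desired)
        if not recheck_after_create:
            return "Compliant"
        existing = created
    return "Compliant" if musthave_matches(desired, existing) else "NonCompliant"


if __name__ == "__main__":
    reported = evaluate_musthave_enforce(DESIRED_SUBSCRIPTION, FakeCluster(), recheck_after_create=False)
    proposed = evaluate_musthave_enforce(DESIRED_SUBSCRIPTION, FakeCluster(), recheck_after_create=True)
    print(f"after create, no re-check: {reported}")   # Compliant (the reported result)
    print(f"after create, with re-check: {proposed}")  # NonCompliant (status.state is UpgradePending)
```

With the re-check in place, the template only turns Compliant once the cluster's own controller has moved status.state to AtLatestKnown, so a consumer such as TALM never sees Compliant before the subscription has actually settled.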
Version-Release number of selected component (if applicable):
ACM 2.9
How reproducible:
100%
Steps to Reproduce:
- Create an enforce policy that includes an object containing a status field, see reference [1]
- Check the enforce policy's compliance status
- ...
Actual results:
The policy shows Compliant as the subscription CR is created.
Expected results:
The policy shows NonCompliant as the status of the subscription CR is not as expected.
Additional info:
[1]: example of the enforce policy
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
  name: sub-policy-enforce
  namespace: ztp-test
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: sub-policy-config-enforce
        spec:
          evaluationInterval:
            compliant: 10m
            noncompliant: 10s
          namespaceSelector:
            exclude:
              - kube-*
            include:
              - '*'
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: cluster-logging
                  namespace: openshift-logging
                spec:
                  channel: stable
                  installPlanApproval: Manual
                  name: cluster-logging
                  source: redhat-operators
                  sourceNamespace: openshift-marketplace
                status:
                  state: AtLatestKnown
          remediationAction: enforce
          severity: low
  remediationAction: enforce
[2]: the policy shows Compliant
status:
  compliant: Compliant
  details:
    - compliant: Compliant
      history:
        - eventName: ztp-test.sub-policy-enforce.177d974f9df69944
          lastTimestamp: "2023-08-22T03:36:43Z"
          message: Compliant; notification - subscriptions [cluster-logging] in namespace openshift-logging was missing, and was created successfully
        - eventName: ztp-test.sub-policy-enforce.177d974f9c8a4520
          lastTimestamp: "2023-08-22T03:36:43Z"
          message: 'NonCompliant; violation - No instances of `subscriptions` found as specified in namespaces: openshift-logging'
      templateMeta:
        creationTimestamp: null
        name: sub-policy-config-enforce
[3]: the subscription's status.state is not the same as specified in the policy
$ oc get subs -n openshift-logging cluster-logging -o json | jq -r '.status.state'
UpgradePending