-
Bug
-
Resolution: Unresolved
-
Undefined
-
ACM 2.7.7
-
None
-
2
-
False
-
None
-
False
-
No
-
-
-
GRC Sprint 2023-16, GRC Sprint 2023-17
-
Moderate
Description of problem:
Coming from https://access.redhat.com/support/cases/#/case/03596282.
The following policy is missing the "apiVersion" in the "objectDefinition", which causes the config-policy-controller to return false in the "isObjectNamespaced" method, which causes the query for the secret to be cluster scoped which always comes back as not found since such a resource type doesn't exist.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-remove-kubeadmin
spec:
remediationAction: inform
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-remove-kubeadmin
spec:
severity: low
object-templates:
- complianceType: mustnothave
objectDefinition:
kind: Secret
metadata:
name: kubeadmin
namespace: kube-system
type: Opaque
Version-Release number of selected component (if applicable):
How reproducible:
See above.
Steps to Reproduce:
- # See above
Actual results:
mustnothave shows as compliant even though the Secret exists.
Expected results:
An error should be returned if the apiVersion field is missing.