Description of problem:
When a ConfigurationPolicy defines a resource that has a list, and that resource is already present on the cluster, the config-policy-controller does not always update the resource to have the correct list. In particular, if the number of items in the list is the same, the config-policy-controller only seems to check one of the items, and can therefore incorrectly think that all of the items are correct.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
rules:
  - verbs:
      - get
      - list
      - watch
      - delete
      - patch
    apiGroups:
      - extensions
    resources:
      - deployments
  - verbs:
      - get
      - list
      - watch
      - delete
      - patch
    apiGroups:
      - apps
    resources:
      - deployments
- Create a ConfigurationPolicy for a Role that specifies the rules above.
- Edit the policy, changing "delete" in the "extensions" rule to "deletecollection".
- (Don't make any other changes to the policy.)
Actual results:
The policy remains compliant, but the role on the cluster does not have the "deletecollection" verb.
Expected results:
The policy should be noncompliant, or when it is enforced, it should update the role.
Additional info:
If you change the "apps" rule instead, the policy behaves correctly, because that appears to be the only item in the list that it checks.
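Added example (not code from this report or from config-policy-controller): a Go comparison that checks every rule in the list rather than one item, replayed on constructed data matching the steps above; the type and function names (PolicyRule, MissingRules, CheckReportScenario) are assumed for this example.

```go
package main

import (
	"sort"
	"strings"
)

// PolicyRule holds the RBAC rule fields the policy in this report uses
// (an assumed shape for this example, not the controller's own type).
type PolicyRule struct{ Verbs, APIGroups, Resources []string }

// canon renders a rule order-insensitively: verbs/groups/resources are sets.
func canon(r PolicyRule) string {
	part := func(xs []string) string {
		c := append([]string(nil), xs...)
		sort.Strings(c)
		return strings.Join(c, ",")
	}
	return "verbs=" + part(r.Verbs) + ";groups=" + part(r.APIGroups) + ";resources=" + part(r.Resources)
}

// MissingRules returns, canonicalized, every desired rule with no equal rule on the
// cluster. Every item is checked, so a same-length list with one changed item fails.
func MissingRules(desired, actual []PolicyRule) []string {
	present := map[string]int{}
	for _, r := range actual {
		present[canon(r)]++
	}
	var missing []string
	for _, r := range desired {
		k := canon(r)
		if present[k] == 0 {
			missing = append(missing, k)
			continue
		}
		present[k]-- // consume one match so duplicated rules are counted
	}
	return missing
}

// CheckReportScenario replays the reproduction steps on constructed data: the cluster
// role still has "delete" on the extensions rule; the edited policy wants "deletecollection".
func CheckReportScenario() []string {
	rule := func(del, group string) PolicyRule {
		return PolicyRule{Verbs: []string{"get", "list", "watch", del, "patch"}, APIGroups: []string{group}, Resources: []string{"deployments"}}
	}
	cluster := []PolicyRule{rule("delete", "extensions"), rule("delete", "apps")}
	policy := []PolicyRule{rule("deletecollection", "extensions"), rule("delete", "apps")}
	return MissingRules(policy, cluster)
}
```

With the buggy single-item check the two lists would pass as compliant; checking each item reports the extensions rule as missing.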
Is cloned by: ACM-7890 [2.7] ConfigurationPolicy doesn't always fully check lists (Closed)