-
Bug
-
Resolution: Done
-
Undefined
-
ACM 2.9.0
-
None
-
2
-
False
-
None
-
False
-
-
-
GRC Sprint 2023-22, GRC Sprint 2023-23, GRC Sprint 2024-01, GRC Sprint 2024-05
-
Moderate
-
+
-
No
Description of problem:
Policies, that tries to match all the object of a Kind, are not shown in the Governance view (if these objects are not compliant).
In this example, there is one Policy which is not Complaint:
oc -n sno1 get policies NAME REMEDIATION ACTION COMPLIANCE STATE AGE ztp-common.common-cv231101-39ba72d-config-policy inform Compliant 149m ztp-group-lb-du.lb-du-cv231101-39ba72d-config-policy inform Compliant 149m ztp-group-lb-du.lb-du-cv231101-39ba72d-config-policy-el8k1 inform Compliant 149m ztp-group-lb-du.lb-du-cv231101-39ba72d-subscription-policy inform Compliant 149m ztp-group-lb-du.lb-du-val-cv231101-39ba72d-validate-policy inform NonCompliant 149m ztp-group-lb-du.optimize-ztp-cv231101-39ba72d-forced-reboot-1 inform Compliant 149m ztp-group-lb-du.optimize-ztp-cv231101-39ba72d-forced-reboot-2 inform Compliant 149m ztp-install.sno1-lb-du-cv231101-39ba72d-config-policy-bt2xm enforce Compliant 41m ztp-install.sno1-lb-du-val-cv231101-39ba72d-validate-poli-8khbm enforce NonCompliant 41m ztp-install.sno1-optimize-ztp-cv231101-39ba72d-forced-reb-xq258 enforce Compliant 41m
But in the Governance View everything is compliant:
some objects of the failing Policy dont appear. In this case, the objects of Kind Node:
> oc -n sno1 get policies ztp-install.sno1-lb-du-val-cv231101-39ba72d-validate-poli-8khbm -o yaml | grep "kind:" | uniq
kind: Policy
kind: ConfigurationPolicy
kind: MachineConfigPool
kind: MachineConfig
kind: SriovNetworkNodeState
kind: Node
kind: PersistentVolume
which only tries to match by Kind:
> oc -n sno1 get policies ztp-install.sno1-lb-du-val-cv231101-39ba72d-validate-poli-8khbm -o yaml | grep "kind: Node" -A 3 -B 2
objectDefinition:
apiVersion: v1
kind: Node
status:
allocatable:
hugepages-1Gi: 32Gi
To match all the objects of Kind Node.
Back to the Governance view, there are none objects of Kind Node:
making very difficult to debug with the Goverance GUI. All the objects appear compliant, but the no compliant one are not showed.
This Policy cannot be compliant because of an wrong desired status that cannot happen. But, if I fix it, it will appear (this time as compliant) in the objects list:
Now the object of Kind Node appears
Version-Release number of selected component (if applicable):
2.9
How reproducible:
Steps to Reproduce:
- Create Policy with an object definition that matches all the objects of Kind
- Make the Policy to fail about be compliant
- The object cannot be seen in the objects list of that Policy
