Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-8782

When an unnamed musthave object is not found, nothing relevant appears in the related resources section

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • ACM 2.10.1
    • ACM 2.9.0
    • GRC
    • None
    • 2
    • False
    • None
    • False
    • GRC Sprint 2023-22, GRC Sprint 2023-23, GRC Sprint 2024-01, GRC Sprint 2024-05
    • Moderate
    • +
    • No

      Description of problem:

      Policies, that tries to match all the object of a Kind, are not shown in the Governance view (if these objects are not compliant).
      In this example, there is one Policy which is not Complaint:

       

       oc -n sno1 get policies
NAME                                                              REMEDIATION ACTION   COMPLIANCE STATE   AGE
ztp-common.common-cv231101-39ba72d-config-policy                  inform               Compliant          149m
ztp-group-lb-du.lb-du-cv231101-39ba72d-config-policy              inform               Compliant          149m
ztp-group-lb-du.lb-du-cv231101-39ba72d-config-policy-el8k1        inform               Compliant          149m
ztp-group-lb-du.lb-du-cv231101-39ba72d-subscription-policy        inform               Compliant          149m
ztp-group-lb-du.lb-du-val-cv231101-39ba72d-validate-policy        inform               NonCompliant       149m
ztp-group-lb-du.optimize-ztp-cv231101-39ba72d-forced-reboot-1     inform               Compliant          149m
ztp-group-lb-du.optimize-ztp-cv231101-39ba72d-forced-reboot-2     inform               Compliant          149m
ztp-install.sno1-lb-du-cv231101-39ba72d-config-policy-bt2xm       enforce              Compliant          41m
ztp-install.sno1-lb-du-val-cv231101-39ba72d-validate-poli-8khbm   enforce              NonCompliant       41m
ztp-install.sno1-optimize-ztp-cv231101-39ba72d-forced-reb-xq258   enforce              Compliant          41m

      But in the Governance View everything is compliant:

      some objects of the failing Policy dont appear.  In this case, the objects of Kind Node:

      > oc -n sno1 get policies ztp-install.sno1-lb-du-val-cv231101-39ba72d-validate-poli-8khbm -o yaml | grep "kind:" | uniq
kind: Policy
      kind: ConfigurationPolicy
            kind: MachineConfigPool
                  kind: MachineConfig
            kind: SriovNetworkNodeState
            kind: Node
            kind: PersistentVolume

      which only tries to match by Kind:

      > oc -n sno1 get policies ztp-install.sno1-lb-du-val-cv231101-39ba72d-validate-poli-8khbm -o yaml | grep "kind: Node" -A 3 -B 2
          objectDefinition:
            apiVersion: v1
            kind: Node
            status:
              allocatable:
                hugepages-1Gi: 32Gi

      To match all the objects of Kind Node.

      Back to the Governance view, there are none objects of Kind Node:

      making very difficult to debug with the Goverance GUI. All the objects appear compliant, but the no compliant one are not showed.

       

      This Policy cannot be compliant because of an wrong desired status that cannot happen. But, if I fix it, it will appear (this time as compliant) in the objects list:

      Now the object of Kind Node appears

      Version-Release number of selected component (if applicable):

      2.9

      How reproducible:

      Steps to Reproduce:

      1.  Create  Policy with an object definition that matches all the objects of Kind
      2.  Make the Policy to fail about be compliant
      3.  The object cannot be seen in the objects list of that Policy

      Actual results:

      Expected results:

      Additional info:

        1. image-2023-11-28-13-27-38-362.png
          image-2023-11-28-13-27-38-362.png
          196 kB
        2. image-2023-11-28-13-30-52-810.png
          image-2023-11-28-13-30-52-810.png
          29 kB
        3. image-2023-11-28-14-10-14-066.png
          image-2023-11-28-14-10-14-066.png
          47 kB
        4. Screenshot 2023-12-11 at 7.20.11 AM.png
          Screenshot 2023-12-11 at 7.20.11 AM.png
          84 kB
        5. Screenshot 2023-12-11 at 7.20.43 AM.png
          Screenshot 2023-12-11 at 7.20.43 AM.png
          445 kB
        6. Screenshot 2024-04-01 at 11.43.02 AM.png
          Screenshot 2024-04-01 at 11.43.02 AM.png
          24 kB

            [ACM-8782] When an unnamed musthave object is not found, nothing relevant appears in the related resources section

            Jose Gato Luis added a comment -

            Hi, is this going to be backported?

            Jose Gato Luis added a comment - Hi, is this going to be backported?

            Yi Rae Kim added a comment -

            Yi Rae Kim added a comment -

            Yi Rae Kim added a comment - - edited

            PR: https://github.com/stolostron/console/pull/3196

            https://github.com/open-cluster-management-io/config-policy-controller/pull/182*

            Yi Rae Kim added a comment - - edited PR: https://github.com/stolostron/console/pull/3196 https://github.com/open-cluster-management-io/config-policy-controller/pull/182*

            Jose Gato Luis added a comment -

            yes, you understood it correctly. But, the issue only affect listing these objects when no compliant. When the object, even if no having name,  turns compliant, appears in the list. In my last screenshot, we can see the object of Kind Node, compliant, and it does not match any specific name of the Kind object.

            Jose Gato Luis added a comment - yes, you understood it correctly. But, the issue only affect listing these objects when no compliant. When the object, even if no having name,  turns compliant, appears in the list. In my last screenshot, we can see the object of Kind Node, compliant, and it does not match any specific name of the Kind object.

            Justin Kulikauskas added a comment -

            I re-titled the issue, based on my understanding of what you've observed. If I misunderstood the issue, please feel free to update it again. I just think this will help us understand the issue to assign it.

            My understanding is that you have a `musthave` object template which does not specify a name (in this case, you want to ensure that there is at least one Node with a certain status). When a Node like that can't be found, the policy is marked as NonCompliant, but there is no object in the Related Resources section for you to explore. I believe that if the template was named, there would be an entry in the Related Resources section with some kind of "not found" reason, and it would be marked as NonCompliant.

            I agree that it would be nice if all NonCompliant configuration policies had at least one NonCompliant related resource.

            Justin Kulikauskas added a comment - I re-titled the issue, based on my understanding of what you've observed. If I misunderstood the issue, please feel free to update it again. I just think this will help us understand the issue to assign it. My understanding is that you have a `musthave` object template which does not specify a name (in this case, you want to ensure that there is at least one Node with a certain status). When a Node like that can't be found, the policy is marked as NonCompliant, but there is no object in the Related Resources section for you to explore. I believe that if the template was named, there would be an entry in the Related Resources section with some kind of "not found" reason, and it would be marked as NonCompliant. I agree that it would be nice if all NonCompliant configuration policies had at least one NonCompliant related resource.

              yikim@redhat.com Yi Rae Kim
              jgato@redhat.com Jose Gato Luis
              Derek Ho Derek Ho
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: