
Policy validation failure in ACM 2.15.0 due to non camel case PGT field namespaceselector


    • Bug
    • Resolution: Unresolved
    • Critical
    • 4.19.z, 4.20.0
    • GitOps ZTP
    • Quality / Stability / Reliability
    • Critical
    • QA
    • Proposed
    • In Progress
    • Release Note Not Required

      This is a clone of issue OCPBUGS-61357. The following is the description of the original issue:

      Description of problem:

          Line 25 of policyTemplate.go (https://github.com/openshift-kni/cnf-features-deploy/blob/master/ztp/policygenerator/policyGen/policyTemplate.go#L25) spells the field as namespaceselector; it should be namespaceSelector. Because of this, every policy created by the PolicyGenTemplate (PGT) generator carries a namespaceselector field. Previous versions of ACM silently ignored the unknown field, but ACM 2.15.0 introduced strict field validation, so ACM 2.15.0 now rejects all policies created with PolicyGenTemplate, which blocks the ACM 2.15 ZTP scale test. Below is an example:
      # oc --kubeconfig=/root/hv-vm/kc/vm00001/kubeconfig get  policy -n vm00001     ztp-common.common-latest-config-policy  -oyaml
      apiVersion: policy.open-cluster-management.io/v1
      kind: Policy
      metadata:
        annotations:
          argocd.argoproj.io/compare-options: IgnoreExtraneous
          policy.open-cluster-management.io/categories: CM Configuration Management
          policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
          policy.open-cluster-management.io/standards: NIST SP 800-53
          ran.openshift.io/ztp-deploy-wave: "1"
        creationTimestamp: "2025-09-06T23:26:53Z"
        generation: 1
        labels:
          app.kubernetes.io/instance: policy-common-and-group
          policy.open-cluster-management.io/cluster-name: vm00001
          policy.open-cluster-management.io/cluster-namespace: vm00001
          policy.open-cluster-management.io/root-policy: ztp-common.common-latest-config-policy
        name: ztp-common.common-latest-config-policy
        namespace: vm00001
        resourceVersion: "12486"
        uid: 32a896e0-839a-47e0-9b6a-0008fc34aece
      spec:
        disabled: false
        policy-templates:
        - objectDefinition:
            apiVersion: policy.open-cluster-management.io/v1
            kind: ConfigurationPolicy
            metadata:
              name: common-latest-config-policy-config
            spec:
              evaluationInterval:
                compliant: 10m
                noncompliant: 10s
              namespaceselector:
                exclude:
                - kube-*
                include:
                - '*'
              object-templates:
              - complianceType: musthave
                objectDefinition:
                  apiVersion: v1
                  data:
                    config.yaml: |
                      alertmanagerMain:
                        enabled: false
                      telemeterClient:
                        enabled: false
                      prometheusK8s:
                         retention: 24h
                  kind: ConfigMap
                  metadata:
                    name: cluster-monitoring-config
                    namespace: openshift-monitoring
              - complianceType: musthave
                objectDefinition:
                  apiVersion: operators.coreos.com/v1alpha1
                  kind: CatalogSource
                  metadata:
                    annotations:
                      target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
                    labels:
                      lca.openshift.io/target-ocp-version: 4.18.0
                    name: rh-du-operators
                    namespace: openshift-marketplace
                  spec:
                    displayName: disconnected-redhat-operators
                    image: d16-h01-000-r650.rdu2.scalelab.redhat.com:5000/olm-mirror/redhat-operator-index:v4.18
                    publisher: Red Hat
                    sourceType: grpc
                    updateStrategy:
                      registryPoll:
                        interval: 1h
                  status:
                    connectionState:
                      lastObservedState: READY
              - complianceType: musthave
                objectDefinition:
                  apiVersion: operator.openshift.io/v1alpha1
                  kind: ImageContentSourcePolicy
                  metadata:
                    name: disconnected-internal-icsp
                  spec:
                    repositoryDigestMirrors:
                    - mirrors:
                      - d16-h01-000-r650.rdu2.scalelab.redhat.com:5000
                      source: registry.redhat.io
                    - mirrors:
                      - d16-h01-000-r650.rdu2.scalelab.redhat.com:5000
                      source: brew.registry.redhat.io
                    - mirrors:
                      - d16-h01-000-r650.rdu2.scalelab.redhat.com:5000
                      source: registry-proxy.engineering.redhat.com
                    - mirrors:
                      - d16-h01-000-r650.rdu2.scalelab.redhat.com:5000/ocp4/openshift4
                      source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
                    - mirrors:
                      - d16-h01-000-r650.rdu2.scalelab.redhat.com:5000/ocp4/openshift4
                      source: quay.io/openshift-release-dev/ocp-release
              remediationAction: inform
              severity: low
        remediationAction: inform
      status:
        compliant: NonCompliant
        details:
        - compliant: NonCompliant
          history:
          - eventName: ztp-common.common-latest-config-policy.1862d5319ae30036
            lastTimestamp: "2025-09-06T23:26:53Z"
            message: 'NonCompliant; template-error; Failed to create policy template: ConfigurationPolicy
              in version "v1" cannot be handled as a ConfigurationPolicy: strict decoding
              error: unknown field "spec.namespaceselector"'
          templateMeta:
            creationTimestamp: null
            name: common-latest-config-policy-config
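      The failing template above is rejected because the strict decoder compares key names exactly. The following Go program is an added pre-flight check, not part of the bug report or of the cnf-features-deploy code: it walks spec.policy-templates[].objectDefinition.spec of a Policy as printed by `oc get policy ... -o json` (JSON rather than YAML because the Go standard library has no YAML parser) and reports any ConfigurationPolicy spec key that only matches a known field case-insensitively, so mis-cased keys such as namespaceselector can be found in a Git repository or on a hub before an upgrade to ACM 2.15.0. The sample policy embedded in it is constructed from the report, and knownSpecFields is an assumed subset of the ConfigurationPolicy schema, not the full CRD. Note that encoding/json's own field matching is case-insensitive, so a plain DisallowUnknownFields decode would not catch this; the exact string comparison below is what a strict Kubernetes decoder effectively does.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// samplePolicy is a constructed, trimmed-down Policy in the shape that
// `oc get policy ... -o json` prints, carrying the mis-cased field from the report.
const samplePolicy = `{
  "apiVersion": "policy.open-cluster-management.io/v1",
  "kind": "Policy",
  "metadata": {"name": "ztp-common.common-latest-config-policy", "namespace": "vm00001"},
  "spec": {
    "disabled": false,
    "remediationAction": "inform",
    "policy-templates": [
      {"objectDefinition": {
        "apiVersion": "policy.open-cluster-management.io/v1",
        "kind": "ConfigurationPolicy",
        "metadata": {"name": "common-latest-config-policy-config"},
        "spec": {
          "evaluationInterval": {"compliant": "10m", "noncompliant": "10s"},
          "namespaceselector": {"exclude": ["kube-*"], "include": ["*"]},
          "object-templates": [],
          "remediationAction": "inform",
          "severity": "low"
        }
      }}
    ]
  }
}`

// knownSpecFields is the set of ConfigurationPolicy spec keys this check accepts.
// Assumed subset taken from the policy in the report, not the full CRD schema.
var knownSpecFields = []string{
	"evaluationInterval", "namespaceSelector", "object-templates",
	"remediationAction", "severity",
}

// Finding describes one spec key a strict, case-sensitive decoder would reject.
type Finding struct {
	Template string // ConfigurationPolicy metadata.name
	Key      string // key exactly as written in the policy
	Expected string // canonical spelling, or "" when no known field matches even case-insensitively
}

// policyDoc models only the parts of a Policy the check needs.
type policyDoc struct {
	Spec struct {
		PolicyTemplates []struct {
			ObjectDefinition struct {
				Kind     string `json:"kind"`
				Metadata struct {
					Name string `json:"name"`
				} `json:"metadata"`
				Spec map[string]json.RawMessage `json:"spec"`
			} `json:"objectDefinition"`
		} `json:"policy-templates"`
	} `json:"spec"`
}

// LintPolicy compares every ConfigurationPolicy spec key exactly against
// knownSpecFields and returns the keys a strict decoder would refuse.
func LintPolicy(raw []byte) ([]Finding, error) {
	var pol policyDoc
	if err := json.Unmarshal(raw, &pol); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var findings []Finding
	for _, t := range pol.Spec.PolicyTemplates {
		od := t.ObjectDefinition
		if od.Kind != "ConfigurationPolicy" {
			continue
		}
		for key := range od.Spec {
			f := Finding{Template: od.Metadata.Name, Key: key}
			exact := false
			for _, want := range knownSpecFields {
				if key == want {
					exact = true
					break
				}
				if strings.EqualFold(key, want) {
					f.Expected = want // same letters, different case: the bug in the report
				}
			}
			if !exact {
				findings = append(findings, f)
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := LintPolicy([]byte(samplePolicy))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		if f.Expected != "" {
			fmt.Printf("%s: unknown field %q (did you mean %q?)\n", f.Template, f.Key, f.Expected)
		} else {
			fmt.Printf("%s: unknown field %q\n", f.Template, f.Key)
		}
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero exit so the check can gate a pipeline
	}
}
```

Run against the embedded sample, the check reports a single finding for common-latest-config-policy-config, namespaceselector with the suggested spelling namespaceSelector, and exits non-zero; once the key is renamed it reports nothing. To run it over real output, replace samplePolicy with the contents of `oc get policy <name> -n <namespace> -o json`.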


      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

          1. Deploy a cluster with ZTP GitOps and the ACM 2.15.0 downstream build, using PolicyGenTemplate to create the policies.
          2. Check the policies after the clusters are deployed.

      Actual results:

          ACM 2.15.0 reports all policies created by PGT with the error below:
      'NonCompliant; template-error; Failed to create policy template: ConfigurationPolicy    in version "v1" cannot be handled as a ConfigurationPolicy: strict decoding    error: unknown field "spec.namespaceselector"'

       

      Expected results:

          All policies created by PGT should pass validation in ACM 2.15.0.

      Additional info:

          

              rh-ee-apalanis Abraham Miller
              rhn-support-txue Ting Xue
              Dwaine Gonyier Dwaine Gonyier