1. Proposed title of this feature request

Policy CLI "dryrun" should read cluster state

2. What is the nature and description of the request?

Customers use the policy CLI tooling to test their changes to their Policies before applying them to RHACM. However customers would like the "dryrun" functionality to also read the current cluster state and then show differences between the current state and when the new Policy is applied.

At the moment both template-resolver and the dry-run tool can only handle one Policy/ConfigurationPolicy. Customers would like to use the output of the policygenenerator with the template-resolver which would generate all the resources from the live cluster.

As an example, let's say we have a policy that creates a namespace with a label and the label is looked up from a configmap. With the new template-resolver we get the full configmap from the cluster but I do not get the namespace itself from the cluster. If we then use these files for the dry-run command it will always state that the namespace is missing. It would be great if the resource that the policy manages can also be fetched from the live cluster via the template-resolver.

3. Why does the customer need this?

Ability to test the effects of a new Policy before actually applying it helps with making changes that do not have unintended side effects. This greatly helps customers to adopt RHACM and Policies.

4. List any affected packages or components.

Policy CLI tooling