Bug 2015588
| Summary: | Inform ACM policy is not checking properly the node fields | | |
|---|---|---|---|
| Product: | Red Hat Advanced Cluster Management for Kubernetes | Reporter: | Juan Manuel Parrilla Madrid <jparrill> |
| Component: | GRC & Policy | Assignee: | Yu Cao <ycao56> |
| Status: | CLOSED ERRATA | QA Contact: | Derek Ho <dho> |
| Severity: | medium | Docs Contact: | Mikela Dockery <mdockery> |
| Priority: | unspecified | | |
| Version: | rhacm-2.3 | CC: | mcornea |
| Target Milestone: | --- | Flags: | dho: qe_test_coverage?; ming: rhacm-2.3.z+ |
| Target Release: | rhacm-2.3.3 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-02-22 21:58:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat Advanced Cluster Management 2.3.6 security updates and bug fixes), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0595

Description of the problem:

Creating an Inform policy that checks the node's allocatable or capacity fields does not show the reality. The policy is in a non-compliant state even with the same value in the policy and in the node object (details in the Additional info).

OCP version: 4.8.5 GA
ACM Version: 2.3.3 Downstream

Steps to reproduce:

1. Apply the policy
2. Check that the policy is not in Compliant state even though the node has that field in its description

Actual results: Policy in NonCompliant

Expected results: Policy in Compliant

Additional info:

=====> Node:

```yaml
apiVersion: v1
kind: Node
metadata:
  annotations:
    k8s.ovn.org/host-addresses: '["fd00:4888:2000:119c::100"]'
    k8s.ovn.org/l3-gateway-config: '{"default":{"mode":"shared","interface-id":"br-ex_master-0.sno.hqlan.lan","mac-address":"b4:96:91:a3:ab:94","ip-addresses":["fd00:4888:2000:119c::100/64"],"ip-address":"fd00:4888:2000:119c::100/64","next-hops":["fd00:4888:2000:119c::"],"next-hop":"fd00:4888:2000:119c::","node-port-enable":"true","vlan-id":"0"}}'
    k8s.ovn.org/node-chassis-id: cb2b7cc0-7fe0-4aac-8476-d6015accaf6d
    k8s.ovn.org/node-mgmt-port-mac-address: fa:57:7a:43:bc:34
    k8s.ovn.org/node-primary-ifaddr: '{"ipv6":"fd00:4888:2000:119c::100/64"}'
    k8s.ovn.org/node-subnets: '{"default":"fd01:0:0:1::/64"}'
    k8s.ovn.org/topology-version: "4"
    machineconfiguration.openshift.io/controlPlaneTopology: SingleReplica
    machineconfiguration.openshift.io/currentConfig: rendered-master-e579f70bbc1ec17a1bc2ce76d334f8e4
    machineconfiguration.openshift.io/desiredConfig: rendered-master-e579f70bbc1ec17a1bc2ce76d334f8e4
    machineconfiguration.openshift.io/reason: ""
    machineconfiguration.openshift.io/state: Done
    sriovnetwork.openshift.io/state: Idle
    volumes.kubernetes.io/controller-managed-attach-detach: "true"
  creationTimestamp: "2021-10-06T09:21:22Z"
  labels:
    beta.kubernetes.io/arch: amd64
    beta.kubernetes.io/os: linux
    fpga.intel.com/intel-accelerator-present: ""
    kubernetes.io/arch: amd64
    kubernetes.io/hostname: master-0.sno.hqlan.lan
    kubernetes.io/os: linux
    node-role.kubernetes.io/master: ""
    node-role.kubernetes.io/worker: ""
    node.openshift.io/os_id: rhcos
  name: master-0.sno.hqlan.lan
  resourceVersion: "19191398"
  uid: d02ebc7e-6bd7-4208-a611-925bc5040da5
spec: {}
status:
  addresses:
  - address: fd00:4888:2000:119c::100
    type: InternalIP
  - address: master-0.sno.hqlan.lan
    type: Hostname
  allocatable:
    cpu: "58"
    ephemeral-storage: "1727851483143"
    hugepages-1Gi: 10Gi
    hugepages-2Mi: "0"
    intel.com/intel_fec_acc100: "0"
    management.workload.openshift.io/cores: 64k
    memory: 120060376Ki
    openshift.io/cvl_2_sno1_net: "8"
    openshift.io/cvl_sno1: "5"
    openshift.io/cvl_sno1_net: "5"
    pods: "250"
  capacity:
    cpu: "64"
    ephemeral-storage: 1874838852Ki
    hugepages-1Gi: 10Gi
    hugepages-2Mi: "0"
    intel.com/intel_fec_acc100: "0"
    management.workload.openshift.io/cores: 64k
    memory: 131672536Ki
    openshift.io/cvl_2_sno1_net: "8"
    openshift.io/cvl_sno1: "5"
    openshift.io/cvl_sno1_net: "5"
    pods: "250"
  conditions:
  - lastHeartbeatTime: "2021-10-19T15:18:22Z"
...
...
```

=====> Policy:

```yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
  name: group-du-sno-sriov-validator
  namespace: group-du-sno
spec:
  remediationAction: inform
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: group-du-sno-sriov-validator
        spec:
          remediationAction: inform
          severity: low
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Node
                metadata:
                  name: master-0.sno.hqlan.lan
                status:
                  allocatable:
                    hugepages-2Mi: "0"
```

=====> Policy log

```yaml
status:
  compliant: NonCompliant
  details:
  - compliant: NonCompliant
    history:
    - eventName: group-du-sno.group-du-sno-sriov-validator.16af77f9ef1e1248
      lastTimestamp: "2021-10-19T15:25:05Z"
      message: 'NonCompliant; notification - pods [sriov-network-operator-5d7fb9c569-8tc49] in namespace openshift-sriov-network-operator found as specified, therefore this Object template is compliant; notification - pods [network-resources-injector-9zbjd] in namespace openshift-sriov-network-operator found as specified, therefore this Object template is compliant; notification - pods [sriov-cni-mcfwc] in namespace openshift-sriov-network-operator found as specified, therefore this Object template is compliant; notification - pods [sriov-network-config-daemon-kgfn9] in namespace openshift-sriov-network-operator found as specified, therefore this Object template is compliant; notification - pods [operator-webhook-nc98w] in namespace openshift-sriov-network-operator found as specified, therefore this Object template is compliant; notification - pods [sriov-device-plugin-gs95x] in namespace openshift-sriov-network-operator found as specified, therefore this Object template is compliant; violation - nodes not found: [master-0.sno.hqlan.lan] found but not as specified'
```

=====> Logs on the Config Controller:

```
...
...
...
configpolicy common-gitops-operator-validator in namespace(s) [NA]
configpolicy group-du-sno-sriov-validator in namespace(s) [NA]
processing object templates for policy common-gitops-operator-validator...
processing object templates for policy group-du-sno-sriov-validator...
configpolicy group-du-sno-sriov-validator in namespace(s) [NA]
configpolicy common-gitops-operator-validator in namespace(s) [NA]
processing object templates for policy group-du-sno-sriov-validator...
processing object templates for policy common-gitops-operator-validator...
configpolicy group-du-sno-sriov-validator in namespace(s) [NA]
configpolicy common-gitops-operator-validator in namespace(s) [NA]
processing object templates for policy common-gitops-operator-validator...
processing object templates for policy group-du-sno-sriov-validator...
configpolicy group-du-sno-sriov-validator in namespace(s) [NA]
configpolicy common-gitops-operator-validator in namespace(s) [NA]
processing object templates for policy group-du-sno-sriov-validator...
processing object templates for policy common-gitops-operator-validator...
configpolicy common-gitops-operator-validator in namespace(s) [NA]
configpolicy group-du-sno-sriov-validator in namespace(s) [NA]
processing object templates for policy group-du-sno-sriov-validator...
processing object templates for policy common-gitops-operator-validator...
configpolicy common-gitops-operator-validator in namespace(s) [NA]
configpolicy group-du-sno-sriov-validator in namespace(s) [NA]
processing object templates for policy common-gitops-operator-validator...
processing object templates for policy group-du-sno-sriov-validator...
configpolicy common-gitops-operator-validator in namespace(s) [NA]
configpolicy group-du-sno-sriov-validator in namespace(s) [NA]
processing object templates for policy group-du-sno-sriov-validator...
processing object templates for policy common-gitops-operator-validator...
configpolicy group-du-sno-sriov-validator in namespace(s) [NA]
configpolicy common-gitops-operator-validator in namespace(s) [NA]
processing object templates for policy common-gitops-operator-validator...
processing object templates for policy group-du-sno-sriov-validator...
configpolicy common-gitops-operator-validator in namespace(s) [NA]
configpolicy group-du-sno-sriov-validator in namespace(s) [NA]
processing object templates for policy common-gitops-operator-validator...
processing object templates for policy group-du-sno-sriov-validator...
```
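
An independent check of the report's expectation, added here as an example (it is not part of the original report and is not the config policy controller's code). It assumes `musthave` means every field in the template must be present in the live object with an equal value; `musthave_diff`, `NODE`, `TEMPLATE` and `VARIANT` are hypothetical names, and the list handling is also an assumption.

```python
# Added example: a plain subset comparison, NOT the controller's logic.
# Assumption: "musthave" = template fields must be a subset of the live object.

def musthave_diff(template, live, path=""):
    """Return the paths at which `live` fails to contain `template`."""
    if isinstance(template, dict):
        if not isinstance(live, dict):
            return [f"{path or '.'}: expected mapping, found {type(live).__name__}"]
        problems = []
        for key, want in template.items():
            here = f"{path}.{key}"
            if key not in live:
                problems.append(f"{here}: missing")
            else:
                problems.extend(musthave_diff(want, live[key], here))
        return problems
    if isinstance(template, list):
        if not isinstance(live, list):
            return [f"{path or '.'}: expected list, found {type(live).__name__}"]
        # Assumed list rule: each template item must match some live item.
        return [f"{path}[{i}]: no matching item"
                for i, want in enumerate(template)
                if not any(not musthave_diff(want, item, path) for item in live)]
    # Scalars compare by value and type: "0" (string) is not 0 (int).
    return [] if template == live else [f"{path}: want {template!r}, found {live!r}"]

# Excerpt of the Node object posted in the report (most fields omitted).
NODE = {
    "apiVersion": "v1",
    "kind": "Node",
    "metadata": {"name": "master-0.sno.hqlan.lan"},
    "status": {"allocatable": {"cpu": "58", "hugepages-1Gi": "10Gi",
                               "hugepages-2Mi": "0", "pods": "250"}},
}

# objectDefinition from the report's ConfigurationPolicy object-template.
TEMPLATE = {
    "apiVersion": "v1",
    "kind": "Node",
    "metadata": {"name": "master-0.sno.hqlan.lan"},
    "status": {"allocatable": {"hugepages-2Mi": "0"}},
}

# Constructed variant (not from the report) that should be flagged.
VARIANT = {"status": {"allocatable": {"hugepages-2Mi": "1Gi"}}}

if __name__ == "__main__":
    print("report template:", musthave_diff(TEMPLATE, NODE) or "compliant")
    print("constructed variant:", musthave_diff(VARIANT, NODE))
```

Under that assumption the report's template is contained in the posted Node, which matches the reporter's expected result of Compliant.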