Bug 2151462

Summary: GRC policies are not getting propagated for cluster-admin users
Product: Red Hat Advanced Cluster Management for Kubernetes
Component: GRC & Policy
Version: rhacm-2.6.z
Hardware: x86_64
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: high
Type: Bug
Reporter: Mihir Lele <mlele>
Assignee: Chaitanya K <ckandaga>
QA Contact: Derek Ho <dho>
CC: gparvin, mprahl
Flags: dho: qe_test_coverage-
Target Milestone: ---
Target Release: ---
Doc Type: If docs needed, set a value
Last Closed: 2023-02-09 14:00:00 UTC

Description Mihir Lele 2022-12-07 08:18:08 UTC
Description of the problem:

GRC policies are not getting propagated for cluster-admin users. The policies get deployed on the managed clusters if the policies are created using the kubeadmin user.

Release version: ACM 2.6.2

Steps to reproduce:

Login to the ACM UI and create a GRC policy

Actual results:

The PlacementRule is not read by the propagator and hence the policy does not get propagated to the managed clusters (local-cluster and one imported managed cluster).

Expected results:

Policy should get propagated to the managed clusters.

Additional info:

1) The policy gets propagated if the customer creates it using the kubeadmin user
2) The ACM UI is being used to create these policies
3) The customer does not have any GitOps integration in this environment
4) Users are externally authenticated AD users that have the cluster-admin role assigned to them

Workaround:

Manually edit the PlacementRule and remove the user and group annotations.
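Added example (not from the reporter or from the ACM project): the workaround above removes the identity annotations the console stamps on a PlacementRule it creates. The snippet below shows what those annotations carry and generates the equivalent JSON Patch instead of editing the object by hand. It assumes the annotation keys are open-cluster-management.io/user-identity and open-cluster-management.io/user-group with base64-encoded values, and that the propagator acts on the identity and groups found there; the bug page implies this but does not name the keys, so treat them as assumptions and check them against a PlacementRule in your own hub. The PlacementRule manifest is constructed for the example.

```python
import base64
import copy
import json

# Assumed annotation keys (not stated on the bug page): the ACM console is
# understood to record the creating user and their groups here, base64 encoded.
USER_IDENTITY_ANN = "open-cluster-management.io/user-identity"
USER_GROUP_ANN = "open-cluster-management.io/user-group"

# Constructed sample: a PlacementRule as the console would create it for an
# externally authenticated AD user who holds cluster-admin via a group.
SAMPLE_PLACEMENTRULE = {
    "apiVersion": "apps.open-cluster-management.io/v1",
    "kind": "PlacementRule",
    "metadata": {
        "name": "placement-policy-example",
        "namespace": "default",
        "annotations": {
            USER_IDENTITY_ANN: base64.b64encode(b"ad-user@example.com").decode(),
            USER_GROUP_ANN: base64.b64encode(
                b"cluster-admins,system:authenticated,system:authenticated:oauth"
            ).decode(),
        },
    },
    "spec": {"clusterSelector": {"matchLabels": {"environment": "dev"}}},
}


def decode_identity(rule):
    """Return (user, [groups]) recorded on the PlacementRule, or (None, [])
    when it carries no identity annotations. Useful to see which LDAP groups
    the hub actually knew about when the object was created."""
    ann = rule.get("metadata", {}).get("annotations") or {}
    user = None
    groups = []
    if USER_IDENTITY_ANN in ann:
        user = base64.b64decode(ann[USER_IDENTITY_ANN]).decode()
    if USER_GROUP_ANN in ann:
        raw = base64.b64decode(ann[USER_GROUP_ANN]).decode()
        groups = [g for g in raw.split(",") if g]
    return user, groups


def strip_identity_annotations(rule):
    """The workaround from the bug as a pure function: return a copy of the
    PlacementRule with the user and group annotations removed."""
    patched = copy.deepcopy(rule)
    ann = patched.setdefault("metadata", {}).get("annotations")
    if ann:
        ann.pop(USER_IDENTITY_ANN, None)
        ann.pop(USER_GROUP_ANN, None)
        if not ann:
            del patched["metadata"]["annotations"]
    return patched


def json_patch_for_workaround(rule):
    """RFC 6902 JSON Patch removing the two annotations, for use with
    `oc patch placementrule <name> -n <ns> --type=json -p '<patch>'`.
    Only emits a remove op for a key that is actually present, since
    removing a missing path makes the whole patch fail."""
    ann = rule.get("metadata", {}).get("annotations") or {}
    ops = []
    for key in (USER_IDENTITY_ANN, USER_GROUP_ANN):
        if key in ann:
            # RFC 6901 pointer escaping: '~' -> '~0', then '/' -> '~1'
            token = key.replace("~", "~0").replace("/", "~1")
            ops.append({"op": "remove", "path": f"/metadata/annotations/{token}"})
    return ops


if __name__ == "__main__":
    print("identity on rule:", decode_identity(SAMPLE_PLACEMENTRULE))
    print(json.dumps(json_patch_for_workaround(SAMPLE_PLACEMENTRULE), indent=2))
```

Decoding the group list before stripping it is the diagnostic step: if the groups recorded there do not match what `oc get groups` on the hub reports for that user, the LDAP group sync is the first place to look, which is where Comment 4 ends up pointing.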

Comment 4 Gus Parvin 2023-02-09 14:00:00 UTC
While the support case was closed with an unclear resolution, we believe the problem was with the syncing of the groups from LDAP to OpenShift. The last recommendation was to redirect the support ticket to OpenShift for troubleshooting. Please follow up if any additional support is needed here. Thanks