1936949 – Policies not getting propagated to local-cluster with all clusters filter

Bug 1936949 - Policies not getting propagated to local-cluster with all clusters filter

Summary: Policies not getting propagated to local-cluster with all clusters filter

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Advanced Cluster Management for Kubernetes
Classification:	Red Hat
Component:	Cluster Lifecycle
Sub Component:
Version:	rhacm-2.1.z
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	---
Target Release:	rhacm-2.2
Assignee:	James Talton
QA Contact:	Derek Ho
Docs Contact:	Christopher Dawson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-03-09 14:17 UTC by Mihir Lele
Modified:	2024-10-01 17:39 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-06-23 22:50:01 UTC
Target Upstream Version:
Embargoed:
Flags:	ming: rhacm-2.1.z+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	open-cluster-management backlog issues 10276	None	None	None	2021-03-10 14:31:53 UTC
Github	open-cluster-management backlog issues 9986	None	None	None	2021-03-09 15:18:42 UTC
Red Hat Product Errata	RHBA-2021:2540	None	None	None	2021-06-23 22:50:04 UTC

Description Mihir Lele 2021-03-09 14:17:54 UTC

Issue Description:

Create a placementrule for selecting all clusters. All other managed clusters are selected, but the local-cluster is not selected.

Version-Release number of selected component (if applicable): 2.1.z


How reproducible: Always


Steps to Reproduce:
1. Create a GRC policy with no labels on the placement rule
2. Its observed that the policy gets deployed on all the managedclusters except for the local-cluster

Actual results:

Policy is not deployed on the local-cluster

Expected results:

Policies should be deployed on the local-cluster too.

Additional info:

// list all managed clusters
% oc get managedclusters 
NAME            HUB ACCEPTED   MANAGED CLUSTER URLS   JOINED   AVAILABLE   AGE
local-cluster   true                                  True     True        56d
cluster1    true                                  True     True        16h

// only cluster1 is selected by the placementrule.
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: all-ready-clusters
  namespace: default
spec:
  clusterSelector: {}
status:
  decisions:
  - clusterName: cluster1
    clusterNamespace: cluster1
Root cause
The placementrule user is not granted to create deployables resources in the local-cluster namespace, while it is granted in other manged cluster namespaces.

Workaround:

Create a Role for granting the deployable admin permission in the local-cluster namespace. Then create a RoleBinding to grant the placementrule user to the role.

// Create a Role for granting the deployable admin permission in the local-cluster namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployables-admin-user-zisis
  namespace: local-cluster
rules:
- apiGroups:
  - apps.open-cluster-management.io
  resources:
  - deployables
  verbs:
  - '*'

// Create a RoleBinding to bind the placementrule user to the Role as above
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployables-admin-user-zisis
  namespace: local-cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployables-admin-user-zisis
  namespace: local-cluster
subjects:
- kind: User
  name: zisis
  apiGroup: rbac.authorization.k8s.io

Comment 11 errata-xmlrpc 2021-06-23 22:50:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Advanced Cluster Management 2.1.8 bug fix and container updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2540

Comment 12 Red Hat Bugzilla 2023-09-15 01:03:05 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

Note You need to log in before you can comment on or make changes to this bug.