Created attachment 1847387
The enforce version of the policy.

Description of problem:
The inform Policy which applies the DU configuration for ClusterLogForwarding never resolves to the Compliant state. This inform policy is copied to create an enforce policy which is used to apply the configuration to the cluster. The enforce version of the Policy goes compliant but the inform version of the Policy remains NotCompliant.

The inform policy (enforce copy attached):

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
    ran.openshift.io/ztp-deploy-wave: "10"
  labels:
    app.kubernetes.io/instance: policies
  name: group-cnfocto1-log-forwarder-policy
  namespace: ztp-group-cnfocto1
spec:
  disabled: false
  policy-templates:
  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: group-cnfocto1-log-forwarder-policy-config
      spec:
        namespaceselector:
          exclude:
          - kube-*
          include:
          - '*'
        object-templates:
        - complianceType: musthave
          objectDefinition:
            apiVersion: logging.openshift.io/v1
            kind: ClusterLogForwarder
            metadata:
              annotations:
                ran.openshift.io/ztp-deploy-wave: "10"
              name: instance
              namespace: openshift-logging
            spec:
              inputs:
              - infrastructure:
                  namespaces:
                  - openshift-apiserver
                  - openshift-cluster-version
                  - openshift-etcd
                  - openshift-kube-scheduler
                  - openshift-monitoring
                  - openshift-performance-addon
                  - openshift-ptp
                  - openshift-machine-config-operator
                  - open-cluster-management-agent
                  - open-cluster-management-agent-addon
                name: infra-logs
              outputs:
              - name: kafka-open
                type: kafka
                url: tcp://10.1.2.3:9092/test
              pipelines:
              - inputRefs:
                - audit
                name: audit-logs
                outputRefs:
                - kafka-open
              - inputRefs:
                - infrastructure
                name: infrastructure-logs
                outputRefs:
                - kafka-open
        remediationAction: inform
        severity: low
  remediationAction: inform

The applied ClusterLogForwarder configuration continues to grow in size as additional content is continually added to the spec.

apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  annotations:
    ran.openshift.io/ztp-deploy-wave: "10"
  creationTimestamp: "2021-12-22T15:21:53Z"
  generation: 839
  name: instance
  namespace: openshift-logging
  resourceVersion: "419157"
  uid: 9101269b-f222-4f83-a36f-cb1cb0648749
spec:
  inputs:
  - infrastructure: {}
    name: infra-logs
  - infrastructure: {}
    name: infra-logs
  - infrastructure: {}
    name: infra-logs
  <snip 840 additional identical entries>

Version-Release number of selected component (if applicable):
4.10

How reproducible:
Always

Steps to Reproduce:
1. Deploy cluster using gitops ZTP configured for inform policies
2. Use Topology Aware Lifecycle Operator to remediate those policies to cluster
3.

Actual results:
ClusterLogForwarder inform policy does not go compliant but the enforce policy does. ClusterLogForwarder CR on the cluster continues to grow.

Expected results:
Both policies go compliant. ClusterLogForwarder gets desired content.

Additional info:
ZTP install with TALO succeeded using ztp site generate image built from master branch.
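The growth pattern in the report can be reproduced with a small model of a `musthave` list check. This is an added example, not code from the bug report or from the policy controller: it assumes a simplified merge (append whatever desired item has no superset match in the stored list) and assumes, as the report's listing shows, that the stored entries come back as `infrastructure: {}` rather than the full desired item. The `duplicate_names` check is the detection a practitioner would run against a live CR.

```python
"""Constructed model of a ConfigurationPolicy `musthave` list check (not the
controller's own code). Shows why a desired item that never matches the stored
entries keeps an inform policy NonCompliant while an enforce policy appends it
on every reconcile."""
from collections import Counter
import copy

# Desired `spec.inputs` item, taken from the policy's object-template above
# (namespaces list shortened).
DESIRED_INPUT = {
    "name": "infra-logs",
    "infrastructure": {"namespaces": ["openshift-apiserver", "openshift-etcd"]},
}
# Stored entry as it appears on the cluster in the report (constructed).
STORED_INPUT = {"name": "infra-logs", "infrastructure": {}}


def is_subset(desired, actual):
    """musthave semantics: every desired key/value must be present in actual."""
    if isinstance(desired, dict):
        return isinstance(actual, dict) and all(
            k in actual and is_subset(v, actual[k]) for k, v in desired.items())
    if isinstance(desired, list):
        return isinstance(actual, list) and all(
            any(is_subset(d, a) for a in actual) for d in desired)
    return desired == actual


def missing_items(desired_list, actual_list):
    """Desired items with no matching entry; non-empty means NonCompliant (inform)."""
    return [d for d in desired_list if not any(is_subset(d, a) for a in actual_list)]


def enforce_step(desired_list, actual_list):
    """One enforce reconcile under the simplified merge: append the missing items."""
    return actual_list + copy.deepcopy(missing_items(desired_list, actual_list))


def simulate(desired_list, stored_template, cycles):
    """Run `cycles` reconciles; after each one the API stores every entry as
    `stored_template` (assumption modelling the report's `infrastructure: {}`)."""
    actual = []
    for _ in range(cycles):
        actual = [copy.deepcopy(stored_template) for _ in enforce_step(desired_list, actual)]
    return actual


def duplicate_names(inputs):
    """Detection check for a live CR: input names that occur more than once."""
    return {n: c for n, c in Counter(i["name"] for i in inputs).items() if c > 1}
```

Point `duplicate_names` at the `spec.inputs` of a dumped ClusterLogForwarder to flag the runaway growth before the object reaches hundreds of entries.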
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056