Clarify the recordDiff default behavior

Signed-off-by: mprahl <mprahl@users.noreply.github.com>
open-cluster-management-io · May 21, 2024 · e22b067 · e22b067
1 parent 0dcb265
commit e22b067
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 9 deletions.
diff --git a/api/v1/configurationpolicy_types.go b/api/v1/configurationpolicy_types.go
@@ -199,9 +199,13 @@ type ObjectTemplate struct {
  // +kubebuilder:pruning:PreserveUnknownFields
  ObjectDefinition runtime.RawExtension `json:"objectDefinition"`
 
- // RecordDiff specifies whether (and where) to log the diff between the object on the
- // cluster and the objectDefinition in the policy. Defaults to "None" when the object kind is
- // ConfigMap, OAuthAccessToken, OAuthAuthorizeTokens, Route, or Secret. Defaults to "InStatus" otherwise.
+ // RecordDiff specifies whether and where to log the difference between the object on the cluster
+ // and the `objectDefinition` parameter in the policy. The supported options are `InStatus` to record the
+ // difference in the policy status field, `Log` to log the difference in the
+ // `config-policy-controller` pod, and `None` to not log the diff. The default value is `None` for
+ // object kinds that include sensitive data such as `ConfigMap`, `OAuthAccessToken`,
+ // `OAuthAuthorizeTokens`, `Route`, and `Secret`, or when a templated `objectDefinition` references sensitive
+ // data. For all other kinds, the default value is `InStatus`.
  RecordDiff RecordDiff `json:"recordDiff,omitempty"`
 }
 

diff --git a/...ustomize_configurationpolicy/policy.open-cluster-management.io_configurationpolicies.yaml b/...ustomize_configurationpolicy/policy.open-cluster-management.io_configurationpolicies.yaml
@@ -165,9 +165,13 @@ spec:
  x-kubernetes-preserve-unknown-fields: true
  recordDiff:
  description: |-
- RecordDiff specifies whether (and where) to log the diff between the object on the
- cluster and the objectDefinition in the policy. Defaults to "None" when the object kind is
- ConfigMap, OAuthAccessToken, OAuthAuthorizeTokens, Route, or Secret. Defaults to "InStatus" otherwise.
+ RecordDiff specifies whether and where to log the difference between the object on the cluster
+ and the `objectDefinition` parameter in the policy. The supported options are `InStatus` to record the
+ difference in the policy status field, `Log` to log the difference in the
+ `config-policy-controller` pod, and `None` to not log the diff. The default value is `None` for
+ object kinds that include sensitive data such as `ConfigMap`, `OAuthAccessToken`,
+ `OAuthAuthorizeTokens`, `Route`, and `Secret`, or when a templated `objectDefinition` references sensitive
+ data. For all other kinds, the default value is `InStatus`.
  enum:
  - Log
  - InStatus

diff --git a/deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml b/deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
@@ -172,9 +172,13 @@ spec:
  x-kubernetes-preserve-unknown-fields: true
  recordDiff:
  description: |-
- RecordDiff specifies whether (and where) to log the diff between the object on the
- cluster and the objectDefinition in the policy. Defaults to "None" when the object kind is
- ConfigMap, OAuthAccessToken, OAuthAuthorizeTokens, Route, or Secret. Defaults to "InStatus" otherwise.
+ RecordDiff specifies whether and where to log the difference between the object on the cluster
+ and the `objectDefinition` parameter in the policy. The supported options are `InStatus` to record the
+ difference in the policy status field, `Log` to log the difference in the
+ `config-policy-controller` pod, and `None` to not log the diff. The default value is `None` for
+ object kinds that include sensitive data such as `ConfigMap`, `OAuthAccessToken`,
+ `OAuthAuthorizeTokens`, `Route`, and `Secret`, or when a templated `objectDefinition` references sensitive
+ data. For all other kinds, the default value is `InStatus`.
  enum:
  - Log
  - InStatus