MustNotHave mode for OperatorPolicy #222
Conversation
JustinKuli
force-pushed
the
9287-mustnothave
branch
from
c94f6a1
to
ff1f704
Compare
Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
JustinKuli
force-pushed
the
9287-mustnothave
branch
from
2e1d948
to
268dc5d
Compare
Also adjusts CSV reporting to handle when the CSV exists but the subscription does not, by using a label that OLM adds to these objects. The authorino operator was chosen because it has more than one CRD, but not too many to make a concise test. Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
JustinKuli
force-pushed
the
9287-mustnothave
branch
from
268dc5d
to
350f6fa
Compare
When the subscription has a ConstraintsNotSatisfiable condition, the exact content of the message is not always consistent. We have added other things to sort the message better, but it looks like we missed this test which was still assuming a certain part was first. Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
JustinKuli
force-pushed
the
9287-mustnothave
branch
from
350f6fa
to
1cd841d
Compare
|
Tests passed twice, I'm finally feeling good about this 😆 |
| //+kubebuilder:default=DeleteIfUnused | ||
| //+kubebuilder:validation:Enum=Keep;Delete;DeleteIfUnused | ||
| // Specifies whether to delete the OperatorGroup; defaults to 'DeleteIfUnused' which | ||
| // will only delete the OperatorGroup if there is not another Subscription using it. |
There was a problem hiding this comment.
So "Delete" means delete even though another sub uses this?
There was a problem hiding this comment.
Right, it means "Delete, regardless of any consequences". Kind of like a mustnothave configuration policy.
|
|
||
| //+kubebuilder:default=Delete | ||
| //+kubebuilder:validation:Enum=Keep;Delete | ||
| // Specifies whether to delete the ClusterServiceVersion; defaults to 'Delete' |
There was a problem hiding this comment.
Can we add when this happens? maybe top of RemovalBehavior
There was a problem hiding this comment.
In the CRD description for removalBehavior, it says "RemovalBehavior defines what resources will be removed by enforced mustnothave policies ..."
Is that what you meant? Or what's another place to put it?
api/v1beta1/operatorpolicy_types.go
Outdated
| // Kind APIServiceDefinitions | ||
| APIServiceDefinitions RemovalAction `json:"apiServiceDefinitions,omitempty"` | ||
|
|
||
| // Future? |
There was a problem hiding this comment.
😆 the whole feature was a TODO ...
This type / option was something I thought would be good during the design, but I haven't found anyone asking for it, or any examples of it yet, so I want to hold off on it until we can understand it better.
api/v1beta1/operatorpolicy_types.go
Outdated
| // Kind APIServiceDefinitions | ||
| APIServiceDefinitions RemovalAction `json:"apiServiceDefinitions,omitempty"` | ||
|
|
||
| // Future? |
There was a problem hiding this comment.
Let's just remove this commented out code
JustinKuli
force-pushed
the
9287-mustnothave
branch
from
1cd841d
to
5656849
Compare
| return nil, updateStatus(policy, keptCond("ClusterServiceVersion"), relatedCSVs...), nil | ||
| } | ||
|
|
||
| for i := range csvList { |
There was a problem hiding this comment.
Is it possible to have more than one CSV?
There was a problem hiding this comment.
In general, there might be more than one CSV: I think if one fails it might stay around even while another one is created. However, it's not clear to me if/when OLM will remove the label from an old CSV. So I would say it's very likely there would only be one CSV in this list, but it should handle the case where there are more.
controllers/operatorpolicy_status.go
Outdated
| @@ -489,6 +560,17 @@ func subResFailedCond(subFailedCond operatorv1alpha1.SubscriptionCondition) meta | |||
| return cond | |||
| } | |||
|
|
|||
| // irrelevantCond returns a Compliant condition, with a Reason like '____Irrelevant', | |||
There was a problem hiding this comment.
Is NotApplicable a little better?
There was a problem hiding this comment.
That does sound better
|
@JustinKuli does the order of operations matter? To me, it seems like we should wait for the subscription to be fully deleted before deleting anything else so that we don't conflict with OLM. What do you think? |
| opPolName = "oppol-authorino" | ||
| ) | ||
| BeforeAll(func() { | ||
| utils.Kubectl("delete", "crd", "--selector=olm.managed=true") |
@mprahl that could be nice. I think that even if stuff was deleted in the wrong order, eventually this would get to the correct state, but it could be a lot of churn on the cluster: for example if the CSV was deleted before the Subscription was removed, OLM would probably re-create the CSV. The policy would reconcile several times and (probably) eventually get to a stable status. This also makes me think that we might want to validate some relationships between the removalBehavior options: if Subscriptions is set to Keep, than it should probably be an error to set ClusterServiceVersions to Delete, since that would cause a loop with OLM. |
JustinKuli
force-pushed
the
9287-mustnothave
branch
from
5656849
to
c07b031
Compare
controllers/operatorpolicy_status.go
Outdated
| return metav1.Condition{ | ||
| Type: condType(kind), | ||
| Status: metav1.ConditionTrue, | ||
| Reason: kind + "Excluded", |
There was a problem hiding this comment.
What about this?
| Reason: kind + "Excluded", | |
| Reason: kind + "NotPresent", |
There was a problem hiding this comment.
Updated this. "Included" is also now "Present" and the deleted and kept conditions are updated so that their messages are shorter and avoid the "checked by the mustnothave" language.
controllers/operatorpolicy_status.go
Outdated
| Type: condType(kind), | ||
| Status: metav1.ConditionTrue, | ||
| Reason: kind + "Excluded", | ||
| Message: "the " + kind + " checked by the mustnothave policy was not found", |
There was a problem hiding this comment.
Perhaps we can get straight to the point. The user should know this is desired based on the compliance type they set.
| Message: "the " + kind + " checked by the mustnothave policy was not found", | |
| Message: "the " + kind + " is not present", |
Enforced mustnohave policies will delete things based on the new RemovalBehavior field. In inform mode, resources that would be removed by an enforced policy will be causes for NonCompliance. This gives control to users in order to prevent unintended side effects. Refs: - https://issues.redhat.com/browse/ACM-9287 Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
JustinKuli
force-pushed
the
9287-mustnothave
branch
from
c07b031
to
34f38bc
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JustinKuli, mprahl The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| @@ -600,13 +680,33 @@ func buildCSVCond(csv *operatorv1alpha1.ClusterServiceVersion) metav1.Condition | |||
| } | |||
| } | |||
|
|
|||
| // noCSVCond is a NonCompliant condition with Reason 'RelevantCSVNotFound' | |||
| var noCSVCond = metav1.Condition{ | |||
| Type: csvConditionType, | |||
| Status: metav1.ConditionFalse, | |||
There was a problem hiding this comment.
Maybe I missed something, but wouldn't this imply that the reason "RelevantCSVNotFound" is false here given the status of the condition?
There was a problem hiding this comment.
Conditions and reasons can be confusing, and that's not limited to just our use of them. I think the status goes with the type, not the reason.
So I read them like <Type>? <Status>, because <Reason>. Extra info: <Message>
So in this case, "ClusterServiceVersionCompliant? False, because RelevantCSVNotFound. Extra info: A relevant installed ClusterServiceVersion could not be found"
| //+kubebuilder:default=Keep | ||
| //+kubebuilder:validation:Enum=Keep;Delete | ||
| // Specifies whether to delete any CustomResourceDefinitions associated with the operator; | ||
| // defaults to 'Keep' because deleting them should be done deliberately | ||
| CRDs RemovalAction `json:"customResourceDefinitions,omitempty"` |
There was a problem hiding this comment.
Do these CRDs refer to CRDs created by OLM as a prerequisite for installing the desired operator?
There was a problem hiding this comment.
They are the CRDs created by OLM, as defined in the PackageManifest/ClusterServiceVersion for the operator.
|
/unhold |
openshift-merge-bot
bot
merged commit 1711136
into
open-cluster-management-io:main
This was added to the compliance message in open-cluster-management-io/config-policy-controller#222 Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
This was added to the compliance message in open-cluster-management-io/config-policy-controller#222 Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
For https://issues.redhat.com/browse/ACM-9287