|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * scalability_and_performance/ztp-deploying-disconnected.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="ztp-configuring-pgt-compliance-eval-timeouts_{context}"] |
| 7 | += Configuring policy compliance evaluation timeouts for PolicyGenTemplate CRs |
| 8 | + |
| 9 | +Use {rh-rhacm-first} installed on a hub cluster to monitor and report on whether your managed clusters are compliant with applied policies. {rh-rhacm} uses policy templates to apply predefined policy controllers and policies. Policy controllers are Kubernetes custom resource definition (CRD) instances. |
| 10 | + |
| 11 | +You can override the default policy evaluation intervals with `PolicyGenTemplate` custom resources (CRs). You configure duration settings that define how long a `ConfigurationPolicy` CR can be in a state of policy compliance or non-compliance before {rh-rhacm} re-evaluates the applied cluster policies. |
| 12 | + |
| 13 | +The zero touch provisioning (ZTP) policy generator generates `ConfigurationPolicy` CR policies with pre-defined policy evaluation intervals. The default value for the `noncompliant` state is 10 seconds. The default value for the `compliant` state is 10 minutes. To disable the evaluation interval, set the value to `never`. |
| 14 | + |
| 15 | +.Prerequisites |
| 16 | + |
| 17 | +* You have installed the OpenShift CLI (`oc`). |
| 18 | +
|
| 19 | +* You have logged in to the hub cluster as a user with `cluster-admin` privileges. |
| 20 | +
|
| 21 | +* You have created a Git repository where you manage your custom site configuration data. |
| 22 | +
|
| 23 | +.Procedure |
| 24 | + |
| 25 | +. To configure the evaluation interval for all policies in a `PolicyGenTemplate` CR, add `evaluationInterval` to the `spec` field, and then set the appropriate `compliant` and `noncompliant` values. For example: |
| 26 | ++ |
| 27 | +[source,yaml] |
| 28 | +---- |
| 29 | +spec: |
| 30 | + evaluationInterval: |
| 31 | + compliant: 30m |
| 32 | + noncompliant: 20s |
| 33 | +---- |
| 34 | + |
| 35 | +. To configure the evaluation interval for the `spec.sourceFiles` object in a `PolicyGenTemplate` CR, add `evaluationInterval` to the `sourceFiles` field, for example: |
| 36 | ++ |
| 37 | +[source,yaml] |
| 38 | +---- |
| 39 | +spec: |
| 40 | + sourceFiles: |
| 41 | + - fileName: SriovSubscription.yaml |
| 42 | + policyName: "sriov-sub-policy" |
| 43 | + evaluationInterval: |
| 44 | + compliant: never |
| 45 | + noncompliant: 10s |
| 46 | +---- |
| 47 | + |
| 48 | +. Commit the `PolicyGenTemplate` CRs files in the Git repository and push your changes. |
| 49 | + |
| 50 | +.Verification |
| 51 | + |
| 52 | +Check that the managed spoke cluster policies are monitored at the expected intervals. |
| 53 | + |
| 54 | +. Log in as a user with `cluster-admin` privileges on the managed cluster. |
| 55 | + |
| 56 | +. Get the pods that are running in the `open-cluster-management-agent-addon` namespace. Run the following command: |
| 57 | ++ |
| 58 | +[source,terminal] |
| 59 | +---- |
| 60 | +$ oc get pods -n open-cluster-management-agent-addon |
| 61 | +---- |
| 62 | ++ |
| 63 | +.Example output |
| 64 | +[source,terminal] |
| 65 | +---- |
| 66 | +NAME READY STATUS RESTARTS AGE |
| 67 | +config-policy-controller-858b894c68-v4xdb 1/1 Running 22 (5d8h ago) 10d |
| 68 | +---- |
| 69 | + |
| 70 | +. Check the applied policies are being evaluated at the expected interval in the logs for the `config-policy-controller` pod: |
| 71 | ++ |
| 72 | +[source,terminal] |
| 73 | +---- |
| 74 | +$ oc logs -n open-cluster-management-agent-addon config-policy-controller-858b894c68-v4xdb |
| 75 | +---- |
| 76 | ++ |
| 77 | +.Example output |
| 78 | +[source,terminal] |
| 79 | +---- |
| 80 | +2022-05-10T15:10:25.280Z info configuration-policy-controller controllers/configurationpolicy_controller.go:166 Skipping the policy evaluation due to the policy not reaching the evaluation interval {"policy": "compute-1-config-policy-config"} |
| 81 | +2022-05-10T15:10:25.280Z info configuration-policy-controller controllers/configurationpolicy_controller.go:166 Skipping the policy evaluation due to the policy not reaching the evaluation interval {"policy": "compute-1-common-compute-1-catalog-policy-config"} |
| 82 | +---- |
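Review bot: The `compliant: never` value in the `sourceFiles` example (new-file line 44) is given with no statement of its effect on monitoring. The only explanation is "To disable the evaluation interval, set the value to `never`" at line 13, which can be read either as "evaluate without waiting" or as "stop re-evaluating". Because this procedure is about reporting non-compliance, say explicitly what happens to a policy that is in the `compliant` state when the value is `never`, and repeat that next to the example so readers do not copy it without knowing the consequence. Two smaller points: the title and the id (lines 6 and 7) say "timeouts" while the body uses "evaluation intervals" throughout, so pick one term; and "CRs files" at line 48 should read "CR files".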