Correct compliance on no-op dryrun updates

Previously, the policy status would incorrectly have a noncompliant
event followed immediately by a compliant event when a dryrun update
would not make any changes on that object. This would cause the policy
status to repeatedly update if the policy was reconciling often - for
example if any of its watched objects were updating.

Now only the correct "compliant" event should be emitted in that case.

NOTE: This is a backport, but not just a cherry-pick. This incorporates
some of the changes from these upstream PRs, with updates for tests:
- open-cluster-management-io/config-policy-controller#404
- open-cluster-management-io/config-policy-controller#377

Refs:
 - https://issues.redhat.com/browse/ACM-25742

Signed-off-by: Justin Kulikauskas <[email protected]>

Author: JustinKuli

controllers/configurationpolicy_controller.go

@@ -3313,9 +3313,10 @@ func (r *ConfigurationPolicyReconciler) checkAndUpdateResource(
 				diff = handleDiff(log, recordDiff, existingObjectCopy, mergedObjCopy, r.FullDiffs)
 			}
 
-			r.setEvaluatedObject(obj.policy, obj.existingObj, !throwSpecViolation, "")
+			// treat the object as compliant, with no updates needed
+			r.setEvaluatedObject(obj.policy, obj.existingObj, true, "")
 
-			return throwSpecViolation, "", diff, updateNeeded, updatedObj
+			return false, "", diff, false, updatedObj
 		}
 
 		diff = handleDiff(log, recordDiff, existingObjectCopy, dryRunUpdatedObj, r.FullDiffs)
@@ -3561,6 +3562,10 @@ func removeFieldsForComparison(obj *unstructured.Unstructured) {
 	)
 	// The generation might actually bump but the API output might be the same.
 	unstructured.RemoveNestedField(obj.Object, "metadata", "generation")
+
+	if len(obj.GetAnnotations()) == 0 {
+		unstructured.RemoveNestedField(obj.Object, "metadata", "annotations")
+	}
 }
 
 // setEvaluatedObject updates the cache to indicate that the ConfigurationPolicy has evaluated this

test/e2e/case8_status_check_test.go

@@ -6,26 +6,27 @@ package e2e
 import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	"open-cluster-management.io/config-policy-controller/test/utils"
 )
 
-const (
-	case8ConfigPolicyNamePod         string = "policy-pod-to-check"
-	case8ConfigPolicyNameCheck       string = "policy-status-checker"
-	case8ConfigPolicyNameCheckFail   string = "policy-status-checker-fail"
-	case8ConfigPolicyNameEnforceFail string = "policy-status-enforce-fail"
-	case8PolicyYamlPod               string = "../resources/case8_status_check/case8_pod.yaml"
-	case8PolicyYamlCheck             string = "../resources/case8_status_check/case8_status_check.yaml"
-	case8PolicyYamlCheckFail         string = "../resources/case8_status_check/case8_status_check_fail.yaml"
-	case8PolicyYamlEnforceFail       string = "../resources/case8_status_check/case8_status_enforce_fail.yaml"
-	case8ConfigPolicyStatusPod       string = "policy-pod-invalid"
-	case8PolicyYamlBadPod            string = "../resources/case8_status_check/case8_pod_fail.yaml"
-	case8PolicyYamlSpecChange        string = "../resources/case8_status_check/case8_pod_change.yaml"
-)
-
 var _ = Describe("Test pod obj template handling", func() {
+	const (
+		case8ConfigPolicyNamePod         string = "policy-pod-to-check"
+		case8ConfigPolicyNameCheck       string = "policy-status-checker"
+		case8ConfigPolicyNameCheckFail   string = "policy-status-checker-fail"
+		case8ConfigPolicyNameEnforceFail string = "policy-status-enforce-fail"
+		case8PolicyYamlPod               string = "../resources/case8_status_check/case8_pod.yaml"
+		case8PolicyYamlCheck             string = "../resources/case8_status_check/case8_status_check.yaml"
+		case8PolicyYamlCheckFail         string = "../resources/case8_status_check/case8_status_check_fail.yaml"
+		case8PolicyYamlEnforceFail       string = "../resources/case8_status_check/case8_status_enforce_fail.yaml"
+		case8ConfigPolicyStatusPod       string = "policy-pod-invalid"
+		case8PolicyYamlBadPod            string = "../resources/case8_status_check/case8_pod_fail.yaml"
+		case8PolicyYamlSpecChange        string = "../resources/case8_status_check/case8_pod_change.yaml"
+	)
+
 	Describe("Create a policy on managed cluster in ns:"+testNamespace, Ordered, func() {
 		It("should create a policy properly on the managed cluster", func() {
 			By("Creating " + case8ConfigPolicyNamePod + " on managed")
@@ -171,3 +172,124 @@ var _ = Describe("Test pod obj template handling", func() {
 		})
 	})
 })
+
+var _ = FDescribe("Test related object property status", Ordered, func() {
+	Describe("Create a policy missing a field added by kubernetes", Ordered, func() {
+		const (
+			policyName  = "policy-service"
+			serviceName = "grc-policy-propagator-metrics"
+			policyYAML  = "../resources/case8_status_check/case8_service_inform.yaml"
+			serviceYAML = "../resources/case8_status_check/case8_service.yaml"
+			parentYAML  = "../resources/case8_status_check/case8_parent.yaml"
+			parentName  = "case8-parent"
+		)
+
+		It("Should be compliant when the inform policy omits a field added by the apiserver", func() {
+			By("Creating a Service with explicit type: ClusterIP")
+			utils.Kubectl("apply", "-f", serviceYAML)
+
+			By("Creating the " + policyName + " policy that omits the type field)")
+			createObjWithParent(parentYAML, parentName, policyYAML, testNamespace, gvrPolicy, gvrConfigPolicy)
+
+			By("Verifying that the " + policyName + " policy is compliant")
+			Eventually(func(g Gomega) {
+				managedPlc := utils.GetWithTimeout(
+					clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds,
+				)
+
+				utils.CheckComplianceStatus(g, managedPlc, "Compliant")
+
+				relatedObjects, _, err := unstructured.NestedSlice(managedPlc.Object, "status", "relatedObjects")
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(relatedObjects).To(HaveLen(1))
+			}, defaultTimeoutSeconds, 1).Should(Succeed())
+
+			By("Verifying that only one compliance event was emitted")
+			Consistently(func() []v1.Event {
+				return utils.GetMatchingEvents(clientManaged, testNamespace, parentName, "policy:", ".*", 5)
+			}, 10, 1).Should(HaveLen(1))
+		})
+
+		It("Should be compliant when the enforce policy omits a field added by the apiserver", func() {
+			By("Changing the policy to enforce mode")
+			utils.EnforceConfigurationPolicy(policyName, testNamespace)
+
+			By("Verifying that the " + policyName + " policy is compliant")
+			Eventually(func(g Gomega) {
+				managedPlc := utils.GetWithTimeout(
+					clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds,
+				)
+
+				utils.CheckComplianceStatus(g, managedPlc, "Compliant")
+
+				gen, found, err := unstructured.NestedInt64(managedPlc.Object, "status", "lastEvaluatedGeneration")
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(found).To(BeTrue())
+				g.Expect(gen).To(BeEquivalentTo(2))
+			}, defaultTimeoutSeconds, 1).Should(Succeed())
+
+			By("Verifying that only two compliance events have been emitted")
+			Consistently(func() []v1.Event {
+				return utils.GetMatchingEvents(clientManaged, testNamespace, parentName, "policy:", ".*", 5)
+			}, 10, 1).Should(HaveLen(2))
+		})
+
+		It("Should be compliant when the enforce policy includes all fields", func() {
+			By("Patching the " + policyName + " policy with the Service type field)")
+			utils.Kubectl("patch", "configurationpolicy", policyName, "-n", testNamespace, "--type=json", "-p",
+				`[{"op": "add", "path": "/spec/object-templates/0/objectDefinition/spec/type", "value": "ClusterIP"}]`)
+
+			By("Verifying that the " + policyName + " policy is compliant")
+			Eventually(func(g Gomega) {
+				managedPlc := utils.GetWithTimeout(
+					clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds,
+				)
+
+				utils.CheckComplianceStatus(g, managedPlc, "Compliant")
+
+				gen, found, err := unstructured.NestedInt64(managedPlc.Object, "status", "lastEvaluatedGeneration")
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(found).To(BeTrue())
+				g.Expect(gen).To(BeEquivalentTo(3))
+			}, defaultTimeoutSeconds, 1).Should(Succeed())
+
+			By("Verifying that only three compliance events have been emitted")
+			Consistently(func() []v1.Event {
+				return utils.GetMatchingEvents(clientManaged, testNamespace, parentName, "policy:", ".*", 5)
+			}, 10, 1).Should(HaveLen(3))
+		})
+
+		It("Should be compliant when the inform policy includes all fields", func() {
+			By("Changing the policy to inform mode")
+			utils.Kubectl("patch", "configurationpolicy", policyName, `--type=json`,
+				`-p=[{"op":"replace","path":"/spec/remediationAction","value":"inform"}]`, "-n", testNamespace)
+
+			By("Verifying that the " + policyName + " policy is compliant")
+			Eventually(func(g Gomega) {
+				managedPlc := utils.GetWithTimeout(
+					clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds,
+				)
+
+				utils.CheckComplianceStatus(g, managedPlc, "Compliant")
+
+				gen, found, err := unstructured.NestedInt64(managedPlc.Object, "status", "lastEvaluatedGeneration")
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(found).To(BeTrue())
+				g.Expect(gen).To(BeEquivalentTo(4))
+			}, defaultTimeoutSeconds, 1).Should(Succeed())
+
+			By("Verifying that only four compliance events have been emitted")
+			Consistently(func() []v1.Event {
+				return utils.GetMatchingEvents(clientManaged, testNamespace, parentName, "policy:", ".*", 5)
+			}, 10, 1).Should(HaveLen(4))
+		})
+
+		AfterAll(func() {
+			deleteConfigPolicies([]string{policyName, policyName})
+
+			utils.KubectlDelete("service", serviceName, "-n", "managed")
+			utils.KubectlDelete("policy", parentName, "-n", testNamespace)
+			utils.KubectlDelete("events", "-n", testNamespace, "--field-selector=involvedObject.name="+parentName)
+		})
+	})
+})

test/resources/case8_status_check/case8_parent.yaml

@@ -0,0 +1,8 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: case8-parent
+spec:
+  remediationAction: inform
+  disabled: false
+  policy-templates: []

test/resources/case8_status_check/case8_service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: grc-policy-propagator-metrics
+  namespace: managed
+spec:
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: metrics-https
+    port: 8443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    app: grc
+    component: ocm-policy-propagator
+    release: grc
+  sessionAffinity: None
+  type: ClusterIP

test/resources/case8_status_check/case8_service_inform.yaml

@@ -0,0 +1,40 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+  name: policy-service
+  namespace: managed
+  ownerReferences:
+  - apiVersion: policy.open-cluster-management.io/v1
+    kind: Policy
+    name: case8-parent
+    uid: 12345678-90ab-cdef-1234-567890abcdef # must be replaced before creation
+spec:
+  remediationAction: inform
+  severity: low
+  object-templates:
+  - complianceType: mustonlyhave
+    metadataComplianceType: musthave
+    objectDefinition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: grc-policy-propagator-metrics
+        namespace: managed
+      spec: # Intentionally omitting 'type' field - K8s will default to ClusterIP 
+        clusterIP: '{{ (lookup "v1" "Service" "managed" "grc-policy-propagator-metrics").spec.clusterIP }}'
+        clusterIPs:
+        - '{{ (lookup "v1" "Service" "managed" "grc-policy-propagator-metrics").spec.clusterIP }}'
+        internalTrafficPolicy: Cluster
+        ipFamilies:
+        - IPv4
+        ipFamilyPolicy: SingleStack
+        ports:
+        - name: metrics-https
+          port: 8443
+          protocol: TCP
+          targetPort: 8443
+        selector:
+          app: grc
+          component: ocm-policy-propagator
+          release: grc
+        sessionAffinity: None