GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0
31 stars, 28 forks

Org Policy: constraints/gcp.resourceLocations and constraints/storage.publicAccessPrevention fails to set when already set as Google Managed Default #208

Open obriensystems opened 1 year ago

obriensystems commented 1 year ago

Update troubleshooting section as well. Reapply (remove the .kptignore entry) after the cluster comes up - for a 2nd run - thanks Chris

only 2 of 86 left

michael@cloudshell:~/dev/pdt-oldev/obriensystems (kcc-lz-8597)$ kubectl get gcp | grep UpToDate | wc -l
86
michael@cloudshell:~/dev/pdt-oldev/obriensystems (kcc-lz-8597)$ kubectl get gcp | grep UpdateFailed 
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-resource-locations            60m   False   UpdateFailed   60m
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/storage-public-access-prevention       60m   False   UpdateFailed   60m
michael@cloudshell:~/dev/pdt-oldev/obriensystems (kcc-lz-8597)$ kubectl describe resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/restrict-resource-locations
Name:         restrict-resource-locations
Namespace:    config-control
Labels:       guardrail=true
              guardrails-enforced=guardrail-05
Annotations:  cnrm.cloud.google.com/blueprint: kpt-pkg-fn-live
              cnrm.cloud.google.com/management-conflict-prevention-policy: none
              cnrm.cloud.google.com/state-into-spec: merge
              config.k8s.io/owning-inventory: f032d6f3057af4a4cd57d7e71366edde0ef8ac6a-1670461105763137652
              internal.kpt.dev/upstream-identifier: resourcemanager.cnrm.cloud.google.com|ResourceManagerPolicy|config-control|restrict-resource-locations
API Version:  resourcemanager.cnrm.cloud.google.com/v1beta1
Kind:         ResourceManagerPolicy
Metadata:
  Creation Timestamp:  2022-12-08T00:59:57Z
  Finalizers:
    cnrm.cloud.google.com/finalizer
    cnrm.cloud.google.com/deletion-defender
  Generation:  1
  Managed Fields:
    API Version:  resourcemanager.cnrm.cloud.google.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"cnrm.cloud.google.com/deletion-defender":
          v:"cnrm.cloud.google.com/finalizer":
    Manager:      cnrm-controller-manager
    Operation:    Update
    Time:         2022-12-08T00:59:57Z
    API Version:  resourcemanager.cnrm.cloud.google.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:observedGeneration:
    Manager:      cnrm-controller-manager
    Operation:    Update
    Subresource:  status
    Time:         2022-12-08T00:59:57Z
    API Version:  resourcemanager.cnrm.cloud.google.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:cnrm.cloud.google.com/blueprint:
          f:config.k8s.io/owning-inventory:
          f:internal.kpt.dev/upstream-identifier:
          f:kubectl.kubernetes.io/last-applied-configuration:
        f:labels:
          .:
          f:guardrail:
          f:guardrails-enforced:
      f:spec:
        .:
        f:constraint:
        f:listPolicy:
          .:
          f:allow:
            .:
            f:all:
            f:values:
        f:organizationRef:
          .:
          f:external:
    Manager:         kubectl
    Operation:       Update
    Time:            2022-12-08T00:59:57Z
  Resource Version:  114578
  UID:               608bcb7a-80a1-4d80-8ac0-d636106d6fd4
Spec:
  Constraint:  constraints/gcp.resourceLocations
  List Policy:
    Allow:
      All:  false
      Values:
        northamerica-northeast1
        northamerica-northeast2
  Organization Ref:
    External:  583675367868
Status:
  Conditions:
    Last Transition Time:  2022-12-08T00:59:57Z
    Message:               Update call failed: error applying desired state: summary: googleapi: Error 400: Invalid value at 'policy' (oneof), oneof field 'policy_type' is already set. Cannot set 'restoreDefault'
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.BadRequest",
    "fieldViolations": [
      {
        "description": "Invalid value at 'policy' (oneof), oneof field 'policy_type' is already set. Cannot set 'restoreDefault'",
        "field": "policy"
      }
    ]
  }
]
, invalid
    Reason:             UpdateFailed
    Status:             False
    Type:               Ready
  Observed Generation:  1
Events:
  Type     Reason        Age                 From                              Message
  ----     ------        ----                ----                              -------
  Warning  UpdateFailed  41m (x14 over 57m)  resourcemanagerpolicy-controller  Update call failed: error applying desired state: summary: googleapi: Error 400: Invalid value at 'policy' (oneof), oneof field 'policy_type' is already set. Cannot set 'restoreDefault'
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.BadRequest",
    "fieldViolations": [
      {
        "description": "Invalid value at 'policy' (oneof), oneof field 'policy_type' is already set. Cannot set 'restoreDefault'",
        "field": "policy"
      }
    ]
  }
]
, invalid
  Normal  Updating  60s (x34 over 57m)  resourcemanagerpolicy-controller  Update in progress
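
An added example, not code from the toolkit or the reporter: a small Python triage helper that reads the shape of `kubectl get gcp -A -o json` (sample constructed here from the describe output above), lists every Config Connector resource that is not Ready, and flags the ones hitting the Org Policy `policy_type`/`restoreDefault` oneof error shown in this issue.

```python
import json
import re
# Constructed sample in the shape of `kubectl get gcp -A -o json`, modelled on the
# describe output quoted in this issue; it is not real cluster output.
CONFLICT_MSG = ("Update call failed: error applying desired state: summary: googleapi: "
                "Error 400: Invalid value at 'policy' (oneof), oneof field 'policy_type' "
                "is already set. Cannot set 'restoreDefault'")
SAMPLE_KCC_LIST = json.dumps({"items": [
  {"kind": "ResourceManagerPolicy", "metadata": {"name": "restrict-resource-locations"},
   "spec": {"constraint": "constraints/gcp.resourceLocations",
            "listPolicy": {"allow": {"all": False, "values": ["northamerica-northeast1",
                                                             "northamerica-northeast2"]}}},
   "status": {"conditions": [{"type": "Ready", "status": "False",
                              "reason": "UpdateFailed", "message": CONFLICT_MSG}]}},
  {"kind": "ResourceManagerPolicy", "metadata": {"name": "storage-public-access-prevention"},
   "spec": {"constraint": "constraints/storage.publicAccessPrevention",
            "booleanPolicy": {"enforced": True}},
   "status": {"conditions": [{"type": "Ready", "status": "False",
                              "reason": "UpdateFailed", "message": CONFLICT_MSG}]}},
  {"kind": "IAMPolicyMember", "metadata": {"name": "guardrail-viewer"},  # constructed, healthy
   "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "UpToDate"}]}},
]})

# The Org Policy API error from this issue: the request carried a concrete policy
# (listPolicy/booleanPolicy) together with restoreDefault, and both live in one oneof.
ONEOF_CONFLICT = re.compile(r"oneof field 'policy_type' is already set\. Cannot set 'restoreDefault'")

def ready_condition(item):
    """Return the Ready condition of a Config Connector resource, or None."""
    return next((c for c in item.get("status", {}).get("conditions", [])
                 if c.get("type") == "Ready"), None)

def triage(kcc_json):
    """List (kind/name, reason, conflict) for every resource that is not Ready;
    conflict is True when the message is the restoreDefault oneof error above."""
    findings = []
    for item in json.loads(kcc_json)["items"]:
        cond = ready_condition(item) or {}  # no Ready condition yet -> still pending
        if cond.get("status") == "True":
            continue
        ident = f"{item['kind']}/{item['metadata']['name']}"
        findings.append((ident, cond.get("reason", "Pending"),
                         bool(ONEOF_CONFLICT.search(cond.get("message", "")))))
    return findings

def summarize(kcc_json):
    """Counts mirroring the `kubectl get gcp | grep ... | wc -l` checks in the issue."""
    failed = triage(kcc_json)
    return {"total": len(json.loads(kcc_json)["items"]), "not_ready": len(failed),
            "policy_oneof_conflict": sum(1 for _, _, c in failed if c)}
```

Against a live cluster, pipe `kubectl get gcp -A -o json` into `triage`; resources flagged with `conflict=True` are the ones the comments below say to reapply once the cluster is up.
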

fmichaelobrien commented 1 year ago

On my 2nd LZ create - we are fully ok

michael@cloudshell:~/dev/pdt-oldev (kcc-lz-8597)$ kubectl get gcp | grep UpdateFailed
michael@cloudshell:~/dev/pdt-oldev (kcc-lz-8597)$ kubectl get gcp | grep UpdateFailed | wc -l
0

fmichaelobrien commented 1 year ago

Reapply (remove the .kptignore entry) after the cluster comes up - for a 2nd run - thanks Chris

cartyc commented 1 year ago

@fmichaelobrien is this issue still good to keep open or can we close it?