Prevent no-op updates of ConstraintTemplates

The policy added in the test, with both a ConstraintTemplate and
Constraint, was found to oscillate between "created" and "updated"
events. This filled up the policy history, caused repeated reconciles in
multiple controllers, and unnecesary API requests.

The Semantic.DeepEqual has been replaced with comparing the marshalled
JSON for the desired and actual object specs - this is likely slower,
but more accurate. It is not clear what in the Policy precisely caused
the issue. As a second protection against this behavior, when the
template-sync updates an object, it now compares the new resourceVersion
against the old one, to skip work if the object did not actually change.

Refs:
 - https://issues.redhat.com/browse/ACM-29231

Signed-off-by: Justin Kulikauskas <[email protected]>

Author: JustinKuli

controllers/templatesync/template_sync.go

@@ -4,6 +4,7 @@
 package templatesync
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@@ -811,12 +812,12 @@ func (r *PolicyReconciler) Reconcile(ctx context.Context, request reconcile.Requ
 			eObjectUnstructured["spec"] = tObjectUnstructured.Object["spec"]
 
 			eObject.SetAnnotations(tObjectUnstructured.GetAnnotations())
-
 			eObject.SetLabels(tObjectUnstructured.GetLabels())
-
 			eObject.SetOwnerReferences(tObjectUnstructured.GetOwnerReferences())
 
-			_, err = res.Update(ctx, eObject, metav1.UpdateOptions{
+			previousRV := eObject.GetResourceVersion()
+
+			updatedObj, err := res.Update(ctx, eObject, metav1.UpdateOptions{
 				FieldValidation: metav1.FieldValidationStrict,
 			})
 			if err != nil {
@@ -845,38 +846,40 @@ func (r *PolicyReconciler) Reconcile(ctx context.Context, request reconcile.Requ
 				continue
 			}
 
-			successMsg := fmt.Sprintf("Policy template %s was updated successfully", tName)
+			if updatedObj.GetResourceVersion() != previousRV {
+				successMsg := fmt.Sprintf("Policy template %s was updated successfully", tName)
 
-			// Handle cluster scoped objects
-			if isClusterScoped {
-				addFinalizer = true
+				// Handle cluster scoped objects
+				if isClusterScoped {
+					addFinalizer = true
 
-				reqLogger.V(2).Info("Finalizer required for " + gvk.Kind)
+					reqLogger.V(2).Info("Finalizer required for " + gvk.Kind)
 
-				if isGkObj {
-					r.setCreatedGkConstraint(true)
-				}
-				// The ConstraintTemplate does not generate status, so we need to generate an event for it
-				if isGkConstraintTemplate {
-					tLogger.Info("Emitting status event for " + gvk.Kind)
-					msg := fmt.Sprintf("%s %s was updated successfully", gvk.Kind, tName)
+					if isGkObj {
+						r.setCreatedGkConstraint(true)
+					}
+					// The ConstraintTemplate does not generate status, so we need to generate an event for it
+					if isGkConstraintTemplate {
+						tLogger.Info("Emitting status event for " + gvk.Kind)
+						msg := fmt.Sprintf("%s %s was updated successfully", gvk.Kind, tName)
 
-					emitErr := r.emitTemplateSuccess(ctx, instance, tIndex, tName, isClusterScoped, msg)
-					if emitErr != nil {
-						resultError = emitErr
+						emitErr := r.emitTemplateSuccess(ctx, instance, tIndex, tName, isClusterScoped, msg)
+						if emitErr != nil {
+							resultError = emitErr
+						}
 					}
 				}
-			}
 
-			err = r.handleSyncSuccess(ctx, instance, tIndex, tName, successMsg, res, gvk.GroupVersion(), eObject)
-			if err != nil {
-				resultError = err
-				tLogger.Error(resultError, "Error after updating template (will requeue)")
+				err = r.handleSyncSuccess(ctx, instance, tIndex, tName, successMsg, res, gvk.GroupVersion(), eObject)
+				if err != nil {
+					resultError = err
+					tLogger.Error(resultError, "Error after updating template (will requeue)")
 
-				policySystemErrorsCounter.WithLabelValues(instance.Name, tName, "patch-error").Inc()
-			}
+					policySystemErrorsCounter.WithLabelValues(instance.Name, tName, "patch-error").Inc()
+				}
 
-			tLogger.Info("Existing object has been updated")
+				tLogger.Info("Existing object has been updated")
+			}
 		} else {
 			err = r.handleSyncSuccess(ctx, instance, tIndex, tName, "", res, gvk.GroupVersion(), eObject)
 			if err != nil {
@@ -1044,7 +1047,10 @@ func equivalentTemplates(eObject *unstructured.Unstructured, tObject *unstructur
 		}
 	}
 
-	if !equality.Semantic.DeepEqual(eObject.UnstructuredContent()["spec"], tObject.Object["spec"]) {
+	eJSON, e1 := json.Marshal(eObject.UnstructuredContent()["spec"])
+	tJSON, e2 := json.Marshal(tObject.Object["spec"])
+
+	if !bytes.Equal(eJSON, tJSON) || e1 != nil || e2 != nil {
 		return false
 	}
 

test/e2e/case17_gatekeeper_sync_test.go

@@ -36,6 +36,8 @@ var _ = Describe("Test Gatekeeper ConstraintTemplate and constraint sync", Order
 		policyYamlExtra           string        = yamlBasePath + policyName + "-extra.yaml"
 		policyName2               string        = policyName + "-2"
 		policyYaml2               string        = yamlBasePath + policyName2 + ".yaml"
+		maxIAMPolicyName          string        = "gatekeeper-limitclusteradmin"
+		maxIAMPolicyYaml          string        = yamlBasePath + "limitclusteradmin-policy.yaml"
 		gkAuditFrequency          time.Duration = time.Minute
 		gkConstraintTemplateName  string        = caseNumber + "constrainttemplate"
 		gkConstraintTemplateYaml  string        = yamlBasePath + gkConstraintTemplateName + ".yaml"
@@ -98,7 +100,7 @@ var _ = Describe("Test Gatekeeper ConstraintTemplate and constraint sync", Order
 			Expect(err).ToNot(HaveOccurred())
 		}
 
-		for _, pName := range []string{policyName, policyName2} {
+		for _, pName := range []string{policyName, policyName2, maxIAMPolicyName} {
 			By("Deleting policy " + pName + " on the hub in ns:" + clusterNamespaceOnHub)
 			err := clientHubDynamic.Resource(gvrPolicy).Namespace(clusterNamespaceOnHub).Delete(
 				context.TODO(), pName, metav1.DeleteOptions{},
@@ -496,6 +498,66 @@ var _ = Describe("Test Gatekeeper ConstraintTemplate and constraint sync", Order
 		)
 	})
 
+	It("should not repeatedly reconcile the 'maxiamclusterbindings' ConstraintTemplate", func() {
+		By("Applying the " + maxIAMPolicyName + " policy")
+		_, err := kubectlHub("apply", "-f", maxIAMPolicyYaml, "-n", clusterNamespaceOnHub)
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Waiting for policy status to be populated")
+		Eventually(func(g Gomega) {
+			plc := propagatorutils.GetWithTimeout(clientManagedDynamic, gvrPolicy,
+				maxIAMPolicyName, clusterNamespace, true, defaultTimeoutSeconds)
+
+			dpt, found, err := unstructured.NestedSlice(plc.Object, "status", "details")
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(found).To(BeTrue())
+			g.Expect(dpt).To(HaveLen(2))
+
+			dpt0, ok := dpt[0].(map[string]any)
+			g.Expect(ok).To(BeTrue())
+
+			history0, found, err := unstructured.NestedSlice(dpt0, "history")
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(found).To(BeTrue())
+			g.Expect(history0).NotTo(BeEmpty())
+
+			dpt1, ok := dpt[1].(map[string]any)
+			g.Expect(ok).To(BeTrue())
+
+			history1, found, err := unstructured.NestedSlice(dpt1, "history")
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(found).To(BeTrue())
+			g.Expect(history1).NotTo(BeEmpty())
+		}, defaultTimeoutSeconds, 1).Should(Succeed())
+
+		By("Verifying the policy history does not fill up")
+		Consistently(func(g Gomega) {
+			plc := propagatorutils.GetWithTimeout(clientManagedDynamic, gvrPolicy,
+				maxIAMPolicyName, clusterNamespace, true, defaultTimeoutSeconds)
+
+			dpt, found, err := unstructured.NestedSlice(plc.Object, "status", "details")
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(found).To(BeTrue())
+			g.Expect(dpt).To(HaveLen(2))
+
+			dpt0, ok := dpt[0].(map[string]any)
+			g.Expect(ok).To(BeTrue())
+
+			history0, found, err := unstructured.NestedSlice(dpt0, "history")
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(found).To(BeTrue())
+			g.Expect(len(history0)).To(BeNumerically("<", 5))
+
+			dpt1, ok := dpt[1].(map[string]any)
+			g.Expect(ok).To(BeTrue())
+
+			history1, found, err := unstructured.NestedSlice(dpt1, "history")
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(found).To(BeTrue())
+			g.Expect(len(history1)).To(BeNumerically("<", 5))
+		}, "20s", 1).Should(Succeed())
+	})
+
 	Describe("Test policy ordering with gatekeeper objects", func() {
 		const (
 			waitForTemplateName   = "case17-gk-dep-on-tmpl"

test/resources/case17_gatekeeper_sync/limitclusteradmin-policy.yaml

@@ -0,0 +1,134 @@
+# From https://github.com/open-cluster-management-io/policy-collection/blob/b60b1d855185fb790d6d173b0daddc3e843013db/community/AC-Access-Control/policy-gatekeeper-limitclusteradmin.yaml
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: gatekeeper-limitclusteradmin
+spec:
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: templates.gatekeeper.sh/v1
+      kind: ConstraintTemplate
+      metadata:
+        name: maxiamclusterbindings
+      spec:
+        crd:
+          spec:
+            names:
+              kind: MaxIAMClusterBindings
+            validation:
+              openAPIV3Schema:
+                type: object
+                properties:
+                  maxClusterRoleBindingUsers:
+                    type: number
+                    description: Maximum number of users and users within groups allowed to be bound to the specified role
+                    example: 5
+                  clusterRole:
+                    type: string
+                    description: Name of the ClusterRole to validate
+                    example: "cluster-admin"
+                  ignoreClusterRoleBindings: 
+                    type: array
+                    items:
+                      type: string
+                    description: List of ClusterRoleBindings to exclude from the validation count
+                    example: '["myclusteradmins-crb", "system-admins"]'
+
+        targets:
+          - target: admission.k8s.gatekeeper.sh
+            libs:
+              - |
+                package lib.helpers
+
+                # Types of subjects to count
+                count_kinds := {"User", "Group"}
+                
+                validate_subject(kind, roleRef) {
+                  kind == count_kinds[_]
+                  is_clusterrole_ref(roleRef)
+                }
+
+                is_clusterrole_ref(role) {
+                  role.kind == "ClusterRole"
+                  role.name == input.parameters.clusterRole
+                }
+
+                get_user_names("User", s_name) := names {
+                  names := {nm | nm := s_name}
+                }
+
+                get_user_names("Group", s_name) := names {
+                  names := {nm | nm := data.inventory.cluster["user.openshift.io/v1"].Group[s_name].users[_]}
+                }
+
+                is_excluded(exclusion_list, crd_name) {
+                  exclusions := {e | e := exclusion_list[_]}
+                  crd_name == exclusions[_]
+                }
+
+            rego: |
+              package maxiamclusterbindings
+
+              import data.lib.helpers.validate_subject
+              import data.lib.helpers.is_clusterrole_ref
+              import data.lib.helpers.get_user_names
+              import data.lib.helpers.is_excluded
+
+              max_admins := input.parameters.maxClusterRoleBindingUsers
+              violation[{"msg": msg}] {
+                is_number(max_admins)
+                max_admins < 1
+                msg = sprintf("maxClusterRoleBindingUsers parameter must be greater than 0(zero) maxClusterRoleBindingUsers: %v", [max_admins] )
+              }
+
+              # Make a list of all ClusterRoleBindings that should be excluded from the count
+              # Exclude the binding under review so if the number of subjects decreases we don't have an incorrect count.
+              # The updated subjects will be added back in to the count below.
+              bindings_to_exclude[crd_name] {
+                crd_name := input.review.object.metadata.name
+              }
+              bindings_to_exclude[crd_name] {
+                crd_name := input.parameters.ignoreClusterRoleBindings[_]
+              }
+
+              violation[{"msg": msg}] {
+                # check if the requested role references clusterRole parameter 
+                is_clusterrole_ref(input.review.object.roleRef)
+
+                # check if the requested binding should be excluded
+                not is_excluded(input.parameters.ignoreClusterRoleBindings, input.review.object.metadata.name)
+
+                # Get all ClusterRoleBinding that are not excluded
+                crb_list := {crb | not is_excluded(bindings_to_exclude, data.inventory.cluster["rbac.authorization.k8s.io/v1"].ClusterRoleBinding[i].metadata.name); 
+                              crb := data.inventory.cluster["rbac.authorization.k8s.io/v1"].ClusterRoleBinding[i]}
+                
+                # Get the list of all users in the list
+                current_subjects := {sub | validate_subject(crb_list[i].subjects[s].kind, crb_list[i].roleRef); 
+                                      sub := get_user_names(crb_list[i].subjects[s].kind, crb_list[i].subjects[s].name)[_]}
+
+                new_subjects := {sub | validate_subject(input.review.object.subjects[s].kind, input.review.object.roleRef); 
+                                  sub := get_user_names(input.review.object.subjects[s].kind, input.review.object.subjects[s].name)[_]}
+                total_admins := count(current_subjects | new_subjects)
+                total_admins > max_admins
+
+                msg := sprintf("Total number of bindings to role '%v' exceeded. max-admins allowed: %v - current total: %v", [input.parameters.clusterRole, max_admins, total_admins] )
+              }
+
+  - objectDefinition:
+      apiVersion: constraints.gatekeeper.sh/v1beta1
+      kind: MaxIAMClusterBindings
+      metadata:
+        name: max-cluster-admins
+      spec:
+        match:
+          kinds:
+          - apiGroups:
+            - rbac.authorization.k8s.io
+            kinds:
+            - ClusterRoleBinding
+        parameters:
+          clusterRole: cluster-admin
+          ignoreClusterRoleBindings:
+          - iam-max-groups
+          maxClusterRoleBindingUsers: 5