💥 Actual behavior
labels_*_any (include/exclude) clause can be added to policies: definition in default.yml or team-name.yml file (GitOps). This is not valid, and silently gets ignored when fleetctl is run to apply configs to environments. It seems labels_*_any must be placed in the policy.yml instead.
🛠️ To fix
Update GitOps docs to clarify usage (must be specified per-policy)
🧑💻 Steps to reproduce
Add labels_include_any to policies: in default.yml (specifying a policy.yml instead of defining the policy in that file), for example:
# default.yml
policies:
- path: ../lib/policies-name.policies.yml
labels_include_any:
- Some Label
...you won't get a validaiton error, similar to what would happen if you tried with packages:
* labels, categories, setup_experience, and self_service values must be specified at the team level
🕯️ More info (optional)
This can cause unintentional policy applications, if the customer assumes that the policy will only apply to a label, and it does not. For example, this can cause an application to be deployed broadly, when it should not be.
💥 Actual behavior
labels_*_any(include/exclude) clause can be added topolicies:definition in default.yml or team-name.yml file (GitOps). This is not valid, and silently gets ignored whenfleetctlis run to apply configs to environments. It seemslabels_*_anymust be placed in thepolicy.ymlinstead.🛠️ To fix
Update GitOps docs to clarify usage (must be specified per-policy)
🧑💻 Steps to reproduce
Add
labels_include_anytopolicies:in default.yml (specifying apolicy.ymlinstead of defining the policy in that file), for example:...you won't get a validaiton error, similar to what would happen if you tried with packages:
🕯️ More info (optional)
This can cause unintentional policy applications, if the customer assumes that the policy will only apply to a label, and it does not. For example, this can cause an application to be deployed broadly, when it should not be.