Skip to content

Clarify how to use labels_include_any with policies in GitOps #38113

@TsekNet

Description

@TsekNet

💥  Actual behavior

labels_*_any (include/exclude) clause can be added to policies: definition in default.yml or team-name.yml file (GitOps). This is not valid, and silently gets ignored when fleetctl is run to apply configs to environments. It seems labels_*_any must be placed in the policy.yml instead.

🛠️ To fix

Update GitOps docs to clarify usage (must be specified per-policy)

🧑‍💻  Steps to reproduce

Add labels_include_any to policies: in default.yml (specifying a policy.yml instead of defining the policy in that file), for example:

# default.yml
policies:
  - path: ../lib/policies-name.policies.yml
     labels_include_any:
      - Some Label

...you won't get a validaiton error, similar to what would happen if you tried with packages:

​* labels, categories, setup_experience, and self_service values must be specified at the team level

🕯️ More info (optional)

This can cause unintentional policy applications, if the customer assumes that the policy will only apply to a label, and it does not. For example, this can cause an application to be deployed broadly, when it should not be.

Metadata

Metadata

Assignees

Labels

#g-orchestrationOrchestration product group:improve documentationInvolves writing improvements or additions to documentation:productProduct Design department (shows up on 🦢 Drafting board)bugSomething isn't working as documentedcustomer-numa

Type

No type

Projects

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions