Should policy runs for hosts that are not within scope of associated software automation? #25066
Comments
jmwatts
added
bug
jmwatts
added
the
:release
mostlikelee
added
#g-software
lukeheath
added
story
lukeheath
changed the title
|
@noahtalerman @marko-lisica This was originally filed as a bug since it did not match the design spec of not running policies at all. Not running the policy at all is more difficult to implement, so the decision was made to release as-is with the policy running but returning Some concerns expressed:
|
|
Just had similar concerns in my conversation with @jahzielv re: #25071. Agreed with @lukeheath that "whether a policy runs" should be distinct from "whether the automation for the policy is in scope." We already see this for edge cases on policy script automations: if you supply a *nix shell script and your policy includes Windows hosts, a Windows host can fail the policy but the shell script won't run. Which winds up being basically this workflow:
This is congruent with the workflow for software installers, with the caveat around marking policy failures as blank:
My concern here is that we're coupling software install targeting with policies anyway with the "blank out policy status if a host fails and has a software automation but that automation is not in scope" logic. This means that policies with a software automation that's out-of-scope have two statuses rather than three: "Success" and "blank", which has the side effect of making #25071 more of an edge case. This means that the "right way" for solving this is to implement #24097, plus the ability to ensure labels stay in sync between a policy and the associated installer, rather than something to the effect of #24533. At which point (maybe before) we can remove the "whether an installer is in scope influences a policy's status" hack. Let me know if I'm off track here. |
|
I relabeled this as a story for the time being until I've had the chance to align with @noahtalerman on expected behavior. |
|
Luke: We're evaluating all hosts. When we say "evaluating" does that mean the policy's query is run on the hosts? Noah: That's what we want to avoid. We want to only run the policy's query if it's a member of the software's labels. Later, we want to add the ability to add target policies to only run on specific hosts based on labels (feature request here). Only run the policy and display the result if it's a member of specific labels. |
|
From our call today, the plan is:
|
|
Follow up to Luke's comment about the plan here:
As-is with copy updates. I updated the copy in the UI so the IT admin knows why some hosts return an empty (---) status. @lukeheath is it possible to get this copy update in before the 4.62 release? Figma is here:
Here's the user story for this: Bringing it into the current design sprint. Target is 4.64.
Specifically in the iteration in which we draft "Scope policies using labels" (#24097). Which the #g-orchestration team will take on this quarter (Q1 2025) FYI @rachaelshaw |
UPDATE: PR with copy update is merged! |
|
Closing this issue after we decided the following:
|
|
In cloud city's glow, |
UPDATE: @noahtalerman: Closed this issue after we decided the following:
Fleet version: v4.62.0
Web browser and operating system: Chrome 131.0.6778.205 on macOS
💥 Actual behavior
In Fleet log:
level=debug ts=2024-12-31T17:38:18.781518Z host_id=14 host_platform=darwin policy_id=67 software_installer_id=755 software_title_id=6185 software_installer_platform=darwin msg="not marking policy as failed since software is out of scope for host"🧑💻 Steps to reproduce
Testing scope)🕯️ Expected behavior
Per the design for this feature, the policy "won't be checked on hosts that aren't in the scope" but the policy does run - it just doesn't trigger installation of the software and also doesn't record the result of the policy being run.
I would expect the policy to not show up in My device and for it not to run at all based on the design for this feature.
The text was updated successfully, but these errors were encountered: