Updating policy settings does not change policy state to pending

[kravciak]

When I modify policy config policyserver is restarted. Only after that changes are applied to the cluster.
UI does not reflect this transition period, for example when updating mode policy is immediatelly Active and Protect but change are not in effect yet. Same applies to other modifications, for example module updates.

When I make errors in configuration it's not obvious that changes were not applied and old policyserver stays active.

Screencast.from.2023-11-14.14-17-06.webm

[kravciak]

As discussed on daily it might be fixed by observing state PolicyUniquelyReachable instead of PolicyActive

Values are described in https://github.com/kubewarden/kubewarden-controller/blob/3e2246abe21a1613406394351b2b073992a37d04/pkg/apis/policies/v1/policy.go#L54

Sample from command line:

~ k wait clusteradmissionpolicy --for=condition=PolicyUniquelyReachable no-privileged-pod

[jordojordo]

Changing the status to search for a PolicyUniquelyReachable condition causes some messy behavior which could be confusing.

When one policy is not uniquely reachable, all other policies with a related PolicyServer are considered not reachable as well since the PS pod is updating all of the policies. However, all of the policies that are then showing as not reachable are in fact still working and active.

Perhaps a good alternative here would be to show a transitioning icon or equivalent next to the status?

Policy creation

policy-status.mp4

Policy mode update

policy-status2.mp4

Policy deletion

policy-status3.mp4