
Commit 0cf1995

Merge pull request #8332 from stolostron/jcberger-25582-policytools
https://issues.redhat.com/browse/ACM-25582
2 parents e60f98b + 9550e31 commit 0cf1995

File tree

2 files changed

+12
-1
lines changed


governance/manage_policies.adoc

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -355,7 +355,16 @@ The `template-resolver` subcommand connects to the managed cluster and hub clust
355355
To run a policy, add the path to the `ConfigurationPolicy` YAML by using the `--policy` flag. You can provide additional resource YAML files, which are used as the current cluster state. For example, if your policy defines a specific configuration for a namespace, provide the current namespace state to see what the policy does. Multiple resources can be in the same resource file.
356356

357357
+
358-
By default, `dryrun` prints the differences between the desired states of objects defined in the policy and the current state of those resources, as well as compliance messages that the `ConfigurationPolicy` creates. To save the compliance messages to a separate file, use the `--messages-path` argument. To save the full policy status, including additional information about the related objects, use the `--status-path` argument.
358+
To evaluate a policy against the current state of a live cluster, use the `--from-cluster` flag or set the `DRYRUN_FROM_CLUSTER` environment variable to `true`.
359+
360+
The `dryrun` subcommand reads the current state of resources directly from the cluster that you configured in your `kubeconfig` file or from the cluster that is specified by the `KUBECONFIG` environment variable. In both these scenarios, the `dryun` subcommand does not gather information from the resource files.
361+
362+
When you enable the `--from-cluster` flag, it ignores any YAML resource files that are provided as input. Enabling the `--from-cluster` flag allows you to test a policy against your actual cluster state without manually exporting and supporting resource files.
363+
364+
+
365+
By default, `dryrun` prints the differences between the desired states of objects that are defined in the policy and the current state of those resources, as well as compliance messages that the `ConfigurationPolicy` creates.
366+
367+
To save the compliance messages to a separate file, use the `--messages-path` argument. To save the full policy status, including additional information about the related objects, use the `--status-path` argument.
359368

360369
+
361370
If the policy is `NonCompliant` based on the input, the tool returns a non-zero exit code. To compare the resulting status against a known status, use the `--desired-status` argument. For example, to verify that the policy reports a missing resource, provide a YAML file with the missing resource inside a `.relatedObjects` list. To verify that the policy is `NonCompliant`, create a YAML file with the `compliant: NonCompliant` line.
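Review bot: typo in the new line 360 paragraph, `dryun` should be `dryrun`. The same paragraph also reads as if `dryrun` always reads resource state from the live cluster, which contradicts the preceding text that resource YAML files stand in for the cluster state; qualify it with the flag, for example "When the `--from-cluster` flag is set, the `dryrun` subcommand reads the current state of resources directly from the cluster ...", and then the "In both these scenarios" sentence follows naturally from the kubeconfig/`KUBECONFIG` alternatives. Since this mode now evaluates against the cluster using the credentials in the configured `kubeconfig`, a sentence on the read access that identity needs for the resources the policy references would help readers avoid misleading `NonCompliant` results caused by permission errors rather than by actual drift.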

release_notes/acm_new.adoc

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,8 @@ See link:../observability/observe_environments_intro.adoc#observing-environments
9999
100100
- *Technology Preview:* Use the `--lint` argument when you resolve templates to display linting issues that the policy tool found in the policy.
101101
102+
- Enable the `--from-cluster` flag to test a policy against your actual cluster state without manually exporting and supporting resource files. For more information, see link:../governance/manage_policies.adoc#policy-cli-commands[Policy command-line tool].
103+
102104
- See link:../governance/grc_intro.adoc#governance[Governance] to learn more about the dashboard and the policy framework.
103105
104106
[#bus-continuity-new-features]
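Review bot: the new bullet does not say which command the `--from-cluster` flag belongs to, while the sibling bullet names its context ("when you resolve templates"); suggest "Enable the `--from-cluster` flag with the `dryrun` subcommand to test a policy against your actual cluster state ...". The phrase "exporting and supporting resource files" reads oddly here and in the `manage_policies.adoc` hunk; "exporting and maintaining resource files" is probably what is meant.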
