improve error handling for generate policy when an apiCall does not work #4774
Description
Kyverno Version
1.8.0
Kubernetes Version
1.25.x
Kubernetes Platform
KinD
Kyverno Rule Type
Generate
Description
A generate policy with an apiCall does not produce any results or errors
Steps to reproduce
- Apply policy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-netpol
spec:
rules:
- name: watch-pods
match:
resources:
kinds:
- Pod
context:
- name: netpolCount
apiCall:
urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies"
jmesPath: "items | length(@)"
preconditions:
all:
- key: "{{ request.operation }}"
operator: Equals
value: CREATE
- key: "{{ netpolCount }}"
operator: Equals
value: 0
generate:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
name: default-deny
namespace: "{{request.namespace}}"
data:
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress- Create a namespace
kubectl create ns test- Create a pod
kubectl -n test run n1 --image=nginx- Check for update requests
kubectl get ur -A -n kyvernoNo update requests are created and there are no errors in the log
Try the above steps without the apiCall:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-netpol
spec:
rules:
- name: watch-pods
match:
resources:
kinds:
- Pod
preconditions:
all:
- key: "{{ request.operation }}"
operator: Equals
value: CREATE
generate:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
name: default-deny
namespace: "{{request.namespace}}"
data:
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
This works.
Expected behavior
The generate policy with the apiCall should work or report an error.
Screenshots
No response
Kyverno logs
No response
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.