Kyverno Version
1.8.0
Kubernetes Version
1.24.x
Kubernetes Platform
GKE
Kyverno Rule Type
Mutate
Description
While validating a mutating policy for pod containers that used a json6902 patch, I double-checked to make sure that the controlled Deployment was also mutated by the autogen policy. The deployment, however, was missing the expected mutations and missing the annotation from the kyverno controller indicating it had been mutated. Inspecting the stored policy on the cluster, the autogen rules appear abnormal and consist of 'nulls'. This seems to produce a no-op effect on the controller resources (although it's a scary-looking 'patch' because it appears as though it might 'null' out the entire template spec), so it's not dangerous, but 1) it doesn't work as intended; 2) it causes the webhook to process resources for patches that have no effect.

In further testing, I removed the foreach in the mutation rule and simplified to just adding a dummy label to a pod. In that case, I get no autogen rules at all. So the autogen behavior is inconsistent and confusing - is it supposed to work for json6902 patches at all?

Tested using 1.7.3, 1.8.0-rc2, and 'latest' controller tags and found the issue in all versions.
Steps to reproduce
- Apply a mutating policy with json patch to the cluster

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-pod-require-non-root-user
spec:
  rules:
    - name: require-non-root-user
      match:
        all:
          - resources:
              kinds:
                - Pod
      mutate:
        foreach:
          - list: request.object.spec.containers
            preconditions:
              all:
                # skip images that are exempt (allowed to run as a root user);
                # escape quotes where the replaced value may contain hyphens
                - key: "{{images.containers.\"{{element.name}}\".path}}"
                  operator: AnyNotIn
                  value:
                    - myorg/exempt-image-name
            patchesJson6902: |-
              - path: /spec/containers/{{elementIndex}}/securityContext/runAsNonRoot
                op: add
                value: true
```
- The webhook runs autogen on this policy and returns the following autogenerated rule in the status (taken from 1.8.0 on main). Instead of a json patch, it now shows a strategicMerge, but the patch is effectively 'null':
```yaml
status:
  autogen:
    rules:
      - exclude:
          resources: {}
        generate:
          clone: {}
          cloneList: {}
        match:
          all:
            - resources:
                kinds:
                  - DaemonSet
                  - Deployment
                  - Job
                  - StatefulSet
                namespaceSelector:
                  matchExpressions:
                    - key: system
                      operator: DoesNotExist
          resources: {}
        mutate:
          foreach:
            - list: request.object.spec.template.spec.containers
              patchStrategicMerge:
                spec:
                  template: null
              preconditions:
                all:
                  - key: '{{images.containers."{{element.name}}".path}}'
                    operator: AnyNotIn
                    value:
                      - external/datadog/agent
                      - wayfair/backstory
                      - wayfair/k8s-swiss-knife
                      - wayfair/supporthub
        name: autogen-require-non-root-user
        preconditions:
          all:
            - key: '{{ request.operation }}'
              operator: AnyIn
              value:
                - CREATE
        validate: {}
```
Expected behavior
Based on the documentation of Kyverno autogen, I expected that I would get 2 additional rules that match Deployment/StatefulSet/DaemonSet and CronJobs, with the json6902 path adjusted to reflect the pod template path in the corresponding controller schema, i.e. a new rule like:

```yaml
- name: autogen-cronjob-
```
Screenshots
No response
Kyverno logs
No response
Slack discussion
https://kubernetes.slack.com/archives/CLGR9BJU9/p1664282697092249
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
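The path adjustment described under Expected behavior, as an added worked example in Python (not Kyverno's code): it re-roots the issue's Pod-scoped foreach rule at each controller kind's pod template and then applies the resulting JSON 6902 `add` op to a Deployment. The `TEMPLATE_PREFIX` mapping, the `POD_RULE` dict and the lenient `apply_add` helper are assumptions constructed for this example.

```python
import copy

# JSON pointer prefix of the pod template in each controller kind (an assumption
# drawn from the Kubernetes API shapes, not taken from Kyverno's code).
TEMPLATE_PREFIX = {
    "Deployment": "/spec/template", "StatefulSet": "/spec/template",
    "DaemonSet": "/spec/template", "Job": "/spec/template",
    "CronJob": "/spec/jobTemplate/spec/template",
}

# Constructed sample: the issue's Pod rule, with the patchesJson6902 block
# scalar already parsed into a list of ops.
POD_RULE = {
    "name": "require-non-root-user",
    "mutate": {"foreach": [{
        "list": "request.object.spec.containers",
        "patchesJson6902": [{
            "op": "add", "value": True,
            "path": "/spec/containers/{{elementIndex}}/securityContext/runAsNonRoot",
        }],
    }]},
}

def autogen_json6902(rule, kind):
    """Re-root the foreach list and every JSON 6902 path at the controller's
    pod template, and name the rule the way the issue's status block does."""
    prefix = TEMPLATE_PREFIX[kind]
    out = copy.deepcopy(rule)
    out["name"] = "autogen-" + ("cronjob-" if kind == "CronJob" else "") + rule["name"]
    for fe in out["mutate"]["foreach"]:
        # request.object.spec.containers -> request.object<prefix as dots>.spec.containers
        fe["list"] = fe["list"].replace(
            "request.object.spec.", "request.object" + prefix.replace("/", ".") + ".spec.", 1)
        for op in fe["patchesJson6902"]:
            op["path"] = prefix + op["path"]
    return out

def apply_add(obj, path, value, element_index):
    """Apply one 'add' op with {{elementIndex}} substituted. Missing parent maps
    are created for brevity; strict RFC 6902 requires the parent to exist."""
    parts = path.replace("{{elementIndex}}", str(element_index)).strip("/").split("/")
    cur = obj
    for p in parts[:-1]:
        cur = cur[int(p)] if isinstance(cur, list) else cur.setdefault(p, {})
    cur[parts[-1]] = value
    return obj
```

Running `autogen_json6902(POD_RULE, "Deployment")` yields the path `/spec/template/spec/containers/{{elementIndex}}/securityContext/runAsNonRoot`, which is what the status block above should have contained instead of the `template: null` strategic merge.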