[Bug] Generate loop prevention validation logic broken #7017

@chipzoller


Kyverno Version

1.10.0

Kubernetes Version

1.26.x

Kubernetes Platform

K3d

Kyverno Rule Type

Generate

Description

Basic loop protection logic for a generate rule is broken in 1.10.0-alpha.2. A policy should be denied creation if it generates the same resource kind as it matches on.

Steps to reproduce

  1. Create this ClusterPolicy and see it is accepted (incorrect).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-policy
spec:
  rules:
  - name: copy-corp-ca-cert
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
          operations:
          - CREATE
    generate:
      apiVersion: v1
      kind: ConfigMap
      name: corp-{{ random('[0-9a-z]{8}') }}
      namespace: "{{request.namespace}}"
      synchronize: false
      data:
        data:
          foo: bar

Expected behavior

Policy creation is blocked with a reason stating why.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
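The check the issue expects, as an added example that is not Kyverno's own validation code: a minimal "generate loop" detector that rejects a ClusterPolicy when a generate rule produces the same kind it matches on. The policy from the reproduction steps is transcribed into a Python dict so the example runs offline without a YAML parser; the function names (`find_generate_loops`, `validate`), the handling of the `any`/`all`/legacy `resources` match forms and of `cloneList`, and the decision to ignore `exclude` blocks are all assumptions of this example, not a description of how Kyverno implements the check.

```python
"""Added example: a minimal "generate loop" check for a Kyverno ClusterPolicy.

This is not Kyverno's validation code. It demonstrates only the rule stated
in the issue: a generate rule must not generate the kind it matches on.
"""

# Constructed input: the ClusterPolicy from the issue, transcribed into a dict
# so the example runs without a YAML library.
GENERATE_POLICY = {
    "apiVersion": "kyverno.io/v1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "generate-policy"},
    "spec": {
        "rules": [
            {
                "name": "copy-corp-ca-cert",
                "match": {
                    "any": [
                        {"resources": {"kinds": ["ConfigMap"], "operations": ["CREATE"]}}
                    ]
                },
                "generate": {
                    "apiVersion": "v1",
                    "kind": "ConfigMap",
                    "name": "corp-{{ random('[0-9a-z]{8}') }}",
                    "namespace": "{{request.namespace}}",
                    "synchronize": False,
                    "data": {"data": {"foo": "bar"}},
                },
            }
        ]
    },
}


def _bare_kind(kind: str) -> str:
    """Kyverno accepts 'Kind', 'Version/Kind' and 'Group/Version/Kind' in
    match blocks; compare on the trailing Kind segment only."""
    return kind.rsplit("/", 1)[-1]


def matched_kinds(match: dict) -> set:
    """Collect every kind a rule's match block can select, across the
    'any', 'all' and legacy top-level 'resources' forms."""
    kinds = set()
    filters = list(match.get("any", [])) + list(match.get("all", []))
    if "resources" in match:
        filters.append({"resources": match["resources"]})
    for f in filters:
        for k in f.get("resources", {}).get("kinds", []):
            kinds.add(_bare_kind(k))
    return kinds


def generated_kinds(generate: dict) -> set:
    """Kinds a generate block can create: a single 'kind' or a cloneList."""
    kinds = set()
    if "kind" in generate:
        kinds.add(_bare_kind(generate["kind"]))
    for k in generate.get("cloneList", {}).get("kinds", []):
        kinds.add(_bare_kind(k))
    return kinds


def find_generate_loops(policy: dict) -> list:
    """Return (rule name, kind) pairs where a rule generates a kind it also
    matches on. An empty list means the policy passes this check.

    Assumption of this example: only the kind overlap is checked. Exclude
    blocks and namespace/name selectors, which could break a loop in
    practice, are deliberately not considered here."""
    loops = []
    for rule in policy.get("spec", {}).get("rules", []):
        gen = rule.get("generate")
        if not gen:
            continue
        overlap = matched_kinds(rule.get("match", {})) & generated_kinds(gen)
        for kind in sorted(overlap):
            loops.append((rule.get("name", "<unnamed>"), kind))
    return loops


def validate(policy: dict) -> str:
    """Admission-style verdict with a reason, matching the issue's
    'Expected behavior': creation is blocked and the reason is stated."""
    loops = find_generate_loops(policy)
    if not loops:
        return "allowed"
    reasons = "; ".join(f"rule '{r}' matches and generates kind {k}" for r, k in loops)
    return f"denied: generate loop detected: {reasons}"


if __name__ == "__main__":
    print(validate(GENERATE_POLICY))
```

Run against the issue's policy, `validate` returns a denial naming rule `copy-corp-ca-cert` and kind `ConfigMap`, which is the behaviour the reporter expected and did not get in 1.10.0-alpha.2. A policy that matches on `Namespace` and generates a `ConfigMap` is allowed, since the generated kind cannot re-trigger the rule.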

Metadata

Labels

  • bug: Something isn't working
  • generation: Issues pertaining to the generate ability.
