[Bug] Conflicting rules are applied simultaneously #7192
Description
Kyverno Version
1.10.0
Kubernetes Version
1.26.x
Kubernetes Platform
Bare metal
Kyverno Rule Type
Mutate
Description
When there are two mutually exclusive rules in a single cluster policy, then both of them get applied. This doesn't happen if they are in separate cluster policies.
Steps to reproduce
- Apply the following manifest:
apiVersion: v1
kind: Namespace
metadata:
name: test
labels:
policy.lan/flag: 'true'
---
apiVersion: v1
kind: Pod
metadata:
name: nginx-a
namespace: test
spec:
containers:
- name: nginx
image: nginx
---
apiVersion: v1
kind: Pod
metadata:
name: nginx-b
namespace: test
spec:
containers:
- name: nginx
image: nginx
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: test
spec:
rules:
- name: apply-flag
match:
any:
- resources:
kinds:
- Namespace
selector:
matchLabels:
policy.lan/flag: 'true'
mutate:
targets:
- kind: Pod
apiVersion: '*'
name: '*'
namespace: '{{ request.object.metadata.name }}'
patchStrategicMerge:
metadata:
labels:
policy.lan/apply-flag: 'true'
- name: remove-flag
match:
any:
- resources:
kinds:
- Namespace
exclude:
any:
- resources:
selector:
matchLabels:
policy.lan/flag: 'true'
mutate:
targets:
- kind: Pod
apiVersion: '*'
name: '*'
namespace: '{{ request.object.metadata.name }}'
patchStrategicMerge:
metadata:
labels:
policy.lan/remove-flag: 'true'kubectl get pods -n test --show-labels:
NAME READY STATUS RESTARTS AGE LABELS
nginx-a 1/1 Running 0 7m36s <none>
nginx-b 1/1 Running 0 7m31s <none>
kubectl label namespace test policy.lan/flag-
kubectl get pods -n test --show-labels:
NAME READY STATUS RESTARTS AGE LABELS
nginx-a 1/1 Running 0 9m1s policy.lan/apply-flag=true,policy.lan/remove-flag=true
nginx-b 1/1 Running 0 8m56s policy.lan/apply-flag=true,policy.lan/remove-flag=true
Expected behavior
kubectl get pods -n test --show-labels:
NAME READY STATUS RESTARTS AGE LABELS
nginx-a 1/1 Running 0 7m36s <none>
nginx-b 1/1 Running 0 7m31s <none>
kubectl label namespace test policy.lan/flag-
kubectl get pods -n test --show-labels:
NAME READY STATUS RESTARTS AGE LABELS
nginx-a 1/1 Running 0 43s policy.lan/remove-flag=true
nginx-b 1/1 Running 0 38s policy.lan/remove-flag=true
Screenshots
No response
Kyverno logs
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal PolicyApplied 8s kyverno-mutate policy test/apply-flag applied
Warning PolicyError 8s kyverno-mutate policy test/apply-flag error: Operation cannot be fulfilled on pods "nginx-a": the object has been modified; please apply your changes to the latest version and try again
Normal PolicyApplied 8s kyverno-mutate policy test/remove-flag appliedSlack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.