
[Bug] With --autoUpdateWebhooks set to false no policies are matched #7194

@chipzoller

Kyverno Version

1.10.0-beta.1

Kubernetes Version

1.25.x

Kubernetes Platform

K3d

Kyverno Rule Type

Validate

Description

When setting --autoUpdateWebhooks: false, Kyverno stops matching applicable resources to policies, even in Enforce mode, allowing everything to pass.

Steps to reproduce

  1. Install Kyverno (or reconfigure) to add --autoUpdateWebhooks: false.
  2. Create a simple policy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
  - name: check-for-labels
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
    validate:
      message: "The label `team` is required."
      pattern:
        metadata:
          labels:
            team: "?*"
  3. Create a ConfigMap without the label
kubectl create cm one --from-literal=foo=bar
  4. See resource is allowed.
  5. See an Event is written which acknowledges failure.
3m1s        Warning   PolicyViolation   configmap/one                  policy require-labels/check-for-labels fail: validation error: The label `team` is required. rule check-for-labels failed at path /metadata/labels/
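To show what the Enforce decision for the steps above should look like, here is an added illustration in Python; it is not Kyverno's engine code and not part of the report. It evaluates the `require-labels` policy against the ConfigMap from step 3 using only the subset of Kyverno pattern semantics that policy needs: every key in the pattern must exist in the resource, and a string value is a wildcard where `*` matches any string and `?` any single character, so `"?*"` means a non-empty string. Anchors, numeric operators, namespace and selector matching are deliberately not implemented (an assumption of this example). `POLICY` and `CONFIGMAP_NO_LABEL` are constructed from the YAML and the `kubectl` command shown; `pattern_failures`, `rule_matches` and `evaluate` are hypothetical helper names. The example goes slightly beyond the report by also covering a labelled ConfigMap, an empty label value and a policy in Audit mode.

```python
"""Simplified evaluation of the require-labels ClusterPolicy (added example)."""
import fnmatch
from typing import Any, Dict, List

# Constructed to mirror the ClusterPolicy YAML in the report.
POLICY = {
    "apiVersion": "kyverno.io/v1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "require-labels"},
    "spec": {
        "validationFailureAction": "Enforce",
        "rules": [{
            "name": "check-for-labels",
            "match": {"any": [{"resources": {"kinds": ["ConfigMap"]}}]},
            "validate": {
                "message": "The label `team` is required.",
                "pattern": {"metadata": {"labels": {"team": "?*"}}},
            },
        }],
    },
}

# Constructed: what `kubectl create cm one --from-literal=foo=bar` submits.
CONFIGMAP_NO_LABEL = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "one", "namespace": "default"},
    "data": {"foo": "bar"},
}


def pattern_failures(pattern: Any, value: Any, path: str = "/") -> List[str]:
    """Return the paths at which `value` deviates from `pattern`.

    Only maps, wildcard strings and literal scalars are handled
    (assumption: Kyverno anchors and operators are out of scope here).
    """
    if isinstance(pattern, dict):
        if not isinstance(value, dict):
            return [path]
        failures: List[str] = []
        for key, sub in pattern.items():
            child = f"{path}{key}/"
            if key not in value:
                failures.append(child)  # required key is missing entirely
            else:
                failures.extend(pattern_failures(sub, value[key], child))
        return failures
    if isinstance(pattern, str):
        # '*' = any string, '?' = any single character; "?*" => non-empty.
        ok = isinstance(value, str) and fnmatch.fnmatchcase(value, pattern)
        return [] if ok else [path]
    return [] if pattern == value else [path]


def rule_matches(rule: dict, resource: dict) -> bool:
    """Kind-based `match.any` check only (selectors, namespaces omitted)."""
    kinds = {k for blk in rule["match"].get("any", [])
             for k in blk.get("resources", {}).get("kinds", [])}
    return resource.get("kind") in kinds


def evaluate(policy: dict, resource: dict) -> Dict[str, Any]:
    """Emulate the admission decision: Enforce + failed pattern => deny."""
    spec = policy["spec"]
    results: Dict[str, List[str]] = {}
    for rule in spec["rules"]:
        if rule_matches(rule, resource):
            results[rule["name"]] = pattern_failures(
                rule["validate"]["pattern"], resource)
    failed = {name: paths for name, paths in results.items() if paths}
    enforce = spec["validationFailureAction"] == "Enforce"
    return {
        "matched": sorted(results),   # empty list == "no policies matched"
        "failures": failed,
        "allowed": not (enforce and failed),
    }


if __name__ == "__main__":
    verdict = evaluate(POLICY, CONFIGMAP_NO_LABEL)
    for name, paths in verdict["failures"].items():
        print(f"rule {name} failed at path {paths[0]}")
    print("allowed:", verdict["allowed"])
```

Running it prints the same path the PolicyViolation event reports (`/metadata/labels/`) and `allowed: False`, which is the outcome the report expects; an empty `matched` list is the "no policies matched" state seen in the logs, and in that state the example (like the webhook) admits the resource.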

Note that I also changed the match from "*/*" to "*" to troubleshoot a related issue reported on Slack.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  creationTimestamp: "2023-05-15T12:37:03Z"
  generation: 2
  labels:
    webhook.kyverno.io/managed-by: kyverno
  name: kyverno-resource-validating-webhook-cfg
  resourceVersion: "800992"
  uid: b59ad9e4-b73e-4080-bde2-1be5f60fe5ba
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM3VENDQWRXZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFZTVJZd0ZBWURWUVFEREEwcUxtdDUKZG1WeWJtOHVjM1pqTUI0WERUSXpNRFV4TVRFNU1EUTFPRm9YRFRJME1EVXhNREl3TURRMU9Gb3dHREVXTUJRRwpBMVVFQXd3TktpNXJlWFpsY201dkxuTjJZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBTHFkZzRQRkZZT3RnT1RmQmF0VFdtSzdHV1ludjhwOWVrVnJnK3VJNnhGT2dBM1RBS1prQVZvSGJ2VWsKWWYreEN0dHl4NWpkOVhWMW1reXNCZmlOcm15Qk92UzJpZFVtR2lhaXZpbzNaR1JldWYzWFg4enYxTnlEd0pnYQpFeHZPc2cyQjcyZU5RZDBCdDArYUdGTUVrdWdoRk01bHhRN2hoK04rMDEyOFpEdXp6anZ2Y1lYNlBtRTZMbjdWClI2NHVyRGJFMHVjZ1UzMko3MGJqMFJpNkpHTjBpODROZmFTZFp4R3lVMXVPRU1CdloyOTc5SlM0NWFOb2hjR2cKb3ZBNENQblFER0o0a1NHYXovOWxsZXk4aGRWR0o1Qnh5ajIyTmU1c0t0RXpIL09PaG54Vkk5a3ZiTng0RVlJYwpMUzB3bmhvNkJENDFEMlZzSlc1QUxIem1LSGNDQXdFQUFhTkNNRUF3RGdZRFZSMFBBUUgvQkFRREFnS2tNQThHCkExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk1tY2dIZUtVRUVxYmxWRDZ3OUwwbGszVjlqdk1BMEcKQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJOeXNKc0xpQWJ0N2FOdFcydkw2RWxmT0FrTXgvalV3aE5LWXBpYWJWdQozSTk5dEZjQlFqOTRkYnFjUHZ2ZDNRSDVodHBEbkxrRExpd1hvbUdkNWdNQ1NuRXdEdTF6c2tYSFQ2aUNpOXp0CjNwZmRDR2oxQXgvK1JFK0ZwN1NJTGI4K3luRG1nOEtVdWl6eU5FNDNLMFhzYUdGUXE4Nis2UzlKWHVYOWwrUzUKeUt0cWMvSEpaTEt6Q1NqNzcxLy9SOHFWTDFMZ0tyblNaZ09ML3hIc0U3ZHlheTJrS21CaCtpNXd2NXptNXJ4UQpqRzlPcDBzaDdtK1JPYm5sUXdha0M1OXhKdk9ZN1FRRGN5N0F6OEdUMDlwVGFSNE1HYjAvZjhhcExmN05NL1VpCmJwc3FLRU5BNTZtSzdWK1FzWkV4RFRDS1dyRFZONkNnZ1hkckxncmVHSVpVCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    service:
      name: kyverno-svc
      namespace: kyverno
      path: /validate/ignore
      port: 443
  failurePolicy: Ignore
  matchPolicy: Equivalent
  name: validate.kyverno.svc-ignore
  namespaceSelector: {}
  objectSelector: {}
  rules:
  - apiGroups:
    - '*'
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    - DELETE
    - CONNECT
    resources:
    - '*'
    scope: '*'
  sideEffects: NoneOnDryRun
  timeoutSeconds: 10
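Because the webhook above is no longer managed by Kyverno once `--autoUpdateWebhooks` is false, whatever is registered is what the API server enforces. As an added example (not part of the report and not Kyverno project code), the following Python audits a ValidatingWebhookConfiguration for fail-open posture: under Kubernetes admission semantics a webhook with `failurePolicy: Ignore` admits the request whenever the webhook errors or times out, and combined with wildcard rules that means anything the webhook cannot (or does not) check is admitted. `WEBHOOK_CFG` is constructed from the YAML shown (caBundle omitted); `audit_webhook`, `audit` and `has_fail_closed_webhook` are hypothetical helper names.

```python
"""Fail-open audit of a ValidatingWebhookConfiguration (added example)."""
from typing import Any, Dict, List

# Constructed to mirror the webhook configuration in the report.
WEBHOOK_CFG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "kyverno-resource-validating-webhook-cfg"},
    "webhooks": [{
        "name": "validate.kyverno.svc-ignore",
        "failurePolicy": "Ignore",
        "matchPolicy": "Equivalent",
        "timeoutSeconds": 10,
        "sideEffects": "NoneOnDryRun",
        "clientConfig": {"service": {
            "name": "kyverno-svc", "namespace": "kyverno",
            "path": "/validate/ignore", "port": 443}},
        "rules": [{
            "apiGroups": ["*"], "apiVersions": ["*"],
            "operations": ["CREATE", "UPDATE", "DELETE", "CONNECT"],
            "resources": ["*"], "scope": "*"}],
    }],
}


def is_wildcard_rule(rule: dict) -> bool:
    """True when the rule selects every group, version and resource."""
    return ("*" in rule.get("apiGroups", [])
            and "*" in rule.get("apiVersions", [])
            and "*" in rule.get("resources", []))


def audit_webhook(hook: dict) -> Dict[str, Any]:
    """Summarise one webhook entry's failure posture."""
    # The v1 API defaults failurePolicy to Fail and timeoutSeconds to 10.
    fail_open = hook.get("failurePolicy", "Fail") == "Ignore"
    rules = hook.get("rules", [])
    wildcard = any(is_wildcard_rule(r) for r in rules)
    ops = sorted({op for r in rules for op in r.get("operations", [])})
    notes: List[str] = []
    if fail_open:
        notes.append("failurePolicy=Ignore: webhook errors or timeouts "
                     f"(> {hook.get('timeoutSeconds', 10)}s) admit the request")
    if fail_open and wildcard:
        notes.append("wildcard rules with Ignore: any request the webhook "
                     "does not reject is admitted cluster-wide")
    return {
        "name": hook["name"],
        "path": hook.get("clientConfig", {}).get("service", {}).get("path"),
        "fail_open": fail_open,
        "wildcard_rules": wildcard,
        "operations": ops,
        "notes": notes,
    }


def audit(cfg: dict) -> List[Dict[str, Any]]:
    return [audit_webhook(h) for h in cfg.get("webhooks", [])]


def has_fail_closed_webhook(findings: List[Dict[str, Any]]) -> bool:
    """Does at least one registered webhook block on failure?"""
    return any(not f["fail_open"] for f in findings)


if __name__ == "__main__":
    findings = audit(WEBHOOK_CFG)
    for f in findings:
        print(f["name"], f["path"], "fail_open=%s" % f["fail_open"])
        for note in f["notes"]:
            print("  -", note)
    if not has_fail_closed_webhook(findings):
        print("no fail-closed webhook registered in this configuration")
```

For the configuration in the report the audit flags a single fail-open, wildcard webhook and no fail-closed entry; that is worth knowing when troubleshooting, because a request the webhook answers with "no policies matched" is admitted exactly as one it never answers.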

Expected behavior

Resource is blocked.

Screenshots

No response

Kyverno logs

1 handlers.go:109] webhooks/resource/validate "msg"="received an admission request in validating webhook" "clusterroles"=["cluster-admin","system:basic-user","system:discovery","system:public-info-viewer"] "gvk"={"group":"","version":"v1","kind":"ConfigMap"} "gvr"={"group":"","version":"v1","resource":"configmaps"} "kind"="ConfigMap" "name"="one" "namespace"="default" "operation"="CREATE" "resource.gvk"={"Group":"","Version":"v1","Kind":"ConfigMap"} "roles"=null "uid"="63fd5c8e-777d-4d44-8b8d-8c98ca67b267" "user"={"username":"system:admin","groups":["system:masters","system:authenticated"]}

1 handlers.go:120] webhooks/resource/validate "msg"="no policies matched admission request" "clusterroles"=["cluster-admin","system:basic-user","system:discovery","system:public-info-viewer"] "gvk"={"group":"","version":"v1","kind":"ConfigMap"} "gvr"={"group":"","version":"v1","resource":"configmaps"} "kind"="ConfigMap" "name"="one" "namespace"="default" "operation"="CREATE" "resource.gvk"={"Group":"","Version":"v1","Kind":"ConfigMap"} "roles"=null "uid"="63fd5c8e-777d-4d44-8b8d-8c98ca67b267" "user"={"username":"system:admin","groups":["system:masters","system:authenticated"]}

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

Labels

bug (Something isn't working), webhook
