Closed
Labels: bug (Something isn't working), generation (Issues pertaining to the generate ability)
Description
Kyverno Version
1.10.0
Kubernetes Version
1.26.x
Kubernetes Platform
KinD
Kyverno Rule Type
Generate
Description
When there are multiple policy kinds, the generate policy validation is falsely failing because it is ignoring apiGroup.
Steps to reproduce
- create a new kind cluster
- install nginx-ingress
helm install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.17.1
- install kyverno with extraResources
cat <<EOF | helm install kyverno kyverno/kyverno -n kyverno --create-namespace --wait -f -
backgroundController:
  rbac:
    clusterRole:
      extraResources:
        - apiGroups:
            - kyverno.io
          resources:
            - policies
          verbs:
            - create
EOF
- validate there are multiple policies
❯ k api-resources | grep -w policies
policies    pol    k8s.nginx.org/v1    true    Policy
policies    pol    kyverno.io/v1       true    Policy
- validate auths
❯ k auth can-i create policy --as system:serviceaccount:kyverno:kyverno-background-controller
no
❯ k auth can-i create policy.kyverno.io --as system:serviceaccount:kyverno:kyverno-background-controller
yes
- try to apply policy
❯ cat <<EOF | kubectl apply -f -
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-namespace-label
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-labels
      match:
        all:
          - resources:
              kinds:
                - Namespace
      validate:
        pattern:
          metadata:
            labels:
              AppID: "?*"
    - name: generate-add-labels-policy
      match:
        all:
          - resources:
              kinds:
                - Namespace
      generate:
        synchronize: true
        apiVersion: kyverno.io/v1
        kind: Policy
        name: add-labels-policy
        namespace: '{{request.object.metadata.name}}'
        data:
          spec:
            rules:
              - name: add-labels
                match:
                  all:
                    - resources:
                        kinds:
                          - Pod
                          - Service
                          - PersistentVolumeClaim
                mutate:
                  patchStrategicMerge:
                    metadata:
                      labels:
                        AppID: '{{request.object.metadata.labels.AppID}}'
EOF
Expected behavior
The policy applies with no error:
clusterpolicy.kyverno.io/require-namespace-label created
but it is producing this error:
Error from server: error when creating "STDIN": admission webhook "validate-policy.kyverno.svc" denied the request: path: spec.rules[1].generate..: kyverno does not have permissions to 'create' resource Policy/{{request.object.metadata.name}}. Grant proper permissions to the background controller
When I update the apiGroup to '*', the policy is able to validate and apply:
❯ cat <<EOF | helm upgrade kyverno kyverno/kyverno -n kyverno -f -
backgroundController:
  rbac:
    clusterRole:
      extraResources:
        - apiGroups:
            - '*'
          resources:
            - policies
          verbs:
            - create
EOF
Screenshots
No response
Kyverno logs
No response
Slack discussion
https://kubernetes.slack.com/archives/CLGR9BJU9/p1687200808930939
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
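As an added example (not part of this issue or of Kyverno's own code), the Python below resolves a bare resource name against a constructed `kubectl api-resources` listing, builds a fully qualified access check with the API group set explicitly, and compares the narrow `kyverno.io` ClusterRole rule with the `'*'` workaround. It shows why `policies` without a group is ambiguous on this cluster and that the wildcard also grants `create` on the nginx `policies` resource, which is more than the background controller needs.

```python
"""Resolve a bare resource name (e.g. "policies") to every API group serving
it, and evaluate RBAC rules against the qualified resource.group form."""

# Constructed sample of `kubectl api-resources` output, modelled on the two
# "policies" kinds reported in the issue (NAME SHORTNAMES APIVERSION NAMESPACED KIND).
API_RESOURCES = """\
NAME        SHORTNAMES   APIVERSION            NAMESPACED   KIND
policies    pol          k8s.nginx.org/v1      true         Policy
policies    pol          kyverno.io/v1         true         Policy
pods        po           v1                    true         Pod
"""


def parse_api_resources(text):
    """Return (name, group, kind) triples; core-group resources get group ''."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        # SHORTNAMES may be blank, so index the fixed columns from the right.
        name, api_version, kind = fields[0], fields[-3], fields[-1]
        group = api_version.rsplit("/", 1)[0] if "/" in api_version else ""
        rows.append((name, group, kind))
    return rows


def groups_for(text, resource):
    """All API groups serving a resource name; more than one means ambiguity."""
    return sorted(g for n, g, _ in parse_api_resources(text) if n == resource)


def subject_access_review(resource, group, verb, namespace, sa):
    """SubjectAccessReview spec with the group set explicitly, never inferred."""
    return {
        "user": f"system:serviceaccount:{namespace}:{sa}",
        "resourceAttributes": {"group": group, "resource": resource, "verb": verb},
    }


def rule_grants(rule, resource, group, verb):
    """Does an RBAC rule (apiGroups/resources/verbs lists) cover this request?
    '*' in any list matches everything, as in Kubernetes RBAC."""
    return (
        (group in rule["apiGroups"] or "*" in rule["apiGroups"])
        and (resource in rule["resources"] or "*" in rule["resources"])
        and (verb in rule["verbs"] or "*" in rule["verbs"])
    )
```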