
[Bug] The generated VAPs aren't deleted in case Kyverno policy can't be translated #8830

@MariamFahmy98

Kyverno Version

1.11.0

Description

The generated ValidatingAdmissionPolicies aren't deleted in case a Kyverno policy is modified and it can no longer be translated to VAPs.

Steps to reproduce:

  1. Create a Kyverno policy that can be translated to VAPs:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-path
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: host-path
      match:
        any:
        - resources:
            kinds:
            - Deployment
            - StatefulSet
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
              message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
  2. Check that VAPs are generated:
$ kubectl get validatingadmissionpolicy
NAME                 VALIDATIONS   PARAMKIND   AGE
disallow-host-path   1             <unset>     35s
$ kubectl get validatingadmissionpolicybindings
NAME                         POLICYNAME           PARAMREF   AGE
disallow-host-path-binding   disallow-host-path   <unset>    41s
  3. Check the policy status:
$ kubectl get cpol disallow-host-path -o yaml
status:
  validatingadmissionpolicy:
    generated: true
    message: ""
  4. Modify the Kyverno policy as follows:
$ kubectl edit cpol disallow-host-path 
- match:
      any:
      - resources:
          kinds:
          - Deployment
          - StatefulSet
          namespaces:
          - prod
          operations:
          - CREATE
          - UPDATE

The namespaces field is added.

  5. Check the policy status:
status:
  validatingadmissionpolicy:
    generated: false
    message: 'skip generating ValidatingAdmissionPolicy: Namespaces / Annotations
      in resource description isn''t applicable.'
  6. Check the validatingadmissionpolicies:
$ kubectl get validatingadmissionpolicy
NAME                 VALIDATIONS   PARAMKIND   AGE
disallow-host-path   1             <unset>     2m25s
$ kubectl get validatingadmissionpolicybindings
NAME                         POLICYNAME           PARAMREF   AGE
disallow-host-path-binding   disallow-host-path   <unset>    2m32s

The ValidatingAdmissionPolicies should be deleted since the Kyverno policy can no longer be translated.
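A check for the inconsistent state this report describes, added here as an example and not Kyverno's own code: it lists ValidatingAdmissionPolicy and binding objects that still exist although the owning ClusterPolicy reports generated: false. The sample inputs are constructed (the policy names require-labels and plain-policy do not appear above), the function name find_stale_vaps is my own, the "<policy>-binding" naming follows the output shown in the report, and the jsonpath in the comments assumes the status layout shown above.

```shell
#!/bin/sh
# Added example, not Kyverno's code: list ValidatingAdmissionPolicy objects that
# Kyverno reports as no longer generated but that still exist in the cluster
# (the state shown in this report: status.validatingadmissionpolicy.generated is
# false while the VAP and its "<policy>-binding" binding are still present).

# Constructed sample inputs, in the shape the live kubectl commands below print.
# Live fetch (the jsonpath assumes the cpol status layout shown in this report):
#   kubectl get cpol -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.validatingadmissionpolicy.generated}{"\n"}{end}'
#   kubectl get validatingadmissionpolicy -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
#   kubectl get validatingadmissionpolicybinding -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
# plain-policy is a constructed policy that was never translated (generated=false,
# no VAP), which must not be reported.
SAMPLE_POLICY_STATUS='disallow-host-path false
require-labels true
plain-policy false'
SAMPLE_VAPS='disallow-host-path
require-labels'
SAMPLE_BINDINGS='disallow-host-path-binding
require-labels-binding'

# find_stale_vaps STATUS VAPS BINDINGS
#   STATUS:   lines of "<policy-name> <generated: true|false|empty>"
#   VAPS:     ValidatingAdmissionPolicy names, one per line
#   BINDINGS: ValidatingAdmissionPolicyBinding names, one per line
# Prints one line per stale object; prints nothing when the cluster is consistent.
find_stale_vaps() {
    status=$1; vaps=$2; bindings=$3
    printf '%s\n' "$status" | while read -r policy generated; do
        if [ -z "$policy" ]; then
            continue
        fi
        # A policy Kyverno still translates is expected to have a VAP; skip it.
        if [ "$generated" = "true" ]; then
            continue
        fi
        # generated is false or unset: any VAP carrying the policy's name is stale.
        if printf '%s\n' "$vaps" | grep -qx -- "$policy"; then
            printf 'stale ValidatingAdmissionPolicy %s (policy %s, generated=%s)\n' \
                "$policy" "$policy" "${generated:-unset}"
        fi
        # The binding name follows the "<policy>-binding" convention seen in the report.
        if printf '%s\n' "$bindings" | grep -qx -- "${policy}-binding"; then
            printf 'stale ValidatingAdmissionPolicyBinding %s-binding (policy %s, generated=%s)\n' \
                "$policy" "$policy" "${generated:-unset}"
        fi
    done
}

# Wrapper over the constructed sample: prints the findings and exits 1 when
# anything is stale, so it can gate a CI step or trigger a cleanup job.
check_sample() {
    out=$(find_stale_vaps "$SAMPLE_POLICY_STATUS" "$SAMPLE_VAPS" "$SAMPLE_BINDINGS")
    printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run against a live cluster by substituting the three kubectl outputs for the sample variables; a policy that was never translatable (generated: false with no VAP) is correctly ignored, and only leftovers of a previously translated policy are reported.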

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

Labels

VAP (Issues related to ValidatingAdmissionPolicy support), bug (Something isn't working)