Closed
Kyverno Version
1.10.3
Kubernetes Version
1.26.x
Kubernetes Platform
K3d
Kyverno Rule Type
Validate
Description
When setting the failurePolicy to Ignore for a policy that was set to Enforce, I expected the admission webhook to still deny requests when validation of a resource fails. Instead, I saw that the validation error that was previously present after resource denial was ignored and the violating resource was permitted.
It seems that for this specific policy, the validation fails because of an execution error and not a failed rule like other policies.
Steps to reproduce
kubectl apply -f ./disallow-annotation-pod.yaml
Error from server: error when creating "./disallow-annotation-pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Pod/default/disallow-annotations-example was blocked due to the following policies
disallow-annotations:
disallow-annotations: 'validation error: One or more annotations is not allowed
per the policies disallowed values list. rule disallow-annotations execution error:
resource value ''disallowed'' does not match ''!disallowed'' at path /metadata/annotations/kyverno-policies-test/key/'
Setting the failurePolicy to Ignore:
kubectl patch cpol disallow-annotations -p '{"spec": {"failurePolicy": "Ignore"}}' --type='merge'
Applying the same resource:
kubectl apply -f ./disallow-annotation-pod.yaml
Warning: policy disallow-annotations.disallow-annotations: validation error: One or more annotations is not allowed per the policies disallowed values list. rule disallow-annotations execution error: resource value 'disallowed' does not match '!disallowed' at path /metadata/annotations/kyverno-policies-test/key/
pod/disallow-annotations-example created
YAML to reproduce:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-annotations
spec:
  background: true
  failurePolicy: Ignore
  rules:
  - match:
      all:
      - resources:
          kinds:
          - Pod
    name: disallow-annotations
    validate:
      message: One or more annotations is not allowed per the policies disallowed values list.
      pattern:
        metadata:
          =(annotations):
            =(kyverno-policies-test/key): '!disallowed'
            X(kyverno-policies-test/disallowed): ?*
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
---
apiVersion: v1
kind: Pod
metadata:
  name: disallow-annotations-example
  namespace: default
  annotations:
    kyverno-policies-test/key: disallowed
spec:
  containers:
  - name: example
    image: busybox
    args: ["sleep", "infinity"]
Expected behavior
The resource should have been denied after setting the failurePolicy to Ignore.
Screenshots
No response
Kyverno logs
No response
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
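The report above shows the practical effect of failurePolicy: Ignore on an Enforce policy: when the webhook's evaluation ends in an execution error rather than a clean rule verdict, the API server treats the error as "ignore" and admits the resource with only a warning. The following audit script is an added example, not code from this issue or from the Kyverno project. It reads the JSON that kubectl get clusterpolicies -o json prints (a Kubernetes List) and reports every policy that validates in Enforce mode while its spec.failurePolicy is Ignore, i.e. every Enforce policy that fails open on webhook errors or timeouts. The defaults it assumes (an omitted failurePolicy means Fail, an omitted webhookTimeoutSeconds means 10) are Kyverno's documented defaults; the embedded sample list is constructed here, mirroring the policy in the report plus a fail-closed twin and an Audit-mode policy.

```python
"""Audit Kyverno ClusterPolicies for fail-open Enforce validation.

Added example, not Kyverno's own code. Input is the JSON printed by
`kubectl get clusterpolicies -o json`. A policy is reported when it has a
validate rule, validationFailureAction is Enforce, and failurePolicy is
Ignore: with that combination a webhook error or timeout admits the request.
"""
import json
import sys

# Kyverno's documented defaults when the fields are omitted from spec.
DEFAULT_FAILURE_POLICY = "Fail"       # fail-closed
DEFAULT_WEBHOOK_TIMEOUT_SECONDS = 10

# Merge patch that turns a fail-open policy back into fail-closed
# (the inverse of the kubectl patch shown in the report).
REMEDIATION_PATCH = json.dumps({"spec": {"failurePolicy": "Fail"}})


def is_enforce(spec):
    """True when the policy's validation action is Enforce (any letter case)."""
    return str(spec.get("validationFailureAction", "Audit")).lower() == "enforce"


def has_validate_rule(spec):
    """True when at least one rule in the spec is a validate rule."""
    return any("validate" in rule for rule in spec.get("rules", []))


def fail_open_enforce_policies(policy_list):
    """Return (name, failurePolicy, webhookTimeoutSeconds) for each Enforce
    validation policy whose webhook failures are ignored (fail-open)."""
    findings = []
    for pol in policy_list.get("items", []):
        spec = pol.get("spec", {})
        if not (has_validate_rule(spec) and is_enforce(spec)):
            continue
        failure_policy = spec.get("failurePolicy", DEFAULT_FAILURE_POLICY)
        if failure_policy == "Ignore":
            name = pol.get("metadata", {}).get("name", "<unnamed>")
            timeout = spec.get("webhookTimeoutSeconds", DEFAULT_WEBHOOK_TIMEOUT_SECONDS)
            findings.append((name, failure_policy, timeout))
    return findings


# Constructed sample: the policy from the report (fail-open), a twin that
# leaves failurePolicy at its default (fail-closed), and an Audit policy.
_RULE = {
    "name": "disallow-annotations",
    "match": {"all": [{"resources": {"kinds": ["Pod"]}}]},
    "validate": {
        "message": "One or more annotations is not allowed per the policies disallowed values list.",
        "pattern": {"metadata": {"=(annotations)": {
            "=(kyverno-policies-test/key)": "!disallowed",
            "X(kyverno-policies-test/disallowed)": "?*"}}},
    },
}
SAMPLE_POLICY_LIST = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "disallow-annotations"},
         "spec": {"background": True, "failurePolicy": "Ignore",
                  "validationFailureAction": "Enforce",
                  "webhookTimeoutSeconds": 30, "rules": [_RULE]}},
        {"metadata": {"name": "disallow-annotations-failclosed"},
         "spec": {"validationFailureAction": "Enforce", "rules": [_RULE]}},
        {"metadata": {"name": "disallow-annotations-audit"},
         "spec": {"failurePolicy": "Ignore",
                  "validationFailureAction": "Audit", "rules": [_RULE]}},
    ],
}


def main():
    # Pipe `kubectl get cpol -o json` in; with no pipe, audit the sample.
    data = SAMPLE_POLICY_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    findings = fail_open_enforce_policies(data)
    for name, policy, timeout in findings:
        print(f"{name}: failurePolicy={policy}, webhookTimeoutSeconds={timeout} "
              f"-> fail-open; remediate with: kubectl patch cpol {name} "
              f"--type=merge -p '{REMEDIATION_PATCH}'")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as kubectl get cpol -o json | python3 audit_failopen.py in a cluster, or without input to see it flag the sample. A non-zero exit code makes it usable as a CI or admission-configuration gate, so a policy that is supposed to block cannot silently become advisory the way the report describes.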