kyverno: [Bug] after upgrading to Kyverno 1.8.0

Kyverno Version

1.8.0

Description

Hi,

After upgrading to Kyverno 1.8.0 I noticed this errors on Kubernetes 1.22.6;

I1011 15:02:30.144429       1 logr.go:261] dynamic-client "msg"="schema not found" "apiVersion"="coordination.k8s.io/v1" "error : "="kind 'coordination.k8s.io/*/Lease' not found in apiVersion '
E1011 15:02:30.146029       1 logr.go:279] resource-report-controller "msg"="failed to create watcher" "error"="the server does not allow this method on the requested resource" "gvr"={"Group":"
I1011 15:02:30.146089       1 logr.go:261] resource-report-controller "msg"="start watcher ..." "gvr"={"Group":"authorization.k8s.io","Version":"v1","Resource":"subjectaccessreviews"}
E1011 15:02:30.148831       1 logr.go:279] resource-report-controller "msg"="failed to create watcher" "error"="the server does not allow this method on the requested resource" "gvr"={"Group":"
I1011 15:02:30.148872       1 logr.go:261] resource-report-controller "msg"="start watcher ..." "gvr"={"Group":"authorization.k8s.io","Version":"v1","Resource":"localsubjectaccessreviews"}
E1011 15:02:30.151448       1 logr.go:279] resource-report-controller "msg"="failed to create watcher" "error"="the server could not find the requested resource" "gvr"={"Group":"authorization.k
I1011 15:02:30.151481       1 logr.go:261] resource-report-controller "msg"="start watcher ..." "gvr"={"Group":"batch","Version":"v1","Resource":"cronjobs"}
I1011 15:02:30.952177       1 logr.go:261] resource-report-controller "msg"="start watcher ..." "gvr"={"Group":"networking.k8s.io","Version":"v1","Resource":"ingresses"}
I1011 15:02:31.147448       1 logr.go:261] resource-report-controller "msg"="start watcher ..." "gvr"={"Group":"authorization.k8s.io","Version":"v1","Resource":"selfsubjectaccessreviews"}
E1011 15:02:31.236257       1 logr.go:279] resource-report-controller "msg"="failed to create watcher" "error"="the server does not allow this method on the requested resource" "gvr"={"Group":"
I1011 15:02:31.753833       1 logr.go:261] dynamic-client "msg"="schema not found" "apiVersion"="v1" "error : "="kind 'events.k8s.io/*/Event' not found in apiVersion 'v1'" "kind"="events.k8s.io
I1011 15:02:31.838766       1 logr.go:261] dynamic-client "msg"="schema not found" "apiVersion"="discovery.k8s.io/v1" "error : "="kind 'discovery.k8s.io/*/EndpointSlice' not found in apiVersion
I1011 15:02:31.851666       1 logr.go:261] resource-report-controller "msg"="start watcher ..." "gvr"={"Group":"authorization.k8s.io","Version":"v1","Resource":"subjectaccessreviews"}
E1011 15:02:32.036322       1 logr.go:279] resource-report-controller "msg"="failed to create watcher" "error"="the server does not allow this method on the requested resource" "gvr"={"Group":"
I1011 15:02:32.036402       1 logr.go:261] resource-report-controller "msg"="start watcher ..." "gvr"={"Group":"authentication.k8s.io","Version":"v1","Resource":"tokenreviews"}
E1011 15:02:32.040840       1 logr.go:279] resource-report-controller "msg"="failed to create watcher" "error"="the server does not allow this method on the requested resource" "gvr"={"Group":"
I1011 15:02:32.040876       1 logr.go:261] resource-report-controller "msg"="start watcher ..." "gvr"={"Group":"authorization.k8s.io","Version":"v1","Resource":"selfsubjectaccessreviews"}
E1011 15:02:32.043675       1 logr.go:279] resource-report-controller "msg"="failed to create watcher" "error"="the server does not allow this method on the requested resource" "gvr"={"Group":"
I1011 15:02:32.043725       1 logr.go:261] resource-report-controller "msg"="start watcher ..." "gvr"={"Group":"networking.k8s.io","Version":"v1","Resource":"ingresses"}

Kyverno is taking 100% cpu.

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 34 (30 by maintainers)

Most upvoted comments

I tried with 1.8.0 and 1.8.1, there were reports for Events, that’s crazy as it should be disallowed by the api server, I don’t even know how this is possible 🤔

Anyway, in 1.8.1 no reports are created for Events so it should help but I still see strange reports. I will check later and we will cut 1.8.2 as soon as this is fixed.

+4
eddycharly on Oct 17, 2022

👍 We will cut RC1 on Monday, let’s talk once it’s done.

+1
eddycharly on Oct 14, 2022

We had the problem on 4 clusters. They have from 20 to 50 nodes.

I’ll test it again today on the dev cluster, with all rules set to “background: false”.

+1
monotek on Oct 13, 2022

After removing the deprecated-api cpol things settled indeed. Will this be fixed in Kyverno 1.8.1?

Yes

+1
eddycharly on Oct 12, 2022
Read more comments on GitHub
← kyverno: [Bug] admission reports piled up causing etcd turned into read-only mode
kyverno: [Bug] Attestation verification fails if signatures differ →