kyverno: [BUG] Background scan doesn't work

Software version numbers

  • Kubernetes version: 1.19.10
  • Kyverno version: v1.4.2

Describe the bug

Background scan doesn’t work.

To Reproduce

Applying:

apiVersion: v1
kind: Namespace
metadata:
  name: test

Then:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test
  namespace: kyverno
spec:
  background: true
  validationFailureAction: audit # even with enforce
  rules:
    - name: test
      match:
        any:
          - resources:
              kinds:
                - Namespace
      validate:
        message: "Metadata label 'name' is required."
        pattern:
          metadata:
            labels:
              name: "?*"

Doesn’t raise any error in clusterpolicyreport.

Expected behavior

This should raise an error in a clusterpolicyreport because of background: true.
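The result the report above expects can be modelled independently of the cluster. This Python is an added example, not part of the original issue and not Kyverno's code: the function names and the sample Namespaces are constructed, and the matcher is a simplified stand-in for Kyverno's pattern engine (plain nested maps and `?`/`*` wildcards only).

```python
from fnmatch import fnmatchcase

# validate.pattern from the ClusterPolicy in this issue, as a Python dict.
PATTERN = {"metadata": {"labels": {"name": "?*"}}}

# Constructed sample Namespaces (not taken from any real cluster).
NAMESPACES = [
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "test"}},
    {"apiVersion": "v1", "kind": "Namespace",
     "metadata": {"name": "labelled", "labels": {"name": "labelled"}}},
    {"apiVersion": "v1", "kind": "Namespace",
     "metadata": {"name": "empty-label", "labels": {"name": ""}}},
]


def violations(pattern, resource, path=""):
    """Return the paths where `resource` does not satisfy `pattern`.

    Simplified model (an assumption of this example): nested maps are
    walked key by key, a missing key fails, and string leaves are
    wildcard patterns where `?` is one character and `*` is zero or
    more. Anchors, operators and lists are out of scope.
    """
    failed = []
    for key, expected in pattern.items():
        here = f"{path}/{key}"
        actual = resource.get(key) if isinstance(resource, dict) else None
        if isinstance(expected, dict):
            if isinstance(actual, dict):
                failed += violations(expected, actual, here)
            else:
                failed.append(here)
        elif not isinstance(actual, str) or not fnmatchcase(actual, expected):
            failed.append(here)
    return failed


def expected_report(namespaces, pattern=PATTERN):
    """Map each namespace name to the result a background scan should record."""
    return {
        ns["metadata"]["name"]: "fail" if violations(pattern, ns) else "pass"
        for ns in namespaces
    }


if __name__ == "__main__":
    for name, result in expected_report(NAMESPACES).items():
        print(f"{name}: {result}")
```

The `test` Namespace from the reproduction has no `labels` map at all, so it fails at `/metadata/labels`; that is the entry missing from the clusterpolicyreport.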

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 20 (11 by maintainers)

Most upvoted comments

@vyankyGH have you applied the resources before creating the ClusterPolicy for the ConfigMap?

Yes, I’m able to reproduce the issue. I have raised a PR. It will get fixed once the PR is merged.

I think we’re experiencing this too. Strangely, it seems that the background scan is “missing” namespaces. We see in the logs that only 3 out of several namespaces are being picked up.