kyverno: [Bug] "failed to create UpdateRequest"- labels issue

Kyverno Version

1.7.0

Description

Hello,

My team and I are setting up Kyverno on our clusters. We are in a phase of testing policies (Validating, Mutating, Generating). During the Mutating part, we tried to use this policy, which scales a deployment to zero if it is failing multiple times.

We did a basic deployment that was supposed to fail, and we saw that the policy wasn’t applied. In the logs of the Kyverno Pods we can see something like this:

E0613 10:28:15.204401       1 generator.go:66] updaterequest-generator "msg"="failed to create UpdateRequest, retrying" "error"="UpdateRequest.kyverno.io \"ur-8nfcp\" is invalid: metadata.labels: Invalid value: \"kyverno-test/scale-deployment-zero\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')" "kind"="Pod" "ruleType"="mutate" "name"="ur-" "namespace"="kyverno"

It seems the issue here is during the generation of the UpdateRequest object, because the label isn’t valid. It seems the generator is trying to define labels like this:

labels:
  "kyverno-test/scale-deployment-zero"

So we tried another mutating policy and it works perfectly. But in the logs we don’t see an UpdateRequest generation phase.

Do you have an idea of what is going on with the policy? We are a bit lost right now; I don’t know if this is a real issue or a configuration mistake.

FYI: Kyverno is deployed in the kyverno namespace, the policy and the deployment are in a kyverno-test namespace. I copy/pasted my policy + my deployment test in a comment below 👇🏻

Thanks for your help.

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
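
Added example (not from the issue or the Kyverno code base): a Go check that applies the label-value pattern quoted in the error above, plus the 63-character limit Kubernetes enforces on label values, to show why a namespace/name policy key is rejected. The policyLabels helper and its example.test/... label keys are hypothetical and are not the fix that was merged.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern quoted in the API server error above, anchored for a full match.
var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

// Kubernetes also caps label values at 63 characters.
const maxLabelValueLen = 63

// validateLabelValue returns nil when v is acceptable as a label value.
func validateLabelValue(v string) error {
	if len(v) > maxLabelValueLen {
		return fmt.Errorf("label value %q is longer than %d characters", v, maxLabelValueLen)
	}
	if !labelValueRe.MatchString(v) {
		return fmt.Errorf("label value %q does not match %s", v, labelValueRe)
	}
	return nil
}

// policyLabels is a hypothetical helper: it splits a "namespace/name" policy
// key into two label values so that no value contains '/'.
// The label keys are made up for this example.
func policyLabels(policyKey string) (map[string]string, error) {
	ns, name := "", policyKey
	if i := strings.Index(policyKey, "/"); i >= 0 {
		ns, name = policyKey[:i], policyKey[i+1:]
	}
	labels := map[string]string{
		"example.test/policy-namespace": ns,
		"example.test/policy-name":      name,
	}
	for k, v := range labels {
		if err := validateLabelValue(v); err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
	}
	return labels, nil
}

func main() {
	fmt.Println(validateLabelValue("kyverno-test/scale-deployment-zero")) // value from the log
	fmt.Println(policyLabels("kyverno-test/scale-deployment-zero"))
}
```

Running the same check in a unit test over every label value a controller builds catches this class of rejection before the API server does.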

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 19 (8 by maintainers)

Most upvoted comments

This is the policy used:

apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: sync-spot-controller-data
  annotations:
    policies.kyverno.io/title: Sync Spot Controller Data
    policies.kyverno.io/category: RightSizing
    policies.kyverno.io/subject: Spot.io
    policies.kyverno.io/minversion: 1.7.0
    policies.kyverno.io/description: >-
      Sync Secret and Configmap from kube-system namespace to cloud-services-system.
      Those objects are required to run spot-io-right-size-cm-update, to get spot
      recommendations and create/update configmaps with name <Deployment-Name>-rightsize.
spec:
  failurePolicy: Ignore
  generateExistingOnPolicyUpdate: true
  rules:
    - name: sync-spot-controller-secret
      match:
        all:
          - resources:
              kinds:
                - CronJob
              names:
                - spot-io-right-size-cm-update
      generate:
        apiVersion: v1
        kind: Secret
        name: spotinst-kubernetes-cluster-controller
        namespace: "{{request.object.metadata.namespace}}"
        synchronize: true
        clone:
          namespace: kube-system
          name: spotinst-kubernetes-cluster-controller
    - name: sync-spot-controller-configmap
      match:
        all:
          - resources:
              kinds:
                - CronJob
              names:
                - spot-io-right-size-cm-update
      generate:
        apiVersion: v1
        kind: ConfigMap
        name: spotinst-kubernetes-cluster-controller-config
        namespace: "{{request.object.metadata.namespace}}"
        synchronize: true
        clone:
          namespace: kube-system
          name: spotinst-kubernetes-cluster-controller-config

@vmarlier raised the PR to fix the bug, if you don’t mind, you can test the fix using the image ghcr.io/prateekpandey14/kyverno:fix-4104

(Are you planning to release a minor update soon?)

Yes, we are working on 1.7.1 minor release including this fix by early next week.

Also, I don’t know why Kyverno is trying to create an UpdateRequest object since it is a generation on this one, and there is a dedicated GenerateRequest CRD…

@vmarlier From Kyverno 1.7.0 onwards, GenerateRequest has been deprecated and replaced by the UpdateRequest resource; now an UpdateRequest resource gets created for each generate rule. While upgrading from a lower version to 1.7.0, a UR gets created for each GR in the cluster.