kyverno: [BUG] Kyverno crashes when applying policies

Describe the bug

Kyverno crashes when applying policies. Before the crash, pattern.go:229] "msg"="failed to convert to string" "error"="Could not convert \u003cnil\u003e to string" is printed numerous times in the log, then after a short period of time (5s-60s) the pod restarts. Upon describing the pod, the following events are listed:

Warning  Unhealthy  20s                kubelet, mynode.example  Readiness probe failed: Get https://172.20.4.196:443/health/readiness: dial tcp 172.20.4.196:443: connect: connection refused
Warning  Unhealthy  19s                kubelet, mynode.example  Liveness probe failed: Get https://172.20.4.196:443/health/liveness: dial tcp 172.20.4.196:443: connect: connection refused

install.yaml: https://raw.githubusercontent.com/kyverno/kyverno/v1.2.0/definitions/install.yaml

policies.yaml:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-policy-1
  annotations:
    policies.kyverno.io/category: Workload Isolation #TODO
    policies.kyverno.io/description: Kubernetes namespaces are an optional feature 
      that provide a way to segment and isolate cluster resources across multiple 
      applications and users. As a best practice, workloads should be isolated with 
      namespaces. Namespaces should be required and the default (empty) namespace 
      should not be used. #TODO
spec:
  background: false
  rules:
  - name: test-policy-1
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Test Policy!"
      pattern:
        metadata:
          labels:
            test: "1"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-policy-2
  annotations:
    policies.kyverno.io/category: Workload Isolation #TODO
    policies.kyverno.io/description: Kubernetes namespaces are an optional feature 
      that provide a way to segment and isolate cluster resources across multiple 
      applications and users. As a best practice, workloads should be isolated with 
      namespaces. Namespaces should be required and the default (empty) namespace 
      should not be used. #TODO
spec:
  background: false
  rules:
  - name: test-policy-2
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Test Policy!"
      pattern:
        metadata:
          labels:
            test: "2"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-policy-3
  annotations:
    policies.kyverno.io/category: Workload Isolation #TODO
    policies.kyverno.io/description: Kubernetes namespaces are an optional feature 
      that provide a way to segment and isolate cluster resources across multiple 
      applications and users. As a best practice, workloads should be isolated with 
      namespaces. Namespaces should be required and the default (empty) namespace 
      should not be used. #TODO
spec:
  background: false
  rules:
  - name: test-policy-3
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Test Policy!"
      pattern:
        metadata:
          labels:
            test: "3"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-policy-4
  annotations:
    policies.kyverno.io/category: Workload Isolation #TODO
    policies.kyverno.io/description: Kubernetes namespaces are an optional feature 
      that provide a way to segment and isolate cluster resources across multiple 
      applications and users. As a best practice, workloads should be isolated with 
      namespaces. Namespaces should be required and the default (empty) namespace 
      should not be used. #TODO
spec:
  background: true
  rules:
  - name: test-policy-4
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Test Policy!"
      pattern:
        metadata:
          labels:
            test: "4"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-policy-5
  annotations:
    policies.kyverno.io/category: Workload Isolation #TODO
    policies.kyverno.io/description: Kubernetes namespaces are an optional feature 
      that provide a way to segment and isolate cluster resources across multiple 
      applications and users. As a best practice, workloads should be isolated with 
      namespaces. Namespaces should be required and the default (empty) namespace 
      should not be used. #TODO
spec:
  background: true
  rules:
  - name: test-policy-5
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Test Policy!"
      pattern:
        metadata:
          labels:
            test: "5"

To Reproduce

Steps to reproduce the behavior:

  1. kubectl apply -f install.yaml
  2. kubectl apply -f policies.yaml
  3. kubectl logs -f <kyverno_pod>
  4. See error pattern.go:229] "msg"="failed to convert to string" "error"="Could not convert \u003cnil\u003e to string"
  5. kubectl describe pods <kyverno_pod>
  6. See event:
Warning  Unhealthy  20s                kubelet, mynode.example  Readiness probe failed: Get https://172.20.4.196:443/health/readiness: dial tcp 172.20.4.196:443: connect: connection refused
Warning  Unhealthy  19s                kubelet, mynode.example  Liveness probe failed: Get https://172.20.4.196:443/health/liveness: dial tcp 172.20.4.196:443: connect: connection refused

Expected behavior

Kyverno should not crash when applying policies.

Screenshots

n/a

Additional context

Kubernetes version: 1.16.8
Kyverno version: 1.2.0

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 17 (10 by maintainers)

Most upvoted comments

It seems to work on a fresh Kubernetes 1.16.8 cluster, therefore closing this issue. Created a new issue regarding the error log message: #1192