kyverno: [Bug] Kyverno ignores namespaceSelector for Generate Rules
Kyverno Version
1.7.2
Kubernetes Version
1.23.x
Kubernetes Platform
EKS
Kyverno Rule Type
Generate
Description
Hi,
we want to create a Kyverno Policy in all Namespaces that are labeled with “managed: true” and in the default namespace. It looks like Kyverno ignores the namespaceSelector and creates the Policy in most of the namespaces, but not in kube-* and the kyverno namespace itself. If we update an existing namespace without the label “managed: true”, the Kyverno Policy is also created.
Steps to reproduce
- Apply ClusterPolicy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: create-namespace-require-run-as-nonroot
  annotations:
    kyverno.io/kubernetes-version: 1.22-1.23
    kyverno.io/kyverno-version: 1.6.0
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/description: 'Containers must be required to run as non-root
      users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents
      a policy such as this using `anyPattern` from being persisted properly in Kubernetes
      1.23.0-1.23.2.'
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/title: Require runAsNonRoot
spec:
  rules:
    - name: create-namespace-require-run-as-nonroot
      match:
        any:
          # Namespaces carrying the label managed=true
          - resources:
              kinds:
                - Namespace
              namespaceSelector:
                matchExpressions:
                  - key: managed
                    operator: In
                    values:
                      - "true"
          # plus the default namespace
          - resources:
              kinds:
                - Namespace
              namespaces:
                - "default"
      generate:
        kind: Policy
        apiVersion: kyverno.io/v1
        name: namespace-require-run-as-nonroot
        namespace: "{{ request.object.metadata.name }}"
        # synchronize is a field of generate, not of the generated resource's data
        synchronize: true
        data:
          metadata:
            name: namespace-require-run-as-nonroot
            namespace: "{{request.object.metadata.name}}"
          spec:
            validationFailureAction: audit
            background: true
            rules:
              - name: namespace-require-run-as-nonroot
                match:
                  resources:
                    kinds:
                      - Pod
                validate:
                  message: >-
                    Running as root is not allowed.
                  anyPattern:
                    - spec:
                        containers:
                          - securityContext:
                              runAsNonRoot: true
- Create a new namespace without any label
kubectl create ns this-is-a-new-namespace
- Check UpdateRequests and the Policy in the namespace
kubectl get updaterequests -A
NAMESPACE   NAME       POLICY                                    RULETYPE   RESOURCEKIND   RESOURCENAME              RESOURCENAMESPACE   STATUS      AGE
kyverno     ur-566rr   create-namespace-require-run-as-nonroot   generate   Namespace      this-is-a-new-namespace                       Completed   42s
kubectl -n this-is-a-new-namespace get policies
NAME                               BACKGROUND   ACTION   READY
namespace-require-run-as-nonroot   true         audit    true
Expected behavior
Create the Kyverno Policy only for Namespaces with the label “managed: true” and for default.
For validating and mutating policies the namespaceSelector works without problems.
Screenshots
No response
Kyverno logs
No response
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
About this issue
- State: closed
- Created 2 years ago
- Comments: 21 (7 by maintainers)
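The report above checks one namespace by hand. The following script is an added example, not code from the issue or from the Kyverno project: it audits a whole cluster by comparing the namespaces that should carry the generated Policy (label managed=true, plus default) against the namespaces where a Policy of that name actually exists, and reports the unexpected ones. The two kubectl commands in the comments are assumed to be how the inputs are gathered; the sample data is constructed so the check runs offline.

```shell
#!/bin/sh
# Name of the Policy that the generate rule in the report creates.
POLICY_NAME="namespace-require-run-as-nonroot"

# Input 1: one line per namespace, "<name> <value of label managed>".
# Live data (assumed kubectl invocation, prints <none> when the label is absent):
#   kubectl get ns --no-headers -o custom-columns='NAME:.metadata.name,MANAGED:.metadata.labels.managed'
# Input 2: one line per Policy, "<namespace> <policy name>".
# Live data (assumed kubectl invocation):
#   kubectl get policies -A --no-headers -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name'

# Namespaces that the ClusterPolicy's match block intends to cover.
expected_namespaces() {
  printf '%s\n' "$1" | awk '$1 == "default" || $2 == "true" { print $1 }' | sort -u
}

# Namespaces in which the generated Policy actually exists.
actual_namespaces() {
  printf '%s\n' "$2" | awk -v p="$POLICY_NAME" '$2 == p { print $1 }' | sort -u
}

# Namespaces holding the generated Policy although they carry no managed=true
# label and are not default: one line per namespace, empty when all is well.
unexpected_namespaces() {
  expected=" $(expected_namespaces "$1" | tr '\n' ' ') "
  for ns in $(actual_namespaces "$1" "$2"); do
    case "$expected" in
      *" $ns "*) ;;                      # covered by the selector, fine
      *) printf '%s\n' "$ns" ;;          # generated where it should not be
    esac
  done
}

# Constructed sample data mirroring the reproduction in the report.
SAMPLE_NAMESPACES='default <none>
kube-system <none>
team-a true
this-is-a-new-namespace <none>'
SAMPLE_POLICIES='default namespace-require-run-as-nonroot
team-a namespace-require-run-as-nonroot
this-is-a-new-namespace namespace-require-run-as-nonroot
team-a some-other-policy'

echo "Namespaces with an unexpected generated Policy:"
unexpected_namespaces "$SAMPLE_NAMESPACES" "$SAMPLE_POLICIES"
```

On a live cluster, replace the two SAMPLE_* variables with the output of the kubectl commands given in the comments.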
Is it also possible that the ConfigMap configuration namespaceSelector is also impacted by this bug? My ConfigMap has the configuration:
Yet Kyverno is still generating reports on the monitoring namespace. Not trying to derail here, just making sure I’ve found an issue pertaining to my symptoms. Thanks
/assign
It looks like I can work on this. Picking this up 😊