kyverno: [Bug] Kyverno loops over generate and keeps tracking deleted namespaces

Kyverno Version

1.6.x

Kubernetes Version

1.21.x

Kubernetes Platform

GKE

Kyverno Rule Type

Generate

Description

Hi, on our cluster we are facing two problems, we have installed kyverno using helm with chart version 2.3.1. We have a set of generate policies that adds network policies to the namespaces that have a custom label, the problems are:

  1. When i label the namespace kyverno applies all the policies but loops indefinitely on applying the last one, even if it is already applied:
I0329 10:22:52.236658       1 generate.go:474] GenerateController "msg"="updated generate target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="NetworkPolicy" "genName"="default-deny" "genNamespace"="test-ddellarocca" "kind"="Namespace" "name"="test-ddellarocca" "namespace"="" "policy"="add-deny-all-networkpolicy" 
I0329 10:22:54.036206       1 generate.go:474] GenerateController "msg"="updated generate target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="NetworkPolicy" "genName"="default-deny" "genNamespace"="test-ddellarocca" "kind"="Namespace" "name"="test-ddellarocca" "namespace"="" "policy"="add-deny-all-networkpolicy" 
I0329 10:22:56.040055       1 generate.go:474] GenerateController "msg"="updated generate target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="NetworkPolicy" "genName"="default-deny" "genNamespace"="test-ddellarocca" "kind"="Namespace" "name"="test-ddellarocca" "namespace"="" "policy"="add-deny-all-networkpolicy" 
I0329 10:22:57.838344       1 generate.go:474] GenerateController "msg"="updated generate target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="NetworkPolicy" "genName"="default-deny" "genNamespace"="test-ddellarocca" "kind"="Namespace" "name"="test-ddellarocca" "namespace"="" "policy"="add-deny-all-networkpolicy" 
I0329 10:22:59.842633       1 generate.go:474] GenerateController "msg"="updated generate target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="NetworkPolicy" "genName"="default-deny" "genNamespace"="test-ddellarocca" "kind"="Namespace" "name"="test-ddellarocca" "namespace"="" "policy"="add-deny-all-networkpolicy" 
I0329 10:23:05.035673       1 generate.go:474] GenerateController "msg"="updated generate target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="NetworkPolicy" "genName"="default-deny" "genNamespace"="test-ddellarocca" "kind"="Namespace" "name"="test-ddellarocca" "namespace"="" "policy"="add-deny-all-networkpolicy" 
I0329 10:23:10.435933       1 generate.go:474] GenerateController "msg"="updated generate target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="NetworkPolicy" "genName"="default-deny" "genNamespace"="test-ddellarocca" "kind"="Namespace" "name"="test-ddellarocca" "namespace"="" "policy"="add-deny-all-networkpolicy" 
I0329 10:23:15.836649       1 generate.go:474] GenerateController "msg"="updated generate target resource" "apiVersion"="v1" "genAPIVersion"="" "genKind"="NetworkPolicy" "genName"="default-deny" "genNamespace"="test-ddellarocca" "kind"="Namespace" "name"="test-ddellarocca" "namespace"="" "policy"="add-deny-all-networkpolicy"
  1. If i delete the namespace before removing the label kyverno keep on asking to the api server the namespace whereas it should stop if the namespace doesn’t exists
I0329 10:24:33.228351       1 request.go:665] Waited for 1.997329454s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:34.427701       1 request.go:665] Waited for 2.391256384s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:35.428111       1 request.go:665] Waited for 2.397631074s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:36.628120       1 request.go:665] Waited for 2.39745307s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:37.827836       1 request.go:665] Waited for 1.996113302s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:38.828043       1 request.go:665] Waited for 1.997743029s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:39.828248       1 request.go:665] Waited for 1.797362657s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:41.028047       1 request.go:665] Waited for 1.798169948s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:42.028255       1 request.go:665] Waited for 1.797260591s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:43.228098       1 request.go:665] Waited for 1.797491508s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:45.234116       1 request.go:665] Waited for 2.002546635s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:46.428085       1 request.go:665] Waited for 1.797486218s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:47.627328       1 request.go:665] Waited for 1.595836768s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:49.628354       1 request.go:665] Waited for 1.996486703s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:50.828028       1 request.go:665] Waited for 1.996530022s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:51.828379       1 request.go:665] Waited for 1.997939753s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:53.027352       1 request.go:665] Waited for 1.595576416s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:54.027382       1 request.go:665] Waited for 1.596875848s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:55.028235       1 request.go:665] Waited for 1.596996055s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:56.227596       1 request.go:665] Waited for 1.596875537s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:57.227687       1 request.go:665] Waited for 1.59736527s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:58.227956       1 request.go:665] Waited for 1.597054363s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:24:59.228079       1 request.go:665] Waited for 1.596453935s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:00.243062       1 request.go:665] Waited for 1.609542063s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:02.428137       1 request.go:665] Waited for 1.997845292s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:03.627426       1 request.go:665] Waited for 2.189640728s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:04.627466       1 request.go:665] Waited for 2.102778288s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:05.827474       1 request.go:665] Waited for 2.195419002s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:06.827581       1 request.go:665] Waited for 1.796772865s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:07.827610       1 request.go:665] Waited for 1.997418464s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:08.828012       1 request.go:665] Waited for 2.197109983s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:11.228262       1 request.go:665] Waited for 2.396561739s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca
I0329 10:25:13.628192       1 request.go:665] Waited for 2.396597574s due to client-side throttling, not priority and fairness, request: GET:https://10.209.128.1:443/api/v1/namespaces/test-ddellarocca

Steps to reproduce

  1. Install kyverno on a cluster
  2. Apply a generate policy for a network policy that matches a custom label
  3. Watch kyverno logs to check looping on generate
  4. Delete the namespace without removing the label first
  5. In the kyverno logs it keeps asking api server for the namespace

Expected behavior

Kyverno should not loop over generating resources, and when i delete the namespace it should stop managing it.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 15 (5 by maintainers)

Most upvoted comments

Hi @prateekpandey14 thanks for the reply, I’m testing it right now and it seems to be working fine. I’ll let it run for a couple of days to check if there are any problem.

+1
ddellarocca on Apr 4, 2022
Read more comments on GitHub
← kyverno: [Bug] Kyverno JSON logs produce duplicate keys
kyverno: [BUG] Kyverno may silently fail to generate resource →