kyverno: [BUG] OwnerRefInvalidNamespace warnings on webhook configurations

Software version numbers State the version numbers of applications involved in the bug.

  • Kubernetes version: 1.20.5 (AKS)
  • Kyverno version: 1.3.5

Describe the bug Kyverno’s validating and mutating webhook configurations are giving us OwnerRefInvalidNamespace warnings with the message

ownerRef [extensions/v1beta1/Deployment, namespace: , name: kyverno, uid: 7e785db9-8088-4976-9f9e-0fdbb9032023] does not exist in namespace ""

This would suggest an invalid ownerRef which would cause issues with the garbage collection, but the webhooks seem to still be deleted as expected when the kyverno deployment is deleted despite this warning.

We can reproduce these warnings consistently by deleting and re-creating the kyverno deployment, but we’ve also had it happen once seemingly at random.

To Reproduce Steps to reproduce the behavior:

  1. Installed kyverno using a Flux Kustomization
  2. Deleted the kyverno deployment and let Flux reconcile it to re-create it
  3. Observed the warnings in Azure Monitor

Additional context We’re using Flux 2 to control the cluster state with GitOps, including Kyverno and its policies. Kyverno is installed in the kyverno namespace.

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 18 (11 by maintainers)

Most upvoted comments

@NoSkillGirl Just updated to 1.4.1 and that seems to have stopped the warnings. Thanks!

+1
jack-jarvis on Jul 6, 2021
Read more comments on GitHub
← kyverno: [BUG] Openshift DeploymentConfig resources being stripped of fields
kyverno: [Bug] Pod restart doesn't trigger when two rules combined in a policy →