kyverno: [Bug] policy match Kind case-sensitive

Kyverno Version

1.8.5

Description

I have an issue with a Kyverno ClusterPolicy skipping a resource it should match with. It seems like Kyverno only supports kinds beginning with capital letters.

This issue happens both in a running cluster and using the CLI to test the policy.

It doesn’t matter if I only write the Kind or the fully qualified kind Group/Version/Kind. It also doesn’t matter if the kind is upper or lower case in the ClusterPolicy match rule.

No matter what, it only matches if the kind for the resource starts with a capital letter. I am not able to change the CRD since it is owned by the postgres-operator repo, and I also believe this is a general issue.

To recreate

  1. Create the following three files in a folder

# policy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test
spec:
  generateExistingOnPolicyUpdate: true
  rules:
    - name: test-rule
      match:
        any:
          - resources:
              kinds:
                -  "acid.zalan.do/v1/postgresdb"
      generate:
        synchronize: true
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: dummy
        namespace: "{{request.object.metadata.namespace}}"
# postgres_lower.yaml
apiVersion: acid.zalan.do/v1
kind: postgresdb
metadata:
  name: acid-minimal-cluster
spec: {}
# postgres_upper.yaml
apiVersion: acid.zalan.do/v1
kind: Postgresdb
metadata:
  name: acid-minimal-cluster
spec: {}
  2. Then run the kyverno CLI to show the issue:
foo@bar test % kyverno apply policy.yaml --resource postgres_lower.yaml

Applying 1 policy rule to 1 resource...

pass: 0, fail: 0, warn: 0, error: 0, skip: 1

foo@bar test % kyverno apply policy.yaml --resource postgres_upper.yaml

Applying 1 policy rule to 1 resource...

pass: 1, fail: 0, warn: 0, error: 0, skip: 0 

As can be seen in the output, the kind: postgresdb is not matched but the kind: Postgresdb is, even though the rule is acid.zalan.do/v1/postgresdb

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 18 (8 by maintainers)

Most upvoted comments

I wasn’t aware that kind can start with a lowercase letter too.

Why does it compare title.String(kind) with gvk.Kind on line 26 in pkg/utils/match/kind.go?

That was sort of a way to allow users to specify kind as kinds: ["pod"] too, but now after seeing this case I feel rules should be strict. I saw a few existing policies that were defined with lowercase pod too, e.g.: https://github.com/kyverno/kyverno/blob/main/test/cli/test/wildcard_match_label_selector/policy.yaml

So am I reading line 25 incorrectly? There is a comment: // if the kind is not found in the subresourceGVKToAPIResource, then it is not a subresource. I read it as those that ain’t subresources, after line 25.

My bad, I think you are right, here we try to check the Kind itself, not the subresources.

@Vyom-Yadav - why does it compare title.String(kind) with gvk.Kind on line 26 in pkg/utils/match/kind.go?
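
A simplified model of the comparison discussed in the comments above (the policy kind is title-cased before being compared with the resource kind), as an added example that is not Kyverno's code or part of the original issue. The function names are hypothetical, titleFirst is a standard-library stand-in for title.String, and group/version matching is ignored; skippedByCase shows how such silently skipped kinds could be flagged.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// titleFirst is an assumed stand-in for the title.String call named in the
// comments: it upper-cases only the first letter of the kind.
func titleFirst(s string) string {
	r := []rune(s)
	if len(r) > 0 {
		r[0] = unicode.ToUpper(r[0])
	}
	return string(r)
}

// kindOf returns the last segment of "Kind" or "group/version/Kind".
func kindOf(pattern string) string {
	return pattern[strings.LastIndex(pattern, "/")+1:]
}

// matchTitled models the reported behaviour: title-case the policy kind, then compare exactly.
func matchTitled(pattern, resourceKind string) bool {
	return titleFirst(kindOf(pattern)) == resourceKind
}

// matchStrict compares the kind exactly as it is written in the policy.
func matchStrict(pattern, resourceKind string) bool {
	return kindOf(pattern) == resourceKind
}

// skippedByCase lists resource kinds the pattern names (ignoring case) that the
// title-cased comparison still skips: candidates for a silent policy gap.
func skippedByCase(pattern string, resourceKinds []string) []string {
	var out []string
	for _, k := range resourceKinds {
		if strings.EqualFold(kindOf(pattern), k) && !matchTitled(pattern, k) {
			out = append(out, k)
		}
	}
	return out
}

func main() {
	// Constructed input: the match pattern and the two resource kinds from the report.
	fmt.Println(skippedByCase("acid.zalan.do/v1/postgresdb", []string{"postgresdb", "Postgresdb"}))
}
```

With the kinds from the report, the title-cased comparison matches Postgresdb and skips postgresdb, which corresponds to the skip: 1 and pass: 1 results shown by the CLI.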