kyverno: [BUG] Scaling Deployment passing through validation

Software version numbers

  • Kubernetes version: 1.19.15
  • Kubernetes platform: EKS
  • Kyverno version: 1.5.7

Describe the bug: A validating ClusterPolicy that should validate the Deployment replica count allows scaling up/down with kubectl scale.

To Reproduce: Steps to reproduce the behavior:

  1. Create the ClusterPolicy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: nginx-test
spec:
  background: true
  failurePolicy: Fail
  rules:
  - match:
      resources:
        kinds:
        - Deployment
        names:
        - nginx-test
        namespaces:
        - default
    name: validate-nginx-test
    validate:
      message: 'nginx-test needs to have 0 replicas'
      pattern:
        spec:
          replicas: 0
  validationFailureAction: enforce
  2. Create the Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test
  labels:
    k8s-app: nginx-test
spec:
  replicas: 0
  selector:
    matchLabels:
      k8s-app: nginx-test
  template:
    metadata:
      labels:
        k8s-app: nginx-test
    spec:
      containers:
      - image: nginx
        name: nginx-test

  3. Scale the Deployment with kubectl scale deployment nginx-test --replicas=1
  4. Describe deployment nginx-test and see a PolicyViolation, but the Deployment itself is scaled up, even though the ClusterPolicy is in enforce mode
  Type     Reason             Age    From                   Message
  ----     ------             ----   ----                   -------
  Normal   ScalingReplicaSet  2m53s  deployment-controller  Scaled up replica set nginx-test-869bb55b75 to 1
  Warning  PolicyViolation    70s    policy-controller      policy 'nginx-test' (Validation) rule 'validate-nginx-test' failed. validation error: nginx-test needs to have 0 replicas. Rule validate-nginx-test failed at path /spec/replicas/

$kubectl get policyreports polr-ns-default -ojson | jq '.results[]|select(.result=="fail")'
{
  "message": "validation error: nginx-test needs to have 0 replicas. Rule validate-nginx-test failed at path /spec/replicas/",
  "policy": "nginx-test",
  "resources": [
    {
      "apiVersion": "apps/v1",
      "kind": "Deployment",
      "name": "nginx-test",
      "namespace": "default",
      "uid": "a7e79e2c-062a-4f49-8d04-8a2d22323e5c"
    }
  ],
  "result": "fail",
  "rule": "validate-nginx-test",
  "scored": true,
  "source": "Kyverno",
  "timestamp": {
    "nanos": 0,
    "seconds": 1643377416
  }
}

$kubectl get clusterpolicies
NAME                 BACKGROUND   ACTION    READY
nginx-test           true         enforce   true

Expected behavior: Scaling up/down to a replica count other than the one set in the ClusterPolicy shouldn't be allowed.
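The following is an added example, not code from the Kyverno project or from the issue author. It is a small Python model of the admission-time behaviour behind this report. `kubectl scale` does not update the Deployment object directly; it writes the `deployments/scale` subresource, so the admission request the webhook sees carries kind `autoscaling/v1 Scale` with `subResource: "scale"` rather than kind `Deployment`. A rule that matches on `kinds: [Deployment]` therefore never evaluates that request, the scale is admitted, and only the later background scan of the stored Deployment fails the pattern and produces the PolicyReport entry shown above. The two AdmissionReview request documents and the Deployment object below are constructed to mirror that shape; the `Kind/subresource` match spelling (`Deployment/scale`) and the `RESOURCE_TO_KIND` table are assumptions made for the model, not a description of Kyverno 1.5.7's internals.

```python
"""Model of why a Kyverno 1.5 validate rule on kind Deployment misses `kubectl scale`."""
from __future__ import annotations

from typing import Any

# Validate pattern from the ClusterPolicy in the report: spec.replicas must equal 0.
PATTERN = {"spec": {"replicas": 0}}

# Match block as written in the report (kinds/names/namespaces only).
RULE_DEPLOYMENT = {"kinds": ["Deployment"], "names": ["nginx-test"], "namespaces": ["default"]}
# Assumed subresource-aware spelling; this is NOT how Kyverno 1.5.7 matches.
RULE_SCALE = {"kinds": ["Deployment/scale"], "names": ["nginx-test"], "namespaces": ["default"]}

# Toy discovery table mapping a resource name to its parent kind (assumption for the model).
RESOURCE_TO_KIND = {"deployments": "Deployment"}

META = {"name": "nginx-test", "namespace": "default"}

# Constructed request: `kubectl edit`/`apply` changing replicas on the Deployment itself.
EDIT_REQUEST: dict[str, Any] = {
    "operation": "UPDATE",
    "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
    "resource": {"group": "apps", "version": "v1", "resource": "deployments"},
    "subResource": "",
    "namespace": "default",
    "name": "nginx-test",
    "object": {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": META,
               "spec": {"replicas": 1, "selector": {"matchLabels": {"k8s-app": "nginx-test"}}}},
}

# Constructed request: `kubectl scale deployment nginx-test --replicas=1` (deployments/scale subresource).
SCALE_REQUEST: dict[str, Any] = {
    "operation": "UPDATE",
    "kind": {"group": "autoscaling", "version": "v1", "kind": "Scale"},
    "resource": {"group": "apps", "version": "v1", "resource": "deployments"},
    "subResource": "scale",
    "namespace": "default",
    "name": "nginx-test",
    "object": {"apiVersion": "autoscaling/v1", "kind": "Scale", "metadata": META, "spec": {"replicas": 1}},
}

# Constructed: the Deployment as stored after the scale went through, as the background scan sees it.
SCALED_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": META, "spec": {"replicas": 1}}


def request_kinds(req: dict[str, Any]) -> set[str]:
    """Kinds a request can be matched under: the object's own kind, plus
    Parent/subresource when the request targets a subresource."""
    kinds = {req["kind"]["kind"]}
    sub = req.get("subResource")
    if sub:
        parent = RESOURCE_TO_KIND.get(req["resource"]["resource"])
        if parent:
            kinds.add(f"{parent}/{sub}")
    return kinds


def rule_matches(rule: dict[str, Any], req: dict[str, Any]) -> bool:
    """Kind, name and namespace selection, in the spirit of match.resources."""
    if not request_kinds(req) & set(rule["kinds"]):
        return False
    if rule.get("names") and req["name"] not in rule["names"]:
        return False
    if rule.get("namespaces") and req["namespace"] not in rule["namespaces"]:
        return False
    return True


def validate_pattern(pattern: dict[str, Any], obj: Any, path: str = "/") -> list[str]:
    """Every key in the pattern must exist in obj with an equal value; maps recurse.
    Error paths use the same /a/b/ form as the message in the report."""
    errors: list[str] = []
    for key, want in pattern.items():
        child = f"{path}{key}/"
        if not isinstance(obj, dict) or key not in obj:
            errors.append(f"missing path {child}")
        elif isinstance(want, dict):
            errors.extend(validate_pattern(want, obj[key], child))
        elif obj[key] != want:
            errors.append(f"failed at path {child}")
    return errors


def admit(rule: dict[str, Any], pattern: dict[str, Any], req: dict[str, Any]) -> tuple[bool, str]:
    """Enforce-mode decision: (allowed, reason). Unmatched requests are never evaluated."""
    if not rule_matches(rule, req):
        return True, "rule not matched; request admitted without evaluation"
    errors = validate_pattern(pattern, req["object"])
    if errors:
        return False, "; ".join(errors)
    return True, "matched and valid"


if __name__ == "__main__":
    print("edit Deployment, kinds=[Deployment]:", admit(RULE_DEPLOYMENT, PATTERN, EDIT_REQUEST))
    print("kubectl scale, kinds=[Deployment]:  ", admit(RULE_DEPLOYMENT, PATTERN, SCALE_REQUEST))
    print("kubectl scale, kinds=[Deployment/scale]:", admit(RULE_SCALE, PATTERN, SCALE_REQUEST))
    print("background scan of stored Deployment:", validate_pattern(PATTERN, SCALED_DEPLOYMENT))
```

Running the block shows the three outcomes side by side: the direct Deployment update is denied, the Scale request slips past the `Deployment` rule and is admitted, and the same pattern applied to the stored object afterwards fails at `/spec/replicas/`, which is exactly the split between "scaled up" and "PolicyViolation" in the report. The assumed `Deployment/scale` rule denies the Scale request because the Scale object carries its own `spec.replicas`, so the existing pattern applies to it unchanged.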

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 16 (10 by maintainers)

Most upvoted comments

This issue is covered in an LFX Mentorship posted here: https://mentorship.lfx.linuxfoundation.org/project/9ac41a72-62f4-48e9-8630-5f9be261e2bf

There are multiple applicants and preference will be given to them first.