kyverno: [BUG] Validate that negation anchor is empty or null

Software version numbers

State the version numbers of applications involved in the bug.

  • Kubernetes version: 1.19.3
  • Kyverno version: 1.3.5

Describe the bug

Kyverno needs to validate an incoming rule: if the negation anchor (X(foo)) is specified for a field, that field's value needs to be null, nil, or undefined. It should not have a value in it.

To Reproduce

Steps to reproduce the behavior:

  1. Create this policy. See that - X(key): "node-role.kubernetes.io/master" is used here.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-controlplane-scheduling
  annotations:
    policies.kyverno.io/title: Restrict control plane scheduling
    policies.kyverno.io/category: Sample
    policies.kyverno.io/description: >-
      This policy prevents users from setting a toleration
      in a Pod spec which allows running on control plane nodes
      with the taint key "node-role.kubernetes.io/master".
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: restrict-controlplane-scheduling
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: Pods may not use tolerations which schedule on control plane nodes.
      pattern:
        spec:
          =(tolerations):
            - X(key): "node-role.kubernetes.io/master"
  2. Notice Kyverno allows this to be created even though the negation anchor does not work by supplying a value (it checks that the key is not defined, not that its value is not present).

Expected behavior

Kyverno should reject this policy because the value of the negated field is non-null.

Additional context

This is how the same policy should be written instead:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-controlplane-scheduling
  annotations:
    policies.kyverno.io/title: Restrict control plane scheduling
    policies.kyverno.io/category: Sample
    policies.kyverno.io/description: >-
      This policy prevents users from setting a toleration
      in a Pod spec which allows running on control plane nodes
      with the taint key "node-role.kubernetes.io/master".
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: restrict-controlplane-scheduling-master
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: Pods may not use tolerations which schedule on control plane nodes.
      pattern:
        spec:
          =(tolerations):
            - key: "!node-role.kubernetes.io/master"
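As an added illustration of the policy-admission check this issue asks for (example code, not Kyverno's own implementation): a walker over a decoded validate.pattern tree that reports every X(...) negation anchor whose value is not null. The pattern from the report above is embedded as the failing input; the passing input is a constructed pattern with the anchor value left null.

```go
package main

import (
	"fmt"
	"strings"
)

// isNegationAnchor reports whether a pattern key uses the X(...) negation anchor.
func isNegationAnchor(key string) bool {
	return strings.HasPrefix(key, "X(") && strings.HasSuffix(key, ")")
}

// negationAnchorErrors walks a decoded validate.pattern tree (maps, slices, scalars,
// as a YAML decoder would produce) and returns one error per negation anchor whose
// value is not null. Assumed checker for illustration, not Kyverno's own code.
func negationAnchorErrors(path string, node interface{}) []string {
	var errs []string
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			childPath := path + "." + k
			if isNegationAnchor(k) && child != nil {
				errs = append(errs, fmt.Sprintf("%s: negation anchor must have a null value, got %v", childPath, child))
			}
			errs = append(errs, negationAnchorErrors(childPath, child)...)
		}
	case []interface{}:
		for i, child := range v {
			errs = append(errs, negationAnchorErrors(fmt.Sprintf("%s[%d]", path, i), child)...)
		}
	}
	return errs
}

// buggyPattern is the pattern from the issue: the anchor carries a value, so it only
// checks that "key" is absent; a policy using it should be rejected on admission.
var buggyPattern = map[string]interface{}{
	"spec": map[string]interface{}{
		"=(tolerations)": []interface{}{
			map[string]interface{}{"X(key)": "node-role.kubernetes.io/master"},
		},
	},
}

// validPattern is a constructed pattern whose anchor value is null ("hostNetwork must not exist").
var validPattern = map[string]interface{}{"spec": map[string]interface{}{"X(hostNetwork)": nil}}

func main() {
	fmt.Println(negationAnchorErrors("pattern", buggyPattern)) // one error
	fmt.Println(negationAnchorErrors("pattern", validPattern)) // []
}
```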

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (15 by maintainers)

Most upvoted comments

Yes, it seems like improving the docs and comments is the best we can do for now.

But looking back, it brought lots of confusion with the negation anchor, people were struggling with null, nil, “”. After we introduce schema validation for validate policies, I believe what you suggested is the clearest solution.

I’m moving this issue out of the 1.4.2 milestone, @vyankd - can we add comments in the samples and add notes in the doc?

Having a hard time understanding what you mean. What I was trying to say was that Kyverno should validate these policies before they’re accepted and reject if the negation is used on a key which specifies a value.