kyverno: [Bug] Webhooks are removed when Kyverno deployment scaled to zero
Kyverno Version
1.9.0
Kubernetes Version
1.26.x
Kubernetes Platform
Minikube
Kyverno Rule Type
Validate
Description
Hi all!
Since version 1.9.0 the validatingwebhookconfiguration kyverno-resource-validating-webhook-cfg gets deleted when the deployment is scaled down to 0.
If there is no webhook in place anymore, creation of resources is not blocked anymore as it was with prior versions (considering flag failurePolicy: Fail). This potentially opens the door for attackers.
I know this feature came into play to clean up webhooks when uninstalling with helm. There it is fine. But I don’t see that it also has to be cleaned up when “just” scaling down.
What do you think?
Steps to reproduce
- scale down deployment to 0 with kubectl scale deploy kyverno --replicas=0 -n kyverno
- webhook is gone, check with kubectl get validatingwebhookconfiguration kyverno-resource-validating-webhook-cfg -n kyverno
Expected behavior
Webhook should still be in place. Creation of resources affected should fail when failurePolicy: Fail, should be okay when failurePolicy: Ignore
Screenshots
No response
Kyverno logs
No response
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
About this issue
- State: closed
- Created a year ago
- Reactions: 1
- Comments: 18 (8 by maintainers)
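A check for the condition reported above, as an added example that is not part of the issue or of Kyverno's code: it classifies whether requests are enforced, rejected (fail-closed) or admitted unchecked (fail-open) from parsed `kubectl get ... -o json` output. The function names and the sample objects are constructed for illustration; only the webhook configuration name and the failurePolicy values come from the issue.

```python
WEBHOOK_NAME = "kyverno-resource-validating-webhook-cfg"  # name from the issue


def admission_posture(deployment, webhook_list, name=WEBHOOK_NAME):
    """Return (state, reason) for requests the Kyverno validating webhook covers.

    deployment   -- parsed Deployment object
    webhook_list -- parsed ValidatingWebhookConfigurationList
    """
    # status.readyReplicas is omitted from the object when it is zero.
    ready = deployment.get("status", {}).get("readyReplicas", 0)
    cfg = next((c for c in webhook_list.get("items", [])
                if c["metadata"]["name"] == name), None)
    if cfg is None or not cfg.get("webhooks"):
        # The state described in the issue: nothing is sent for validation.
        return ("fail-open", "no webhook registered, the API server never asks Kyverno")
    if ready > 0:
        return ("enforcing", f"{ready} ready replica(s) behind the webhook")
    # admissionregistration.k8s.io/v1 defaults failurePolicy to Fail.
    policies = {w.get("failurePolicy", "Fail") for w in cfg["webhooks"]}
    if policies == {"Fail"}:
        return ("fail-closed", "webhook unreachable, matching requests are rejected")
    return ("fail-open", "webhook unreachable and failurePolicy Ignore admits requests")


def sample_deploy(ready):
    """Constructed sample Deployment, trimmed to the fields used above."""
    status = {"readyReplicas": ready} if ready else {}
    return {"kind": "Deployment",
            "metadata": {"name": "kyverno", "namespace": "kyverno"},
            "spec": {"replicas": ready}, "status": status}


def sample_webhooks(*failure_policies):
    """Constructed sample list; no arguments means the configuration is gone."""
    items = []
    if failure_policies:
        items.append({"metadata": {"name": WEBHOOK_NAME},
                      "webhooks": [{"name": f"sample-{i}.example", "failurePolicy": p}
                                   for i, p in enumerate(failure_policies)]})
    return {"kind": "ValidatingWebhookConfigurationList", "items": items}


if __name__ == "__main__":
    for label, policies in [("1.9.0 scaled to 0", ()), ("expected, Fail", ("Fail",)),
                            ("expected, Ignore", ("Ignore",))]:
        print(label, admission_posture(sample_deploy(0), sample_webhooks(*policies)))
```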
Thanks. This does seem like a problem so I’ll create a new issue.
On the other hand, scaling down kyverno to 0 and keeping the webhooks around is going to make the cluster unhappy. We want to prevent outages as much as possible.