[BUG] auto-gen should not update metadata paths #1805
There are use cases that we want to update metadata:

```yaml
...
spec:
  template:
    metadata:
      ...
    spec:
```

From the Slack conversation, the match resources have both

Yes, this is referring to the top-level metadata only
Rethinking based on @realshuting's insights above... perhaps the only thing we need to make sure of is that if multiple controllers are specified in the policy, Kyverno does not apply any auto-gen behaviors.

For example, this policy should not trigger any auto-gen rules:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-old-flux
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: block-old-flux
    match:
      resources:
        kinds:
        - Deployment
        - CronJob
        - Job
        - StatefulSet
        - DaemonSet
        - Pod
    validate:
      message: Cannot use old Flux v1 annotation.
      pattern:
        metadata:
          =(annotations):
            X(fluxcd.io/*): "*?"
```

But this policy will (as it only is on the pod) and the controller level rules will update:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-old-flux
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: block-old-flux
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: Cannot use old Flux v1 annotation.
      pattern:
        metadata:
          =(annotations):
            X(fluxcd.io/*): "*?"
```

Does that make sense? Any other constraints?
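One way to model the constraint proposed in the comment above, as an added example that is neither Kyverno's own auto-gen code nor something posted in this thread: a rule is eligible for auto-gen only if it matches `Pod` and names no pod controller itself; an eligible rule's pattern is re-rooted under each controller's pod template, which is what turns the pod-level `metadata` check into `spec.template.metadata` on a Deployment. Assumptions (not from the page): the controller list is the set of kinds in the first policy, the template paths (`spec.template`, and `spec.jobTemplate.spec.template` for CronJob) follow Kyverno's documented auto-gen nesting, and the `autogen-<kind>-<rule>` naming is a hypothetical scheme chosen for readability.

```python
import copy

# Pod controllers auto-gen would derive rules for. Assumption: the kinds
# listed in the first policy above (CronJob wraps a Job template).
POD_CONTROLLERS = ("DaemonSet", "Deployment", "Job", "StatefulSet", "CronJob")

# Path from the controller object to its pod template. Assumption: follows
# the documented auto-gen nesting, spec.template for most controllers and
# spec.jobTemplate.spec.template for CronJob.
TEMPLATE_PATH = {
    "DaemonSet": ("spec", "template"),
    "Deployment": ("spec", "template"),
    "Job": ("spec", "template"),
    "StatefulSet": ("spec", "template"),
    "CronJob": ("spec", "jobTemplate", "spec", "template"),
}

# The validate pattern from the block-old-flux policy in the comment.
FLUX_PATTERN = {"metadata": {"=(annotations)": {"X(fluxcd.io/*)": "*?"}}}


def make_rule(kinds, name="block-old-flux", pattern=FLUX_PATTERN):
    """Build a rule dict shaped like the rules in the two policies above."""
    return {
        "name": name,
        "match": {"resources": {"kinds": list(kinds)}},
        "validate": {
            "message": "Cannot use old Flux v1 annotation.",
            "pattern": copy.deepcopy(pattern),
        },
    }


def autogen_applies(rule):
    """The proposed constraint: auto-gen only for a rule that matches Pod and
    names no controller itself. A rule that already lists controllers is
    taken as the author's explicit intent and left alone."""
    kinds = rule["match"]["resources"]["kinds"]
    return "Pod" in kinds and not any(k in POD_CONTROLLERS for k in kinds)


def reroot(pattern, path):
    """Nest a pod-level pattern under a controller's template path, so a pod
    'metadata' check becomes e.g. spec.template.metadata."""
    out = copy.deepcopy(pattern)
    for key in reversed(path):
        out = {key: out}
    return out


def autogen_rules(rule):
    """Return the controller rules auto-gen would add for `rule`, or an empty
    list when the constraint says auto-gen must not run. The input rule is
    not modified. Names use the hypothetical 'autogen-<kind>-<name>' scheme."""
    if not autogen_applies(rule):
        return []
    generated = []
    for kind in POD_CONTROLLERS:
        new = copy.deepcopy(rule)
        new["name"] = f"autogen-{kind.lower()}-{rule['name']}"
        new["match"]["resources"]["kinds"] = [kind]
        new["validate"]["pattern"] = reroot(rule["validate"]["pattern"], TEMPLATE_PATH[kind])
        generated.append(new)
    return generated


if __name__ == "__main__":
    # First policy: controllers listed explicitly, so nothing is generated.
    multi = make_rule(["Deployment", "CronJob", "Job", "StatefulSet", "DaemonSet", "Pod"])
    print(len(autogen_rules(multi)))
    # Second policy: Pod only, so one re-rooted rule per controller.
    for r in autogen_rules(make_rule(["Pod"])):
        print(r["name"], r["validate"]["pattern"])
```

Running the file prints `0` for the first policy and five rules for the second; the Deployment rule's pattern is `spec.template.metadata...`, the CronJob rule's is `spec.jobTemplate.spec.template.metadata...`. Deep-copying the pattern in `reroot` matters: sharing the nested dict between the Pod rule and its generated rules would let a later mutation of one rule silently change the others.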
I agree with this. And further, this use case is an example for the need for allowing a wildcard (

Yes, and the only reason the policy with the multiple

Yes, it's certainly conceivable, but what we need to determine is whether this is a common real-world use case which justifies the performance penalty of evaluating the rule for each admission review request, including ones like

That's exactly right, yes.
Software version numbers
1.3.4-rc4
Describe the bug
The auto-gen feature translates pod level paths under `spec` to `spec.template.spec` for pod controllers. However, it seems like it also attempts to translate metadata paths.
See slack discussion: https://kubernetes.slack.com/archives/CLGR9BJU9/p1618520060345800
To Reproduce
Use policy:
Use this resource:
This updates the CronJob to:
Expected behavior
The metadata path is not updated.