[BUG] Panic in ForceMutate #1896
Comments
I have researched the issue. The reason is invalid strategic merge patch logic when handling the array of maps.

Policy:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-safe-to-evict
  annotations:
    policies.kyverno.io/category: Workload Management
    policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that
      use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation
      cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
spec:
  rules:
  - name: annotate-empty-dir
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:
          volumes:
          - (emptyDir): {}
  - name: annotate-host-path
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:
          volumes:
          - (hostPath):
              path: "*"
```

Patch:

```json
{"spec": {"template": {"metadata": {"annotations": {"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}}, "spec": {"volumes": []}}}}
```

Resource:

Patched Resource:
Sorry for this format. I'm not controlling the resource that will be created, so it is this large. If you look at the first rule, you will see:

```yaml
volumes:
- (emptyDir): {}
```

After this part is processed, we have the patch provided above. Is it a correct patch? Do we really expect volumes to be empty there?

cc: @realshuting

```json
{"spec": {"template": {"metadata": {"annotations": {"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}}}}}
```
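A simplified model of the anchor stripping discussed in this thread, added here as an illustration and not Kyverno's own code. `strip`, `renderPatch` and `overlay` are hypothetical names, and the sketch assumes that `(key)` condition anchors are removed from the patch and `+(key)` anchors are unwrapped. Without pruning it reproduces the `"volumes": []` patch quoted above; with pruning the emptied key is omitted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed input: rule annotate-empty-dir as applied to a pod template.
const overlay = `{"spec":{"template":{"metadata":{"annotations":
  {"+(cluster-autoscaler.kubernetes.io/safe-to-evict)":"true"}},"spec":{"volumes":[{"(emptyDir)":{}}]}}}}`

// strip removes "(key)" condition anchors and unwraps "+(key)" anchors. Its
// second result reports that a non-empty map or list was emptied. Emptied list
// elements are always dropped; with prune, emptied values leave their parent too.
func strip(node any, prune bool) (any, bool) {
	switch n := node.(type) {
	case map[string]any:
		out := map[string]any{}
		for k, v := range n {
			if strings.HasPrefix(k, "(") && strings.HasSuffix(k, ")") {
				continue // a condition selects resources; it is not patch data
			}
			if strings.HasPrefix(k, "+(") && strings.HasSuffix(k, ")") {
				k = k[2 : len(k)-1]
			}
			if child, emptied := strip(v, prune); !(emptied && prune) {
				out[k] = child
			}
		}
		return out, len(out) == 0 && len(n) > 0
	case []any:
		out := []any{}
		for _, v := range n {
			if child, emptied := strip(v, prune); !emptied {
				out = append(out, child)
			}
		}
		return out, len(out) == 0 && len(n) > 0
	default:
		return node, false
	}
}

// renderPatch parses an overlay, strips its anchors and returns compact JSON.
func renderPatch(src string, prune bool) (string, error) {
	var doc any
	if err := json.Unmarshal([]byte(src), &doc); err != nil {
		return "", err
	}
	patch, _ := strip(doc, prune)
	out, err := json.Marshal(patch)
	return string(out), err
}

func main() {
	for _, prune := range []bool{false, true} {
		fmt.Println(renderPatch(overlay, prune))
	}
}
```

A list element that consists only of a condition carries no patch data, so a consumer of the stripped patch has to cope with either an empty list or a missing key.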
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* finished walkMap
* added validation to the patchStrategicMerge
* finished fixing tests
* fixed part of old tests
* patchStrategicMerge anchor preprocessing is finished
* fix #1915 and #1896
* fix lint errors
* removed debug logs
* added failing test
* Fix unnecessary deletion
Software version numbers
State the version numbers of applications involved in the bug.
Describe the bug
When installing policy `test/best_practices/add_safe_to_evict.yaml`, Kyverno throws a panic:

cc @kacejot