[BUG] Panic in ForceMutate #1896

Closed
realshuting opened this issue May 7, 2021 · 3 comments · Fixed by #2156
Labels
bug Something isn't working mutation Issues pertaining to the mutate ability.

Comments

@realshuting
Member

Software version numbers
State the version numbers of applications involved in the bug.

  • Kyverno version: v1.3.6-rc2

Describe the bug
When installing policy test/best_practices/add_safe_to_evict.yaml, Kyverno throws a panic:

2021/05/07 22:36:09 http: panic serving 172.17.0.1:23739: runtime error: index out of range [0] with length 0
goroutine 16379 [running]:
net/http.(*conn).serve.func1(0xc00117f220)
	/usr/local/go/src/net/http/server.go:1801 +0x147
panic(0x1b9cbe0, 0xc0009db720)
	/usr/local/go/src/runtime/panic.go:975 +0x3e9
github.com/kyverno/kyverno/pkg/engine/mutate.checkConditionOnArray(0x3093e18, 0x0, 0x0, 0xc000c2eae0, 0x1, 0x1, 0xc0020af470, 0xe, 0xc0012f9e98, 0x4528fe, ...)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/overlayCondition.go:80 +0x4ce
github.com/kyverno/kyverno/pkg/engine/mutate.checkConditions(0x23c34e0, 0xc0003fc080, 0x1944f60, 0xc0013aa8c0, 0x1944f60, 0xc000b2a000, 0xc0020af470, 0xe, 0xe, 0x0, ...)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/overlayCondition.go:48 +0x5dd
github.com/kyverno/kyverno/pkg/engine/mutate.validateNonAnchorOverlayMap(0xc001f622a0, 0xc00473ac90, 0xc0020af46a, 0x6, 0x1, 0x0, 0x0, 0x0, 0x0)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/overlayCondition.go:173 +0x1fb
github.com/kyverno/kyverno/pkg/engine/mutate.checkConditionOnMap(0xc001f622a0, 0xc00473a900, 0xc0020af46a, 0x6, 0x6, 0xc0020af46a, 0x6, 0x6, 0xc0012fa218)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/overlayCondition.go:66 +0x1dd
github.com/kyverno/kyverno/pkg/engine/mutate.checkConditions(0x23c34e0, 0xc0003fc080, 0x1a3ac60, 0xc001f622a0, 0x1a3ac60, 0xc00473a900, 0xc0020af46a, 0x6, 0x6, 0x0, ...)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/overlayCondition.go:45 +0x492
github.com/kyverno/kyverno/pkg/engine/mutate.validateNonAnchorOverlayMap(0xc001f620f0, 0xc00473ab70, 0x1c9b6b6, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/overlayCondition.go:173 +0x1fb
github.com/kyverno/kyverno/pkg/engine/mutate.checkConditionOnMap(0xc001f620f0, 0xc00473a870, 0x1c9b6b6, 0x1, 0x2c, 0xc0010f6d80, 0xc, 0xc, 0x1ca227e)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/overlayCondition.go:66 +0x1dd
github.com/kyverno/kyverno/pkg/engine/mutate.checkConditions(0x23c3f00, 0xc0041ad680, 0x1a3ac60, 0xc001f620f0, 0x1a3ac60, 0xc00473a870, 0x1c9b6b6, 0x1, 0xc0041ad680, 0x7f251d0fdf18, ...)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/overlayCondition.go:45 +0x492
github.com/kyverno/kyverno/pkg/engine/mutate.meetConditions(...)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/overlayCondition.go:15
github.com/kyverno/kyverno/pkg/engine/mutate.ProcessStrategicMergePatch(0xc0009db680, 0x12, 0x1a3ac60, 0xc00473a870, 0xc001f620f0, 0x23c3f00, 0xc0041ad680, 0xc0009db680, 0x12, 0x1ca0cca, ...)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/mutate/strategicMergePatch.go:33 +0x43e
github.com/kyverno/kyverno/pkg/engine.ForceMutate(0x0, 0x0, 0xc001a678e0, 0xd, 0xc001a678b0, 0xd, 0xc0014926e0, 0x11, 0x0, 0x0, ...)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/engine/forceMutate.go:93 +0xb38
github.com/kyverno/kyverno/pkg/openapi.(*Controller).ValidatePolicyMutation(0xc000076a80, 0xc001a678e0, 0xd, 0xc001a678b0, 0xd, 0xc0014926e0, 0x11, 0x0, 0x0, 0x0, ...)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/openapi/validation.go:134 +0x568
github.com/kyverno/kyverno/pkg/openapi.(*Controller).ValidatePolicyFields(...)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/openapi/validation.go:80
github.com/kyverno/kyverno/pkg/policy.Validate(0xc0014fab60, 0xc0002c8280, 0xc0041bd500, 0xc000076a80, 0x0, 0x0)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/policy/validate.go:166 +0x5b8
github.com/kyverno/kyverno/pkg/webhooks.(*WebhookServer).policyValidation(0xc0007c6900, 0xc0014fa820, 0x0)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/webhooks/policyvalidation.go:41 +0x5cb
github.com/kyverno/kyverno/pkg/webhooks.(*WebhookServer).handlerFunc.func1(0x23b4140, 0xc000d907e0, 0xc001b0c200)
	/Users/shutingzhao/go/src/github.com/realshuting/kyverno/pkg/webhooks/server.go:276 +0x437
net/http.HandlerFunc.ServeHTTP(0xc004907be0, 0x23b4140, 0xc000d907e0, 0xc001b0c200)
	/usr/local/go/src/net/http/server.go:2042 +0x44
github.com/julienschmidt/httprouter.(*Router).Handler.func1(0x23b4140, 0xc000d907e0, 0xc001b0c200, 0x0, 0x0, 0x0)
	/Users/shutingzhao/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:275 +0x1e7
github.com/julienschmidt/httprouter.(*Router).ServeHTTP(0xc004911680, 0x23b4140, 0xc000d907e0, 0xc001b0c200)
	/Users/shutingzhao/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387 +0xc7e
net/http.serverHandler.ServeHTTP(0xc000730380, 0x23b4140, 0xc000d907e0, 0xc001b0c200)
	/usr/local/go/src/net/http/server.go:2843 +0xa3
net/http.(*conn).serve(0xc00117f220, 0x23b8740, 0xc001771540)
	/usr/local/go/src/net/http/server.go:1925 +0x8ad
created by net/http.(*Server).Serve
	/usr/local/go/src/net/http/server.go:2969 +0x36c

cc @kacejot

@realshuting realshuting added the bug Something isn't working label May 7, 2021
@realshuting realshuting added this to the Kyverno Release 1.3.6 milestone May 7, 2021
@realshuting realshuting self-assigned this May 7, 2021
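
The trace above ends in `checkConditionOnArray` with `index out of range [0] with length 0`, and the `http: panic serving` prefix is `net/http` recovering the handler goroutine. The Go sketch below is an added example, not Kyverno's code: it reproduces that failure mode on a constructed overlay and shows a length guard plus a recover wrapper at the handler boundary. All function names and the sample data are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// errEmptyOverlayArray is returned instead of panicking when an overlay
// array has no element to derive a condition from.
var errEmptyOverlayArray = errors.New("overlay array is empty")

// elemKindUnguarded shows the failure mode: it inspects element 0 without
// checking the length, so an empty overlay array panics.
func elemKindUnguarded(overlay []interface{}) string {
	switch overlay[0].(type) {
	case map[string]interface{}:
		return "map"
	default:
		return "scalar"
	}
}

// elemKind is the guarded form: an empty array becomes an ordinary error.
func elemKind(overlay []interface{}) (string, error) {
	if len(overlay) == 0 {
		return "", errEmptyOverlayArray
	}
	return elemKindUnguarded(overlay), nil
}

// checkOverlay walks overlay and resource together and reports the path of
// the first condition that is not met. Simplified stand-in (assumption).
func checkOverlay(resource, overlay interface{}, path string) error {
	switch ov := overlay.(type) {
	case map[string]interface{}:
		res, ok := resource.(map[string]interface{})
		if !ok {
			return fmt.Errorf("%s: resource is not a map", path)
		}
		for k, v := range ov {
			if err := checkOverlay(res[k], v, path+"/"+k); err != nil {
				return err
			}
		}
		return nil
	case []interface{}:
		res, ok := resource.([]interface{})
		if !ok {
			return fmt.Errorf("%s: resource is not an array", path)
		}
		kind, err := elemKind(ov)
		if err != nil {
			return fmt.Errorf("%s: %w", path, err)
		}
		if kind == "scalar" {
			if !reflect.DeepEqual(res, ov) {
				return fmt.Errorf("%s: array mismatch", path)
			}
			return nil
		}
		// Array of maps: every overlay element must match some resource element.
		for i, want := range ov {
			matched := false
			for _, have := range res {
				if checkOverlay(have, want, path) == nil {
					matched = true
					break
				}
			}
			if !matched {
				return fmt.Errorf("%s/%d: no resource element matches", path, i)
			}
		}
		return nil
	default:
		if !reflect.DeepEqual(resource, overlay) {
			return fmt.Errorf("%s: value mismatch", path)
		}
		return nil
	}
}

// runRecovered turns a panic in fn into an error, so a webhook handler can
// answer with a normal failure response instead of dropping the connection.
func runRecovered(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	return fn()
}

// sampleResource and sampleOverlay build constructed test data.
func sampleResource() map[string]interface{} {
	return map[string]interface{}{"spec": map[string]interface{}{
		"volumes": []interface{}{map[string]interface{}{"name": "cache"}}}}
}

func sampleOverlay(volumes []interface{}) map[string]interface{} {
	return map[string]interface{}{"spec": map[string]interface{}{"volumes": volumes}}
}

func main() {
	empty := []interface{}{}
	fmt.Println("guarded:  ", checkOverlay(sampleResource(), sampleOverlay(empty), ""))
	fmt.Println("unguarded:", runRecovered(func() error {
		_ = elemKindUnguarded(empty)
		return nil
	}))
}
```
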
@realshuting
Member Author

@kacejot - I sent #1898 to temporarily remove the check for strategicMergePatch, can you please investigate the issue?

@kacejot
Contributor

kacejot commented May 19, 2021

I have researched the issue. The reason is invalid strategic merge patch logic when handling the array of maps.
I have dumped the resource, the patch and the result resource:

Policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: 
  name: add-safe-to-evict
  annotations:
    policies.kyverno.io/category: Workload Management
    policies.kyverno.io/description: The Kubernetes cluster autoscaler does not evict pods that 
      use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation 
      cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods. 
spec: 
  rules: 
  - name: annotate-empty-dir
    match: 
      resources: 
        kinds: 
        - Pod
    mutate: 
      patchStrategicMerge:
        metadata:
          annotations:
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:          
          volumes: 
          - (emptyDir): {}
  - name: annotate-host-path
    match: 
      resources: 
        kinds: 
        - Pod
    mutate: 
      patchStrategicMerge:
        metadata:
          annotations:
            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
        spec:          
          volumes: 
          - (hostPath):
              path: "*"

Patch:

{"spec": {"template": {"metadata": {"annotations": {"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}}, "spec": {"volumes": []}}}}

Resource:

{"apiVersion":"","kind":"StatefulSet","metadata":{"annotations":{},"clusterName":"","creationTimestamp":"","deletionGracePeriodSeconds":0,"deletionTimestamp":"","finalizers":[""],"generateName":"","generation":0,"labels":{},"managedFields":[{"apiVersion":"","fieldsType":"","fieldsV1":{},"manager":"","operation":"","time":""}],"name":"","namespace":"","ownerReferences":[{"apiVersion":"","blockOwnerDeletion":false,"controller":false,"kind":"","name":"","uid":""}],"resourceVersion":"","selfLink":"","uid":""},"spec":{"podManagementPolicy":"","replicas":0,"revisionHistoryLimit":0,"selector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"serviceName":"","template":{"metadata":{"annotations":{},"clusterName":"","creationTimestamp":"","deletionGracePeriodSeconds":0,"deletionTimestamp":"","finalizers":[""],"generateName":"","generation":0,"labels":{},"managedFields":[{"apiVersion":"","fieldsType":"","fieldsV1":{},"manager":"","operation":"","time":""}],"name":"","namespace":"","ownerReferences":[{"apiVersion":"","blockOwnerDeletion":false,"controller":false,"kind":"","name":"","uid":""}],"resourceVersion":"","selfLink":"","uid":""},"spec":{"activeDeadlineSeconds":0,"affinity":{"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"preference":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchFields":[{"key":"","operator":"","values":[""]}]},"weight":0}],"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchFields":[{"key":"","operator":"","values":[""]}]}]}},"podAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"namespaces":[""],"topologyKey":""},"weight":0}],"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"n
amespaces":[""],"topologyKey":""}]},"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"namespaces":[""],"topologyKey":""},"weight":0}],"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"namespaces":[""],"topologyKey":""}]}},"automountServiceAccountToken":false,"containers":[{"args":[""],"command":[""],"env":[{"name":"","value":"","valueFrom":{"configMapKeyRef":{"key":"","name":"","optional":false},"fieldRef":{"apiVersion":"","fieldPath":""},"resourceFieldRef":{"containerName":"","divisor":"","resource":""},"secretKeyRef":{"key":"","name":"","optional":false}}}],"envFrom":[{"configMapRef":{"name":"","optional":false},"prefix":"","secretRef":{"name":"","optional":false}}],"image":"","imagePullPolicy":"","lifecycle":{"postStart":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}},"preStop":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}}},"livenessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"name":"","ports":[{"containerPort":0,"hostIP":"","hostPort":0,"name":"","protocol":""}],"readinessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"resources":{"limits":{},"requests":{}},"securityContext":{"allowPrivilegeEscalati
on":false,"capabilities":{"add":[""],"drop":[""]},"privileged":false,"procMount":"","readOnlyRootFilesystem":false,"runAsGroup":0,"runAsNonRoot":false,"runAsUser":0,"seLinuxOptions":{"level":"","role":"","type":"","user":""},"seccompProfile":{"localhostProfile":"","type":""},"windowsOptions":{"gmsaCredentialSpec":"","gmsaCredentialSpecName":"","runAsUserName":""}},"startupProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"stdin":false,"stdinOnce":false,"terminationMessagePath":"","terminationMessagePolicy":"","tty":false,"volumeDevices":[{"devicePath":"","name":""}],"volumeMounts":[{"mountPath":"","mountPropagation":"","name":"","readOnly":false,"subPath":"","subPathExpr":""}],"workingDir":""}],"dnsConfig":{"nameservers":[""],"options":[{"name":"","value":""}],"searches":[""]},"dnsPolicy":"","enableServiceLinks":false,"ephemeralContainers":[{"args":[""],"command":[""],"env":[{"name":"","value":"","valueFrom":{"configMapKeyRef":{"key":"","name":"","optional":false},"fieldRef":{"apiVersion":"","fieldPath":""},"resourceFieldRef":{"containerName":"","divisor":"","resource":""},"secretKeyRef":{"key":"","name":"","optional":false}}}],"envFrom":[{"configMapRef":{"name":"","optional":false},"prefix":"","secretRef":{"name":"","optional":false}}],"image":"","imagePullPolicy":"","lifecycle":{"postStart":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}},"preStop":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}}},"livenessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"
initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"name":"","ports":[{"containerPort":0,"hostIP":"","hostPort":0,"name":"","protocol":""}],"readinessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"resources":{"limits":{},"requests":{}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[""],"drop":[""]},"privileged":false,"procMount":"","readOnlyRootFilesystem":false,"runAsGroup":0,"runAsNonRoot":false,"runAsUser":0,"seLinuxOptions":{"level":"","role":"","type":"","user":""},"seccompProfile":{"localhostProfile":"","type":""},"windowsOptions":{"gmsaCredentialSpec":"","gmsaCredentialSpecName":"","runAsUserName":""}},"startupProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"stdin":false,"stdinOnce":false,"targetContainerName":"","terminationMessagePath":"","terminationMessagePolicy":"","tty":false,"volumeDevices":[{"devicePath":"","name":""}],"volumeMounts":[{"mountPath":"","mountPropagation":"","name":"","readOnly":false,"subPath":"","subPathExpr":""}],"workingDir":""}],"hostAliases":[{"hostnames":[""],"ip":""}],"hostIPC":false,"hostNetwork":false,"hostPID":false,"hostname":"","imagePullSecrets":[{"name":""}],"initContainers":[{"args":[""],"command":[""],"env":[{"name":"","value":"","valueFrom":{"configMapKeyRef":{"key":"","name":"","optional":false},"fieldRef":{"apiVersion":"","fieldPath":""},"resourceFieldRef":{"containerName":"","divisor":"","resource":""},"secretKeyRef":{"key":"","name":"","optional":false}}}],"envFrom":[{"configMapRef":{"name":"","option
al":false},"prefix":"","secretRef":{"name":"","optional":false}}],"image":"","imagePullPolicy":"","lifecycle":{"postStart":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}},"preStop":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}}},"livenessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"name":"","ports":[{"containerPort":0,"hostIP":"","hostPort":0,"name":"","protocol":""}],"readinessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"resources":{"limits":{},"requests":{}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[""],"drop":[""]},"privileged":false,"procMount":"","readOnlyRootFilesystem":false,"runAsGroup":0,"runAsNonRoot":false,"runAsUser":0,"seLinuxOptions":{"level":"","role":"","type":"","user":""},"seccompProfile":{"localhostProfile":"","type":""},"windowsOptions":{"gmsaCredentialSpec":"","gmsaCredentialSpecName":"","runAsUserName":""}},"startupProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"stdin":false,"stdinOnce":false,"terminationMessagePath":"","terminationMessagePolicy":"","tty":false,"volumeDevices":[{"devicePath":"","name":""}],"volumeMounts":[{"mountPath":"","mountPropagation":"","nam
e":"","readOnly":false,"subPath":"","subPathExpr":""}],"workingDir":""}],"nodeName":"","nodeSelector":{},"overhead":{},"preemptionPolicy":"","priority":0,"priorityClassName":"","readinessGates":[{"conditionType":""}],"restartPolicy":"","runtimeClassName":"","schedulerName":"","securityContext":{"fsGroup":0,"fsGroupChangePolicy":"","runAsGroup":0,"runAsNonRoot":false,"runAsUser":0,"seLinuxOptions":{"level":"","role":"","type":"","user":""},"seccompProfile":{"localhostProfile":"","type":""},"supplementalGroups":[0],"sysctls":[{"name":"","value":""}],"windowsOptions":{"gmsaCredentialSpec":"","gmsaCredentialSpecName":"","runAsUserName":""}},"serviceAccount":"","serviceAccountName":"","setHostnameAsFQDN":false,"shareProcessNamespace":false,"subdomain":"","terminationGracePeriodSeconds":0,"tolerations":[{"effect":"","key":"","operator":"","tolerationSeconds":0,"value":""}],"topologySpreadConstraints":[{"labelSelector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"maxSkew":0,"topologyKey":"","whenUnsatisfiable":""}],"volumes":[{"awsElasticBlockStore":{"fsType":"","partition":0,"readOnly":false,"volumeID":""},"azureDisk":{"cachingMode":"","diskName":"","diskURI":"","fsType":"","kind":"","readOnly":false},"azureFile":{"readOnly":false,"secretName":"","shareName":""},"cephfs":{"monitors":[""],"path":"","readOnly":false,"secretFile":"","secretRef":{"name":""},"user":""},"cinder":{"fsType":"","readOnly":false,"secretRef":{"name":""},"volumeID":""},"configMap":{"defaultMode":0,"items":[{"key":"","mode":0,"path":""}],"name":"","optional":false},"csi":{"driver":"","fsType":"","nodePublishSecretRef":{"name":""},"readOnly":false,"volumeAttributes":{}},"downwardAPI":{"defaultMode":0,"items":[{"fieldRef":{"apiVersion":"","fieldPath":""},"mode":0,"path":"","resourceFieldRef":{"containerName":"","divisor":"","resource":""}}]},"emptyDir":{"medium":"","sizeLimit":""},"ephemeral":{"readOnly":false,"volumeClaimTemplate":{"metadata":{"annotations":{},"cluste
rName":"","creationTimestamp":"","deletionGracePeriodSeconds":0,"deletionTimestamp":"","finalizers":[""],"generateName":"","generation":0,"labels":{},"managedFields":[{"apiVersion":"","fieldsType":"","fieldsV1":{},"manager":"","operation":"","time":""}],"name":"","namespace":"","ownerReferences":[{"apiVersion":"","blockOwnerDeletion":false,"controller":false,"kind":"","name":"","uid":""}],"resourceVersion":"","selfLink":"","uid":""},"spec":{"accessModes":[""],"dataSource":{"apiGroup":"","kind":"","name":""},"resources":{"limits":{},"requests":{}},"selector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"storageClassName":"","volumeMode":"","volumeName":""}}},"fc":{"fsType":"","lun":0,"readOnly":false,"targetWWNs":[""],"wwids":[""]},"flexVolume":{"driver":"","fsType":"","options":{},"readOnly":false,"secretRef":{"name":""}},"flocker":{"datasetName":"","datasetUUID":""},"gcePersistentDisk":{"fsType":"","partition":0,"pdName":"","readOnly":false},"gitRepo":{"directory":"","repository":"","revision":""},"glusterfs":{"endpoints":"","path":"","readOnly":false},"hostPath":{"path":"","type":""},"iscsi":{"chapAuthDiscovery":false,"chapAuthSession":false,"fsType":"","initiatorName":"","iqn":"","iscsiInterface":"","lun":0,"portals":[""],"readOnly":false,"secretRef":{"name":""},"targetPortal":""},"name":"","nfs":{"path":"","readOnly":false,"server":""},"persistentVolumeClaim":{"claimName":"","readOnly":false},"photonPersistentDisk":{"fsType":"","pdID":""},"portworxVolume":{"fsType":"","readOnly":false,"volumeID":""},"projected":{"defaultMode":0,"sources":[{"configMap":{"items":[{"key":"","mode":0,"path":""}],"name":"","optional":false},"downwardAPI":{"items":[{"fieldRef":{"apiVersion":"","fieldPath":""},"mode":0,"path":"","resourceFieldRef":{"containerName":"","divisor":"","resource":""}}]},"secret":{"items":[{"key":"","mode":0,"path":""}],"name":"","optional":false},"serviceAccountToken":{"audience":"","expirationSeconds":0,"path":""}}]},"quoby
te":{"group":"","readOnly":false,"registry":"","tenant":"","user":"","volume":""},"rbd":{"fsType":"","image":"","keyring":"","monitors":[""],"pool":"","readOnly":false,"secretRef":{"name":""},"user":""},"scaleIO":{"fsType":"","gateway":"","protectionDomain":"","readOnly":false,"secretRef":{"name":""},"sslEnabled":false,"storageMode":"","storagePool":"","system":"","volumeName":""},"secret":{"defaultMode":0,"items":[{"key":"","mode":0,"path":""}],"optional":false,"secretName":""},"storageos":{"fsType":"","readOnly":false,"secretRef":{"name":""},"volumeName":"","volumeNamespace":""},"vsphereVolume":{"fsType":"","storagePolicyID":"","storagePolicyName":"","volumePath":""}}]}},"updateStrategy":{"rollingUpdate":{"partition":0},"type":""},"volumeClaimTemplates":[{"apiVersion":"","kind":"","metadata":{"annotations":{},"clusterName":"","creationTimestamp":"","deletionGracePeriodSeconds":0,"deletionTimestamp":"","finalizers":[""],"generateName":"","generation":0,"labels":{},"managedFields":[{"apiVersion":"","fieldsType":"","fieldsV1":{},"manager":"","operation":"","time":""}],"name":"","namespace":"","ownerReferences":[{"apiVersion":"","blockOwnerDeletion":false,"controller":false,"kind":"","name":"","uid":""}],"resourceVersion":"","selfLink":"","uid":""},"spec":{"accessModes":[""],"dataSource":{"apiGroup":"","kind":"","name":""},"resources":{"limits":{},"requests":{}},"selector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"storageClassName":"","volumeMode":"","volumeName":""},"status":{"accessModes":[""],"capacity":{},"conditions":[{"lastProbeTime":"","lastTransitionTime":"","message":"","reason":"","status":"","type":""}],"phase":""}}]},"status":{"collisionCount":0,"conditions":[{"lastTransitionTime":"","message":"","reason":"","status":"","type":""}],"currentReplicas":0,"currentRevision":"","observedGeneration":0,"readyReplicas":0,"replicas":0,"updateRevision":"","updatedReplicas":0}}

Patched Resource:

{"apiVersion":"","kind":"StatefulSet","metadata":{"annotations":{},"clusterName":"","creationTimestamp":"","deletionGracePeriodSeconds":0,"deletionTimestamp":"","finalizers":[""],"generateName":"","generation":0,"labels":{},"managedFields":[{"apiVersion":"","fieldsType":"","fieldsV1":{},"manager":"","operation":"","time":""}],"name":"","namespace":"","ownerReferences":[{"apiVersion":"","blockOwnerDeletion":false,"controller":false,"kind":"","name":"","uid":""}],"resourceVersion":"","selfLink":"","uid":""},"spec":{"podManagementPolicy":"","replicas":0,"revisionHistoryLimit":0,"selector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"serviceName":"","template":{"metadata":{"annotations":{"cluster-autoscaler.kubernetes.io/safe-to-evict":"true"},"clusterName":"","creationTimestamp":"","deletionGracePeriodSeconds":0,"deletionTimestamp":"","finalizers":[""],"generateName":"","generation":0,"labels":{},"managedFields":[{"apiVersion":"","fieldsType":"","fieldsV1":{},"manager":"","operation":"","time":""}],"name":"","namespace":"","ownerReferences":[{"apiVersion":"","blockOwnerDeletion":false,"controller":false,"kind":"","name":"","uid":""}],"resourceVersion":"","selfLink":"","uid":""},"spec":{"activeDeadlineSeconds":0,"affinity":{"nodeAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"preference":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchFields":[{"key":"","operator":"","values":[""]}]},"weight":0}],"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchFields":[{"key":"","operator":"","values":[""]}]}]}},"podAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"namespaces":[""],"topologyKey":""},"weight":0}],"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key
":"","operator":"","values":[""]}],"matchLabels":{}},"namespaces":[""],"topologyKey":""}]},"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"namespaces":[""],"topologyKey":""},"weight":0}],"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"namespaces":[""],"topologyKey":""}]}},"automountServiceAccountToken":false,"containers":[{"args":[""],"command":[""],"env":[{"name":"","value":"","valueFrom":{"configMapKeyRef":{"key":"","name":"","optional":false},"fieldRef":{"apiVersion":"","fieldPath":""},"resourceFieldRef":{"containerName":"","divisor":"","resource":""},"secretKeyRef":{"key":"","name":"","optional":false}}}],"envFrom":[{"configMapRef":{"name":"","optional":false},"prefix":"","secretRef":{"name":"","optional":false}}],"image":"","imagePullPolicy":"","lifecycle":{"postStart":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}},"preStop":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}}},"livenessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"name":"","ports":[{"containerPort":0,"hostIP":"","hostPort":0,"name":"","protocol":""}],"readinessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"resources":{"limits":{},"r
equests":{}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[""],"drop":[""]},"privileged":false,"procMount":"","readOnlyRootFilesystem":false,"runAsGroup":0,"runAsNonRoot":false,"runAsUser":0,"seLinuxOptions":{"level":"","role":"","type":"","user":""},"seccompProfile":{"localhostProfile":"","type":""},"windowsOptions":{"gmsaCredentialSpec":"","gmsaCredentialSpecName":"","runAsUserName":""}},"startupProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"stdin":false,"stdinOnce":false,"terminationMessagePath":"","terminationMessagePolicy":"","tty":false,"volumeDevices":[{"devicePath":"","name":""}],"volumeMounts":[{"mountPath":"","mountPropagation":"","name":"","readOnly":false,"subPath":"","subPathExpr":""}],"workingDir":""}],"dnsConfig":{"nameservers":[""],"options":[{"name":"","value":""}],"searches":[""]},"dnsPolicy":"","enableServiceLinks":false,"ephemeralContainers":[{"args":[""],"command":[""],"env":[{"name":"","value":"","valueFrom":{"configMapKeyRef":{"key":"","name":"","optional":false},"fieldRef":{"apiVersion":"","fieldPath":""},"resourceFieldRef":{"containerName":"","divisor":"","resource":""},"secretKeyRef":{"key":"","name":"","optional":false}}}],"envFrom":[{"configMapRef":{"name":"","optional":false},"prefix":"","secretRef":{"name":"","optional":false}}],"image":"","imagePullPolicy":"","lifecycle":{"postStart":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}},"preStop":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}}},"livenessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"n
ame":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"name":"","ports":[{"containerPort":0,"hostIP":"","hostPort":0,"name":"","protocol":""}],"readinessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"resources":{"limits":{},"requests":{}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[""],"drop":[""]},"privileged":false,"procMount":"","readOnlyRootFilesystem":false,"runAsGroup":0,"runAsNonRoot":false,"runAsUser":0,"seLinuxOptions":{"level":"","role":"","type":"","user":""},"seccompProfile":{"localhostProfile":"","type":""},"windowsOptions":{"gmsaCredentialSpec":"","gmsaCredentialSpecName":"","runAsUserName":""}},"startupProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"stdin":false,"stdinOnce":false,"targetContainerName":"","terminationMessagePath":"","terminationMessagePolicy":"","tty":false,"volumeDevices":[{"devicePath":"","name":""}],"volumeMounts":[{"mountPath":"","mountPropagation":"","name":"","readOnly":false,"subPath":"","subPathExpr":""}],"workingDir":""}],"hostAliases":[{"hostnames":[""],"ip":""}],"hostIPC":false,"hostNetwork":false,"hostPID":false,"hostname":"","imagePullSecrets":[{"name":""}],"initContainers":[{"args":[""],"command":[""],"env":[{"name":"","value":"","valueFrom":{"configMapKeyRef":{"key":"","name":"","optional":false},"fieldRef":{"apiVersion":"","fieldPath":""},"resourceFieldRef":{"containerName":"","divisor":"","resource":""},"secretKeyRef":{"key":"","name":"","optional":
false}}}],"envFrom":[{"configMapRef":{"name":"","optional":false},"prefix":"","secretRef":{"name":"","optional":false}}],"image":"","imagePullPolicy":"","lifecycle":{"postStart":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}},"preStop":{"exec":{"command":[""]},"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"tcpSocket":{"host":"","port":""}}},"livenessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"name":"","ports":[{"containerPort":0,"hostIP":"","hostPort":0,"name":"","protocol":""}],"readinessProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"resources":{"limits":{},"requests":{}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"add":[""],"drop":[""]},"privileged":false,"procMount":"","readOnlyRootFilesystem":false,"runAsGroup":0,"runAsNonRoot":false,"runAsUser":0,"seLinuxOptions":{"level":"","role":"","type":"","user":""},"seccompProfile":{"localhostProfile":"","type":""},"windowsOptions":{"gmsaCredentialSpec":"","gmsaCredentialSpecName":"","runAsUserName":""}},"startupProbe":{"exec":{"command":[""]},"failureThreshold":0,"httpGet":{"host":"","httpHeaders":[{"name":"","value":""}],"path":"","port":"","scheme":""},"initialDelaySeconds":0,"periodSeconds":0,"successThreshold":0,"tcpSocket":{"host":"","port":""},"timeoutSeconds":0},"stdin":false,"stdinOnce":false,"terminationMessagePath":"","terminationMessagePolicy":"","tty":false,"volumeDevices":[{"devicePath":"","name":""}],"vo
lumeMounts":[{"mountPath":"","mountPropagation":"","name":"","readOnly":false,"subPath":"","subPathExpr":""}],"workingDir":""}],"nodeName":"","nodeSelector":{},"overhead":{},"preemptionPolicy":"","priority":0,"priorityClassName":"","readinessGates":[{"conditionType":""}],"restartPolicy":"","runtimeClassName":"","schedulerName":"","securityContext":{"fsGroup":0,"fsGroupChangePolicy":"","runAsGroup":0,"runAsNonRoot":false,"runAsUser":0,"seLinuxOptions":{"level":"","role":"","type":"","user":""},"seccompProfile":{"localhostProfile":"","type":""},"supplementalGroups":[0],"sysctls":[{"name":"","value":""}],"windowsOptions":{"gmsaCredentialSpec":"","gmsaCredentialSpecName":"","runAsUserName":""}},"serviceAccount":"","serviceAccountName":"","setHostnameAsFQDN":false,"shareProcessNamespace":false,"subdomain":"","terminationGracePeriodSeconds":0,"tolerations":[{"effect":"","key":"","operator":"","tolerationSeconds":0,"value":""}],"topologySpreadConstraints":[{"labelSelector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"maxSkew":0,"topologyKey":"","whenUnsatisfiable":""}],"volumes":[]}},"updateStrategy":{"rollingUpdate":{"partition":0},"type":""},"volumeClaimTemplates":[{"apiVersion":"","kind":"","metadata":{"annotations":{},"clusterName":"","creationTimestamp":"","deletionGracePeriodSeconds":0,"deletionTimestamp":"","finalizers":[""],"generateName":"","generation":0,"labels":{},"managedFields":[{"apiVersion":"","fieldsType":"","fieldsV1":{},"manager":"","operation":"","time":""}],"name":"","namespace":"","ownerReferences":[{"apiVersion":"","blockOwnerDeletion":false,"controller":false,"kind":"","name":"","uid":""}],"resourceVersion":"","selfLink":"","uid":""},"spec":{"accessModes":[""],"dataSource":{"apiGroup":"","kind":"","name":""},"resources":{"limits":{},"requests":{}},"selector":{"matchExpressions":[{"key":"","operator":"","values":[""]}],"matchLabels":{}},"storageClassName":"","volumeMode":"","volumeName":""},"status":{"accessModes":[
""],"capacity":{},"conditions":[{"lastProbeTime":"","lastTransitionTime":"","message":"","reason":"","status":"","type":""}],"phase":""}}]},"status":{"collisionCount":0,"conditions":[{"lastTransitionTime":"","message":"","reason":"","status":"","type":""}],"currentReplicas":0,"currentRevision":"","observedGeneration":0,"readyReplicas":0,"replicas":0,"updateRevision":"","updatedReplicas":0}}

Sorry for this format. I don't control the resource that will be created, so it is this large.
Above we have the result of the first rule. As you can see, the patched resource has an empty volumes field, and this causes a panic when the second rule is processed.

If you look at the first rule, you will see:

          volumes: 
          - (emptyDir): {}

After this part is processed, we have the patch provided above. Is it a correct patch? Do we really expect volumes to be empty there?
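
The failure mode described in the comment above, as an added illustration that is not part of the thread or Kyverno's own code: a resource whose `volumes` array is empty reaches a check that indexes element 0, shown next to a length-guarded form. The function names and both JSON samples are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed samples: rule 1's patched resource and rule 2's overlay.
const patchedJSON = `{"spec":{"template":{"spec":{"volumes":[]}}}}`
const overlayJSON = `{"spec":{"template":{"spec":{"volumes":[{"(emptyDir)":{}}]}}}}`

// volumesOf returns spec.template.spec.volumes from a JSON document.
func volumesOf(doc string) ([]interface{}, error) {
	var d struct{ Spec struct{ Template struct{ Spec struct{ Volumes []interface{} } } } }
	err := json.Unmarshal([]byte(doc), &d)
	return d.Spec.Template.Spec.Volumes, err
}

// sameKindUnguarded (hypothetical) indexes element 0 with no length check.
func sameKindUnguarded(resource, overlay []interface{}) bool {
	return fmt.Sprintf("%T", resource[0]) == fmt.Sprintf("%T", overlay[0])
}

// sameKindGuarded reports an empty array as an error instead of panicking.
func sameKindGuarded(resource, overlay []interface{}) (bool, error) {
	if len(resource) == 0 || len(overlay) == 0 {
		return false, fmt.Errorf("empty array: resource=%d overlay=%d", len(resource), len(overlay))
	}
	return sameKindUnguarded(resource, overlay), nil
}

// tryUnguarded converts the panic into an error so the outcome can be inspected.
func tryUnguarded(resource, overlay []interface{}) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	sameKindUnguarded(resource, overlay)
	return nil
}

func main() {
	res, _ := volumesOf(patchedJSON)
	ov, _ := volumesOf(overlayJSON)
	fmt.Println("unguarded:", tryUnguarded(res, ov))
	_, err := sameKindGuarded(res, ov)
	fmt.Println("guarded:", err)
}
```

In an admission webhook the unguarded form aborts the request handler, while the guarded form lets the caller log the condition and decide how to answer the request.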

@kacejot
Contributor

kacejot commented May 19, 2021

cc: @realshuting
As for me, we should have a patch like this for the first rule.

{"spec": {"template": {"metadata": {"annotations": {"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}}}}}

@chipzoller chipzoller added the mutation Issues pertaining to the mutate ability. label Jul 15, 2021
kacejot added a commit to kacejot/kyverno that referenced this issue Jul 16, 2021
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
realshuting pushed a commit that referenced this issue Jul 23, 2021
* finished walkMap

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* added validation to the patchStrategicMerge

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* finished fixing tests

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fixed part of old tests

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* patchStrategicMerge anchor preprocessing is finished

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fix #1915 and #1896

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fix lint errors

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* removed debug logs

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* added failing test

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* Fix unnecessary deletion

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>