[BUG] Namespace generate policy fails with request.operation precondition #2226

Closed
MnrGreg opened this issue Aug 2, 2021 · 5 comments · Fixed by #2455
Labels
bug Something isn't working end user This label is used to track the issue that is raised by the end user. generation Issues pertaining to the generate ability.


@MnrGreg
Contributor

MnrGreg commented Aug 2, 2021

Software version numbers

  • Kubernetes version: v1.20.5
  • Kyverno version: v1.4.2-rc2

Describe the bug
When using a request.operation precondition within a match/resource/kind=namespace generate policy (add-ns-quota), the generate request fails with "msg"="variable substitution failed for rule %s" "error"="Unknown key \"operation\" in path".

The request.operation is seemingly found to be null.

The intention is to restrict the generate policy processing to namespace CREATE operations only.

To Reproduce
Generate policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Workload Isolation
    policies.kyverno.io/description: To limit the number of objects, as well as the total amount of compute that may be consumed by a single namespace, create a default resource quota for each namespace.
  labels:
    app.kubernetes.io/version: v1.4.2
  name: add-ns-quota
spec:
  background: false
  rules:
    - generate:
        data:
          spec:
            hard:
              limits.cpu: 1600m
              limits.memory: 8Gi
              pods: 8
        kind: ResourceQuota
        name: default-resourcequota
        namespace: '{{request.object.metadata.name}}'
        synchronize: false
      match:
        resources:
          kinds:
            - Namespace
      name: generate-resourcequota
      preconditions:
        all:
          - key: '{{request.object.metadata.labels.businessunit}}'
            operator: NotEquals
            value: ""
          - key: '{{serviceAccountName}}'
            operator: In
            value:
              - svcanamespaceprovisioner
          - key: '{{request.operation}}'
            operator: NotIn
            value:
              - UPDATE
              - DELETE
  validationFailureAction: enforce

Resource yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: tsengineering-nstest4-dev
  labels:
    businessunit: tsengineering

Kyverno log:

I0729 03:28:03.163656       1 generate.go:76] GenerateController "msg"="applying generate policy rule" "apiVersion"="v1" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" 
I0729 03:28:03.165254       1 vars.go:232] Generate "msg"="variable substituted" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" "path"="/all/0/key" "value"="tsengineering" "variable"="{{request.object.metadata.labels.businessunit}}"
I0729 03:28:03.165466       1 vars.go:232] Generate "msg"="variable substituted" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" "path"="/all/1/key" "value"="svcanamespaceprovisioner" "variable"="{{serviceAccountName}}"
I0729 03:28:03.165644       1 vars.go:56] Generate "msg"="Variable \"request.operation\" is not resolved in preconditions. Considering it as an empty string" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" 
I0729 03:28:03.165675       1 vars.go:232] Generate "msg"="variable substituted" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" "path"="/all/2/key" "value"="" "variable"="{{request.operation}}"
I0729 03:28:03.166626       1 vars.go:232] Generate "msg"="variable substituted" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" "path"="/all/0/key" "value"="tsengineering" "variable"="{{request.object.metadata.labels.businessunit}}"
I0729 03:28:03.167713       1 vars.go:232] Generate "msg"="variable substituted" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" "path"="/all/1/key" "value"="svcanamespaceprovisioner" "variable"="{{serviceAccountName}}"
I0729 03:28:03.169743       1 vars.go:232] GenerateController "msg"="variable substituted" "apiVersion"="v1" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" "path"="/generate/namespace" "value"="tsengineering-nstest4-dev" "variable"="{{request.object.metadata.name}}"
I0729 03:28:03.169931       1 vars.go:232] GenerateController "msg"="variable substituted" "apiVersion"="v1" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" "path"="/preconditions/all/0/key" "value"="tsengineering" "variable"="{{request.object.metadata.labels.businessunit}}"
I0729 03:28:03.170075       1 vars.go:232] GenerateController "msg"="variable substituted" "apiVersion"="v1" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" "path"="/preconditions/all/1/key" "value"="svcanamespaceprovisioner" "variable"="{{serviceAccountName}}"
E0729 03:28:03.170215       1 generate.go:230] GenerateController "msg"="variable substitution failed for rule %s" "error"="Unknown key \"operation\" in path" "apiVersion"="v1" "kind"="Namespace" "name"="tsengineering-nstest4-dev" "namespace"="" "policy"="add-ns-quota" "generate-resourcequota"=null
I0729 03:28:03.186844       1 status.go:36]  "msg"="updated generate request status"  "name"="gr-v22rq" "status"="Failed"

Generate request:

apiVersion: kyverno.io/v1
kind: GenerateRequest
metadata:
  creationTimestamp: "2021-07-29T03:06:38Z"
  generateName: gr-
  generation: 1
  labels:
    generate.kyverno.io/policy-name: add-ns-quota
    generate.kyverno.io/resource-kind: Namespace
    generate.kyverno.io/resource-name: tsengineering-nstest4-dev
    generate.kyverno.io/resource-namespace: ""
  name: gr-v22rq
  namespace: kyverno
  resourceVersion: "36404014"
  uid: c15c5d4e-69d1-4b22-beab-471942ede569
spec:
  context:
    userInfo:
      clusterRoles: null
      roles: null
      userInfo:
        groups:
        - system:serviceaccounts
        - system:serviceaccounts:kube-provisioner
        - system:authenticated
        uid: 57b77f8b-ce96-4f17-a2f8-9b55fb68a128
        username: system:serviceaccount:kube-provisioner:svcanamespaceprovisioner
  policy: add-ns-quota
  resource:
    apiVersion: v1
    kind: Namespace
    name: tsengineering-nstest4-dev
status:
  message: Unknown key "operation" in path
  state: Failed

Expected behavior
Generate controller should correctly determine the request.operation to be CREATE. Generate request should be constructed successfully.
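The security-relevant point of this report is how the third precondition behaves when request.operation is not populated. The log line "Variable \"request.operation\" is not resolved in preconditions. Considering it as an empty string" means the key compares as "", and "" is NotIn [UPDATE, DELETE], so a precondition meant to limit generation to CREATE would pass for any operation; the later "Unknown key \"operation\" in path" error is the only thing that stopped it. The following Go program is an added model of that evaluation, not Kyverno's own code: the Precondition type, substitute, EvalAll, IssuePreconditions, CreateOnlyPreconditions and RequestContext are all constructed here, and the variable context is built by hand from the namespace in the report. It shows the NotIn form failing open under lenient substitution, strict substitution refusing to evaluate an unresolved variable, and an Equals CREATE form that fails closed when the operation is missing.

```go
package main

import (
	"fmt"
	"regexp"
)

// Precondition mirrors one entry under preconditions.all in the add-ns-quota
// policy: a key containing {{variables}}, an operator, and the value(s) the
// substituted key is compared against. (Constructed type, not Kyverno's.)
type Precondition struct {
	Key      string
	Operator string   // Equals, NotEquals, In or NotIn
	Values   []string // one value for Equals/NotEquals, a set for In/NotIn
}

var varPattern = regexp.MustCompile(`\{\{\s*([^}]+?)\s*\}\}`)

// substitute replaces every {{variable}} in s with its value from ctx.
// strict=false models the logged behaviour "Considering it as an empty
// string"; strict=true refuses to evaluate an unresolved variable.
func substitute(s string, ctx map[string]string, strict bool) (string, error) {
	var firstErr error
	out := varPattern.ReplaceAllStringFunc(s, func(m string) string {
		name := varPattern.FindStringSubmatch(m)[1]
		if v, ok := ctx[name]; ok {
			return v
		}
		if strict && firstErr == nil {
			firstErr = fmt.Errorf("variable %q is not resolved", name)
		}
		return ""
	})
	return out, firstErr
}

// evalOne substitutes the key and applies the operator against Values.
func evalOne(p Precondition, ctx map[string]string, strict bool) (bool, error) {
	key, err := substitute(p.Key, ctx, strict)
	if err != nil {
		return false, err
	}
	inSet := false
	for _, v := range p.Values {
		if key == v {
			inSet = true
			break
		}
	}
	switch p.Operator {
	case "Equals", "In":
		return inSet, nil
	case "NotEquals", "NotIn":
		return !inSet, nil
	}
	return false, fmt.Errorf("unknown operator %q", p.Operator)
}

// EvalAll implements the "all" block: every precondition must pass.
func EvalAll(pre []Precondition, ctx map[string]string, strict bool) (bool, error) {
	for _, p := range pre {
		ok, err := evalOne(p, ctx, strict)
		if err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

// IssuePreconditions reproduces the three entries from the policy in the report.
func IssuePreconditions() []Precondition {
	return []Precondition{
		{Key: "{{request.object.metadata.labels.businessunit}}", Operator: "NotEquals", Values: []string{""}},
		{Key: "{{serviceAccountName}}", Operator: "In", Values: []string{"svcanamespaceprovisioner"}},
		{Key: "{{request.operation}}", Operator: "NotIn", Values: []string{"UPDATE", "DELETE"}},
	}
}

// CreateOnlyPreconditions is the fail-closed variant (constructed here, not
// from the report): name the one operation that is allowed instead of
// listing the ones that are not.
func CreateOnlyPreconditions() []Precondition {
	pre := IssuePreconditions()
	pre[2] = Precondition{Key: "{{request.operation}}", Operator: "Equals", Values: []string{"CREATE"}}
	return pre
}

// RequestContext builds the resolved variables for the namespace in the
// report; op == "" models request.operation not being populated.
func RequestContext(op string) map[string]string {
	ctx := map[string]string{
		"request.object.metadata.labels.businessunit": "tsengineering",
		"serviceAccountName":                          "svcanamespaceprovisioner",
	}
	if op != "" {
		ctx["request.operation"] = op
	}
	return ctx
}

func main() {
	for _, op := range []string{"", "CREATE", "UPDATE"} {
		notIn, err1 := EvalAll(IssuePreconditions(), RequestContext(op), false)
		equals, err2 := EvalAll(CreateOnlyPreconditions(), RequestContext(op), false)
		_, err3 := EvalAll(IssuePreconditions(), RequestContext(op), true)
		fmt.Printf("operation=%q NotIn:%v(%v) EqualsCREATE:%v(%v) strict-error:%v\n",
			op, notIn, err1, equals, err2, err3)
	}
}
```

The design point is that a denylist precondition (NotIn) on a variable that can resolve to an empty string passes by default, while an allowlist precondition (Equals CREATE) fails by default; until the underlying resolution bug is fixed, the allowlist form is the one that cannot be satisfied by a missing value.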

@MnrGreg MnrGreg added the bug Something isn't working label Aug 2, 2021
@chipzoller
Member

This non-resolution of request.operation for a generate rule has also been recently observed in this Slack thread.

@JimBugwadia JimBugwadia added this to the Kyverno Release 1.4.3 milestone Aug 3, 2021
@realshuting realshuting added the end user This label is used to track the issue that is raised by the end user. label Aug 4, 2021
@NoSkillGirl
Contributor

I have debugged the issue. This is the same as #2095.

@realshuting
Member

Can we trigger the generate policy on an UPDATE/DELETE admission request?

@NoSkillGirl
Contributor

We can trigger the generate policy on UPDATE but not on DELETE

@MnrGreg
Contributor Author

MnrGreg commented Sep 24, 2021

The objective was to trigger on CREATE, but as the operation value was being logged as NULL, the logic was triggered on neither UPDATE nor DELETE.

I.e.

operator: NotIn
value:
  - UPDATE
  - DELETE
