Describe the bug
A generate policy which generates a Namespaced resource is allowed to be created without containing the namespace field. This leads to a failure of the generation and a logged message which is misleading:
E0828 14:01:18.272095 1 generate.go:237] GenerateController "msg"="failed to apply generate rule" "error"="the server does not allow this method on the requested resource" "apiVersion"="v1" "kind"="Service" "name"="lbtest" "namespace"="default" "policy"="demo-ownerref" "resource"="lbtest" "rule"="demo-ownerref-svc-cm" "suggestion"="users need to grant Kyverno's service account additional privileges"
To Reproduce
Steps to reproduce the behavior:
Create the policy referenced here but delete or comment out the namespace field.
Create a Service resource perhaps as referenced here.
See Kyverno does not generate the downstream ConfigMap.
See error in logs as shown above.
See a failed GenerateRequest.
Expected behavior
Kyverno needs to do either or both of two things:
Validate the generate policy and see that the generated kind is Namespaced but it does not contain the namespace field. Reject the policy as invalid and print a message back to stdout which explains this.
Print an accurate message in the logs and corresponding GenerateRequest that the proposed generated resource requires a namespace reference in order to be successfully generated.
Additional context
The suggestion potentially sends users on a wild goose chase as it does not point to the cause of the problem.
I had the same kind of issue but in a reversed way:
I created a policy to generate a non-namespaced resource, but forgot to remove the namespace (coming from another policy copy/paste).
And when Kyverno tried to generate it:
kyverno-7d97cd77f6-dzlzj kyverno E0920 16:31:18.976962 1 generate.go:237] GenerateController "msg"="failed to apply generate rule" "error"="the server could not find the requested resource" "apiVersion"="v1" "kind"="Namespace" "name"="demo-ns" "namespace"="" "policy"="ns-rolebinding" "resource"="demo-ns" "rule"="ns-rbac-definition" "suggestion"="users need to grant Kyverno's service account additional privileges"
This is not very easy to debug, I spent all day on this...
So I agree with @chipzoller for the pre-validation to explain that the generated resource is or is not namespaced and so that the ClusterPolicy generate section must or must not mention the namespace.
I do not know if I must open a new issue for this as it is quite similar...
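The pre-validation requested in this thread, sketched as an added example (not Kyverno's code and not from either poster): it rejects a generate rule whose namespace field does not match the scope of the generated kind, covering both the missing-namespace and the stray-namespace case. The `GenerateRule` type, the `namespacedKinds` table and the sample rule values are assumptions; a real check would take scope from API discovery.

```go
package main

import "fmt"

// GenerateRule is a hypothetical, simplified view of a policy's generate
// rule; it is not Kyverno's real type.
type GenerateRule struct {
	Rule, Kind, Name, Namespace string
}

// namespacedKinds is constructed sample data standing in for the API
// server's discovery information (true = Namespaced, false = cluster-scoped).
var namespacedKinds = map[string]bool{
	"ConfigMap":   true,
	"RoleBinding": true,
	"Namespace":   false,
	"ClusterRole": false,
}

// ValidateGenerateScope rejects a generate rule whose namespace field does
// not match the scope of the kind it generates, and names the actual cause.
func ValidateGenerateScope(r GenerateRule) error {
	namespaced, known := namespacedKinds[r.Kind]
	switch {
	case !known:
		return fmt.Errorf("rule %q: scope of kind %s is unknown", r.Rule, r.Kind)
	case namespaced && r.Namespace == "":
		return fmt.Errorf("rule %q: kind %s is Namespaced, so the generate rule must set namespace", r.Rule, r.Kind)
	case !namespaced && r.Namespace != "":
		return fmt.Errorf("rule %q: kind %s is cluster-scoped, so the generate rule must not set namespace (found %q)", r.Rule, r.Kind, r.Namespace)
	}
	return nil
}

func main() {
	// Constructed sample rules: one per failure mode, plus a valid one.
	rules := []GenerateRule{
		{Rule: "demo-ownerref-svc-cm", Kind: "ConfigMap", Name: "demo-cm"},
		{Rule: "example-cluster-scoped", Kind: "ClusterRole", Name: "demo-role", Namespace: "default"},
		{Rule: "example-valid", Kind: "ConfigMap", Name: "demo-cm", Namespace: "default"},
	}
	for _, r := range rules {
		if err := ValidateGenerateScope(r); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Printf("accept: rule %q\n", r.Rule)
		}
	}
}
```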