[BUG] 1.5.4-rc2 exclude clusterRole from Policy broken

[MaxRink]

Software version numbers
State the version numbers of applications involved in the bug.

• Kubernetes version: 1.20.13
• Kubernetes platform (if applicable; ex., EKS, GKE, OpenShift): CAPI
• Kyverno version: 1.5.4-rc2

Describe the bug
We have the following Policy that doesnt work after an upgrade from 1.5.2 to 1.5.4-rc2:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-labels
  labels:
    policy.schiff.telekom.de: enforced
  annotations:
    policies.kyverno.io/title: Restrict Labels on Namespaces
    policies.kyverno.io/category: Labels
    policies.kyverno.io/minversion: 1.3.0
    policies.kyverno.io/description: >-
      This policy prevents the use of an label beginning with a common
      key name (in this case "platform.das-schiff.telekom.de/owner | owner"). This can be useful to ensure users either
      don't set reserved labels or to force them to
      use a newer version of an label.
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: restrict-labels
    match:
      resources:
        kinds:
        - Namespace
    exclude:
      clusterRoles:
      - cluster-admin
    validate:
      message: 'Every namespace has to have `platform.das-schiff.telekom.de/owner` label. It must not have value `das-schiff` which is reserved for system namespaces'
      pattern:
        metadata:
          labels:
            platform.das-schiff.telekom.de/owner: "!das-schiff"
            # For forward compatibility
            =(schiff.telekom.de/owner): "!schiff"

The exclusion for clusterAdmin doesnt apply anymore, thus creation of a namespace with those labels fails.

k apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: kyverno-system-tst
  labels:
    name: kyverno-system-tst
    schiff.telekom.de/owner: schiff
    platform.das-schiff.telekom.de/owner: das-schiff
Error from server: error when creating "STDIN": admission webhook "validate.kyverno.svc-fail" denied the request: 

resource Namespace//kyverno-system-tst was blocked due to the following policies

restrict-labels:
  restrict-labels: 'validation error: Every namespace has to have `platform.das-schiff.telekom.de/owner`
    label. It must not have value `das-schiff` which is reserved for system namespaces.
    Rule restrict-labels failed at path /metadata/labels/schiff.telekom.de/owner/'

To Reproduce
Steps to reproduce the behavior:
Apply the policy
Try to create the NS as cluster-admin

Expected behavior
i am able to create the NS
Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

[chipzoller]

Does it work if you nest the exclusion under an any or all tag? We recently fixed a bug there and this might be a consequence of that.

[MaxRink]

Does it work if you nest the exclusion under an any or all tag? We recently fixed a bug there and this might be a consequence of that.

I dont know, we rolled back to 1.5.2 as that bug basically prevents usage of our clusters

[chipzoller]

Looks like this didn't get fixed as initially reported in #2819. Exclusion of clusterRoles is now entirely broken, whether placed under any/all or not.

[chipzoller]

Regression re prioritized for Kyverno 1.5.4.

[MaxRink]

Regression re prioritized for Kyverno 1.5.4.

Which is already released :S

[chipzoller]

1.6.0

[dkulchinsky]

@chipzoller @JimBugwadia considering this is quite a regression and we had to upgrade to 1.5.5 due other bugs in previous versions, would you consider cherry-picking this for a patch release in 1.5? I'm not sure how far away 1.6 is, but looks like there's still plenty of issues open on the 1.6 milestone.

[chipzoller]

1.6 is within the next couple weeks.

[JimBugwadia]

@dkulchinsky - the team is currently working on getting an 1.6 RC completed, in the next day or so. As Chip mentioned, getting the release completed may have a couple of weeks.

The fix looks fairly localized, so should be OK to cherry-pick / merge to 1.5.x. Do you want to submit a PR? Otherwise, we can revisit after the RC.

@realshuting - any additional thoughts?

[dkulchinsky]

@dkulchinsky - the team is currently working on getting an 1.6 RC completed, in the next day or so. As Chip mentioned, getting the release completed may have a couple of weeks.

The fix looks fairly localized, so should be OK to cherry-pick / merge to 1.5.x. Do you want to submit a PR? Otherwise, we can revisit after the RC.

@realshuting - any additional thoughts?

Thanks @JimBugwadia, just looked at the fix, indeed looks simple enough so happy to try a PR for 1.5, this is impacting us with several policies, so would be great to have patch release with this fix asap (we also can't go back to 1.5.2 because of other bugs there were fixed since than)

[dkulchinsky]

@JimBugwadia @realshuting looking at cherry picking this for 1.5, but seems that it depends on a function (checkForRBACInfo) that seem to be introduced in 1.6 dev branch, so I may need some guidance on how we want to address this for 1.5? should I backport this function as well?

[JimBugwadia]

Hi @dkulchinsky - yes it seems like that function will need to be back ported as well:

kyverno/pkg/webhooks/common.go

Line 156 in 5ad0d15

func checkForRBACInfo(rule kyverno.Rule) bool {

It looks fairly independent, so should not require pulling in anything additions.

Let me know if you run into any issues with porting it.

[dkulchinsky]

I think I managed to get it sorted @JimBugwadia

#3072

/cc @realshuting