[Bug] Panic when load configmap vars #5704

Closed
realshuting opened this issue Dec 16, 2022 · 0 comments · Fixed by #5705
Labels
bug: Something isn't working
release-critical: Critical issues which MUST be addressed in the specified milestone. These cannot get bumped.

realshuting commented Dec 16, 2022

Kyverno Version

1.9-dev

Kubernetes Version

1.20.x

Kubernetes Platform

K3d

Kyverno Rule Type

verifyImages

Description

Kyverno panics when loading configmap variables.

I1216 08:19:56.595615       1 controller.go:32] setup/leader/controllers "msg"="starting controller" "name"="webhook-controller" "workers"=2
I1216 08:19:57.617815       1 request.go:682] Waited for 1.010869676s due to client-side throttling, not priority and fairness, request: GET:https://10.43.0.1:443/apis/discovery.k8s.io/v1
E1216 08:19:58.226196       1 runtime.go:79] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
goroutine 1914 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic({0x2e22180?, 0x564bf50})
        k8s.io/apimachinery@v0.25.5/pkg/util/runtime/runtime.go:75 +0x99
k8s.io/apimachinery/pkg/util/runtime.HandleCrash({0x0, 0x0, 0xc004b3ace0?})
        k8s.io/apimachinery@v0.25.5/pkg/util/runtime/runtime.go:49 +0x75
panic({0x2e22180, 0x564bf50})
        runtime/panic.go:884 +0x212
github.com/kyverno/kyverno/pkg/engine.fetchConfigMap({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0024a4870?}, 0x0?}, {{0xc0006d30bc, 0x4}, 0xc0021b6360, 0x0, 0x0, ...}, ...)
        github.com/kyverno/kyverno/pkg/engine/jsonContext.go:352 +0x2e9
github.com/kyverno/kyverno/pkg/engine.loadConfigMap({0x3da3018?, 0xc0017ec880?}, {{0x3dad260?, 0xc0024a4870?}, 0xc000bc964a?}, {{0xc0006d30bc, 0x4}, 0xc0021b6360, 0x0, 0x0, ...}, ...)
        github.com/kyverno/kyverno/pkg/engine/jsonContext.go:322 +0x79
github.com/kyverno/kyverno/pkg/engine.LoadContext({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0024a4870?}, 0x0?}, {0x3da4198, 0xc0026f77d0}, {0xc0020ebbf0, 0x1, 0x1}, ...)
        github.com/kyverno/kyverno/pkg/engine/jsonContext.go:64 +0x3a5
github.com/kyverno/kyverno/pkg/engine.processImageValidationRule({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0022c2370?}, 0x1a?}, {0x3da4198, 0xc0026f77d0}, 0xc0020a29a0, 0xc0013f3858)
        github.com/kyverno/kyverno/pkg/engine/imageVerifyValidate.go:31 +0x2e5
github.com/kyverno/kyverno/pkg/engine.validateResource.func1({0x3da3018, 0xc0017ec880}, {0x32cb602?, 0xa?})
        github.com/kyverno/kyverno/pkg/engine/validation.go:140 +0x505
github.com/kyverno/kyverno/pkg/tracing.ChildSpan1[...]({0x3da3018?, 0xc0017ec880?}, {0x32cb602?, 0x4?}, {0xc0022296b0?, 0x0?}, 0xc000c24760?, {0x0, 0x0, 0x0})
        github.com/kyverno/kyverno/pkg/tracing/childspan.go:46 +0xcd
github.com/kyverno/kyverno/pkg/engine.validateResource({0x3da3018, 0xc0017ec880}, {{0x3dad260, 0xc0022c2370}, 0x0}, {0x3da4198, 0xc0026f77d0}, 0xc0020a29a0)
        github.com/kyverno/kyverno/pkg/engine/validation.go:120 +0x7cc
github.com/kyverno/kyverno/pkg/engine.Validate({0x3da3018, 0xc0017ec880}, {0x3da4198, 0xc0026f77d0}, 0xc0020a29a0)
        github.com/kyverno/kyverno/pkg/engine/validation.go:48 +0x259
github.com/kyverno/kyverno/pkg/controllers/report/utils.(*scanner).validateResource(0xc000c25380, {0x3da3018, 0xc0017ec880}, {0xc0020a44b0}, 0xc001e3a420, {0x3dd52b8?, 0xc006092800})
        github.com/kyverno/kyverno/pkg/controllers/report/utils/scanner.go:89 +0x41e
github.com/kyverno/kyverno/pkg/controllers/report/utils.(*scanner).ScanResource(0xc000c25380, {0x3da3018, 0xc0017ec880}, {0x0?}, 0x0?, {0xc002cf8b90, 0x1, 0xc0017ec880?})
        github.com/kyverno/kyverno/pkg/controllers/report/utils/scanner.go:46 +0xfa
github.com/kyverno/kyverno/pkg/controllers/report/background.(*controller).updateReport(0xc000535d90, {0x3da3018, 0xc0017ec880}, {0x7fce0e04c1c8, 0xc000657908}, {{0xc001fc67d8, 0x5}, {0xc001fc67de, 0x2}, {0xc001fc785c, ...}}, ...)
        github.com/kyverno/kyverno/pkg/controllers/report/background/controller.go:244 +0x676
github.com/kyverno/kyverno/pkg/controllers/report/background.(*controller).reconcile(0xc000535d90, {0x3da3018, 0xc0017ec880}, {{0xc000ba89f8?, 0x40b6c7?}, 0x10?}, {0x2cb8ca0?, 0x73b5c23930392e01?}, {0xc0029e66c0, 0xb}, ...)
        github.com/kyverno/kyverno/pkg/controllers/report/background/controller.go:397 +0x31f
github.com/kyverno/kyverno/pkg/utils/controller.reconcile({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0009a3db0?}, 0x0?}, {0x2cb94e0?, 0xc004b3ace0}, 0xc0054ae4a0)
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:155 +0x47c
github.com/kyverno/kyverno/pkg/utils/controller.processNextWorkItem({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0009a3db0?}, 0x0?}, 0x2a?, {0x3dbf7e0?, 0xc000c5ffc0?}, 0x4174f2?, 0xc0054ae4a0)
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:100 +0x17e
github.com/kyverno/kyverno/pkg/utils/controller.worker(...)
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:93
github.com/kyverno/kyverno/pkg/utils/controller.Run.func1.1.1({0x3da3018?, 0xc0017ec880?})
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:74 +0xcd
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1()
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:190 +0x25
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0xa80?)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:157 +0x3e
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc00029c1d8?, {0x3d78bc0, 0xc000cb50b0}, 0x1, 0xc002aae840)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:158 +0xb6
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc005dbe668?, 0x3b9aca00, 0x0, 0x60?, 0xc001f443c0?)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:135 +0x89
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext({0x3da3018, 0xc0017ec880}, 0xc005dbe750, 0x32d8f41?, 0xf?, 0x0?)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:190 +0x99
k8s.io/apimachinery/pkg/util/wait.UntilWithContext(...)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:101
github.com/kyverno/kyverno/pkg/utils/controller.Run.func1.1({{0x3dad260?, 0xc0009a3db0?}, 0xc005dbe788?})
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:74 +0x23e
created by github.com/kyverno/kyverno/pkg/utils/controller.Run.func1
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:70 +0x10a
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
        panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x29acda9]

goroutine 1914 [running]:
k8s.io/apimachinery/pkg/util/runtime.HandleCrash({0x0, 0x0, 0xc004b3ace0?})
        k8s.io/apimachinery@v0.25.5/pkg/util/runtime/runtime.go:56 +0xd7
panic({0x2e22180, 0x564bf50})
        runtime/panic.go:884 +0x212
github.com/kyverno/kyverno/pkg/engine.fetchConfigMap({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0024a4870?}, 0x0?}, {{0xc0006d30bc, 0x4}, 0xc0021b6360, 0x0, 0x0, ...}, ...)
        github.com/kyverno/kyverno/pkg/engine/jsonContext.go:352 +0x2e9
github.com/kyverno/kyverno/pkg/engine.loadConfigMap({0x3da3018?, 0xc0017ec880?}, {{0x3dad260?, 0xc0024a4870?}, 0xc000bc964a?}, {{0xc0006d30bc, 0x4}, 0xc0021b6360, 0x0, 0x0, ...}, ...)
        github.com/kyverno/kyverno/pkg/engine/jsonContext.go:322 +0x79
github.com/kyverno/kyverno/pkg/engine.LoadContext({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0024a4870?}, 0x0?}, {0x3da4198, 0xc0026f77d0}, {0xc0020ebbf0, 0x1, 0x1}, ...)
        github.com/kyverno/kyverno/pkg/engine/jsonContext.go:64 +0x3a5
github.com/kyverno/kyverno/pkg/engine.processImageValidationRule({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0022c2370?}, 0x1a?}, {0x3da4198, 0xc0026f77d0}, 0xc0020a29a0, 0xc0013f3858)
        github.com/kyverno/kyverno/pkg/engine/imageVerifyValidate.go:31 +0x2e5
github.com/kyverno/kyverno/pkg/engine.validateResource.func1({0x3da3018, 0xc0017ec880}, {0x32cb602?, 0xa?})
        github.com/kyverno/kyverno/pkg/engine/validation.go:140 +0x505
github.com/kyverno/kyverno/pkg/tracing.ChildSpan1[...]({0x3da3018?, 0xc0017ec880?}, {0x32cb602?, 0x4?}, {0xc0022296b0?, 0x0?}, 0xc000c24760?, {0x0, 0x0, 0x0})
        github.com/kyverno/kyverno/pkg/tracing/childspan.go:46 +0xcd
github.com/kyverno/kyverno/pkg/engine.validateResource({0x3da3018, 0xc0017ec880}, {{0x3dad260, 0xc0022c2370}, 0x0}, {0x3da4198, 0xc0026f77d0}, 0xc0020a29a0)
        github.com/kyverno/kyverno/pkg/engine/validation.go:120 +0x7cc
github.com/kyverno/kyverno/pkg/engine.Validate({0x3da3018, 0xc0017ec880}, {0x3da4198, 0xc0026f77d0}, 0xc0020a29a0)
        github.com/kyverno/kyverno/pkg/engine/validation.go:48 +0x259
github.com/kyverno/kyverno/pkg/controllers/report/utils.(*scanner).validateResource(0xc000c25380, {0x3da3018, 0xc0017ec880}, {0xc0020a44b0}, 0xc001e3a420, {0x3dd52b8?, 0xc006092800})
        github.com/kyverno/kyverno/pkg/controllers/report/utils/scanner.go:89 +0x41e
github.com/kyverno/kyverno/pkg/controllers/report/utils.(*scanner).ScanResource(0xc000c25380, {0x3da3018, 0xc0017ec880}, {0x0?}, 0x0?, {0xc002cf8b90, 0x1, 0xc0017ec880?})
        github.com/kyverno/kyverno/pkg/controllers/report/utils/scanner.go:46 +0xfa
github.com/kyverno/kyverno/pkg/controllers/report/background.(*controller).updateReport(0xc000535d90, {0x3da3018, 0xc0017ec880}, {0x7fce0e04c1c8, 0xc000657908}, {{0xc001fc67d8, 0x5}, {0xc001fc67de, 0x2}, {0xc001fc785c, ...}}, ...)
        github.com/kyverno/kyverno/pkg/controllers/report/background/controller.go:244 +0x676
github.com/kyverno/kyverno/pkg/controllers/report/background.(*controller).reconcile(0xc000535d90, {0x3da3018, 0xc0017ec880}, {{0xc000ba89f8?, 0x40b6c7?}, 0x10?}, {0x2cb8ca0?, 0x73b5c23930392e01?}, {0xc0029e66c0, 0xb}, ...)
        github.com/kyverno/kyverno/pkg/controllers/report/background/controller.go:397 +0x31f
github.com/kyverno/kyverno/pkg/utils/controller.reconcile({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0009a3db0?}, 0x0?}, {0x2cb94e0?, 0xc004b3ace0}, 0xc0054ae4a0)
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:155 +0x47c
github.com/kyverno/kyverno/pkg/utils/controller.processNextWorkItem({0x3da3018, 0xc0017ec880}, {{0x3dad260?, 0xc0009a3db0?}, 0x0?}, 0x2a?, {0x3dbf7e0?, 0xc000c5ffc0?}, 0x4174f2?, 0xc0054ae4a0)
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:100 +0x17e
github.com/kyverno/kyverno/pkg/utils/controller.worker(...)
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:93
github.com/kyverno/kyverno/pkg/utils/controller.Run.func1.1.1({0x3da3018?, 0xc0017ec880?})
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:74 +0xcd
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1()
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:190 +0x25
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0xa80?)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:157 +0x3e
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc00029c1d8?, {0x3d78bc0, 0xc000cb50b0}, 0x1, 0xc002aae840)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:158 +0xb6
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc005dbe668?, 0x3b9aca00, 0x0, 0x60?, 0xc001f443c0?)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:135 +0x89
k8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext({0x3da3018, 0xc0017ec880}, 0xc005dbe750, 0x32d8f41?, 0xf?, 0x0?)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:190 +0x99
k8s.io/apimachinery/pkg/util/wait.UntilWithContext(...)
        k8s.io/apimachinery@v0.25.5/pkg/util/wait/wait.go:101
github.com/kyverno/kyverno/pkg/utils/controller.Run.func1.1({{0x3dad260?, 0xc0009a3db0?}, 0xc005dbe788?})
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:74 +0x23e
created by github.com/kyverno/kyverno/pkg/utils/controller.Run.func1
        github.com/kyverno/kyverno/pkg/utils/controller/run.go:70 +0x10a

Steps to reproduce

apiVersion: v1
kind: ConfigMap
metadata:
  namespace: default
  name: keys
data:
  org: |-
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
    50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
    -----END PUBLIC KEY-----    
  org1:
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
    50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
    -----END PUBLIC KEY-----

Create this configmap and the policy below, and Kyverno is in CrashLoopBackOff.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-with-multi-keys
  annotations:
    policies.kyverno.io/title: Verify Image with Multiple Keys
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kyverno-version: 1.7.2
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      There may be multiple keys used to sign images based on
      the parties involved in the creation process. This image
      verification policy requires the named image be signed by
      two separate keys. It will search for a global "production"
      key in a ConfigMap called `key` in the `default` Namespace
      and also a Namespace key in the same ConfigMap.
spec:
  validationFailureAction: enforce
  background: true
  rules:
    - name: check-image-with-two-keys
      match:
        any:
        - resources:
            kinds:
              - Pod
      context:
      - name: keys
        configMap:
          name: keys
          namespace: default
      verifyImages:
        # check global key
        - image: "*"
          key: "{{ keys.data.org }}"
        # check image specific key - lookup via image name
        - image: "ghcr.io/stone-nucleus-366711/*"
          key: "{{ keys.data.{{image.name}}}}"

Expected behavior

Kyverno runs normally.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@realshuting realshuting added bug Something isn't working triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Dec 16, 2022
@realshuting realshuting self-assigned this Dec 16, 2022
@realshuting realshuting added release-critical Critical issues which MUST be addressed in the specified milestone. These cannot get bumped. and removed triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Dec 16, 2022
@chipzoller chipzoller added the imageVerify Image verification support label Dec 16, 2022
@chipzoller chipzoller removed the imageVerify Image verification support label Dec 16, 2022
realshuting added a commit to realshuting/kyverno that referenced this issue Dec 16, 2022
Signed-off-by: ShutingZhao <shuting@nirmata.com>
realshuting added a commit that referenced this issue Dec 16, 2022
* add kuttl tests for #5704

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
MdSahil-oss pushed a commit to MdSahil-oss/kyverno that referenced this issue Dec 29, 2022
* add kuttl tests for kyverno#5704

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Md Sahil <Mohdssahil1@gmail.com>
MdSahil-oss pushed a commit to MdSahil-oss/kyverno that referenced this issue Jan 11, 2023
* add kuttl tests for kyverno#5704

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>