New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] Kyverno 1.10.1+ broke ability to clone secrets with names > 63 characters #8447
Comments
@MariamFahmy98 Are you working on this? I think this is a duplicate of #4675. I had assigned myself #4675 previously. Is it ok if I continue working on it? |
Yeah sure. Go ahead. I will assign it to you. |
@Chandan-DK I am interested in which approach you plan to take, I am partial to the idea of using annotations, because it will still be human readable, but can be uncapped in terms of length. The only caveat is that it is a little more complex (and less efficient) to do filtering than with labels, so if that is a concern, we might have to use the hash approach. |
@thesuperzapper This is the approach mentioned by @realshuting #4675 (comment) |
@eddycharly, I just want to make sure this is going to be included in the next release of Kyverno, given its a significant regression. (It is preventing many people from upgrading beyond |
@realshuting @vishal-chdhry @MariamFahmy98, I just want to confirm the status of this issue, as it was a pretty significant regression in |
@JimBugwadia @MariamFahmy98 I am quite worried about the progression of If this is not patched before the final I want to highlight that this is not the only recent case of a significant breaking regression that is not yet resolved, for example, #7718 (which is less pressing than the one in this thread, but still important). I worry that breaking regressions are not seen as a priority to the maintainers of the Kyverno project. I will likely stop using Kyerno (and recommend others do the same) if the serious regression (raised in this thread) is not resolved before |
@thesuperzapper - thanks for the feedback. We discussed this earlier in the week and are tracking for 1.11.0. |
This issue also affects
The mutate issue is present for all versions from |
Kyverno Version
1.10.3
Description
First, its important to note that Kubernetes Secrets can have names up to 253 characters long.
In Kyverno
1.10.0
, ClusterPolicies which cloned secrets were able to clone secrets of any name length, but in Kyverno1.10.1+
it can only clone secrets with name length up to 63 characters.This is because #7436 introduced a new label
generate.kyverno.io/source-name
which is added to the generated secret. However, labels are only allowed to be 63 characters in length, which obviously will not work if the source secret has a longer name than that.I propose we either:
generate.kyverno.io/source-name
labelSlack discussion
No response
Troubleshooting
The text was updated successfully, but these errors were encountered: