[Bug] Kyverno 1.10.1+ broke ability to clone secrets with names > 63 characters #8447

Closed
2 tasks done
thesuperzapper opened this issue Sep 19, 2023 · 9 comments · Fixed by #8466
Labels
bug Something isn't working generation Issues pertaining to the generate ability.


@thesuperzapper
Contributor

Kyverno Version

1.10.3

Description

First, it's important to note that Kubernetes Secrets can have names up to 253 characters long.

In Kyverno 1.10.0, ClusterPolicies which cloned secrets were able to clone secrets of any name length, but in Kyverno 1.10.1+ it can only clone secrets with name length up to 63 characters.

This is because #7436 introduced a new label generate.kyverno.io/source-name which is added to the generated secret. However, labels are only allowed to be 63 characters in length, which obviously will not work if the source secret has a longer name than that.

I propose we either:

  1. change it to an annotation (which can be multiple KB in length)
  2. remove the generate.kyverno.io/source-name label
  3. keep the label, but replace it with a hash that results in less than 63 characters (which might defeat the user-visibility of this label)

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@thesuperzapper thesuperzapper added bug Something isn't working triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Sep 19, 2023
@MariamFahmy98 MariamFahmy98 self-assigned this Sep 19, 2023
@MariamFahmy98 MariamFahmy98 added generation Issues pertaining to the generate ability. and removed triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Sep 19, 2023
@Chandan-DK
Contributor

@MariamFahmy98 Are you working on this? I think this is a duplicate of #4675. I had assigned myself #4675 previously. Is it ok if I continue working on it?

@MariamFahmy98
Collaborator

Yeah sure. Go ahead. I will assign it to you.

@thesuperzapper
Contributor Author

@Chandan-DK I am interested in which approach you plan to take; I am partial to the idea of using annotations, because it will still be human readable, but can be uncapped in terms of length.

The only caveat is that it is a little more complex (and less efficient) to do filtering than with labels, so if that is a concern, we might have to use the hash approach.
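The trade-off between the options in the issue description and the comment above, as an added example that is not Kyverno's code and not the fix that was merged: it keeps the readable label when the source name fits in a label value, and otherwise stores the full name in an annotation plus a fixed-length hash label for selector-based filtering. Using `generate.kyverno.io/source-name` as an annotation key and the `example.invalid/source-name-hash` label key are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

const (
	sourceNameKey = "generate.kyverno.io/source-name"  // key named in the issue
	hashLabelKey  = "example.invalid/source-name-hash" // hypothetical key
	maxLabelValue = 63                                 // Kubernetes label value limit
)

// Label value syntax: empty, or alphanumeric at both ends with '-', '_'
// and '.' allowed in between.
var labelValueRe = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)

func validLabelValue(v string) bool {
	return len(v) <= maxLabelValue && labelValueRe.MatchString(v)
}

// sourceMetadata keeps the readable label when the source name fits. Otherwise
// it stores the full name in an annotation (option 1) and adds a fixed-length
// hash label so label selectors still work (option 3).
func sourceMetadata(name string) (labels, annotations map[string]string) {
	labels, annotations = map[string]string{}, map[string]string{}
	if validLabelValue(name) {
		labels[sourceNameKey] = name
		return labels, annotations
	}
	sum := sha256.Sum256([]byte(name))
	labels[hashLabelKey] = hex.EncodeToString(sum[:])[:32]
	annotations[sourceNameKey] = name
	return labels, annotations
}

func main() {
	// Constructed names: one short, one 64 characters (legal for a Secret).
	for _, n := range []string{"registry-creds", strings.Repeat("a", 64)} {
		l, a := sourceMetadata(n)
		fmt.Printf("len=%d labels=%v annotations=%v\n", len(n), l, a)
	}
}
```
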

@Chandan-DK
Contributor

@thesuperzapper This is the approach mentioned by @realshuting #4675 (comment)

@thesuperzapper
Contributor Author

thesuperzapper commented Oct 4, 2023

@eddycharly, I just want to make sure this is going to be included in the next release of Kyverno, given it's a significant regression. (It is preventing many people from upgrading beyond 1.10.0).

@thesuperzapper
Contributor Author

@realshuting @vishal-chdhry @MariamFahmy98, I just want to confirm the status of this issue, as it was a pretty significant regression in 1.10.1 and I strongly believe this must block the release of Kyverno 1.11.0.

@thesuperzapper
Contributor Author

@JimBugwadia @MariamFahmy98 I am quite worried about the progression of 1.11.0 release candidates when this issue is not resolved.

If this is not patched before the final 1.11.0, it will mean that 1.10.0 was the latest version that is correctly able to execute generate policies on secrets with names longer than 63 characters, as this was broken in 1.10.1.

I want to highlight that this is not the only recent case of a significant breaking regression that is not yet resolved, for example, #7718 (which is less pressing than the one in this thread, but still important).

I worry that breaking regressions are not seen as a priority to the maintainers of the Kyverno project. I will likely stop using Kyverno (and recommend others do the same) if the serious regression (raised in this thread) is not resolved before 1.11.0.

@MariamFahmy98 MariamFahmy98 added this to the Kyverno Release 1.11.0 milestone Oct 24, 2023
@JimBugwadia
Member

@thesuperzapper - thanks for the feedback. We discussed this earlier in the week and are tracking for 1.11.0.

@thesuperzapper
Contributor Author

This issue also affects mutate rules with targets defined, I have raised a separate issue:

The mutate issue is present for all versions from 1.10.1 to 1.11.1, so 1.10.0 is still the only "safe" version (but it has lots of other issues that were fixed in later releases, so it's annoying to have to keep using it).


4 participants