[Bug] policies with both clone AND mutate rules (with targets set) do not clone
#9571
Comments
@chipzoller @realshuting we should either document this as a known issue, or try and fix it in the next release. It's very common to want a policy that both "clones" a Secret, and also triggers restarts of Deployments that use that secret (listening to updates on the source secret, to avoid the fact that Kyverno ignores its own updates). But right now (1.11.4), these rules have to be in separate policies, or the clone won't apply.
You need to set
@realshuting I am very confused by your response. I think we need to reopen this issue. The issue is not about whether the mutate rule fires on creation of the policy, it's about the clone rule not firing at all. Specifically, in 1.11.4 if there is a clone rule in a policy in addition to a mutate rule (with a target defined), then the clone rule does not ever trigger. Are you saying that this issue has been resolved already?
I was testing against the latest main and it has no issue cloning the secret. Let me verify on 1.11.x.
I can confirm that the clone rule in the combined policy doesn't work in 1.11.4. It looks like the issue has been fixed in main and will be available in 1.12, can you please verify the same?
Kyverno Version
1.11.4
Description
In Kyverno 1.11.4 (and probably others too), if a ClusterPolicy contains both a clone and mutate rule (with targets set), the clone rule in the policy is never applied. Note the clone rule WILL apply if the mutate rule does not set mutate.targets.
Steps to reproduce:
Secret/target-secret-1 is NOT created in target-namespace-1
match resource: ConfigMap/random-configmap was annotated with my_annotation: "2024-01-30T21:50:40Z"
Secret/target-secret-1 is still NOT created in target-namespace-1
Slack discussion
No response
Troubleshooting
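The 1.11.4 workaround mentioned in the first comment, keeping the clone rule and the mutate rule (with targets) in separate policies, could look like the sketch below. It is an added example, not the reporter's policy or Kyverno project code; the policy names, the Namespace trigger for the clone, the source Secret source-secret-1 in source-namespace-1, and the namespace of random-configmap are assumptions.

```yaml
# Policy 1: clone only. No mutate rule with targets shares this policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: clone-target-secret            # assumed name
spec:
  rules:
    - name: clone-secret
      match:
        any:
          - resources:
              kinds: ["Namespace"]     # assumed trigger for the clone
              names: ["target-namespace-1"]
      generate:
        apiVersion: v1
        kind: Secret
        name: target-secret-1
        namespace: "{{request.object.metadata.name}}"
        synchronize: true              # keep the clone in sync with the source
        clone:
          namespace: source-namespace-1   # assumed source namespace
          name: source-secret-1           # assumed source Secret
---
# Policy 2: mutate-existing only, triggered by updates to the source Secret.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: annotate-on-secret-update      # assumed name
spec:
  rules:
    - name: annotate-configmap
      match:
        any:
          - resources:
              kinds: ["Secret"]
              names: ["source-secret-1"]          # assumed
              namespaces: ["source-namespace-1"]  # assumed
      mutate:
        targets:
          - apiVersion: v1
            kind: ConfigMap
            name: random-configmap
            namespace: target-namespace-1         # assumed namespace
        patchStrategicMerge:
          metadata:
            annotations:
              my_annotation: "{{ time_now_utc() }}"
```

Kyverno's service accounts need RBAC permission to create Secrets and to update the target ConfigMap for either policy to take effect.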