You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When I raise sync secret policy and i update the upstream secret, I see no change to the downstream secret. This extends to both editing the secret to change a label and deleting the upstream secret entirely. Does it have to do with excluding the namespace that the clone secret is derived from?
Steps to reproduce
Apply the below kyverno sync-secrets policy. Edit or delete the parent secret and observe that the child secrets are unaffected.
The policy:
# this is a Generate rule which creates new Kubernetes resources based on a# policy and optionally keep them in sync. See more:# https://kyverno.io/docs/writing-policies/generate/apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:
name: sync-secretsannotations:
policies.kyverno.io/title: Sync Secretspolicies.kyverno.io/category: my-teampolicies.kyverno.io/subject: Secretpolicies.kyverno.io/minversion: 1.6.0policies.kyverno.io/description: >- Copy the wildcard secret into every namespace and keep it in sync.spec:
generateExisting: truebackground: falserules:
- name: sync-wildcard-secretmatch:
any:
- resources:
kinds:
- Namespaceexclude:
any:
- resources:
namespaces:
- kube-system
- default
- kube-public
- kube-node-lease
- kyvernogenerate:
kind: SecretapiVersion: v1name: wildcardnamespace: "{{ request.object.metadata.name }}"synchronize: trueclone:
namespace: kube-systemname: wildcard
then either kubectl edit or kubectl delete the original secret and observe no change in the data inside the child secrets.
Is it because the clone source of the secret is in a namespace that is being excluded?
The below logs are when deleting the child secrets where evidence is shown of the sync being respected. No logs are produced when the clone source is deleted.
the problem I'm trying to solve by excluding the namespace where the clone secret is is that Kyverno does not own the clone secret and it should not try to write to that namespace.
Is there another way besides rules.exclude to tell the below policy to ignore updates to the cloned secret's namespace?
namespace: "{{ request.object.metadata.name }}"
An obvious workaround is to name the copy of the secret something else (i.e. wildcard-copy) but that's logistically complicated.
kube-system is excluded in webhooks by default, therefore whether it's listed in the exclude block in this policy is irrelevant. Kyverno must be able to "see" admission events on clone sources, and with it being excluded in the webhook this isn't possible. You can change the webhook exclusions either during install or on day2 by modifying Kyverno's ConfigMap.
Kyverno Version
1.12
Kubernetes Version
1.28
Kubernetes Platform
GKE
Description
When I raise
sync secret
policy and i update the upstream secret, I see no change to the downstream secret. This extends to both editing the secret to change a label and deleting the upstream secret entirely. Does it have to do with excluding the namespace that theclone
secret is derived from?Steps to reproduce
Apply the below kyverno sync-secrets policy. Edit or delete the parent secret and observe that the child secrets are unaffected.
The policy:
then either
kubectl edit
orkubectl delete
the original secret and observe no change in the data inside the child secrets.Expected behavior
Per https://kyverno.io/docs/writing-policies/generate/#clone-source I expected to see the downstream copies of the secret deleted.
Is it because the clone source of the secret is in a namespace that is being excluded?
The below logs are when deleting the child secrets where evidence is shown of the sync being respected. No logs are produced when the clone source is deleted.
Screenshots
No response
Kyverno logs
Slack discussion
No response
Troubleshooting
The text was updated successfully, but these errors were encountered: