Publish Kyverno and Kubernetes compatible matrix

[realshuting]

No description provided.

[chipzoller]

We can probably go ahead and publish this since 1.3.0 was released. Are we claiming 1.3.0 supports K8s 1.14-1.20 at this time? Should we start the matrix with 1.3.0 and list only it? Going forward, it might be good to specify this compatibility on the releases, which we can then pick up and copy into the docs.

[chipzoller]

@realshuting can you comment, please?

[realshuting]

There may be a problem for supporting 1.20, see this issue.

We can claim 1.3.0 supports K8s 1.14-1.19.

[chipzoller]

If that's the case, then max version would be 1.18 since the Ingress containing API graduated to stable in 1.19 (not 1.20). Do we want to make that claim if the only blocker is the CLI when testing policy? And this isn't fixed in 1.3.0?

[realshuting]

Kyverno 1.3.0 uses K8s 1.18 client library, and networking.k8s.io/v1beta1 was dropped in 1.19, so it causes errors with CLI. To fix it in CLI, we need to upgrade the client version.

While for Kyverno controller, this shouldn't matter as Kyverno always fetches the Kind with the preferred API version.

[chipzoller]

Can we claim support through 1.20 with an exception for this known issue in the CLI? Is that reasonable?

[realshuting]

Sounds good to me, @JimBugwadia do you see any other exceptions?

[JimBugwadia]

Yes, that seems fine to me as well!

[bitva77]

end user here.

Is there anyway to add an "ignore-api-version-errors" options or something to the CLI? Or a way to dynamically include/override other API versions?

Our Ingresses are set at networking.k8s.io/v1 and our manifests are in one file. So even if we're trying to just validate a kinds: Deployment , the whole thing fails because the CLI seems to validate every kind anyways.

This won't be the last time this issue comes up, I imagine.

[chipzoller]

Hi @bitva77 , since you're commenting on a (closed) PR which is not super related, would you open this instead on the main Kyverno repo, please?

[JimBugwadia]

@bitva77 - you can limit policy rules to match a kind (see: https://kyverno.io/docs/writing-policies/match-exclude/) and the CLI should skip other types. If this does not work, please log an issue here: https://github.com/kyverno/kyverno/issues or reach out on the slack channel.

[realshuting]

Kyverno v1.3.0 does not support K8s 1.15 and all previous versions, as all CRDs are defined with apiextensions.k8s.io/v1, which was introduced in K8s 1.16.

Kyverno v1.2.1 supports K8s 1.14 and 1.15.

cc @chipzoller @JimBugwadia

[chipzoller]

Ok so min version for 1.3.0 is 1.16, correct?

[realshuting]

Yes correct.

[yuriydzobak]

Hi
What's about CIlium?

Error: failed to load resources
Cause: no kind "CiliumNetworkPolicy" is registered for version "cilium.io/v2" in scheme "pkg/runtime/scheme.go:100"

I tried to skip but no luck =(

    exclude:
      resources:
        kinds:
        - CiliumNetworkPolicy
        - cilium.io/v2 

[realshuting]

Hi @yuriydzobak, cilium.io/v2 is the apiVersion, not the kind. Kyverno currently takes Kind only in kinds, here's the working PR that extends kinds to match by Group and Version.

[realshuting]

Kyverno v1.3.0 does not support K8s 1.15 and all previous versions, as all CRDs are defined with apiextensions.k8s.io/v1, which was introduced in K8s 1.16.

Kyverno v1.2.1 supports K8s 1.14 and 1.15.

cc @chipzoller @JimBugwadia

@chipzoller - are you sending the update? Otherwise I can pick this up.

[chipzoller]

Sorry, I dropped the ball on this one due to work overload. If you can pick it up, that's great.

[realshuting]

Sure I can send the update!