[Bug] Kyverno deployment violates its own best practice policy · Issue #12889 · kyverno/kyverno · GitHub

Open
2 tasks done
ccactus opened this issue Apr 25, 2025 · 1 comment
Labels: bug, good first issue, helm

ccactus commented Apr 25, 2025

Kyverno Version

1.13.4

Description

One of the proposed best practice policies is to confirm that pods have the label app.kubernetes.io/name. However, Kyverno itself violates this policy after the major refactoring done here.

The Helm guideline lists app.kubernetes.io/name as a recommended label to include. The sample policy used is found here.

$ k get events -n kyverno
LAST SEEN   TYPE      REASON            OBJECT                                               MESSAGE
29m         Warning   PolicyViolation   pod/kyverno-admission-controller-6f6b464fd-r22kb     policy require-labels/check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   replicaset/kyverno-admission-controller-6f6b464fd    policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   replicaset/kyverno-admission-controller-7bb6fd9b4c   policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   deployment/kyverno-admission-controller              policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   pod/kyverno-background-controller-8857bcdc6-5pmwr    policy require-labels/check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   replicaset/kyverno-background-controller-8857bcdc6   policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   replicaset/kyverno-background-controller-977b5444    policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   deployment/kyverno-background-controller             policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   pod/kyverno-cleanup-controller-698b56fb69-jpt9m      policy require-labels/check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   replicaset/kyverno-cleanup-controller-698b56fb69     policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   replicaset/kyverno-cleanup-controller-7bdbbd9c47     policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   deployment/kyverno-cleanup-controller                policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   pod/kyverno-reports-controller-76ccc7bd59-h2jdl      policy require-labels/check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule check-for-labels failed at path /metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   replicaset/kyverno-reports-controller-76ccc7bd59     policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   replicaset/kyverno-reports-controller-8f669fc67      policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/
29m         Warning   PolicyViolation   deployment/kyverno-reports-controller                policy require-labels/autogen-check-for-labels fail: validation error: The label `app.kubernetes.io/name` is required. rule autogen-check-for-labels failed at path /spec/template/metadata/labels/app.kubernetes.io/name/

Cluster version: 1.31.x
Behavior observed in both 1.13.4 and 1.14.0. Pretty minor, but couldn't find any motivation as to why the name label was dropped in the refactor.

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

ccactus added the bug and triage labels Apr 25, 2025
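
The events in the issue report the missing label at two paths: `/metadata/labels/...` for pods and `/spec/template/metadata/labels/...` for the controllers that own them. The following added example (not part of the original issue and not Kyverno or chart code) is a simplified re-implementation of that check for rendered manifests, so a chart can be tested before install. It goes beyond the events shown by also covering other pod controllers and CronJob; the non-empty-value requirement, the helper names and the sample manifests are assumptions.

```python
REQUIRED = "app.kubernetes.io/name"

# Where the pod metadata lives for each kind. Pods are checked directly;
# controllers are checked at their pod template, which is the path the
# autogen-check-for-labels events in the issue report.
POD_TEMPLATE = ("spec", "template", "metadata")
POD_METADATA_PATH = {
    "Pod": ("metadata",),
    **{k: POD_TEMPLATE for k in
       ("Deployment", "ReplicaSet", "StatefulSet", "DaemonSet", "Job")},
    "CronJob": ("spec", "jobTemplate") + POD_TEMPLATE,
}

def missing_label_path(resource, label=REQUIRED):
    """Return the failing path in the event style, or None if compliant."""
    path = POD_METADATA_PATH.get(resource.get("kind"))
    if path is None:
        return None  # kind is outside the scope of this check
    node = resource
    for key in path:
        node = node.get(key) or {}  # absent or null sections count as empty
    value = (node.get("labels") or {}).get(label)
    if isinstance(value, str) and value:  # assumption: any non-empty value passes
        return None
    return "/" + "/".join(path + ("labels", label)) + "/"

def audit(resources, label=REQUIRED):
    """List (kind/name, failing path) for every non-compliant resource."""
    findings = []
    for res in resources:
        path = missing_label_path(res, label)
        if path:
            name = (res.get("metadata") or {}).get("name", "<unnamed>")
            findings.append((f"{res['kind'].lower()}/{name}", path))
    return findings

# Constructed sample input, shaped like parsed `helm template` output.
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "kyverno-admission-controller"},
     "spec": {"template": {"metadata": {"labels": {
         "app.kubernetes.io/component": "admission-controller"}}}}},
    {"kind": "Pod", "metadata": {"name": "labelled-pod",
                                 "labels": {REQUIRED: "demo"}}},
    {"kind": "CronJob", "metadata": {"name": "unlabelled-cronjob"},
     "spec": {"jobTemplate": {"spec": {"template": {"metadata": {}}}}}},
]

if __name__ == "__main__":
    for obj, path in audit(SAMPLE):
        print(f"{obj}: label `{REQUIRED}` is required, missing at {path}")
```

Run against a chart's rendered output in CI, a non-empty result from `audit` flags the regression before the policy reports it in the cluster.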

Rohanraj123 (Contributor) commented

/assign

realshuting added the good first issue label and removed the triage label May 7, 2025
realshuting added the helm label May 7, 2025