[Bug] namespaceSelector not working 1.14.1 · Issue #13093 · kyverno/kyverno · GitHub
[Bug] namespaceSelector not working 1.14.1 #13093

Open · 2 tasks done
Nextgeo90 opened this issue May 9, 2025 · 1 comment

Labels: bug (Something isn't working), good first issue (Good for newcomers), validation (Issues pertaining to the validate ability)

Nextgeo90 commented May 9, 2025

Kyverno Version

1.14.1

Description

Hi,

In summary, I found an issue in Kyverno 1.14.1 which affects the usage of spec.emitWarning and namespaceSelectors; it does not matter if you use matchLabels or matchExpressions.

Bug found

On a new installation of Kyverno 1.14.1, applying the same policies as on 1.13.3, I discovered that when you use a namespaceSelector under a rule in Audit mode, spec.emitWarning is not working.

Environment used

- OpenShift: Server Version 4.16.36
- Kubernetes Version: v1.29.11+148a389
- oc client: 4.16.0-202502111405.p0.gcf533b5.assembly.stream.el9-cf533b5

What I want to achieve

To use the spec.emitWarning option in order to warn users that something is not compliant before activating the policy in Enforce mode. It looks like the ability to use a namespaceSelector with specific labels, in order to apply a policy to namespaces that contain those labels, is not working anymore, and no Warning message is shown once we create an object which is not compliant with this rule.

Example of Policy

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-volume-types
  annotations:
    policies.kyverno.io/title: Restrict StorageClass
    policies.kyverno.io/category: Policies
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: PersistentVolume
    policies.kyverno.io/description: >-
      Deny policy in to prevent users to use StorageClass that are not allowed
      As Openshift ODF is going to be removed, we need to prevent the usage of old SC
      This policy blocks any other StorageClass for pvc other than those in the allow list.
spec:
  emitWarning: true
  background: true
  rules:
    - name: restricted-storageclass
      match:
        any:
        - resources:
            kinds:
            - PersistentVolumeClaim
            - PersistentVolume
            namespaceSelector:
              matchExpressions:
              - key: customer_project
                operator: In
                values:
                - "true"
              - key: COMPANY
                operator: In
                values:
                - "company1"
              - key: ENTITY
                operator: In
                values:
                - "entity1"

      preconditions:
        all:
          - key: "{{ request.operation }}"
            operator: Equals
            value: "CREATE"
          - key: "{{ request.object.metadata.namespace || '' }}"
            operator: Equals
            value: "*-dev"
      validate:
        failureAction: Audit
        message: >-
          Only the following StorageClass for volumes may be used: aws-efs, gp3-csi, jenkins-master,
          jenkins-slave, postgres-gp3.
        deny:
          conditions:
            all:
            - key: "{{ request.object.spec.storageClassName }}"
              operator: AnyNotIn
              value:
              - aws-efs
              - gp3-csi
              - jenkins-master
              - jenkins-slave
              - postgres-gp3
```

Example of object

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  annotations:
    volume.beta.kubernetes.io/storage-provisioner: efs.csi.aws.com
    volume.kubernetes.io/storage-provisioner: efs.csi.aws.com
  finalizers:
  - kubernetes.io/pvc-protection
  labels:
  name: alertmanager-main-db-alertmanager-main-22
  namespace: pruebas-dev
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: thin
```

Example of Namespace

```yaml
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  annotations:
    openshift.io/sa.scc.mcs: s0:c32,c24
    openshift.io/sa.scc.supplemental-groups: 1001040000/10000
    openshift.io/sa.scc.uid-range: 1001040000/10000
  labels:
    COMPANY: company1
    ENTITY: entity1
    customer_project: "true"
    kubernetes.io/metadata.name: pruebas-dev
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: v1.24
  name: pruebas-dev
spec:
  finalizers:
  - kubernetes
```

Other information

I have confirmed via Slack with a user that this could be an issue with the newer version of Kyverno, as it was working under 1.13.3 and not in 1.14.1.

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1746712157755789

Troubleshooting

- [x] I have read and followed the documentation AND the troubleshooting guide.
- [x] I have searched other issues in this repository and mine is not recorded.
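To pin down what the rule above is expected to do for the pasted Namespace and PVC, here is an added offline check (not part of the issue, and not Kyverno code) that evaluates the rule's namespaceSelector, preconditions and deny condition in plain Python; it generalises the selector evaluation to all four matchExpressions operators and assumes, as Kyverno's Equals operator does for strings, that `*-dev` is a `*` wildcard.

```python
import fnmatch

# Constructed from the issue: labels of the Project/Namespace "pruebas-dev".
NAMESPACE_LABELS = {"COMPANY": "company1", "ENTITY": "entity1",
                    "customer_project": "true", "kubernetes.io/metadata.name": "pruebas-dev"}

# namespaceSelector of the rule "restricted-storageclass", as a Python dict.
NAMESPACE_SELECTOR = {"matchExpressions": [
    {"key": "customer_project", "operator": "In", "values": ["true"]},
    {"key": "COMPANY", "operator": "In", "values": ["company1"]},
    {"key": "ENTITY", "operator": "In", "values": ["entity1"]},
]}

# Allow list from the rule's deny condition (AnyNotIn).
ALLOWED_STORAGE_CLASSES = {"aws-efs", "gp3-csi", "jenkins-master", "jenkins-slave", "postgres-gp3"}


def selector_matches(selector, labels):
    """Kubernetes LabelSelector semantics: matchLabels and all matchExpressions are ANDed."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def rule_applies(namespace_name, namespace_labels, operation):
    """match + preconditions: selector matches, operation is CREATE and the namespace
    name matches "*-dev" (assumed here to be a '*' wildcard, as Kyverno's Equals allows)."""
    return (selector_matches(NAMESPACE_SELECTOR, namespace_labels)
            and operation == "CREATE"
            and fnmatch.fnmatchcase(namespace_name, "*-dev"))


def expected_outcome(namespace_name, namespace_labels, operation, storage_class_name):
    """'skip' when the rule does not apply; otherwise 'warn' (Audit + emitWarning should
    surface an admission warning) for a disallowed storageClassName, else 'pass'."""
    if not rule_applies(namespace_name, namespace_labels, operation):
        return "skip"
    return "warn" if storage_class_name not in ALLOWED_STORAGE_CLASSES else "pass"
```

For the issue's PVC (storageClassName `thin`, created in `pruebas-dev`) the check returns `warn`, which is the admission warning the reporter expected but did not see on 1.14.1.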
@Nextgeo90 Nextgeo90 added bug Something isn't working triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels May 9, 2025
@dosubot dosubot bot added the validation Issues pertaining to the validate ability. label May 9, 2025
@realshuting realshuting removed the triage Default label assigned to all new issues indicating label curation is needed to fully organize. label May 9, 2025
@realshuting realshuting added this to the Kyverno Release 1.14.2 milestone May 9, 2025
@realshuting realshuting added the good first issue Good for newcomers label May 9, 2025
lavishpal (Contributor) commented:

/assign
