Description
Kyverno Version:
v1.13.2
Kubernetes Version:
v1.31.7
Kubernetes Platform:
AWS EKS
Description:
When using the verifyImages policy type in Kyverno in combination with ArgoCD (version v2.14.7), both application deletion and synchronization fail. This issue significantly impacts the ability to manage deployments through ArgoCD when image verification policies are enabled.
Steps to reproduce:
- Set up an ArgoCD application managed with Kyverno policies.
- Apply a verifyImages policy with the following configuration:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image
spec:
  validationFailureAction: Enforce
  rules:
    - name: verify-my-app
      match:
        any:
          - resources:
              kinds:
                - Deployment
              namespaces:
                - "my-app-namespace"
      preconditions:
        - key: "{{ request.object.spec.replicas }}"
          operator: GreaterThan
          value: 0
      verifyImages:
        - imageReferences:
            - "my-image-registry.com/my-app-image*"
          mutateDigest: true
          imageRegistryCredentials:
            secrets:
              - my-app-pull-secret
```
- Attempt to delete or synchronize the application using ArgoCD.
- Observe the error message quoted under "Actual Behavior" below.
Expected behavior:
ArgoCD should be able to delete or synchronize applications that have a Kyverno verifyImages policy applied, as long as the policy conditions are met (e.g., having a digest for the specified image).
Actual Behavior:
When attempting to delete or synchronize a deployment managed by ArgoCD, the following error occurs:
one or more objects failed to apply, reason: error when patching "/dev/shm/5898210957": admission webhook "validate.kyverno.svc-ignore" denied the request: resource Deployment/my-app-namespace/my-app was blocked due to the following policies verify-image:my-app-image: missing digest for my-image-registry.com/my-app-image:1.0.1010
Additional Information:
The issue may be related to how ArgoCD and Kyverno interact when managing application states, particularly when using image verification policies. It appears that Kyverno enforces image digest checks even when the intended action is a synchronization or deletion, leading to blocked operations.
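To make the blocked request concrete, the following is an added Python model of what the rule above decides for a Deployment: the `replicas` precondition, matching of container images against `imageReferences`, and the digest check that produces "missing digest for ...". It is not Kyverno's code; the Deployment manifest, its second container and the `sha256` digest value are constructed for the example. The parser also handles registry ports (`registry:5000/app`), which goes slightly beyond the single image in the report.

```python
"""Model of a Kyverno verifyImages digest check (added example, not Kyverno's code)."""
import copy
import fnmatch
import re

# Constructed Deployment modelled on the object named in the error message
# (Deployment my-app in my-app-namespace); the sidecar container is invented.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "my-app", "namespace": "my-app-namespace"},
    "spec": {
        "replicas": 2,
        "template": {"spec": {"containers": [
            {"name": "app", "image": "my-image-registry.com/my-app-image:1.0.1010"},
            {"name": "sidecar", "image": "docker.io/library/nginx:1.25"},
        ]}},
    },
}

# Rule settings copied from the ClusterPolicy in the report.
IMAGE_REFERENCES = ["my-image-registry.com/my-app-image*"]

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image(ref: str) -> dict:
    """Split an OCI reference "name[:tag][@digest]" into its parts.

    A ':' only denotes a tag when it appears after the last '/', so a
    registry port such as registry:5000/app is not mistaken for a tag.
    """
    name, _, digest = ref.partition("@")
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    tag = None
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    return {"name": name, "tag": tag, "digest": digest or None}


def evaluate(deployment: dict, image_references=IMAGE_REFERENCES) -> dict:
    """Apply the report's rule: precondition, image matching, digest presence."""
    replicas = deployment["spec"].get("replicas", 1)
    if not replicas > 0:  # preconditions: replicas GreaterThan 0, else rule is skipped
        return {"status": "skip", "violations": []}
    violations = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        ref = container["image"]
        # Only images matched by an imageReferences pattern are subject to the rule;
        # '*' matches any characters, including '/', as in fnmatch.
        if not any(fnmatch.fnmatchcase(ref, pat) for pat in image_references):
            continue
        digest = parse_image(ref)["digest"]
        if digest is None or not DIGEST_RE.match(digest):
            violations.append(f"missing digest for {ref}")
    return {"status": "fail" if violations else "pass", "violations": violations}


def with_image(deployment: dict, index: int, image: str) -> dict:
    """Return a copy of the Deployment with one container image replaced."""
    out = copy.deepcopy(deployment)
    out["spec"]["template"]["spec"]["containers"][index]["image"] = image
    return out


# Placeholder digest (constructed, not a real image digest).
PINNED_IMAGE = "my-image-registry.com/my-app-image:1.0.1010@sha256:" + "ab" * 32
PINNED_DEPLOYMENT = with_image(DEPLOYMENT, 0, PINNED_IMAGE)

if __name__ == "__main__":
    for label, dep in (("tag only", DEPLOYMENT), ("tag@digest", PINNED_DEPLOYMENT)):
        print(label, evaluate(dep))
```

Run as a script, the tag-only manifest yields the same "missing digest" verdict as the webhook response in the report, while the manifest whose matched image carries a digest passes; the unmatched `nginx` image is never examined, and a Deployment scaled to zero replicas skips the rule entirely because of the precondition.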
Kyverno logs:
2025-05-13T22:33:27Z TRC github.com/kyverno/kyverno/pkg/engine/handlers/validation/validate_image.go:110 > missing digest image=my-image-registry.com/my-app-image:1.0.1010 logger=engine.validate new.kind=Deployment new.name=my-app new.namespace=my-app-namespace policy.apply=All policy.name=verify-image policy.namespace= rule.name= verify-my-app v=2