[Bug] Creation of CleanupPolicy to delete specific Secret fails due to admission webhook RBAC error #10198

Open
steadyk opened this issue May 7, 2024 · 0 comments · May be fixed by #10221
Assignees
Labels
bug Something isn't working cleanup Clean-up controller functionality in 1.9+.

Comments

@steadyk

steadyk commented May 7, 2024

Kyverno Version

1.11.4

Kubernetes Version

1.28.x

Kubernetes Platform

KinD

Kyverno Rule Type

Cleanup

Description

We tried to add the following CleanupPolicy to delete a certain Secret periodically:

apiVersion: kyverno.io/v2beta1
kind: CleanupPolicy
metadata:
  name: test-secret-removal
spec:
  match:
    any:
    - resources:
        kinds:
        - Secret
        names:
        - test-secret
  schedule: "*/10 * * * *"

For this we added the following additional RBAC rules for the cleanup controller to the Helm chart values:

cleanupController:
  rbac:
    clusterRole:
      extraResources:
      - apiGroups:
        - ''
        resources:
        - secrets
        verbs:
        - get
        - list
      - apiGroups:
        - ''
        resources:
        - secrets
        resourceNames:
        - test-secret
        verbs:
        - get
        - list
        - delete

The attempted creation of the new CleanupPolicy results in an error from the admission webhook:

admission webhook "kyverno-cleanup-controller.kyverno.svc" denied the request: cleanup controller has no permission to delete kind Secret

We were only able to create the CleanupPolicy after giving the cleanup controller permissions for delete on every Secret.

Note that we added get and list verbs to both rules, though this might not be necessary.

We are also unsure whether there might be a discrepancy between the admission webhook validation and the actual requested permissions for the cleanup controller.

Steps to reproduce

  1. Add RBAC rules to cleanup controller as described above
  2. Try to apply CleanupPolicy as described above

Expected behavior

CleanupPolicy is successfully applied and is able to delete the given Secret specified by resource name.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
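Added example (not code from the issue or from the Kyverno project): a minimal model of Kubernetes RBAC rule matching, showing how the two extraResources rules above satisfy a delete request that names test-secret but not a kind-level "delete secrets" request carrying no resource name. That the webhook performs such a name-less check is an assumption consistent with the error message, not something the issue confirms.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    # One PolicyRule from a ClusterRole: apiGroups, resources, verbs, resourceNames.
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


def _matches(allowed, value):
    # "*" in apiGroups, resources or verbs is a wildcard in RBAC.
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name=""):
    """Core RBAC check: a rule that lists resourceNames only matches a request
    that carries one of those names, so a name-less request never matches it."""
    if not _matches(rule.verbs, verb):
        return False
    if not _matches(rule.api_groups, api_group):
        return False
    if not _matches(rule.resources, resource):
        return False
    if rule.resource_names and name not in rule.resource_names:
        return False
    return True


def allowed(rules, verb, api_group, resource, name=""):
    # A request is allowed if any bound rule allows it.
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


# The two extraResources rules from the issue, as bound to the cleanup controller.
ISSUE_RULES = [
    Rule([""], ["secrets"], ["get", "list"]),
    Rule([""], ["secrets"], ["get", "list", "delete"], ["test-secret"]),
]


def webhook_kind_level_check(rules):
    # Assumption: the webhook asks "can the controller delete secrets?" with no name.
    return allowed(rules, "delete", "", "secrets")


def named_delete_check(rules, name):
    # What the controller needs at cleanup time: deleting this one named Secret.
    return allowed(rules, "delete", "", "secrets", name)
```

With the issue's rules, the kind-level check returns False while the named check for test-secret returns True; only a rule without resourceNames (delete on every Secret) makes both return True, which matches what the reporter observed.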
@steadyk steadyk added bug Something isn't working triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels May 7, 2024
@MariamFahmy98 MariamFahmy98 self-assigned this May 8, 2024
@MariamFahmy98 MariamFahmy98 added cleanup Clean-up controller functionality in 1.9+. and removed triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels May 8, 2024
@MariamFahmy98 MariamFahmy98 linked a pull request May 10, 2024 that will close this issue
@MariamFahmy98 MariamFahmy98 added this to the Kyverno Release 1.12.2 milestone May 10, 2024