[Bug] Unable to remove nonexistent key (regression at 1.12.0) #10199

michelesr opened this issue May 7, 2024 · 4 comments · Fixed by #10252
Labels
bug Something isn't working regression Issues (bugs) which are regressions from an earlier release. release-critical Critical issues which MUST be addressed in the specified milestone. These cannot get bumped.


michelesr commented May 7, 2024

Kyverno Version

1.12.0

Kubernetes Version

1.29.x

Kubernetes Platform

EKS

Kyverno Rule Type

Mutate

Description

When deploying a pod with 2 cluster policies that should mutate it, sometimes the creation request fails. I can reproduce both on EKS 1.29 and k3s (version v1.29.2+k3s1).

$ while kubectl apply -f pod.yaml; do kubectl delete -f pod.yaml; done
Error from server (InternalError): error when creating "pod.yaml": Internal error occurred: error in remove for path: '/spec/containers/1/securityContext/privileged': Unable to remove nonexistent key: privileged: missing value

The error is sporadic, and different fields are reported missing when the error is triggered multiple times.

YAML files cannot be uploaded directly and the policies are quite long, so here's an archive with the resource manifests:

resources.tar.gz

Steps to reproduce

  1. Deploy the provided policy manifest
  2. Deploy the provided pod manifest
  3. Observe the error (if it doesn't reproduce, delete the pod and retry)

Expected behavior

The pod is deployed correctly, just like in previous kyverno versions.

Screenshots

No response

Kyverno logs

2024-05-07T14:45:52Z    INFO    webhooks.resource.mutate        mutation/mutation.go:113        mutation rules from policy applied successfully {"gvk": "/v1, Kind=Pod", "gvr": {"group":"","version":"v1","resource":"pods"}, "namespace": "default", "name": "foo", "operation": "CREATE", "uid": "5ab1fa77-7bd9-4d0e-9797-a54063d4a93b", "user": {"username":"system:admin","groups":["system:masters","system:authenticated"]}, "roles": [], "clusterroles": ["cluster-admin", "system:basic-user", "system:discovery", "system:public-info-viewer"], "resource.gvk": "/v1, Kind=Pod", "kind": "Pod", "URLParams": "", "policy": "enforce-docker-hub-ecr-proxy", "rules": ["prepend-container-image-registry", "prepend-library-prefix"]}
2024-05-07T14:45:52Z    ERROR   webhooks.resource.mutate        resource/utils.go:40    failed to patch resource:       {"gvk": "/v1, Kind=Pod", "gvr": {"group":"","version":"v1","resource":"pods"}, "namespace": "default", "name": "foo", "operation": "CREATE", "uid": "5ab1fa77-7bd9-4d0e-9797-a54063d4a93b", "user": {"username":"system:admin","groups":["system:masters","system:authenticated"]}, "roles": [], "clusterroles": ["cluster-admin", "system:basic-user", "system:discovery", "system:public-info-viewer"], "resource.gvk": "/v1, Kind=Pod", "kind": "Pod", "URLParams": "", "patch": "[{\"op\":\"add\",\"path\":\"/spec/containers/0/securityContext\",\"value\":{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":false,\"runAsGroup\":1000,\"runAsNonRoot\":true,\"runAsUser\":1000}}, {\"op\":\"replace\",\"path\":\"/spec/containers/0/image\",\"value\":\"nginxinc/nginx-unprivileged:latest\"}, {\"op\":\"replace\",\"path\":\"/spec/containers/0/imagePullPolicy\",\"value\":\"IfNotPresent\"}, {\"op\":\"replace\",\"path\":\"/spec/containers/0/name\",\"value\":\"nginx\"}, {\"op\":\"replace\",\"path\":\"/spec/containers/1/image\",\"value\":\"foo\"}, {\"op\":\"replace\",\"path\":\"/spec/containers/1/imagePullPolicy\",\"value\":\"Always\"}, {\"op\":\"replace\",\"path\":\"/spec/containers/1/name\",\"value\":\"php\"}, {\"op\":\"add\",\"path\":\"/spec/containers/1/securityContext/capabilities\",\"value\":{\"drop\":[\"ALL\"]}}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/privileged\"}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/readOnlyRootFilesystem\"}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/runAsGroup\"}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/runAsNonRoot\"}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/runAsUser\"}, 
{\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/allowPrivilegeEscalation\"}, {\"op\":\"add\",\"path\":\"/spec/securityContext/runAsNonRoot\",\"value\":true}, {\"op\":\"add\",\"path\":\"/spec/securityContext/seccompProfile\",\"value\":{\"type\":\"RuntimeDefault\"}}, {\"op\":\"replace\",\"path\":\"/spec/containers/0/image\",\"value\":\"xxxxxxxxxxxx.dkr.ecr.eu-west-1.amazonaws.com/docker-hub/nginxinc/nginx-unprivileged:latest\"}, {\"op\":\"replace\",\"path\":\"/spec/containers/0/imagePullPolicy\",\"value\":\"IfNotPresent\"}, {\"op\":\"replace\",\"path\":\"/spec/containers/0/name\",\"value\":\"nginx\"}, {\"op\":\"add\",\"path\":\"/spec/containers/0/securityContext/runAsUser\",\"value\":1000}, {\"op\":\"add\",\"path\":\"/spec/containers/0/securityContext/allowPrivilegeEscalation\",\"value\":false}, {\"op\":\"add\",\"path\":\"/spec/containers/0/securityContext/privileged\",\"value\":false}, {\"op\":\"add\",\"path\":\"/spec/containers/0/securityContext/readOnlyRootFilesystem\",\"value\":false}, {\"op\":\"add\",\"path\":\"/spec/containers/0/securityContext/runAsGroup\",\"value\":1000}, {\"op\":\"add\",\"path\":\"/spec/containers/0/securityContext/runAsNonRoot\",\"value\":true}, {\"op\":\"replace\",\"path\":\"/spec/containers/1/image\",\"value\":\"xxxxxxxxxxxx.dkr.ecr.eu-west-1.amazonaws.com/docker-hub/library/foo:latest\"}, {\"op\":\"replace\",\"path\":\"/spec/containers/1/imagePullPolicy\",\"value\":\"Always\"}, {\"op\":\"replace\",\"path\":\"/spec/containers/1/name\",\"value\":\"php\"}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/runAsNonRoot\"}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/runAsUser\"}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/allowPrivilegeEscalation\"}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/privileged\"}, {\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/readOnlyRootFilesystem\"}, 
{\"op\":\"remove\",\"path\":\"/spec/containers/1/securityContext/runAsGroup\"}]", "resource": "{\"kind\":\"Pod\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"foo\",\"namespace\":\"default\",\"creationTimestamp\":null,\"annotations\":{\"kubectl.kubernetes.io/last-applied-configuration\":\"{\\\"apiVersion\\\":\\\"v1\\\",\\\"kind\\\":\\\"Pod\\\",\\\"metadata\\\":{\\\"annotations\\\":{},\\\"name\\\":\\\"foo\\\",\\\"namespace\\\":\\\"default\\\"},\\\"spec\\\":{\\\"containers\\\":[{\\\"image\\\":\\\"foo\\\",\\\"name\\\":\\\"php\\\"},{\\\"image\\\":\\\"nginxinc/nginx-unprivileged:latest\\\",\\\"imagePullPolicy\\\":\\\"IfNotPresent\\\",\\\"name\\\":\\\"nginx\\\",\\\"securityContext\\\":{\\\"allowPrivilegeEscalation\\\":false,\\\"privileged\\\":false,\\\"readOnlyRootFilesystem\\\":false,\\\"runAsGroup\\\":1000,\\\"runAsNonRoot\\\":true,\\\"runAsUser\\\":1000}}]}}\\n\"},\"managedFields\":[{\"manager\":\"kubectl-client-side-apply\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2024-05-07T14:45:52Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}}},\"f:spec\":{\"f:containers\":{\"k:{\\\"name\\\":\\\"nginx\\\"}\":{\".\":{},\"f:image\":{},\"f:imagePullPolicy\":{},\"f:name\":{},\"f:resources\":{},\"f:securityContext\":{\".\":{},\"f:allowPrivilegeEscalation\":{},\"f:privileged\":{},\"f:readOnlyRootFilesystem\":{},\"f:runAsGroup\":{},\"f:runAsNonRoot\":{},\"f:runAsUser\":{}},\"f:terminationMessagePath\":{},\"f:terminationMessagePolicy\":{}},\"k:{\\\"name\\\":\\\"php\\\"}\":{\".\":{},\"f:image\":{},\"f:imagePullPolicy\":{},\"f:name\":{},\"f:resources\":{},\"f:terminationMessagePath\":{},\"f:terminationMessagePolicy\":{}}},\"f:dnsPolicy\":{},\"f:enableServiceLinks\":{},\"f:restartPolicy\":{},\"f:schedulerName\":{},\"f:securityContext\":{},\"f:terminationGracePeriodSeconds\":{}}}}]},\"spec\":{\"volumes\":[{\"name\":\"kube-api-access-5mxbv\",\"projected\":{\"sources\":[{\"servi
ceAccountToken\":{\"expirationSeconds\":3607,\"path\":\"token\"}},{\"configMap\":{\"name\":\"kube-root-ca.crt\",\"items\":[{\"key\":\"ca.crt\",\"path\":\"ca.crt\"}]}},{\"downwardAPI\":{\"items\":[{\"path\":\"namespace\",\"fieldRef\":{\"apiVersion\":\"v1\",\"fieldPath\":\"metadata.namespace\"}}]}}],\"defaultMode\":420}}],\"containers\":[{\"name\":\"php\",\"image\":\"foo\",\"resources\":{},\"volumeMounts\":[{\"name\":\"kube-api-access-5mxbv\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\"},{\"name\":\"nginx\",\"image\":\"nginxinc/nginx-unprivileged:latest\",\"resources\":{},\"volumeMounts\":[{\"name\":\"kube-api-access-5mxbv\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"IfNotPresent\",\"securityContext\":{\"privileged\":false,\"runAsUser\":1000,\"runAsGroup\":1000,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":false,\"allowPrivilegeEscalation\":false}}],\"restartPolicy\":\"Always\",\"terminationGracePeriodSeconds\":30,\"dnsPolicy\":\"ClusterFirst\",\"serviceAccountName\":\"default\",\"serviceAccount\":\"default\",\"securityContext\":{},\"schedulerName\":\"default-scheduler\",\"tolerations\":[{\"key\":\"node.kubernetes.io/not-ready\",\"operator\":\"Exists\",\"effect\":\"NoExecute\",\"tolerationSeconds\":300},{\"key\":\"node.kubernetes.io/unreachable\",\"operator\":\"Exists\",\"effect\":\"NoExecute\",\"tolerationSeconds\":300}],\"priority\":0,\"enableServiceLinks\":true,\"preemptionPolicy\":\"PreemptLowerPriority\"},\"status\":{}}", "error": "error in remove for path: '/spec/containers/1/securityContext/runAsNonRoot': unable to remove nonexistent key: runAsNonRoot: missing value", "errorVerbose": "missing 
value\ngithub.com/evanphx/json-patch/v5.init\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/merge.go:106\nruntime.doInit1\n\truntime/proc.go:6735\nruntime.doInit\n\truntime/proc.go:6702\nruntime.main\n\truntime/proc.go:249\nruntime.goexit\n\truntime/asm_arm64.s:1197\nunable to remove nonexistent key: runAsNonRoot\ngithub.com/evanphx/json-patch/v5.(*partialDoc).remove\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/patch.go:628\ngithub.com/evanphx/json-patch/v5.Patch.remove\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/patch.go:969\ngithub.com/evanphx/json-patch/v5.Patch.ApplyIndentWithOptions\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/patch.go:1260\ngithub.com/evanphx/json-patch/v5.Patch.ApplyWithOptions\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/patch.go:1210\ngithub.com/evanphx/json-patch/v5.Patch.Apply\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/patch.go:1204\ngithub.com/kyverno/kyverno/pkg/engine/utils.ApplyPatchNew\n\tgithub.com/kyverno/kyverno/pkg/engine/utils/utils.go:70\ngithub.com/kyverno/kyverno/pkg/webhooks/resource.processResourceWithPatches\n\tgithub.com/kyverno/kyverno/pkg/webhooks/resource/utils.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks/resource.patchRequest\n\tgithub.com/kyverno/kyverno/pkg/webhooks/resource/utils.go:29\ngithub.com/kyverno/kyverno/pkg/webhooks/resource.(*resourceHandlers).Mutate\n\tgithub.com/kyverno/kyverno/pkg/webhooks/resource/handlers.go:178\ngithub.com/kyverno/kyverno/pkg/webhooks.registerWebhookHandlers.func3\n\tgithub.com/kyverno/kyverno/pkg/webhooks/server.go:293\ngithub.com/kyverno/kyverno/pkg/webhooks.registerWebhookHandlers.FromAdmissionFunc.AdmissionHandler.WithTrace.func6.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.registerWebhookHandlers.FromAdmissionFunc.AdmissionHandler.WithTrace.func6\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/k
yverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithFilter.AdmissionHandler.withFilter.func1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/filter.go:48\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithFilter.AdmissionHandler.WithTrace.func2.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithFilter.AdmissionHandler.WithTrace.func2\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithTopLevelGVK.AdmissionHandler.withTopLevelGVK.func7\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/enrich.go:61\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithTopLevelGVK.AdmissionHandler.WithTrace.func8.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithTopLevelGVK.AdmissionHandler.WithTrace.func8\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithRoles.AdmissionHandler.withRoles.func9\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/enrich.go:44\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithRoles.AdmissionHandler.WithTrace.func10.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithRoles.AdmissionHandler.WithTrace.func10\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/kyverno/kyverno/pkg/w
ebhooks/handlers.AdmissionHandler.withOperationFilter.func1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/filter.go:59\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithOperationFilter.AdmissionHandler.WithTrace.func11.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithOperationFilter.AdmissionHandler.WithTrace.func11\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks/handlers.AdmissionHandler.withMetrics.func1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/metrics.go:39\ngithub.com/kyverno/kyverno/pkg/webhooks/handlers.AdmissionHandler.WithMetrics.AdmissionHandler.WithTrace.func1.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\nerror in remove for path: 
'/spec/containers/1/securityContext/runAsNonRoot'\ngithub.com/evanphx/json-patch/v5.Patch.remove\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/patch.go:971\ngithub.com/evanphx/json-patch/v5.Patch.ApplyIndentWithOptions\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/patch.go:1260\ngithub.com/evanphx/json-patch/v5.Patch.ApplyWithOptions\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/patch.go:1210\ngithub.com/evanphx/json-patch/v5.Patch.Apply\n\tgithub.com/evanphx/json-patch/v5@v5.9.0/patch.go:1204\ngithub.com/kyverno/kyverno/pkg/engine/utils.ApplyPatchNew\n\tgithub.com/kyverno/kyverno/pkg/engine/utils/utils.go:70\ngithub.com/kyverno/kyverno/pkg/webhooks/resource.processResourceWithPatches\n\tgithub.com/kyverno/kyverno/pkg/webhooks/resource/utils.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks/resource.patchRequest\n\tgithub.com/kyverno/kyverno/pkg/webhooks/resource/utils.go:29\ngithub.com/kyverno/kyverno/pkg/webhooks/resource.(*resourceHandlers).Mutate\n\tgithub.com/kyverno/kyverno/pkg/webhooks/resource/handlers.go:178\ngithub.com/kyverno/kyverno/pkg/webhooks.registerWebhookHandlers.func3\n\tgithub.com/kyverno/kyverno/pkg/webhooks/server.go:293\ngithub.com/kyverno/kyverno/pkg/webhooks.registerWebhookHandlers.FromAdmissionFunc.AdmissionHandler.WithTrace.func6.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.registerWebhookHandlers.FromAdmissionFunc.AdmissionHandler.WithTrace.func6\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithFilter.AdmissionHandler.withFilter.func1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/filter.go:48\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithFilter.AdmissionHandler.WithTrace.func2.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyver
no/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithFilter.AdmissionHandler.WithTrace.func2\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithTopLevelGVK.AdmissionHandler.withTopLevelGVK.func7\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/enrich.go:61\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithTopLevelGVK.AdmissionHandler.WithTrace.func8.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithTopLevelGVK.AdmissionHandler.WithTrace.func8\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithRoles.AdmissionHandler.withRoles.func9\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/enrich.go:44\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithRoles.AdmissionHandler.WithTrace.func10.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithRoles.AdmissionHandler.WithTrace.func10\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks/handlers.AdmissionHandler.withOperationFilter.func1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/filter.go:59\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithOperationFilter.AdmissionHandler.WithTrace.func11.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\
tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks.NewServer.func1.AdmissionHandler.WithOperationFilter.AdmissionHandler.WithTrace.func11\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38\ngithub.com/kyverno/kyverno/pkg/webhooks/handlers.AdmissionHandler.withMetrics.func1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/metrics.go:39\ngithub.com/kyverno/kyverno/pkg/webhooks/handlers.AdmissionHandler.WithMetrics.AdmissionHandler.WithTrace.func1.1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:43\ngithub.com/kyverno/kyverno/pkg/tracing.Span1[...]\n\tgithub.com/kyverno/kyverno/pkg/tracing/span.go:43\ngithub.com/kyverno/kyverno/pkg/webhooks/handlers.AdmissionHandler.WithMetrics.AdmissionHandler.WithTrace.func1\n\tgithub.com/kyverno/kyverno/pkg/webhooks/handlers/trace.go:38"}

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
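
Why a repeated `remove` aborts the whole patch, as an added example that is not code from Kyverno or json-patch: a stdlib-only Go sketch of in-order JSON Patch application, where RFC 6902 requires the target of `remove` to exist. `ApplyPatch`, `parentOf` and the reduced sample document and patch are constructed for illustration; the paths and their order are taken from the logged patch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: a reduced form of the pod and patch in the logged request.
const sampleDoc = `{"spec":{"containers":[{"name":"php"},
  {"name":"nginx","securityContext":{"privileged":false,"runAsNonRoot":true}}]}}`

// Both paths are removed twice, in the order the logged patch lists them.
const samplePatch = `[
  {"op":"remove","path":"/spec/containers/1/securityContext/privileged"},
  {"op":"remove","path":"/spec/containers/1/securityContext/runAsNonRoot"},
  {"op":"remove","path":"/spec/containers/1/securityContext/runAsNonRoot"},
  {"op":"remove","path":"/spec/containers/1/securityContext/privileged"}]`

type operation struct {
	Op, Path string
	Value    interface{}
}

// parentOf walks doc to the object holding the last path token (nil if absent).
// Simplification: no "~0"/"~1" unescaping; the target must be an object member.
func parentOf(doc interface{}, path string) (map[string]interface{}, string) {
	toks := strings.Split(strings.TrimPrefix(path, "/"), "/")
	cur := doc
	for _, t := range toks[:len(toks)-1] {
		var next interface{}
		if n, ok := cur.(map[string]interface{}); ok {
			next = n[t]
		} else if n, ok := cur.([]interface{}); ok {
			if i, err := strconv.Atoi(t); err == nil && i >= 0 && i < len(n) {
				next = n[i]
			}
		}
		cur = next
	}
	m, _ := cur.(map[string]interface{})
	return m, toks[len(toks)-1]
}

// ApplyPatch returns the index of the first operation that fails, or -1.
func ApplyPatch(docJSON, patchJSON string) (int, error) {
	var doc interface{}
	var ops []operation
	if err := json.Unmarshal([]byte(docJSON), &doc); err != nil {
		return -1, err
	}
	if err := json.Unmarshal([]byte(patchJSON), &ops); err != nil {
		return -1, err
	}
	for i, o := range ops {
		m, key := parentOf(doc, o.Path)
		_, exists := m[key]
		switch {
		case m != nil && (o.Op == "add" || (o.Op == "replace" && exists)):
			m[key] = o.Value
		case o.Op == "remove" && exists:
			delete(m, key)
		default: // RFC 6902: the target of remove and replace must exist
			return i, fmt.Errorf("error in %s for path '%s': nonexistent key: %s", o.Op, o.Path, key)
		}
	}
	return -1, nil
}

func main() { fmt.Println(ApplyPatch(sampleDoc, samplePatch)) }
```

The first two operations succeed and the third fails on `runAsNonRoot`, the same key the logged error names.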

welcome bot commented May 7, 2024

Thanks for opening your first issue here! Be sure to follow the issue template!

@michelesr
Author

The regression is caused by 46f02a8, according to git bisect. I tried to revert the commit (fixing conflicts to the best of my knowledge just to get it to run) and the error can't be reproduced anymore.

@chipzoller
Member

cc @JimBugwadia

@realshuting
Member

I'm able to reproduce the issue with the following two policies. Interesting that the issue didn't occur when I combined two rules into one policy:

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-security-context
spec:
  background: false
  rules:
  - name: add-containers-security-context
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: '{{ request.operation || "" }}'
        operator: Equals
        value: CREATE
    mutate:
      foreach:
        - list: request.object.spec.containers
          patchStrategicMerge:
            spec:
              containers:
                - name: '{{ element.name }}' 
                  securityContext:
                    +(allowPrivilegeEscalation): false
                    +(capabilities):
                      drop: ['ALL']
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-image
spec:
  background: false
  rules:
  - name: mutate-image
    match: 
      any:
      - resources:
          kinds:
            - Pod
    preconditions: 
      all:
      - key: '{{ request.operation || "" }}'
        operator: Equals
        value: CREATE
    mutate:
      foreach:
        - list: request.object.spec.containers
          patchStrategicMerge:
            spec:
              containers:
                - name: '{{ element.name }}' 
                  image: abc/efg:latest
