Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Policy doesn't work when match.resources.kinds is set to Policy/ClusterPolicy #2149

Closed
abdulhaseeb2 opened this issue Jul 15, 2021 · 1 comment · Fixed by #2275
Closed

Policy doesn't work when match.resources.kinds is set to Policy/ClusterPolicy #2149

abdulhaseeb2 opened this issue Jul 15, 2021 · 1 comment · Fixed by #2275
Assignees
@vyankyGH
Labels
bug Something isn't working end user This label is used to track the issue that is raised by the end user.
Milestone
Kyverno Release 1...

Comments

@abdulhaseeb2
Copy link

abdulhaseeb2 commented Jul 15, 2021
edited
Loading

Software version numbers

  • Controller-gen version v0.4.0
  • Kubernetes v1.20.2
  • Kyverno version: v1.4.0 or code against main branch

Describe the bug
If we try to create a ClusterPolicy with match.resource.kinds value set to either Policy/ClusterPolicy, the policy does not work. But if we update kinds from Policy/ClusterPolicy to for example Pod the policy will start working.

To Reproduce
Steps to reproduce the behavior:

  1. Apply the following ClusterPolicy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-unauthorized-access
  annotations:
    policies.kyverno.io/title: Deny Unauthorized Access
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: high
    policies.kyverno.io/subject: kyverno.io/v1/Policy
    policies.kyverno.io/description: >-
      Deny CREATE/UPDATE/DELETE action for Kyverno.io.Policy
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: deny-kyverno-policy
    match:
      resources:
        kinds:
          - kyverno.io/v1/Policy
    validate:
      message: "Unauthorized. Access denied to resource"
      deny:
        conditions:
        - key: "{{request.operation}}"
          operator: In
          value:
          - CREATE
          - DELETE
          - UPDATE
  1. Apply the following Policy to test ClusterPolicy: deny-unauthorized-access
apiVersion: kyverno.io/v1
kind: Policy
metadata:
 name: disallow-latest-tag
 namespace: test-namespace
 annotations:
   policies.kyverno.io/title: Deny Pods with latest tag
   policies.kyverno.io/category: Best Practices
   policies.kyverno.io/severity: high
   policies.kyverno.io/subject: Pod
   policies.kyverno.io/description: >-
     Deny Creation of Pods with latest image tag
spec:
 validationFailureAction: audit
 rules:
 - name: validate-image-tag
   match:
     resources:
       kinds:
       - Pod
   validate:
     message: "Using a mutable image tag e.g. 'latest' is not allowed."
     pattern:
       spec:
         containers:
         - image: "!*:latest"
  1. Policy: disallow-latest-tag would be successfully created

Expected behavior
ClusterPolicy should have rejected the API request to create Policy
@abdulhaseeb2 abdulhaseeb2 added the bug Something isn't working label Jul 15, 2021
@vyankyGH vyankyGH self-assigned this Jul 16, 2021
@vyankyGH
Copy link
Contributor

@abdulhaseeb2 Thanks for creating issue. Will check on it.

@realshuting realshuting added the end user This label is used to track the issue that is raised by the end user. label Aug 4, 2021
@vyankyGH vyankyGH mentioned this issue Aug 20, 2021
Merged
4 tasks
@realshuting realshuting added this to the Kyverno Release 1.5.0 milestone Aug 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vyankyGH vyankyGH

Labels
bug Something isn't working end user This label is used to track the issue that is raised by the end user.
Projects
None yet
Milestone
Kyverno Release 1.4.3
Development

Successfully merging a pull request may close this issue.

Validation for generate loops and support ClusterPolicy/Policy in match block vyankyGH/kyverno
3 participants
@vyankyGH @realshuting @abdulhaseeb2