[Bug] Unique host and path ingress policy is blocking updates #1163

Open
2 tasks done
Fauli opened this issue Sep 17, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@Fauli

Fauli commented Sep 17, 2024

Kyverno Version

1.12

Kubernetes Version

1.29

Kubernetes Platform

AKS

Description

I'm referring to #833

I'm using v1.12.3, and am still facing this issue. Not sure if it was ever resolved?
My policy is the standard one from the documentation:
https://kyverno.io/policies/other/unique-ingress-host-and-path/unique-ingress-host-and-path/

Upon editing an existing ingress, I face:

unique-ingress-host-and-path:
  check-host-path-combo: 'validation failure: The Ingress host and path combination
    must be unique across the cluster.'

Do you know if this has ever been fixed and tested?

Steps to reproduce

  1. Create ingress with any host & path combination
  2. Update the same ingress
  3. Save

Expected behavior

Save works, ingress is only colliding with itself, so should be fine.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@Fauli Fauli added the bug Something isn't working label Sep 17, 2024
@realshuting
Member

Hi @Fauli - we have Chainsaw tests covering this policy https://github.com/kyverno/policies/tree/main/other/unique-ingress-host-and-path/.chainsaw-test.

I tried locally using 1.12.5 and was not able to replicate the issue, I installed the policy, and created the following ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: goodingress01
spec:
  rules:
  - host: bar
    http:
      paths:
      - backend:
          service:
            name: demo-svc
            port:
              number: 8080
        path: /foo
        pathType: Prefix

And updated the path /foo to /bar, and it went through:

$ k edit ingress goodingress01
ingress.networking.k8s.io/goodingress01 edited

Please share detailed resource manifests so we can reproduce the issue.

@Fauli
Author

Fauli commented Sep 19, 2024

Hello @realshuting

Thanks for the quick reply!
Some further details: The update works when the path is changed, but not if i.e. the annotation is updated, but the path stays the same.

My exact steps for re-creation are:

  1. Create file /tmp/test.yaml with the content you provided.

  2. Run command: kubectl apply -f /tmp/test.yaml
    This produces: ingress.networking.k8s.io/goodingress01 created

  3. Edit the created ingress. Add any annotation, in my test, I'm adding "test": "ok" using kubectl edit ingress goodingress01
    This produces

error: ingresses.networking.k8s.io "goodingress01" could not be patched: admission webhook "validate.kyverno.svc-fail" denied the request:

resource Ingress/fauli/goodingress01 was blocked due to the following policies

unique-ingress-host-and-path:
  check-host-path-combo: 'validation failure: The Ingress host and path combination
    must be unique across the cluster.'

You can run `kubectl replace -f /tmp/kubectl-edit-3492521222.yaml` to try this update again.

For the last step, you can also just use this command and get the same result:
kubectl annotate ingress goodingress01 test=ok

Let me know if you have any further questions regarding the recreation steps.

@realshuting
Member

Still not able to reproduce it -

  1. With the policy installed:
✗ k get cpol                               
NAME                           ADMISSION   BACKGROUND   VALIDATE ACTION   READY   AGE     MESSAGE
unique-ingress-host-and-path   true        false        Audit             True    2m33s   Ready
  2. I can add the annotation to the ingress:
✗ k annotate ingress goodingress01 test=ok
ingress.networking.k8s.io/goodingress01 annotated

I'm running 1.12.5.

@Fauli
Author

Fauli commented Sep 23, 2024

Hello @realshuting
I see you have the policy as Audit, not Enforced, then the update will not be blocked anyways.
Nevertheless, I'm updating the chart on my end and will test it again 👍

@Fauli
Author

Fauli commented Sep 23, 2024

Hello @realshuting

I updated to /kyverno/kyverno:v1.12.5 and ran the tests again:

 $ k annotate ingress goodingress01 test=ok
Error from server: admission webhook "validate.kyverno.svc-fail" denied the request:

resource Ingress/fauli/goodingress01 was blocked due to the following policies

unique-ingress-host-and-path:
  check-host-path-combo: 'validation failure: The Ingress host and path combination
    must be unique across the cluster.'

Still facing the same issue. I guess your test works because you only run the policy in audit, and not enforce to actually prevent the creation of a second ingress with an already existing combination of host and path?
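The behaviour reported in this thread, modelled as an added example (not Kyverno's engine or the policy's actual rule; the `exclude_self` flag, the data model and the sample objects are assumptions made for illustration). It shows why an annotation-only update is denied when the stored copy of the same Ingress is counted as a collision, why a path change still passes, and why the same request is never blocked under Audit.

```python
# Illustrative model only: not Kyverno's engine or the policy's real rule logic.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ingress:
    namespace: str
    name: str
    rules: tuple            # ((host, path), ...)
    annotations: tuple = ()

def collisions(incoming, cluster, exclude_self):
    """Return stored ingresses that share a host/path pair with `incoming`."""
    wanted = set(incoming.rules)
    hits = []
    for existing in cluster:
        same = (existing.namespace, existing.name) == (incoming.namespace, incoming.name)
        if exclude_self and same:
            continue  # an UPDATE must not be compared with its own stored copy
        if wanted & set(existing.rules):
            hits.append(existing)
    return hits

def admit(incoming, cluster, action, exclude_self):
    """Return (allowed, violation). Audit records a violation but never blocks."""
    violation = bool(collisions(incoming, cluster, exclude_self))
    return (not violation or action == "Audit"), violation

# Constructed sample objects mirroring the thread's goodingress01 manifest.
STORED = Ingress("fauli", "goodingress01", (("bar", "/foo"),))
ANNOTATED = Ingress("fauli", "goodingress01", (("bar", "/foo"),), (("test", "ok"),))
PATH_CHANGED = Ingress("fauli", "goodingress01", (("bar", "/bar"),))
DUPLICATE = Ingress("other", "copycat", (("bar", "/foo"),))

def scenarios():
    cluster = [STORED]
    return {
        "annotate/Enforce/self counted": admit(ANNOTATED, cluster, "Enforce", False),
        "path change/Enforce/self counted": admit(PATH_CHANGED, cluster, "Enforce", False),
        "annotate/Audit/self counted": admit(ANNOTATED, cluster, "Audit", False),
        "annotate/Enforce/self excluded": admit(ANNOTATED, cluster, "Enforce", True),
        "duplicate/Enforce/self excluded": admit(DUPLICATE, cluster, "Enforce", True),
    }

if __name__ == "__main__":
    for case, (allowed, violation) in scenarios().items():
        print(f"{case}: allowed={allowed} violation={violation}")
```

When reproducing a report like this one, confirm that the policy's validation failure action is Enforce before concluding that the update is accepted.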

@realshuting
Member

Nice catch @Fauli - let me try it again.

@realshuting
Member

realshuting commented Sep 25, 2024

I can confirm the issue exists in 1.12.5 but not 1.13.0-beta.1:

$ k get cpol                                        
NAME                           ADMISSION   BACKGROUND   READY   AGE     MESSAGE
unique-ingress-host-and-path   true        false        True    2m32s   Ready

$ k get cpol -o yaml | grep validationFailureAction:
    validationFailureAction: Enforce

$ k annotate ingress goodingress01 foo=bar                                 
ingress.networking.k8s.io/goodingress01 annotated

You can expect the fix in 1.13.0 GA release.

@Fauli
Author

Fauli commented Sep 30, 2024

Hello @realshuting

Thanks for the update!
Do you, by any chance, know when 1.13 is planned for release?

@realshuting
Member

> Hello @realshuting
>
> Thanks for the update! Do you, by any chance, know when 1.13 is planned for release?

We are on 1.13.0-rc.1 and trying to get kyverno/kyverno#3837 in. We will cut rc.2 once it's completed and hopefully GA comes after that.

@realshuting realshuting modified the milestone: 1.13 Sep 30, 2024