This issue was actually caught in the latest 1.11.5 of 1.11. group (I haven't tried 1.11.4). And I verified it works in 1.12.0. Hence it appears it was fixed in 1.12. Due to other issues on 1.12, I have to use a version from 1.11.. It would be nice to backport the fix to 1.11 latest.
Here are 2 policies. Their match blocks are exclusive with the given resources.
1) policy1.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: abc
spec:
background: false
rules:
- name: abcrule
match:
all:
- resources:
kinds:
- VirtualService
operations:
- UPDATE
selector:
matchLabels:
hello: notExists. # no resources have this label
mutate:
patchStrategicMerge:
metadata:
labels:
newlabel: here
Since no resources have the "hello: notExists", this rule won't be applied to the given resources.
2) policy2.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-test3
namespace: default
spec:
background: false
rules:
- name: rule1
match:
all:
- resources:
kinds:
- VirtualService
operations:
- UPDATE
- CREATE
preconditions:
all:
- key: "{{ request.object.metadata.name }}"
operator: Equals
value: trigger
mutate:
targets:
- apiVersion: networking.istio.io/v1beta1
kind: VirtualService
name: target
foreach:
- list: request.object.spec.http[]. # per route rule of the trigger resource
patchesJson6902: |-
- op: add # mutate the target virtual service by adding rules from the trigger resource
path: '/spec/http/{{elementIndex}}'
value: {{ element }}
This policy mutates an existing virtual service upon a triggering virtual service. Per route rule of the trigger resource, it mutates the target virtual service by adding rules from the trigger resource.
The same rules were copied twice. In 1.12.0, it worked and copied only once.
In 1.11.5, If I delete the policy1 and repeat the same scenario, it works. Hence it appears somehow policy1 affected policy2 rule execution in 1.11.5. BTW this happens when policy1 has mutation rule. If policy1 has a validate or generate rule, it works as expected in 1.11.5.
Kyverno Version
1.11.4
Description
This issue was actually caught in the latest 1.11.5 of 1.11. group (I haven't tried 1.11.4). And I verified it works in 1.12.0. Hence it appears it was fixed in 1.12. Due to other issues on 1.12, I have to use a version from 1.11.. It would be nice to backport the fix to 1.11 latest.
Here are 2 policies. Their match blocks are exclusive with the given resources. 1) policy1.yaml
Since no resources have the "hello: notExists", this rule won't be applied to the given resources.
2) policy2.yaml
This policy mutates an existing virtual service upon a triggering virtual service. Per route rule of the trigger resource, it mutates the target virtual service by adding rules from the trigger resource.
3) target.yaml
4) trigger.yaml
Steps to Reproduce:
I expected this output:
But I got this:
The same rules were copied twice. In 1.12.0, it worked and copied only once.
In 1.11.5, If I delete the policy1 and repeat the same scenario, it works. Hence it appears somehow policy1 affected policy2 rule execution in 1.11.5. BTW this happens when policy1 has mutation rule. If policy1 has a validate or generate rule, it works as expected in 1.11.5.
Slack discussion
No response
Troubleshooting