cel policy blocks deletion of resources [Bug]

[anushkamittal2001]

Kyverno Version

1.12.5

Kubernetes Version

1.27.x

Kubernetes Platform

KinD

Kyverno Rule Type

Validate

Description

After applying cel policy in enforce mode, a good resource gets accepted, a bad resource gets blocked. But when I try to delete the good resource. it get blocked.

Steps to reproduce

1. policy

   apiVersion: kyverno.io/v1
   kind: ClusterPolicy
   metadata:
   name: restrict-binding-system-groups
   annotations:
   policies.kyverno.io/title: Restrict Binding System Groups in CEL expressions
   policies.kyverno.io/category: RBAC Best Practices in CEL 
   policies.kyverno.io/severity: medium
   policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
   policies.kyverno.io/minversion: 1.11.0
   kyverno.io/kubernetes-version: "1.26"
   policies.kyverno.io/description: >-
     Certain system groups exist in Kubernetes which grant permissions that
     are used for certain system-level functions yet typically never appropriate
     for other users. This policy prevents creating bindings for system:masters group.      
   spec:
   validationFailureAction: Enforce
   background: true
   rules:
   - name: restrict-masters
     match:
       any:
       - resources:
           kinds:
             - RoleBinding
             - ClusterRoleBinding
     validate:
       cel:
         expressions:
           - expression: "object.roleRef.name != 'system:masters'"
             message: "Binding to system:masters is not allowed."

2. good res

   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
   name: goodcrb01
   subjects:
   - kind: Group
   name: secret-reader
   apiGroup: rbac.authorization.k8s.io
   roleRef:
   kind: ClusterRole
   name: manager
   apiGroup: rbac.authorization.k8s.io

3. bad resource

   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
   name: badcrb01
   subjects:
   - kind: Group
   name: bar
   apiGroup: rbac.authorization.k8s.io
   roleRef:
   kind: ClusterRole
   name: "system:masters"
   apiGroup: rbac.authorization.k8s.io

Result

Downloads ) k apply -f /Users/nirmata/Desktop/go-nctl/anushka-test/cel-pol-rbac.yaml                                                                                                  
clusterpolicy.kyverno.io/restrict-binding-system-groups created
Downloads ) k apply -f /Users/nirmata/Desktop/go-nctl/anushka-test/cel-pol-rbac-good-res.yaml                                                                                         
clusterrolebinding.rbac.authorization.k8s.io/goodcrb01 created
Downloads ) k apply -f /Users/nirmata/Desktop/go-nctl/anushka-test/cel-pol-rbac-bad-res.yaml                                                                                          
Error from server: error when creating "/Users/nirmata/Desktop/go-nctl/anushka-test/cel-pol-rbac-bad-res.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: 

resource ClusterRoleBinding//badcrb01 was blocked due to the following policies 

restrict-binding-system-groups:
  restrict-masters: Binding to system:masters is not allowed.
Downloads ) k delete -f /Users/nirmata/Desktop/go-nctl/anushka-test/cel-pol-rbac-good-res.yaml                                                                                        
Error from server: error when deleting "/Users/nirmata/Desktop/go-nctl/anushka-test/cel-pol-rbac-good-res.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: 

resource ClusterRoleBinding//goodcrb01 was blocked due to the following policies 

restrict-binding-system-groups:
  restrict-masters: 'expression ''object.roleRef.name != ''system:masters'''' resulted
    in error: no such key: roleRef'

Expected behavior

I should have seen the good resource get deleted.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

• [X] I have read and followed the documentation AND the troubleshooting guide.
• [X] I have searched other issues in this repository and mine is not recorded.

[MariamFahmy98]

You should set the operations to CREATE and UPDATE as follows:

- resources:
    kinds:
      - RoleBinding
      - ClusterRoleBinding
    operations:
      - CREATE
      - UPDATE

This is because there are recent changes to apply cel policies to a deleted resource so by default, all operations are set.

Let me know if this solves the issue.

[anushkamittal2001]

Let me check this out. Thanks @MariamFahmy98

[anushkamittal2001]

@MariamFahmy98 Could you help me understand why the good pod gets created but doesnt get deleted.

If it is a good pod both should be allowed right

[MariamFahmy98]

@MariamFahmy98 Could you help me understand why the good pod gets created but doesnt get deleted.

If it is a good pod both should be allowed right

By not setting operations, the policy defaults to all operations. Therefore, when deleting the pod, the policy is applied and the CEL expression fails with the error no such key: roleRef'. This is because the resource is deleted and there is no roleRef field so it is important to set operations to CREATE and UPDATE to avoid applying policies on deleted resource.

[anushkamittal2001]

Thanks @MariamFahmy98! Is there documentation for this that you can point me to?