Kyverno Version
1.12.5
Kubernetes Version
1.29.x
Kubernetes Platform
Other (specify in description)
Kyverno Rule Type
Mutate
Description
Environment: kOps running k8s version 1.29. Kyverno version is 1.12.6, but since that is not available in the dropdown, I picked 1.12.5.
An attempt to add node metadata as a label to a pod is not successful due to a permission error on the service account, even though the requisite permission is given.
Steps to reproduce
We are trying to add node topology keys as a label to pods (NOT as annotations, but as labels) and came up with this clusterpolicy:
When applied, we get an error like this:
Error from server: error when creating "foobar.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: path: spec.rules[0].mutate.targets.: auth check fails, additional privileges are required for the service account 'system:serviceaccount:kyverno:kyverno-background-controller': cannot update/v1/Pod in namespace {{ request.object.metadata.namespace }}
auth can-i tells this:
$ kubectl auth can-i update pods --as system:serviceaccount:kyverno:kyverno-background-controller
no
However the clusterrole has this set of permissions:
So we have given update permission to pod. Also the kyverno resourceFilter is not filtering Pod/binding resources.
What might be wrong here as far as permission is concerned?
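For reference, here is one way to wire up what the report describes, as an added example rather than the reporter's own manifests (the role name, policy name and the topology label key are assumptions). Kyverno 1.12 grants extra permissions to the background controller only through ClusterRoles that carry its aggregation label; a ClusterRole with the right verbs but without that label (or without a binding to the service account) leaves `kubectl auth can-i` answering "no", and the policy admission check fails exactly as shown above.

```yaml
# Added example, not from the issue. Assumes Kyverno 1.12 with its default
# aggregated ClusterRoles for the background controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:background-controller:pods   # assumed name
  labels:
    # This label is what aggregates the rules below into the role that is
    # bound to system:serviceaccount:kyverno:kyverno-background-controller.
    rbac.kyverno.io/aggregate-to-background-controller: "true"
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-node-topology-labels   # assumed name
spec:
  rules:
    - name: copy-zone-label-to-pod
      match:
        any:
          - resources:
              # Pod/binding carries the scheduled node name; it must not be
              # excluded by the resourceFilters in the kyverno ConfigMap.
              kinds: ["Pod/binding"]
      context:
        - name: nodeName
          variable:
            jmesPath: request.object.target.name
            default: ""
        - name: zone
          apiCall:
            urlPath: "/api/v1/nodes/{{ nodeName }}"
            # Assumed label key; dotted keys need quoting in JMESPath.
            jmesPath: "metadata.labels.\"topology.kubernetes.io/zone\" || 'unknown'"
      mutate:
        # Mutating an existing Pod (a target) is what requires the
        # update/patch permission checked at policy admission time.
        targets:
          - apiVersion: v1
            kind: Pod
            name: "{{ request.object.metadata.name }}"
            namespace: "{{ request.object.metadata.namespace }}"
        patchStrategicMerge:
          metadata:
            labels:
              topology.kubernetes.io/zone: "{{ zone }}"
```

After applying the ClusterRole, re-run the same `kubectl auth can-i update pods --as system:serviceaccount:kyverno:kyverno-background-controller` check; it should answer "yes" before the ClusterPolicy is applied.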
Expected behavior
The policy to be applied.
Screenshots
No response
Kyverno logs
No response
Slack discussion
No response
Troubleshooting