Closed F-Fx closed 1 month ago
Describe output of installed policy
```text
Name:         podsecurity-subrule-restricted-force
Namespace:    
Labels:       <none>
Annotations:  kyverno.io/kubernetes-version: 1.24
              kyverno.io/kyverno-version: 1.8.0
              policies.kyverno.io/category: Pod Security, EKS Best Practices
              policies.kyverno.io/description:
                The restricted profile of the Pod Security Standards, which is inclusive of the baseline profile, is a collection of all the most common c...
              policies.kyverno.io/minversion: 1.8.0
              policies.kyverno.io/severity: medium
              policies.kyverno.io/subject: Pod
              policies.kyverno.io/title: Restricted Pod Security Standards
API Version:  kyverno.io/v1
Kind:         ClusterPolicy
Metadata:
  Creation Timestamp:  2024-08-07T06:41:10Z
  Generation:          9
  Resource Version:    275694070
  UID:                 c306065f-8735-4c56-a311-a2c4ae7233e1
Spec:
  Background:  true
  Rules:
    Exclude:
      Any:
        Resources:
          Namespaces:
            calico-system
            cattle-fleet-system
            cattle-impersonation-system
            cattle-system
            default
            istio-system
            kbp-learn
            kube-node-lease
            kube-public
            kube-system
            kyverno-policy-test
            local
            local-path-storage
            monitoring
            policy-reporter
            sec-kyverno-cert01
            sec-kyverno-lp01
            test-monitor
            tigera-operator
            restrict-root2
    Match:
      Any:
        Resources:
          Kinds:
            Pod
    Name:  restricted
    Validate:
      Message:  TEST MESSAGE TEST MESSAGE
      Pod Security:
        Level:    restricted
        Version:  latest
  Validation Failure Action:  enforce
Status:
  Autogen:
    Rules:
      Exclude:
        Any:
          Resources:
            Namespaces:
              calico-system
              cattle-fleet-system
              cattle-impersonation-system
              cattle-system
              default
              istio-system
              kbp-learn
              kube-node-lease
              kube-public
              kube-system
              kyverno-policy-test
              local
              local-path-storage
              monitoring
              policy-reporter
              sec-kyverno-cert01
              sec-kyverno-lp01
              test-monitor
              tigera-operator
              restrict-root2
        Resources:
      Generate:
        Clone:
        Clone List:
      Match:
        Any:
          Resources:
            Kinds:
              DaemonSet
              Deployment
              Job
              StatefulSet
        Resources:
      Mutate:
      Name:  autogen-restricted
      Validate:
        Message:  TEST MESSAGE TEST MESSAGE
        Pod Security:
          Level:    restricted
          Version:  latest
      Exclude:
        Any:
          Resources:
            Namespaces:
              calico-system
              cattle-fleet-system
              cattle-impersonation-system
              cattle-system
              default
              istio-system
              kbp-learn
              kube-node-lease
              kube-public
              kube-system
              kyverno-policy-test
              local
              local-path-storage
              monitoring
              policy-reporter
              sec-kyverno-cert01
              sec-kyverno-lp01
              test-monitor
              tigera-operator
              restrict-root2
        Resources:
      Generate:
        Clone:
        Clone List:
      Match:
        Any:
          Resources:
            Kinds:
              CronJob
        Resources:
      Mutate:
      Name:  autogen-cronjob-restricted
      Validate:
        Message:  TEST MESSAGE TEST MESSAGE
        Pod Security:
          Level:    restricted
          Version:  latest
  Conditions:
    Last Transition Time:  2024-08-07T06:41:11Z
    Message:               
    Reason:                Succeeded
    Status:                True
    Type:                  Ready
  Ready:                   true
Events:
  Type     Reason           Age  From               Message
  ----     ------           ---  ----               -------
  Warning  PolicyViolation  6m   kyverno-admission  Pod restrict-root/privileged-pod-root: [restricted] fail (blocked)
```
Custom messages do not work with the podSecurity subrule. The message is automatically provided by the PSA libraries. To use custom messages you must use traditional validate rules, similar to what the policies Helm chart does.
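As an added illustration of the workaround named in the comment above (this is example configuration, not code from the issue or from the Kyverno project), the policy below expresses two of the restricted-profile controls the reporter's podSecurity rule covered as traditional `validate` rules, each carrying the reporter's custom message. The policy name `restricted-custom-message`, the rule names and the shortened exclusion list (`kube-system`, `kyverno`) are assumptions; the pattern and anyPattern shapes follow the style of the kyverno-policies chart's `disallow-privilege-escalation` and `require-run-as-nonroot` policies. The trailing pod manifest is a constructed test input that reuses the pod name and namespace from the Events line above.

```yaml
# Added example, not from the issue or the Kyverno project: a traditional
# validate rule carries its own message, whereas the podSecurity subrule's
# message comes from the upstream Pod Security Admission library.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restricted-custom-message   # hypothetical name
spec:
  validationFailureAction: enforce  # same action as the reporter's policy
  background: true
  rules:
    - name: disallow-privilege-escalation
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:            # assumed, shortened exclusion list
                - kube-system
                - kyverno
      validate:
        message: "TEST MESSAGE TEST MESSAGE: allowPrivilegeEscalation must be false on every container"
        pattern:
          spec:
            # =(key) makes the key optional; if present it must match.
            =(ephemeralContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"
    - name: require-run-as-nonroot
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
      validate:
        message: "TEST MESSAGE TEST MESSAGE: runAsNonRoot must be true at the pod level or on every container"
        # Either the pod-level default is true (and no container overrides it
        # to false), or every container sets it explicitly.
        anyPattern:
          - spec:
              securityContext:
                runAsNonRoot: "true"
              =(ephemeralContainers):
                - =(securityContext):
                    =(runAsNonRoot): "true"
              =(initContainers):
                - =(securityContext):
                    =(runAsNonRoot): "true"
              containers:
                - =(securityContext):
                    =(runAsNonRoot): "true"
          - spec:
              =(ephemeralContainers):
                - securityContext:
                    runAsNonRoot: "true"
              =(initContainers):
                - securityContext:
                    runAsNonRoot: "true"
              containers:
                - securityContext:
                    runAsNonRoot: "true"
---
# Constructed test pod (name and namespace taken from the Events line):
# runs as root with privilege escalation allowed, so admission is denied
# and the response quotes the rule's message rather than the PSA wording.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod-root
  namespace: restrict-root
spec:
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
      securityContext:
        runAsUser: 0
        allowPrivilegeEscalation: true
```

Apply the policy, then `kubectl apply` the pod: the request is rejected with both rules' messages, and the violation still shows up as a `PolicyViolation` warning in `kubectl describe clusterpolicy`. The trade-off is coverage: a pattern rule checks only the fields you spell out, so reproducing the whole restricted profile takes one rule per control (which is how the policies Helm chart is organised), whereas the podSecurity subrule tracks the upstream profile automatically at the cost of a fixed message.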
Kyverno Version
1.8
Kubernetes Version
1.23
Kubernetes Platform
Other (specify in description)
Description
k8s v1.23.17+rke2r1
The message is not working in the "Restricted Pod Security Standards" policy,
but in a policy like the one below it works fine.
Steps to reproduce
Expected behavior
The request is denied and the log carries the message "TEST MESSAGE TEST MESSAGE".
Screenshots
No response
Kyverno logs
Slack discussion
No response
Troubleshooting