kyverno / policies

Kyverno policies for security and best practices
Apache License 2.0

Sync secret doesn't seem to work #912

Closed kohend closed 6 months ago

kohend commented 6 months ago

Kyverno Version

1.10.1

Kubernetes Version

1.25.4

Kubernetes Platform

Other (specify in description)

Description

I'm trying to sync the cert-manager created TLS certificate using Kyverno. I may have made the wrong policy, but it seems consistent with the docs. It doesn't sync, or even behave as if there's anything to sync. Running on OCI (OKE).

Steps to reproduce

  1. Install cert-manager and kyverno on system namespace and istio on istio-system
  2. Create a cluster policy:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: copy-tls-secret
spec:
  rules:
  - name: copy-secret
    match:
      all:
      - resources:
          kinds:
          - Secret
          namespaces:
          - system
          names:
          - cert-manager-tls
    generate:
      apiVersion: v1
      kind: Secret
      name: cert-manager-tls
      namespace: istio-system
      synchronize: true
      clone:
        namespace: system
        name: cert-manager-tls
```

Expected behavior

That when the secret is updated, it'll sync that secret

Kyverno logs

I0222 16:46:49.304891       1 generate.go:97] background "msg"="start processing UR" "name"="ur-h6h9x" "policy"="copy-tls-secret" "resource"="v1/Secret/monitoring/prometheus-kube-prometheus-stack-prometheus-tls-assets-0" "resourceVersion"="392682470" "ur"="ur-h6h9x"

chipzoller commented 6 months ago

Please tell us your actual Kyverno and Kubernetes versions used.

kohend commented 6 months ago

Edited to specify exact versions

chipzoller commented 6 months ago

Have you installed Kyverno into the Namespace named system?

kohend commented 6 months ago

Yes

chipzoller commented 6 months ago

That is why the policy does not work. Kyverno excludes its own Namespace by default as mentioned in the documentation, so therefore it does not "see" modifications to a Secret also located in that same Namespace. Kyverno should not be installed in a Namespace co-located with other components. It should be installed in its own Namespace. The subjects of policies may not be in Kyverno's Namespace regardless of the type of rule.

kohend commented 4 months ago

Thank you, as I was not the one that installed the cluster, I didn't think of checking that.
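The root cause above is a policy whose `match` block targets the Namespace Kyverno itself runs in, which Kyverno excludes by default. The following is an added pre-flight check, not code from the Kyverno project or from anyone in this thread: it extracts every entry under a `namespaces:` key in a policy file and flags any that equal the Namespace Kyverno is installed in. The policy file is a constructed copy of the one from the issue, the `system` Namespace comes from the thread, and the `KYVERNO_NS` variable and both function names are assumptions for illustration.

```shell
#!/bin/sh
# Added check (not part of the Kyverno project): warn when a policy's match
# namespaces include the Namespace Kyverno is installed in, since Kyverno
# excludes its own Namespace by default and the rule will never fire there.

# Constructed copy of the ClusterPolicy from the issue, written to a temp file.
POLICY_FILE="$(mktemp)"
trap 'rm -f "$POLICY_FILE"' EXIT
cat > "$POLICY_FILE" <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: copy-tls-secret
spec:
  rules:
  - name: copy-secret
    match:
      all:
      - resources:
          kinds:
          - Secret
          namespaces:
          - system
          names:
          - cert-manager-tls
    generate:
      apiVersion: v1
      kind: Secret
      name: cert-manager-tls
      namespace: istio-system
      synchronize: true
      clone:
        namespace: system
        name: cert-manager-tls
EOF

# Namespace Kyverno is installed in (the issue reports "system"); assumed variable.
KYVERNO_NS="${KYVERNO_NS:-system}"

# list_match_namespaces FILE
# Prints each list item that sits directly under a "namespaces:" key. Kyverno
# uses the plural key only in match/exclude blocks, so the singular
# "namespace:" in generate/clone is not picked up. Collection stops at the
# next sibling key (a line at the same indent that is not a list item).
list_match_namespaces() {
  awk '
    function indent(s) { match(s, /[^ ]/); return RSTART - 1 }
    /^[[:space:]]*namespaces:[[:space:]]*$/ { collecting = 1; base = indent($0); next }
    collecting {
      if (indent($0) >= base && $0 ~ /^[[:space:]]*- /) {
        sub(/^[[:space:]]*- /, ""); print; next
      }
      collecting = 0
    }
  ' "$1"
}

# check_policy_namespaces FILE KYVERNO_NS
# Returns 1 (and reports on stderr) if any match namespace equals KYVERNO_NS.
check_policy_namespaces() {
  file=$1; kyverno_ns=$2; rc=0
  for ns in $(list_match_namespaces "$file"); do
    if [ "$ns" = "$kyverno_ns" ]; then
      echo "policy $file matches Namespace '$ns', which is Kyverno's own Namespace and is excluded by default" >&2
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run: with Kyverno in "system" this reports the conflict from the issue.
if check_policy_namespaces "$POLICY_FILE" "$KYVERNO_NS"; then
  echo "no rule targets the Kyverno Namespace '$KYVERNO_NS'"
fi
```

Run it with `KYVERNO_NS` set to the Namespace where the Kyverno Deployment lives; if the check reports a conflict, the fix per the thread is to move Kyverno to its own Namespace rather than to edit the policy.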