Open eitah opened 3 months ago
It's already called out somewhat here https://kyverno.io/docs/troubleshooting/ but I'd like to make the association more direct
Check and ensure you aren’t creating a resource that is either excluded from Kyverno’s processing by default, or that it hasn’t been created in an excluded Namespace. Kyverno uses a ConfigMap by default called kyverno in the Kyverno Namespace to filter out some of these things. The key name is resourceFilters and more details can be found here.
Description
https://kyverno.io/docs/writing-policies/generate/#clone-examples does not mention that excluded namespaces for clone secrets are unable to sync properly. This is an issue because we copied the sync secrets policy expecting that the `match` and `exclude` blocks were unrelated to the `clone` fields. In fact, the clone needs to be in an allowed namespace for the trigger in order for the `sync` feature to work.
Stemming from bug report here: https://github.com/kyverno/policies/issues/1056
Slack discussion
https://github.com/kyverno/policies/issues/1056
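
A lint for the behaviour reported in this issue, as an added example that is not part of the original issue or Kyverno's own code: it flags `generate` rules with `synchronize: true` whose `clone` source namespace is matched by the same rule's `exclude` block. The sample policy, the function names, and the way exclusions are read (`namespaces`, or `names` when the excluded kind is `Namespace`, treated as glob patterns) are assumptions.

```python
from fnmatch import fnmatchcase

def excluded_patterns(rule):
    """Collect namespace patterns from a rule's exclude block (any/all or legacy form)."""
    exclude = rule.get("exclude", {})
    blocks = exclude.get("any", []) + exclude.get("all", [])
    if "resources" in exclude:  # legacy form: exclude.resources directly
        blocks.append(exclude)
    patterns = []
    for block in blocks:
        res = block.get("resources", {})
        patterns += res.get("namespaces", [])
        # Assumption: when the excluded kind is Namespace, `names` are namespace names.
        if "Namespace" in res.get("kinds", []):
            patterns += res.get("names", [])
    return patterns

def find_unsynced_clones(policy):
    """Return (rule, clone namespace, pattern) for sync rules whose clone source is excluded."""
    findings = []
    for rule in policy.get("spec", {}).get("rules", []):
        gen = rule.get("generate", {})
        clone_ns = gen.get("clone", {}).get("namespace")
        if not gen.get("synchronize") or not clone_ns:
            continue  # only clone rules with synchronize enabled are affected
        hit = next((p for p in excluded_patterns(rule) if fnmatchcase(clone_ns, p)), None)
        if hit:
            findings.append((rule.get("name"), clone_ns, hit))
    return findings

# Constructed sample: a sync-secrets style policy with an exclude block added.
SAMPLE_POLICY = {
    "kind": "ClusterPolicy",
    "metadata": {"name": "sync-secrets"},
    "spec": {"rules": [{
        "name": "sync-image-pull-secret",
        "match": {"any": [{"resources": {"kinds": ["Namespace"]}}]},
        "exclude": {"any": [{"resources": {"kinds": ["Namespace"],
                                           "names": ["kube-*", "default"]}}]},
        "generate": {"apiVersion": "v1", "kind": "Secret", "name": "regcred",
                     "namespace": "{{request.object.metadata.name}}",
                     "synchronize": True,
                     "clone": {"namespace": "default", "name": "regcred"}},
    }]},
}

if __name__ == "__main__":
    for rule, ns, pattern in find_unsynced_clones(SAMPLE_POLICY):
        print(f"{rule}: clone source namespace '{ns}' is excluded by '{pattern}'")
```
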