[Bug] Copy secret into every namespace. #10708

Open
2 tasks done
eitah opened this issue Jul 19, 2024 · 5 comments
Assignees: realshuting
Labels: end user (issue raised by an end user), enhancement (new feature or request), generation (issues pertaining to the generate ability), release-high (should be addressed in the specified milestone; may get bumped)

Comments


eitah commented Jul 19, 2024

Kyverno Version

1.12

Kubernetes Version

1.29

Kubernetes Platform

GKE

Description

I'm trying to write a generate rule, inspired by sync-secrets, which will take an incoming secret and replicate it everywhere. The issue I'm having is twofold:

  1. I can't use a clone policy targeting the incoming secret because of #8025.
  2. Instead I tried using a cloneList policy selecting all secrets in the originating namespace and copying them, but the rule does not copy the incoming request object, I assume because it doesn't exist yet.

A note: I see in the logs it can't reconcile the namespaces array into a single namespace, I think because I'm not passing it in correctly. I've tried `{{ namespaces }}` without the brackets, etc., but nothing seems to work. Is there an easy way to express "put this in every namespace you see"?

Steps to reproduce

  1. Add a clone secrets policy per the below (wrapped here as the complete ClusterPolicy, named `sync-secrets` as in the logs; the Namespaces API path is corrected to the core group, since Namespaces are not served under networking.k8s.io):

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-secrets
spec:
  rules:
  - name: sync-new-label-secrets
    match:
      any:
      - resources:
          kinds:
            - Secret
          operations:
            - CREATE
          selector:
            matchLabels:
              label-key: label-value
    context:
      # Namespaces are a core (legacy group) resource, served under /api/v1,
      # not /apis/networking.k8s.io/v1. The JMESPath keeps only the names of
      # namespaces carrying the label, which yields a list of strings.
      - name: namespaces
        apiCall:
          urlPath: "/api/v1/namespaces"
          jmesPath: "items[?metadata.labels.\"label-key\"=='label-value'].metadata.name"
    generate:
      apiVersion: v1
      # This is the part that fails: the context variable is a list, but
      # generate.namespace is a single string (see the ReadString error in the logs).
      namespace: "{{ namespaces[] }}"
      synchronize: true
      cloneList:
        namespace: origin-namespace
        kinds:
          - v1/Secret
        selector:
          matchLabels:
            label-key: label-value
```

  2. Create a secret in origin-namespace.
  3. The secret is not synced to destination namespaces with the right labels.

Expected behavior

I would expect the secret to have been synced.

Screenshots

No response

Kyverno logs

kyverno-admission-controller-776987899-dfmzz kyverno 2024-07-19T15:55:24Z	INFO	setup.cluster-policy	logging/controller.go:45	resource added	{"type": "ClusterPolicy", "name": "sync-secrets"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	INFO	PolicyController	policy/policy_controller.go:181	policy created	{"uid": "366bfd08-0134-4490-904d-1837756679bf", "kind": "ClusterPolicy", "namespace": "", "name": "sync-secrets"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	INFO	PolicyController.handleMutate.sync-secrets	policy/mutate.go:15	update URs on policy event
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	INFO	PolicyController.handleGenerate.sync-secrets	policy/generate.go:21	update URs on policy event
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	INFO	PolicyController	policy/policy_controller.go:421	creating new UR for generate
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-d4bkn", "policy": "sync-secrets", "resource": "v1/Namespace//concourse-shared-secrets", "ur": "ur-d4bkn", "resourceVersion": "538873"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "ur": "ur-t7jbc", "resourceVersion": "538878"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\"],\"synchronize\":true},\"m|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "ur": "ur-t7jbc", "resourceVersion": "538881"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\"],\"synchronize\":true},\"m|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "ur": "ur-t7jbc", "resourceVersion": "538884"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\"],\"synchronize\":true},\"m|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:24Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "ur": "ur-t7jbc", "resourceVersion": "538887"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\"],\"synchronize\":true},\"m|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-8htxx", "policy": "sync-secrets", "resource": "v1/Namespace//new-ns01", "ur": "ur-8htxx", "resourceVersion": "538894"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "ur": "ur-t7jbc", "resourceVersion": "538895"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-t7jbc", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/foo", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\",\"new-ns01\"],\"synchroniz|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	INFO	background	generate/generate.go:458	created generate target resource	{"name": "ur-8htxx", "policy": "sync-secrets", "resource": "v1/Namespace//new-ns01", "target": "//new-ns01/"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "ur": "ur-wmrvj", "resourceVersion": "538904"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\",\"new-ns01\"],\"synchroniz|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "ur": "ur-wmrvj", "resourceVersion": "538907"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\",\"new-ns01\"],\"synchroniz|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "ur": "ur-wmrvj", "resourceVersion": "538910"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\",\"new-ns01\"],\"synchroniz|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "ur": "ur-wmrvj", "resourceVersion": "538913"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\",\"new-ns01\"],\"synchroniz|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "ur": "ur-wmrvj", "resourceVersion": "538916"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:25Z	ERROR	background	generate/generate.go:384	variable substitution failed for rule	{"name": "ur-wmrvj", "policy": "sync-secrets", "resource": "v1/Secret/concourse-shared-secrets/bar", "rule": "", "error": "v1.Rule.Generation: v1.Generation.ResourceSpec: Namespace: ReadString: expects \" or n, but found [, error found in kyverno/policies#10 byte of ...|mespace\":[\"concourse|..., bigger context ...|es.io/component\":\"concourse-team\"}}},\"namespace\":[\"concourse-shared-secrets\",\"new-ns01\"],\"synchroniz|..."}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:41Z	INFO	background	generate/generate.go:101	start processing UR	{"name": "ur-fqgd9", "policy": "sync-secrets", "resource": "v1/Namespace//new-ns01", "ur": "ur-fqgd9", "resourceVersion": "538975"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:55:52Z	INFO	PolicyController	policy/policy_controller.go:228	policy deleted	{"uid": "366bfd08-0134-4490-904d-1837756679bf", "kind": "ClusterPolicy", "namespace": "", "name": "sync-secrets"}
kyverno-admission-controller-776987899-dfmzz kyverno 2024-07-19T15:55:52Z	INFO	setup.cluster-policy	logging/controller.go:68	resource deleted	{"type": "ClusterPolicy", "name": "sync-secrets"}
kyverno-background-controller-86b9f95c96-c8f2q controller 2024-07-19T15:57:00Z	INFO	PolicyController.forceReconciliation	policy/policy_controller.go:366	reconciling generate and mutateExisting policies	{"scan interval": "1h0m0s"}

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
eitah added the `bug` label Jul 19, 2024
@realshuting realshuting transferred this issue from kyverno/policies Jul 23, 2024

welcome bot commented Jul 23, 2024

Thanks for opening your first issue here! Be sure to follow the issue template!

realshuting added the `enhancement`, `generation` and `end user` labels and removed the `bug` label Jul 23, 2024
realshuting (Member) commented:

Hi @eitah - here's a similar request to copy a resource into multiple namespaces; you probably need the foreach, see:

kyverno/KDP#52 (comment)

@realshuting realshuting added this to the Kyverno Release 1.13.0 milestone Jul 23, 2024
realshuting (Member) commented:

Related to #3542.

realshuting added the `release-high` label Jul 24, 2024
@realshuting realshuting self-assigned this Jul 24, 2024
realshuting (Member) commented:

With the proposed KDP, I crafted a policy to achieve this use case:

```yaml
spec:
  rules:
  - name: generate-network-policies
    match:
      any:
      - resources:
          kinds:
            - Secret
          operations:
            - CREATE
          selector:
            matchLabels:
              label-key: label-value
    context:
      - name: namespaces
        apiCall:
          # Core API path for Namespaces (corrected from /apis/networking.k8s.io/v1/Namespaces).
          urlPath: "/api/v1/namespaces"
          jmesPath: "items[?metadata.labels.\"label-key\"=='label-value'].metadata.name"
    generate:
      # Proposed foreach syntax from the KDP (kyverno/KDP#52), not a released
      # Kyverno feature at the time of this comment: one generated resource per
      # entry in the list, carrying the incoming secret's metadata and data.
      foreach:
        - list: "{{namespaces}}"
          dataList:
            - metadata: "{{request.object.metadata}}"
              data: "{{request.object.data}}"
```
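The following Go program is an added example, not code from this issue or from the Kyverno code base. It models the two behaviours the thread turns on: the JMESPath context lookup yields a list of namespace names; substituting that list into the single-valued `generate.namespace` field fails to unmarshal (the same class of error as the `ReadString: expects " or n, but found [` lines in the logs, here raised by Go's `encoding/json` rather than Kyverno's JSON parser); and the foreach the maintainer proposes has to expand into one target spec per namespace. The namespace list payload is constructed, `ResourceSpec` is a reduced stand-in for Kyverno's generate target spec, and skipping the origin namespace is an assumption: the origin namespace carries the same label, so it shows up in the list too, as the log's error context (`"namespace":["concourse-shared-secrets","new-ns01"]`) shows.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ResourceSpec is a reduced stand-in (assumption, not Kyverno's type) for the
// generate rule's target spec. Namespace is a single string, which is why a
// list substituted into it cannot be decoded.
type ResourceSpec struct {
	APIVersion string `json:"apiVersion,omitempty"`
	Kind       string `json:"kind,omitempty"`
	Namespace  string `json:"namespace,omitempty"`
	Name       string `json:"name,omitempty"`
}

// Constructed sample of a GET /api/v1/namespaces response, reduced to the
// fields the JMESPath query in the issue reads. kube-system lacks the label.
const namespaceList = `{"items":[
 {"metadata":{"name":"concourse-shared-secrets","labels":{"label-key":"label-value"}}},
 {"metadata":{"name":"new-ns01","labels":{"label-key":"label-value"}}},
 {"metadata":{"name":"kube-system","labels":{}}}
]}`

type nsList struct {
	Items []struct {
		Metadata struct {
			Name   string            `json:"name"`
			Labels map[string]string `json:"labels"`
		} `json:"metadata"`
	} `json:"items"`
}

// labeledNamespaces evaluates the equivalent of the context's JMESPath:
// items[?metadata.labels."label-key"=='label-value'].metadata.name
// The result is a list of strings, never a single string.
func labeledNamespaces(raw, key, value string) ([]string, error) {
	var l nsList
	if err := json.Unmarshal([]byte(raw), &l); err != nil {
		return nil, err
	}
	var out []string
	for _, it := range l.Items {
		if it.Metadata.Labels[key] == value {
			out = append(out, it.Metadata.Name)
		}
	}
	return out, nil
}

// substituteNamespaceList reproduces the failing policy: the whole list is
// substituted into the single-valued namespace field, and decoding fails.
func substituteNamespaceList(namespaces []string) (ResourceSpec, error) {
	nsJSON, err := json.Marshal(namespaces)
	if err != nil {
		return ResourceSpec{}, err
	}
	raw := fmt.Sprintf(`{"apiVersion":"v1","kind":"Secret","namespace":%s}`, nsJSON)
	var spec ResourceSpec
	err = json.Unmarshal([]byte(raw), &spec)
	return spec, err
}

// expandPerNamespace is what a foreach over the list has to produce: one
// target spec per namespace, each with a string namespace. The origin
// namespace is skipped (assumption) because it matches the same label and
// already holds the source secret.
func expandPerNamespace(namespaces []string, originNS, secretName string) []ResourceSpec {
	var targets []ResourceSpec
	for _, ns := range namespaces {
		if ns == originNS {
			continue
		}
		targets = append(targets, ResourceSpec{APIVersion: "v1", Kind: "Secret", Namespace: ns, Name: secretName})
	}
	return targets
}

func main() {
	nss, err := labeledNamespaces(namespaceList, "label-key", "label-value")
	if err != nil {
		panic(err)
	}
	fmt.Println("labeled namespaces:", nss)
	if _, err := substituteNamespaceList(nss); err != nil {
		fmt.Println("list substituted into generate.namespace:", err)
	}
	for _, t := range expandPerNamespace(nss, "concourse-shared-secrets", "foo") {
		fmt.Printf("generate %s/%s in namespace %s\n", t.Kind, t.Name, t.Namespace)
	}
}
```

Two things worth keeping in mind when adopting either policy above: the label selector on the Namespaces lookup is the only thing bounding where the secret material lands, so keep it narrow and treat the label as a privilege; and because the origin namespace satisfies the same selector, a per-namespace expansion that does not exclude it will try to generate a same-named Secret over the source.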

eitah (Author) commented Aug 19, 2024

Thank you! When is Kyverno 1.13 expected? I saw from this page that Milestone 85 is due, but that can't be the entire release, can it? https://github.com/kyverno/kyverno/milestone/85
