
[Bug] when adding to a list (patchesJson6902) the content is overridden

Open rubroboletus opened this issue 1 year ago • 1 comment

Kyverno Version

1.13.4

Description

We need to add "default" values to securityContext.sysctls of all pods when they have not already declared their own values. So I have created a simple policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-tcp-keepalive
spec:
  rules:
  - name: add-default-tcp-keepalive
    match:
      any:
      - resources:
          kinds:
          - Pod
          operations:
          - CREATE
          - UPDATE
    exclude:
      any:
      - resources:
          kinds:
          - Pod
          operations:
          - CREATE
          - UPDATE
          annotations:
            mmb_keepalive: "false"
    preconditions:
      any:
      - key: "net.ipv4.tcp_keepalive_time"
        operator: AnyNotIn
        value: "{{ request.object.spec.securityContext.sysctls[].name || '' }}"
        message: "net.ipv4.tcp_keepalive_time is not found in {{ request.object.spec.securityContext.sysctls[].name || '' }}"
    mutate:
      patchesJson6902: |-
        - path: "/spec/securityContext/sysctls"
          op: add
          value:
            - name: net.ipv4.tcp_keepalive_probes
              value: "3"
            - name: net.ipv4.tcp_keepalive_time
              value: "600"
            - name: net.ipv4.tcp_keepalive_intlvl
              value: "60"

and a simple pod definition with some sysctl defined:

apiVersion: v1
kind: Pod
metadata:
  name: svc-keepalive-test
spec:
  containers:
  - name: app
    image: ubuntu:latest
    command: ["/bin/sh"]
    args: ["-c", "while true; do echo $(date -u); sleep 5; done"]
  securityContext:
    sysctls:
    - name: net.ipv4.ip_local_port_range
      value: "1024 65535"

When I try to apply this policy to the pod using the Kyverno CLI (kyverno -v=9 apply policy.yaml --resource pod.yaml), I see that the sysctls are overridden rather than added.

Applying 1 policy rule(s) to 1 resource(s)...
2025-03-21T08:05:22Z -2 ../../../../runner/work/kyverno/kyverno/pkg/engine/variables/vars.go:359 > variable substituted path=/preconditions/any/0/message v=3 value=null variable="{{ request.object.spec.securityContext.sysctls[].name || '' }}"
2025-03-21T08:05:22Z -2 ../../../../runner/work/kyverno/kyverno/pkg/engine/variables/vars.go:359 > variable substituted path=/preconditions/any/0/value v=3 value=null variable="{{ request.object.spec.securityContext.sysctls[].name || '' }}"
2025-03-21T08:05:22Z -2 ../../../../runner/work/kyverno/kyverno/pkg/engine/variables/vars.go:359 > variable substituted logger=engine.mutate new.kind=Pod new.name=robi-svc-keepalive new.namespace=default path= policy.apply=All policy.name=add-default-tcp-keepalive policy.namespace= rule.name=add-default-tcp-keepalive v=3 value=["net.ipv4.ip_local_port_range"] variable="{{ request.object.spec.securityContext.sysctls[].name || '' }}"
2025-03-21T08:05:22Z -2 ../../../../runner/work/kyverno/kyverno/pkg/engine/handlers/mutation/mutate_resource.go:54 > processing mutate rule logger=engine.mutate new.kind=Pod new.name=robi-svc-keepalive new.namespace=default policy.apply=All policy.name=add-default-tcp-keepalive policy.namespace= rule.name=add-default-tcp-keepalive v=3
2025-03-21T08:05:22Z -2 ../../../../runner/work/kyverno/kyverno/pkg/engine/variables/vars.go:359 > variable substituted logger=engine.mutate new.kind=Pod new.name=robi-svc-keepalive new.namespace=default path=/preconditions/any/0/value policy.apply=All policy.name=add-default-tcp-keepalive policy.namespace= rule.name=add-default-tcp-keepalive v=3 value=["net.ipv4.ip_local_port_range"] variable="{{ request.object.spec.securityContext.sysctls[].name || '' }}"
2025-03-21T08:05:22Z -2 ../../../../runner/work/kyverno/kyverno/pkg/engine/variables/vars.go:359 > variable substituted logger=engine.mutate new.kind=Pod new.name=robi-svc-keepalive new.namespace=default path=/preconditions/any/0/message policy.apply=All policy.name=add-default-tcp-keepalive policy.namespace= rule.name=add-default-tcp-keepalive v=3 value=["net.ipv4.ip_local_port_range"] variable="{{ request.object.spec.securityContext.sysctls[].name || '' }}"

policy add-default-tcp-keepalive applied to default/Pod/robi-svc-keepalive:
apiVersion: v1
kind: Pod
metadata:
  name: svc-keepalive-test
  namespace: default
spec:
  containers:
  - args:
    - -c
    - while true; do echo $(date -u); sleep 5; done
    command:
    - /bin/sh
    image: ubuntu:latest
    name: app
  securityContext:
    sysctls:
    - name: net.ipv4.tcp_keepalive_probes
      value: "3"
    - name: net.ipv4.tcp_keepalive_time
      value: "600"
    - name: net.ipv4.tcp_keepalive_intlvl
      value: "60"

---


Mutation:
Mutation has been applied successfully.
pass: 1, fail: 0, warn: 0, error: 0, skip: 0

Slack discussion

No response

Troubleshooting

  • [x] I have read and followed the documentation AND the troubleshooting guide.
  • [x] I have searched other issues in this repository and mine is not recorded.

rubroboletus avatar Mar 21 '25 08:03 rubroboletus
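The behaviour in the report can be reproduced outside Kyverno with plain RFC 6902 semantics, which patchesJson6902 follows: an `add` whose path names an existing object member replaces the value found there, while appending to an array uses a path that ends in `/-`. The script below is an added example, not Kyverno's code or anything from the issue; it is a minimal `add` implementation (no other ops, no error handling beyond what Python raises) run against the pod from the report, with a second variant that appends one entry at a time and creates the `sysctls` array first when the pod has none. The sysctl names, including `tcp_keepalive_intlvl`, are copied from the report as given.

```python
"""RFC 6902 'add' semantics on the pod from the report (added example, not Kyverno code).

Two rules from RFC 6902 section 4.1 matter here:
  * 'add' at a path that already exists as an object member replaces that member.
  * 'add' at an array path ending in '/-' appends to the array (the array must exist).
"""
import copy

# Pod from the report, constructed inline as a dict (containers trimmed).
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "svc-keepalive-test"},
    "spec": {
        "containers": [{"name": "app", "image": "ubuntu:latest"}],
        "securityContext": {
            "sysctls": [
                {"name": "net.ipv4.ip_local_port_range", "value": "1024 65535"},
            ]
        },
    },
}

# The three defaults the policy in the report tries to add.
KEEPALIVE_DEFAULTS = [
    {"name": "net.ipv4.tcp_keepalive_probes", "value": "3"},
    {"name": "net.ipv4.tcp_keepalive_time", "value": "600"},
    {"name": "net.ipv4.tcp_keepalive_intlvl", "value": "60"},
]


def _unescape(token):
    # RFC 6901 JSON Pointer escaping: '~1' is '/', '~0' is '~' (this order matters).
    return token.replace("~1", "/").replace("~0", "~")


def json6902_add(doc, path, value):
    """Apply a single RFC 6902 'add' operation and return a new document."""
    doc = copy.deepcopy(doc)
    tokens = [_unescape(t) for t in path.split("/")[1:]]
    parent = doc
    for tok in tokens[:-1]:
        parent = parent[int(tok)] if isinstance(parent, list) else parent[tok]
    last = tokens[-1]
    if isinstance(parent, list):
        if last == "-":
            parent.append(value)              # append at end of array
        else:
            parent.insert(int(last), value)   # insert before the given index
    else:
        parent[last] = value                  # existing member is replaced
    return doc


def sysctl_names(pod):
    """Names of the sysctls currently declared on the pod, in order."""
    return [s["name"] for s in pod["spec"]["securityContext"]["sysctls"]]


def patch_as_in_report(pod):
    """The report's single 'add' at the array path: the whole list is replaced."""
    return json6902_add(pod, "/spec/securityContext/sysctls", KEEPALIVE_DEFAULTS)


def patch_with_append(pod):
    """One 'add' per entry at '/-': existing sysctls survive.

    '/-' needs the array to exist, so a pod without securityContext.sysctls
    gets an empty array created first (two extra 'add' ops, also RFC 6902).
    """
    if "securityContext" not in pod["spec"]:
        pod = json6902_add(pod, "/spec/securityContext", {})
    if "sysctls" not in pod["spec"]["securityContext"]:
        pod = json6902_add(pod, "/spec/securityContext/sysctls", [])
    for entry in KEEPALIVE_DEFAULTS:
        pod = json6902_add(pod, "/spec/securityContext/sysctls/-", entry)
    return pod


if __name__ == "__main__":
    print("as in report:", sysctl_names(patch_as_in_report(POD)))
    print("with '/-':   ", sysctl_names(patch_with_append(POD)))
```

Running it shows the first form dropping `net.ipv4.ip_local_port_range` exactly as in the CLI output above, and the `/-` form keeping it; the precondition in the report still decides whether the rule fires at all, this only changes what the patch does once it does.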

Hi, @rubroboletus. I'm Dosu, and I'm helping the kyverno team manage their backlog. I'm marking this issue as stale.

Issue Summary:

  • You reported a bug in Kyverno version 1.13.4.
  • The issue involves a policy that should append values to securityContext.sysctls but instead overrides them.
  • You provided examples of the policy and pod definitions to demonstrate the problem.
  • There have been no comments or additional activity on this issue.

Next Steps:

  • Could you please confirm if this issue is still relevant with the latest version of Kyverno? If so, feel free to comment to keep the discussion open.
  • If there is no further activity, this issue will be automatically closed in 60 days.

Thank you for your understanding and contribution!

dosubot[bot] avatar Jun 20 '25 16:06 dosubot[bot]