
[Bug] [CLI] anyPattern fails despite no matches in resource

Open andrewhibbert opened this issue 2 years ago • 7 comments

Kyverno CLI Version

1.10.6

Description

anyPattern fails despite no matches in resource

Steps to reproduce

  1. See https://playground.kyverno.io/#/?content=N4IgDg9gNglgxgTxALhAQzDAagUwE4DOMEAdsgAQDWCAbvi[…]QAWQAOq2wQAALSuI1KADbFD4wAEwADk%2B1o0UBanAOYLAWn8D6yWQA==
  2. Resource contains no matches, i.e. it uses matchExpressions instead of matchLabels, so it should fail; however, it passes. If you comment out the second pattern in anyPattern, it fails.

Expected behavior

It fails

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • [X] I have read and followed the troubleshooting guide.
  • [X] I have searched other issues in this repository and mine is not recorded.

andrewhibbert • Mar 12 '24 15:03

-> $ kyverno test -v10 .
I0312 15:28:02.915413    1125 manager.go:215]  "msg"="unable to cache OpenAPISchema" "definitionName"="io.k8s.api.authentication.v1.TokenRequest" "reason"="gvk not found by the given definition name io.k8s.api.authentication.v1.TokenRequest, [v1/TokenRequest]"
I0312 15:28:02.915472    1125 manager.go:215]  "msg"="unable to cache OpenAPISchema" "definitionName"="io.k8s.api.autoscaling.v1.Scale" "reason"="gvk not found by the given definition name io.k8s.api.autoscaling.v1.Scale, [v1/Scale apps/v1/Scale apps/v1/Scale apps/v1/Scale]"
I0312 15:28:02.915702    1125 manager.go:215]  "msg"="unable to cache OpenAPISchema" "definitionName"="io.k8s.api.policy.v1.Eviction" "reason"="gvk not found by the given definition name io.k8s.api.policy.v1.Eviction, [v1/Eviction]"
I0312 15:28:02.915759    1125 manager.go:215]  "msg"="unable to cache OpenAPISchema" "definitionName"="io.k8s.api.storage.v1.TokenRequest" "reason"="gvk not found by the given definition name io.k8s.api.storage.v1.TokenRequest, [v1/TokenRequest]"

Executing enforce-podantiaffinity...
I0312 15:28:02.921204    1125 common.go:289]  "msg"="Defaulting request.operation to CREATE"
I0312 15:28:02.921234    1125 common.go:110]  "msg"="reading policies" "path"="../policy.yaml"
I0312 15:28:02.931728    1125 common.go:202]  "msg"="read policies" "errors"=0 "policies"=30
I0312 15:28:02.931821    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.931833    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.931840    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.931849    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-hard-pod-anti-affinity-with-hostname-min-available"
I0312 15:28:02.931856    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.931862    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-hard-pod-anti-affinity-with-hostname-min-available"
I0312 15:28:02.931870    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-hard-pod-anti-affinity-with-hostname-max-unavailable"
I0312 15:28:02.931876    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.931883    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-hard-pod-anti-affinity-with-hostname-max-unavailable"
I0312 15:28:02.931891    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-soft-pod-anti-affinity-with-zone"
I0312 15:28:02.931896    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.931902    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-soft-pod-anti-affinity-with-zone"
I0312 15:28:02.932533    1125 common.go:895]  "msg"="mutated Policy:" "{\"kind\":\"ClusterPolicy\",\"apiVersion\":\"kyverno.io/v1\",\"metadata\":{\"name\":\"enforce-podantiaffinity\",\"creationTimestamp\":null,\"labels\":{\"app.kubernetes.io/component\":\"kyverno\",\"app.kubernetes.io/instance\":\"release-name\",\"app.kubernetes.io/managed-by\":\"Helm\",\"app.kubernetes.io/name\":\"entellect-kyverno-policies\",\"app.kubernetes.io/part-of\":\"entellect-kyverno-policies\",\"app.kubernetes.io/version\":\"0.1.0\",\"helm.sh/chart\":\"entellect-kyverno-policies-0.1.0\"},\"annotations\":{\"policies.kyverno.io/category\":\"Best Practices\",\"policies.kyverno.io/description\":\"This policy enforces that podAntiAffinity is used when there are multiple replicas and a corresponding PodDisruptionBudget. It enforces restricted use of  preferredDuringSchedulingIgnoredDuringExecution only when the PodDisruptionBudget allows for a substantial amount of downtime. It ensures that if the topologyKey for the pod affinity is related to zones then only preferredDuringSchedulingIgnoredDuringExecution should be used.\",\"policies.kyverno.io/minversion\":\"1.10.0\",\"policies.kyverno.io/severity\":\"medium\",\"policies.kyverno.io/subject\":\"Deployment\",\"policies.kyverno.io/title\":\"Enforce pod antiaffinity\"}},\"spec\":{\"rules\":[{\"name\":\"enforce-pod-anti-affinity-pdb\",\"context\":[{\"name\":\"pdb_count\",\"apiCall\":{\"urlPath\":\"/apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets\",\"jmesPath\":\"items[?label_match(spec.selector.matchLabels, ` {{request.object.spec.template.metadata.labels}} `)] | length(@)\"}}],\"match\":{\"resources\":{\"kinds\":[\"Deployment\",\"StatefulSet\"],\"operations\":[\"CREATE\",\"UPDATE\"]}},\"exclude\":{\"resources\":{}},\"preconditions\":{\"all\":[{\"key\":\"{{ request.object.spec.replicas }}\",\"operator\":\"GreaterThan\",\"value\":1},{\"key\":\"{{ pdb_count 
}}\",\"operator\":\"GreaterThan\",\"value\":0}]},\"mutate\":{},\"validate\":{\"message\":\"You must use podAntiAffinity when using multiple replicas and a PDB\",\"anyPattern\":[{\"spec\":{\"template\":{\"spec\":{\"affinity\":{\"podAntiAffinity\":{\"^(requiredDuringSchedulingIgnoredDuringExecution)\":[{\"labelSelector\":{\"matchLabels\":\"{{ request.object.spec.template.metadata.labels }}\"},\"topologyKey\":\"kubernetes.io/hostname\"}]}}}}}},{\"spec\":{\"template\":{\"spec\":{\"affinity\":{\"podAntiAffinity\":{\"^(preferredDuringSchedulingIgnoredDuringExecution)\":[{\"podAffinityTerm\":{\"labelSelector\":{\"matchLabels\":\"{{ request.object.spec.template.metadata.labels }}\"},\"topologyKey\":\"kubernetes.io/hostname\",\"weight\":1}}]}}}}}}]},\"generate\":{\"clone\":{},\"cloneList\":{}}}],\"failurePolicy\":\"Ignore\",\"validationFailureAction\":\"audit\",\"background\":true},\"status\":{\"ready\":false,\"autogen\":{},\"rulecount\":{\"validate\":0,\"generate\":0,\"mutate\":0,\"verifyimages\":0}}}"="(MISSING)"
skipping unused resource, resource : &{map[apiVersion:apps/v1 kind:Deployment metadata:map[name:enforce-pod-anti-affinity-pdb-pass1 namespace:default] spec:map[replicas:3 selector:map[matchLabels:map[app:enforce-pod-anti-affinity-pdb-pass1]] template:map[metadata:map[labels:map[app:enforce-pod-anti-affinity-pdb-pass1]] spec:map[affinity:map[podAntiAffinity:map[preferredDuringSchedulingIgnoredDuringExecution:[map[podAffinityTerm:map[labelSelector:map[matchLabels:map[app:enforce-pod-anti-affinity-pdb-pass1]] topologyKey:kubernetes.io/hostname weight:1]] map[podAffinityTerm:map[labelSelector:map[matchExpressions:[map[key:app operator:In values:[enforce-pod-anti-affinity-pdb-pass1]]]] topologyKey:topology.kubernetes.io/zone weight:1]]] requiredDuringSchedulingIgnoredDuringExecution:[map[labelSelector:map[matchLabels:map[app:enforce-pod-anti-affinity-pdb-pass1]] topologyKey:topology.kubernetes.io/zone] map[labelSelector:map[matchLabels:map[app:enforce-pod-anti-affinity-pdb-pass1]] topologyKey:kubernetes.io/hostname]]]]]]]]}
skipping unused resource, resource : &{map[apiVersion:apps/v1 kind:Deployment metadata:map[name:enforce-pod-anti-affinity-pdb-pass2 namespace:default] spec:map[replicas:3 selector:map[matchLabels:map[app:enforce-pod-anti-affinity-pdb-pass2]] template:map[metadata:map[labels:map[app:enforce-pod-anti-affinity-pdb-pass2]] spec:map[affinity:map[podAntiAffinity:map[requiredDuringSchedulingIgnoredDuringExecution:[map[labelSelector:map[matchLabels:map[app:enforce-pod-anti-affinity-pdb-pass2]] topologyKey:kubernetes.io/hostname]]]]]]]]}
skipping unused resource, resource : &{map[apiVersion:apps/v1 kind:Deployment metadata:map[name:enforce-hard-pod-anti-affinity-with-hostname-max-unavailable-pass namespace:default] spec:map[replicas:3 selector:map[matchLabels:map[app:enforce-hard-pod-anti-affinity-with-hostname-max-unavailable-pass]] template:map[metadata:map[labels:map[app:enforce-hard-pod-anti-affinity-with-hostname-max-unavailable-pass]] spec:map[affinity:map[podAntiAffinity:map[requiredDuringSchedulingIgnoredDuringExecution:[map[labelSelector:map[matchExpressions:[map[key:app operator:In values:[enforce-hard-pod-anti-affinity-with-hostname-max-unavailable-pass]]]] topologyKey:topology.kubernetes.io/zone] map[labelSelector:map[matchLabels:map[app:enforce-hard-pod-anti-affinity-with-hostname-max-unavailable-pass]] topologyKey:kubernetes.io/hostname]]]]]]]]}
skipping unused resource, resource : &{map[apiVersion:apps/v1 kind:Deployment metadata:map[name:enforce-hard-pod-anti-affinity-with-hostname-min-available-fail namespace:default] spec:map[replicas:3 selector:map[matchLabels:map[app:enforce-hard-pod-anti-affinity-with-hostname-min-available-fail]] template:map[metadata:map[labels:map[app:enforce-hard-pod-anti-affinity-with-hostname-min-available-fail]] spec:map[affinity:map[podAntiAffinity:map[requiredDuringSchedulingIgnoredDuringExecution:[map[labelSelector:map[matchExpressions:[map[key:app operator:In values:[enforce-hard-pod-anti-affinity-with-hostname-min-available-fail]]]] topologyKey:kubernetes.io/hostname] map[labelSelector:map[matchExpressions:[map[key:app operator:In values:[enforce-hard-pod-anti-affinity-with-hostname-min-available-fail]]]] topologyKey:topology.kubernetes.io/zone]]]]]]]]}
skipping unused resource, resource : &{map[apiVersion:apps/v1 kind:Deployment metadata:map[name:enforce-hard-pod-anti-affinity-with-hostname-max-unavailable-fail namespace:default] spec:map[replicas:3 selector:map[matchLabels:map[app:enforce-hard-pod-anti-affinity-with-hostname-max-unavailable-fail]] template:map[metadata:map[labels:map[app:enforce-hard-pod-anti-affinity-with-hostname-max-unavailable-fail]] spec:map[affinity:map[podAntiAffinity:map[requiredDuringSchedulingIgnoredDuringExecution:[map[labelSelector:map[matchExpressions:[map[key:app operator:In values:[enforce-hard-pod-anti-affinity-with-hostname-max-unavailable-fail]]]] topologyKey:topology.kubernetes.io/zone]]]]]]]]}
skipping unused resource, resource : &{map[apiVersion:apps/v1 kind:Deployment metadata:map[name:enforce-hard-pod-anti-affinity-with-hostname-min-available-pass namespace:default] spec:map[replicas:3 selector:map[matchLabels:map[app:enforce-hard-pod-anti-affinity-with-hostname-min-available-pass]] template:map[metadata:map[labels:map[app:enforce-hard-pod-anti-affinity-with-hostname-min-available-pass]] spec:map[affinity:map[podAntiAffinity:map[requiredDuringSchedulingIgnoredDuringExecution:[map[labelSelector:map[matchExpressions:[map[key:app operator:In values:[enforce-hard-pod-anti-affinity-with-hostname-min-available-pass]]]] topologyKey:topology.kubernetes.io/zone] map[labelSelector:map[matchLabels:map[app:enforce-hard-pod-anti-affinity-with-hostname-min-available-pass]] topologyKey:kubernetes.io/hostname]]]]]]]]}
skipping unused resource, resource : &{map[apiVersion:apps/v1 kind:Deployment metadata:map[name:enforce-soft-pod-anti-affinity-with-zone-fail namespace:default] spec:map[replicas:4 selector:map[matchLabels:map[app:enforce-soft-pod-anti-affinity-with-zone-fail]] template:map[metadata:map[labels:map[app:enforce-soft-pod-anti-affinity-with-zone-fail]] spec:map[affinity:map[podAntiAffinity:map[requiredDuringSchedulingIgnoredDuringExecution:[map[labelSelector:map[matchExpressions:[map[key:app operator:In values:[enforce-soft-pod-anti-affinity-with-zone-fail]]]] topologyKey:kubernetes.io/hostname] map[labelSelector:map[matchExpressions:[map[key:app operator:In values:[enforce-soft-pod-anti-affinity-with-zone-fail]]]] topologyKey:topology.kubernetes.io/zone]]]]]]]]}
skipping unused resource, resource : &{map[apiVersion:apps/v1 kind:Deployment metadata:map[name:enforce-soft-pod-anti-affinity-with-zone-pass namespace:default] spec:map[replicas:4 selector:map[matchLabels:map[app:enforce-soft-pod-anti-affinity-with-zone-pass]] template:map[metadata:map[labels:map[app:enforce-soft-pod-anti-affinity-with-zone-pass]] spec:map[affinity:map[podAntiAffinity:map[preferredDuringSchedulingIgnoredDuringExecution:[map[podAffinityTerm:map[labelSelector:map[matchLabels:map[app:enforce-soft-pod-anti-affinity-with-zone-pass]] topologyKey:topology.kubernetes.io/zone] weight:1]] requiredDuringSchedulingIgnoredDuringExecution:[map[labelSelector:map[matchExpressions:[map[key:app operator:In values:[enforce-soft-pod-anti-affinity-with-zone-pass]]]] topologyKey:kubernetes.io/hostname]]]]]]]]}
applying 1 policy to 1 resource...
I0312 15:28:02.936998    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.937013    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.937021    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.937070    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.937077    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.937083    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.937529    1125 vars.go:376]  "msg"="variable substituted" "path"="/context/0/apiCall/urlPath" "value"=null "variable"="{{request.namespace}}"
I0312 15:28:02.937620    1125 vars.go:376]  "msg"="variable substituted" "path"="/context/0/apiCall/jmesPath" "value"=null "variable"="{{request.object.spec.template.metadata.labels}}"
I0312 15:28:02.938087    1125 vars.go:376]  "msg"="variable substituted" "path"="/preconditions/all/0/key" "value"=null "variable"="{{ request.object.spec.replicas }}"
I0312 15:28:02.938171    1125 vars.go:376]  "msg"="variable substituted" "path"="/preconditions/all/1/key" "value"=null "variable"="{{ pdb_count }}"
I0312 15:28:02.938659    1125 vars.go:376]  "msg"="variable substituted" "path"="/validate/anyPattern/0/spec/template/spec/affinity/podAntiAffinity/^(requiredDuringSchedulingIgnoredDuringExecution)/0/labelSelector/matchLabels" "value"=null "variable"="{{ request.object.spec.template.metadata.labels }}"
I0312 15:28:02.939042    1125 vars.go:376]  "msg"="variable substituted" "path"="/validate/anyPattern/1/spec/template/spec/affinity/podAntiAffinity/^(preferredDuringSchedulingIgnoredDuringExecution)/0/podAffinityTerm/labelSelector/matchLabels" "value"=null "variable"="{{ request.object.spec.template.metadata.labels }}"
I0312 15:28:02.939320    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.939338    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.939345    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.939958    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.939974    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.939981    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940002    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940009    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.940015    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940067    1125 common.go:425]  "msg"="applying policy on resource" "policy"="enforce-podantiaffinity" "resource"="default/Deployment/enforce-pod-anti-affinity-pdb-fail"
I0312 15:28:02.940559    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940575    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.940582    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940635    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940644    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.940652    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940664    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940671    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.940678    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940693    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.940699    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.940705    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.941219    1125 contextloaderfactory.go:108] DefaultContextLoaderFactory "msg"="disabled loading of APICall context entry %s" "pdb_count"="(MISSING)"
I0312 15:28:02.941397    1125 vars.go:376] engine.validate "msg"="variable substituted" "new.kind"="Deployment" "new.name"="enforce-pod-anti-affinity-pdb-fail" "new.namespace"="default" "path"="" "policy.apply"="All" "policy.name"="enforce-podantiaffinity" "policy.namespace"="" "rule.name"="enforce-pod-anti-affinity-pdb" "value"=3 "variable"="{{ request.object.spec.replicas }}"
I0312 15:28:02.941515    1125 vars.go:376] engine.validate "msg"="variable substituted" "new.kind"="Deployment" "new.name"="enforce-pod-anti-affinity-pdb-fail" "new.namespace"="default" "path"="" "policy.apply"="All" "policy.name"="enforce-podantiaffinity" "policy.namespace"="" "rule.name"="enforce-pod-anti-affinity-pdb" "value"=1 "variable"="{{ pdb_count }}"
I0312 15:28:02.942458    1125 vars.go:376] engine.validate "msg"="variable substituted" "new.kind"="Deployment" "new.name"="enforce-pod-anti-affinity-pdb-fail" "new.namespace"="default" "path"="/0/spec/template/spec/affinity/podAntiAffinity/^(requiredDuringSchedulingIgnoredDuringExecution)/0/labelSelector/matchLabels" "policy.apply"="All" "policy.name"="enforce-podantiaffinity" "policy.namespace"="" "rule.name"="enforce-pod-anti-affinity-pdb" "value"={"app":"enforce-pod-anti-affinity-pdb-fail"} "variable"="{{ request.object.spec.template.metadata.labels }}"
I0312 15:28:02.943152    1125 vars.go:376] engine.validate "msg"="variable substituted" "new.kind"="Deployment" "new.name"="enforce-pod-anti-affinity-pdb-fail" "new.namespace"="default" "path"="/1/spec/template/spec/affinity/podAntiAffinity/^(preferredDuringSchedulingIgnoredDuringExecution)/0/podAffinityTerm/labelSelector/matchLabels" "policy.apply"="All" "policy.name"="enforce-podantiaffinity" "policy.namespace"="" "rule.name"="enforce-pod-anti-affinity-pdb" "value"={"app":"enforce-pod-anti-affinity-pdb-fail"} "variable"="{{ request.object.spec.template.metadata.labels }}"
I0312 15:28:02.943405    1125 validate.go:77]  "msg"="Pattern and resource have different structures." "current"="<nil>" "expected"="map[string]interface {}" "path"="/spec/template/spec/affinity/podAntiAffinity/requiredDuringSchedulingIgnoredDuringExecution/0/labelSelector/matchLabels/"
I0312 15:28:02.943434    1125 validate.go:77]  "msg"="Pattern and resource have different structures." "current"="<nil>" "expected"="map[string]interface {}" "path"="/spec/template/spec/affinity/podAntiAffinity/requiredDuringSchedulingIgnoredDuringExecution/1/labelSelector/matchLabels/"
I0312 15:28:02.943471    1125 validate_resource.go:314] engine.validate "msg"="validation rule failed" "anyPattern[%d]"=0 "new.kind"="Deployment" "new.name"="enforce-pod-anti-affinity-pdb-fail" "new.namespace"="default" "path"="/spec/template/spec/affinity/podAntiAffinity/requiredDuringSchedulingIgnoredDuringExecution/" "policy.apply"="All" "policy.name"="enforce-podantiaffinity" "policy.namespace"="" "rule.name"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.944349    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.944361    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.944368    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.944389    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.944395    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.944401    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.944428    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.944435    1125 rule.go:286] autogen "msg"="generating rule for cronJob"
I0312 15:28:02.944441    1125 rule.go:233] autogen "msg"="processing rule" "rulename"="enforce-pod-anti-affinity-pdb"
I0312 15:28:02.944523    1125 test_command.go:1155]  "msg"="result mismatch" "expected"="fail" "key"="enforce-podantiaffinity-enforce-pod-anti-affinity-pdb-default-Deployment-enforce-pod-anti-affinity-pdb-fail" "received"="pass"

│───│─────────────────────────│───────────────────────────────│───────────────────────────────────────────────────────│────────│
│ # │ POLICY                  │ RULE                          │ RESOURCE                                              │ RESULT │
│───│─────────────────────────│───────────────────────────────│───────────────────────────────────────────────────────│────────│
│ 1 │ enforce-podantiaffinity │ enforce-pod-anti-affinity-pdb │ default/Deployment/enforce-pod-anti-affinity-pdb-fail │ Fail   │
│───│─────────────────────────│───────────────────────────────│───────────────────────────────────────────────────────│────────│

Test Summary: 0 tests passed and 1 tests failed

Aggregated Failed Test Cases :
│───│─────────────────────────│───────────────────────────────│───────────────────────────────────────────────────────│────────│
│ # │ POLICY                  │ RULE                          │ RESOURCE                                              │ RESULT │
│───│─────────────────────────│───────────────────────────────│───────────────────────────────────────────────────────│────────│
│ 1 │ enforce-podantiaffinity │ enforce-pod-anti-affinity-pdb │ default/Deployment/enforce-pod-anti-affinity-pdb-fail │ Fail   │
│───│─────────────────────────│───────────────────────────────│───────────────────────────────────────────────────────│────────│

andrewhibbert • Mar 12 '24 15:03

My guess is this has to do specifically with use of anyPattern along with the "existence" anchor.

chipzoller • Mar 13 '24 23:03

That is required because there can be multiple requiredDuringSchedulingIgnoredDuringExecution and preferredDuringSchedulingIgnoredDuringExecution

andrewhibbert • Mar 14 '24 11:03
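
A simplified model of the rule from the log above, added here as an example; it is not Kyverno's code and not from anyone in this thread. It tests one possible reading of the existence anchor, namely that `^(key)` is only evaluated when `key` is present in the resource. The `absent_anchor_passes` flag, the helper names and the sample Deployment (built from the paths in the log, with topologyKey values assumed) are constructed for illustration.

```python
# Simplified model of anyPattern plus the existence anchor ^(key).
# Added illustration, not Kyverno's implementation: operators, wildcards
# and the other anchor types are left out.
import re

ANCHOR = re.compile(r"^\^\((.+)\)$")
LABELS = {"app": "enforce-pod-anti-affinity-pdb-fail"}
HOSTNAME = "kubernetes.io/hostname"
REQUIRED = "requiredDuringSchedulingIgnoredDuringExecution"
PREFERRED = "preferredDuringSchedulingIgnoredDuringExecution"


def matches(pattern, resource, absent_anchor_passes):
    """True if resource satisfies pattern (pattern keys are a subset check)."""
    if not isinstance(pattern, dict):
        return pattern == resource
    if not isinstance(resource, dict):
        return False
    for key, sub in pattern.items():
        anchor = ANCHOR.match(key)
        if anchor is None:
            if key not in resource or not matches(sub, resource[key], absent_anchor_passes):
                return False
            continue
        name = anchor.group(1)
        if name not in resource:
            # ASSUMPTION under test: is a missing list a pass or a fail?
            if absent_anchor_passes:
                continue
            return False
        items = resource[name]
        # Existence: at least one list element must satisfy the element pattern.
        if not isinstance(items, list) or not any(
            matches(sub[0], item, absent_anchor_passes) for item in items
        ):
            return False
    return True


def any_pattern(patterns, resource, absent_anchor_passes):
    """Rule passes if any one pattern matches; also return per-pattern results."""
    results = [matches(p, resource, absent_anchor_passes) for p in patterns]
    return ("pass" if any(results) else "fail"), results


def wrap(anti_affinity):
    """Nest a podAntiAffinity block at the Deployment path used by the rule."""
    return {"spec": {"template": {"spec": {"affinity": {"podAntiAffinity": anti_affinity}}}}}


# The two patterns from the mutated policy in the log, variables substituted.
PATTERNS = [
    wrap({f"^({REQUIRED})": [
        {"labelSelector": {"matchLabels": LABELS}, "topologyKey": HOSTNAME}]}),
    wrap({f"^({PREFERRED})": [
        {"podAffinityTerm": {"labelSelector": {"matchLabels": LABELS},
                             "topologyKey": HOSTNAME, "weight": 1}}]}),
]

# Constructed sample: two required terms that use matchExpressions only (the log
# reports matchLabels as <nil> at indexes 0 and 1); topologyKey values assumed.
EXPR = {"matchExpressions": [{"key": "app", "operator": "In", "values": [LABELS["app"]]}]}
FAIL_RESOURCE = wrap({REQUIRED: [
    {"labelSelector": EXPR, "topologyKey": HOSTNAME},
    {"labelSelector": EXPR, "topologyKey": "topology.kubernetes.io/zone"},
]})

if __name__ == "__main__":
    for lenient in (False, True):
        print("absent_anchor_passes =", lenient, any_pattern(PATTERNS, FAIL_RESOURCE, lenient))
```

With `absent_anchor_passes=True` the model returns pass through pattern 1 alone, which lines up with the `"received"="pass"` entry in the log, and dropping the second pattern turns the result into fail, as the report describes.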

Are there any updates?

andrewhibbert • Apr 02 '24 17:04

Hi, @andrewhibbert. I'm Dosu, and I'm helping the kyverno team manage their backlog. I'm marking this issue as stale.

Issue Summary

  • You reported a bug in Kyverno CLI version 1.10.6 where anyPattern fails without matches.
  • You provided logs and a Kyverno playground example for reproduction.
  • @chipzoller suggested the issue might relate to anyPattern with the "existence" anchor.
  • You clarified the necessity of anyPattern due to multiple scheduling entries.
  • You inquired about updates, but the issue remains unresolved.

Next Steps

  • Please confirm if this issue is still relevant to the latest version of Kyverno.
  • If it is, feel free to comment to keep the discussion open; otherwise, it will be automatically closed in 60 days.

Thank you for your understanding and contribution!

dosubot[bot] • Jan 10 '25 16:01

Still an issue

andrewhibbert • Jan 10 '25 16:01

@realshuting, the user @andrewhibbert has confirmed that the issue with anyPattern in Kyverno CLI version 1.10.6 is still relevant. Could you please assist them with this?

dosubot[bot] • Jan 10 '25 16:01

not stale

andrewhibbert • Aug 26 '25 17:08