[Bug] "logical and" does not work
Kyverno Version
1.8.x
Kubernetes Version
1.23.x
Kubernetes Platform
AKS
Description
I am trying to write a policy which requires topologySpreadConstraints for the topologyKeys "kubernetes.io/hostname" and "topology.kubernetes.io/zone".
Using the "|" operator instead of the "&" operator works, but then only one of the topologyKeys needs to be available.
I want to have both topologyKeys available.
Steps to reproduce
policy.yaml:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: spread-pods
  annotations:
    policies.kyverno.io/title: Spread Pods Across Nodes & Zones
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Deployment, Pod
    policies.kyverno.io/description: >-
      Deployments to a Kubernetes cluster with multiple availability zones often need to
      distribute those replicas to align with those zones to ensure site-level failures
      do not impact availability.
spec:
  validationFailureAction: audit
  background: true
  failurePolicy: Ignore
  rules:
  - name: spread-pods
    match:
      any:
      - resources:
          kinds:
          - Deployment
          - StatefulSet
    validate:
      message: "topologySpreadConstraint for kubernetes.io/hostname & topology.kubernetes.io/zone is required"
      pattern:
        spec:
          template:
            spec:
              topologySpreadConstraints:
              - topologyKey: kubernetes.io/hostname & topology.kubernetes.io/zone
```
resource.yaml:

```yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: memcached
  namespace: monitoring
  labels:
    app: thanos-memcached
spec:
  selector:
    matchLabels:
      app: thanos-memcached
  serviceName: memcached
  replicas: 3
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: thanos-memcached
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      securityContext:
        fsGroup: 1001
      containers:
      - name: memcached
        image: memcached:1.6.17-alpine
        command:
        - memcached
        - -m 2048
        - -o
        - modern
        - -v
        ports:
        - name: tcp-memcached
          containerPort: 11211
        livenessProbe:
          tcpSocket:
            port: tcp-memcached
          initialDelaySeconds: 30
          timeoutSeconds: 5
        readinessProbe:
          tcpSocket:
            port: tcp-memcached
          initialDelaySeconds: 5
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
          limits:
            memory: 2Gi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: [ALL]
          privileged: false
          readOnlyRootFilesystem: true
          runAsUser: 1001
      topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: ScheduleAnyway
        labelSelector:
          matchLabels:
            app: thanos-memcached
      - maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: ScheduleAnyway
        labelSelector:
          matchLabels:
            app: thanos-memcached
```
```
kyverno apply policy.yaml --resource resource.yaml

Applying 1 policy rule to 1 resource...

policy spread-pods -> resource monitoring/StatefulSet/memcached failed:
1. spread-pods: validation error: topologySpreadConstraint for kubernetes.io/hostname & topology.kubernetes.io/zone is required. rule spread-pods failed at path /spec/template/spec/topologySpreadConstraints/0/topologyKey/

pass: 0, fail: 1, warn: 0, error: 0, skip: 0
```
Expected behavior
Policy does not fail.
Screenshots
No response
Kyverno logs
No response
Slack discussion
No response
Troubleshooting
- [X] I have read and followed the documentation AND the troubleshooting guide.
- [X] I have searched other issues in this repository and mine is not recorded.
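Added example, not taken from this issue or from Kyverno's own sample policies: the pattern above compares `kubernetes.io/hostname & topology.kubernetes.io/zone` against one `topologyKey` string at a time, and no single constraint carries both values, which is why element 0 is reported as the failing path. Requiring both keys is a check on the set of declared keys, so this version uses a `deny` condition over the collected `topologyKey` values; it assumes the `AnyNotIn` operator and the JMESPath `|| \`[]\`` default (to handle workloads with no constraints at all) behave as expected on 1.8.x.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-hostname-and-zone-spread
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: require-both-topology-keys
    match:
      any:
      - resources:
          kinds:
          - Deployment
          - StatefulSet
    validate:
      message: >-
        topologySpreadConstraints must include both kubernetes.io/hostname
        and topology.kubernetes.io/zone
      deny:
        conditions:
          any:
          # Deny when any of the required keys is absent from the list of
          # topologyKey values actually declared on the pod template.
          # The `|| []` fallback makes a missing topologySpreadConstraints
          # field evaluate to an empty list instead of null (assumption).
          - key:
            - kubernetes.io/hostname
            - topology.kubernetes.io/zone
            operator: AnyNotIn
            value: "{{ request.object.spec.template.spec.topologySpreadConstraints[].topologyKey || `[]` }}"
```

Against the StatefulSet in this report both keys are present, so the condition is false and the resource passes; remove either constraint and the rule denies with the message above.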