Bug: Kyverno ClusterPolicy - disallow-nodeport-services
Bug
Description
kyverno-policies HelmRelease fails reconciliation when istiod is enabled but no NodePort gateways are configured.
When istiod is enabled but no NodePort istio gateways are configured, the disallow-nodeport-services ClusterPolicy fails validation because the names field renders as null instead of being omitted entirely (Kyverno requires names to be an array when present). This prevents the kyverno-policies HelmRelease from reconciling.
Relevant Logs
# Snippet from HR Description Failure
Message: Helm install failed for release kyverno/kyverno-kyverno-policies with chart kyverno-policies@3.3.4-bb.19: ClusterPolicy.kyverno.io "disallow-nodeport-services" is invalid: spec.rules[0].exclude.any[1].resources.names: Invalid value: "null": spec.rules[0].exclude.any[1].resources.names in body must be of type array: "null"
# Snippet from Secret: bigbang-kyverno-policies-values
disallow-nodeport-services:
  exclude:
    any:
    - resources:
        kinds:
        - Service
        names: null
        namespaces:
        - istio-system
    - resources:
        kinds:
        - Service
        names:
        - main-ingressgateway
        namespaces:
        - istio-gateway
Suggestion
Update this logic so that the names key is only emitted, and the $nodePortIngressGateways list only iterated over, when the list is not empty.
disallow-nodeport-services:
  validationFailureAction: Enforce
  {{- if or $nodePortIngressGateways .Values.istiod.enabled }}
  exclude:
    any:
    - resources:
        kinds:
        - Service
        {{- if $nodePortIngressGateways }}
        names:
        {{- range $name := $nodePortIngressGateways }}
        - {{ $name }}
        {{- end }}
        {{- end }}
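The following is an added example, not the chart's own template or code: it renders the failing shape and the guarded shape with Go's text/template (the engine Helm builds on) and flags a bare names key that YAML would decode as null. The Values struct and its field name are assumptions standing in for the chart's $nodePortIngressGateways value.

```go
package main

import (
	"bytes"
	"regexp"
	"strings"
	"text/template"
)

// Values stands in for the chart values the policy template reads (the field name is an assumption).
type Values struct{ NodePortIngressGateways []string }

// unguarded mirrors the failing shape: "names:" is always emitted, so an empty list leaves it null.
const unguarded = `    - resources:
        names:
{{- range $name := .NodePortIngressGateways }}
        - {{ $name }}
{{- end }}
        namespaces: [istio-system]
`

// guarded applies the issue's fix: the key is wrapped in the same condition as its items.
const guarded = `    - resources:
{{- if .NodePortIngressGateways }}
        names:
{{- range $name := .NodePortIngressGateways }}
        - {{ $name }}
{{- end }}
{{- end }}
        namespaces: [istio-system]
`

// render executes a template with text/template, the engine Helm builds on.
func render(tmpl string, v Values) string {
	var buf bytes.Buffer
	template.Must(template.New("policy").Parse(tmpl)).Execute(&buf, v)
	return buf.String()
}

var bareNames = regexp.MustCompile(`^\s*names:\s*$`)
func indent(s string) int { return len(s) - len(strings.TrimLeft(s, " ")) }

// hasNullNames reports whether the rendered YAML has a "names:" key with no sequence item under it.
func hasNullNames(rendered string) bool {
	lines := append(strings.Split(rendered, "\n"), "")
	for i, line := range lines[:len(lines)-1] {
		if bareNames.MatchString(line) && (indent(lines[i+1]) < indent(line) ||
			!strings.HasPrefix(strings.TrimSpace(lines[i+1]), "- ")) {
			return true
		}
	}
	return false
}
```

hasNullNames can be pointed at helm template output as a pre-merge check for the same defect in other policies.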
BigBang Version
3.18.0