UNCLASSIFIED - NO CUI

Kyverno Script Fails when Empty Templates Present

During the configuration of the ztunnel chart, it was found that Kyverno is unable to handle scenarios where empty templates may be generated:

https://repo1.dso.mil/big-bang/apps/sandbox/ztunnel/-/jobs/48630979#L56


Running a helm template allows all charts to render (including the empty one) without issue:

helm template ztunnel chart -n istio-system -f tests/test-values.yaml

After multiple attempts at workarounds, there appears to be no avoiding this situation for certain Helm charts. For example, adding upstream.global to the values.yaml will allow Kyverno to work, but it will break Helm templating. Further experimentation also provided no successful outcomes.

Additional digging revealed this is a known issue with the Kyverno CLI, which is captured here:

https://github.com/kyverno/kyverno/issues/13219

While that issue has been around for several months without a fix, a workaround would be to use yq to select all non-empty charts and pipe that to Kyverno.

  • Update the Kyverno script to include yq 'select(. != null)' to work around the inability to handle empty charts
Edited by Jimmy Bourque
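
The filtering step proposed above, as an added example that is not part of the original issue or the project's script. It uses awk as a stand-in for yq 'select(. != null)' so it runs without yq installed; the function names and the sample render (including its template file names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: awk stand-in for the yq 'select(. != null)' filter.
# Reads a multi-document YAML stream on stdin and re-emits only documents
# that contain at least one line that is neither blank nor a comment.
# Limitation: a document whose only content is a literal "null" or "~"
# is kept here, whereas yq would drop it.
drop_empty_docs() {
  awk '
    function emit() {
      if (has_content) printf "---\n%s", doc
      doc = ""; has_content = 0
    }
    /^---[ \t]*(#.*)?$/ { emit(); next }   # document separator
    {
      doc = doc $0 "\n"
      if ($0 !~ /^[ \t]*(#.*)?$/) has_content = 1
    }
    END { emit() }
  '
}

# Constructed sample of rendered output: the first document holds only
# comments (an "empty" template), the second is a real resource.
sample_render() {
  cat <<'EOF'
---
# Source: ztunnel/templates/empty.yaml
# (template rendered no resources)
---
# Source: ztunnel/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ztunnel
  namespace: istio-system
EOF
}

# Intended placement in a pipeline (the last stage is a placeholder for
# however the Kyverno script consumes the rendered manifests):
#   helm template ztunnel chart -n istio-system -f tests/test-values.yaml \
#     | drop_empty_docs | <kyverno step>
```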