UNCLASSIFIED - NO CUI


SKIP UPGRADE: Update disallow-deprecated-apis to include precondition check for api version

Merged Rob Ferguson requested to merge fix-deprecated-apis into main
All threads resolved!

Related to https://github.com/kyverno/policies/pull/332

  • Includes updates to match fix in upstream policy
  • Disables disallow-deprecated-apis in test-values.yaml
Edited by Micah Nagel

Activity

  • Rob Ferguson changed title from Update disallow-deprecated-apis to include precondition check for api version to DEBUG - Update disallow-deprecated-apis to include precondition check for api version


  • Rob Ferguson added 1 commit

    • 047da059 - Update disallow-deprecated-apis to include precondition check for api version

  • Rob Ferguson added 1 commit

    • c25ca668 - Update disallow-deprecated-apis to include precondition check for api version

  • I have disabled the deprecated-apis test policy in test-values.yaml because it never becomes ready. I believe it is caused by this issue - https://github.com/kyverno/kyverno/issues/3580

    • Resolved by Rob Ferguson

      @michaelmcleroy Just wanted to summarize and get your thoughts. In the process of testing some of the other Kyverno policy changes I noticed main was failing to do a clean install. I poked around at it and determined it was running into an issue with the disallow-deprecated-apis policy. During the install it was failing with:

      Release "kyverno-policies" does not exist. Installing it now.
      W0816 20:29:21.690654    1182 warnings.go:70] Policies that match Pods apply to all Pods including those created and managed by controllers excluded from autogen. Use preconditions to exclude the Pods managed by controllers which are excluded from autogen. Refer to https://kyverno.io/docs/writing-policies/autogen/ for details.
      Error: admission webhook "validate-policy.kyverno.svc" denied the request: the kind defined in the any match resource is invalid: unable to convert GVK to GVR for kinds [admissionregistration.k8s.io/v1beta1/ValidatingWebhookConfiguration admissionregistration.k8s.io/v1beta1/MutatingWebhookConfiguration apiextensions.k8s.io/v1beta1/CustomResourceDefinition apiregistration.k8s.io/v1beta1/APIService authentication.k8s.io/v1beta1/TokenReview authorization.k8s.io/v1beta1/SubjectAccessReview authorization.k8s.io/v1beta1/LocalSubjectAccessReview authorization.k8s.io/v1beta1/SelfSubjectAccessReview certificates.k8s.io/v1beta1/CertificateSigningRequest coordination.k8s.io/v1beta1/Lease extensions/v1beta1/Ingress networking.k8s.io/v1beta1/Ingress networking.k8s.io/v1beta1/IngressClass rbac.authorization.k8s.io/v1beta1/ClusterRole rbac.authorization.k8s.io/v1beta1/ClusterRoleBinding rbac.authorization.k8s.io/v1beta1/Role rbac.authorization.k8s.io/v1beta1/RoleBinding scheduling.k8s.io/v1beta1/PriorityClass storage.k8s.io/v1beta1/CSIDriver storage.k8s.io/v1beta1/CSINode storage.k8s.io/v1beta1/StorageClass storage.k8s.io/v1beta1/VolumeAttachment], err: kind 'ValidatingWebhookConfiguration' not found in apiVersion 'admissionregistration.k8s.io/v1beta1'

      I searched around and saw that they had updated the upstream policy to work around this issue by adding a precondition that would check for the appropriate apiVersion. Assuming that would fix our issue in CI, I created this MR. Unfortunately, I ended up running into a different issue arising from the use of a wildcard * in the amended policy. That error is:

      E0817 18:47:21.842887       1 configmanager.go:334] WebhookConfigManager/reconcileWebhook "msg"="failed to update webhook configurations for policy" "error"="unable to update admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration: kyverno-resource-validating-webhook-cfg: ValidatingWebhookConfiguration.admissionregistration.k8s.io \"kyverno-resource-validating-webhook-cfg\" is invalid: webhooks[1].rules[0].apiVersions: Invalid value: []string{\"v1\", \"v1beta1\", \"v2beta1\", \"*\"}: if '*' is present, must not specify other API versions" "namespace"="" "policy"="check-deprecated-apis"

      The issue is mentioned as being partially fixed in the release notes for 1.7.2 but awaiting a complete fix in 1.7.3 or 1.8.0.

      I think this means we probably need to temporarily disable the disallow-deprecated-apis in the test-values.yaml and wait for an upstream fix.
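
A pre-flight check for the second error quoted above, added here as an example (it is not part of this merge request or of Kyverno's code). The kind list is constructed, and merging every kind's version into a single webhook rule is an assumed simplification of what the log shows.

```python
# Added example (not Kyverno code): lint for the rule quoted in the error above,
# "if '*' is present, must not specify other API versions".

# Constructed sample of policy match kinds in group/version/Kind form.
CONSTRUCTED_KINDS = [
    "apps/v1/Deployment",
    "policy/v1beta1/PodSecurityPolicy",
    "autoscaling/v2beta1/HorizontalPodAutoscaler",
    "batch/*/CronJob",  # wildcard version (constructed)
]


def kind_version(kind):
    """Return the version segment of 'group/version/Kind' or 'version/Kind'.

    A bare 'Kind' carries no version and is treated as '*' (assumption).
    """
    parts = kind.split("/")
    return parts[-2] if len(parts) >= 2 else "*"


def merged_api_versions(kinds):
    """Assumed model: all kinds land in one webhook rule, with versions
    deduplicated in first-seen order."""
    return list(dict.fromkeys(kind_version(k) for k in kinds))


def check_rule(api_versions):
    """Return a finding if '*' is mixed with explicit versions, else None."""
    explicit = [v for v in api_versions if v != "*"]
    if "*" in api_versions and explicit:
        return f"'*' listed together with {explicit}"
    return None


def normalize(api_versions):
    """'*' already matches every version, so a mixed list collapses to ['*']."""
    return ["*"] if "*" in api_versions else list(api_versions)


if __name__ == "__main__":
    versions = merged_api_versions(CONSTRUCTED_KINDS)
    print(versions, "->", check_rule(versions) or "ok")
    print("normalized:", normalize(versions))
```
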

  • Rob Ferguson changed title from DEBUG - Update disallow-deprecated-apis to include precondition check for api version to Update disallow-deprecated-apis to include precondition check for api version

  • Rob Ferguson changed the description

  • requested review from @michaelmcleroy

  • Rob Ferguson requested review from @toladipupo

  • Rob Ferguson resolved all threads

  • Micah Nagel changed title from Update disallow-deprecated-apis to include precondition check for api version to SKIP UPGRADE: Update disallow-deprecated-apis to include precondition check for api version

  • Added SKIP UPGRADE so that the pipeline passes. Since this is broken on main the upgrade pipeline will never succeed (and this is ok).

  • Rob Ferguson added 1 commit

    • 555a794a - Apply comment to disable deprecated api policy

  • Rob Ferguson added 1 commit

    • 972c673a - apply pattern to deprecated HPA kinds

  • Michael McLeroy
  • Rob Ferguson resolved all threads

  • Rob Ferguson added 1 commit

    • 7931141c - Include autoscaling/v2beta1 api version

  • Rob Ferguson mentioned in merge request !32 (merged)

  • Michael McLeroy approved this merge request

  • Michael McLeroy mentioned in commit 557e7b78