Mutate policy on existing resource not working only for k8s tls secret #1051
-
Kyverno Version: 1.7
Kubernetes Version: 1.28
Kubernetes Platform: GKE

Description
Hi Team, I am creating a cluster policy to add labels to the Kubernetes TLS secrets, but when I apply the attached policy it adds labels to every secret present in the k8s cluster, including the TLS secret. Can you please help me with a solution that only adds labels to TLS secrets? Thanks

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: label-existing-tls-secrets
  annotations:
    policies.kyverno.io/title: Label Existing TLS Secrets
    policies.kyverno.io/category: Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Secret
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Adds a specific label to all existing TLS secrets.
spec:
  mutateExistingOnPolicyUpdate: true
  rules:
  - name: label-existing-tls-secrets-rule
    match:
      resources:
        kinds:
        - Secret
    preconditions:
      all:
      - key: "{{ request.object.type }}"
        operator: Equals
        value: kubernetes.io/tls
    mutate:
      targets:
      - apiVersion: v1
        kind: Secret
        preconditions:
          all:
          - key: "{{ request.object.type }}"
            operator: Equals
            value: kubernetes.io/tls
      patchStrategicMerge:
        metadata:
          labels:
            monitor-cert: "true"

Steps to reproduce
1. Generate a self-signed certificate and key:
   openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=example.com"
2. Create a TLS secret in Kubernetes:
   kubectl create secret tls dummy-tls-secret --cert=tls.crt --key=tls.key
3. Apply the attached policy.

Expected behavior
It should add labels only to the TLS secret.

Screenshots: No response
Kyverno logs: No response
Slack discussion: No response
Troubleshooting
Replies: 4 comments 2 replies
-
If you want to only update matching admission requests, try;
-
Hi @jim Bugwadia, I think you did not get my issue. I want to add labels to the Kubernetes TLS secret only for existing TLS secrets, but the policy attached in the issue adds labels to normal k8s secrets as well. So, I am looking for a policy which will only add labels to TLS Kubernetes secrets. Just to confirm: without the parameter mutateExistingOnPolicyUpdate it is working fine for newly created secrets, but my requirement is for existing TLS k8s secrets.
-
Not a bug, converted to discussion. You aren't using the target variable as explained in the docs.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: label-existing-tls-secrets
spec:
  mutateExistingOnPolicyUpdate: true
  rules:
  - name: label-existing-tls-secrets-rule
    match:
      any:
      - resources:
          kinds:
          - Secret
    preconditions:
      all:
      - key: "{{ request.object.type }}"
        operator: Equals
        value: kubernetes.io/tls
    mutate:
      targets:
      - apiVersion: v1
        kind: Secret
        preconditions:
          all:
          - key: "{{ target.type }}"
            operator: Equals
            value: kubernetes.io/tls
      patchStrategicMerge:
        metadata:
          labels:
            monitor-cert: "true"
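To make the difference between the original policy's target precondition and the corrected one concrete, here is an added example that is not part of the thread and not Kyverno's own code. It models in Python how a mutate-existing rule evaluates its target-level precondition: request.object is the resource that triggered the rule, and target is each candidate Secret being mutated, so a precondition on request.object.type is the same answer for every candidate while one on target.type is evaluated per candidate. The sample Secrets, the patch dictionary and the tiny variable resolver are constructed for this illustration; the real engine uses JMESPath and supports more operators than Equals.

```python
import re
from copy import deepcopy

# Constructed sample Secrets standing in for what a cluster might hold;
# only the first one is a TLS secret and should end up labelled.
SECRETS = [
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "dummy-tls-secret", "namespace": "default"},
     "type": "kubernetes.io/tls"},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "db-password", "namespace": "default"},
     "type": "Opaque"},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "regcred", "namespace": "default"},
     "type": "kubernetes.io/dockerconfigjson"},
]

# The labels part of the thread's patchStrategicMerge.
PATCH = {"metadata": {"labels": {"monitor-cert": "true"}}}

# The two target-level preconditions from the thread: the broken one tests the
# trigger, the fixed one tests the target being mutated.
BROKEN_PRECONDITION = {"all": [{"key": "{{ request.object.type }}",
                                "operator": "Equals",
                                "value": "kubernetes.io/tls"}]}
FIXED_PRECONDITION = {"all": [{"key": "{{ target.type }}",
                               "operator": "Equals",
                               "value": "kubernetes.io/tls"}]}

_VAR = re.compile(r"^\{\{\s*([A-Za-z_][\w.]*)\s*\}\}$")


def resolve(template, ctx):
    """Minimal stand-in for Kyverno's JMESPath substitution: accepts one
    '{{ a.b.c }}' reference and walks the nested dict. An unresolvable path
    yields None, so an Equals check against it fails."""
    m = _VAR.match(template.strip())
    if m is None:
        raise ValueError(f"unsupported key expression: {template!r}")
    cur = ctx
    for part in m.group(1).split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def precondition_holds(precondition, ctx):
    """Evaluate an 'all' block using the Equals operator (the only one modelled)."""
    for cond in precondition.get("all", []):
        if cond["operator"] != "Equals":
            raise NotImplementedError(cond["operator"])
        if resolve(cond["key"], ctx) != cond["value"]:
            return False
    return True


def mutate_existing(trigger, targets, target_precondition, patch):
    """Simplified model of a mutate rule with targets: each candidate is
    evaluated in its own context where request.object is the trigger and
    target is the candidate. Candidates that pass get the patch labels
    merged in. Returns the names of the mutated targets."""
    mutated = []
    for t in targets:
        ctx = {"request": {"object": trigger}, "target": t}
        if not precondition_holds(target_precondition, ctx):
            continue
        labels = t.setdefault("metadata", {}).setdefault("labels", {})
        labels.update(patch["metadata"]["labels"])
        mutated.append(t["metadata"]["name"])
    return mutated


def run_rule(target_precondition, trigger=None):
    """Simulate the rule firing (by default on admission of the TLS secret)
    and return the resulting labels per Secret name."""
    targets = deepcopy(SECRETS)
    trigger = deepcopy(SECRETS[0]) if trigger is None else trigger
    mutate_existing(trigger, targets, target_precondition, PATCH)
    return {t["metadata"]["name"]: t["metadata"].get("labels", {})
            for t in targets}


if __name__ == "__main__":
    for label, pre in (("request.object.type", BROKEN_PRECONDITION),
                       ("target.type", FIXED_PRECONDITION)):
        labelled = [n for n, l in run_rule(pre).items()
                    if l.get("monitor-cert") == "true"]
        print(f"precondition on {label}: labelled {labelled}")
```

With the trigger being the admitted TLS secret, the request.object.type check passes once and therefore for every target, so all three Secrets get the label, which is the behaviour reported in the question; the target.type check labels only dummy-tls-secret. Passing a trigger without a type field (for example a policy object) to run_rule shows the other side of the same mistake in this model: the request.object.type precondition resolves to None and no target is mutated at all.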
-
Hi @chipzoller, thanks for the provided policy; it is working for both existing resources and newly created resources. Just curious to know: is this policy executed by the background controller or the admission controller? Thanks