
[Bug] mutateExistingOnPolicyUpdate using wildcard match on namespace is not working

Kyverno Version

1.15.0

Description

Version: 1.15.1

What are you attempting?

I want to create a ClusterPolicy that adds an imagePullSecret to all ServiceAccounts lacking one, but only within a certain subset of namespaces (prefixed by "tn-"). Full policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: patch-tenant-serviceaccounts-with-acr-pull-secret
  annotations:
    policies.kyverno.io/title: Add Image Pull Secret to ServiceAccounts
    policies.kyverno.io/category: ServiceAccount
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: ServiceAccount
    policies.kyverno.io/description: >-
      Automatically adds the new acr-pull-secret to ServiceAccounts in tenant namespaces that don't have any
      imagePullSecrets defined. This ensures all pods can pull images from our
      Azure Container Registry.
    policies.kyverno.io/namespace: "tn-*"
spec:
  background: true
  mutateExistingOnPolicyUpdate: true
  rules:
    - name: add-acr-pull-secret
      match:
        any:
        - resources:
            kinds:
              - ServiceAccount
            namespaces:
              - "tn-*"
      mutate:
        targets:
          - apiVersion: v1
            kind: ServiceAccount
            namespace: "{{ request.object.metadata.namespace }}"
            name: "{{ request.object.metadata.name }}"
            preconditions:
              all:
              - key: "{{ contains(keys(target), 'imagePullSecrets') }}"
                operator: Equals
                value: false
        patchStrategicMerge:
          imagePullSecrets:
            - name: acr-pull-secret

What do you expect to happen?

All ServiceAccounts within "tn-*" namespaces that lack an ImagePullSecret will have one added. Additionally, all ServiceAccounts passing through the API server will be mutated with this policy as well.

What actually happens?

Only the ServiceAccounts passing through the API server are mutated as desired.

Suspected reason

The functionality for fetching preexisting resources doesn't do wildcard matching properly (at least for the namespaces, possibly other fields as well).

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1760691989238579

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
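To make the expected background-scan behaviour concrete, the following Go program is an added example written for this page; it is not the reporter's code and not Kyverno's implementation. It models the rule above against a constructed list of ServiceAccounts (the data is made up, not from any cluster) and assumes Go's `path.Match` as a stand-in wildcard engine for `match.resources.namespaces`. `ExpectedTargets` returns the ServiceAccounts a correct `mutateExistingOnPolicyUpdate` scan should patch (namespace matches `tn-*` and the `imagePullSecrets` key is absent); `ExactMatchTargets` shows what the same selection yields if the namespace entry is compared as a literal string instead of a pattern, which is the failure mode the report suspects.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// ServiceAccount is a minimal stand-in for core/v1 ServiceAccount: only the
// fields the policy's match block and precondition look at.
type ServiceAccount struct {
	Namespace        string
	Name             string
	ImagePullSecrets []string // nil means the key is absent from the object
}

// namespaceMatches mirrors the intended semantics of match.resources.namespaces:
// each entry is a glob-style pattern such as "tn-*", not a literal name.
// path.Match is used as the wildcard engine here (an assumption for this
// example; it is not Kyverno's own matcher).
func namespaceMatches(patterns []string, ns string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(p, ns); err == nil && ok {
			return true
		}
	}
	return false
}

// needsPullSecret reproduces the rule's precondition
// contains(keys(target), 'imagePullSecrets') == false: patch only targets
// that carry no imagePullSecrets key at all.
func needsPullSecret(sa ServiceAccount) bool {
	return sa.ImagePullSecrets == nil
}

// ExpectedTargets returns "namespace/name" for every ServiceAccount a
// background scan of the policy should mutate: namespace matches the
// wildcard pattern and the precondition holds. Output is sorted for stable
// comparison.
func ExpectedTargets(sas []ServiceAccount, patterns []string) []string {
	var out []string
	for _, sa := range sas {
		if namespaceMatches(patterns, sa.Namespace) && needsPullSecret(sa) {
			out = append(out, sa.Namespace+"/"+sa.Name)
		}
	}
	sort.Strings(out)
	return out
}

// ExactMatchTargets is the same selection with literal string comparison,
// i.e. what a scan that never expands the wildcard would pick up. With a
// pattern like "tn-*" no real namespace is ever equal to it, so nothing is
// selected.
func ExactMatchTargets(sas []ServiceAccount, patterns []string) []string {
	var out []string
	for _, sa := range sas {
		for _, p := range patterns {
			if sa.Namespace == p && needsPullSecret(sa) {
				out = append(out, sa.Namespace+"/"+sa.Name)
			}
		}
	}
	sort.Strings(out)
	return out
}

// SampleServiceAccounts is constructed test data for this example, not taken
// from any real cluster.
var SampleServiceAccounts = []ServiceAccount{
	{Namespace: "tn-alpha", Name: "default"},                                           // should be patched
	{Namespace: "tn-alpha", Name: "builder", ImagePullSecrets: []string{"other-secret"}}, // already has one
	{Namespace: "tn-beta", Name: "default"},                                            // should be patched
	{Namespace: "tn-gamma", Name: "ci", ImagePullSecrets: []string{"acr-pull-secret"}},   // already has one
	{Namespace: "kube-system", Name: "default"},                                        // not a tenant namespace
	{Namespace: "platform", Name: "default"},                                           // not a tenant namespace
}

func main() {
	patterns := []string{"tn-*"}
	fmt.Println("wildcard match:", ExpectedTargets(SampleServiceAccounts, patterns))
	fmt.Println("literal match: ", ExactMatchTargets(SampleServiceAccounts, patterns))
}
```

Running it prints two tenant ServiceAccounts under the wildcard match and none under the literal comparison, which is the same gap the report describes between admission-time mutation (working) and the scan of pre-existing resources (not working). The same selection can be spot-checked against a live cluster by listing ServiceAccounts in the `tn-*` namespaces and filtering on the absence of `imagePullSecrets` before and after the policy update.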