[Bug] polr for resources having a policyexception become incorrect after some seconds

Kyverno Version

1.15.2

Description

PolicyReports for resources that have a PolicyException are correct at admission time, but after some seconds they are overwritten with wrong data. This is a big problem IMHO as it makes reporting untrustworthy.

How to reproduce

In the Helm chart I have this defined:

```yaml
features:
  policyExceptions:
    enabled: true
    namespace: 'kyverno-exceptions'
```

I see that both the admission-controller and the reports-controller have the right command-line parameters:

```
--enablePolicyException=true
--exceptionNamespace=kyverno-exceptions
```

I create a dummy vpol that always fails:

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: my-policy
spec:
  validationActions:
    - Audit
  failurePolicy: Ignore
  autogen:
    podControllers:
      controllers: []
  evaluation:
    background:
      enabled: true
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        operations: ["CREATE","UPDATE"]
  validations:
    - expression: "0 == 1"
      message: 'always fails'
```

and I create an exception for pods called foo:

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: PolicyException
metadata:
  name: allow-if-called-foo
  namespace: kyverno-exceptions
spec:
  policyRefs:
    - name: my-policy
      kind: ValidatingPolicy
  matchConditions:
    - name: allowed-for-foo
      expression: object.metadata.name == 'foo'
```

I submit both, and then create a pod called foo:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: foo
spec:
  containers:
  - name: dummy-pod
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      runAsNonRoot: true
      seccompProfile:
        type: "RuntimeDefault"
```

10-15 seconds or so after admission I have the expected policy report:

```yaml
apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
  creationTimestamp: "2025-10-22T14:47:01Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: kyverno
  name: 67c01b33-7846-44c9-94a7-0783097f7b62
  namespace: my-namespace
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: foo
    uid: 67c01b33-7846-44c9-94a7-0783097f7b62
  resourceVersion: "677530"
  uid: 5d9de7c5-65ef-4788-a068-cfcf33223d54
results:
- message: 'rule is skipped due to policy exception: kyverno-exceptions/allow-if-called-foo'
  policy: my-policy
  properties:
    exceptions: allow-if-called-foo
    process: background scan
  result: skip
  rule: exception
  scored: true
  source: KyvernoValidatingPolicy
  timestamp:
    nanos: 0
    seconds: 1761144401
scope:
  apiVersion: v1
  kind: Pod
  name: foo
  namespace: my-namespace
  uid: 67c01b33-7846-44c9-94a7-0783097f7b62
summary:
  error: 0
  fail: 0
  pass: 0
  skip: 1
  warn: 0
```

BUT

30 seconds later or so the report is updated, but wrong this time, and then it stays like this forever:

```yaml
apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
  creationTimestamp: "2025-10-22T14:47:01Z"
  generation: 2
  labels:
    app.kubernetes.io/managed-by: kyverno
  name: 67c01b33-7846-44c9-94a7-0783097f7b62
  namespace: my-namespace
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: foo
    uid: 67c01b33-7846-44c9-94a7-0783097f7b62
  resourceVersion: "677670"
  uid: 5d9de7c5-65ef-4788-a068-cfcf33223d54
results:
- message: always fails
  policy: my-policy
  properties:
    process: background scan
  result: fail
  scored: true
  source: KyvernoValidatingPolicy
  timestamp:
    nanos: 0
    seconds: 1761144431
scope:
  apiVersion: v1
  kind: Pod
  name: foo
  namespace: my-namespace
  uid: 67c01b33-7846-44c9-94a7-0783097f7b62
summary:
  error: 0
  fail: 1
  pass: 0
  skip: 0
  warn: 0
```
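A small check for the regression described above, added here as an example and not part of the issue or of Kyverno: it compares two snapshots of the same PolicyReport and flags any policy that was skipped because of a PolicyException in the earlier snapshot but no longer is in the later one. The two snapshots are constructed from the generation 1 and generation 2 reports shown above (only the fields the check needs).

```python
from typing import Dict, List, Tuple

# Constructed from the first (expected) PolicyReport in the issue, generation 1.
REPORT_GEN1: Dict = {
    "metadata": {"name": "67c01b33-7846-44c9-94a7-0783097f7b62", "generation": 1},
    "scope": {"kind": "Pod", "namespace": "my-namespace", "name": "foo"},
    "results": [{
        "policy": "my-policy", "rule": "exception", "result": "skip",
        "source": "KyvernoValidatingPolicy",
        "properties": {"exceptions": "allow-if-called-foo", "process": "background scan"},
    }],
}

# Constructed from the second (wrong) PolicyReport in the issue, generation 2.
REPORT_GEN2: Dict = {
    "metadata": {"name": "67c01b33-7846-44c9-94a7-0783097f7b62", "generation": 2},
    "scope": {"kind": "Pod", "namespace": "my-namespace", "name": "foo"},
    "results": [{
        "policy": "my-policy", "result": "fail", "source": "KyvernoValidatingPolicy",
        "properties": {"process": "background scan"},
    }],
}


def excepted_policies(report: Dict) -> Dict[Tuple[str, str], str]:
    """Map (source, policy) -> exception name for results skipped via a PolicyException."""
    out: Dict[Tuple[str, str], str] = {}
    for r in report.get("results", []):
        exc = r.get("properties", {}).get("exceptions")
        if r.get("result") == "skip" and exc:
            out[(r.get("source"), r.get("policy"))] = exc
    return out


def lost_exceptions(before: Dict, after: Dict) -> List[Tuple[str, str, str]]:
    """Return (policy, exception, new_result) for every exception honoured in
    `before` that no longer yields a skip in `after`, i.e. the drift in the issue."""
    if before["metadata"]["name"] != after["metadata"]["name"]:
        raise ValueError("snapshots belong to different PolicyReports")
    still_excepted = excepted_policies(after)
    findings: List[Tuple[str, str, str]] = []
    for key, exc in excepted_policies(before).items():
        if key in still_excepted:
            continue  # exception still applied, nothing to report
        later = [r for r in after.get("results", []) if (r.get("source"), r.get("policy")) == key]
        findings.append((key[1], exc, later[0].get("result", "unknown") if later else "missing"))
    return findings


if __name__ == "__main__":
    for policy, exc, result in lost_exceptions(REPORT_GEN1, REPORT_GEN2):
        print(f"{policy}: exception {exc} no longer applied, result is now {result}")
```

Run against live reports by dumping the same PolicyReport twice (e.g. before and after the background scan) and feeding both snapshots to `lost_exceptions`.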

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.