[Bug] [CLI] Error on mutate.foreach loop with precondition
Kyverno CLI Version
1.15.0
Description
A mutate cluster policy with a foreach loop containing preconditions with existence/non-existence expressions throws the error `Failed to parse value type doesn't match key type`.
This appears to be a similar bug to #3131 (closed) (which has been resolved) but affecting mutate rather than validate.
Steps to reproduce
- Apply this policy
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: all-mutate-vpa-enforce-resource-policy
spec:
  validationFailureAction: Audit
  rules:
    - match:
        any:
          - resources:
              kinds:
                - VerticalPodAutoscaler
      mutate:
        foreach:
          - list: request.object.spec.resourcePolicy.containerPolicies[]
            patchesJson6902: |-
              - path: /spec/resourcePolicy/containerPolicies/{{elementIndex}}/maxAllowed/memory
                op: add
                value: '16Gi'
            preconditions:
              any:
                - key: '{{ element.maxAllowed.memory || '''' }}'
                  message: maxAllowed.memory not found. Setting that to 16Gi
                  operator: Equals
                  value: ""
          - list: request.object.spec.resourcePolicy.containerPolicies[]
            patchesJson6902: |-
              - path: /spec/resourcePolicy/containerPolicies/{{elementIndex}}/maxAllowed/memory
                op: replace
                value: '16Gi'
            preconditions:
              any:
                - key: '{{ element.maxAllowed.memory || '''' }}'
                  message: maxAllowed.memory specified is greater than maximum allowed.
                    Setting that to 16Gi
                  operator: GreaterThan
                  value: 16Gi
      name: all-mutate-set-max-memory-allowed
```
- Create a resource that will match the resource kind. In this example, VerticalPodAutoscaler
```yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: vpa-test-500mi
  namespace: system-test
  labels:
    test: kyverno-mutation
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nonexistent-deployment
  updatePolicy:
    updateMode: "Off"
  resourcePolicy:
    containerPolicies:
      - containerName: test-container
        maxAllowed:
          memory: '500Mi'
        controlledResources: ['memory']
```
- View error in log
```
error: parse error:
level: error
logger: engine.mutate
message: Failed to parse value type doesn't match key type
new.kind: VerticalPodAutoscaler
new.name: vpa-test-500mi
new.namespace: system-test
policy.apply: All
policy.name: all-mutate-vpa-enforce-resource-policy
policy.namespace:
rule.name: all-mutate-set-max-memory-allowed
```
Expected behavior
Each rule in the list should successfully be executed
Screenshots
No response
Kyverno logs
Slack discussion
No response
Troubleshooting
- I have read and followed the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.