
[Bug] Combination of synchronize:true and generateExisting:true seems to cause long objects create/update

Kyverno Version

1.11.5

Kubernetes Version

1.32.x

Kubernetes Platform

Other (specify in description)

Kyverno Rule Type

Generate

Description

The combination of generate.synchronize: true per object and generateExisting: true seems to cause slow object creation/updates. I suspect that the errors below indicate some kind of race condition inside the controller. Therefore it terminates the reconcile operation over and over. If you wait 10-20-30 minutes, at some point all requested objects get created or updated.

Steps to reproduce

  1. Apply a generate policy with both options enabled, like:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: eso-bootstrap-policy
spec:
  generateExisting: true
  rules:
    - name: create-eso-sa
      match:
        resources:
          kinds:
            - Namespace
      generate:
        orphanDownstreamOnPolicyDelete: true
        synchronize: true
        apiVersion: v1
        kind: ServiceAccount
        name: vault-secret-store
        namespace: "{{request.object.metadata.name}}"

    - name: create-eso-crb
      match:
        resources:
          kinds:
            - Namespace
      generate:
        synchronize: true
        orphanDownstreamOnPolicyDelete: true
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        name: "vault-tokenreviewer-crb-{{ request.object.metadata.name }}"
        data:
          roleRef:
            kind: ClusterRole
            name: vault-tokenreviewer
          subjects:
            - kind: ServiceAccount
              name: vault-secret-store
              namespace: "{{request.object.metadata.name}}"

Expected behavior

I expect that objects will be created or updated according to the policy with minimum delay.

Screenshots

No response

Kyverno logs

2025-11-12T12:47:01Z ERR github.com/kyverno/kyverno/pkg/background/generate/generator.go:209 > failed to update resource error="Operation cannot be fulfilled on clusterrolebindings.rbac.authorization.k8s.io \"vault-tokenreviewer-crb-yandex-system\": the object has been modified; please apply your changes to the latest version and try again" logger=background name=ur-7rxs9 policy=eso-bootstrap-policy rule=create-eso-crb target=rbac.authorization.k8s.io/v1/ClusterRoleBinding//vault-tokenreviewer-crb-yandex-system trigger=/yandex-system
2025-11-12T12:47:01Z ERR github.com/kyverno/kyverno/pkg/background/generate/controller.go:301 > failed to apply generate rule error="Operation cannot be fulfilled on clusterrolebindings.rbac.authorization.k8s.io \"vault-tokenreviewer-crb-yandex-system\": the object has been modified; please apply your changes to the latest version and try again" logger=background name=ur-7rxs9 policy=eso-bootstrap-policy trigger=/yandex-system

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
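
For triaging a conflict loop like the one in the logs above, the following added example (not part of the original report and not Kyverno code) parses log lines in that layout and counts "object has been modified" failures per policy and trigger. The sample lines are constructed; treating `name` as the UpdateRequest name and same-timestamp generator.go/controller.go errors as one attempt are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log lines in the report (error text
# and file paths shortened; ur-aaaa1, ur-bbbb2 and team-a are made-up values).
SAMPLE = r'''
2025-11-12T12:47:01Z ERR generator.go:209 > failed to update resource error="Operation cannot be fulfilled on clusterrolebindings.rbac.authorization.k8s.io \"crb-yandex-system\": the object has been modified" logger=background name=ur-aaaa1 policy=eso-bootstrap-policy rule=create-eso-crb trigger=/yandex-system
2025-11-12T12:47:01Z ERR controller.go:301 > failed to apply generate rule error="Operation cannot be fulfilled on clusterrolebindings.rbac.authorization.k8s.io \"crb-yandex-system\": the object has been modified" logger=background name=ur-aaaa1 policy=eso-bootstrap-policy trigger=/yandex-system
2025-11-12T12:49:30Z ERR generator.go:209 > failed to update resource error="Operation cannot be fulfilled on clusterrolebindings.rbac.authorization.k8s.io \"crb-yandex-system\": the object has been modified" logger=background name=ur-bbbb2 policy=eso-bootstrap-policy rule=create-eso-crb trigger=/yandex-system
2025-11-12T12:50:02Z ERR generator.go:209 > failed to update resource error="constructed non-conflict error" logger=background name=ur-bbbb2 policy=eso-bootstrap-policy rule=create-eso-sa trigger=/team-a
2025-11-12T12:50:05Z INF example.go:1 > constructed info line logger=background name=ur-bbbb2 policy=eso-bootstrap-policy trigger=/team-a
'''

# key=value pairs: values are bare tokens or double-quoted strings with \" escapes
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
CONFLICT = "the object has been modified"

def parse_line(line):
    """Split one console-format line into (timestamp, level, fields)."""
    head, sep, rest = line.partition(" > ")
    parts = head.split()
    if not sep or len(parts) < 2:
        return None
    fields = {}
    for key, val in FIELD.findall(rest):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return parts[0], parts[1], fields

def conflict_summary(text):
    """Group optimistic-concurrency failures by (policy, trigger)."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec[1] != "ERR" or CONFLICT not in rec[2].get("error", ""):
            continue
        ts, _, f = rec
        # generator.go and controller.go report the same failure; the set
        # collapses them into one attempt per (timestamp, UpdateRequest).
        seen[(f.get("policy"), f.get("trigger"))].add((ts, f.get("name")))
    return {
        key: {"attempts": len(a), "update_requests": sorted({n for _, n in a}),
              "first": min(t for t, _ in a), "last": max(t for t, _ in a)}
        for key, a in seen.items()
    }

if __name__ == "__main__":
    for key, info in conflict_summary(SAMPLE).items():
        print(key, info)
```

A high attempt count spread across several UpdateRequests for the same trigger, with a long gap between `first` and `last`, matches the repeated-reconcile pattern described in the report.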