[Bug] Kyverno Policy not working as expected with allowed Tolerations list.

### Kyverno Version

1.12

### Kubernetes Version

1.29

### Kubernetes Platform

EKS

### Description

I am trying to use a Kyverno Namespaced Policy to allow a Pod's spec to contain a combination of tolerations from an allowed list and to deny any other tolerations. This is a specific requirement from the product team, as we offer customers the ability to create their own namespaces and play with them, and we don't want them to modify the existing tolerations.

### Steps to reproduce

1. Apply the Kyverno policy.

```yaml
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: kishorekyvernons-allowed-tolerations
  namespace: develop
  annotations:
    policies.kyverno.io/title: "Flexible Tolerations Policy"
    policies.kyverno.io/category: "Pod Security"
    policies.kyverno.io/severity: "high"
    policies.kyverno.io/description: "Ensures pods only use tolerations from the allowed set"
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: validate-tolerations
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Pod tolerations must be from the allowed set of tolerations"
        foreach:
        - list: "request.object.spec.tolerations"
          deny:
            conditions:
              all:
              - key: "{{ element }}"
                operator: AnyNotIn
                value:
                - key: "node.kubernetes.io/unreachable"
                  effect: "NoExecute"
                  value: ""
                - key: "node.kubernetes.io/not-ready"
                  effect: "NoExecute"
                  value: ""
                - key: "node.kubernetes.io/not-ready"
                  effect: "NoExecute"
                  operator: "Exists"
                - key: "node.kubernetes.io/unreachable"
                  effect: "NoExecute"
                  operator: "Exists"
                - key: "nvidia.com/gpu"
                  effect: "NoSchedule"
                  value: "present"
                - key: "tenant"
                  effect: "NoSchedule"
                  operator: "Equal"
                  value: "develop"
                - key: "tenant"
                  effect: "NoExecute"
                  operator: "Equal"
                  value: "develop"
                - key: "target"
                  effect: "NoSchedule"
                  operator: "Equal"
                  value: "k8s"
                - key: "target"
                  effect: "NoExecute"
                  operator: "Equal"
                  value: "k8s"
```

2. Try to create a pod using the pod.yaml below.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: python-pod
spec:
  containers:
  - name: python-container
    image: python:3.9
    command: ["python","-m","http.server","8080"]
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
  - effect: NoSchedule
    key: nvidia.com/gpu
    operator: Equal
    value: present
  - effect: NoSchedule
    key: tenant
    operator: Equal
    value: kishorekyvernons
  - effect: NoExecute
    key: tenant
    operator: Equal
    value: kishorekyvernons
  - effect: NoSchedule
    key: target
    operator: Equal
    value: k8s
  - effect: NoExecute
    key: target
    operator: Equal
    value: k8s
```

### Expected behavior

Ideally it should block the pod creation, but I am able to create the pod irrespective of the values of tenant and any other tolerations.

### Screenshots

No response

### Kyverno logs

### Slack discussion

No response

### Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
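Added example, not part of the report and not Kyverno code: a stand-alone Python check that implements the allow-list the policy above is meant to enforce, run over the tolerations from the report's pod.yaml. It assumes tolerations should be compared after applying Kubernetes defaults (an absent `operator` means `Equal`, an `Exists` toleration carries no value), which is why the allowed entries written with `value: ""` and those written with `operator: Exists` are treated as distinct entries; with the report's inputs, the two `tenant` tolerations valued `kishorekyvernons` are the ones reported as not allowed.

```python
"""Reference check for the allowed-tolerations rule in the issue above.
Added example, not Kyverno code; the allowed set and the pod tolerations
are copied from the report, the default-normalisation is an assumption."""

ALLOWED = [  # the allowed set from the policy's AnyNotIn value list
    {"key": "node.kubernetes.io/unreachable", "effect": "NoExecute", "value": ""},
    {"key": "node.kubernetes.io/not-ready", "effect": "NoExecute", "value": ""},
    {"key": "node.kubernetes.io/not-ready", "effect": "NoExecute", "operator": "Exists"},
    {"key": "node.kubernetes.io/unreachable", "effect": "NoExecute", "operator": "Exists"},
    {"key": "nvidia.com/gpu", "effect": "NoSchedule", "value": "present"},
    {"key": "tenant", "effect": "NoSchedule", "operator": "Equal", "value": "develop"},
    {"key": "tenant", "effect": "NoExecute", "operator": "Equal", "value": "develop"},
    {"key": "target", "effect": "NoSchedule", "operator": "Equal", "value": "k8s"},
    {"key": "target", "effect": "NoExecute", "operator": "Equal", "value": "k8s"},
]

POD_TOLERATIONS = [  # spec.tolerations from the report's pod.yaml
    {"effect": "NoExecute", "key": "node.kubernetes.io/not-ready", "operator": "Exists"},
    {"effect": "NoExecute", "key": "node.kubernetes.io/unreachable", "operator": "Exists"},
    {"effect": "NoSchedule", "key": "nvidia.com/gpu", "operator": "Equal", "value": "present"},
    {"effect": "NoSchedule", "key": "tenant", "operator": "Equal", "value": "kishorekyvernons"},
    {"effect": "NoExecute", "key": "tenant", "operator": "Equal", "value": "kishorekyvernons"},
    {"effect": "NoSchedule", "key": "target", "operator": "Equal", "value": "k8s"},
    {"effect": "NoExecute", "key": "target", "operator": "Equal", "value": "k8s"},
]


def normalize(tol):
    """Canonical (key, operator, value, effect) tuple with Kubernetes defaults:
    operator defaults to Equal; an Exists toleration has no value."""
    op = tol.get("operator", "Equal")
    value = "" if op == "Exists" else tol.get("value", "")
    return (tol.get("key", ""), op, value, tol.get("effect", ""))


def disallowed_tolerations(tolerations, allowed=ALLOWED):
    """Return the tolerations that are not in the allowed set (object equality
    after normalisation, i.e. a set-membership check, not a key-only check)."""
    allowed_set = {normalize(a) for a in allowed}
    return [t for t in tolerations if normalize(t) not in allowed_set]


def admit(tolerations, allowed=ALLOWED):
    """(admitted, offending): admitted only when every toleration is allowed."""
    offending = disallowed_tolerations(tolerations, allowed)
    return (len(offending) == 0, offending)


if __name__ == "__main__":
    ok, bad = admit(POD_TOLERATIONS)
    print("admitted" if ok else "denied, not in allowed set:", bad)
```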