[Bug] Policy doesn't exclude namespaces when using exclude and/or preconditions

Kyverno Version

1.12

Kubernetes Version

1.29

Kubernetes Platform

EKS

Description

Objective: a policy that applies PSS labels to all namespaces except kube-system, kube-public, default and kube-node-lease.

Labels to add:

  • "pod-security.kubernetes.io/enforce": "baseline"
  • "pod-security.kubernetes.io/warn": "restricted"

Policy:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ps-labels
spec:
  validationFailureAction: Audit
  failurePolicy: Ignore
  background: false
  rules:
    - name: add-ps-labels
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              kinds:
                - Namespace
              names:
                - default
                - kube-system
                - kube-public
                - kube-node-lease
      mutate:
        targets:
          - apiVersion: v1
            kind: Namespace
        foreach:
          - list: "[ 'pod-security.kubernetes.io/enforce', 'pod-security.kubernetes.io/warn' ]"
            preconditions:
              all:
                - key: "{{ keys(request.object.metadata.labels) || [] }}"
                  operator: AllNotIn
                  value: "[ '{{ element }}' ]"
            patchStrategicMerge:
              metadata:
                labels:
                  "pod-security.kubernetes.io/enforce": "baseline"
                  "pod-security.kubernetes.io/warn": "restricted"
```

Methods tried:

  • exclude
  • configMaps context to pass namespace list
  • preconditions

Versions:

  • Kyverno Helm chart: 3.3.7
  • EKS: 1.30

Problem:

Kyverno doesn't respect the exclude list of namespaces and mutates them. What's expected is that the excluded namespaces should not be mutated.

Steps to reproduce

  1. Deploy Kyverno with the latest Helm chart version (3.3.7)
  2. Deploy the policy above
  3. Create a new namespace to trigger the policy
  4. Verify the excluded namespaces: the labels are applied to them as well as to all other namespaces

Expected behavior

Labels should not be applied to excluded namespaces.

Screenshots

No response

Kyverno logs

Logs:

`2025-02-24T16:11:25Z INF github.com/kyverno/kyverno/pkg/engine/handlers/mutation/common.go:48 > mutateResp.PatchedResource logger=engine.mutate new.kind=Namespace new.name=labels-ns new.namespace= policy.apply=All policy.name=add-ps-labels policy.namespace= resource={"Object":{"apiVersion":"v1","kind":"Namespace","metadata":{"creationTimestamp":"2024-10-29T19:15:38Z","labels":{"k8slens-edit-resource-version":"v1","kubernetes.io/metadata.name":"kube-system","pod-security.kubernetes.io/enforce":"baseline","pod-security.kubernetes.io/warn":"restricted"},"managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kubernetes.io/metadata.name":{}}}},"manager":"kube-apiserver","operation":"Update","time":"2024-10-29T19:15:38Z"},{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{"f:k8slens-edit-resource-version":{}}}},"manager":"node-fetch","operation":"Update","time":"2025-02-19T15:11:38Z"}],"name":"kube-system","resourceVersion":"27464271","uid":"28f46c7c-fb3f-472c-804e-6a05c6f22c88"},"spec":{"finalizers":["kubernetes"]},"status":{"phase":"Active"}}} rule.name=add-ps-labels v=0`

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1740413685564239

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
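A small audit script for step 4 of the reproduction, added here as an example; it is not part of the issue and not Kyverno's own code. It reads the JSON that `kubectl get ns -o json` produces, reports which of the four excluded namespaces nevertheless carry the two PSS labels and which non-excluded namespaces are missing them, and mirrors the policy's foreach precondition (`keys(labels) AllNotIn [element]`) so its effect can be checked per namespace: that precondition passes whenever the label key is absent, and it does not look at the namespace name. The namespace list embedded below is constructed for the example; the kube-system entry reflects the labels shown in the log line above.

```python
"""Audit check for the add-ps-labels policy: which namespaces carry the PSS
labels, and whether any of the excluded namespaces were mutated anyway."""
import json
import sys

ENFORCE = "pod-security.kubernetes.io/enforce"
WARN = "pod-security.kubernetes.io/warn"
EXPECTED = {ENFORCE: "baseline", WARN: "restricted"}   # labels the policy sets
EXCLUDED = {"default", "kube-system", "kube-public", "kube-node-lease"}

# Constructed sample in the shape of `kubectl get ns -o json` (not real data).
SAMPLE_NS_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "kube-system", "labels": {
            "kubernetes.io/metadata.name": "kube-system",
            ENFORCE: "baseline", WARN: "restricted"}}},      # excluded, yet patched
        {"metadata": {"name": "default", "labels": {
            "kubernetes.io/metadata.name": "default"}}},      # excluded, untouched
        {"metadata": {"name": "labels-ns", "labels": {
            "kubernetes.io/metadata.name": "labels-ns",
            ENFORCE: "baseline", WARN: "restricted"}}},      # trigger ns, patched
        {"metadata": {"name": "team-a", "labels": {
            "kubernetes.io/metadata.name": "team-a",
            ENFORCE: "baseline"}}},                           # only one label set
    ],
})


def labels_of(ns):
    """Return the namespace's labels; tolerate a missing or null labels map."""
    return ns.get("metadata", {}).get("labels") or {}


def pss_labels(ns):
    """Only the PSS labels the policy manages, as found on the namespace."""
    return {k: v for k, v in labels_of(ns).items() if k in EXPECTED}


def precondition_passes(ns, element):
    """Mirror of the policy's foreach precondition:
    key = keys(labels), operator = AllNotIn, value = [element].
    True when none of the namespace's label keys equals `element`,
    i.e. the label is not yet present. The namespace name plays no role."""
    return all(key not in [element] for key in labels_of(ns))


def audit(ns_list_json, excluded=EXCLUDED, expected=EXPECTED):
    """Classify every namespace in a NamespaceList JSON document."""
    report = {"wrongly_mutated": [], "missing_labels": [], "ok": []}
    for ns in json.loads(ns_list_json).get("items", []):
        name = ns["metadata"]["name"]
        found = pss_labels(ns)
        if name in excluded:
            # An excluded namespace must carry none of the managed labels.
            (report["wrongly_mutated"] if found else report["ok"]).append(name)
        elif found == expected:
            report["ok"].append(name)
        else:
            report["missing_labels"].append(name)
    return report


if __name__ == "__main__":
    # Usage: kubectl get ns -o json | python audit_pss_labels.py -
    # Without "-" the constructed sample above is used.
    src = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_NS_LIST
    print(json.dumps(audit(src), indent=2))
```

Run it against a live cluster with `kubectl get ns -o json | python audit_pss_labels.py -` (the script name is an assumption); a non-empty `wrongly_mutated` list reproduces what the log line above shows for kube-system.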