[Bug] Mutate policy panics Kyverno's background controller with segmentation violation
Kyverno Version
1.12
Kubernetes Version
1.29
Kubernetes Platform
AKS
Description
Hi, when I tried to use this spec:
spec:
  mutateExistingOnPolicyUpdate: true
  validationFailureAction: Enforce
  background: true
  rules:
    - name: add-ingress-annotations
      match:
        resources:
          kinds:
            - Ingress
      preconditions:
        all:
          - key: "{{request.operation}}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
          - key: "{{request.object.metadata.annotations.\"cert-manager.io/issuer-group\"}}"
            operator: Equals
            value: "certs"
          - key: "{{ request.object.metadata.annotations.\"kubernetes.io/ingress.class\" || 'undef' }}"
            operator: NotEquals
            value: gce
      mutate:
        targets:
          - apiVersion: networking.k8s.io/v1
            kind: Ingress
        patchStrategicMerge:
          metadata:
            annotations:
              cert-manager.io/issuer: "something"
              cert-manager.io/issuer-group: "certs.something.com"
              cert-manager.io/issuer-kind: "something"
then the background controller crashes with this error:
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x3532150]

goroutine 342 [running]:
k8s.io/apimachinery/pkg/util/runtime.handleCrash({0x46c7f40, 0x6a1ad00}, {0x3985cc0, 0x69330d0}, {0x6a1ad00, 0x0, 0x43b965?})
	k8s.io/apimachinery@v0.31.1/pkg/util/runtime/runtime.go:89 +0xee
k8s.io/apimachinery/pkg/util/runtime.HandleCrash({0x0, 0x0, 0xc0020afa40?})
	k8s.io/apimachinery@v0.31.1/pkg/util/runtime/runtime.go:59 +0x108
panic({0x3985cc0?, 0x69330d0?})
	runtime/panic.go:785 +0x132
github.com/kyverno/kyverno/pkg/policy.ruleChange({0x47256b0, 0xc00205e908}, {0x47256b0, 0xc002756d88})
	github.com/kyverno/kyverno/pkg/policy/generate.go:299 +0x5d0
github.com/kyverno/kyverno/pkg/policy.(*policyController).updatePolicy(0xc002582140, {0x3fc7c80?, 0xc00205e908?}, {0x3fc7c80?, 0xc002756d88?})
	github.com/kyverno/kyverno/pkg/policy/policy_controller.go:204 +0x2eb
k8s.io/client-go/tools/cache.ResourceEventHandlerFuncs.OnUpdate(...)
	k8s.io/client-go@v0.31.1/tools/cache/controller.go:253
k8s.io/client-go/tools/cache.(*processorListener).run.func1()
	k8s.io/client-go@v0.31.1/tools/cache/shared_informer.go:976 +0xea
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0x30?)
	k8s.io/apimachinery@v0.31.1/pkg/util/wait/backoff.go:226 +0x33
k8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc001c7bf70, {0x46836c0, 0xc001c20150}, 0x1, 0xc002612700)
	k8s.io/apimachinery@v0.31.1/pkg/util/wait/backoff.go:227 +0xaf
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc00253ff70, 0x3b9aca00, 0x0, 0x1, 0xc002612700)
	k8s.io/apimachinery@v0.31.1/pkg/util/wait/backoff.go:204 +0x7f
k8s.io/apimachinery/pkg/util/wait.Until(...)
	k8s.io/apimachinery@v0.31.1/pkg/util/wait/backoff.go:161
k8s.io/client-go/tools/cache.(*processorListener).run(0xc002d6c240)
	k8s.io/client-go@v0.31.1/tools/cache/shared_informer.go:972 +0x5a
k8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1()
	k8s.io/apimachinery@v0.31.1/pkg/util/wait/wait.go:72 +0x4c
created by k8s.io/apimachinery/pkg/util/wait.(*Group).Start in goroutine 250
	k8s.io/apimachinery@v0.31.1/pkg/util/wait/wait.go:70 +0x73
The problem is the || 'undef' part. As soon as I remove it, Kyverno works well.
Kyverno version: 1.13.3
Kubernetes:
Client Version: v1.30.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.4
Steps to reproduce
- Apply yaml file with Kyverno policy with kubectl apply -f filename.yaml
- Check background's logs with command kubectl -n kyverno logs -f kyverno-background-controller
Expected behavior
Default values work perfectly for validation rules and per the documentation must work with mutations.
Screenshots
No response
Kyverno logs
2025-03-04T08:21:34Z ERR runtime/panic.go:262 > Observed a panic logger=klog panic="runtime error: invalid memory address or nil pointer dereference" panicGoValue="\"invalid memory address or nil pointer dereference\"" stacktrace="goroutine 342 [running]:\nk8s.io/apimachinery/pkg/util/runtime.logPanic({0x46c7f40, 0x6a1ad00}, {0x3985cc0, 0x69330d0})\n\tk8s.io/apimachinery@v0.31.1/pkg/util/runtime/runtime.go:107 +0xbc\nk8s.io/apimachinery/pkg/util/runtime.handleCrash({0x46c7f40, 0x6a1ad00}, {0x3985cc0, 0x69330d0}, {0x6a1ad00, 0x0, 0x43b965?})\n\tk8s.io/apimachinery@v0.31.1/pkg/util/runtime/runtime.go:82 +0x5e\nk8s.io/apimachinery/pkg/util/runtime.HandleCrash({0x0, 0x0, 0xc0020afa40?})\n\tk8s.io/apimachinery@v0.31.1/pkg/util/runtime/runtime.go:59 +0x108\npanic({0x3985cc0?, 0x69330d0?})\n\truntime/panic.go:785 +0x132\ngithub.com/kyverno/kyverno/pkg/policy.ruleChange({0x47256b0, 0xc00205e908}, {0x47256b0, 0xc002756d88})\n\tgithub.com/kyverno/kyverno/pkg/policy/generate.go:299 +0x5d0\ngithub.com/kyverno/kyverno/pkg/policy.(*policyController).updatePolicy(0xc002582140, {0x3fc7c80?, 0xc00205e908?}, {0x3fc7c80?, 0xc002756d88?})\n\tgithub.com/kyverno/kyverno/pkg/policy/policy_controller.go:204 +0x2eb\nk8s.io/client-go/tools/cache.ResourceEventHandlerFuncs.OnUpdate(...)\n\tk8s.io/client-go@v0.31.1/tools/cache/controller.go:253\nk8s.io/client-go/tools/cache.(*processorListener).run.func1()\n\tk8s.io/client-go@v0.31.1/tools/cache/shared_informer.go:976 +0xea\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1(0x30?)\n\tk8s.io/apimachinery@v0.31.1/pkg/util/wait/backoff.go:226 +0x33\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil(0xc001c7bf70, {0x46836c0, 0xc001c20150}, 0x1, 0xc002612700)\n\tk8s.io/apimachinery@v0.31.1/pkg/util/wait/backoff.go:227 +0xaf\nk8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc00253ff70, 0x3b9aca00, 0x0, 0x1, 0xc002612700)\n\tk8s.io/apimachinery@v0.31.1/pkg/util/wait/backoff.go:204 
+0x7f\nk8s.io/apimachinery/pkg/util/wait.Until(...)\n\tk8s.io/apimachinery@v0.31.1/pkg/util/wait/backoff.go:161\nk8s.io/client-go/tools/cache.(*processorListener).run(0xc002d6c240)\n\tk8s.io/client-go@v0.31.1/tools/cache/shared_informer.go:972 +0x5a\nk8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1()\n\tk8s.io/apimachinery@v0.31.1/pkg/util/wait/wait.go:72 +0x4c\ncreated by k8s.io/apimachinery/pkg/util/wait.(*Group).Start in goroutine 250\n\tk8s.io/apimachinery@v0.31.1/pkg/util/wait/wait.go:70 +0x73\n"
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
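
For triage, the frame that matters in the trace above is the one listed directly after `panic(...)`. The following is an added example, not part of the original issue or Kyverno's code, that extracts that frame from a raw trace or from the escaped `stacktrace=` field of the klog line; `Frame`, `parseFrames` and `panicOrigin` are hypothetical helper names, and the sample is abridged from the trace in this issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Abridged from the trace in this issue.
const sampleTrace = `goroutine 342 [running]:
k8s.io/apimachinery/pkg/util/runtime.HandleCrash({0x0, 0x0, 0xc0020afa40?})
	k8s.io/apimachinery@v0.31.1/pkg/util/runtime/runtime.go:59 +0x108
panic({0x3985cc0?, 0x69330d0?})
	runtime/panic.go:785 +0x132
github.com/kyverno/kyverno/pkg/policy.ruleChange({0x47256b0, 0xc00205e908}, {0x47256b0, 0xc002756d88})
	github.com/kyverno/kyverno/pkg/policy/generate.go:299 +0x5d0
`

// Frame is one stack entry: the function and its source location.
type Frame struct{ Func, File string }

// parseFrames pairs each function line with the file line below it. It accepts
// a raw trace or the escaped form (literal \n and \t) found in a klog field.
func parseFrames(trace string) (frames []Frame) {
	lines := strings.Split(strings.NewReplacer(`\n`, "\n", `\t`, "\t").Replace(trace), "\n")
	for i := 0; i+1 < len(lines); i++ {
		fn, loc := strings.TrimSpace(lines[i]), strings.TrimSpace(lines[i+1])
		if !strings.HasSuffix(fn, ")") || !strings.Contains(loc, ".go:") {
			continue
		}
		frames = append(frames, Frame{fn[:strings.LastIndex(fn, "(")], strings.Fields(loc)[0]})
		i++ // skip the file line just consumed
	}
	return frames
}

// panicOrigin returns the frame listed directly after the last panic() entry,
// i.e. the function that was executing when the original panic was raised.
func panicOrigin(frames []Frame) (Frame, bool) {
	for i := len(frames) - 2; i >= 0; i-- {
		if frames[i].Func == "panic" {
			return frames[i+1], true
		}
	}
	return Frame{}, false
}

func main() {
	fmt.Println(panicOrigin(parseFrames(sampleTrace)))
}
```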