[Bug] Unique host and path ingress policy is blocking updates

[Fauli]

Kyverno Version

1.12

Kubernetes Version

1.29

Kubernetes Platform

AKS

Description

I'm refering to #833

I'm using v1.12.3, and am still facing this issue. Not sure if it was ever resolved?
My policy is the stadard one from the documentation:
https://kyverno.io/policies/other/unique-ingress-host-and-path/unique-ingress-host-and-path/

Upon editing an existing ingress, I face:

unique-ingress-host-and-path:
  check-host-path-combo: 'validation failure: The Ingress host and path combination
    must be unique across the cluster.'

Do you know if this has ever been fixed and tested?

Steps to reproduce

1. Create ingress with any host & path combination
2. Update the same ingress
3. Save

Expected behavior

Save works, ingress is only colloding with itself, so should be fine.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

• I have read and followed the documentation AND the troubleshooting guide.
• I have searched other issues in this repository and mine is not recorded.

[realshuting]

Hi @Fauli - we have Chainsaw tests covering this policy https://github.com/kyverno/policies/tree/main/other/unique-ingress-host-and-path/.chainsaw-test.

I tried locally using 1.12.5 and was not able to replicate the issue, I installed the policy, and created the following ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: goodingress01
spec:
  rules:
  - host: bar
    http:
      paths:
      - backend:
          service:
            name: demo-svc
            port:
              number: 8080
        path: /foo
        pathType: Prefix

And updated the path /foo to /bar, and it went through:

$ k edit ingress goodingress01
ingress.networking.k8s.io/goodingress01 edited

Please share detailed resource manifests so we can reproduce the issue.

[Fauli]

Hello @realshuting

Thanks for the quick reply!
Some further details: The update works when the path is change, but not if i.e. the annotation is updated, but the path stays the same.

My exact steps for re-creation are:

1. Create file /tmp/test.yaml with the content you provided.

2. Run command: kubectl apply -f /tmp/test.yaml
   This produces: ingress.networking.k8s.io/goodingress01 created

3. Edit the created ingress. Add any annotation, in my test, I'm adding "test": "ok" using kubectl edit ingress goodingress01
   This produces

error: ingresses.networking.k8s.io "goodingress01" could not be patched: admission webhook "validate.kyverno.svc-fail" denied the request:

resource Ingress/fauli/goodingress01 was blocked due to the following policies

unique-ingress-host-and-path:
  check-host-path-combo: 'validation failure: The Ingress host and path combination
    must be unique across the cluster.'

You can run `kubectl replace -f /tmp/kubectl-edit-3492521222.yaml` to try this update again.

For the last step, you can also just use this command and get the same result:
kubectl annotate ingress goodingress01 test=ok

Let me know if you have any further questions regarding the recreation steps.

[realshuting]

Still not able to reproduce it -

1. With the policy installed:

✗ k get cpol                               
NAME                           ADMISSION   BACKGROUND   VALIDATE ACTION   READY   AGE     MESSAGE
unique-ingress-host-and-path   true        false        Audit             True    2m33s   Ready

2. I can add the annotation to the ingress:

✗ k annotate ingress goodingress01 test=ok
ingress.networking.k8s.io/goodingress01 annotated

I'm running 1.12.5.

[Fauli]

Hello @realshuting
I see you have the policy as Audit, not Enforced, then the update will not be blocked anyways.
Nevertheless, I'm updating the chart on my end and will test it again 👍

[Fauli]

Hello @realshuting

I updated to /kyverno/kyverno:v1.12.5 and ran the tests again:

 $ k annotate ingress goodingress01 test=ok
Error from server: admission webhook "validate.kyverno.svc-fail" denied the request:

resource Ingress/fauli/goodingress01 was blocked due to the following policies

unique-ingress-host-and-path:
  check-host-path-combo: 'validation failure: The Ingress host and path combination
    must be unique across the cluster.'

Still facing the same issue. I guess your test works because you only run the policy in audit, and not enforce to actually prevent the creation of a second ingress with an already existing combination of host and path?

[realshuting]

Nice catch @Fauli - let me try it again.

[realshuting]

I can confirm the issue exists in 1.12.5 but not 1.13.0-beta.1:

$ k get cpol                                        
NAME                           ADMISSION   BACKGROUND   READY   AGE     MESSAGE
unique-ingress-host-and-path   true        false        True    2m32s   Ready

$ k get cpol -o yaml | grep validationFailureAction:
    validationFailureAction: Enforce

$ k annotate ingress goodingress01 foo=bar                                 
ingress.networking.k8s.io/goodingress01 annotated

You can expect the fix in 1.13.0 GA release.

[Fauli]

Hello @realshuting

Thanks for the update!
Do you, by any chance, know when 1.13 is planned for release?

[realshuting]

Hello @realshuting

Thanks for the update! Do you, by any chance, know when 1.13 is planned for release?

We are on 1.13.0-rc.1 and trying to get kyverno/kyverno#3837 in. We will cut rc.2 once it's completed and hopefully GA comes after that.