Nick Gentoli

Kyverno CEL Autogen Bug Investigation

Problem Summary

When using Kyverno MutatingPolicy (CEL-based) targeting v1/pods, the policy is incorrectly evaluated against pod controllers (e.g., DaemonSet, Deployment) even when autogen is explicitly disabled. This leads to evaluation errors like no such key: containers because variables are not properly translated for controllers, and the webhook filtering logic is flawed.

Investigation Findings

1. Autogen Annotation is Ignored

The standard annotation pod-policies.kyverno.io/autogen-controllers: none is effectively ignored for CEL policies. The engine logic that decides whether to trigger autogen for CEL policies relies solely on the resource matching rules.

Rook + Ceph CSI Operator

`invalid value specified for ceph.dir.subvolume` when creating volume

workaournd remove the subvolumeGroup key in config.json from the ceph-csi-config ConfigMap

not able to attach volume

set mon connection version: add ms_mode: prefer-secure
set right port for connection (3300)

IntelliJ is missing device resources included from Android Studio.

These files can be found under in the Android Studio repo under artwork\resources\device-art-resources - https://android.googlesource.com/platform/tools/adt/idea/+/refs/heads/mirror-goog-studio-main/artwork/resources/device-art-resources/ (permalink)

Then copied to Android SDK - $env:ANDROID_HOME\platforms\android-<version>\skins (e.g. C:\Users\$env:USERNAME\AppData\Local\Android\Sdk\platforms\android-34\skins)

cni config folder is different
- check existing cni for directory and volume mount and env var

OKE @ v1.26.2 have OKE CNI without ipvlan. Native veth chaining works.

CNI Config (merged from /etc/cni/net.d/10-oci.conflist on the OS):

apiVersion: v1
kind: ConfigMap
metadata:
  name: cni-configuration
  namespace: cilium # same namespace as cilium (e.g. kube-system)
data:

Allow inspecting host file system via ssh

Pod manifest (generated with ChatGPT, works)

apiVersion: v1
kind: Pod
metadata:
  name: alpine-ssh
spec:
  hostNetwork: true

mgr plugin fails with

1

debug 2022-12-06T03:08:59.856+0000 7f183006f700  0 [rook ERROR rook.rook_cluster] No storage class exists matching configured Rook orchestrator storage class which currently is <local>. This storage class can be set in ceph config (mgr/rook/storage_class)
debug 2022-12-06T03:08:59.857+0000 7f183006f700  0 [rook ERROR orchestrator._interface] No storage class exists matching name provided in ceph config at mgr/rook/storage_class
Traceback (most recent call last):
  File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 125, in wrapper
    return OrchResult(f(*args, **kwargs))
  File "/usr/share/ceph/mgr/rook/module.py", line 229, in get_inventory

	#!/bin/bash


	# eth4 is the gateway
	# br0 is a PD enabled subnet without ULA

	ip6tables -t nat -A POSTROUTING -o eth4 -m set --match-set UBIOS6CUSTOM1_subnets src -m set \! --match-set UBIOS_ALL_NETv6_br0 dst -j MASQUERADE

	locals {
	bgp_subnets = [
	for i in range(2) : cidrsubnet("169.254.125.0/24", 7, i + 1) # skip range 0 to avoid 169.254.125.0
	]

	bgp_ip_ranges = [
	for net in local.bgp_subnets : {
	net = net
	addrs = [for i in range(2) : cidrhost(net, i)]
	}

	$ sudo /run/bin/machine-config-daemon pivot quay.io/openshift/okd-content@sha256:fa1104b5fd668474d8787ddde8de9d9a1cad86ff3d6b478d988e32b61e43415a
	...
	Downgraded:
	aardvark-dns 1.4.0-1.fc36 -> 1.3.0-1.fc36
	amd-gpu-firmware 20221214-145.fc36 -> 20221109-144.fc36
	bash 5.2.15-1.fc36 -> 5.2.9-2.fc36
	btrfs-progs 6.1-2.fc36 -> 6.0.2-1.fc36
	clevis 18-10.fc36 -> 18-9.fc36
	clevis-dracut 18-10.fc36 -> 18-9.fc36
	clevis-luks 18-10.fc36 -> 18-9.fc36