[Bug] Policy doesn't exclude namespaces when using exclude and/or preconditions

[parvez99]

Kyverno Version

1.12

Kubernetes Version

1.29

Kubernetes Platform

EKS

Description

Objective : Policy that applies PSS labels to all namespaces except for kube-system, kube-public, default and kube-node-lease

Labels to add : "pod-security.kubernetes.io/enforce": "baseline" "pod-security.kubernetes.io/warn": "restricted"

Policy :

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ps-labels
spec:
  validationFailureAction: Audit
  failurePolicy: Ignore
  background: false
  rules:
    - name: add-ps-labels
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              kinds:
                - Namespace
              names:
                - default
                - kube-system
                - kube-public
                - kube-node-lease
      mutate:
        targets:
          - apiVersion: v1
            kind: Namespace
        foreach:
          - list: "[ 'pod-security.kubernetes.io/enforce', 'pod-security.kubernetes.io/warn' ]"
            preconditions:
              all:
                - key: "{{ keys(request.object.metadata.labels) || [] }}"
                  operator: AllNotIn
                  value: "[ '{{ element }}' ]"
            patchStrategicMerge:
              metadata:
                labels:
                  "pod-security.kubernetes.io/enforce": "baseline"
                  "pod-security.kubernetes.io/warn": "restricted"

Methods tried :

• exclude
• configMaps context to pass namespace list
• preconditions

Versions:

Helm kyverno : 3.3.7
EKS: 1.30

Problem:

Kyverno doesn't respect exclude list of namespaces and mutates them. What's expected is exclude list of namespaces should not be mutated.

Steps to reproduce

1. Deploy kyverno with the latest version using helm : 3.3.7
2. Deploy above policy
3. Create a new namespace to trigger the policy
4. Verify excluded namespaces to see labels are applied to them including all other namespaces

Expected behavior

Labels should not be applied to excluded namepsaces

Screenshots

No response

Kyverno logs

Logs : 

`2025-02-24T16:11:25Z INF github.com/kyverno/kyverno/pkg/engine/handlers/mutation/common.go:48 > mutateResp.PatchedResource logger=engine.mutate new.kind=Namespace new.name=labels-ns new.namespace= policy.apply=All policy.name=add-ps-labels policy.namespace= resource={"Object":{"apiVersion":"v1","kind":"Namespace","metadata":{"creationTimestamp":"2024-10-29T19:15:38Z","labels":{"k8slens-edit-resource-version":"v1","kubernetes.io/metadata.name":"kube-system","pod-security.kubernetes.io/enforce":"baseline","pod-security.kubernetes.io/warn":"restricted"},"managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{".":{},"f:kubernetes.io/metadata.name":{}}}},"manager":"kube-apiserver","operation":"Update","time":"2024-10-29T19:15:38Z"},{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:labels":{"f:k8slens-edit-resource-version":{}}}},"manager":"node-fetch","operation":"Update","time":"2025-02-19T15:11:38Z"}],"name":"kube-system","resourceVersion":"27464271","uid":"28f46c7c-fb3f-472c-804e-6a05c6f22c88"},"spec":{"finalizers":["kubernetes"]},"status":{"phase":"Active"}}} rule.name=add-ps-labels v=0`

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1740413685564239

Troubleshooting

• I have read and followed the documentation AND the troubleshooting guide.
• I have searched other issues in this repository and mine is not recorded.

[eloo-abi]

@parvez99 i'm running into a similar issue :/

i want to add a label to all namespaces (also existing) exclude just a few one.
according to the docs (https://kyverno.io/docs/writing-policies/mutate/#mutate-existing-resources) the exclude in match will not work here because the "targets" in mutate will differ

so my current test (which is NOT working) looks like this

  mutateExistingOnPolicyUpdate: true
  rules:
    - name: label-existing-namespaces-exclude-knative
      match:
        any:
          - resources:
              kinds:
                - Namespace
      mutate:
        targets:
          - apiVersion: v1
            kind: Namespace
            preconditions:
              all:
              - key: "{{target.metadata.name}}"
                operator: AllNotIn
                values: &excludedNamespaces
                - knative-system
        patchStrategicMerge:
          metadata:
            labels:
              webhooks.knative.dev/exclude: "true"
    - name: remove-labels-from-excluded-namespaces-exclude-knative
      match:
        all:
          - resources:
              kinds:
                - Namespace
      mutate:
        targets:
          - apiVersion: v1
            kind: Namespace
            preconditions:
              all:
              - key: "{{target.metadata.name}}"
                operator: AnyIn
                values: *excludedNamespaces
        patchesJson6902: |-
          - op: remove
            path: /metadata/labels/webhooks.knative.dev~1exclude

in my case since the preconditions was added to targets to exclude some namespaces noting is working anymore.
not the adding of labels nor the removal..

maybe it would be great if the following example could be enhance with a some "excludes"
https://kyverno.io/policies/other/label-existing-namespaces/label-existing-namespaces/