Misconfigured Kubewarden mutating policies together with 3rd party Kubernetes Controllers can get stuck in an infinite loop

Article Number: 000021328

Environment

  • Rancher v2.7+
  • Kubewarden

Situation

A Kubernetes resource mutated by a Kubewarden mutating policy is stuck in a reconciliation loop because it is updated by both the Kubewarden policy and another controller.

Cause

Per the Kubewarden documentation:

"Mutating policies return requests that proceed through the Kubernetes API. If there are other Kubernetes Controllers that listen for those same resources, they may mutate them back in a follow-up request. This could lead to an infinite feedback loop of mutations."

Resolution

The solution, as described in the Kubewarden documentation, is to perform the mutation within the mutating policy against:

  1. The lowest type of resource (e.g. Pod).
  2. The highest type of resource (e.g. Deployment). Note: this could still lead to loops if a controller is managing those resources, for example controllers of GitOps solutions (like Fleet, Flux, Argo, ...) or other 3rd party controllers that translate their own CRDs into Deployment objects.
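To confirm that a resource is in the loop described under Situation, the following added example (not part of the original article or of Kubewarden) scans Kubernetes API server audit events for objects that are rewritten repeatedly while a mutating webhook changes them on every write. It assumes audit logging at Metadata level or higher, which records the `mutation.webhook.admission.k8s.io/...` annotations; the function names, thresholds, webhook configuration name, service account and sample events are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

PREFIX = "mutation.webhook.admission.k8s.io/"  # audit annotation written per webhook call

def mutating_webhooks(event):
    """Webhook configurations that actually changed the object in this request."""
    hooks = set()
    for key, raw in event.get("annotations", {}).items():
        if key.startswith(PREFIX):
            info = json.loads(raw)
            if info.get("mutated"):
                hooks.add(info["configuration"])
    return hooks

def find_mutation_loops(lines, min_writes=5, window=timedelta(seconds=60)):
    """Flag objects written >= min_writes times within `window`, each write
    re-mutated by a webhook: the signature of a controller/policy tug-of-war."""
    writes = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in ("update", "patch"):
            continue
        hooks = mutating_webhooks(ev)
        if hooks:
            ref = ev["objectRef"]
            ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
            key = (ref["resource"], ref.get("namespace", ""), ref["name"])
            writes[key].append((ts, ev["user"]["username"], hooks))
    loops = {}
    for key, items in writes.items():
        items.sort(key=lambda item: item[0])
        start = 0
        for end, (ts, _, _) in enumerate(items):
            while ts - items[start][0] > window:   # slide the window forward
                start += 1
            burst = items[start:end + 1]
            if len(burst) >= min_writes:
                loops[key] = {"writers": sorted({w for _, w, _ in burst}),
                              "webhooks": sorted(set().union(*(h for _, _, h in burst)))}
                break
    return loops

def sample_audit_lines():
    """Constructed events: Deployment 'web' rewritten every 2 s, 'quiet' written once."""
    def event(name, second, user):
        note = {"configuration": "clusterwide-example-policy", "webhook": "example", "mutated": True}
        return json.dumps({"stage": "ResponseComplete", "verb": "update",
            "requestReceivedTimestamp": f"2024-01-01T10:00:{second:02d}.000000Z",
            "user": {"username": user},
            "objectRef": {"resource": "deployments", "namespace": "demo", "name": name},
            "annotations": {PREFIX + "round_0_index_0": json.dumps(note)}})
    ctrl = "system:serviceaccount:gitops:example-controller"
    return [event("web", s, ctrl) for s in range(0, 12, 2)] + [event("quiet", 3, "alice")]
```

The `writers` value names the controller that keeps reverting the mutation, and `webhooks` names the webhook configuration whose policy should be retargeted as described under Resolution.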