Skip to content

Misconfigured Kubewarden mutating policies together with 3rd party Kubernetes Controllers can get stuck in an infinite loop

This document (000021328) is provided subject to the disclaimer at the end of this document.

Environment

  • Rancher v2.7+
  • Kubewarden

Situation

A Kubernetes resource, mutated by a Kubewarden mutating policy, is stuck in a reconciliation loop, as it is updated by both the Kubewarden policy and another controller

Resolution

The solution, as described in the Kubewarden documentation, is to perform the mutation within the mutating policy against:

  1. The lower type of resource (e.g: Pod).
  2. The highest type of resource (e.g: Deployment). Note: this could still lead to loops if a controller is managing those resources. For example controllers of GitOps solutions (like fleet, flux, argo, ...) or other 3rd party controllers that translate their own CRDs into Deployment objects.

Cause

Per the Kubewarden documentation:

"Mutating policies return requests that proceed through the Kubernetes API. If there are other Kubernetes Controllers that listen for those same resources, they may mutate them back in a follow-up request. This could lead to an infinite feedback loop of mutations."

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.