Maps and arrays could not be checked with nil pattern #1310

@aescrob

Description

Kyverno CLI 1.14.2/1.14.4 and Kyverno Playground 1.14.2 output PASS. Once deployed (v1.14.4), hundreds of messages are logged:

github.com/kyverno/kyverno/pkg/engine/pattern/pattern.go:133 Maps and arrays could not be checked with nil pattern

I am using a Test resource based on a Helm chart which renders a resource like this:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-with-volume-null
spec:
  replicas: 3
  selector:
    matchLabels:
      app: deployment-with-volume-null
  template:
    metadata:
      labels:
        app: deployment-with-volume-null
    spec:
      containers:
      - name: nginx
        image: nginx
      volumes: null # this use case is due to a malicious acm-chart template which sets volumes to null

Now I wanted to make the Kyverno policy more robust, like this (anyPattern):

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-emptydir-sizelimit
  annotations:
    policies.kyverno.io/title: Validate required sizeLimit for emptyDir
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: audit
    policies.kyverno.io/subject: DaemonSet, Deployment, Job, StatefulSet
    policies.kyverno.io/description: >-
      DaemonSet, Deployment, Job and StatefulSet which mount emptyDir volumes may be allowed to potentially overrun the medium backing the emptyDir volume.
      This policy ensures that any emptyDir volume has a sizeLimit set.
spec:
  rules:
  - name: require-emptydir-sizelimit
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
    skipBackgroundRequests: true
    validate:
      failureAction: Audit
      allowExistingViolations: false
      message: "Audit Only: An emptyDir volume must have sizeLimit set."
      anyPattern:
      - =(spec):
          =(template):
            =(spec):
              =(volumes):
              - =(emptyDir):
                  sizeLimit: "?*"
      - =(spec):
          =(template):
            =(spec):
              volumes: null

kyverno test:

apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: Test validate-emptydir-sizelimit
policies:
- ./policies/all_from_helm_template.yaml
resources:
- ./resources/validate_emptydir_sizelimit/deployment_with_volume_null.yaml
results:
- policy: validate-emptydir-sizelimit
  rule: require-emptydir-sizelimit
  resources: ["deployment-with-volume-null"]
  kind: Deployment
  result: pass

I tried to get rid of the message by changing the policy to volumes: "". Kyverno Playground still says PASS, whereas the CLI fails.
Why is the behaviour different?
Is there another approach to catch this case?
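To make the cause of the message visible, here is an added example (this editor's code, not Kyverno's own implementation) that models the pattern comparison the policy above relies on and evaluates its two anyPattern branches against constructed Deployments. The matching rules are assumptions drawn from the log line rather than from Kyverno's source: a null pattern value accepts an absent value or an empty string but cannot be checked against a map or a list, a conditional anchor `=(key)` is only checked when the key exists in the resource, `"?*"` accepts any non-empty value, and a single-element list pattern must be satisfied by every element of the resource list. The names `Matcher`, `Evaluate`, `policyPatterns` and `deployment` are hypothetical, and the sample resources are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Matcher is a simplified model of how a Kyverno validate pattern is compared
// with a resource (written for this page, not Kyverno's code). It records the
// message a nil pattern would log.
type Matcher struct{ Logs []string }

func (m *Matcher) match(value, pattern any) bool {
	switch p := pattern.(type) {
	case nil: // assumed rule: null accepts an absent value or an empty string, never a map or a list
		switch v := value.(type) {
		case nil:
			return true
		case string:
			return v == ""
		case map[string]any, []any:
			m.Logs = append(m.Logs, "Maps and arrays could not be checked with nil pattern")
		}
		return false
	case string:
		v, ok := value.(string)
		return ok && (v == p || (p == "?*" && v != "")) // "?*": any non-empty value
	case map[string]any:
		v, ok := value.(map[string]any)
		if !ok {
			return false
		}
		for k, sub := range p {
			key := strings.TrimSuffix(strings.TrimPrefix(k, "=("), ")")
			got, present := v[key]
			if key != k && !present {
				continue // conditional anchor =(key): only checked when the key exists
			}
			if !m.match(got, sub) {
				return false
			}
		}
		return true
	case []any:
		v, ok := value.([]any)
		if !ok || len(p) != 1 {
			return false
		}
		for _, elem := range v { // every element must satisfy the single pattern element
			if !m.match(elem, p[0]) {
				return false
			}
		}
		return true
	}
	return false
}

// policyPatterns is the issue's anyPattern list expressed as Go values.
func policyPatterns() []any {
	nested := func(podSpec any) any {
		return map[string]any{"=(spec)": map[string]any{"=(template)": map[string]any{"=(spec)": podSpec}}}
	}
	return []any{
		nested(map[string]any{"=(volumes)": []any{map[string]any{"=(emptyDir)": map[string]any{"sizeLimit": "?*"}}}}),
		nested(map[string]any{"volumes": nil}),
	}
}

// deployment builds a constructed Deployment whose pod spec has the given volumes value.
func deployment(volumes any) map[string]any {
	return map[string]any{"kind": "Deployment", "spec": map[string]any{"template": map[string]any{"spec": map[string]any{
		"containers": []any{map[string]any{"name": "nginx", "image": "nginx"}},
		"volumes":    volumes,
	}}}}
}

// Evaluate tries the patterns in order and stops at the first match, as anyPattern does.
func Evaluate(resource map[string]any) (pass bool, logs []string) {
	m := &Matcher{}
	for _, p := range policyPatterns() {
		if m.match(resource, p) {
			return true, m.Logs
		}
	}
	return false, m.Logs
}

func main() {
	for _, v := range []any{nil, []any{map[string]any{"name": "c", "emptyDir": map[string]any{}}}} {
		pass, logs := Evaluate(deployment(v))
		fmt.Println("pass:", pass, "logs:", logs)
	}
}
```

Under this model the null-volumes Deployment passes on the second branch without logging, while a Deployment whose emptyDir has no sizeLimit fails the first branch and then trips the nil-pattern message on the second. Every workload that already violates the first branch therefore produces one such log line, which is consistent with the message showing up in a cluster full of existing workloads but not in a CLI test whose only resource is the null-volumes Deployment.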
