Publish Kyverno and Kubernetes compatible matrix about website HOT 19 CLOSED

Hi @bitva77 , since you're commenting on a (closed) PR which is not super related, would you open this instead on the main Kyverno repo, please?

from website.

@bitva77 - you can limit policy rules to match a kind (see: https://kyverno.io/docs/writing-policies/match-exclude/) and the CLI should skip other types. If this does not work, please log an issue here: https://github.com/kyverno/kyverno/issues or reach out on the slack channel.

from website.

Hi @yuriydzobak, cilium.io/v2 is the apiVersion, not the kind. Kyverno currently takes Kind only in kinds, here's the working PR that extends kinds to match by Group and Version.

from website.

Sure I can send the update!

from website.

We can probably go ahead and publish this since 1.3.0 was released. Are we claiming 1.3.0 supports K8s 1.14-1.20 at this time? Should we start the matrix with 1.3.0 and list only it? Going forward, it might be good to specify this compatibility on the releases, which we can then pick up and copy into the docs.

from website.

@realshuting can you comment, please?

from website.

There may be a problem for supporting 1.20, see this issue.

We can claim 1.3.0 supports K8s 1.14-1.19.

from website.

If that's the case, then max version would be 1.18 since the Ingress containing API graduated to stable in 1.19 (not 1.20). Do we want to make that claim if the only blocker is the CLI when testing policy? And this isn't fixed in 1.3.0?

from website.

Kyverno 1.3.0 uses K8s 1.18 client library, and networking.k8s.io/v1beta1 was dropped in 1.19, so it causes errors with CLI. To fix it in CLI, we need to upgrade the client version.

While for Kyverno controller, this shouldn't matter as Kyverno always fetches the Kind with the preferred API version.

from website.

Can we claim support through 1.20 with an exception for this known issue in the CLI? Is that reasonable?

from website.

Sounds good to me, @JimBugwadia do you see any other exceptions?

from website.

Yes, that seems fine to me as well!

from website.

end user here.

Is there anyway to add an "ignore-api-version-errors" options or something to the CLI? Or a way to dynamically include/override other API versions?

Our Ingresses are set at networking.k8s.io/v1 and our manifests are in one file. So even if we're trying to just validate a kinds: Deployment , the whole thing fails because the CLI seems to validate every kind anyways.

This won't be the last time this issue comes up, I imagine.

from website.

Kyverno v1.3.0 does not support K8s 1.15 and all previous versions, as all CRDs are defined with apiextensions.k8s.io/v1, which was introduced in K8s 1.16.

Kyverno v1.2.1 supports K8s 1.14 and 1.15.

cc @chipzoller @JimBugwadia

from website.

Ok so min version for 1.3.0 is 1.16, correct?

from website.

Yes correct.

from website.

Hi
What's about CIlium?

Error: failed to load resources
Cause: no kind "CiliumNetworkPolicy" is registered for version "cilium.io/v2" in scheme "pkg/runtime/scheme.go:100"

I tried to skip but no luck =(

    exclude:
      resources:
        kinds:
        - CiliumNetworkPolicy
        - cilium.io/v2 

from website.

Kyverno v1.3.0 does not support K8s 1.15 and all previous versions, as all CRDs are defined with apiextensions.k8s.io/v1, which was introduced in K8s 1.16.

Kyverno v1.2.1 supports K8s 1.14 and 1.15.

cc @chipzoller @JimBugwadia

@chipzoller - are you sending the update? Otherwise I can pick this up.

from website.

Sorry, I dropped the ball on this one due to work overload. If you can pick it up, that's great.

from website.