PREQUEL-2025-0087
Kyverno JMESPath query failure due to unknown key
Severity: Medium   Impact: 7/10   Mitigation: 5/10
Description
Kyverno policies that contain JMESPath expressions fail when an expression references a key that does not exist in the resource being evaluated. This typically happens when a policy reads an optional field (for example a nested spec entry) that the matched resource legitimately omits: instead of evaluating the missing key as null, Kyverno reports an "Unknown key" error during policy evaluation, so the rule produces an error rather than a pass or fail result.
Mitigation
- Review and update the JMESPath expressions in the affected Kyverno policies so that every referenced key exists in the resources the rule matches, or is guarded as described below.
- Add a precondition that checks the path exists before the rule evaluates it. The precondition itself must tolerate the missing key, so give it a default with the JMESPath "||" operator instead of referencing the bare path:
    preconditions:
      all:
      - key: "{{ request.object.spec.ipWhiteList || '' }}"
        operator: NotEquals
        value: ""
- Supply defaults inside expressions with "||" or not_null(), for example "{{ request.object.spec.ipWhiteList.sourceRange || `[]` }}", or test for the key explicitly with contains(keys(request.object.spec), 'ipWhiteList'). Note that JMESPath has no has() or if_else() function, and contains() tests membership in a list or string, not key existence.
- For conditional validation, use anyPattern so that alternative shapes of the resource are accepted, or set validationFailureAction to Audit while the expressions are being corrected so that a failing rule is reported instead of blocking admission.
- Test policies against sample resources before deployment, including resources that omit the optional key, with kyverno apply or kyverno test.
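A complete policy combining the precondition and default-value techniques above, added here as an illustration; it is not code from the original page or from the Kyverno project. The resource kind (Middleware), the spec.ipWhiteList.sourceRange path and the CIDR in the message are assumptions; substitute the kind and field your policy targets.

```yaml
# Added example, not taken from the original page or the Kyverno project.
# Assumptions: a custom resource kind "Middleware" whose optional
# spec.ipWhiteList.sourceRange holds a list of CIDRs.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ipwhitelist-requires-source-range
spec:
  # Start in Audit so a mistaken expression produces a report instead of a
  # blocked admission; switch to Enforce once the rule has been tested against
  # resources both with and without spec.ipWhiteList.
  validationFailureAction: Audit
  background: true
  rules:
    - name: source-range-not-empty
      match:
        any:
          - resources:
              kinds:
                - Middleware
      preconditions:
        all:
          # Fragile form (fails with an "Unknown key" error when the key is
          # absent from the resource):
          #   key: "{{ request.object.spec.ipWhiteList }}"
          # Hardened form: "||" yields '' for a missing key, so resources
          # without spec.ipWhiteList simply skip this rule.
          - key: "{{ request.object.spec.ipWhiteList || '' }}"
            operator: NotEquals
            value: ""
      validate:
        message: "spec.ipWhiteList.sourceRange must list at least one CIDR (e.g. 10.0.0.0/8)"
        deny:
          conditions:
            all:
              # Default the nested list as well: sourceRange may be absent
              # even when ipWhiteList itself is present.
              - key: "{{ length(request.object.spec.ipWhiteList.sourceRange || `[]`) }}"
                operator: Equals
                value: 0
```

Run it against two sample resources, one with and one without spec.ipWhiteList, using kyverno apply before enabling it in the cluster; the resource without the key should be skipped by the precondition rather than reported as an error.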