upgrade-from-release-1.5 times out on update-workload-cluster

Job #13029371907 failed for 6a7a04c6:

(wait for the avoid-delete-mgmt-resources-flux webhook to be cleared...)
(wait for the avoid-delete-mgmt-resources-flux webhook to be cleared...)
(wait for the avoid-delete-mgmt-resources-flux webhook to be cleared...)
(wait for the avoid-delete-mgmt-resources-flux webhook to be cleared...)
(wait for the avoid-delete-mgmt-resources-flux webhook to be cleared...)

This is being caused by the merge of !6842 (merged), which adds an additional check.

But this leads to failures, because the current logic is checking for the existence of the field on the management cluster validatingwebhookconfiguration, which, of course, is present when the policy is re-added.

Although is not that elegant, one possibility would be to do something similar to:

      if [[ "$namespace" == "sylva-system" ]]; then
        while kubectl get validatingwebhookconfigurations kyverno-resource-validating-webhook-cfg -o yaml | \
                yq -e '[.webhooks[] | select(.name | match("avoid-delete-mgmt-resources-flux"))] | length > 0' > /dev/null 2>&1
        do
          echo "(wait for the avoid-delete-mgmt-resources-flux webhook to be cleared...)"
          sleep 1
        done
      fi

So it would only apply to management clusters

cc @tmmorin

Edited Feb 09, 2026 by Dragos Gerea