Kyverno - MutatingWebhookConfiguration reconciliation loop on helmrelease/status v2beta2 apiVersion
The MutatingWebhookConfiguration/kyverno-resource-mutating-webhook-cfg is continuously reconciled with alternating states for the helmreleases/status subresource on (and only on) v2beta2 API versions.
The v2 API versions is untouched and stable.
Observed behavior: \
Generation increments every X seconds
The webhook rule for helm.toolkit.fluxcd.io/v2beta2 alternates between: \
- State A: resources: [helmreleases, helmreleases/status] \
- State B: resources: [helmreleases] (missing /status)
No actual HelmRelease v2beta2 resources exist in the cluster (only v2 is used)
- apiGroups:
- helm.toolkit.fluxcd.io
apiVersions:
- v2
operations:
- CREATE
- UPDATE
resources:
- helmreleases
- helmreleases/status
scope: Namespaced
- apiGroups:
- helm.toolkit.fluxcd.io
apiVersions:
- v2beta2
operations:
- CREATE
- UPDATE
resources:
- helmreleases <<<<<<<<
- helmreleases/status <<<<<<<<<< added and deleted in a loop
scope: NamespacedEdited by Remi Le Trocquer