
MutatingAdmissionPolicy / MutatingAdmissionPolicyBinding fails when using ConfigMap as parameters #134184

@adrianrademann

Description

What happened?

When configuring MAP/MAPB with a ConfigMap as the paramRef, the Kube-API returns:

Error from server (Forbidden): policy 'add-default-priority-class-to-workload' with binding 'add-default-priority-class-to-workload-prod' denied request: failed to configure binding: no params found for policy binding with `Deny` parameterNotFoundAction

What did you expect to happen?

The admission controller to be able to evaluate the policy.

How can we reproduce it (as minimally and precisely as possible)?

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: add-default-priority-class-to-workload
spec:
  failurePolicy: Fail
  matchConditions:
  - expression: '!has(object.spec.priorityClassName)'
    name: priority-class-not-present
  matchConstraints:
    resourceRules:
    - apiGroups:
      - ''
      apiVersions:
      - v1
      operations:
      - CREATE
      resources:
      - pods
  mutations:
  - applyConfiguration:
      expression: |-
        Object{
            spec: Object.spec{
                priorityClassName: params.data.defaultPriorityClassName
            }
        }
    patchType: ApplyConfiguration
  paramKind:
    apiVersion: v1
    kind: ConfigMap
  reinvocationPolicy: Never
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: add-default-priority-class-to-workload-prod
spec:
  paramRef:
    namespace: kube-system
    name: admission-params-default-priority-class-prod
    parameterNotFoundAction: Deny
  policyName: add-default-priority-class-to-workload
  matchResources:
    matchPolicy: Equivalent
    namespaceSelector:
      matchLabels:
        env: prod
---
apiVersion: v1
data:
  defaultPriorityClassName: prod
kind: ConfigMap
metadata:
  name: admission-params-default-priority-class-prod
  namespace: kube-system
---
apiVersion: scheduling.k8s.io/v1
description: Default for production namespaces
globalDefault: false
kind: PriorityClass
metadata:
  name: prod
value: 1000
---
apiVersion: v1
kind: Namespace
metadata:
  name: prod
  labels:
    env: prod
---
apiVersion: v1
kind: Pod
metadata:
  name: x  # added: the Pod manifest needs a name to be applied
  namespace: prod
spec:
  containers:
  - args:
    - sleep
    - 5d
    image: curlimages/curl:8.6.0
    name: x

Anything else we need to know?

I already tried creating the resources one by one (configmap -> policy -> binding -> pod) but it didn't resolve the issue.

Kubernetes version

v1.34.1-rc1+k3s1

Cloud provider

OnPrem

OS version

Fedora CoreOS 42.20250623.3.1

Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)

No response
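To rule out a manifest mismatch before chasing the API server, here is an added example (not from the issue or from Kubernetes) that cross-checks the policy's paramKind, the binding's paramRef and the ConfigMap above, and states what parameterNotFoundAction: Deny does when nothing matches. The dicts are constructed from the report's manifests; the matching rules and the check function are assumptions.

```python
"""Cross-check a MutatingAdmissionPolicy, its binding and its ConfigMap params.
Added example, not code from the issue or Kubernetes; the dicts mirror the
report's manifests (constructed here). Matching rules are an assumption: the
API server resolves params by paramKind (apiVersion/kind) plus paramRef
(namespace/name)."""

POLICY = {"kind": "MutatingAdmissionPolicy",
          "metadata": {"name": "add-default-priority-class-to-workload"},
          "spec": {"paramKind": {"apiVersion": "v1", "kind": "ConfigMap"}}}

BINDING = {"kind": "MutatingAdmissionPolicyBinding",
           "metadata": {"name": "add-default-priority-class-to-workload-prod"},
           "spec": {"policyName": "add-default-priority-class-to-workload",
                    "paramRef": {"namespace": "kube-system",
                                 "name": "admission-params-default-priority-class-prod",
                                 "parameterNotFoundAction": "Deny"}}}

CONFIGMAP = {"apiVersion": "v1", "kind": "ConfigMap",
             "metadata": {"name": "admission-params-default-priority-class-prod",
                          "namespace": "kube-system"},
             "data": {"defaultPriorityClassName": "prod"}}

REQUIRED_DATA_KEYS = ("defaultPriorityClassName",)  # read as params.data.<key>


def check_binding_params(policy, binding, candidates, required_keys=REQUIRED_DATA_KEYS):
    """Return findings explaining why the binding would have no usable params.
    An empty list means the manifests are self-consistent, so a 'no params found'
    denial points at the cluster side (param object absent at evaluation time)."""
    findings = []
    spec = binding["spec"]
    if spec.get("policyName") != policy["metadata"]["name"]:
        findings.append("binding.spec.policyName does not name the policy")
    kind, ref = policy["spec"].get("paramKind"), spec.get("paramRef")
    if not kind or not ref:
        return findings + ["policy lacks paramKind or binding lacks paramRef"]
    matches = [c for c in candidates
               if (c["apiVersion"], c["kind"]) == (kind["apiVersion"], kind["kind"])
               and c["metadata"].get("name") == ref.get("name")
               and c["metadata"].get("namespace") == ref.get("namespace")]
    if not matches:
        action = ref.get("parameterNotFoundAction")
        outcome = {"Deny": "deny the request", "Allow": "skip the policy"}.get(
            action, f"use unrecognised action {action!r}")
        findings.append(f"no {kind['kind']} {ref.get('namespace')}/{ref.get('name')} "
                        f"matches paramRef; parameterNotFoundAction={action} would {outcome}")
    for c in matches:  # the CEL mutation dereferences these keys on the param object
        for key in required_keys:
            if key not in c.get("data", {}):
                findings.append(f"params {c['metadata']['name']} lacks data.{key}")
    return findings
```

For the manifests in the report the check returns no findings, which is consistent with the reporter's observation that recreating the resources in order did not help.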

Labels: kind/bug, needs-sig, needs-triage