Skip to content

fix(policy): image-verification webhook timeouts (context deadline exceeded) can wedge the merge queue #2431

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem

The verify-app-images Kyverno ImageValidatingPolicy webhook (ivpol.{mutate,validate}.kyverno.svc-fail, timeout=10s, fail-closed) intermittently returns context deadline exceeded while doing keyless cosign verification (which reaches Fulcio/Rekor/ghcr at admission time). When that happens during a deploy-prod merge_group run, legitimate first-party app pods are denied inside the 20-minute apps health-check window → the apps Kustomization times out → the whole merge_group is evicted.

Observed live on the wedding-app rollout: RS wedding-app-684f95779 logged FailedCreate … ivpol.mutate.kyverno.svc-fail … context deadline exceeded ×19 over ~4h, interleaved with clean policy responses. This transient timeout is independent of policy correctness — even a correctly-trusted image can be denied when verification is slow, and in the merge queue that stalls every platform PR, not just the app being rolled out.

Why it matters

A network/latency blip in sigstore or the registry shouldn't be able to wedge the entire platform merge queue or stall an app rollout. Today it can, because image verification is a fail-closed 10s webhook on the hot admission path.

Proposed direction (investigate, pick one)

  • Raise the image-verification webhook timeout (10s → ~30s) so cold cosign verifications complete.
  • Enable Kyverno's cosign verification-result caching (and/or warm the TUF/Rekor cache) so repeat admissions don't re-hit the network.
  • Consider audit-with-retry for first-party images so a transient verify failure doesn't hard-deny a legitimate, already-published image.

Rough size

S–M: a Kyverno HelmRelease values / policy webhook-config change plus a short investigation of which mitigation is safe (must not weaken the security posture the policy exists for).

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    👀 In Review

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions