🤖 Generated by the Daily AI Assistant
Problem
The verify-app-images Kyverno ImageValidatingPolicy webhook (ivpol.{mutate,validate}.kyverno.svc-fail, timeout=10s, fail-closed) intermittently returns context deadline exceeded while doing keyless cosign verification (which reaches Fulcio/Rekor/ghcr at admission time). When that happens during a deploy-prod merge_group run, legitimate first-party app pods are denied inside the 20-minute apps health-check window → the apps Kustomization times out → the whole merge_group is evicted.
Observed live on the wedding-app rollout: RS wedding-app-684f95779 logged FailedCreate … ivpol.mutate.kyverno.svc-fail … context deadline exceeded ×19 over ~4h, interleaved with clean policy responses. This transient timeout is independent of policy correctness — even a correctly-trusted image can be denied when verification is slow, and in the merge queue that stalls every platform PR, not just the app being rolled out.
Why it matters
A network/latency blip in sigstore or the registry shouldn't be able to wedge the entire platform merge queue or stall an app rollout. Today it can, because image verification is a fail-closed 10s webhook on the hot admission path.
Proposed direction (investigate, pick one)
- Raise the image-verification webhook timeout (10s → ~30s) so cold cosign verifications complete.
- Enable Kyverno's cosign verification-result caching (and/or warm the TUF/Rekor cache) so repeat admissions don't re-hit the network.
- Consider audit-with-retry for first-party images so a transient verify failure doesn't hard-deny a legitimate, already-published image.
Rough size
S–M: a Kyverno HelmRelease values / policy webhook-config change plus a short investigation of which mitigation is safe (must not weaken the security posture the policy exists for).
Problem
The
verify-app-imagesKyvernoImageValidatingPolicywebhook (ivpol.{mutate,validate}.kyverno.svc-fail,timeout=10s, fail-closed) intermittently returnscontext deadline exceededwhile doing keyless cosign verification (which reaches Fulcio/Rekor/ghcr at admission time). When that happens during adeploy-prodmerge_grouprun, legitimate first-party app pods are denied inside the 20-minuteappshealth-check window → theappsKustomization times out → the wholemerge_groupis evicted.Observed live on the wedding-app rollout: RS
wedding-app-684f95779loggedFailedCreate … ivpol.mutate.kyverno.svc-fail … context deadline exceeded×19 over ~4h, interleaved with clean policy responses. This transient timeout is independent of policy correctness — even a correctly-trusted image can be denied when verification is slow, and in the merge queue that stalls every platform PR, not just the app being rolled out.Why it matters
A network/latency blip in sigstore or the registry shouldn't be able to wedge the entire platform merge queue or stall an app rollout. Today it can, because image verification is a fail-closed 10s webhook on the hot admission path.
Proposed direction (investigate, pick one)
Rough size
S–M: a Kyverno HelmRelease values / policy webhook-config change plus a short investigation of which mitigation is safe (must not weaken the security posture the policy exists for).