An unchecked type assertion in the forEach mutation handler allows any user with permission to create a Policy or ClusterPolicy to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected.
In pkg/engine/mutate/mutation.go, the ForEach function performs a bare type assertion on a map value that can be nil:
patcher := NewPatcher(fe["patchStrategicMerge"], fe["patchesJson6902"].(string))
When a forEach rule uses a patchesJson6902 field containing a variable substitution (e.g., {{ element.nonexistent }}) that resolves to nil at runtime, the type assertion .(string) on a nil interface{} triggers an unrecoverable Go panic:
panic: interface conversion: interface {} is nil, not string
When a mutateExisting rule triggers, the admission controller creates an UpdateRequest resource that the background controller processes asynchronously. This resource survives controller restarts, re-triggering the panic on every restart until the policy or UpdateRequest is deleted.
The background controller processes mutateExisting rules in worker goroutines where k8s.io/apimachinery/pkg/util/runtime.HandleCrash catches panics but re-panics by default, killing the process. The admission controller survives because Go's net/http server absorbs panics in handler goroutines via defer recover(), though the connection is dropped.
The vulnerable code was introduced in #10702. Kyverno versions v1.13.0 to v1.17.1 are affected.
Apply the following manifest:
# --- PoC A: Namespaced Policy crashes the background controller ---
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: poc-background-crash
namespace:...
1.16.41.17.2Exploitability
AV:NAC:LPR:LUI:NScope
S:CImpact
C:NI:NA:H7.7/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H