When the Kyverno add-on is enabled as it exists in the repo, CAPZ clusters get stuck in the provisioning state, and in the CAPI log we can see the following:
E0523 21:28:55.370777 1 controller.go:329] "Reconciler error" err="failed to patch AzureManagedControlPlane default/aks0: admission webhook \"validation.azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io\" denied the request: AzureManagedControlPlane.infrastructure.cluster.x-k8s.io \"aks0\" is invalid: [Spec.VirtualNetwork.Name: Invalid value: \"aks0\": Virtual Network Name is immutable, Spec.VirtualNetwork.CIDRBlock: Invalid value: \"10.224.0.0/12\": Virtual Network CIDRBlock is immutable, Spec.VirtualNetwork.Subnet.Name: Invalid value: \"aks0\": Subnet Name is immutable, Spec.VirtualNetwork.Subnet.CIDRBlock: Invalid value: \"10.224.0.0/16\": Subnet CIDRBlock is immutable, Spec.VirtualNetwork.ResourceGroup: Invalid value: \"aks0\": Virtual Network Resource Group is immutable]" controller="cluster" controllerGroup="cluster.x-k8s.io" controllerKind="Cluster" Cluster="default/aks0" namespace="default" name="aks0" reconcileID="e071179a-9bac-49b0-b2d7-9b2d140f40c8"
It is likely that the installation of Kyverno is blocking some webhook or other operation, preventing CAPZ from functioning.
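The controller error quoted above is dense and easy to misread. As an added triage helper (example code, not from the issue author or from the CAPZ or Kyverno projects), the following Python parses CAPI "Reconciler error" lines of that shape, extracts the denying admission webhook, the object being patched and each field violation, and flags denials that consist only of immutability violations. That flag is the useful signal here: an immutability denial means the spec the controller is trying to apply differs from the stored object in fields that cannot change after creation, which points the investigation at whatever sits between the controller's desired spec and the stored object (for instance a mutating admission policy). The line format and the regexes are assumptions inferred from the single sample in the issue; the embedded log lines are constructed, with the error line copied from the issue and its trailing key=value fields trimmed.

```python
"""Triage helper for CAPI "Reconciler error" lines carrying a webhook denial.

Added example, not code from the issue or from the CAPZ/Kyverno projects.
The log format handled here is an assumption based on the one sample line
quoted in the issue; adjust the regexes if your controller logs differ.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: one unrelated info line plus the error line from
# the issue (trailing key=value fields trimmed).
SAMPLE_LOG = [
    r'I0523 21:28:50.000001 1 controller.go:200] "Reconciling" controller="cluster" name="aks0"',
    r'E0523 21:28:55.370777 1 controller.go:329] "Reconciler error" err="failed to patch AzureManagedControlPlane default/aks0: admission webhook \"validation.azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io\" denied the request: AzureManagedControlPlane.infrastructure.cluster.x-k8s.io \"aks0\" is invalid: [Spec.VirtualNetwork.Name: Invalid value: \"aks0\": Virtual Network Name is immutable, Spec.VirtualNetwork.CIDRBlock: Invalid value: \"10.224.0.0/12\": Virtual Network CIDRBlock is immutable, Spec.VirtualNetwork.Subnet.Name: Invalid value: \"aks0\": Subnet Name is immutable, Spec.VirtualNetwork.Subnet.CIDRBlock: Invalid value: \"10.224.0.0/16\": Subnet CIDRBlock is immutable, Spec.VirtualNetwork.ResourceGroup: Invalid value: \"aks0\": Virtual Network Resource Group is immutable]" controller="cluster" controllerKind="Cluster" Cluster="default/aks0"',
]


@dataclass(frozen=True)
class Violation:
    field: str   # Go-style field path as printed by the webhook, e.g. Spec.VirtualNetwork.Name
    value: str   # the rejected value
    reason: str  # the webhook's reason, e.g. "Virtual Network Name is immutable"


@dataclass(frozen=True)
class Denial:
    target: str               # e.g. "AzureManagedControlPlane default/aks0"
    webhook: str              # name of the admission webhook that denied the request
    violations: Tuple[Violation, ...]


# The err="..." value is a Go-quoted string: inner quotes appear as \".
ERR_RE = re.compile(r'err="((?:[^"\\]|\\.)*)"')
TARGET_RE = re.compile(r'failed to patch (\S+ \S+):')
WEBHOOK_RE = re.compile(r'admission webhook "([^"]+)" denied the request')
# One "<Field>: Invalid value: "<value>": <reason>" entry inside the [...] list.
VIOLATION_RE = re.compile(r'(Spec(?:\.\w+)+): Invalid value: "([^"]*)": ([^,\]]+)')


def parse_denial(line: str) -> Optional[Denial]:
    """Return the Denial encoded in a log line, or None if the line has no webhook denial."""
    m = ERR_RE.search(line)
    if not m:
        return None
    err = m.group(1).replace('\\"', '"')  # undo Go's quote escaping
    w = WEBHOOK_RE.search(err)
    if not w:
        return None
    t = TARGET_RE.search(err)
    target = t.group(1) if t else ""
    violations = tuple(
        Violation(field, value, reason.strip())
        for field, value, reason in VIOLATION_RE.findall(err)
    )
    return Denial(target=target, webhook=w.group(1), violations=violations)


def find_denials(lines: List[str]) -> List[Denial]:
    """Scan controller log lines and collect every webhook denial found."""
    return [d for d in (parse_denial(l) for l in lines) if d is not None]


def immutable_fields(denial: Denial) -> List[str]:
    """Field paths the webhook rejected specifically because they are immutable."""
    return [v.field for v in denial.violations if v.reason.endswith("is immutable")]


def only_immutability(denial: Denial) -> bool:
    """True when every violation is an immutability violation.

    In that case the controller's desired spec disagrees with the stored object
    in create-only fields, so something altered one of the two after creation.
    """
    return bool(denial.violations) and len(immutable_fields(denial)) == len(denial.violations)


if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(f"{d.target} denied by {d.webhook}")
        for v in d.violations:
            print(f"  {v.field} = {v.value!r}: {v.reason}")
        if only_immutability(d):
            print("  -> all violations are immutability violations; check what rewrote these fields")
```

Run it against a captured controller log (one line per list entry) and look at which webhook name appears and whether the denial is purely about immutable fields; the webhook name in the sample is CAPZ's own validating webhook, so the next step in the issue above would be to list the admission configurations that also match `azuremanagedcontrolplanes` and see which of them mutate the object.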