mirror of https://github.com/kyverno/kyverno.git synced 2025-03-08 17:06:57 +00:00
kyverno/test/cli/test-generate/clone-list/policy.yaml

38 lines
1.2 KiB
YAML

fix: Provide kind list hints to the fake dynamic client. (#9036)

* fix: Provide kind list hints to the fake dynamic client.
  If one uses the `cloneList` option of `generate` without this, a panic occurs.
  Signed-off-by: Anton Chernev <anton.chernev@gmail.com>

* Added test for `cloneList`.
  Signed-off-by: Anton Chernev <anton.chernev@gmail.com>

* fix: ttl cleanup not working with cluster wide resources (#9060)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Anton Chernev <anton.chernev@gmail.com>

* Fix Helm chart to not error when replicas defined (#9066)
  Fixes #8941
  Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
  Signed-off-by: Anton Chernev <anton.chernev@gmail.com>

* fix: add nodeSelector to the reports cleanup helm hook (#9065)
  Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
  Signed-off-by: Anton Chernev <anton.chernev@gmail.com>

* optimize JSON context processing using in-memory maps (#8322)

  * optimize JSON context processing using in memory maps
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * fix excessive logs
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * fix mutate resource diff
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * uncomment tests
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * copy resource, as it can be modified
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * clear prior resource to prevent mutating original
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * linter fix
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * fix ImageInfo to unstructured conversion
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * fix custom image extractors
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * do not update mutated resource in JSON context
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * address review comments
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>

  ---------

  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  Signed-off-by: shuting <shuting@nirmata.com>
  Co-authored-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  Co-authored-by: shuting <shuting@nirmata.com>
  Signed-off-by: Anton Chernev <anton.chernev@gmail.com>

* Ran `gci` to silence a lint warning.
  Signed-off-by: Anton Chernev <anton.chernev@gmail.com>

* Added a log message when an invalid or incomplete `cloneList` kind is supplied.
  Signed-off-by: Anton Chernev <anton.chernev@gmail.com>

---------

Signed-off-by: Anton Chernev <anton.chernev@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Co-authored-by: Anton Chernev <a-anchernov@expediagroup.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: treydock <tdockendorf@osc.edu>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2023-12-07 06:03:27 +00:00
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Sample
    policies.kyverno.io/description: 'Secrets like registry credentials often need
      to exist in multiple Namespaces so Pods there have access. Manually duplicating
      those Secrets is time consuming and error prone. This policy will copy all Secrets
      with the appropriate label which exists in the `default` Namespace to new Namespaces
      when they are created. It will also push updates to the copied Secrets should the
      source Secret be changed.'
    policies.kyverno.io/subject: Secret
    policies.kyverno.io/title: Clone List Secrets
  name: clone-list-secrets
spec:
  admission: true
  background: true
  rules:
  - generate:
      cloneList:
        namespace: default
        kinds:
          - v1/Secret
          - v1/ConfigMap
        selector:
          matchLabels:
            allowedToBeCloned: "true"
      namespace: '{{request.object.metadata.name}}'
      synchronize: true
    match:
      any:
      - resources:
          kinds:
          - Namespace
    name: clone-list-labelled-secrets
  validationFailureAction: Audit