
fix: delete VAPs in case Kyverno policies can't be translated (#8887) (#9019)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
gcp-cherry-pick-bot[bot] 2023-11-27 07:15:45 +00:00 committed by GitHub
parent 53fa22bc74
commit 3aa662accc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 154 additions and 13 deletions


@ -297,6 +297,10 @@ func (c *controller) buildValidatingAdmissionPolicyBinding(vapbinding *admission
return nil
}
func constructVapBindingName(vapName string) string {
return vapName + "-binding"
}
func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error {
policy, err := c.getClusterPolicy(name)
if err != nil {
@ -326,34 +330,50 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
return nil
}
vapName := policy.GetName()
vapBindingName := constructVapBindingName(vapName)
observedVAP, vapErr := c.getValidatingAdmissionPolicy(vapName)
observedVAPbinding, vapBindingErr := c.getValidatingAdmissionPolicyBinding(vapBindingName)
if ok, msg := canGenerateVAP(spec); !ok {
// delete the ValidatingAdmissionPolicy if exist
if vapErr == nil {
err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
if err != nil {
return err
}
}
// delete the ValidatingAdmissionPolicyBinding if exist
if vapBindingErr == nil {
err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{})
if err != nil {
return err
}
}
c.updateClusterPolicyStatus(ctx, *policy, false, msg)
return nil
}
polName := policy.GetName()
observedVAP, err := c.getValidatingAdmissionPolicy(polName)
if err != nil {
if !apierrors.IsNotFound(err) {
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
return err
if vapErr != nil {
if !apierrors.IsNotFound(vapErr) {
c.updateClusterPolicyStatus(ctx, *policy, false, vapErr.Error())
return vapErr
}
observedVAP = &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: polName,
Name: vapName,
},
}
}
observedVAPbinding, err := c.getValidatingAdmissionPolicyBinding(polName + "-binding")
if err != nil {
if !apierrors.IsNotFound(err) {
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
return err
if vapBindingErr != nil {
if !apierrors.IsNotFound(vapBindingErr) {
c.updateClusterPolicyStatus(ctx, *policy, false, vapBindingErr.Error())
return vapBindingErr
}
observedVAPbinding = &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{
Name: polName + "-binding",
Name: vapBindingName,
},
}
}
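Review bot: In the `!ok` branch of the second hunk, a lookup error other than NotFound from `getValidatingAdmissionPolicy` or `getValidatingAdmissionPolicyBinding` is treated as "nothing to delete": `vapErr == nil` is false, the delete is skipped, the status is set to false with `msg` and `nil` is returned, so the key is presumably not requeued and a VAP or binding that should have been removed can stay active on the cluster. The happy path further down returns exactly those non-NotFound errors, and the cleanup path should do the same; the `Delete` calls should also tolerate NotFound so a concurrent deletion does not abort the status update. `reconcile` continues past the hunk. The two comments `// delete the ValidatingAdmissionPolicy if exist` / `// delete the ValidatingAdmissionPolicyBinding if exist` would read better as `if it exists`.
```go
if ok, msg := canGenerateVAP(spec); !ok {
	// a lookup failure other than NotFound must not be mistaken for "already gone"
	if vapErr != nil && !apierrors.IsNotFound(vapErr) {
		return vapErr
	}
	if vapBindingErr != nil && !apierrors.IsNotFound(vapBindingErr) {
		return vapBindingErr
	}
	// delete the ValidatingAdmissionPolicy if it exists; NotFound means it was already removed
	if vapErr == nil {
		err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
		if err != nil && !apierrors.IsNotFound(err) {
			return err
		}
	}
	// delete the ValidatingAdmissionPolicyBinding if it exists
	if vapBindingErr == nil {
		err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{})
		if err != nil && !apierrors.IsNotFound(err) {
			return err
		}
	}
	c.updateClusterPolicyStatus(ctx, *policy, false, msg)
	return nil
}
// … unchanged: observedVAP / observedVAPbinding fallback construction …
```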


@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml


@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
assert:
- validatingadmissionpolicy.yaml
- validatingadmissionpolicybinding.yaml


@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- updated-policy.yaml
assert:
- policy-assert.yaml


@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
error:
- validatingadmissionpolicy.yaml
- validatingadmissionpolicybinding.yaml


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-path-cel
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,23 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-path-cel
spec:
validationFailureAction: Enforce
background: false
rules:
- name: host-path-cel
match:
any:
- resources:
kinds:
- Deployment
- StatefulSet
operations:
- CREATE
- UPDATE
validate:
cel:
expressions:
- expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."


@ -0,0 +1,25 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-path-cel
spec:
validationFailureAction: Enforce
background: true
rules:
- name: host-path-cel
match:
any:
- resources:
kinds:
- Deployment
- StatefulSet
operations:
- CREATE
- UPDATE
namespaces:
- prod
validate:
cel:
expressions:
- expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
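Review bot: Nothing in this updated-policy fixture says which field is meant to make it untranslatable, yet that is the only reason it exists; compared with the first policy file it differs in two places (`background: true` and the added `namespaces: [prod]` match) and a reader cannot tell which one, or both, is expected to trip `canGenerateVAP`. Presumably the `namespaces` restriction is the intended trigger, since a VAP cannot express it in the same way, but that is an inference from the fixture, not from the test. A one-line comment at the top of the file, e.g. `# deliberately not translatable to a ValidatingAdmissionPolicy (see canGenerateVAP): <intended-trigger-field>`, would keep the test honest if the translation rules are relaxed later.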


@ -0,0 +1,29 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: disallow-host-path-cel
ownerReferences:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-host-path-cel
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups:
- apps
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- deployments
- statefulsets
validations:
- expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume,
!has(volume.hostPath))'
message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath
must be unset.


@ -0,0 +1,13 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: disallow-host-path-cel-binding
ownerReferences:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-host-path-cel
spec:
policyName: disallow-host-path-cel
validationActions: [Deny]