Remove policy validation prevent loop for generate (#7388)

* remove checks Signed-off-by: ShutingZhao <shuting@nirmata.com> * update tests Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-03-28 02:18:15 +00:00 · 2023-06-02 19:53:16 +08:00 · 2023-06-02 19:53:16 +08:00 · 3db7c41a62
commit 3db7c41a62
parent 8ac1975f5f
8 changed files with 14 additions and 25 deletions
--- a/pkg/validation/policy/generate.go
+++ b/pkg/validation/policy/generate.go
@ -11,7 +11,6 @@ import (
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/utils/strings/slices"
 )

 func immutableGenerateFields(new, old kyvernov1.PolicyInterface) error {
@ -106,17 +105,6 @@ func checkClusterResourceInMatchAndExclude(rule kyvernov1.Rule, clusterResources
 	return nil
 }

-func loopInGenerate(rule kyvernov1.Rule) error {
-	if !rule.HasGenerate() {
-		return nil
-	}
-
-	if slices.Contains(rule.MatchResources.GetKinds(), rule.Generation.Kind) {
-		return fmt.Errorf("the rule would result in an endless loop, the trigger and the target resources are the same kind: %s", rule.Generation.Kind)
-	}
-	return nil
-}
-
 func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {
 	new := new(kyvernov1.Rule)
 	rule.DeepCopyInto(new)
--- a/pkg/validation/policy/validate.go
+++ b/pkg/validation/policy/validate.go
@ -220,10 +220,6 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 		if err := validateKinds(rule.ExcludeResources.Kinds, rule, mock, background, client); err != nil {
 			return warnings, fmt.Errorf("path: spec.rules[%d].exclude.kinds: %v", i, err)
 		}
-
-		if err := loopInGenerate(rule); err != nil {
-			return warnings, fmt.Errorf("path: spec.rules[%d]: %v", i, err)
-		}
 	}

 	for i, rule := range rules {
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/01-pass.yaml
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/01-pass.yaml
@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 apply:
 - file: policy.yaml
-  shouldFail: true
+  shouldFail: false
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/README.md
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/README.md
@ -1,12 +1,12 @@
 ## Description

-This test ensures that a generate policy cannot have the same kind defined in the trigger and the target resources. Otherwise it would result in an endless loop.
+This test ensures that a generate policy is allowed to have the same kind defined in the trigger and the target resources. The flag `--backgroundServiceAccountName` was added to prevent endless loop.

 ## Expected Behavior

-The test fails if the policy creation is allowed, otherwise passes.
+The test passes if the policy creation is allowed, otherwise fails.


 ## Reference Issue(s)

-https://github.com/kyverno/kyverno/issues/7017
+https://github.com/kyverno/kyverno/issues/7280
--- a/test/conformance/kuttl/generate/validation/policy/prevent-loop/01-ns.yaml
+++ b/test/conformance/kuttl/generate/validation/policy/prevent-loop/01-ns.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pol-generate-prevent-loop-ns
--- a/test/conformance/kuttl/generate/validation/policy/prevent-loop/02-pass.yaml
+++ b/test/conformance/kuttl/generate/validation/policy/prevent-loop/02-pass.yaml
@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 apply:
 - file: policy.yaml
-  shouldFail: true
+  shouldFail: false
--- a/test/conformance/kuttl/generate/validation/policy/prevent-loop/README.md
+++ b/test/conformance/kuttl/generate/validation/policy/prevent-loop/README.md
@ -1,12 +1,12 @@
 ## Description

-This test ensures that a generate policy cannot have the same kind defined in the trigger and the target resources. Otherwise it would result in an endless loop.
+This test ensures that a generate policy is allowed to have the same kind defined in the trigger and the target resources. The flag `--backgroundServiceAccountName` was added to prevent endless loop.

 ## Expected Behavior

-The test fails if the policy creation is allowed, otherwise passes.
+The test passes if the policy creation is allowed, otherwise fails.


 ## Reference Issue(s)

-https://github.com/kyverno/kyverno/issues/7017
+https://github.com/kyverno/kyverno/issues/7280
--- a/test/conformance/kuttl/generate/validation/policy/prevent-loop/policy.yaml
+++ b/test/conformance/kuttl/generate/validation/policy/prevent-loop/policy.yaml
@ -2,6 +2,7 @@ apiVersion: kyverno.io/v1
 kind: Policy
 metadata:
  name: pol-generate-prevent-loop
+  namespace: pol-generate-prevent-loop-ns
 spec:
  rules:
  - name: pol-generate-prevent-loop
@ -16,7 +17,7 @@ spec:
      apiVersion: v1
      kind: ConfigMap
      name: corp-{{ random('[0-9a-z]{8}') }}
-      namespace: "{{request.namespace}}"
+      namespace: pol-generate-prevent-loop-ns
      synchronize: false
      data:
        data: