From 3db7c41a62e8b6ad5cd8e0dfa1d18b3cf0419ce3 Mon Sep 17 00:00:00 2001 From: shuting Date: Fri, 2 Jun 2023 19:53:16 +0800 Subject: [PATCH] Remove policy validation prevent loop for generate (#7388) * remove checks Signed-off-by: ShutingZhao * update tests Signed-off-by: ShutingZhao --------- Signed-off-by: ShutingZhao
--- pkg/validation/policy/generate.go | 12 ------------ pkg/validation/policy/validate.go | 4 ---- .../prevent-loop/{01-fail.yaml => 01-pass.yaml} | 2 +- .../validation/clusterpolicy/prevent-loop/README.md | 6 +++--- .../validation/policy/prevent-loop/01-ns.yaml | 4 ++++ .../prevent-loop/{01-fail.yaml => 02-pass.yaml} | 2 +- .../validation/policy/prevent-loop/README.md | 6 +++--- .../validation/policy/prevent-loop/policy.yaml | 3 ++- 8 files changed, 14 insertions(+), 25 deletions(-) rename test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/{01-fail.yaml => 01-pass.yaml} (79%) create mode 100644 test/conformance/kuttl/generate/validation/policy/prevent-loop/01-ns.yaml rename test/conformance/kuttl/generate/validation/policy/prevent-loop/{01-fail.yaml => 02-pass.yaml} (79%)
diff --git a/pkg/validation/policy/generate.go b/pkg/validation/policy/generate.go
index 69df60ff81..1ce8e2451f 100644
--- a/pkg/validation/policy/generate.go
+++ b/pkg/validation/policy/generate.go
@@ -11,7 +11,6 @@ import (
 kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/utils/strings/slices"
 )
 
 func immutableGenerateFields(new, old kyvernov1.PolicyInterface) error {
@@ -106,17 +105,6 @@ func checkClusterResourceInMatchAndExclude(rule kyvernov1.Rule, clusterResources
 return nil
 }
 
-func loopInGenerate(rule kyvernov1.Rule) error {
- if !rule.HasGenerate() {
- return nil
- }
-
- if slices.Contains(rule.MatchResources.GetKinds(), rule.Generation.Kind) {
- return fmt.Errorf("the rule would result in an endless loop, the trigger and the target resources are the same kind: %s", rule.Generation.Kind)
- }
- return nil
-}
-
 func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {
 new := new(kyvernov1.Rule)
 rule.DeepCopyInto(new)
diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go
index 0159c1290f..193ddfdd3a 100644
--- a/pkg/validation/policy/validate.go
+++ b/pkg/validation/policy/validate.go
@@ -220,10 +220,6 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 if err := validateKinds(rule.ExcludeResources.Kinds, rule, mock, background, client); err != nil {
 return warnings, fmt.Errorf("path: spec.rules[%d].exclude.kinds: %v", i, err)
 }
-
- if err := loopInGenerate(rule); err != nil {
- return warnings, fmt.Errorf("path: spec.rules[%d]: %v", i, err)
- }
 }
 
 for i, rule := range rules {
diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/01-fail.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/01-pass.yaml
similarity index 79%
rename from test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/01-fail.yaml
rename to test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/01-pass.yaml
index fd300fcae1..7f2dc5ad36 100644
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/01-fail.yaml
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/01-pass.yaml
@@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 apply:
 - file: policy.yaml
- shouldFail: true
\ No newline at end of file
+ shouldFail: false
\ No newline at end of file
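Review bot: The admission-time rejection of a generate rule whose trigger and target share a kind disappears with the validate.go hunk, and nothing inside `Validate` takes its place; the README in this same patch points to the `--backgroundServiceAccountName` flag as the new loop guard, but that is a deployment setting `Validate` cannot see, so on a cluster where it is unset, or set to an account other than the one the background controller really uses, a self-triggering rule is now admitted and can still re-trigger itself. If the hard error is deliberately being relaxed, a warning would keep the signal without blocking the policy: `if err := loopInGenerate(rule); err != nil { warnings = append(warnings, fmt.Sprintf("path: spec.rules[%d]: %v", i, err)) }` — assuming `warnings` is a string slice, as the neighbouring `return warnings, fmt.Errorf(...)` lines suggest. That would also mean keeping `loopInGenerate` and its `slices` import in generate.go instead of deleting them. `Validate` starts and ends outside this hunk.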
diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/README.md b/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/README.md
index 7c4b8091ad..de89752734 100644
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/README.md
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/prevent-loop/README.md
@@ -1,12 +1,12 @@
 ## Description
-This test ensures that a generate policy cannot have the same kind defined in the trigger and the target resources. Otherwise it would result in an endless loop.
+This test ensures that a generate policy is allowed to have the same kind defined in the trigger and the target resources. The flag `--backgroundServiceAccountName` was added to prevent endless loop.
 ## Expected Behavior
-The test fails if the policy creation is allowed, otherwise passes.
+The test passes if the policy creation is allowed, otherwise fails.
 ## Reference Issue(s)
-https://github.com/kyverno/kyverno/issues/7017
\ No newline at end of file
+https://github.com/kyverno/kyverno/issues/7280
\ No newline at end of file
diff --git a/test/conformance/kuttl/generate/validation/policy/prevent-loop/01-ns.yaml b/test/conformance/kuttl/generate/validation/policy/prevent-loop/01-ns.yaml
new file mode 100644
index 0000000000..d30f4dab16
--- /dev/null
+++ b/test/conformance/kuttl/generate/validation/policy/prevent-loop/01-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-generate-prevent-loop-ns
\ No newline at end of file
diff --git a/test/conformance/kuttl/generate/validation/policy/prevent-loop/01-fail.yaml b/test/conformance/kuttl/generate/validation/policy/prevent-loop/02-pass.yaml
similarity index 79%
rename from test/conformance/kuttl/generate/validation/policy/prevent-loop/01-fail.yaml
rename to test/conformance/kuttl/generate/validation/policy/prevent-loop/02-pass.yaml
index fd300fcae1..7f2dc5ad36 100644
--- a/test/conformance/kuttl/generate/validation/policy/prevent-loop/01-fail.yaml
+++ b/test/conformance/kuttl/generate/validation/policy/prevent-loop/02-pass.yaml
@@ -2,4 +2,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 apply:
 - file: policy.yaml
- shouldFail: true
\ No newline at end of file
+ shouldFail: false
\ No newline at end of file
diff --git a/test/conformance/kuttl/generate/validation/policy/prevent-loop/README.md b/test/conformance/kuttl/generate/validation/policy/prevent-loop/README.md
index 7c4b8091ad..de89752734 100644
--- a/test/conformance/kuttl/generate/validation/policy/prevent-loop/README.md
+++ b/test/conformance/kuttl/generate/validation/policy/prevent-loop/README.md
@@ -1,12 +1,12 @@
 ## Description
-This test ensures that a generate policy cannot have the same kind defined in the trigger and the target resources. Otherwise it would result in an endless loop.
+This test ensures that a generate policy is allowed to have the same kind defined in the trigger and the target resources. The flag `--backgroundServiceAccountName` was added to prevent endless loop.
 ## Expected Behavior
-The test fails if the policy creation is allowed, otherwise passes.
+The test passes if the policy creation is allowed, otherwise fails.
 ## Reference Issue(s)
-https://github.com/kyverno/kyverno/issues/7017
\ No newline at end of file
+https://github.com/kyverno/kyverno/issues/7280
\ No newline at end of file
diff --git a/test/conformance/kuttl/generate/validation/policy/prevent-loop/policy.yaml b/test/conformance/kuttl/generate/validation/policy/prevent-loop/policy.yaml
index 3a86cbe8df..a2a6616560 100644
--- a/test/conformance/kuttl/generate/validation/policy/prevent-loop/policy.yaml
+++ b/test/conformance/kuttl/generate/validation/policy/prevent-loop/policy.yaml
@@ -2,6 +2,7 @@ apiVersion: kyverno.io/v1
 kind: Policy
 metadata:
 name: pol-generate-prevent-loop
+ namespace: pol-generate-prevent-loop-ns
 spec:
 rules:
 - name: pol-generate-prevent-loop
@@ -16,7 +17,7 @@ spec:
 apiVersion: v1
 kind: ConfigMap
 name: corp-{{ random('[0-9a-z]{8}') }}
- namespace: "{{request.namespace}}"
+ namespace: pol-generate-prevent-loop-ns
 synchronize: false
 data:
 data:
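Review bot: After this change the suite only proves that the same-kind generate policy is admitted; neither this step nor `02-pass.yaml` observes that generation terminates, so a regression in the `--backgroundServiceAccountName` handling the README now relies on would pass silently. The generated ConfigMap is pinned to `pol-generate-prevent-loop-ns`, the namespace the policy itself lives in, so if the rule's match block triggers on ConfigMap as the README describes, every generated object is itself a candidate trigger in scope of the policy. A follow-up step that creates one ConfigMap in that namespace and then asserts, after a short wait, that the namespace holds a bounded number of `corp-*` ConfigMaps would make the loop guard something the test can actually observe rather than assume. The rule's match/trigger section is outside this hunk.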