diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index c87903d86e..95cde07077 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -2,6 +2,8 @@ package policy
 
 import (
 	"context"
+	"crypto/md5" //nolint:gosec
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -245,11 +247,10 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 		}
 	}
 
-	if oldPolicy != nil {
-		if err := immutableGenerateFields(policy, oldPolicy); err != nil {
-			return warnings, err
-		}
+	if err := immutableGenerateFields(policy, oldPolicy); err != nil {
+		return warnings, err
 	}
+
 	// validate Cluster Resources in namespaced policy
 	// For namespaced policy, ClusterResource type field and values are not allowed in match and exclude
 	if namespaced {
@@ -1387,32 +1388,58 @@ func checkForStatusSubresource(ruleTypeJson []byte, allKinds []string, warnings } func immutableGenerateFields(new, old kyvernov1.PolicyInterface) error { + if new == nil || old == nil { + return nil + } + if !new.GetSpec().HasGenerate() { return nil } - oldRuleNames := make(map[string]kyvernov1.Generation, len(old.GetSpec().Rules)) - for _, rule := range old.GetSpec().Rules { - oldRuleNames[rule.Name] = rule.Generation + oldRuleHashes, err := buildHashes(old.GetSpec().Rules) + if err != nil { + return err + } + newRuleHashes, err := buildHashes(new.GetSpec().Rules) + if err != nil { + return err } - newRuleNames := make(map[string]kyvernov1.Generation, len(new.GetSpec().Rules)) - for _, rule := range new.GetSpec().Rules { - newRuleNames[rule.Name] = rule.Generation - } - - for newRuleName, newGenerate := range newRuleNames { - oldGenerate, ok := oldRuleNames[newRuleName] - if !ok { - continue + switch len(old.GetSpec().Rules) <= len(new.GetSpec().Rules) { + case true: + if newRuleHashes.IsSuperset(oldRuleHashes) { + return nil + } else { + return errors.New("change of immutable fields for a generate rule is disallowed") } - - oldGenerate.Synchronize = newGenerate.Synchronize - oldGenerate.SetData(newGenerate.GetData()) - - if !reflect.DeepEqual(newGenerate, oldGenerate) { - return fmt.Errorf("cannot change downstream, or clone sources for a generate rule") + case false: + if oldRuleHashes.IsSuperset(newRuleHashes) { + return nil + } else { + return errors.New("rule deletion - change of immutable fields for a generate rule is disallowed") } } return nil } + +func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule { + new := new(kyvernov1.Rule) + rule.DeepCopyInto(new) + new.Generation.Synchronize = true + new.Generation.SetData(nil) + return new +} + +func buildHashes(rules []kyvernov1.Rule) (sets.Set[string], error) { + ruleHashes := sets.New[string]() + for _, rule := range rules { + r := resetMutableFields(rule) + data, err := 
json.Marshal(r)
+		if err != nil {
+			return ruleHashes, fmt.Errorf("failed to create hash from the generate rule %v", err)
+		}
+		hash := md5.Sum(data) //nolint:gosec
+		ruleHashes.Insert(hex.EncodeToString(hash[:]))
+	}
+	return ruleHashes, nil
+}
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index a58350d384..443029219b 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -2307,85 +2307,6 @@ func Test_ImmutableGenerateFields(t *testing.T) {
 		newPolicy []byte
 		expectedErr bool
 	}{
-		{
-			name: "update-rule-name",
-			oldPolicy: []byte(`
-			{
-				"apiVersion": "kyverno.io/v2beta1",
-				"kind": "ClusterPolicy",
-				"metadata": {
-					"name": "cpol-clone-sync-modify-source"
-				},
-				"spec": {
-					"rules": [
-						{
-							"name": "cpol-clone-sync-modify-source-secret",
-							"match": {
-								"any": [
-									{
-										"resources": {
-											"kinds": [
-												"Namespace"
-											]
-										}
-									}
-								]
-							},
-							"generate": {
-								"apiVersion": "v1",
-								"kind": "Secret",
-								"name": "regcred",
-								"namespace": "{{request.object.metadata.name}}",
-								"synchronize": true,
-								"clone": {
-									"namespace": "default",
-									"name": "regcred"
-								}
-							}
-						}
-					]
-				}
-			}
-			`),
-			newPolicy: []byte(`
-			{
-				"apiVersion": "kyverno.io/v2beta1",
-				"kind": "ClusterPolicy",
-				"metadata": {
-					"name": "cpol-clone-sync-modify-source"
-				},
-				"spec": {
-					"rules": [
-						{
-							"name": "updated-rule-name",
-							"match": {
-								"any": [
-									{
-										"resources": {
-											"kinds": [
-												"Namespace"
-											]
-										}
-									}
-								]
-							},
-							"generate": {
-								"apiVersion": "v1",
-								"kind": "Secret",
-								"name": "regcred",
-								"namespace": "{{request.object.metadata.name}}",
-								"synchronize": true,
-								"clone": {
-									"namespace": "default",
-									"name": "regcred"
-								}
-							}
-						}
-					]
-				}
-			}`),
-			expectedErr: false,
-		},
 		{
 			name: "update-apiVersion",
 			oldPolicy: []byte(`
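Review bot: `buildHashes` fingerprints every rule in `GetSpec().Rules`, not only the generate rules, so in a policy that mixes generate rules with validate or mutate rules any edit to a non-generate rule (its pattern, message, match) now fails with "change of immutable fields for a generate rule is disallowed", where the replaced code only compared the `Generation` of same-named rules. Skipping non-generate rules in the loop, `if !rule.HasGenerate() { continue }` before `r := resetMutableFields(rule)` (assuming `Rule` exposes the same predicate the spec does), keeps the check scoped to what the new kuttl tests exercise. The `new == nil || old == nil` guard at the top of `immutableGenerateFields` only catches a nil interface value; a typed nil `*ClusterPolicy`/`*Policy` stored in the interface passes it and `old.GetSpec()` then dereferences nil inside the admission path, so it is worth confirming no caller wraps a nil pointer. The MD5 digest is only used as an equality key and the `//nolint:gosec` is avoidable: inserting the marshaled JSON string itself into the set (or a `sha256` hex) gives the same result without the `crypto/md5` import, and the loop's error should wrap rather than format, `fmt.Errorf("hashing generate rule %q: %w", rule.Name, err)`.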
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml index b5e26cd00f..2bebbe7ce1 100644 --- a/test/conformance/kuttl/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml @@ -5,7 +5,7 @@ metadata: spec: generateExisting: true rules: - - name: existing-basic-create-rule-data + - name: existing-basic-create-rule match: any: - resources: diff --git a/test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/manifests.yaml b/test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/manifests.yaml index c72b3a8ba1..6170cdb090 100644 --- a/test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/manifests.yaml +++ b/test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/manifests.yaml @@ -46,7 +46,7 @@ spec: clone: name: regcred namespace: default - - name: pol-clone-nosync-delete-rule-lr + - name: pol-clone-sync-delete-rule-lr match: any: - resources: @@ -57,7 +57,7 @@ spec: kind: LimitRange name: genlr namespace: default - synchronize: false + synchronize: true clone: name: sourcelr namespace: default diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-downstream/README.md b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-downstream/README.md index 88568312f4..f263e5d7a0 100644 --- a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-downstream/README.md +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-downstream/README.md 
@@ -1,6 +1,6 @@ ## Description -This test ensures that modification of the downstream rseource defined in a generate ClusterPolicy is disallowed. +This test ensures that modification of the downstream resource defined in a generate ClusterPolicy is disallowed. ## Expected Behavior diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/01-assert.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/01-assert.yaml new file mode 100644 index 0000000000..469825657e --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/01-policy.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/01-policy.yaml new file mode 100644 index 0000000000..08942b2ba2 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/01-policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" 
diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/02-update.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/02-update.yaml new file mode 100644 index 0000000000..3b72946d09 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/02-update.yaml @@ -0,0 +1,13 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: update-rule-name.yaml + shouldFail: true +- file: update-rule-match.yaml + shouldFail: true +- file: update-rule-exclude.yaml + shouldFail: true +- file: update-rule-preconditions.yaml + shouldFail: true +- file: update-rule-generate-synchronize.yaml + shouldFail: false diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/README.md b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/README.md new file mode 100644 index 0000000000..058357b4f5 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/README.md @@ -0,0 +1,12 @@ +## Description + +This test ensures that modification of the rule spec fields defined in a generate ClusterPolicy is disallowed except `spec.generate.synchronize`. + +## Expected Behavior + +The test fails if the modification is allowed, otherwise passes. + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6440 \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-exclude.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-exclude.yaml new file mode 100644 index 0000000000..944b6f957c --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-exclude.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-generate-synchronize.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-generate-synchronize.yaml new file mode 100644 index 0000000000..9f99a98aeb --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-generate-synchronize.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" 
diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-match.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-match.yaml new file mode 100644 index 0000000000..2cdf7920cf --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-match.yaml @@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + - Secret + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-name.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-name.yaml new file mode 100644 index 0000000000..6532976e90 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-name.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: i-changed-this + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml new file mode 100644 index 0000000000..09f670ea83 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml @@ -0,0 +1,39 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + preconditions: + - key: "{{request.operation}}" + operator: NotEquals + value: DELETE + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" 
diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-downstream/README.md b/test/conformance/kuttl/generate/validation/policy/immutable-downstream/README.md index db7a20ff81..52253577e3 100644 --- a/test/conformance/kuttl/generate/validation/policy/immutable-downstream/README.md +++ b/test/conformance/kuttl/generate/validation/policy/immutable-downstream/README.md @@ -1,6 +1,6 @@ ## Description -This test ensures that modification of the downstream rseource defined in a generate Policy is disallowed. +This test ensures that modification of the downstream resource defined in a generate Policy is disallowed. ## Expected Behavior diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/01-assert.yaml b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/01-assert.yaml new file mode 100644 index 0000000000..0bc6b8b3b1 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/01-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: generate-update-rule-spec + namespace: default +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/01-policy.yaml b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/01-policy.yaml new file mode 100644 index 0000000000..e32cee6c08 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/01-policy.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: generate-update-rule-spec + namespace: default +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Secret + exclude: + any: + - resources: + kinds: + - NetworkPolicy + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/02-update.yaml b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/02-update.yaml new file mode 100644 index 0000000000..3b72946d09 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/02-update.yaml @@ -0,0 +1,13 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: update-rule-name.yaml + shouldFail: true +- file: update-rule-match.yaml + shouldFail: true +- file: update-rule-exclude.yaml + shouldFail: true +- file: update-rule-preconditions.yaml + shouldFail: true +- file: update-rule-generate-synchronize.yaml + shouldFail: false diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/README.md b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/README.md new file mode 100644 index 0000000000..974cfe8432 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/README.md 
@@ -0,0 +1,12 @@ +## Description + +This test ensures that modification of the rule spec fields defined in a generate Policy is disallowed except `spec.generate.synchronize`. + +## Expected Behavior + +The test fails if the modification is allowed, otherwise passes. + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6440 \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-exclude.yaml b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-exclude.yaml new file mode 100644 index 0000000000..174d61b34d --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-exclude.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: generate-update-rule-spec + namespace: default +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Secret + exclude: + any: + - resources: + kinds: + - NetworkPolicy + names: + - test + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-generate-synchronize.yaml b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-generate-synchronize.yaml new file mode 100644 index 0000000000..f5f2fa2e20 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-generate-synchronize.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: generate-update-rule-spec + namespace: default +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Secret + exclude: + any: + - resources: + kinds: + - NetworkPolicy + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-match.yaml b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-match.yaml new file mode 100644 index 0000000000..94a5bbdaaa --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-match.yaml @@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: generate-update-rule-spec + namespace: default +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Secret + - ServiceAccount + exclude: + any: + - resources: + kinds: + - NetworkPolicy + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-name.yaml b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-name.yaml new file mode 100644 index 0000000000..4880676682 --- /dev/null 
+++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-name.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: generate-update-rule-spec + namespace: default +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: i-changed-this + match: + any: + - resources: + kinds: + - Secret + exclude: + any: + - resources: + kinds: + - NetworkPolicy + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml new file mode 100644 index 0000000000..f9451450ab --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml @@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: generate-update-rule-spec + namespace: default +spec: + generateExistingOnPolicyUpdate: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Secret + exclude: + any: + - resources: + kinds: + - NetworkPolicy + preconditions: + - key: "{{request.operation}}" + operator: NotEquals + value: DELETE + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"