fix: cloneList sync behavior (#7466)
* fix flaky tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* chore(deps): bump docker/login-action from 2.1.0 to 2.2.0 (#7463)
Bumps [docker/login-action](https://github.com/docker/login-action) from 2.1.0 to 2.2.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](f4ef78c080...465a07811f
)
---
updated-dependencies:
- dependency-name: docker/login-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump slsa-framework/slsa-github-generator (#7462)
Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.6.0 to 1.7.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.6.0...v1.7.0)
---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix cloneList sync behavior
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* skip creating duplicate URs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add kuttl tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add kuttl tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add kuttl tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* rename
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix
Signed-off-by: ShutingZhao <shuting@nirmata.com>
---------
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This commit is contained in:
parent
575cc7066a
commit
5fa6e1fa48
44 changed files with 545 additions and 37 deletions
|
@ -315,8 +315,11 @@ func GetPatchedAndGeneratedResource(resourceBytes []byte) (unstructured.Unstruct
|
|||
if err != nil {
|
||||
return unstructured.Unstructured{}, err
|
||||
}
|
||||
resource := *getResource[0]
|
||||
return resource, nil
|
||||
if len(getResource) > 0 && getResource[0] != nil {
|
||||
resource := *getResource[0]
|
||||
return resource, nil
|
||||
}
|
||||
return unstructured.Unstructured{}, err
|
||||
}
|
||||
|
||||
// GetKindsFromRule will return the kinds from policy match block
|
||||
|
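Review bot: The fallback `return unstructured.Unstructured{}, err` added after the new length guard in GetPatchedAndGeneratedResource returns a zero-value resource with a nil error, because `err` was already checked and found nil on the lines just above; a caller that hits an empty `getResource` (or a nil first element) therefore sees success with an empty object instead of a failure. Return an explicit error there, e.g. `return unstructured.Unstructured{}, fmt.Errorf("no resource found in input")` (or `errors.New` if fmt is not imported in this file). The function's body starts before the hunk, so how `getResource` is produced is not visible here.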
|
|
@ -7,8 +7,10 @@ import (
|
|||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/background/common"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
"go.uber.org/multierr"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
func (c *GenerateController) deleteDownstream(policy kyvernov1.PolicyInterface, ur *kyvernov1beta1.UpdateRequest) (err error) {
|
||||
|
@ -61,28 +63,60 @@ func (c *GenerateController) deleteDownstreamForClone(policy kyvernov1.PolicyInt
|
|||
common.GenerateRuleLabel: rule.Name,
|
||||
kyvernov1.LabelAppManagedBy: kyvernov1.ValueKyvernoApp,
|
||||
}
|
||||
downstreams, err := FindDownstream(c.client, rule.Generation.GetAPIVersion(), rule.Generation.GetKind(), labels)
|
||||
if err != nil {
|
||||
return err
|
||||
|
||||
sources := []kyvernov1.ResourceSpec{rule.Generation.ResourceSpec}
|
||||
if rule.Generation.CloneList.Kinds != nil {
|
||||
srcs, err := c.getCloneSources(ur, rule)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to get clone sources for the cloneList : %v", err)
|
||||
}
|
||||
sources = srcs
|
||||
}
|
||||
|
||||
var errs []error
|
||||
failedDownstreams := []kyvernov1.ResourceSpec{}
|
||||
for _, downstream := range downstreams.Items {
|
||||
if err := c.client.DeleteResource(context.TODO(), downstream.GetAPIVersion(), downstream.GetKind(), downstream.GetNamespace(), downstream.GetName(), false); err != nil && !apierrors.IsNotFound(err) {
|
||||
failedDownstreams = append(failedDownstreams, common.ResourceSpecFromUnstructured(downstream))
|
||||
errs = append(errs, err)
|
||||
for _, source := range sources {
|
||||
downstreams, err := FindDownstream(c.client, source.GetAPIVersion(), source.GetKind(), labels)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var errs []error
|
||||
failedDownstreams := []kyvernov1.ResourceSpec{}
|
||||
for _, downstream := range downstreams.Items {
|
||||
if err := c.client.DeleteResource(context.TODO(), downstream.GetAPIVersion(), downstream.GetKind(), downstream.GetNamespace(), downstream.GetName(), false); err != nil && !apierrors.IsNotFound(err) {
|
||||
failedDownstreams = append(failedDownstreams, common.ResourceSpecFromUnstructured(downstream))
|
||||
errs = append(errs, err)
|
||||
}
|
||||
}
|
||||
if len(errs) != 0 {
|
||||
c.log.Error(multierr.Combine(errs...), "failed to clean up downstream resources on source deletion")
|
||||
_, err = c.statusControl.Failed(ur.GetName(),
|
||||
fmt.Sprintf("failed to clean up downstream resources on source deletion: %v", multierr.Combine(errs...)),
|
||||
failedDownstreams)
|
||||
} else {
|
||||
_, err = c.statusControl.Success(ur.GetName(), nil)
|
||||
}
|
||||
if err != nil {
|
||||
c.log.Error(err, "failed to update ur status")
|
||||
}
|
||||
}
|
||||
if len(errs) != 0 {
|
||||
c.log.Error(multierr.Combine(errs...), "failed to clean up downstream resources on source deletion")
|
||||
_, err = c.statusControl.Failed(ur.GetName(),
|
||||
fmt.Sprintf("failed to clean up downstream resources on source deletion: %v", multierr.Combine(errs...)),
|
||||
failedDownstreams)
|
||||
} else {
|
||||
_, err = c.statusControl.Success(ur.GetName(), nil)
|
||||
}
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *GenerateController) getCloneSources(ur *kyvernov1beta1.UpdateRequest, rule kyvernov1.Rule) (sources []kyvernov1.ResourceSpec, err error) {
|
||||
source, err := c.getTriggerForDeleteOperation(ur.Spec)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
labels := source.GetLabels()
|
||||
if _, ok := labels[common.GenerateTypeCloneSourceLabel]; ok {
|
||||
return []kyvernov1.ResourceSpec{newResourceSpec(source.GetAPIVersion(), source.GetKind(), source.GetNamespace(), source.GetName())}, nil
|
||||
}
|
||||
|
||||
for _, kind := range rule.Generation.CloneList.Kinds {
|
||||
g, v, k, _ := kubeutils.ParseKindSelector(kind)
|
||||
sources = append(sources, newResourceSpec(schema.GroupVersion{Group: g, Version: v}.String(), k, "", ""))
|
||||
}
|
||||
return
|
||||
}
|
||||
|
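Review bot: Moving the UR status update inside the new `for _, source := range sources` loop in deleteDownstreamForClone means each source overwrites the status written for the previous one: a source whose downstream deletion failed is reported as Failed and then flipped to Success by the next source that cleans up fine, and the function now always returns nil where it previously returned the status-update error. `errs` and `failedDownstreams` should be accumulated across all sources and the status written once after the loop, as sketched below. Separately, in the cloneList branch the lookup is keyed only on the source's apiVersion/kind plus the policy/rule labels built above the hunk (getCloneSources deliberately leaves namespace and name empty); if that label set does not identify the individual source, deleting one clone source removes every downstream the rule ever generated, which is worth confirming against the label construction outside this hunk.
```go
	var errs []error
	failedDownstreams := []kyvernov1.ResourceSpec{}
	for _, source := range sources {
		downstreams, err := FindDownstream(c.client, source.GetAPIVersion(), source.GetKind(), labels)
		if err != nil {
			return err
		}
		for _, downstream := range downstreams.Items {
			// … unchanged: DeleteResource call appending to failedDownstreams/errs …
		}
	}
	if len(errs) != 0 {
		// … unchanged: log + statusControl.Failed with failedDownstreams …
	} else {
		_, err = c.statusControl.Success(ur.GetName(), nil)
	}
	return err
```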
|
|
@ -133,9 +133,9 @@ func (c *GenerateController) getTrigger(spec kyvernov1beta1.UpdateRequestSpec) (
|
|||
} else {
|
||||
operation := spec.Context.AdmissionRequestInfo.Operation
|
||||
if operation == admissionv1.Delete {
|
||||
return getTriggerForDeleteOperation(spec, c)
|
||||
return c.getTriggerForDeleteOperation(spec)
|
||||
} else if operation == admissionv1.Create {
|
||||
return getTriggerForCreateOperation(spec, c)
|
||||
return c.getTriggerForCreateOperation(spec)
|
||||
} else {
|
||||
newResource, oldResource, err := admissionutils.ExtractResources(nil, *admissionRequest)
|
||||
if err != nil {
|
||||
|
@ -152,7 +152,7 @@ func (c *GenerateController) getTrigger(spec kyvernov1beta1.UpdateRequestSpec) (
|
|||
}
|
||||
}
|
||||
|
||||
func getTriggerForDeleteOperation(spec kyvernov1beta1.UpdateRequestSpec, c *GenerateController) (*unstructured.Unstructured, error) {
|
||||
func (c *GenerateController) getTriggerForDeleteOperation(spec kyvernov1beta1.UpdateRequestSpec) (*unstructured.Unstructured, error) {
|
||||
request := spec.Context.AdmissionRequestInfo.AdmissionRequest
|
||||
_, oldResource, err := admissionutils.ExtractResources(nil, *request)
|
||||
if err != nil {
|
||||
|
@ -167,7 +167,7 @@ func getTriggerForDeleteOperation(spec kyvernov1beta1.UpdateRequestSpec, c *Gene
|
|||
return &oldResource, nil
|
||||
}
|
||||
|
||||
func getTriggerForCreateOperation(spec kyvernov1beta1.UpdateRequestSpec, c *GenerateController) (*unstructured.Unstructured, error) {
|
||||
func (c *GenerateController) getTriggerForCreateOperation(spec kyvernov1beta1.UpdateRequestSpec) (*unstructured.Unstructured, error) {
|
||||
admissionRequest := spec.Context.AdmissionRequestInfo.AdmissionRequest
|
||||
trigger, err := common.GetResource(c.client, spec, c.log)
|
||||
if err != nil || trigger == nil {
|
||||
|
|
|
@ -15,9 +15,10 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
utils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
|
@ -109,7 +110,7 @@ func (h *generationHandler) handleTrigger(
|
|||
var appliedRules, failedRules []engineapi.RuleResponse
|
||||
policyContext := policyContext.WithPolicy(policy)
|
||||
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
||||
policyContext = policyContext.WithNamespaceLabels(engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
|
||||
policyContext = policyContext.WithNamespaceLabels(utils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
|
||||
}
|
||||
engineResponse := h.engine.ApplyBackgroundChecks(ctx, policyContext)
|
||||
for _, rule := range engineResponse.PolicyResponse.Rules {
|
||||
|
@ -282,6 +283,21 @@ func (h *generationHandler) processRequest(ctx context.Context, policyContext *e
|
|||
pKey := common.PolicyKey(pNamespace, pName)
|
||||
for _, rule := range policy.GetSpec().Rules {
|
||||
if rule.Name == pRuleName && rule.Generation.Synchronize {
|
||||
gvk, subresource := policyContext.ResourceKind()
|
||||
if err := engineutils.MatchesResourceDescription(
|
||||
old,
|
||||
rule,
|
||||
policyContext.AdmissionInfo(),
|
||||
policyContext.NamespaceLabels(),
|
||||
policy.GetNamespace(),
|
||||
gvk,
|
||||
subresource,
|
||||
policyContext.Operation(),
|
||||
); err == nil {
|
||||
h.log.V(4).Info("skip creating UR as the admission resource is both the source and the trigger")
|
||||
continue
|
||||
}
|
||||
|
||||
ur := buildURSpec(kyvernov1beta1.Generate, pKey, rule.Name, generateutils.TriggerFromLabels(labels), deleteDownstream)
|
||||
if err := h.urGenerator.Apply(ctx, ur); err != nil {
|
||||
e := event.NewBackgroundFailedEvent(err, pKey, pRuleName, event.GeneratePolicyController, &new)
|
||||
|
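Review bot: The new skip in processRequest treats a successful `MatchesResourceDescription(old, rule, …)` against the rule's trigger `match` block as proof that the admission resource is "both the source and the trigger", but nothing in the hunk compares `old` with `rule.Generation.Clone` or `CloneList` (namespace, name, selector), so the log message overstates what was checked; the skip is only safe if the trigger path is guaranteed to emit the UR for this resource, which cannot be verified from this hunk. Reword the message to what is actually established and include the identity so a dropped UR is traceable during incident review: `h.log.V(4).Info("skip creating UR, the admission resource matches the rule trigger and is handled by the trigger path", "kind", old.GetKind(), "namespace", old.GetNamespace(), "name", old.GetName())` (assuming `old` is an unstructured.Unstructured, as its use with MatchesResourceDescription suggests). `gvk, subresource := policyContext.ResourceKind()` does not depend on `rule` and can be hoisted above the loop. processRequest starts and continues outside the hunk.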
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-list-sync-same-trigger-source-cpol
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,36 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-list-sync-same-trigger-source-trigger-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-list-sync-same-trigger-source-target-ns
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-list-sync-same-trigger-source-cpol
|
||||
spec:
|
||||
rules:
|
||||
- name: sync-secret
|
||||
match:
|
||||
all:
|
||||
- resources:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: "?*"
|
||||
kinds:
|
||||
- Secret
|
||||
namespaces:
|
||||
- clone-list-sync-same-trigger-source-trigger-ns
|
||||
generate:
|
||||
namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}'
|
||||
synchronize: true
|
||||
cloneList:
|
||||
namespace: clone-list-sync-same-trigger-source-trigger-ns
|
||||
kinds:
|
||||
- v1/Secret
|
||||
selector:
|
||||
matchLabels:
|
||||
allowedToBeCloned: "true"
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- trigger.yaml
|
||||
assert:
|
||||
- target.yaml
|
|
@ -0,0 +1,8 @@
|
|||
# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
delete:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
name: mysecret
|
||||
namespace: clone-list-sync-same-trigger-source-trigger-ns
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
error:
|
||||
- target.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a corner case test to ensure the downstream target is deleted when the source is deleted, for a generate cloneList type of policy. This is a corner case because the source and the trigger is the same resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource is deleted, the test passes. If not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/7281
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-target-ns
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret
|
||||
namespace: clone-list-sync-same-trigger-source-target-ns
|
||||
type: Opaque
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
location: europe
|
||||
allowedToBeCloned: "true"
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-target-ns
|
||||
name: mysecret
|
||||
namespace: clone-list-sync-same-trigger-source-trigger-ns
|
||||
type: Opaque
|
||||
data:
|
||||
foo: YmFy
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-list-sync-same-trigger-source-update-source-cpol
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,41 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-list-sync-same-trigger-source-update-source-trigger-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-list-sync-same-trigger-source-update-source-target-ns-1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-list-sync-same-trigger-source-update-source-target-ns-2
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-list-sync-same-trigger-source-update-source-cpol
|
||||
spec:
|
||||
rules:
|
||||
- name: sync-secret
|
||||
match:
|
||||
all:
|
||||
- resources:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: "?*"
|
||||
kinds:
|
||||
- Secret
|
||||
namespaces:
|
||||
- clone-list-sync-same-trigger-source-update-source-trigger-ns
|
||||
generate:
|
||||
namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}'
|
||||
synchronize: true
|
||||
cloneList:
|
||||
namespace: clone-list-sync-same-trigger-source-update-source-trigger-ns
|
||||
kinds:
|
||||
- v1/Secret
|
||||
selector:
|
||||
matchLabels:
|
||||
allowedToBeCloned: "true"
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- trigger.yaml
|
||||
assert:
|
||||
- target.yaml
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
location: europe
|
||||
allowedToBeCloned: "true"
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-update-source-target-ns-2
|
||||
name: mysecret
|
||||
namespace: clone-list-sync-same-trigger-source-update-source-trigger-ns
|
||||
type: Opaque
|
||||
data:
|
||||
foo: YmFy
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
assertion:
|
||||
- target-2.yaml
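Review bot: `assertion:` is not a field of a kuttl TestStep; the sibling steps in this commit use `assert:` (and `error:`), so as written this step checks nothing and the cloneList update-source test passes without ever verifying that the copy in target-ns-2 was created. Change the key to `assert:` with `- target-2.yaml`. If synchronize is also expected to remove the stale copy from target-ns-1 once the annotation points elsewhere, add an `error:` entry for that Secret as well; otherwise a cloned Secret lingers in a namespace the source no longer designates, and the README for this test does not state the intended behaviour either way.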
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a corner case test to ensure a new downstream target is created when the source matches a different namespace, for a generate cloneList type of policy. This is a corner case because the source and the trigger is the same resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The new downstream resource should be created after the trigger is updated. Otherwise the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/7281
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-update-source-target-ns-2
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret
|
||||
namespace: clone-list-sync-same-trigger-source-update-source-target-ns-2
|
||||
type: Opaque
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-update-source-target-ns-1
|
||||
labels:
|
||||
allowedToBeCloned: "true"
|
||||
location: europe
|
||||
name: mysecret
|
||||
namespace: clone-list-sync-same-trigger-source-update-source-target-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
location: europe
|
||||
allowedToBeCloned: "true"
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-update-source-target-ns-1
|
||||
name: mysecret
|
||||
namespace: clone-list-sync-same-trigger-source-update-source-trigger-ns
|
||||
type: Opaque
|
||||
data:
|
||||
foo: YmFy
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-sync-same-trigger-source-cpol
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,36 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-sync-same-trigger-source-trigger-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-sync-same-trigger-source-target-ns
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-sync-same-trigger-source-cpol
|
||||
spec:
|
||||
rules:
|
||||
- name: sync-secret
|
||||
match:
|
||||
all:
|
||||
- resources:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: "?*"
|
||||
kinds:
|
||||
- Secret
|
||||
namespaces:
|
||||
- clone-sync-same-trigger-source-trigger-ns
|
||||
generate:
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}'
|
||||
name: mysecret
|
||||
synchronize: true
|
||||
clone:
|
||||
namespace: clone-sync-same-trigger-source-trigger-ns
|
||||
name: mysecret
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- trigger.yaml
|
||||
assert:
|
||||
- target.yaml
|
|
@ -0,0 +1,8 @@
|
|||
# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
delete:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
name: mysecret
|
||||
namespace: clone-sync-same-trigger-source-trigger-ns
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
error:
|
||||
- target.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a corner case test to ensure the downstream target is deleted when the source is deleted, for a generate clone type of policy. This is a corner case because the source and the trigger is the same resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the downstream resource is deleted, the test passes. If not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/7281
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-target-ns
|
||||
labels:
|
||||
location: europe
|
||||
name: mysecret
|
||||
namespace: clone-sync-same-trigger-source-target-ns
|
||||
type: Opaque
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
location: europe
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-target-ns
|
||||
name: mysecret
|
||||
namespace: clone-sync-same-trigger-source-trigger-ns
|
||||
type: Opaque
|
||||
data:
|
||||
foo: YmFy
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-sync-same-trigger-source-update-source-cpol
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,40 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-sync-same-trigger-source-update-source-trigger-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-sync-same-trigger-source-update-source-target-ns-1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: clone-sync-same-trigger-source-update-source-target-ns-2
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: clone-sync-same-trigger-source-update-source-cpol
|
||||
spec:
|
||||
rules:
|
||||
- name: sync-secret
|
||||
match:
|
||||
all:
|
||||
- resources:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: "?*"
|
||||
kinds:
|
||||
- Secret
|
||||
namespaces:
|
||||
- clone-sync-same-trigger-source-update-source-trigger-ns
|
||||
generate:
|
||||
namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}'
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
name: mysecret
|
||||
synchronize: true
|
||||
clone:
|
||||
namespace: clone-sync-same-trigger-source-update-source-trigger-ns
|
||||
name: mysecret
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- trigger.yaml
|
||||
assert:
|
||||
- target.yaml
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
location: europe
|
||||
allowedToBeCloned: "true"
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-update-source-target-ns-2
|
||||
name: mysecret
|
||||
namespace: clone-sync-same-trigger-source-update-source-trigger-ns
|
||||
type: Opaque
|
||||
data:
|
||||
foo: YmFy
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: sleep 3
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
assertion:
|
||||
- target-2.yaml
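Review bot: The `assertion:` key in this step is not recognised by kuttl, which expects `assert:` as used by the other steps added in this commit, so the clone update-source test never asserts that `target-2.yaml` exists and passes vacuously. Replace it with `assert:` followed by `- target-2.yaml`. Consider also an `error:` entry for the Secret in target-ns-1 if the sync is meant to retract the old copy after the annotation changes; leaving that unasserted means a stale secret copy can remain in a namespace that is no longer the intended target without the test noticing.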
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a corner case test to ensure a new downstream target is created when the source matches a different namespace, for a generate clone type of policy. This is a corner case because the source and the trigger is the same resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The new downstream resource should be created after the trigger is updated. Otherwise the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/7281
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-update-source-target-ns-2
|
||||
labels:
|
||||
location: europe
|
||||
name: mysecret
|
||||
namespace: clone-sync-same-trigger-source-update-source-target-ns-2
|
||||
type: Opaque
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-update-source-target-ns-1
|
||||
labels:
|
||||
location: europe
|
||||
name: mysecret
|
||||
namespace: clone-sync-same-trigger-source-update-source-target-ns-1
|
||||
type: Opaque
|
|
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
location: europe
|
||||
annotations:
|
||||
myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-update-source-target-ns-1
|
||||
name: mysecret
|
||||
namespace: clone-sync-same-trigger-source-update-source-trigger-ns
|
||||
type: Opaque
|
||||
data:
|
||||
foo: YmFy
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: pol-data-sync-delete-trigger
|
||||
namespace: pol-data-sync-delete-trigger-ns
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -1,14 +1,3 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: pol-data-sync-delete-trigger
|
||||
namespace: pol-data-sync-delete-trigger-ns
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
|
|