From 60a8384fd417ca8403ecefd6ddc9c5d20d755935 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Thu, 8 Aug 2024 15:11:20 +0300 Subject: [PATCH] feat: add tests for different values of generateExisting (#10807) 
Signed-off-by: Mariam Fahmy --- api/kyverno/v1/common_types.go | 4 -- api/kyverno/v1/spec_types.go | 22 +++------ api/kyverno/v2beta1/spec_types.go | 22 +++------ pkg/background/generate/generate.go | 8 ++- pkg/policy/generate.go | 14 +++++- pkg/utils/fuzz/policy_spec.go | 6 --- .../sync-multiple-resources/policy.yaml | 2 +- .../README.md | 17 +++++++ .../chainsaw-test.yaml | 27 ++++++++++ .../existing-resources.yaml | 13 +++++ .../fail-generated-resources.yaml | 21 ++++++++ .../generated-resources.yaml | 25 ++++++++++ .../policy-ready.yaml | 9 ++++ .../policy.yaml | 49 +++++++++++++++++++ .../README.md | 17 +++++++ .../chainsaw-test.yaml | 27 ++++++++++ .../existing-resources.yaml | 13 +++++ .../fail-generated-resources.yaml | 21 ++++++++ .../generated-resources.yaml | 25 ++++++++++ .../policy-ready.yaml | 9 ++++ .../policy.yaml | 49 +++++++++++++++++++ .../policy-fail-2-ns-cluster-target.yaml | 2 +- .../policy-pass-1-ns-namespaced-target.yaml | 2 +- .../policy-pass-2-no-ns-cluster-target.yaml | 2 +- .../README.md | 7 +++ .../chainsaw-test.yaml | 14 ++++++ .../policy.yaml | 31 ++++++++++++ .../target-namespace-scope/policy-fail-1.yaml | 2 +- .../target-namespace-scope/policy-fail-2.yaml | 2 +- .../target-namespace-scope/policy-fail-3.yaml | 2 +- .../target-namespace-scope/policy-pass.yaml | 2 +- .../README.md | 7 +++ .../chainsaw-test.yaml | 14 ++++++ .../policy.yaml | 32 ++++++++++++ 34 files changed, 466 insertions(+), 53 deletions(-) create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml create mode 100644 
test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md create mode 100755 test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml create mode 100644 
test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md create mode 100755 test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 8b0071e59b..0204faafda 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -781,10 +781,6 @@ type Generation struct { CloneList CloneList `json:"cloneList,omitempty" yaml:"cloneList,omitempty"` } -func (g *Generation) IsGenerateExisting() *bool { - return g.GenerateExisting -} - type CloneList struct { // Namespace specifies source resource namespace. Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index 0c59937b40..901cf0f651 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go @@ -254,19 +254,16 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { return s.MutateExistingOnPolicyUpdate } -// IsGenerateExisting return GenerateExisting set value +// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true func (s *Spec) IsGenerateExisting() bool { for _, rule := range s.Rules { if rule.HasGenerate() { - isGenerateExisting := rule.Generation.IsGenerateExisting() - if isGenerateExisting != nil { - return *isGenerateExisting + isGenerateExisting := rule.Generation.GenerateExisting + if isGenerateExisting != nil && *isGenerateExisting { + return true } } } - if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate { - return true - } return s.GenerateExisting } 
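Review bot: Policies already persisted with `generateExistingOnPolicyUpdate: true` will stop being applied to existing resources after this change, because the removed fallback at the end of IsGenerateExisting is gone and nothing on the new side reads that field; the Forbidden validation added later in this patch presumably runs only at admission, so objects already stored are never rejected and the regression is silent. If that is the intended upgrade path it deserves a release note, otherwise the fallback should survive one release with a deprecation warning logged. The new doc comment also omits the policy-level fallback that the last line still performs; suggest `// IsGenerateExisting returns true if any generate rule sets generateExisting to true, otherwise it falls back to the policy-level spec.generateExisting.`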
@@ -340,15 +337,8 @@ func (s *Spec) validateDeprecatedFields(path *field.Path) (errs field.ErrorList) errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead")) } - for _, rule := range s.Rules { - if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil { - if s.GenerateExistingOnPolicyUpdate != nil { - errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - if s.GenerateExisting { - errs = append(errs, field.Forbidden(path.Child("generateExisting"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - } + if s.GenerateExistingOnPolicyUpdate != nil { + errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) } return errs } diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go index 25a5e0ea81..11f72bf2b3 100644 --- a/api/kyverno/v2beta1/spec_types.go +++ b/api/kyverno/v2beta1/spec_types.go @@ -223,19 +223,16 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { return s.MutateExistingOnPolicyUpdate } -// IsGenerateExisting return GenerateExisting set value +// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true func (s *Spec) IsGenerateExisting() bool { for _, rule := range s.Rules { if rule.HasGenerate() { - isGenerateExisting := rule.Generation.IsGenerateExisting() - if isGenerateExisting != nil { - return *isGenerateExisting + isGenerateExisting := rule.Generation.GenerateExisting + if isGenerateExisting != nil && *isGenerateExisting { + return true } } } - if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate { - return true - } return s.GenerateExisting } 
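Review bot: The Forbidden message on the new line points at a field path that does not exist: the rule-level field is `spec.rules[*].generate.generateExisting` (which is how the test policies added in this patch set it), not `spec.generate[*].generateExisting`, so a user who follows the message literally gets a second validation error. Suggest `"remove the deprecated field and use spec.rules[*].generate.generateExisting instead"`. The v2beta1 copy in the next hunk carries the same string and should change together with it.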
@@ -300,15 +297,8 @@ func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead")) } - for _, rule := range s.Rules { - if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil { - if s.GenerateExistingOnPolicyUpdate != nil { - errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - if s.GenerateExisting { - errs = append(errs, field.Forbidden(path.Child("generateExisting"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - } + if s.GenerateExistingOnPolicyUpdate != nil { + errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) } return errs } diff --git a/pkg/background/generate/generate.go b/pkg/background/generate/generate.go index a7d669c7e9..408f532fed 100644 --- a/pkg/background/generate/generate.go +++ b/pkg/background/generate/generate.go @@ -95,7 +95,7 @@ func NewGenerateController( } func (c *GenerateController) ProcessUR(ur *kyvernov2.UpdateRequest) error { - logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "resource", ur.Spec.GetResource().String()) + logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "rule", ur.Spec.GetRuleName(), "resource", ur.Spec.GetResource().String()) var err error var genResources []kyvernov1.ResourceSpec logger.Info("start processing UR", "ur", ur.Name, "resourceVersion", ur.GetResourceVersion()) 
@@ -198,7 +198,7 @@ func (c *GenerateController) getTriggerForCreateOperation(spec kyvernov2.UpdateR } func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, ur kyvernov2.UpdateRequest, namespaceLabels map[string]string) ([]kyvernov1.ResourceSpec, error) { - logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "resource", ur.Spec.GetResource().String()) + logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "rule", ur.Spec.GetRuleName(), "resource", ur.Spec.GetResource().String()) logger.V(3).Info("applying generate policy rule") policy, err := c.getPolicySpec(ur) @@ -237,6 +237,10 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u var applicableRules []string // Removing UR if rule is failed. Used when the generate condition failed but ur exist for _, r := range engineResponse.PolicyResponse.Rules { + if r.Name() != ur.Spec.GetRuleName() { + continue + } + if r.Status() != engineapi.RuleStatusPass { logger.V(4).Info("querying all update requests") selector := labels.SelectorFromSet(labels.Set(map[string]string{ diff --git a/pkg/policy/generate.go b/pkg/policy/generate.go index 692d7097e4..9ba2d61644 100644 --- a/pkg/policy/generate.go +++ b/pkg/policy/generate.go 
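Review bot: The new `continue` skips every rule when `ur.Spec.GetRuleName()` is empty, which is what an UpdateRequest created before the rule name was populated (or by any path that does not set it) would look like; for such a request neither the failed-rule cleanup below nor the `applicableRules` bookkeeping is reached, so it is left in place without any log line. Unless an empty rule name is ruled out elsewhere, keep the previous all-rules behavior as the fallback: `if ruleName := ur.Spec.GetRuleName(); ruleName != "" && r.Name() != ruleName { continue }`. The loop body continues past the end of the hunk.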
@@ -41,10 +41,22 @@ func (pc *policyController) handleGenerateForExisting(policy kyvernov1.PolicyInt var errors []error var triggers []*unstructured.Unstructured ruleType := kyvernov2.Generate + spec := policy.GetSpec() policyNew := policy.CreateDeepCopy() policyNew.GetSpec().Rules = nil - for _, rule := range policy.GetSpec().Rules { + for _, rule := range spec.Rules { + // check if the rule sets the generateExisting field. + // if not, use the policy level setting + generateExisting := rule.Generation.GenerateExisting + if generateExisting != nil { + if !*generateExisting { + continue + } + } else if !spec.GenerateExisting { + continue + } + triggers = getTriggers(pc.client, rule, policy.IsNamespaced(), policy.GetNamespace(), pc.log) policyNew.GetSpec().SetRules([]kyvernov1.Rule{rule}) for _, trigger := range triggers { diff --git a/pkg/utils/fuzz/policy_spec.go b/pkg/utils/fuzz/policy_spec.go index 24d175e1c0..f39fed8c07 100644 --- a/pkg/utils/fuzz/policy_spec.go +++ b/pkg/utils/fuzz/policy_spec.go @@ -96,12 +96,6 @@ func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error) { } spec.MutateExistingOnPolicyUpdate = mutateExistingOnPolicyUpdate - generateExistingOnPolicyUpdate, err := ff.GetBool() - if err != nil { - return *spec, err - } - spec.GenerateExistingOnPolicyUpdate = &generateExistingOnPolicyUpdate - generateExisting, err := ff.GetBool() if err != nil { return *spec, err diff --git a/test/cli/test-generate/sync-multiple-resources/policy.yaml b/test/cli/test-generate/sync-multiple-resources/policy.yaml index 989217f234..5b98527800 100644 --- a/test/cli/test-generate/sync-multiple-resources/policy.yaml +++ b/test/cli/test-generate/sync-multiple-resources/policy.yaml @@ -10,7 +10,7 @@ metadata: Sync Secret and Configmap from kube-system namespace spec: failurePolicy: Ignore - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - name: sync-controller-secret match: 
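Review bot: The new generateExisting filter runs over every rule in `spec.Rules`, so in a mixed policy with `spec.generateExisting: true` a validate or mutate rule, whose `rule.Generation` is the zero value, falls through to `getTriggers` exactly as before the patch; now that the loop has a per-rule filter anyway, restricting it to generate rules is one line before the generateExisting block: `if !rule.HasGenerate() { continue }`. This assumes the caller does not already pre-filter, which is not visible from the hunk. The `*generateExisting` dereference is correctly nil-guarded. handleGenerateForExisting's body continues outside the hunk.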
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md new file mode 100644 index 0000000000..7cbbb97453 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md @@ -0,0 +1,17 @@ +## Description + +This test ensures that a generate policy works as expected in case one rule sets the `generateExisting` field whereas the other don't set it. It is expected that rules which don't set the field will use the higher level value `spec.generateExisting`. + +## Expected Behavior + +1. Create two Namespaces named `red-ns` and `green-ns`. + +2. Create a policy with two generate rules: + - The first rule named `generate-network-policy` matches Namespaces sets the `generateExisting` to `true`. + - The second rule named `generate-config-map` matches Namespaces and it doesn't set the field. It is expected that the rule will use the `spec.generateExisting` value which is `false`. + +3. It is expected that a NetworkPolicy will be generated for each Namespace whereas ConfigMaps will not be generated. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml new file mode 100755 index 0000000000..125d03a474 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml 
@@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: different-configurations-for-generate-existing +spec: + steps: + - name: step-01 + try: + - apply: + file: existing-resources.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - sleep: + duration: 3s + - name: step-04 + try: + - assert: + file: generated-resources.yaml + - error: + file: fail-generated-resources.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml new file mode 100644 index 0000000000..ab3740d2bd --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: red-ns + labels: + color: red +--- +apiVersion: v1 +kind: Namespace +metadata: + name: green-ns + labels: + color: green diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml new file mode 100644 index 0000000000..96b86fb5dc --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml 
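Review bot: The negative check in step-04 (`error: fail-generated-resources.yaml`) is only as strong as the fixed `sleep: 3s` in step-03: on a slow node the `generate-config-map` UpdateRequest may still be queued when the step runs, so the ConfigMap's absence is observed even if the rule wrongly fires and the test passes for the wrong reason. The preceding `assert` only proves the NetworkPolicy rule's requests were processed, not the ConfigMap rule's. Waiting until no UpdateRequest for this policy remains pending would make the negative check deterministic; failing that, a comment on the sleep explaining the race (`# give the background controller time to process the ConfigMap rule's UpdateRequests before the negative check`) would at least tell the next maintainer why the delay is there.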
@@ -0,0 +1,21 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: red-ns +--- +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: green-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml new file mode 100644 index 0000000000..f61700ca9f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml @@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: red-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: green-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml new file mode 100644 index 0000000000..8017a12787 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml new file mode 100644 index 0000000000..a2b525e907 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml @@ -0,0 +1,49 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values +spec: + generateExisting: false + rules: + - name: generate-network-policy + match: + any: + - resources: + kinds: + - Namespace + generate: + generateExisting: true + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: default-deny + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + labels: + created-by: kyverno + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + - name: generate-config-map + match: + any: + - resources: + kinds: + - Namespace + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md new file mode 100644 index 0000000000..f183346bb5 --- /dev/null 
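Review bot: This test's ClusterPolicy is named `different-generate-existing-values` (in policy.yaml and policy-ready.yaml) although it lives in `different-configurations-for-generate-existing`, and the sibling test added later in this patch creates a ClusterPolicy with the same name plus the same `red-ns`/`green-ns` namespaces. All of these are cluster-scoped, so if chainsaw runs the two tests concurrently or one leaks resources on failure, the second `apply` updates the other test's policy and the generated-resource assertions observe the wrong rule set. Rename this policy to match its directory, e.g. `name: different-configurations-for-generate-existing`, and give the two namespaces test-specific names.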
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md @@ -0,0 +1,17 @@ +## Description + +This test ensures that a generate policy works as expected in case the rules have a different value for the `generateExisting` field. + +## Expected Behavior + +1. Create two Namespaces named `red-ns` and `green-ns`. + +2. Create a policy with two generate rules: + - The first rule named `generate-network-policy` matches Namespaces sets the `generateExisting` to `true`. + - The second rule named `generate-config-map` matches Namespaces sets the `generateExisting` to `false`. + +3. It is expected that a NetworkPolicy will be generated for each Namespace whereas ConfigMaps will not be generated. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml new file mode 100755 index 0000000000..231349992e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml @@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: different-generate-existing-values +spec: + steps: + - name: step-01 + try: + - apply: + file: existing-resources.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - sleep: + duration: 3s + - name: step-04 + try: + - assert: + file: generated-resources.yaml + - error: + file: fail-generated-resources.yaml 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml new file mode 100644 index 0000000000..ab3740d2bd --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: red-ns + labels: + color: red +--- +apiVersion: v1 +kind: Namespace +metadata: + name: green-ns + labels: + color: green diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml new file mode 100644 index 0000000000..96b86fb5dc --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: red-ns +--- +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: green-ns 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml new file mode 100644 index 0000000000..f61700ca9f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml @@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: red-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: green-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml new file mode 100644 index 0000000000..8017a12787 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml new file mode 100644 index 0000000000..302c9f5712 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml 
@@ -0,0 +1,49 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values +spec: + rules: + - name: generate-network-policy + match: + any: + - resources: + kinds: + - Namespace + generate: + generateExisting: true + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: default-deny + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + labels: + created-by: kyverno + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + - name: generate-config-map + match: + any: + - resources: + kinds: + - Namespace + generate: + generateExisting: false + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml index 10821ad2a7..3a1e456670 100644 --- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: target-namespace-scope-pass-1 spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: iam.aws.crossplane.io/v1beta1 
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml index 8908257a95..295eaa21bd 100644 --- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: user-per-namespace-pass-2 spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: rbac.authorization.k8s.io/v1 diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml index bd8c77fe62..3d2ac19a25 100644 --- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: target-namespace-scope-pass-1 spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: iam.aws.crossplane.io/v1beta1 diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md new file mode 100644 index 0000000000..4666824960 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md 
@@ -0,0 +1,7 @@ +## Description + +This test ensures that the creation of a generate policy that makes use of `spec.generateExistingOnPolicyUpdate` is blocked since it is a deprecated field. + +## Expected Behavior + +The test passes if the policy creation is blocked, otherwise fails. diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml new file mode 100755 index 0000000000..b160f2e70b --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml @@ -0,0 +1,14 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: use-generate-existing-on-policy-update +spec: + steps: + - name: step-01 + try: + - apply: + expect: + - check: + ($error != null): true + file: policy.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml new file mode 100644 index 0000000000..8969b27855 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-policy +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: generate-rule + match: + any: + - resources: + kinds: + - Namespace + selector: + matchLabels: + color: blue + generate: + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: default-deny + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + labels: + created-by: kyverno + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file 
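Review bot: `($error != null): true` in step-01 accepts any apply failure, so the test also passes on an unrelated rejection (webhook not yet ready, a schema error in the manifest) and would not notice if the deprecated-field check were dropped. If `$error` carries the message string as in other chainsaw tests, match it instead: `(contains($error, 'generateExistingOnPolicyUpdate')): true`, which ties the pass to the Forbidden error this patch emits. The namespaced-Policy variant of this test uses the same check.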
diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml index 2291bdd1aa..116b459c8e 100644 --- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml @@ -5,7 +5,7 @@ metadata: name: pol-target-namespace-scope-fail-1 namespace: default spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: iam.aws.crossplane.io/v1beta1 diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml index 81d76143de..e68fe76496 100644 --- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml @@ -5,7 +5,7 @@ metadata: name: pol-target-namespace-scope-fail-2 namespace: default spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: rbac.authorization.k8s.io/v1 diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml index 41c369ce2d..f09121c55a 100644 --- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml @@ -5,7 +5,7 @@ metadata: name: pol-target-namespace-scope-fail-3 namespace: default spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: rbac.authorization.k8s.io/v1 
diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml index ec0d97e11c..3ed90d8922 100644 --- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml @@ -4,7 +4,7 @@ metadata: name: user-per-namespace-pass namespace: default spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: rbac.authorization.k8s.io/v1 diff --git a/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md new file mode 100644 index 0000000000..4666824960 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures that the creation of a generate policy that makes use of `spec.generateExistingOnPolicyUpdate` is blocked since it is a deprecated field. + +## Expected Behavior + +The test passes if the policy creation is blocked, otherwise fails. diff --git a/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml new file mode 100755 index 0000000000..b160f2e70b --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml 
@@ -0,0 +1,14 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: use-generate-existing-on-policy-update +spec: + steps: + - name: step-01 + try: + - apply: + expect: + - check: + ($error != null): true + file: policy.yaml diff --git a/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml new file mode 100644 index 0000000000..a2e909e980 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml @@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: generate-policy + namespace: default +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: generate-rule + match: + any: + - resources: + kinds: + - Namespace + selector: + matchLabels: + color: blue + generate: + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: default-deny + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + labels: + created-by: kyverno + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file
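Review bot: Besides `($error != null): true` accepting any failure, this namespaced Policy appears to have a second reason to be rejected: it generates into `{{request.object.metadata.name}}` rather than its own `default` namespace, which the `validation/policy/target-namespace-scope/policy-fail-*` tests touched in this patch suggest is itself a validation error. The test therefore cannot tell the deprecated-field rejection apart from the target-namespace one. Either make the rule valid apart from `generateExistingOnPolicyUpdate` (generate into `default` and match a namespaced kind) or assert on the message: `(contains($error, 'generateExistingOnPolicyUpdate')): true`.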