diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go
index 2dfb8bca38..7af2396a21 100644
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@@ -626,6 +626,13 @@ type Generation struct {
// +optional
Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
+ // OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+ // them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+ // See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ // Defaults to "false" if not specified.
+ // +optional
+ OrphanDownstreamOnPolicyDelete bool `json:"orphanDownstreamOnPolicyDelete,omitempty" yaml:"orphanDownstreamOnPolicyDelete,omitempty"`
+
// Data provides the resource declaration used to populate each generated resource.
// At most one of Data or Clone must be specified. If neither are provided, the generated
// resource will be created with default data only.
@@ -675,7 +682,7 @@ func (g *Generation) Validate(path *field.Path, namespaced bool, policyNamespace
}
}
- generateType, _ := g.GetTypeAndSync()
+ generateType, _, _ := g.GetTypeAndSyncAndOrphanDownstream()
if generateType == Data {
return errs
}
@@ -776,11 +783,11 @@ const (
Clone GenerateType = "Clone"
)
-func (g *Generation) GetTypeAndSync() (GenerateType, bool) {
+func (g *Generation) GetTypeAndSyncAndOrphanDownstream() (GenerateType, bool, bool) {
if g.RawData != nil {
- return Data, g.Synchronize
+ return Data, g.Synchronize, g.OrphanDownstreamOnPolicyDelete
}
- return Clone, g.Synchronize
+ return Clone, g.Synchronize, g.OrphanDownstreamOnPolicyDelete
}
// CloneFrom provides the location of the source resource used to generate target resources.
diff --git a/api/kyverno/v1/rule_types.go b/api/kyverno/v1/rule_types.go
index b8bfdc3a2f..c61736cde2 100644
--- a/api/kyverno/v1/rule_types.go
+++ b/api/kyverno/v1/rule_types.go
@@ -174,11 +174,11 @@ func (r *Rule) IsPodSecurity() bool {
return r.Validation.PodSecurity != nil
}
-func (r *Rule) GetGenerateTypeAndSync() (_ GenerateType, sync bool) {
+func (r *Rule) GetTypeAndSyncAndOrphanDownstream() (_ GenerateType, sync bool, orphanDownstream bool) {
if !r.HasGenerate() {
return
}
- return r.Generation.GetTypeAndSync()
+ return r.Generation.GetTypeAndSyncAndOrphanDownstream()
}
func (r *Rule) GetAnyAllConditions() apiextensions.JSON {
diff --git a/api/kyverno/v2beta1/rule_types.go b/api/kyverno/v2beta1/rule_types.go
index 903641dd62..5793b622b7 100644
--- a/api/kyverno/v2beta1/rule_types.go
+++ b/api/kyverno/v2beta1/rule_types.go
@@ -137,11 +137,11 @@ func (r *Rule) HasGenerate() bool {
return !datautils.DeepEqual(r.Generation, kyvernov1.Generation{})
}
-func (r *Rule) GetGenerateTypeAndSync() (_ kyvernov1.GenerateType, sync bool) {
+func (r *Rule) GetGenerateTypeAndSync() (_ kyvernov1.GenerateType, sync bool, orphanDownstream bool) {
if !r.HasGenerate() {
return
}
- return r.Generation.GetTypeAndSync()
+ return r.Generation.GetTypeAndSyncAndOrphanDownstream()
}
// ValidateRuleType checks only one type of rule is defined per rule
diff --git a/charts/kyverno/charts/crds/templates/kyverno.yaml b/charts/kyverno/charts/crds/templates/kyverno.yaml
index 227c4f3a1c..b3d7b155d5 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.yaml
@@ -11067,6 +11067,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -15520,6 +15528,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -19949,6 +19965,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -24342,6 +24366,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -29011,6 +29043,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -33465,6 +33505,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -37895,6 +37943,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -42288,6 +42344,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
index ccda23a704..8211d5224a 100644
--- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
@@ -1115,6 +1115,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -5568,6 +5576,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -9997,6 +10013,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -14390,6 +14414,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
index 7e7b7527a2..10bc7926d4 100644
--- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
@@ -1116,6 +1116,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -5570,6 +5578,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -10000,6 +10016,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -14393,6 +14417,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
index ccda23a704..8211d5224a 100644
--- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
+++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
@@ -1115,6 +1115,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -5568,6 +5576,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -9997,6 +10013,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -14390,6 +14414,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml
index 7e7b7527a2..10bc7926d4 100644
--- a/config/crds/kyverno/kyverno.io_policies.yaml
+++ b/config/crds/kyverno/kyverno.io_policies.yaml
@@ -1116,6 +1116,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -5570,6 +5578,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -10000,6 +10016,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -14393,6 +14417,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
index c7af852d77..29d7e60390 100644
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@@ -11285,6 +11285,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -15738,6 +15746,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -20167,6 +20183,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -24560,6 +24584,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -29231,6 +29263,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -33685,6 +33725,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
@@ -38115,6 +38163,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls whether
+ generated resources should be deleted when the rule that
+ generated them is deleted with synchronization enabled.
+ This option is only applicable to generate rules of the
+ data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If
@@ -42508,6 +42564,14 @@ spec:
namespace:
description: Namespace specifies resource namespace.
type: string
+ orphanDownstreamOnPolicyDelete:
+ description: OrphanDownstreamOnPolicyDelete controls
+ whether generated resources should be deleted when
+ the rule that generated them is deleted with synchronization
+ enabled. This option is only applicable to generate
+ rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+ Defaults to "false" if not specified.
+ type: boolean
synchronize:
description: Synchronize controls if generated resources
should be kept in-sync with their source resource.
diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html
index 598ab84a27..b2f0dc2fa4 100644
--- a/docs/user/crd/index.html
+++ b/docs/user/crd/index.html
@@ -1895,6 +1895,21 @@ Optional. Defaults to “false” if not specified.
+orphanDownstreamOnPolicyDelete
+
+bool
+
+ |
+
+(Optional)
+ OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
+them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
+See https://kyverno.io/docs/writing-policies/generate/#data-examples.
+Defaults to “false” if not specified.
+ |
+
+
+
data
diff --git a/pkg/client/applyconfigurations/kyverno/v1/generation.go b/pkg/client/applyconfigurations/kyverno/v1/generation.go
index 6da532f2a9..27d5e543a8 100644
--- a/pkg/client/applyconfigurations/kyverno/v1/generation.go
+++ b/pkg/client/applyconfigurations/kyverno/v1/generation.go
@@ -28,6 +28,7 @@ import (
type GenerationApplyConfiguration struct {
*ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"`
Synchronize *bool `json:"synchronize,omitempty"`
+ OrphanDownstreamOnPolicyDelete *bool `json:"orphanDownstreamOnPolicyDelete,omitempty"`
RawData *apiextensionsv1.JSON `json:"data,omitempty"`
Clone *CloneFromApplyConfiguration `json:"clone,omitempty"`
CloneList *CloneListApplyConfiguration `json:"cloneList,omitempty"`
@@ -98,6 +99,14 @@ func (b *GenerationApplyConfiguration) WithSynchronize(value bool) *GenerationAp
return b
}
+// WithOrphanDownstreamOnPolicyDelete sets the OrphanDownstreamOnPolicyDelete field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the OrphanDownstreamOnPolicyDelete field is set to the value of the last call.
+func (b *GenerationApplyConfiguration) WithOrphanDownstreamOnPolicyDelete(value bool) *GenerationApplyConfiguration {
+ b.OrphanDownstreamOnPolicyDelete = &value
+ return b
+}
+
// WithRawData sets the RawData field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the RawData field is set to the value of the last call.
diff --git a/pkg/policy/generate.go b/pkg/policy/generate.go
index f0a107c5f0..7bd7ca2fda 100644
--- a/pkg/policy/generate.go
+++ b/pkg/policy/generate.go
@@ -66,8 +66,8 @@ func (pc *policyController) createURForDownstreamDeletion(policy kyvernov1.Polic
var errs []error
rules := autogen.ComputeRules(policy)
for _, r := range rules {
- generateType, sync := r.GetGenerateTypeAndSync()
- if sync && (generateType == kyvernov1.Data) {
+ generateType, sync, orphanDownstreamOnPolicyDelete := r.GetTypeAndSyncAndOrphanDownstream()
+ if sync && (generateType == kyvernov1.Data) && !orphanDownstreamOnPolicyDelete {
if err := pc.syncDataPolicyChanges(policy, true); err != nil {
errs = append(errs, err)
}
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/README.md
new file mode 100644
index 0000000000..fe942eb018
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled, orphanDownstreamOnPolicyDelete preserves the downstream ConfigMap.
+
+## Expected Behavior
+
+If the generated configmap is retained, the test passes. If it is not, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/9578
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 0000000000..eef03ad0c1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy
+spec:
+ generateExisting: false
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ orphanDownstreamOnPolicyDelete: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: cpol-data-sync-delete-rule
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 0000000000..d2ac636871
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml
new file mode 100755
index 0000000000..65e71f6cdc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml
new file mode 100644
index 0000000000..e6733a490e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: cpol-data-sync-orphan-downstream-delete-policy-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml
new file mode 100755
index 0000000000..9dcf695191
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: cpol-data-sync-delete-policy-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml
new file mode 100755
index 0000000000..33ac3d2451
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml
@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-delete-policy
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
+ - name: step-03
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: cpol-data-sync-orphan-downstream-delete-policy
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
|