From 635f160ae0e5ac2e122d1e42bc39174676b4417a Mon Sep 17 00:00:00 2001 From: shuting Date: Wed, 31 Jan 2024 19:50:38 +0800 Subject: [PATCH] feat (generate): add `orphanDownstreamOnPolicyDelete` to preserve downstream on policy deletion (#9579) * add chainsaw tests Signed-off-by: ShutingZhao * add .orphanDownstreamOnPolicyDelete Signed-off-by: ShutingZhao * update codegen Signed-off-by: ShutingZhao * update docs Signed-off-by: ShutingZhao --------- 
Signed-off-by: ShutingZhao --- api/kyverno/v1/common_types.go | 15 +++-- api/kyverno/v1/rule_types.go | 4 +- api/kyverno/v2beta1/rule_types.go | 4 +- .../charts/crds/templates/kyverno.yaml | 64 +++++++++++++++++++ .../data/crds/kyverno.io_clusterpolicies.yaml | 32 ++++++++++ .../data/crds/kyverno.io_policies.yaml | 32 ++++++++++ .../kyverno/kyverno.io_clusterpolicies.yaml | 32 ++++++++++ config/crds/kyverno/kyverno.io_policies.yaml | 32 ++++++++++ config/install-latest-testing.yaml | 64 +++++++++++++++++++ docs/user/crd/index.html | 15 +++++ .../kyverno/v1/generation.go | 9 +++ pkg/policy/generate.go | 4 +- .../README.md | 11 ++++ .../chainsaw-step-01-apply-1-1.yaml | 36 +++++++++++ .../chainsaw-step-01-assert-1-1.yaml | 9 +++ .../chainsaw-step-02-apply-1-1.yaml | 4 ++ .../chainsaw-step-02-assert-1-1.yaml | 10 +++ .../chainsaw-step-04-error-1-1.yaml | 5 ++ .../chainsaw-test.yaml | 28 ++++++++ 19 files changed, 400 insertions(+), 10 deletions(-) create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/README.md create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml create mode 100755 
test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 2dfb8bca38..7af2396a21 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -626,6 +626,13 @@ type Generation struct { // +optional Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"` + // OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + // them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + // See https://kyverno.io/docs/writing-policies/generate/#data-examples. + // Defaults to "false" if not specified. + // +optional + OrphanDownstreamOnPolicyDelete bool `json:"orphanDownstreamOnPolicyDelete,omitempty" yaml:"orphanDownstreamOnPolicyDelete,omitempty"` + // Data provides the resource declaration used to populate each generated resource. // At most one of Data or Clone must be specified. If neither are provided, the generated // resource will be created with default data only. @@ -675,7 +682,7 @@ func (g *Generation) Validate(path *field.Path, namespaced bool, policyNamespace } } - generateType, _ := g.GetTypeAndSync() + generateType, _, _ := g.GetTypeAndSyncAndOrphanDownstream() if generateType == Data { return errs } @@ -776,11 +783,11 @@ const ( Clone GenerateType = "Clone" ) -func (g *Generation) GetTypeAndSync() (GenerateType, bool) { +func (g *Generation) GetTypeAndSyncAndOrphanDownstream() (GenerateType, bool, bool) { if g.RawData != nil { - return Data, g.Synchronize + return Data, g.Synchronize, g.OrphanDownstreamOnPolicyDelete } - return Clone, g.Synchronize + return Clone, g.Synchronize, g.OrphanDownstreamOnPolicyDelete } // CloneFrom provides the location of the source resource used to generate target resources. 
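Review bot: The new doc comment on `OrphanDownstreamOnPolicyDelete` says the field "controls whether generated resources should be deleted" but never states which value does what, and the CRD descriptions generated from it repeat the same ambiguity. From the gating in `pkg/policy/generate.go` the semantics are that `true` leaves generated resources in the cluster after the rule is gone, which matters when the generated objects are themselves security controls (NetworkPolicies, RoleBindings, quotas) and an administrator reading `kubectl explain` needs to know the default is to delete. Suggest rewording the first lines as `// OrphanDownstreamOnPolicyDelete controls whether generated resources are preserved when the rule that generated them` / `// is deleted with synchronization enabled. When true, downstream resources are kept (orphaned); when false (the default)` / `// they are deleted along with the rule. Only applicable to generate rules of the data type.`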
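Review bot: `Validate` now discards the orphan flag (`generateType, _, _ := ...`) and returns early for data rules, so nothing rejects `orphanDownstreamOnPolicyDelete: true` on a clone rule even though the field's own comment says the option is only applicable to the data type; such a rule is admitted and the flag is silently ignored at deletion time, since the deletion path also requires `generateType == kyvernov1.Data`. Surfacing the misconfiguration at admission is a one-statement addition ahead of the early return: `if generateType != Data && g.OrphanDownstreamOnPolicyDelete { errs = append(errs, field.Forbidden(path.Child("orphanDownstreamOnPolicyDelete"), "only applicable to generate rules of the data type")) }`. The rest of `Validate` is outside the hunk; `errs` is taken from the visible return.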
diff --git a/api/kyverno/v1/rule_types.go b/api/kyverno/v1/rule_types.go index b8bfdc3a2f..c61736cde2 100644 --- a/api/kyverno/v1/rule_types.go +++ b/api/kyverno/v1/rule_types.go @@ -174,11 +174,11 @@ func (r *Rule) IsPodSecurity() bool { return r.Validation.PodSecurity != nil } -func (r *Rule) GetGenerateTypeAndSync() (_ GenerateType, sync bool) { +func (r *Rule) GetTypeAndSyncAndOrphanDownstream() (_ GenerateType, sync bool, orphanDownstream bool) { if !r.HasGenerate() { return } - return r.Generation.GetTypeAndSync() + return r.Generation.GetTypeAndSyncAndOrphanDownstream() } func (r *Rule) GetAnyAllConditions() apiextensions.JSON { diff --git a/api/kyverno/v2beta1/rule_types.go b/api/kyverno/v2beta1/rule_types.go index 903641dd62..5793b622b7 100644 --- a/api/kyverno/v2beta1/rule_types.go +++ b/api/kyverno/v2beta1/rule_types.go @@ -137,11 +137,11 @@ func (r *Rule) HasGenerate() bool { return !datautils.DeepEqual(r.Generation, kyvernov1.Generation{}) } -func (r *Rule) GetGenerateTypeAndSync() (_ kyvernov1.GenerateType, sync bool) { +func (r *Rule) GetGenerateTypeAndSync() (_ kyvernov1.GenerateType, sync bool, orphanDownstream bool) { if !r.HasGenerate() { return } - return r.Generation.GetTypeAndSync() + return r.Generation.GetTypeAndSyncAndOrphanDownstream() } // ValidateRuleType checks only one type of rule is defined per rule diff --git a/charts/kyverno/charts/crds/templates/kyverno.yaml b/charts/kyverno/charts/crds/templates/kyverno.yaml index 227c4f3a1c..b3d7b155d5 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.yaml 
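Review bot: The two `Rule` types end up with different names for the same accessor: v1 renames it to `GetTypeAndSyncAndOrphanDownstream` while v2beta1 keeps `GetGenerateTypeAndSync` but widens its return to three values, so existing callers of either name break and the two API versions drift apart for no reason. Pick one name for both packages (the v1 name already matches `Generation.GetTypeAndSyncAndOrphanDownstream` in `api/kyverno/v1/common_types.go`), or keep the old two-value method in both as a thin wrapper so out-of-tree consumers of the API module, if any, keep compiling. Both changed methods are complete within their hunks.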
@@ -11067,6 +11067,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -15520,6 +15528,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. @@ -19949,6 +19965,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If 
@@ -24342,6 +24366,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. @@ -29011,6 +29043,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -33465,6 +33505,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. 
@@ -37895,6 +37943,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -42288,6 +42344,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index ccda23a704..8211d5224a 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml 
@@ -1115,6 +1115,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -5568,6 +5576,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. @@ -9997,6 +10013,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If 
@@ -14390,6 +14414,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 7e7b7527a2..10bc7926d4 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -1116,6 +1116,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If 
@@ -5570,6 +5578,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. @@ -10000,6 +10016,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -14393,6 +14417,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. 
diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index ccda23a704..8211d5224a 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -1115,6 +1115,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -5568,6 +5576,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. 
@@ -9997,6 +10013,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -14390,6 +14414,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 7e7b7527a2..10bc7926d4 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml 
@@ -1116,6 +1116,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -5570,6 +5578,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. @@ -10000,6 +10016,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If 
@@ -14393,6 +14417,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index c7af852d77..29d7e60390 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -11285,6 +11285,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If 
@@ -15738,6 +15746,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. @@ -20167,6 +20183,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -24560,6 +24584,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. 
@@ -29231,6 +29263,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If @@ -33685,6 +33725,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. @@ -38115,6 +38163,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls whether + generated resources should be deleted when the rule that + generated them is deleted with synchronization enabled. + This option is only applicable to generate rules of the + data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. If 
@@ -42508,6 +42564,14 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + orphanDownstreamOnPolicyDelete: + description: OrphanDownstreamOnPolicyDelete controls + whether generated resources should be deleted when + the rule that generated them is deleted with synchronization + enabled. This option is only applicable to generate + rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean synchronize: description: Synchronize controls if generated resources should be kept in-sync with their source resource. diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 598ab84a27..b2f0dc2fa4 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -1895,6 +1895,21 @@ Optional. Defaults to “false” if not specified.

+orphanDownstreamOnPolicyDelete
+ +bool + + + +(Optional) +

OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated +them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. +See https://kyverno.io/docs/writing-policies/generate/#data-examples. +Defaults to “false” if not specified.

+ + + + data
diff --git a/pkg/client/applyconfigurations/kyverno/v1/generation.go b/pkg/client/applyconfigurations/kyverno/v1/generation.go index 6da532f2a9..27d5e543a8 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/generation.go +++ b/pkg/client/applyconfigurations/kyverno/v1/generation.go @@ -28,6 +28,7 @@ import ( type GenerationApplyConfiguration struct { *ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"` Synchronize *bool `json:"synchronize,omitempty"` + OrphanDownstreamOnPolicyDelete *bool `json:"orphanDownstreamOnPolicyDelete,omitempty"` RawData *apiextensionsv1.JSON `json:"data,omitempty"` Clone *CloneFromApplyConfiguration `json:"clone,omitempty"` CloneList *CloneListApplyConfiguration `json:"cloneList,omitempty"` @@ -98,6 +99,14 @@ func (b *GenerationApplyConfiguration) WithSynchronize(value bool) *GenerationAp return b } +// WithOrphanDownstreamOnPolicyDelete sets the OrphanDownstreamOnPolicyDelete field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the OrphanDownstreamOnPolicyDelete field is set to the value of the last call. +func (b *GenerationApplyConfiguration) WithOrphanDownstreamOnPolicyDelete(value bool) *GenerationApplyConfiguration { + b.OrphanDownstreamOnPolicyDelete = &value + return b +} + // WithRawData sets the RawData field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the RawData field is set to the value of the last call. diff --git a/pkg/policy/generate.go b/pkg/policy/generate.go index f0a107c5f0..7bd7ca2fda 100644 --- a/pkg/policy/generate.go +++ b/pkg/policy/generate.go 
@@ -66,8 +66,8 @@ func (pc *policyController) createURForDownstreamDeletion(policy kyvernov1.Polic var errs []error rules := autogen.ComputeRules(policy) for _, r := range rules { - generateType, sync := r.GetGenerateTypeAndSync() - if sync && (generateType == kyvernov1.Data) { + generateType, sync, orphanDownstreamOnPolicyDelete := r.GetTypeAndSyncAndOrphanDownstream() + if sync && (generateType == kyvernov1.Data) && !orphanDownstreamOnPolicyDelete { if err := pc.syncDataPolicyChanges(policy, true); err != nil { errs = append(errs, err) } diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/README.md new file mode 100644 index 0000000000..fe942eb018 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/README.md @@ -0,0 +1,11 @@ +## Description + +This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled, orphanDownstreamOnPolicyDelete preserves the downstream ConfigMap. + +## Expected Behavior + +If the generated configmap is retained, the test passes. If it is not, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/9578 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 0000000000..eef03ad0c1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml 
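Review bot: The orphan flag is evaluated per rule, but the action it gates, `pc.syncDataPolicyChanges(policy, true)`, is invoked with the whole policy, so in a policy that mixes a data rule with `orphanDownstreamOnPolicyDelete: true` and one without it, the second rule's iteration still triggers the policy-wide downstream deletion and the first rule's resources are presumably removed too (the body of `syncDataPolicyChanges` is outside the hunk, so this is inferred from the call shape). If that is the case, the flag needs to be honored inside the deletion path per rule, or the loop should pass the rule down rather than the policy. Skipping the deletion also deserves a debug-level log entry naming the policy and rule, since generated resources outliving the policy that created them is exactly the event an operator auditing the cluster later needs to be able to trace. `createURForDownstreamDeletion` continues outside the hunk.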
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy
+spec:
+ generateExisting: false
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ orphanDownstreamOnPolicyDelete: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: cpol-data-sync-delete-rule
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 0000000000..d2ac636871
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml
new file mode 100755
index 0000000000..65e71f6cdc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml
new file mode 100644
index 0000000000..e6733a490e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: cpol-data-sync-orphan-downstream-delete-policy-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml
new file mode 100755
index 0000000000..9dcf695191
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: cpol-data-sync-delete-policy-ns
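Review bot: The `error` fixture chainsaw-step-04-error-1-1.yaml names namespace `cpol-data-sync-delete-policy-ns`, which is not the namespace this test creates in chainsaw-step-02-apply-1-1.yaml (`cpol-data-sync-orphan-downstream-delete-policy-ns`), and the test definition in chainsaw-test.yaml never references a step-04 file. As written the file is dead, and if it were wired into the test it would pass vacuously because no ConfigMap ever exists in the namespace it names. It looks like a leftover from the non-orphan delete-policy test this one was presumably copied from; either drop the file or, if a negative check is intended, point it at the real namespace, `namespace: cpol-data-sync-orphan-downstream-delete-policy-ns`, and reference it from the test.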
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml
new file mode 100755
index 0000000000..33ac3d2451
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml
@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-delete-policy
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
+ - name: step-03
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: cpol-data-sync-orphan-downstream-delete-policy
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
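Review bot: Step-03 asserts the ConfigMap immediately after deleting the ClusterPolicy with nothing in between, so the assert can succeed before the controller has processed the deletion at all, which does not establish that the downstream was retained (the README's stated pass condition). Give the controller time to act before the final assert, for example a `sleep` operation if the chainsaw version in use supports it, or first assert that the ClusterPolicy is gone and only then check the ConfigMap. `name: cpol-data-sync-delete-policy` in metadata also drops `orphan-downstream`, unlike the directory and policy names, and presumably collides with the sibling delete-policy test's name; `name: cpol-data-sync-orphan-downstream-delete-policy` would keep the two distinct in reports.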