mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-30 19:35:06 +00:00
Code Activity

feat (generate): add orphanDownstreamOnPolicyDelete to preserve downstream on policy deletion (#9579)

Browse source 
* add chainsaw tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add .orphanDownstreamOnPolicyDelete

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update codegen

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update docs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2024-01-31 19:50:38 +08:00 committed by GitHub
parent 4fd435919f
commit 635f160ae0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 400 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
api/kyverno/v1/common_types.go
View file

@ -626,6 +626,13 @@ type Generation struct {
// +optional // +optional
Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"` Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
// OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
// them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
// See https://kyverno.io/docs/writing-policies/generate/#data-examples.
// Defaults to "false" if not specified.
// +optional
OrphanDownstreamOnPolicyDelete bool `json:"orphanDownstreamOnPolicyDelete,omitempty" yaml:"orphanDownstreamOnPolicyDelete,omitempty"`
// Data provides the resource declaration used to populate each generated resource. // Data provides the resource declaration used to populate each generated resource.
// At most one of Data or Clone must be specified. If neither are provided, the generated // At most one of Data or Clone must be specified. If neither are provided, the generated
// resource will be created with default data only. // resource will be created with default data only.
@ -675,7 +682,7 @@ func (g *Generation) Validate(path *field.Path, namespaced bool, policyNamespace
} }
} }
generateType, _ := g.GetTypeAndSync() generateType, _, _ := g.GetTypeAndSyncAndOrphanDownstream()
if generateType == Data { if generateType == Data {
return errs return errs
} }
@ -776,11 +783,11 @@ const (
Clone GenerateType = "Clone" Clone GenerateType = "Clone"
) )
func (g *Generation) GetTypeAndSync() (GenerateType, bool) { func (g *Generation) GetTypeAndSyncAndOrphanDownstream() (GenerateType, bool, bool) {
if g.RawData != nil { if g.RawData != nil {
return Data, g.Synchronize return Data, g.Synchronize, g.OrphanDownstreamOnPolicyDelete
} }
return Clone, g.Synchronize return Clone, g.Synchronize, g.OrphanDownstreamOnPolicyDelete
} }
// CloneFrom provides the location of the source resource used to generate target resources. // CloneFrom provides the location of the source resource used to generate target resources.

4
api/kyverno/v1/rule_types.go
View file

@ -174,11 +174,11 @@ func (r *Rule) IsPodSecurity() bool {
return r.Validation.PodSecurity != nil return r.Validation.PodSecurity != nil
} }
func (r *Rule) GetGenerateTypeAndSync() (_ GenerateType, sync bool) { func (r *Rule) GetTypeAndSyncAndOrphanDownstream() (_ GenerateType, sync bool, orphanDownstream bool) {
if !r.HasGenerate() { if !r.HasGenerate() {
return return
} }
return r.Generation.GetTypeAndSync() return r.Generation.GetTypeAndSyncAndOrphanDownstream()
} }
func (r *Rule) GetAnyAllConditions() apiextensions.JSON { func (r *Rule) GetAnyAllConditions() apiextensions.JSON {

4
api/kyverno/v2beta1/rule_types.go
View file

@ -137,11 +137,11 @@ func (r *Rule) HasGenerate() bool {
return !datautils.DeepEqual(r.Generation, kyvernov1.Generation{}) return !datautils.DeepEqual(r.Generation, kyvernov1.Generation{})
} }
func (r *Rule) GetGenerateTypeAndSync() (_ kyvernov1.GenerateType, sync bool) { func (r *Rule) GetGenerateTypeAndSync() (_ kyvernov1.GenerateType, sync bool, orphanDownstream bool) {
if !r.HasGenerate() { if !r.HasGenerate() {
return return
} }
return r.Generation.GetTypeAndSync() return r.Generation.GetTypeAndSyncAndOrphanDownstream()
} }
// ValidateRuleType checks only one type of rule is defined per rule // ValidateRuleType checks only one type of rule is defined per rule

64
charts/kyverno/charts/crds/templates/kyverno.yaml
View file

@ -11067,6 +11067,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -15520,6 +15528,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -19949,6 +19965,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -24342,6 +24366,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -29011,6 +29043,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -33465,6 +33505,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -37895,6 +37943,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -42288,6 +42344,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.

32
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
View file

@ -1115,6 +1115,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -5568,6 +5576,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -9997,6 +10013,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -14390,6 +14414,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.

32
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
View file

@ -1116,6 +1116,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -5570,6 +5578,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -10000,6 +10016,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -14393,6 +14417,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.

32
config/crds/kyverno/kyverno.io_clusterpolicies.yaml
View file

@ -1115,6 +1115,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -5568,6 +5576,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -9997,6 +10013,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -14390,6 +14414,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.

32
config/crds/kyverno/kyverno.io_policies.yaml
View file

@ -1116,6 +1116,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -5570,6 +5578,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -10000,6 +10016,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -14393,6 +14417,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.

64
config/install-latest-testing.yaml
View file

@ -11285,6 +11285,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -15738,6 +15746,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -20167,6 +20183,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -24560,6 +24584,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -29231,6 +29263,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -33685,6 +33725,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.
@ -38115,6 +38163,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls whether
generated resources should be deleted when the rule that
generated them is deleted with synchronization enabled.
This option is only applicable to generate rules of the
data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. If should be kept in-sync with their source resource. If
@ -42508,6 +42564,14 @@ spec:
namespace: namespace:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
orphanDownstreamOnPolicyDelete:
description: OrphanDownstreamOnPolicyDelete controls
whether generated resources should be deleted when
the rule that generated them is deleted with synchronization
enabled. This option is only applicable to generate
rules of the data type. See https://kyverno.io/docs/writing-policies/generate/#data-examples.
Defaults to "false" if not specified.
type: boolean
synchronize: synchronize:
description: Synchronize controls if generated resources description: Synchronize controls if generated resources
should be kept in-sync with their source resource. should be kept in-sync with their source resource.

15
docs/user/crd/index.html
View file

@ -1895,6 +1895,21 @@ Optional. Defaults to &ldquo;false&rdquo; if not specified.</p>
</tr> </tr>
<tr> <tr>
<td> <td>
<code>orphanDownstreamOnPolicyDelete</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
See <a href="https://kyverno.io/docs/writing-policies/generate/#data-examples">https://kyverno.io/docs/writing-policies/generate/#data-examples</a>.
Defaults to &ldquo;false&rdquo; if not specified.</p>
</td>
</tr>
<tr>
<td>
<code>data</code><br/> <code>data</code><br/>
<em> <em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#json-v1-apiextensions"> <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#json-v1-apiextensions">

9
pkg/client/applyconfigurations/kyverno/v1/generation.go
View file

@ -28,6 +28,7 @@ import (
type GenerationApplyConfiguration struct { type GenerationApplyConfiguration struct {
*ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"` *ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"`
Synchronize *bool `json:"synchronize,omitempty"` Synchronize *bool `json:"synchronize,omitempty"`
OrphanDownstreamOnPolicyDelete *bool `json:"orphanDownstreamOnPolicyDelete,omitempty"`
RawData *apiextensionsv1.JSON `json:"data,omitempty"` RawData *apiextensionsv1.JSON `json:"data,omitempty"`
Clone *CloneFromApplyConfiguration `json:"clone,omitempty"` Clone *CloneFromApplyConfiguration `json:"clone,omitempty"`
CloneList *CloneListApplyConfiguration `json:"cloneList,omitempty"` CloneList *CloneListApplyConfiguration `json:"cloneList,omitempty"`
@ -98,6 +99,14 @@ func (b *GenerationApplyConfiguration) WithSynchronize(value bool) *GenerationAp
return b return b
} }
// WithOrphanDownstreamOnPolicyDelete sets the OrphanDownstreamOnPolicyDelete field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the OrphanDownstreamOnPolicyDelete field is set to the value of the last call.
func (b *GenerationApplyConfiguration) WithOrphanDownstreamOnPolicyDelete(value bool) *GenerationApplyConfiguration {
b.OrphanDownstreamOnPolicyDelete = &value
return b
}
// WithRawData sets the RawData field in the declarative configuration to the given value // WithRawData sets the RawData field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the RawData field is set to the value of the last call. // If called multiple times, the RawData field is set to the value of the last call.

4
pkg/policy/generate.go
View file

@ -66,8 +66,8 @@ func (pc *policyController) createURForDownstreamDeletion(policy kyvernov1.Polic
var errs []error var errs []error
rules := autogen.ComputeRules(policy) rules := autogen.ComputeRules(policy)
for _, r := range rules { for _, r := range rules {
generateType, sync := r.GetGenerateTypeAndSync() generateType, sync, orphanDownstreamOnPolicyDelete := r.GetTypeAndSyncAndOrphanDownstream()
if sync && (generateType == kyvernov1.Data) { if sync && (generateType == kyvernov1.Data) && !orphanDownstreamOnPolicyDelete {
if err := pc.syncDataPolicyChanges(policy, true); err != nil { if err := pc.syncDataPolicyChanges(policy, true); err != nil {
errs = append(errs, err) errs = append(errs, err)
} }

11
test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled, orphanDownstreamOnPolicyDelete preserves the downstream ConfigMap.
## Expected Behavior
If the generated configmap is retained, the test passes. If it is not, the test fails.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/9578

36
test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml Executable file
View file

@ -0,0 +1,36 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cpol-data-sync-orphan-downstream-delete-policy
spec:
generateExisting: false
rules:
- exclude:
any:
- resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
apiVersion: v1
data:
data:
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
kind: ConfigMap
metadata:
labels:
somekey: somevalue
kind: ConfigMap
name: zk-kafka-address
namespace: '{{request.object.metadata.name}}'
synchronize: true
orphanDownstreamOnPolicyDelete: true
match:
any:
- resources:
kinds:
- Namespace
name: cpol-data-sync-delete-rule

9
test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml Executable file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cpol-data-sync-orphan-downstream-delete-policy
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

4
test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml Executable file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cpol-data-sync-orphan-downstream-delete-policy-ns

10
test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
data:
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
kind: ConfigMap
metadata:
labels:
somekey: somevalue
name: zk-kafka-address
namespace: cpol-data-sync-orphan-downstream-delete-policy-ns

5
test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml Executable file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: zk-kafka-address
namespace: cpol-data-sync-delete-policy-ns

28
test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml Executable file
View file

@ -0,0 +1,28 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: cpol-data-sync-delete-policy
spec:
steps:
- name: step-01
try:
- apply:
file: chainsaw-step-01-apply-1-1.yaml
- assert:
file: chainsaw-step-01-assert-1-1.yaml
- name: step-02
try:
- apply:
file: chainsaw-step-02-apply-1-1.yaml
- assert:
file: chainsaw-step-02-assert-1-1.yaml
- name: step-03
try:
- delete:
ref:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: cpol-data-sync-orphan-downstream-delete-policy
- assert:
file: chainsaw-step-02-assert-1-1.yaml