diff --git a/pkg/background/common/labels.go b/pkg/background/common/labels.go index d1736913b0..1b7754985e 100644 --- a/pkg/background/common/labels.go +++ b/pkg/background/common/labels.go @@ -13,12 +13,6 @@ import ( "k8s.io/client-go/tools/cache" ) -const ( - LabelKeyKind = "kyverno.io/generated-by-kind" - LabelKeyNamespace = "kyverno.io/generated-by-namespace" - LabelKeyName = "kyverno.io/generated-by-name" -) - type Object interface { GetName() string GetNamespace() string @@ -35,8 +29,6 @@ func ManageLabels(unstr *unstructured.Unstructured, triggerResource unstructured // handle managedBy label managedBy(labels) - // handle generatedBy label - generatedBy(labels, triggerResource) PolicyInfo(labels, policy, ruleName) @@ -95,28 +87,6 @@ func managedBy(labels map[string]string) { } } -func generatedBy(labels map[string]string, triggerResource unstructured.Unstructured) { - checkGeneratedBy(labels, LabelKeyKind, triggerResource.GetKind()) - checkGeneratedBy(labels, LabelKeyNamespace, triggerResource.GetNamespace()) - checkGeneratedBy(labels, LabelKeyName, triggerResource.GetName()) -} - -func checkGeneratedBy(labels map[string]string, key, value string) { - value = trimByLength(value, 63) - - val, ok := labels[key] - if ok { - if val != value { - logging.V(2).Info(fmt.Sprintf("kyverno wont over-ride the label %s", key)) - return - } - } - if !ok { - // add label - labels[key] = value - } -} - func PolicyInfo(labels map[string]string, policy kyvernov1.PolicyInterface, ruleName string) { labels[GeneratePolicyLabel] = policy.GetName() labels[GeneratePolicyNamespaceLabel] = policy.GetNamespace() diff --git a/pkg/background/generate/generate.go b/pkg/background/generate/generate.go index 8d4b792835..3c91f5a234 100644 --- a/pkg/background/generate/generate.go +++ b/pkg/background/generate/generate.go 
@@ -409,25 +409,8 @@ func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, t newResource.SetAPIVersion(rdata.GenAPIVersion) common.ManageLabels(newResource, trigger, policy, rule.Name) - // Add Synchronize label - label := newResource.GetLabels() - - // Add background gen-rule label if generate rule applied on existing resource - if policy.GetSpec().IsGenerateExisting() { - label[LabelBackgroundGenRuleName] = rule.Name - } - - label[LabelDataPolicyName] = policy.GetName() - label[LabelURName] = ur.Name if rdata.Action == Create { - if rule.Generation.Synchronize { - label[LabelSynchronize] = "enable" - } else { - label[LabelSynchronize] = "disable" - } - newResource.SetResourceVersion("") - newResource.SetLabels(label) _, err = client.CreateResource(context.TODO(), rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, newResource, false) if err != nil { if !apierrors.IsAlreadyExists(err) { @@ -452,9 +435,6 @@ func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, t // if synchronize is true - update the label and generated resource with generate policy data if rule.Generation.Synchronize { logger.V(4).Info("updating existing resource") - label[LabelSynchronize] = "enable" - newResource.SetLabels(label) - if rdata.GenAPIVersion == "" { generatedResourceAPIVersion := generatedObj.GetAPIVersion() newResource.SetAPIVersion(generatedResourceAPIVersion) 
@@ -471,24 +451,6 @@ func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, t return newGenResources, err } } - } else { - currentGeneratedResourcelabel := generatedObj.GetLabels() - currentSynclabel := currentGeneratedResourcelabel[LabelSynchronize] - - // update only if the labels mismatches - if (!rule.Generation.Synchronize && currentSynclabel == "enable") || - (rule.Generation.Synchronize && currentSynclabel == "disable") { - logger.V(4).Info("updating label in existing resource") - currentGeneratedResourcelabel[LabelSynchronize] = "disable" - generatedObj.SetLabels(currentGeneratedResourcelabel) - - _, err = client.UpdateResource(context.TODO(), rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, generatedObj, false) - if err != nil { - logger.Error(err, "failed to update label in existing resource") - newGenResources = append(newGenResources, noGenResource) - return newGenResources, err - } - } } } logger.V(3).Info("updated generate target resource") diff --git a/pkg/background/generate/labels.go b/pkg/background/generate/labels.go deleted file mode 100644 index eee9bc8d0f..0000000000 --- a/pkg/background/generate/labels.go +++ /dev/null @@ -1,11 +0,0 @@ -package generate - -const ( - LabelURName = "policy.kyverno.io/ur-name" - LabelDataPolicyName = "policy.kyverno.io/policy-name" - LabelClonePolicyName = "generate.kyverno.io/clone-policy-name" - LabelSynchronize = "policy.kyverno.io/synchronize" - LabelBackgroundGenRuleName = "kyverno.io/background-gen-rule" - - AnnotationUpdateTime = "generate.kyverno.io/update-time" -) diff --git a/pkg/engine/api/engineresponse.go b/pkg/engine/api/engineresponse.go index 957d879a75..4a9f2106ec 100644 --- a/pkg/engine/api/engineresponse.go +++ b/pkg/engine/api/engineresponse.go @@ -1,6 +1,7 @@ package api import ( + "fmt" "reflect" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" 
@@ -116,6 +117,11 @@ func (er EngineResponse) GetFailedRules() []string { return er.getRules(func(rule RuleResponse) bool { return rule.HasStatus(RuleStatusFail, RuleStatusError) }) } +// GetFailedRulesWithErrors returns failed rules with corresponding error messages +func (er EngineResponse) GetFailedRulesWithErrors() []string { + return er.getRulesWithErrors(func(rule RuleResponse) bool { return rule.HasStatus(RuleStatusFail, RuleStatusError) }) +} + // GetSuccessRules returns success rules func (er EngineResponse) GetSuccessRules() []string { return er.getRules(func(rule RuleResponse) bool { return rule.HasStatus(RuleStatusPass) }) @@ -142,6 +148,16 @@ func (er EngineResponse) getRules(predicate func(RuleResponse) bool) []string { return rules } +func (er EngineResponse) getRulesWithErrors(predicate func(RuleResponse) bool) []string { + var rules []string + for _, r := range er.PolicyResponse.Rules { + if predicate(r) { + rules = append(rules, fmt.Sprintf("%s: %s", r.Name, r.Message)) + } + } + return rules +} + func (er *EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction { spec := er.Policy.GetSpec() for _, v := range spec.ValidationFailureActionOverrides { diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index 63b053a7cc..3dfb33d93d 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -19,7 +19,6 @@ import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common" "github.com/kyverno/kyverno/pkg/autogen" - "github.com/kyverno/kyverno/pkg/background/generate" "github.com/kyverno/kyverno/pkg/clients/dclient" openapicontroller "github.com/kyverno/kyverno/pkg/controllers/openapi" enginecontext "github.com/kyverno/kyverno/pkg/engine/context" 
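Review bot: The doc comment on `GetFailedRulesWithErrors` does not say what the returned strings look like or which statuses count as failed. The predicate matches both `RuleStatusFail` and `RuleStatusError`, so an ordinary rule failure is reported under the name "errors" as well. I would write the comment as `// GetFailedRulesWithErrors returns one "<rule name>: <message>" entry for every rule whose status is fail or error.` The predicate literal is a copy of the one in `GetFailedRules` directly above; a shared unexported helper would keep the two from drifting apart.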
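Review bot: `getRulesWithErrors` is a copy of the `getRules` loop with only the appended value changed, and it carries no comment. An empty `r.Message` produces an entry that ends in `: `, which reads like a truncated line once it lands in an error string. I would either drop the suffix when the message is empty or document the format, for example `// getRulesWithErrors returns "<name>: <message>" for each rule accepted by predicate.`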
@@ -33,7 +32,6 @@ import ( "golang.org/x/exp/slices" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/yaml" 
@@ -367,43 +365,6 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf return warnings, fmt.Errorf("labels and annotations supports only string values, \"use double quotes around the non string values\"") } - // add label to source mentioned in policy - if !mock && rule.Generation.Clone.Name != "" { - obj, err := client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name) - if err != nil { - logging.Error(err, fmt.Sprintf("source resource %s/%s/%s not found.", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)) - continue - } - err = UpdateSourceResource(client, rule.Generation.Kind, rule.Generation.Clone.Namespace, policy.GetName(), obj) - if err != nil { - logging.Error(err, "failed to update source", "kind", obj.GetKind(), "name", obj.GetName(), "namespace", obj.GetNamespace()) - continue - } - logging.V(4).Info("updated source", "kind", obj.GetKind(), "name", obj.GetName(), "namespace", obj.GetNamespace()) - } - if !mock && len(rule.Generation.CloneList.Kinds) != 0 { - for _, kind := range rule.Generation.CloneList.Kinds { - apiVersion, kind := kubeutils.GetKindFromGVK(kind) - resources, err := client.ListResource(context.TODO(), apiVersion, kind, rule.Generation.CloneList.Namespace, rule.Generation.CloneList.Selector) - if err != nil { - logging.Error(err, fmt.Sprintf("failed to list resources %s/%s.", kind, rule.Generation.CloneList.Namespace)) - continue - } - for _, rName := range resources.Items { - obj, err := client.GetResource(context.TODO(), apiVersion, kind, rule.Generation.CloneList.Namespace, rName.GetName()) - if err != nil { - logging.Error(err, fmt.Sprintf("source resource %s/%s/%s not found.", kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)) - continue - } - err = UpdateSourceResource(client, kind, rule.Generation.CloneList.Namespace, policy.GetName(), obj) - if err != nil { - logging.Error(err, "failed 
to update source", "kind", obj.GetKind(), "name", obj.GetName(), "namespace", obj.GetNamespace()) - continue - } - } - } - } - matchKinds := match.GetKinds() excludeKinds := exclude.GetKinds() allKinds := make([]string, 0, len(matchKinds)+len(excludeKinds)) @@ -439,42 +400,6 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf return warnings, nil } -func UpdateSourceResource(client dclient.Interface, kind, namespace string, policyName string, obj *unstructured.Unstructured) error { - updateSource := true - label := obj.GetLabels() - - if len(label) == 0 { - label = make(map[string]string) - label[generate.LabelClonePolicyName] = policyName - } else { - if label[generate.LabelClonePolicyName] != "" { - policyNames := label[generate.LabelClonePolicyName] - if !strings.Contains(policyNames, policyName) { - policyNames = policyNames + "," + policyName - label[generate.LabelClonePolicyName] = policyNames - } else { - updateSource = false - } - } else { - label[generate.LabelClonePolicyName] = policyName - } - } - - if updateSource { - logging.V(4).Info("updating existing clone source labels") - obj.SetLabels(label) - obj.SetResourceVersion("") - - _, err := client.UpdateResource(context.TODO(), obj.GetAPIVersion(), kind, namespace, obj, false) - if err != nil { - logging.Error(err, "failed to update source", "kind", obj.GetKind(), "name", obj.GetName(), "namespace", obj.GetNamespace()) - return err - } - logging.V(4).Info("updated source", "kind", obj.GetKind(), "name", obj.GetName(), "namespace", obj.GetNamespace()) - } - return nil -} - func ValidateVariables(p kyvernov1.PolicyInterface, backgroundMode bool) error { vars := hasVariables(p) if backgroundMode { diff --git a/pkg/webhooks/resource/fake.go b/pkg/webhooks/resource/fake.go index b81b48ed5d..fe4984e1b6 100644 --- a/pkg/webhooks/resource/fake.go +++ b/pkg/webhooks/resource/fake.go 
@@ -54,7 +54,6 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook eventGen: event.NewFake(), openApiManager: openapi.NewFake(), pcBuilder: webhookutils.NewPolicyContextBuilder(configuration, dclient, rbLister, crbLister), - urUpdater: webhookutils.NewUpdateRequestUpdater(kyvernoclient, urLister), engine: engine.NewEngine( configuration, dclient, diff --git a/pkg/webhooks/resource/generation/handler.go b/pkg/webhooks/resource/generation/handler.go index 942fdf91d6..69ac7582c7 100644 --- a/pkg/webhooks/resource/generation/handler.go +++ b/pkg/webhooks/resource/generation/handler.go @@ -40,7 +40,6 @@ func NewGenerationHandler( cpolLister kyvernov1listers.ClusterPolicyLister, polLister kyvernov1listers.PolicyLister, urGenerator webhookgenerate.Generator, - urUpdater webhookutils.UpdateRequestUpdater, eventGen event.Interface, metrics metrics.MetricsConfigManager, ) GenerationHandler { @@ -54,7 +53,6 @@ func NewGenerationHandler( cpolLister: cpolLister, polLister: polLister, urGenerator: urGenerator, - urUpdater: urUpdater, eventGen: eventGen, metrics: metrics, } @@ -70,7 +68,6 @@ type generationHandler struct { cpolLister kyvernov1listers.ClusterPolicyLister polLister kyvernov1listers.PolicyLister urGenerator webhookgenerate.Generator - urUpdater webhookutils.UpdateRequestUpdater eventGen event.Interface metrics metrics.MetricsConfigManager } diff --git a/pkg/webhooks/resource/handlers.go b/pkg/webhooks/resource/handlers.go index 3e781f2a9a..9c3539fdef 100644 --- a/pkg/webhooks/resource/handlers.go +++ b/pkg/webhooks/resource/handlers.go @@ -58,7 +58,6 @@ type handlers struct { eventGen event.Interface openApiManager openapi.ValidateInterface pcBuilder webhookutils.PolicyContextBuilder - urUpdater webhookutils.UpdateRequestUpdater admissionReports bool } 
@@ -98,7 +97,6 @@ func NewHandlers( eventGen: eventGen, openApiManager: openApiManager, pcBuilder: webhookutils.NewPolicyContextBuilder(configuration, client, rbLister, crbLister), - urUpdater: webhookutils.NewUpdateRequestUpdater(kyvernoClient, urLister), admissionReports: admissionReports, } } diff --git a/pkg/webhooks/resource/mutation/mutation.go b/pkg/webhooks/resource/mutation/mutation.go index ab1e458a15..58830243f9 100644 --- a/pkg/webhooks/resource/mutation/mutation.go +++ b/pkg/webhooks/resource/mutation/mutation.go @@ -160,7 +160,7 @@ func (h *mutationHandler) applyMutation(ctx context.Context, request *admissionv policyPatches := engineResponse.GetPatches() if !engineResponse.IsSuccessful() { - return nil, nil, fmt.Errorf("failed to apply policy %s rules %v", policyContext.Policy().GetName(), engineResponse.GetFailedRules()) + return nil, nil, fmt.Errorf("failed to apply policy %s rules %v", policyContext.Policy().GetName(), engineResponse.GetFailedRulesWithErrors()) } if policyContext.Policy().ValidateSchema() && engineResponse.PatchedResource.GetKind() != "*" { diff --git a/pkg/webhooks/resource/updaterequest.go b/pkg/webhooks/resource/updaterequest.go index 6473c110df..e13b1f5b95 100644 --- a/pkg/webhooks/resource/updaterequest.go +++ b/pkg/webhooks/resource/updaterequest.go 
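Review bot: The rule messages now become part of the error returned from `applyMutation`, and formatting the slice with `%v` prints something like `[rule-a: msg one rule-b: msg two]` (constructed sample), where entries cannot be told apart because messages contain spaces. Joining explicitly, `strings.Join(engineResponse.GetFailedRulesWithErrors(), "; ")`, keeps them separable; this needs `strings` among the file's imports, which are outside the hunk. If this error is passed back in the admission response, which the hunk does not show, the messages become visible to whoever submitted the request, so it is worth confirming that rule messages never embed values resolved from other resources or external context. `applyMutation` starts and ends outside the hunk.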
@@ -78,6 +78,6 @@ func (h *handlers) handleMutateExisting(ctx context.Context, logger logr.Logger, } func (h *handlers) handleGenerate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, generatePolicies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, ts time.Time) { - gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.urUpdater, h.eventGen, h.metricsConfig) + gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig) go gh.Handle(ctx, request, generatePolicies, policyContext) } diff --git a/pkg/webhooks/updaterequest/generator.go b/pkg/webhooks/updaterequest/generator.go index 24b59018ae..37f91e7847 100644 --- a/pkg/webhooks/updaterequest/generator.go +++ b/pkg/webhooks/updaterequest/generator.go 
@@ -69,50 +69,26 @@ func (g *generator) tryApplyResource(ctx context.Context, urSpec kyvernov1beta1. queryLabels = common.GenerateLabelsSet(urSpec.Policy, urSpec.GetResource()) } - urList, err := g.urLister.List(labels.SelectorFromSet(queryLabels)) + l.V(4).Info("creating new UpdateRequest") + ur := kyvernov1beta1.UpdateRequest{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: config.KyvernoNamespace(), + GenerateName: "ur-", + Labels: queryLabels, + }, + Spec: urSpec, + } + created, err := g.client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Create(ctx, &ur, metav1.CreateOptions{}) if err != nil { - l.Error(err, "failed to get update request for the resource", "resource", urSpec.GetResource().String()) + l.V(4).Error(err, "failed to create UpdateRequest, retrying", "name", ur.GetGenerateName(), "namespace", ur.GetNamespace()) return err } - for _, v := range urList { - l := l.WithValues("name", v.GetName()) - l.V(4).Info("updating existing update request") - if _, err := common.Update(g.client, g.urLister, v.GetName(), func(ur *kyvernov1beta1.UpdateRequest) { - v.Spec = urSpec - }); err != nil { - l.V(4).Error(err, "failed to update UpdateRequest") - return err - } else { - l.V(4).Info("successfully updated UpdateRequest") - } - if _, err := common.UpdateStatus(g.client, g.urLister, v.GetName(), kyvernov1beta1.Pending, "", nil); err != nil { - l.V(4).Error(err, "failed to update UpdateRequest status") - return err - } - } - - if len(urList) == 0 || urSpec.DeleteDownstream { - l.V(4).Info("creating new UpdateRequest") - ur := kyvernov1beta1.UpdateRequest{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: config.KyvernoNamespace(), - GenerateName: "ur-", - Labels: queryLabels, - }, - Spec: urSpec, - } - created, err := g.client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Create(ctx, &ur, metav1.CreateOptions{}) - if err != nil { - l.V(4).Error(err, "failed to create UpdateRequest, retrying", "name", ur.GetGenerateName(), "namespace", 
ur.GetNamespace()) - return err - } - updated := created.DeepCopy() - updated.Status.State = kyvernov1beta1.Pending - _, err = g.client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), updated, metav1.UpdateOptions{}) - if err != nil { - return err - } - l.V(4).Info("successfully created UpdateRequest", "name", updated.GetName(), "namespace", ur.GetNamespace()) + updated := created.DeepCopy() + updated.Status.State = kyvernov1beta1.Pending + _, err = g.client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), updated, metav1.UpdateOptions{}) + if err != nil { + return err } + l.V(4).Info("successfully created UpdateRequest", "name", updated.GetName(), "namespace", ur.GetNamespace()) return nil } diff --git a/pkg/webhooks/utils/update_request_updater.go b/pkg/webhooks/utils/update_request_updater.go deleted file mode 100644 index 7d25175e9d..0000000000 --- a/pkg/webhooks/utils/update_request_updater.go +++ /dev/null 
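Review bot: `tryApplyResource` now creates a new UpdateRequest on every call, with no lookup of an existing one for the same `queryLabels`, so repeated admission events for one trigger each add an object to the Kyverno namespace. Unless something outside this hunk deduplicates or garbage-collects them, the number of UpdateRequests is bounded only by the rate of matching requests, which any user allowed to create or update matching resources controls. In the added lines, `UpdateStatus` is called with `context.TODO()` while `Create` uses the caller's `ctx`, so cancellation is not honoured there; `UpdateStatus(ctx, updated, metav1.UpdateOptions{})` would be consistent. When `UpdateStatus` fails the error is returned without a log line and the object created just before stays behind, so if the caller retries (as the "retrying" log text suggests) a second UpdateRequest is created. The function begins outside the hunk.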
@@ -1,53 +0,0 @@
-package utils
-
-import (
- "time"
-
- "github.com/go-logr/logr"
- kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
- "github.com/kyverno/kyverno/pkg/background/common"
- "github.com/kyverno/kyverno/pkg/background/generate"
- "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
- kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
-)
-
-type UpdateRequestUpdater interface {
- // UpdateAnnotation updates UR annotation, triggering reprocessing of UR and recreation/updation of generated resource
- UpdateAnnotation(logger logr.Logger, name string)
-}
-
-type updateRequestUpdater struct {
- client versioned.Interface
- lister kyvernov1beta1listers.UpdateRequestNamespaceLister
-}
-
-func NewUpdateRequestUpdater(client versioned.Interface, lister kyvernov1beta1listers.UpdateRequestNamespaceLister) UpdateRequestUpdater {
- return &updateRequestUpdater{
- client: client,
- lister: lister,
- }
-}
-
-func (h *updateRequestUpdater) updateAnnotation(logger logr.Logger, name string) {
- if _, err := common.Update(h.client, h.lister, name, func(ur *kyvernov1beta1.UpdateRequest) {
- urAnnotations := ur.Annotations
- if len(urAnnotations) == 0 {
- urAnnotations = make(map[string]string)
- }
- urAnnotations[generate.AnnotationUpdateTime] = time.Now().String()
- ur.SetAnnotations(urAnnotations)
- }); err != nil {
- logger.Error(err, "failed to update update request update-time annotations for the resource", "update request", name)
- }
-}
-
-func (h *updateRequestUpdater) setPendingStatus(logger logr.Logger, name string) {
- if _, err := common.UpdateStatus(h.client, h.lister, name, kyvernov1beta1.Pending, "", nil); err != nil {
- logger.Error(err, "failed to set UpdateRequest state to Pending", "update request", name)
- }
-}
-
-func (h *updateRequestUpdater) UpdateAnnotation(logger logr.Logger, name string) {
- h.updateAnnotation(logger, name)
- h.setPendingStatus(logger, name)
-}
diff --git a/pkg/webhooks/utils/update_request_updater_test.go b/pkg/webhooks/utils/update_request_updater_test.go
deleted file mode 100644
index be76e69124..0000000000
--- a/pkg/webhooks/utils/update_request_updater_test.go
+++ /dev/null
@@ -1,173 +0,0 @@ -package utils - -import ( - "context" - "testing" - - "github.com/go-logr/logr" - kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1" - "github.com/kyverno/kyverno/pkg/background/generate" - "github.com/kyverno/kyverno/pkg/client/clientset/versioned" - "github.com/kyverno/kyverno/pkg/client/clientset/versioned/fake" - kyvernoinformers "github.com/kyverno/kyverno/pkg/client/informers/externalversions" - kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1" - "github.com/kyverno/kyverno/pkg/config" - "github.com/stretchr/testify/assert" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" -) - -func TestNewUpdateRequestUpdater(t *testing.T) { - type args struct { - client versioned.Interface - lister kyvernov1beta1listers.UpdateRequestNamespaceLister - } - tests := []struct { - name string - args args - want UpdateRequestUpdater - }{{ - name: "nil", - args: args{nil, nil}, - want: &updateRequestUpdater{nil, nil}, - }} - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got := NewUpdateRequestUpdater(tt.args.client, tt.args.lister) - assert.Equal(t, tt.want, got) - }) - } -} - -func Test_updateRequestUpdater_updateAnnotation(t *testing.T) { - type data struct { - objects []runtime.Object - } - tests := []struct { - name string - data data - urName string - updated bool - }{{ - name: "success", - data: data{ - []runtime.Object{ - &kyvernov1beta1.UpdateRequest{ - ObjectMeta: v1.ObjectMeta{ - Name: "test", - Namespace: config.KyvernoNamespace(), - }, - }, - }, - }, - urName: "test", - updated: true, - }, { - name: "not found", - data: data{ - []runtime.Object{ - &kyvernov1beta1.UpdateRequest{ - ObjectMeta: v1.ObjectMeta{ - Name: "dummy", - Namespace: config.KyvernoNamespace(), - }, - }, - }, - }, - urName: "dummy", - updated: false, - }} - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - ctx, cancel := context.WithCancel(context.Background()) - 
done := ctx.Done() - t.Cleanup(cancel) - client := fake.NewSimpleClientset(tt.data.objects...) - kyvernoInformers := kyvernoinformers.NewSharedInformerFactory(client, 0) - lister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace()) - kyvernoInformers.Start(done) - kyvernoInformers.WaitForCacheSync(done) - h := &updateRequestUpdater{ - client: client, - lister: lister, - } - h.updateAnnotation(logr.Discard(), "test") - ur, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Get(ctx, tt.urName, v1.GetOptions{}) - assert.NoError(t, err) - assert.NotNil(t, ur) - if tt.updated { - annotations := ur.GetAnnotations() - assert.NotNil(t, annotations) - assert.NotNil(t, annotations[generate.AnnotationUpdateTime]) - } else { - annotations := ur.GetAnnotations() - assert.Nil(t, annotations) - } - }) - } -} - -func Test_updateRequestUpdater_setPendingStatus(t *testing.T) { - type data struct { - objects []runtime.Object - } - tests := []struct { - name string - data data - urName string - updated bool - }{{ - name: "success", - data: data{ - []runtime.Object{ - &kyvernov1beta1.UpdateRequest{ - ObjectMeta: v1.ObjectMeta{ - Name: "test", - Namespace: config.KyvernoNamespace(), - }, - }, - }, - }, - urName: "test", - updated: true, - }, { - name: "not found", - data: data{ - []runtime.Object{ - &kyvernov1beta1.UpdateRequest{ - ObjectMeta: v1.ObjectMeta{ - Name: "dummy", - Namespace: config.KyvernoNamespace(), - }, - }, - }, - }, - urName: "dummy", - updated: false, - }} - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - ctx, cancel := context.WithCancel(context.Background()) - done := ctx.Done() - t.Cleanup(cancel) - client := fake.NewSimpleClientset(tt.data.objects...) 
- kyvernoInformers := kyvernoinformers.NewSharedInformerFactory(client, 0) - lister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace()) - kyvernoInformers.Start(done) - kyvernoInformers.WaitForCacheSync(done) - h := &updateRequestUpdater{ - client: client, - lister: lister, - } - h.setPendingStatus(logr.Discard(), "test") - ur, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Get(ctx, tt.urName, v1.GetOptions{}) - assert.NoError(t, err) - assert.NotNil(t, ur) - if tt.updated { - assert.Equal(t, kyvernov1beta1.Pending, ur.Status.State) - } else { - assert.NotEqual(t, kyvernov1beta1.Pending, ur.Status.State) - } - }) - } -} diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/resource-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/resource-assert.yaml index 3747a0720a..e9a93ac5a1 100644 --- a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/resource-assert.yaml +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/resource-assert.yaml @@ -7,13 +7,6 @@ kind: Secret metadata: labels: allowedToBeCloned: "true" - app.kubernetes.io/managed-by: kyverno - generate.kyverno.io/clone-policy-name: sync-with-multi-clone - kyverno.io/generated-by-kind: Namespace - kyverno.io/generated-by-name: prod-1 - kyverno.io/generated-by-namespace: "" - policy.kyverno.io/policy-name: sync-with-multi-clone - policy.kyverno.io/synchronize: enable name: image-secret namespace: prod-1 type: kubernetes.io/basic-auth 
@@ -25,12 +18,5 @@ kind: ConfigMap metadata: labels: allowedToBeCloned: "true" - app.kubernetes.io/managed-by: kyverno - generate.kyverno.io/clone-policy-name: sync-with-multi-clone - kyverno.io/generated-by-kind: Namespace - kyverno.io/generated-by-name: prod-1 - kyverno.io/generated-by-namespace: "" - policy.kyverno.io/policy-name: sync-with-multi-clone - policy.kyverno.io/synchronize: enable name: bootstrap-config namespace: prod-1 diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/resource-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/resource-assert.yaml index 24bc5ec2f0..e377632d08 100644 --- a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/resource-assert.yaml +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/resource-assert.yaml @@ -7,13 +7,6 @@ kind: Secret metadata: labels: allowedToBeCloned: "true" - app.kubernetes.io/managed-by: kyverno - generate.kyverno.io/clone-policy-name: sync-with-multi-clone-update - kyverno.io/generated-by-kind: Namespace - kyverno.io/generated-by-name: prod - kyverno.io/generated-by-namespace: "" - policy.kyverno.io/policy-name: sync-with-multi-clone-update - policy.kyverno.io/synchronize: enable name: image-secret namespace: prod type: kubernetes.io/basic-auth @@ -25,12 +18,5 @@ kind: ConfigMap metadata: labels: allowedToBeCloned: "true" - app.kubernetes.io/managed-by: kyverno - generate.kyverno.io/clone-policy-name: sync-with-multi-clone-update - kyverno.io/generated-by-kind: Namespace - kyverno.io/generated-by-name: prod - kyverno.io/generated-by-namespace: "" - policy.kyverno.io/policy-name: sync-with-multi-clone-update - policy.kyverno.io/synchronize: enable name: bootstrap-config namespace: prod 
diff --git a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/synchronized-target.yaml b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/synchronized-target.yaml index 9f15974599..59428d2df1 100644 --- a/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/synchronized-target.yaml +++ b/test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/synchronized-target.yaml @@ -6,12 +6,5 @@ kind: ConfigMap metadata: labels: allowedToBeCloned: "true" - app.kubernetes.io/managed-by: kyverno - generate.kyverno.io/clone-policy-name: sync-with-multi-clone-update - kyverno.io/generated-by-kind: Namespace - kyverno.io/generated-by-name: prod - kyverno.io/generated-by-namespace: "" - policy.kyverno.io/policy-name: sync-with-multi-clone-update - policy.kyverno.io/synchronize: enable name: bootstrap-config namespace: prod diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/04-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/04-assert.yaml index 030f798740..8fa12c2eac 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/04-assert.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/04-assert.yaml @@ -4,4 +4,4 @@ metadata: annotations: org: kyverno-test name: test-org - namespace: test + namespace: org-label-inheritance-existing-standard-ns diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/configmap.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/configmap.yaml index 1656a39674..d2dd3388ef 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/configmap.yaml 
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/configmap.yaml @@ -2,4 +2,4 @@ apiVersion: v1 kind: ConfigMap metadata: name: test-org - namespace: test + namespace: org-label-inheritance-existing-standard-ns diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/pod.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/pod.yaml index cb7280f482..da42eb1369 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/pod.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/pod.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Pod metadata: name: test-org - namespace: test + namespace: org-label-inheritance-existing-standard-ns spec: containers: - image: nginx:latest diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/policy-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/policy-assert.yaml index 11ec9368ec..c399e38816 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/policy-assert.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: org-label-inheritance-existing + name: org-label-inheritance-existing-standard status: conditions: - reason: Succeeded diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/policy.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/policy.yaml index 58ccd6fb4a..73a0db5b60 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/policy.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/namespaceselector/policy.yaml 
@@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: org-label-inheritance-existing + name: org-label-inheritance-existing-standard annotations: pod-policies.kyverno.io/autogen-controllers: none spec: @@ -39,4 +39,4 @@ kind: Namespace metadata: labels: org: kyverno-test - name: test + name: org-label-inheritance-existing-standard-ns diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-assert.yaml index 945c00b098..b13165d73d 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-assert.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-assert.yaml @@ -3,19 +3,19 @@ kind: Namespace metadata: labels: org: kyverno-test - name: test + name: org-label-inheritance-existing-ns --- apiVersion: v1 kind: ConfigMap metadata: name: test-org - namespace: test + namespace: org-label-inheritance-existing-ns --- apiVersion: v1 kind: Pod metadata: name: test-org - namespace: test + namespace: org-label-inheritance-existing-ns spec: containers: - image: nginx:latest diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-manifests.yaml index 945c00b098..b13165d73d 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-manifests.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-manifests.yaml 
@@ -3,19 +3,19 @@ kind: Namespace metadata: labels: org: kyverno-test - name: test + name: org-label-inheritance-existing-ns --- apiVersion: v1 kind: ConfigMap metadata: name: test-org - namespace: test + namespace: org-label-inheritance-existing-ns --- apiVersion: v1 kind: Pod metadata: name: test-org - namespace: test + namespace: org-label-inheritance-existing-ns spec: containers: - image: nginx:latest diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/04-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/04-assert.yaml index 030f798740..e26f93d9c2 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/04-assert.yaml +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/04-assert.yaml @@ -4,4 +4,4 @@ metadata: annotations: org: kyverno-test name: test-org - namespace: test + namespace: org-label-inheritance-existing-ns diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/README.md index 0d7020e626..98706c7ae7 100644 --- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/README.md +++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/README.md @@ -10,7 +10,7 @@ The pod is mutated with annotation `org: kyverno-test`. ### Test Steps -1. Create a pod and a configmap in the `test` namespace labeled by `org: kyverno-test`. +1. Create a pod and a configmap in the `org-label-inheritance-existing-ns` namespace labeled by `org: kyverno-test`. 2. Create a `ClusterPolicy` that mutates existing pods. 3. The pod should be mutated with the annotation `org: kyverno-test` present on the parent namespace.