fix: namespace matching for background namespaced policies (#6530)

* fix namespace matching for background policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * add a kuttl test match-trigger-namespace Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-29 02:45:06 +00:00 · 2023-03-10 21:55:08 +08:00 · 2023-03-10 21:55:08 +08:00 · 85a83e4fae
commit 85a83e4fae
parent 5160b63154
11 changed files with 160 additions and 2 deletions
--- a/pkg/engine/background.go
+++ b/pkg/engine/background.go
@ -95,11 +95,12 @@ func (e *engine) filterRule(
 	ctx := policyContext.JSONContext()
 	excludeGroupRole := e.configuration.GetExcludedGroups()
 	namespaceLabels := policyContext.NamespaceLabels()
+	policy := policyContext.Policy()

-	if err := MatchesResourceDescription(subresourceGVKToAPIResource, newResource, rule, admissionInfo, excludeGroupRole, namespaceLabels, "", policyContext.SubResource()); err != nil {
+	if err := MatchesResourceDescription(subresourceGVKToAPIResource, newResource, rule, admissionInfo, excludeGroupRole, namespaceLabels, policy.GetNamespace(), policyContext.SubResource()); err != nil {
 		if ruleType == engineapi.Generation {
 			// if the oldResource matched, return "false" to delete GR for it
-			if err = MatchesResourceDescription(subresourceGVKToAPIResource, oldResource, rule, admissionInfo, excludeGroupRole, namespaceLabels, "", policyContext.SubResource()); err == nil {
+			if err = MatchesResourceDescription(subresourceGVKToAPIResource, oldResource, rule, admissionInfo, excludeGroupRole, namespaceLabels, policy.GetNamespace(), policyContext.SubResource()); err == nil {
 				return &engineapi.RuleResponse{
 					Name:   rule.Name,
 					Type:   ruleType,
--- a/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/01-assert.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/01-assert.yaml
@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: match-trigger-namespace
+  namespace: match-trigger-namespace-ns
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/01-manifests.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/01-manifests.yaml
@ -0,0 +1,42 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: match-trigger-namespace-ns
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    example.com/sm-sync: "true"
+  name: regcred
+  namespace: match-trigger-namespace-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: match-trigger-namespace
+  namespace: match-trigger-namespace-ns
+spec:
+  generateExisting: true
+  rules:
+    - name: get-synced-secrets
+      match:
+        resources:
+          kinds:
+            - Secret
+          selector:
+            matchLabels:
+              example.com/sm-sync: "true"
+      generate:
+        apiVersion: v1
+        kind: Secret
+        name: "{{request.object.metadata.name}}-modify"
+        namespace: match-trigger-namespace-ns
+        synchronize: true
+        data:
+          type: Opaque
+          data:
+            modify: Zm9v
--- a/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/02-sleep.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/02-sleep.yaml
@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 3
--- a/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/03-assert.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/03-assert.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  modify: Zm9v
+kind: Secret
+metadata:
+  name: regcred-modify
+  namespace: match-trigger-namespace-ns
+type: Opaque
--- a/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/README.md
+++ b/test/conformance/kuttl/generate/policy/standard/existing/match-trigger-namespace/README.md
@ -0,0 +1,11 @@
+## Description
+
+This test checks the generateExisting namespaced policy is applied when the trigger is found in the same namespace as the policy.
+
+## Expected Behavior
+
+If the resource secret is created, the test passes. If it is not, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6519
--- a/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/01-assert.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/01-assert.yaml
@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: non-match-trigger-namespace
+  namespace: non-match-trigger-namespace-ns
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/01-manifests.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/01-manifests.yaml
@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: non-match-trigger-namespace-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: non-match-trigger-namespace-ns-2
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    example.com/sm-sync: "true"
+  name: regcred
+  namespace: non-match-trigger-namespace-ns-2
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: non-match-trigger-namespace
+  namespace: non-match-trigger-namespace-ns
+spec:
+  generateExisting: true
+  rules:
+    - name: get-synced-secrets
+      match:
+        resources:
+          kinds:
+            - Secret
+          selector:
+            matchLabels:
+              example.com/sm-sync: "true"
+      generate:
+        apiVersion: v1
+        kind: Secret
+        name: "{{request.object.metadata.name}}-modify"
+        namespace: non-match-trigger-namespace-ns
+        synchronize: true
+        data:
+          type: Opaque
+          data:
+            modify: Zm9v
--- a/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/02-sleep.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/02-sleep.yaml
@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 3
--- a/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/03-errors.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/03-errors.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  modify: Zm9v
+kind: Secret
+metadata:
+  name: regcred-modify
+  namespace: non-match-trigger-namespace-ns
+type: Opaque
--- a/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/README.md
+++ b/test/conformance/kuttl/generate/policy/standard/existing/non-match-trigger-namespace/README.md
@ -0,0 +1,11 @@
+## Description
+
+This test checks the generateExisting namespaced policy is not applied when the trigger is not found in the same namespace as the policy.
+
+## Expected Behavior
+
+If the resource secret is not created, the test passes. If it is created, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6519