fix: admission review variables for DELETE operations (#6197) (#6214)

* build trigger from the stored admission request payload * add a kuttl test --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-02-03 20:58:20 +08:00 · 2023-02-03 20:58:20 +08:00 · 884819a00c
commit 884819a00c
parent 987d72dae5
8 changed files with 110 additions and 3 deletions
--- a/pkg/background/common/resource.go
+++ b/pkg/background/common/resource.go
@ -8,6 +8,7 @@ import (
 	logr "github.com/go-logr/logr"
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
+	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	retryutils "github.com/kyverno/kyverno/pkg/utils/retry"
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@ -51,6 +52,16 @@ func GetResource(client dclient.Interface, urSpec kyvernov1beta1.UpdateRequestSp
 		return nil, err
 	}

-	log.V(2).Info("fetched trigger resource", "resourceSpec", resourceSpec)
+	if resource == nil && urSpec.Context.AdmissionRequestInfo.AdmissionRequest != nil {
+		request := urSpec.Context.AdmissionRequestInfo.AdmissionRequest
+		raw := request.Object.Raw
+		if request.Operation == admissionv1.Delete {
+			raw = request.OldObject.Raw
+		}
+
+		resource, err = kubeutils.BytesToUnstructured(raw)
+	}
+
+	log.V(3).Info("fetched trigger resource", "resourceSpec", resourceSpec)
 	return resource, err
 }
--- a/pkg/webhooks/resource/utils.go
+++ b/pkg/webhooks/resource/utils.go
@ -49,7 +49,7 @@ func applyUpdateRequest(
 	ctx context.Context,
 	request *admissionv1.AdmissionRequest,
 	ruleType kyvernov1beta1.RequestType,
-	grGenerator updaterequest.Generator,
+	urGenerator updaterequest.Generator,
 	userRequestInfo kyvernov1beta1.RequestInfo,
 	action admissionv1.Operation,
 	engineResponses ...*response.EngineResponse,
@ -61,7 +61,7 @@ func applyUpdateRequest(

 	for _, er := range engineResponses {
 		ur := transform(admissionRequestInfo, userRequestInfo, er, ruleType)
-		if err := grGenerator.Apply(ctx, ur, action); err != nil {
+		if err := urGenerator.Apply(ctx, ur, action); err != nil {
 			failedUpdateRequest = append(failedUpdateRequest, updateRequestResponse{ur: ur, err: err})
 		}
 	}
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test-post-mutation-delete-trigger
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml
@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: staging-2
+  labels:
+    app-type: corp
+  annotations:
+    cloud.platformzero.com/serviceClass: "xl2"
+---
+apiVersion: v1
+data:
+  foo: bar
+kind: ConfigMap
+metadata:
+  name: dictionary-2
+  namespace: staging-2
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: test-secret-2
+  namespace: staging-2
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test-post-mutation-delete-trigger
+spec:
+  mutateExistingOnPolicyUpdate: false
+  rules:
+    - name: mutate-secret-on-configmap-delete
+      match:
+        any:
+        - resources:
+            kinds:
+            - ConfigMap
+            names:
+            - dictionary-2
+            namespaces:
+            - staging-2
+      preconditions:
+        any:
+        - key: "{{ request.operation }}"
+          operator: Equals
+          value: DELETE
+      mutate:
+        targets:
+        - apiVersion: v1
+          kind: Secret
+          name: test-secret-2
+          namespace: "{{ request.object.metadata.namespace }}"
+        patchStrategicMerge:
+          metadata:
+            labels:
+              foo: "{{ request.object.metadata.name }}"
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml
@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: v1
+  kind: ConfigMap
+  name: dictionary-2
+  namespace: staging-2
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret-2
+  namespace: staging-2
+  labels:
+    foo: dictionary-2
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/README.md
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/README.md
@ -0,0 +1,11 @@
+## Description
+
+This is a basic test for the mutate existing capability which ensures that specifically deleting a triggering resource, via a precondition, results in the correct mutation of a different resource.
+
+## Expected Behavior
+
+When the `dictionary-2` ConfigMap is deleted, this should result in the mutation of the Secret named `test-secret-2` within the same Namespace to add the label `foo` with value set to the name or `dictionary-2` in this case. If the Secret is mutated so that the label `foo: dictionary-2` is present, the test passes. If not, the test fails.
+
+## Reference Issue(s)
+
+N/A
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true