fix: Remove ownerReferences when cloning across Namespaces (#7517)

Signed-off-by: Mike Bryant <mike.bryant@mettle.co.uk>
Co-authored-by: shuting <shuting@nirmata.com>

pkg/background/generate/clone.go

@@ -46,6 +46,11 @@ func manageClone(log logr.Logger, target, sourceSpec kyvernov1.ResourceSpec, pol
 
 	sourceObjCopy := sourceObj.DeepCopy()
 	addSourceLabels(sourceObjCopy)
+
+	if sourceObjCopy.GetNamespace() != target.GetNamespace() && sourceObjCopy.GetOwnerReferences() != nil {
+		sourceObjCopy.SetOwnerReferences(nil)
+	}
+
 	targetObj, err := client.GetResource(context.TODO(), target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName())
 	if err != nil {
 		if apierrors.IsNotFound(err) && len(ur.Status.GeneratedResources) != 0 && !clone.Synchronize {
@@ -58,10 +63,6 @@ func manageClone(log logr.Logger, target, sourceSpec kyvernov1.ResourceSpec, pol
 		return newSkipGenerateResponse(nil, target, fmt.Errorf("failed to get the target source: %v", err))
 	}
 
-	if sourceObjCopy.GetNamespace() != target.GetNamespace() && sourceObjCopy.GetOwnerReferences() != nil {
-		sourceObjCopy.SetOwnerReferences(nil)
-	}
-
 	if targetObj != nil {
 		sourceObjCopy.SetUID(targetObj.GetUID())
 		sourceObjCopy.SetSelfLink(targetObj.GetSelfLink())

test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/02-set-ownerreference.yaml

@@ -0,0 +1,16 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: >
+      kubectl -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns get configmap owner -o json |
+      jq '{
+        "metadata": {
+          "ownerReferences": [{
+            "apiVersion": "v1",
+            "kind": "ConfigMap",
+            "name": "owner",
+            "uid": .metadata.uid
+          }]
+        }
+      }' |
+      kubectl patch -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns secret cpol-clone-delete-ownerreferences-across-namespaces --patch-file=/dev/stdin

test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/03-trigger.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- trigger.yaml
+assert:
+- created-secret.yaml

test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/04-check-no-ownerreference.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: >
+      kubectl --namespace cpol-clone-delete-ownerreferences-across-namespaces-target-ns get secret cpol-clone-delete-ownerreferences-across-namespaces -o json |
+      jq -e '.metadata.ownerReferences == null'

test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This tests that the ownerReferences of cloned objects in different Namespaces are removed. Otherwise these objects will be immediately garbage-collected
+
+## Expected Behavior
+
+The background controller will strip the ownerReference when cloning between Namespaces, if it exists.
+
+## Reference Issue(s)
+
+- https://github.com/kyverno/kyverno/issues/2276

test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/created-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: cpol-clone-delete-ownerreferences-across-namespaces
+  namespace: cpol-clone-delete-ownerreferences-across-namespaces-target-ns
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-delete-ownerreferences-across-namespaces
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml

@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: owner
+  namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: cpol-clone-delete-ownerreferences-across-namespaces
+  namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-delete-ownerreferences-across-namespaces
+spec:
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: cpol-clone-delete-ownerreferences-across-namespaces
+        namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+      kind: Secret
+      name: cpol-clone-delete-ownerreferences-across-namespaces
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    name: clone-secret

test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/trigger.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cpol-clone-delete-ownerreferences-across-namespaces-target-ns