diff --git a/pkg/background/generate/clone.go b/pkg/background/generate/clone.go
index 84e96607cd..489702bf29 100644
--- a/pkg/background/generate/clone.go
+++ b/pkg/background/generate/clone.go
@@ -46,6 +46,11 @@ func manageClone(log logr.Logger, target, sourceSpec kyvernov1.ResourceSpec, pol
 sourceObjCopy := sourceObj.DeepCopy()
 addSourceLabels(sourceObjCopy)
 
+
+ if sourceObjCopy.GetNamespace() != target.GetNamespace() && sourceObjCopy.GetOwnerReferences() != nil {
+ sourceObjCopy.SetOwnerReferences(nil)
+ }
+
 targetObj, err := client.GetResource(context.TODO(), target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName())
 if err != nil {
 if apierrors.IsNotFound(err) && len(ur.Status.GeneratedResources) != 0 && !clone.Synchronize {
@@ -58,10 +63,6 @@ func manageClone(log logr.Logger, target, sourceSpec kyvernov1.ResourceSpec, pol
 return newSkipGenerateResponse(nil, target, fmt.Errorf("failed to get the target source: %v", err))
 }
 
- if sourceObjCopy.GetNamespace() != target.GetNamespace() && sourceObjCopy.GetOwnerReferences() != nil {
- sourceObjCopy.SetOwnerReferences(nil)
- }
-
 if targetObj != nil {
 sourceObjCopy.SetUID(targetObj.GetUID())
 sourceObjCopy.SetSelfLink(targetObj.GetSelfLink())
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/01-policy.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/01-policy.yaml
new file mode 100644
index 0000000000..f3857739b0
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
\ No newline at end of file
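Review bot: The `!= nil` guard on the new `if` in the first hunk is redundant, since `SetOwnerReferences(nil)` on an object that already has no owner references changes nothing; the condition can be reduced to `if sourceObjCopy.GetNamespace() != target.GetNamespace() {`. More importantly the line carries no explanation of why the references are dropped, and the reason is the whole bug: the accompanying README states that a cross-namespace clone which keeps them is immediately garbage-collected, because an ownerReference cannot point at an owner in another namespace. I would add above the `if`: `// ownerReferences cannot point across namespaces; the garbage collector would delete a cross-namespace clone that kept them, so drop them before the target is created or updated.` Note that a same-namespace clone still inherits the source's ownerReferences, so deleting the source's owner also removes the generated copy even with synchronize enabled — presumably intended, but worth a sentence in the comment or the docs. manageClone begins and ends outside this hunk.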
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/02-set-ownerreference.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/02-set-ownerreference.yaml
new file mode 100644
index 0000000000..96b89e0d92
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/02-set-ownerreference.yaml
@@ -0,0 +1,16 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: >
+ kubectl -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns get configmap owner -o json |
+ jq '{
+ "metadata": {
+ "ownerReferences": [{
+ "apiVersion": "v1",
+ "kind": "ConfigMap",
+ "name": "owner",
+ "uid": .metadata.uid
+ }]
+ }
+ }' |
+ kubectl patch -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns secret cpol-clone-delete-ownerreferences-across-namespaces --patch-file=/dev/stdin
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/03-trigger.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/03-trigger.yaml
new file mode 100644
index 0000000000..fd215ed1cb
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/03-trigger.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- trigger.yaml
+assert:
+- created-secret.yaml
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/04-check-no-ownerreference.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/04-check-no-ownerreference.yaml
new file mode 100644
index 0000000000..9d645e8e95
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/04-check-no-ownerreference.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: >
+ kubectl --namespace cpol-clone-delete-ownerreferences-across-namespaces-target-ns get secret cpol-clone-delete-ownerreferences-across-namespaces -o json |
+ jq -e '.metadata.ownerReferences == null'
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/README.md b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/README.md
new file mode 100644
index 0000000000..16e6dc869c
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This tests that the ownerReferences of cloned objects in different Namespaces are removed. Otherwise these objects will be immediately garbage-collected
+
+## Expected Behavior
+
+The background controller will strip the ownerReference when cloning between Namespaces, if it exists.
+
+## Reference Issue(s)
+
+- https://github.com/kyverno/kyverno/issues/2276
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/created-secret.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/created-secret.yaml
new file mode 100644
index 0000000000..64e2789fd0
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/created-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-target-ns
+type: Opaque
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy-ready.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy-ready.yaml
new file mode 100644
index 0000000000..087293808d
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml
new file mode 100644
index 0000000000..e95821be60
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: owner
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+spec:
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+ kind: Secret
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: clone-secret
diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/trigger.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/trigger.yaml
new file mode 100644
index 0000000000..04ad516c46
--- /dev/null
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/trigger.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces-target-ns
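Review bot: The `owner` ConfigMap in policy.yaml declares `type: Opaque`, which is a Secret field and not part of the ConfigMap schema; depending on the client's field validation the API server either silently prunes it or rejects the apply, and in the latter case the step fails before the policy under test even exists. Drop that line so the ConfigMap is just its `apiVersion`, `kind` and `metadata`. The remainder of the fixture reads correctly as far as I can tell: the ClusterPolicy clones the source-namespace Secret into every Namespace with `synchronize: true`, which is what the later ownerReferences check depends on.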