From 93eaead5656753ee31fd22e6b0df366990fed69e Mon Sep 17 00:00:00 2001 From: shuting Date: Wed, 23 Nov 2022 16:16:06 +0800 Subject: [PATCH] fix: mutate existing policy does not get applied when background=false (#5439) * fix mutate existing policies when background=false Signed-off-by: ShutingZhao * add the kuttl test Signed-off-by: ShutingZhao Signed-off-by: ShutingZhao --- pkg/policy/policy_controller.go | 6 ++-- .../existing/background-false/01-assert.yaml | 9 +++++ .../background-false/01-manifests.yaml | 36 +++++++++++++++++++ .../existing/background-false/03-assert.yaml | 6 ++++ .../existing/background-false/99-cleanup.yaml | 4 +++ .../existing/background-false/README.md | 11 ++++++ 6 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-assert.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/99-cleanup.yaml create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/README.md
diff --git a/pkg/policy/policy_controller.go b/pkg/policy/policy_controller.go
index 769be60089..4cab023ea4 100644
--- a/pkg/policy/policy_controller.go
+++ b/pkg/policy/policy_controller.go
@@ -139,8 +139,10 @@ func NewPolicyController(
 func (pc *PolicyController) canBackgroundProcess(p kyvernov1.PolicyInterface) bool {
 logger := pc.log.WithValues("policy", p.GetName())
 if !p.BackgroundProcessingEnabled() {
- logger.V(4).Info("background processed is disabled")
- return false
+ if !p.GetSpec().HasGenerate() && !p.GetSpec().IsMutateExisting() {
+ logger.V(4).Info("background processing is disabled")
+ return false
+ }
 }
 if err := ValidateVariables(p, true); err != nil {
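Review bot: The added guard `if !p.GetSpec().HasGenerate() && !p.GetSpec().IsMutateExisting()` now lets generate and mutate-existing policies with `background: false` fall through to `ValidateVariables(p, true)` on the last line of the hunk; if that call checks variables under background rules, a policy whose author disabled background precisely because its rules use admission-time request variables would now be rejected there instead of being skipped quietly, so it is worth confirming that outcome is intended and is surfaced to the policy author. The reason for the exception is not recorded in the code; a comment above the inner `if`, such as `// generate and mutate-existing rules still rely on the background controller even when spec.background is false`, would save the next reader a trip to the issue. Stylistically the nested `if` can be folded into the outer guard, `if !p.BackgroundProcessingEnabled() && !p.GetSpec().HasGenerate() && !p.GetSpec().IsMutateExisting() {`, keeping a single early return. The body of canBackgroundProcess continues past the end of the hunk.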
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-assert.yaml
new file mode 100644
index 0000000000..46908e1174
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-privileged-existing-namespaces
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml
new file mode 100644
index 0000000000..dc2a5732fe
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-privileged-existing-namespaces
+ annotations:
+ policies.kyverno.io/title: Add Privileged Label to Existing Namespaces
+ policies.kyverno.io/category: Pod Security Admission
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Namespace
+ kyverno.io/kyverno-version: 1.8.0
+ policies.kyverno.io/minversion: 1.7.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ When Pod Security Admission is configured with a cluster-wide AdmissionConfiguration file
+ which sets either baseline or restricted, for example in many PaaS CIS profiles, it may
+ be necessary to relax this to privileged on a per-Namespace basis so that more
+ granular control can be provided. This policy labels new and existing Namespaces, except
+ that of kube-system, with the `pod-security.kubernetes.io/enforce: privileged` label.
+spec:
+ mutateExistingOnPolicyUpdate: true
+ background: false
+ rules:
+ - name: label-privileged-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: Namespace
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml
new file mode 100644
index 0000000000..a4a2785149
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: default
+ labels:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/99-cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/99-cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
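Review bot: The `policies.kyverno.io/description` annotation in 01-manifests.yaml describes a policy that skips kube-system and sets `pod-security.kubernetes.io/enforce: privileged`, but the rule beneath it has no `exclude` clause and patches `foo: bar`, so the fixture documents behaviour it does not have. Since 03-assert.yaml only checks the `default` Namespace the mismatch does not affect the test result, but a copied description that contradicts the rule misleads anyone reusing the fixture. Either trim the annotation to the fixture's real purpose, e.g. `policies.kyverno.io/description: Labels all existing Namespaces with foo=bar to exercise mutateExisting with background=false.`, or add an `exclude` for kube-system so the text and the rule agree.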
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/README.md b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/README.md
new file mode 100644
index 0000000000..965f2d1110
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a test for mutation of existing resources when background is set to false.
+
+## Expected Behavior
+
+The mutateExisting policy does not require `.spec.background=true` to be applied.
+
+## Reference Issue(s)
+
+5430
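Review bot: The cleanup step in 99-cleanup.yaml only deletes the policy from 01-manifests.yaml; the `foo: bar` label the policy wrote onto the `default` Namespace (the state asserted in 03-assert.yaml) is left behind, and because the rule targets every Namespace, any other Namespace present at test time keeps the label as well. Other kuttl tests running in the same cluster that assert on Namespace labels could then observe state produced by this test. Adding a second command that strips the label, `- command: kubectl label namespace default foo-`, restores the `default` Namespace; the same removal would be needed for any other Namespaces the test environment is known to contain.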