diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html
index b3400e3274..c16689bd80 100644
--- a/docs/user/crd/kyverno.v1.html
+++ b/docs/user/crd/kyverno.v1.html
@@ -7599,7 +7599,7 @@ does not match an empty label set.
- ResourceSpec
+ | TargetSelector
*
@@ -9307,8 +9307,8 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used
-
- ResourceSpec
+
+ TargetSelector
@@ -9316,7 +9316,7 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used
|
- ResourceSpec contains the target resources to load when mutating existing resources.
+ TargetSelector contains the ResourceSpec and a label selector to support selecting with labels.
@@ -9390,6 +9390,99 @@ See: https://kyverno.io/docs/writing-policies/preconditions/
+
+
+
+
+ TargetSelector
+
+
+
+
+ (Appears in:
+ TargetResourceSpec)
+
+
+
+
+
+
+
+
+
+ | Field |
+ Description |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ResourceSpec
+
+ *
+
+
+
+
+
+
+
+ ResourceSpec
+
+
+
+ |
+
+
+
+ ResourceSpec contains the target resources to load when mutating existing resources.
+
+
+
+
+
+ |
+
+
+
+
+
+
+ selector
+
+
+
+
+
+
+ meta/v1.LabelSelector
+
+
+ |
+
+
+
+ Selector allows you to select target resources with their labels.
+
+
+
+
+
+ |
+
+
+
+
+
diff --git a/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go b/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go
index 9c26ee0360..841c156b24 100644
--- a/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go
+++ b/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go
@@ -20,15 +20,16 @@ package v1
import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
)
// TargetResourceSpecApplyConfiguration represents an declarative configuration of the TargetResourceSpec type for use
// with apply.
type TargetResourceSpecApplyConfiguration struct {
- *ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"`
- Context []ContextEntryApplyConfiguration `json:"context,omitempty"`
- RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"`
+ *TargetSelectorApplyConfiguration `json:"TargetSelector,omitempty"`
+ Context []ContextEntryApplyConfiguration `json:"context,omitempty"`
+ RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"`
}
// TargetResourceSpecApplyConfiguration constructs an declarative configuration of the TargetResourceSpec type for use with
@@ -88,6 +89,21 @@ func (b *TargetResourceSpecApplyConfiguration) ensureResourceSpecApplyConfigurat
}
}
+// WithSelector sets the Selector field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Selector field is set to the value of the last call.
+func (b *TargetResourceSpecApplyConfiguration) WithSelector(value metav1.LabelSelector) *TargetResourceSpecApplyConfiguration {
+ b.ensureTargetSelectorApplyConfigurationExists()
+ b.Selector = &value
+ return b
+}
+
+func (b *TargetResourceSpecApplyConfiguration) ensureTargetSelectorApplyConfigurationExists() {
+ if b.TargetSelectorApplyConfiguration == nil {
+ b.TargetSelectorApplyConfiguration = &TargetSelectorApplyConfiguration{}
+ }
+}
+
// WithContext adds the given value to the Context field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Context field.
diff --git a/pkg/client/applyconfigurations/kyverno/v1/targetselector.go b/pkg/client/applyconfigurations/kyverno/v1/targetselector.go
new file mode 100644
index 0000000000..222198a82a
--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v1/targetselector.go
@@ -0,0 +1,96 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+)
+
+// TargetSelectorApplyConfiguration represents an declarative configuration of the TargetSelector type for use
+// with apply.
+type TargetSelectorApplyConfiguration struct {
+ *ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"`
+ Selector *metav1.LabelSelector `json:"selector,omitempty"`
+}
+
+// TargetSelectorApplyConfiguration constructs an declarative configuration of the TargetSelector type for use with
+// apply.
+func TargetSelector() *TargetSelectorApplyConfiguration {
+ return &TargetSelectorApplyConfiguration{}
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *TargetSelectorApplyConfiguration) WithAPIVersion(value string) *TargetSelectorApplyConfiguration {
+ b.ensureResourceSpecApplyConfigurationExists()
+ b.APIVersion = &value
+ return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *TargetSelectorApplyConfiguration) WithKind(value string) *TargetSelectorApplyConfiguration {
+ b.ensureResourceSpecApplyConfigurationExists()
+ b.Kind = &value
+ return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *TargetSelectorApplyConfiguration) WithNamespace(value string) *TargetSelectorApplyConfiguration {
+ b.ensureResourceSpecApplyConfigurationExists()
+ b.Namespace = &value
+ return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *TargetSelectorApplyConfiguration) WithName(value string) *TargetSelectorApplyConfiguration {
+ b.ensureResourceSpecApplyConfigurationExists()
+ b.Name = &value
+ return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *TargetSelectorApplyConfiguration) WithUID(value types.UID) *TargetSelectorApplyConfiguration {
+ b.ensureResourceSpecApplyConfigurationExists()
+ b.UID = &value
+ return b
+}
+
+func (b *TargetSelectorApplyConfiguration) ensureResourceSpecApplyConfigurationExists() {
+ if b.ResourceSpecApplyConfiguration == nil {
+ b.ResourceSpecApplyConfiguration = &ResourceSpecApplyConfiguration{}
+ }
+}
+
+// WithSelector sets the Selector field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Selector field is set to the value of the last call.
+func (b *TargetSelectorApplyConfiguration) WithSelector(value metav1.LabelSelector) *TargetSelectorApplyConfiguration {
+ b.Selector = &value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/utils.go b/pkg/client/applyconfigurations/utils.go
index d051d1d11a..ef83bbc5bd 100644
--- a/pkg/client/applyconfigurations/utils.go
+++ b/pkg/client/applyconfigurations/utils.go
@@ -141,6 +141,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov1.StaticKeyAttestorApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("TargetResourceSpec"):
return &kyvernov1.TargetResourceSpecApplyConfiguration{}
+ case v1.SchemeGroupVersion.WithKind("TargetSelector"):
+ return &kyvernov1.TargetSelectorApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("UserInfo"):
return &kyvernov1.UserInfoApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("ValidateImageVerification"):
diff --git a/pkg/clients/dclient/fake.go b/pkg/clients/dclient/fake.go
index 89d71c7dfb..9baf85ca6d 100644
--- a/pkg/clients/dclient/fake.go
+++ b/pkg/clients/dclient/fake.go
@@ -6,7 +6,9 @@ import (
"strings"
openapiv2 "github.com/google/gnostic-models/openapiv2"
+ kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/discovery"
@@ -16,7 +18,32 @@ import (
// NewFakeClient ---testing utilities
func NewFakeClient(scheme *runtime.Scheme, gvrToListKind map[schema.GroupVersionResource]string, objects ...runtime.Object) (Interface, error) {
- c := fake.NewSimpleDynamicClientWithCustomListKinds(scheme, gvrToListKind, objects...)
+ unstructuredScheme := runtime.NewScheme()
+ for gvk := range scheme.AllKnownTypes() {
+ if unstructuredScheme.Recognizes(gvk) {
+ continue
+ }
+ if strings.HasSuffix(gvk.Kind, "List") {
+ unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.UnstructuredList{})
+ continue
+ }
+ unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.Unstructured{})
+ }
+ objects, err := convertObjectsToUnstructured(objects)
+ if err != nil {
+ panic(err)
+ }
+ for _, obj := range objects {
+ gvk := obj.GetObjectKind().GroupVersionKind()
+ if !unstructuredScheme.Recognizes(gvk) {
+ unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.Unstructured{})
+ }
+ gvk.Kind += "List"
+ if !unstructuredScheme.Recognizes(gvk) {
+ unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.UnstructuredList{})
+ }
+ }
+ c := fake.NewSimpleDynamicClientWithCustomListKinds(unstructuredScheme, gvrToListKind, objects...)
// the typed and dynamic client are initialized with similar resources
kclient := kubefake.NewSimpleClientset(objects...)
return &client{
@@ -101,3 +128,15 @@ func (c *fakeDiscoveryClient) OpenAPISchema() (*openapiv2.Document, error) {
func (c *fakeDiscoveryClient) CachedDiscoveryInterface() discovery.CachedDiscoveryInterface {
return nil
}
+
+func convertObjectsToUnstructured(objs []runtime.Object) ([]runtime.Object, error) {
+ ul := make([]runtime.Object, 0, len(objs))
+ for _, obj := range objs {
+ u, err := kubeutils.ObjToUnstructured(obj)
+ if err != nil {
+ return nil, err
+ }
+ ul = append(ul, u)
+ }
+ return ul, nil
+}
diff --git a/pkg/clients/dclient/helpers.go b/pkg/clients/dclient/helpers.go
index c1c1c58f24..8fa249c6c5 100644
--- a/pkg/clients/dclient/helpers.go
+++ b/pkg/clients/dclient/helpers.go
@@ -16,7 +16,7 @@ type Resource struct {
Unstructured unstructured.Unstructured
}
-func GetResources(ctx context.Context, c Interface, group, version, kind, subresource, namespace, name string) ([]Resource, error) {
+func GetResources(ctx context.Context, c Interface, group, version, kind, subresource, namespace, name string, lselector *metav1.LabelSelector) ([]Resource, error) {
var resources []Resource
gvrss, err := c.Discovery().FindResources(group, version, kind, subresource)
if err != nil {
@@ -45,8 +45,17 @@ func GetResources(ctx context.Context, c Interface, group, version, kind, subres
})
} else {
// we can use `LIST`
+ var labelSelector string
+ if lselector != nil {
+ selector, err := metav1.LabelSelectorAsSelector(lselector)
+ if err != nil {
+ return nil, err
+ }
+ labelSelector = selector.String()
+ }
+
if gvrs.SubResource == "" {
- list, err := dyn.List(ctx, metav1.ListOptions{})
+ list, err := dyn.List(ctx, metav1.ListOptions{LabelSelector: labelSelector})
if err != nil {
return nil, err
}
@@ -63,7 +72,7 @@ func GetResources(ctx context.Context, c Interface, group, version, kind, subres
}
} else {
// we need to use `LIST` / `GET`
- list, err := dyn.List(ctx, metav1.ListOptions{})
+ list, err := dyn.List(ctx, metav1.ListOptions{LabelSelector: labelSelector})
if err != nil {
return nil, err
}
diff --git a/pkg/engine/adapters/dclient.go b/pkg/engine/adapters/dclient.go
index ab0e9b9646..560c204590 100644
--- a/pkg/engine/adapters/dclient.go
+++ b/pkg/engine/adapters/dclient.go
@@ -25,8 +25,8 @@ func (a *dclientAdapter) RawAbsPath(ctx context.Context, path, method string, da
return a.client.RawAbsPath(ctx, path, method, dataReader)
}
-func (a *dclientAdapter) GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string) ([]engineapi.Resource, error) {
- resources, err := dclient.GetResources(ctx, a.client, group, version, kind, subresource, namespace, name)
+func (a *dclientAdapter) GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string, lselector *metav1.LabelSelector) ([]engineapi.Resource, error) {
+ resources, err := dclient.GetResources(ctx, a.client, group, version, kind, subresource, namespace, name, lselector)
if err != nil {
return nil, err
}
diff --git a/pkg/engine/api/client.go b/pkg/engine/api/client.go
index 3b9ec25926..6f5dd8f440 100644
--- a/pkg/engine/api/client.go
+++ b/pkg/engine/api/client.go
@@ -31,7 +31,7 @@ type AuthClient interface {
type ResourceClient interface {
GetResource(ctx context.Context, apiVersion, kind, namespace, name string, subresources ...string) (*unstructured.Unstructured, error)
ListResource(ctx context.Context, apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error)
- GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string) ([]Resource, error)
+ GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string, lselector *metav1.LabelSelector) ([]Resource, error)
GetNamespace(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Namespace, error)
IsNamespaced(group, version, kind string) (bool, error)
}
diff --git a/pkg/engine/handlers/mutation/load_targets.go b/pkg/engine/handlers/mutation/load_targets.go
index 28ceb71daa..c85f0551fe 100644
--- a/pkg/engine/handlers/mutation/load_targets.go
+++ b/pkg/engine/handlers/mutation/load_targets.go
@@ -40,7 +40,7 @@ func loadTargets(ctx context.Context, client engineapi.Client, targets []kyverno
errors = append(errors, err)
continue
}
- objs, err := getTargets(ctx, client, spec, policyCtx)
+ objs, err := getTargets(ctx, client, spec.ResourceSpec, policyCtx, spec.Selector)
if err != nil {
errors = append(errors, err)
continue
@@ -56,32 +56,35 @@ func loadTargets(ctx context.Context, client engineapi.Client, targets []kyverno
return targetObjects, multierr.Combine(errors...)
}
-func resolveSpec(i int, target kyvernov1.TargetResourceSpec, ctx engineapi.PolicyContext, logger logr.Logger) (kyvernov1.ResourceSpec, error) {
+func resolveSpec(i int, target kyvernov1.TargetResourceSpec, ctx engineapi.PolicyContext, logger logr.Logger) (kyvernov1.TargetSelector, error) {
kind, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.Kind)
if err != nil {
- return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Kind %s, value: %v, err: %v", i, target.Kind, kind, err)
+ return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].Kind %s, value: %v, err: %v", i, target.Kind, kind, err)
}
apiversion, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.APIVersion)
if err != nil {
- return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].APIVersion %s, value: %v, err: %v", i, target.APIVersion, apiversion, err)
+ return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].APIVersion %s, value: %v, err: %v", i, target.APIVersion, apiversion, err)
}
namespace, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.Namespace)
if err != nil || namespace == nil {
- return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Namespace %s, value: %v, err: %v", i, target.Namespace, namespace, err)
+ return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].Namespace %s, value: %v, err: %v", i, target.Namespace, namespace, err)
}
name, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.Name)
if err != nil || name == nil {
- return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Name %s, value: %v, err: %v", i, target.Name, name, err)
+ return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].Name %s, value: %v, err: %v", i, target.Name, name, err)
}
- return kyvernov1.ResourceSpec{
- APIVersion: apiversion.(string),
- Kind: kind.(string),
- Namespace: namespace.(string),
- Name: name.(string),
+ return kyvernov1.TargetSelector{
+ ResourceSpec: kyvernov1.ResourceSpec{
+ APIVersion: apiversion.(string),
+ Kind: kind.(string),
+ Namespace: namespace.(string),
+ Name: name.(string),
+ },
+ Selector: target.Selector,
}, nil
}
-func getTargets(ctx context.Context, client engineapi.Client, target kyvernov1.ResourceSpec, policyCtx engineapi.PolicyContext) ([]resourceInfo, error) {
+func getTargets(ctx context.Context, client engineapi.Client, target kyvernov1.ResourceSpec, policyCtx engineapi.PolicyContext, lselector *metav1.LabelSelector) ([]resourceInfo, error) {
namespace := target.Namespace
name := target.Name
policy := policyCtx.Policy()
@@ -90,10 +93,11 @@ func getTargets(ctx context.Context, client engineapi.Client, target kyvernov1.R
namespace = policy.GetNamespace()
}
group, version, kind, subresource := kubeutils.ParseKindSelector(target.APIVersion + "/" + target.Kind)
- resources, err := client.GetResources(ctx, group, version, kind, subresource, namespace, name)
+ resources, err := client.GetResources(ctx, group, version, kind, subresource, namespace, name, lselector)
if err != nil {
return nil, err
}
+
targetObjects := make([]resourceInfo, 0, len(resources))
for _, resource := range resources {
targetObjects = append(targetObjects, resourceInfo{
diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go
index 6b4941ea33..7ff1b5ace1 100644
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@@ -1366,6 +1366,161 @@ func Test_mutate_existing_resources(t *testing.T) {
patchedTargets [][]byte
targetList string
}{
+ {
+ name: "test-labelselector",
+ policy: []byte(`{
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "test-post-mutation"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "mutate-deploy-on-configmap-update",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "ConfigMap"
+ ],
+ "names": [
+ "dictionary"
+ ],
+ "namespaces": [
+ "staging"
+ ]
+ }
+ }
+ ]
+ },
+ "preconditions": {
+ "any": [
+ {
+ "key": "{{ request.object.data.foo }}",
+ "operator": "Equals",
+ "value": "bar"
+ }
+ ]
+ },
+ "mutate": {
+ "targets": [
+ {
+ "apiVersion": "v1",
+ "kind": "Deployment",
+ "namespace": "staging",
+ "selector": {
+ "matchLabels": {
+ "app":"nginx"
+ }
+ }
+ }
+ ],
+ "patchStrategicMerge": {
+ "metadata": {
+ "labels": {
+ "foo": "bar"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }`),
+ trigger: []byte(`{
+ "apiVersion": "v1",
+ "data": {
+ "foo": "bar"
+ },
+ "kind": "ConfigMap",
+ "metadata": {
+ "name": "dictionary",
+ "namespace": "staging"
+ }
+ }`),
+ targets: [][]byte{[]byte(`{
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "name": "example-A",
+ "namespace": "staging",
+ "labels": {
+ "app": "nginx"
+ }
+ },
+ "spec": {
+ "replicas": 1,
+ "selector": {
+ "matchLabels": {
+ "app": "nginx"
+ }
+ },
+ "template": {
+ "metadata": {
+ "labels": {
+ "app": "nginx"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:1.14.2",
+ "ports": [
+ {
+ "containerPort": 80
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ }`)},
+ patchedTargets: [][]byte{[]byte(`{
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "name": "example-A",
+ "namespace": "staging",
+ "labels": {
+ "app": "nginx",
+ "foo": "bar"
+ }
+ },
+ "spec": {
+ "replicas": 1,
+ "selector": {
+ "matchLabels": {
+ "app": "nginx"
+ }
+ },
+ "template": {
+ "metadata": {
+ "labels": {
+ "app": "nginx"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:1.14.2",
+ "ports": [
+ {
+ "containerPort": 80
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ }`)},
+ targetList: "DeploymentList",
+ },
{
name: "test-different-trigger-target",
policy: []byte(`{
@@ -1849,18 +2004,11 @@ func Test_mutate_existing_resources(t *testing.T) {
}
policyContext := createContext(t, &policy, trigger)
- gvrToListKind := map[schema.GroupVersionResource]string{
- {Group: patchedTargets[0].GroupVersionKind().Group, Version: patchedTargets[0].GroupVersionKind().Version, Resource: patchedTargets[0].GroupVersionKind().Kind}: test.targetList,
- }
-
scheme := runtime.NewScheme()
- dclient, err := client.NewFakeClient(scheme, gvrToListKind, targets...)
+ dclient, err := client.NewFakeClient(scheme, map[schema.GroupVersionResource]string{}, targets...)
require.NoError(t, err)
dclient.SetDiscovery(client.NewFakeDiscoveryClient(nil))
- _, err = dclient.GetResource(context.TODO(), patchedTargets[0].GetAPIVersion(), patchedTargets[0].GetKind(), patchedTargets[0].GetNamespace(), patchedTargets[0].GetName())
- require.NoError(t, err)
-
er := testMutate(context.TODO(), dclient, registryclient.NewOrDie(), policyContext, nil)
var actualPatchedTargets []unstructured.Unstructured
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/README.md
new file mode 100644
index 0000000000..5957b00969
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/README.md
@@ -0,0 +1,21 @@
+## Description
+
+This test ensures that target resources for mutations can be selected using label selectors
+
+## Expected Behavior
+
+The target resource is fetched and mutated when specifying a label selector that will match it
+
+## Steps
+
+### Test Steps
+
+1. Create three `ConfigMap` resources, two with the required label existing and one without it.
+2. Create a `ClusterPolicy` that will add a label to `ConfigMaps` on any secret events, and select targets with the label.
+3. Create a `Secert` resource.
+4. Assert that the `ConfigMaps` got the required labels added to them.
+5. Verify that the `ConfigMap` without the required label on it didn't get changed.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/10407
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/chainsaw-test.yaml
new file mode 100644
index 0000000000..8226b72d8c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/chainsaw-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: test-fetching-resources-with-labelselectors
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: should-match.yaml
+ - apply:
+ file: should-not-match.yaml
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - apply:
+ file: secret.yaml
+ - assert:
+ file: cm-mutated.yaml
+ - assert:
+ file: should-not-match.yaml
+
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/cm-mutated.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/cm-mutated.yaml
new file mode 100644
index 0000000000..809ceaab79
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/cm-mutated.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cm1
+ labels:
+ should-match: 'yes'
+ foo: 'bar'
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cm1
+ labels:
+ should-match: 'yes'
+ foo: 'bar'
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy-assert.yaml
new file mode 100644
index 0000000000..5fe6abcafd
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-existing-configmap
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy.yaml
new file mode 100644
index 0000000000..45bd908677
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-existing-configmap
+spec:
+ rules:
+ - name: mutate-configmap-on-secret-event
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: ConfigMap
+ selector:
+ matchLabels:
+ should-match: 'yes'
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
+
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/secret.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/secret.yaml
new file mode 100644
index 0000000000..433c026bd1
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/secret.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: some-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-match.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-match.yaml
new file mode 100644
index 0000000000..603f5e4b54
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-match.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cm1
+ labels:
+ should-match: 'yes'
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cm2
+ labels:
+ should-match: 'yes'
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-not-match.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-not-match.yaml
new file mode 100644
index 0000000000..d2551eb1dc
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-not-match.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cm3
+ labels:
+ should-match: 'no'
\ No newline at end of file
|