mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix cleanup var 'target.*' (#5888)

Browse source 
Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2023-01-05 22:38:23 +08:00 committed by GitHub
parent e9f338df58
commit c24e25fb56
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
24 changed files with 226 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
cmd/cleanup-controller/handlers/cleanup/handlers.go
View file

@ -111,7 +111,7 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
// check conditions // check conditions
if spec.Conditions != nil { if spec.Conditions != nil {
enginectx := enginecontext.NewContext() enginectx := enginecontext.NewContext()
if err := enginectx.AddResource(resource.Object); err != nil { if err := enginectx.AddTargetResource(resource.Object); err != nil {
debug.Error(err, "failed to add resource in context") debug.Error(err, "failed to add resource in context")
errs = append(errs, err) errs = append(errs, err)
continue continue

2
pkg/validation/cleanuppolicy/validate.go
View file

@ -102,4 +102,4 @@ func validateVariables(logger logr.Logger, policy kyvernov2alpha1.CleanupPolicyI
return nil return nil
} }
var allowedVariables = regexp.MustCompile(`request\.|images\.|([a-z_0-9]+\()[^{}]`) var allowedVariables = regexp.MustCompile(`target\.|images\.|([a-z_0-9]+\()[^{}]`)

5
test/conformance/kuttl/cleanup/clusterpolicy/cleanup-pod/00-assert.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: default

36
test/conformance/kuttl/cleanup/clusterpolicy/cleanup-pod/00-manifests.yaml Normal file
View file

@ -0,0 +1,36 @@
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: default
spec:
containers:
- image: nginx:latest
name: example
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: test-cleanup-pod
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- list
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: test-cleanup-pod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: test-cleanup-pod
subjects:
- kind: ServiceAccount
name: kyverno-cleanup-controller
namespace: kyverno

20
test/conformance/kuttl/cleanup/clusterpolicy/cleanup-pod/01-assert.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v2alpha1
kind: ClusterCleanupPolicy
metadata:
name: cleanup-pod
spec:
match:
any:
- resources:
kinds:
- Pod
conditions:
all:
- key: "{{ target.metadata.name }}"
operator: Equals
value: example
- key: "{{ target.metadata.namespace }}"
operator: Equals
value: default
## execute every minute
schedule: "*/1 * * * *"

20
test/conformance/kuttl/cleanup/clusterpolicy/cleanup-pod/01-policy.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v2alpha1
kind: ClusterCleanupPolicy
metadata:
name: cleanup-pod
spec:
match:
any:
- resources:
kinds:
- Pod
conditions:
all:
- key: "{{ target.metadata.name }}"
operator: Equals
value: example
- key: "{{ target.metadata.namespace }}"
operator: Equals
value: default
## execute every minute
schedule: "*/1 * * * *"

5
test/conformance/kuttl/cleanup/clusterpolicy/cleanup-pod/02-sleep.yaml Normal file
View file

@ -0,0 +1,5 @@
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: sleep 65

9
test/conformance/kuttl/cleanup/clusterpolicy/cleanup-pod/03-errors.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: default
spec:
containers:
- image: nginx:latest
name: example

5
test/conformance/kuttl/cleanup/clusterpolicy/cleanup-pod/99-cleanup.yaml Normal file
View file

@ -0,0 +1,5 @@
# A clean-up is presently required because kuttl does not do a reliable job of cleaning up both cluster-scoped objects.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 00-manifests.yaml,01-policy.yaml --force --wait=true --ignore-not-found=true

10
test/conformance/kuttl/cleanup/clusterpolicy/cleanup-pod/README.md Normal file
View file

@ -0,0 +1,10 @@
# ## Description
This test cleans up pods via a cluster cleanup policy.
## Expected Behavior
The pod `default/example` is cleaned up successfully.
## Reference Issue(s)

5
test/conformance/kuttl/cleanup/policy/cleanup-pod/00-assert.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: default

36
test/conformance/kuttl/cleanup/policy/cleanup-pod/00-manifests.yaml Normal file
View file

@ -0,0 +1,36 @@
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: default
spec:
containers:
- image: nginx:latest
name: example
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: test-cleanup-pod
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- list
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: test-cleanup-pod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: test-cleanup-pod
subjects:
- kind: ServiceAccount
name: kyverno-cleanup-controller
namespace: kyverno

17
test/conformance/kuttl/cleanup/policy/cleanup-pod/01-assert.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion: kyverno.io/v2alpha1
kind: CleanupPolicy
metadata:
name: cleanup-pod
namespace: default
spec:
match:
any:
- resources:
kinds:
- Pod
conditions:
any:
- key: "{{ target.metadata.name }}"
operator: Equals
value: example
schedule: "*/1 * * * *"

18
test/conformance/kuttl/cleanup/policy/cleanup-pod/01-policy.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: kyverno.io/v2alpha1
kind: CleanupPolicy
metadata:
name: cleanup-pod
namespace: default
spec:
match:
any:
- resources:
kinds:
- Pod
conditions:
any:
- key: "{{ target.metadata.name }}"
operator: Equals
value: example
## execute every minute
schedule: "*/1 * * * *"

5
test/conformance/kuttl/cleanup/policy/cleanup-pod/02-sleep.yaml Normal file
View file

@ -0,0 +1,5 @@
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: sleep 65

9
test/conformance/kuttl/cleanup/policy/cleanup-pod/03-errors.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: default
spec:
containers:
- image: nginx:latest
name: example

5
test/conformance/kuttl/cleanup/policy/cleanup-pod/99-cleanup.yaml Normal file
View file

@ -0,0 +1,5 @@
# A clean-up is presently required because kuttl does not do a reliable job of cleaning up both cluster-scoped objects.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 00-manifests.yaml,01-policy.yaml --force --wait=true --ignore-not-found=true

10
test/conformance/kuttl/cleanup/policy/cleanup-pod/README.md Normal file
View file

@ -0,0 +1,10 @@
# ## Description
This test cleans up pods via a namespaced cleanup policy.
## Expected Behavior
The pod `default/example` is cleaned up successfully.
## Reference Issue(s)

4
test/conformance/kuttl/validate/cleanuppolicy/00-assert.yaml → test/conformance/kuttl/cleanup/validation/cron-format/00-assert.yaml
View file

@ -11,7 +11,7 @@ spec:
- Pod - Pod
conditions: conditions:
any: any:
- key: "{{ request.name }}" - key: "{{ target.metadata.name }}"
operator: Equals operator: Equals
value: example value: example
schedule: "* * * * *" schedule: "*/2 * * * *"

4
test/conformance/kuttl/validate/cleanuppolicy/00-cleanuppolicy.yaml → test/conformance/kuttl/cleanup/validation/cron-format/00-cleanuppolicy.yaml
View file

@ -11,7 +11,7 @@ spec:
- Pod - Pod
conditions: conditions:
any: any:
- key: "{{ request.name }}" - key: "{{ target.metadata.name }}"
operator: Equals operator: Equals
value: example value: example
schedule: "* * * * *" schedule: "*/2 * * * *"

4
test/conformance/kuttl/validate/cleanuppolicy/01-assert.yaml → test/conformance/kuttl/cleanup/validation/cron-format/01-assert.yaml
View file

@ -10,7 +10,7 @@ spec:
- Pod - Pod
conditions: conditions:
any: any:
- key: "{{ request.name }}" - key: "{{ target.metadata.name }}"
operator: Equals operator: Equals
value: example value: example
schedule: "* * * * *" schedule: "*/2 * * * *"

4
test/conformance/kuttl/validate/cleanuppolicy/01-clustercleanuppolicy.yaml → test/conformance/kuttl/cleanup/validation/cron-format/01-clustercleanuppolicy.yaml
View file

@ -10,7 +10,7 @@ spec:
- Pod - Pod
conditions: conditions:
any: any:
- key: "{{ request.name }}" - key: "{{ target.metadata.name }}"
operator: Equals operator: Equals
value: example value: example
schedule: "* * * * *" schedule: "*/2 * * * *"

0
test/conformance/kuttl/validate/cleanuppolicy/02-create-task.yaml → test/conformance/kuttl/cleanup/validation/cron-format/02-create-task.yaml
View file

2
test/conformance/kuttl/validate/cleanuppolicy/badcleanuppolicy.yaml → test/conformance/kuttl/cleanup/validation/cron-format/badcleanuppolicy.yaml
View file

@ -11,7 +11,7 @@ spec:
- Pod - Pod
conditions: conditions:
any: any:
- key: "{{ request.name }}" - key: "{{ target.metadata.name }}"
operator: Equals operator: Equals
value: example value: example
schedule: "invalid-schedule" schedule: "invalid-schedule"