fix: shared policy context needs to be copied (#10139)

* fix: shared policy context needs to be copied

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* test(e2e): concurrent PSS execution

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* test(e2e): wait for pss policies to be ready

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

---------

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>

pkg/engine/policycontext/policy_context.go

@@ -127,49 +127,49 @@ func (c *PolicyContext) JSONContext() enginectx.Interface {
 
 // Mutators
 
-func (c *PolicyContext) WithPolicy(policy kyvernov1.PolicyInterface) *PolicyContext {
+func (c PolicyContext) WithPolicy(policy kyvernov1.PolicyInterface) *PolicyContext {
 	c.policy = policy
-	return c
+	return &c
 }
 
-func (c *PolicyContext) WithNamespaceLabels(namespaceLabels map[string]string) *PolicyContext {
+func (c PolicyContext) WithNamespaceLabels(namespaceLabels map[string]string) *PolicyContext {
 	c.namespaceLabels = namespaceLabels
-	return c
+	return &c
 }
 
-func (c *PolicyContext) WithAdmissionInfo(admissionInfo kyvernov1beta1.RequestInfo) *PolicyContext {
+func (c PolicyContext) WithAdmissionInfo(admissionInfo kyvernov1beta1.RequestInfo) *PolicyContext {
 	c.admissionInfo = admissionInfo
-	return c
+	return &c
 }
 
-func (c *PolicyContext) WithNewResource(resource unstructured.Unstructured) *PolicyContext {
+func (c PolicyContext) WithNewResource(resource unstructured.Unstructured) *PolicyContext {
 	c.newResource = resource
-	return c
+	return &c
 }
 
-func (c *PolicyContext) WithOldResource(resource unstructured.Unstructured) *PolicyContext {
+func (c PolicyContext) WithOldResource(resource unstructured.Unstructured) *PolicyContext {
 	c.oldResource = resource
-	return c
+	return &c
 }
 
-func (c *PolicyContext) WithResourceKind(gvk schema.GroupVersionKind, subresource string) *PolicyContext {
+func (c PolicyContext) WithResourceKind(gvk schema.GroupVersionKind, subresource string) *PolicyContext {
 	c.gvk = gvk
 	c.subresource = subresource
-	return c
+	return &c
 }
 
-func (c *PolicyContext) WithRequestResource(gvr metav1.GroupVersionResource) *PolicyContext {
+func (c PolicyContext) WithRequestResource(gvr metav1.GroupVersionResource) *PolicyContext {
 	c.requestResource = gvr
-	return c
+	return &c
 }
 
 func (c *PolicyContext) WithResources(newResource unstructured.Unstructured, oldResource unstructured.Unstructured) *PolicyContext {
 	return c.WithNewResource(newResource).WithOldResource(oldResource)
 }
 
-func (c *PolicyContext) WithAdmissionOperation(admissionOperation bool) *PolicyContext {
+func (c PolicyContext) WithAdmissionOperation(admissionOperation bool) *PolicyContext {
 	c.admissionOperation = admissionOperation
-	return c
+	return &c
 }
 
 // Constructors

test/conformance/chainsaw/validate/clusterpolicy/standard/psa/concurrent-policy-execution/bad-pod.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bad-pod
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      args:
+        - sleep
+        - 1d
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
+        allowPrivilegeEscalation: true
+        capabilities:
+          drop:
+            - ALL

test/conformance/chainsaw/validate/clusterpolicy/standard/psa/concurrent-policy-execution/chainsaw-test.yaml

@@ -0,0 +1,36 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: concurrent-policy-execution
+spec:
+  steps:
+    - name: install-pss-policies
+      try:
+        - script:
+            content: |
+              #!/bin/bash
+              set -eu
+
+              helm --repo https://kyverno.github.io/kyverno/ install kyverno-policies kyverno-policies --set=podSecurityStandard=restricted --set=background=true --set=validationFailureAction=Enforce
+        - assert:
+            file: policy-asserts.yaml
+    - name: apply-test-pods
+      try:
+        - apply:
+            expect:
+              - check:
+                  ($error != null): false
+            file: good-pod.yaml
+        - apply:
+            expect:
+              - check:
+                  ($error != null): true
+            file: bad-pod.yaml
+    - name: uninstall-pss-policies
+      try:
+        - script:
+            content: |
+              #!/bin/bash
+              set -eu
+
+              helm uninstall kyverno-policies

test/conformance/chainsaw/validate/clusterpolicy/standard/psa/concurrent-policy-execution/good-pod.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: good-pod
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      args:
+        - sleep
+        - 1d
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL

test/conformance/chainsaw/validate/clusterpolicy/standard/psa/concurrent-policy-execution/policy-asserts.yaml

@@ -0,0 +1,171 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-capabilities
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-capabilities-strict
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-namespaces
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-ports
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-process
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-privilege-escalation
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-privileged-containers
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-proc-mount
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-selinux
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-run-as-non-root-user
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-run-as-nonroot
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-apparmor-profiles
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-seccomp
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-seccomp-strict
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-sysctls
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-volume-types
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+