From cd6988d1e2fa44128084fb3f8c20b2fd22c56115 Mon Sep 17 00:00:00 2001 From: Husni Alhamdani Date: Tue, 25 Jun 2024 11:24:35 +0200 Subject: [PATCH] fix: reset mutable fields orphandownstream (#10478) * fix: reset mutable fields orphandownstream Signed-off-by: Husni Alhamdani * fix: reset mutable fields orphandownstream Signed-off-by: Husni Alhamdani * fix: reset mutable fields orphandownstream Signed-off-by: Husni Alhamdani --------- 
Signed-off-by: Husni Alhamdani Co-authored-by: shuting --- pkg/validation/policy/generate.go | 1 + .../chainsaw-test.yaml | 46 ++++++++++++++++--- ...4-error-1-1.yaml => configmap-assert.yaml} | 0 ...step-02-assert-1-1.yaml => configmap.yaml} | 0 ...-step-02-apply-1-1.yaml => namespace.yaml} | 0 ...p-01-apply-1-1.yaml => policy-orphan.yaml} | 0 ...p-01-assert-1-1.yaml => policy-ready.yaml} | 0 .../policy.yaml | 36 +++++++++++++++ .../validation/clusterpolicy/orphan/README.md | 12 +++++ .../clusterpolicy/orphan/chainsaw-test.yaml | 19 ++++++++ .../clusterpolicy/orphan/policy-assert.yaml | 9 ++++ .../orphan/policy-with-orphan.yaml | 33 +++++++++++++ .../clusterpolicy/orphan/policy.yaml | 33 +++++++++++++ 13 files changed, 183 insertions(+), 6 deletions(-) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-04-error-1-1.yaml => configmap-assert.yaml} (100%) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-02-assert-1-1.yaml => configmap.yaml} (100%) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-02-apply-1-1.yaml => namespace.yaml} (100%) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-01-apply-1-1.yaml => policy-orphan.yaml} (100%) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-01-assert-1-1.yaml => policy-ready.yaml} (100%) create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/README.md create mode 100644 
test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-with-orphan.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy.yaml
diff --git a/pkg/validation/policy/generate.go b/pkg/validation/policy/generate.go
index 7634a041e8..ce7ddc5dd0 100644
--- a/pkg/validation/policy/generate.go
+++ b/pkg/validation/policy/generate.go
@@ -51,6 +51,7 @@ func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {
 rule.DeepCopyInto(new)
 new.Generation.Synchronize = true
 new.Generation.SetData(nil)
+ new.Generation.OrphanDownstreamOnPolicyDelete = true
 return new
 }
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml
index 33ac3d2451..6277148d56 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml
@@ -2,21 +2,21 @@ apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
 creationTimestamp: null
- name: cpol-data-sync-delete-policy
+ name: cpol-data-sync-delete-policy-with-orphan
 spec:
 steps:
 - name: step-01
 try:
 - apply:
- file: chainsaw-step-01-apply-1-1.yaml
+ file: policy.yaml
 - assert:
- file: chainsaw-step-01-assert-1-1.yaml
+ file: policy-ready.yaml
 - name: step-02
 try:
 - apply:
- file: chainsaw-step-02-apply-1-1.yaml
+ file: namespace.yaml
 - assert:
- file: chainsaw-step-02-assert-1-1.yaml
+ file: configmap.yaml
 - name: step-03
 try:
 - delete:
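Review bot: The added `new.Generation.OrphanDownstreamOnPolicyDelete = true` in resetMutableFields (pkg/validation/policy/generate.go) reads like a forced default, and nothing in the hunk says that these assignments only normalise fields that are allowed to change on update. I would add a doc comment on the function such as `// resetMutableFields returns a copy of rule with the fields that may change on update set to fixed values, so a comparison of old and new rules ignores them.`; this is inferred from the function name and the tests in this commit, since the caller is not visible here. That comment should also record that this flag decides whether generated resources, such as the NetworkPolicy used in the new validation test, survive deletion of the policy, so making it mutable lets anyone who can update the policy change that outcome. The function starts above the hunk.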
@@ -24,5 +24,39 @@ spec:
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 name: cpol-data-sync-orphan-downstream-delete-policy
+ - error:
+ file: configmap-assert.yaml
+ - name: step-04
+ try:
+ - delete:
+ ref:
+ apiVersion: v1
+ kind: Namespace
+ name: cpol-data-sync-orphan-downstream-delete-policy-ns
+ - name: step-05
+ try:
+ - apply:
+ file: policy.yaml
 - assert:
- file: chainsaw-step-02-assert-1-1.yaml
+ file: policy-ready.yaml
+ - name: step-06
+ try:
+ - apply:
+ file: policy-orphan.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-07
+ try:
+ - apply:
+ file: namespace.yaml
+ - assert:
+ file: configmap.yaml
+ - name: step-08
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: cpol-data-sync-orphan-downstream-delete-policy
+ - assert:
+ file: configmap.yaml
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/configmap-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/configmap-assert.yaml
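Review bot: In step-08 the `assert` on `configmap.yaml` runs straight after the ClusterPolicy delete, so it is satisfied as soon as the ConfigMap is seen once and can pass before any downstream cleanup would have run. If cleanup of generated resources is asynchronous (it is not visible in this commit), the step would pass even when `orphanDownstreamOnPolicyDelete: true` is not honoured. A short wait between the delete and the assert, for example a `- sleep:` operation with `duration: 3s`, would make the positive check meaningful. The `error` check added to step-03 does not have this weakness, because it waits for the ConfigMap to be absent.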
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/configmap.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/configmap.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/namespace.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/namespace.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml
new file mode 100755
index 0000000000..d5660a15c9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy
+spec:
+ generateExisting: false
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ orphanDownstreamOnPolicyDelete: false
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: cpol-data-sync-delete-rule
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/README.md
new file mode 100644
index 0000000000..df4b297ffd
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a generate policy with `orphanDownstreamOnPolicyDelete` can be updated on existing policy.
+
+## Expected Behavior
+
+The test fails if the `orphanDownstreamOnPolicyDelete` can't be updated, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/10464
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/chainsaw-test.yaml
new file mode 100644
index 0000000000..5005f5aa49
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: update-orphan
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy-with-orphan.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-assert.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-assert.yaml
new file mode 100644
index 0000000000..8813628e70
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-update-orphan
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
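Review bot: In validation/clusterpolicy/orphan/chainsaw-test.yaml, step-02 only exercises the `false` to `true` update of `orphanDownstreamOnPolicyDelete`; the reverse transition is never applied. Both steps also assert the same `policy-assert.yaml`, which checks the Ready condition and never looks at the field's value. A third step that re-applies `policy.yaml`, together with an assert file that includes `orphanDownstreamOnPolicyDelete` under the rule's `generate` block, would show that the update is stored in both directions rather than merely admitted.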
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-with-orphan.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-with-orphan.yaml
new file mode 100644
index 0000000000..81540b397d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-with-orphan.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-update-orphan
+spec:
+ rules:
+ - name: deny-all-traffic
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ orphanDownstreamOnPolicyDelete: true
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: deny-all-traffic
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ spec:
+ # select all pods in the namespace
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy.yaml
new file mode 100644
index 0000000000..98d55f9c92
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-update-orphan
+spec:
+ rules:
+ - name: deny-all-traffic
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ orphanDownstreamOnPolicyDelete: false
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: deny-all-traffic
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ spec:
+ # select all pods in the namespace
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file