
fix: reset mutable fields orphandownstream (#10478)

* fix: reset mutable fields orphandownstream

Signed-off-by: Husni Alhamdani <dhanielluis@gmail.com>

* fix: reset mutable fields orphandownstream

Signed-off-by: Husni Alhamdani <dhanielluis@gmail.com>

* fix: reset mutable fields orphandownstream

Signed-off-by: Husni Alhamdani <dhanielluis@gmail.com>

---------

Signed-off-by: Husni Alhamdani <dhanielluis@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Husni Alhamdani 2024-06-25 11:24:35 +02:00 committed by GitHub
parent 122b3a36cf
commit cd6988d1e2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 183 additions and 6 deletions


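--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -51,6 +51,7 @@ func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {
 rule.DeepCopyInto(new)
 new.Generation.Synchronize = true
 new.Generation.SetData(nil)
+new.Generation.OrphanDownstreamOnPolicyDelete = true
 return new
 }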
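Review bot: resetMutableFields has no doc comment saying which Generation fields count as mutable and why they are forced to fixed values, and the added OrphanDownstreamOnPolicyDelete line extends that list silently; the function's signature and the declaration of `new` sit outside the hunk. Presumably the normalized copy is compared against a previous version of the rule so that a change to one of these user-editable fields is not rejected as a generate-rule change (issue #10464, referenced by the new test README, describes exactly such a rejected update), and stating that at the definition is what tells the next maintainer to add any future mutable field here as well. Suggested comment above the signature: `// resetMutableFields returns a copy of rule with the user-editable generate fields (Synchronize, OrphanDownstreamOnPolicyDelete and the generated data) set to fixed values, so callers that compare rules ignore changes to them.` A unit test asserting that two rules differing only in OrphanDownstreamOnPolicyDelete are equal after the reset would pin the fix independently of the chainsaw tests.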


@ -2,21 +2,21 @@ apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test kind: Test
metadata: metadata:
creationTimestamp: null creationTimestamp: null
name: cpol-data-sync-delete-policy name: cpol-data-sync-delete-policy-with-orphan
spec: spec:
steps: steps:
- name: step-01 - name: step-01
try: try:
- apply: - apply:
file: chainsaw-step-01-apply-1-1.yaml file: policy.yaml
- assert: - assert:
file: chainsaw-step-01-assert-1-1.yaml file: policy-ready.yaml
- name: step-02 - name: step-02
try: try:
- apply: - apply:
file: chainsaw-step-02-apply-1-1.yaml file: namespace.yaml
- assert: - assert:
file: chainsaw-step-02-assert-1-1.yaml file: configmap.yaml
- name: step-03 - name: step-03
try: try:
- delete: - delete:
@ -24,5 +24,39 @@ spec:
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
name: cpol-data-sync-orphan-downstream-delete-policy name: cpol-data-sync-orphan-downstream-delete-policy
- error:
file: configmap-assert.yaml
- name: step-04
try:
- delete:
ref:
apiVersion: v1
kind: Namespace
name: cpol-data-sync-orphan-downstream-delete-policy-ns
- name: step-05
try:
- apply:
file: policy.yaml
- assert: - assert:
file: chainsaw-step-02-assert-1-1.yaml file: policy-ready.yaml
- name: step-06
try:
- apply:
file: policy-orphan.yaml
- assert:
file: policy-ready.yaml
- name: step-07
try:
- apply:
file: namespace.yaml
- assert:
file: configmap.yaml
- name: step-08
try:
- delete:
ref:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: cpol-data-sync-orphan-downstream-delete-policy
- assert:
file: configmap.yaml
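Review bot: Step-03's `error:` check reads `configmap-assert.yaml` while every other step in this test refers to the generated ConfigMap through `configmap.yaml`; if both describe the same resource (configmap-assert.yaml is not in view), a single file avoids the two drifting apart. Step-06 asserts `policy-ready.yaml` right after applying `policy-orphan.yaml`, but the policy already satisfied Ready=True in step-05, so that assert cannot distinguish a stale status from a reconciled update; an assert file that pins `orphanDownstreamOnPolicyDelete: true` under the rule's generate block would make the flip explicit. The step-08 assert on `configmap.yaml` after deleting the policy is the check that actually proves the downstream ConfigMap is orphaned rather than removed.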


@ -0,0 +1,36 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cpol-data-sync-orphan-downstream-delete-policy
spec:
generateExisting: false
rules:
- exclude:
any:
- resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
apiVersion: v1
data:
data:
KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
kind: ConfigMap
metadata:
labels:
somekey: somevalue
kind: ConfigMap
name: zk-kafka-address
namespace: '{{request.object.metadata.name}}'
synchronize: true
orphanDownstreamOnPolicyDelete: false
match:
any:
- resources:
kinds:
- Namespace
name: cpol-data-sync-delete-rule


@ -0,0 +1,12 @@
## Description
This test ensures that a generate policy with `orphanDownstreamOnPolicyDelete` can be updated on existing policy.
## Expected Behavior
The test fails if the `orphanDownstreamOnPolicyDelete` can't be updated, otherwise passes.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/10464


@ -0,0 +1,19 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: update-orphan
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- apply:
file: policy-with-orphan.yaml
- assert:
file: policy-assert.yaml
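Review bot: Both steps assert the same `policy-assert.yaml`, which checks only the Ready condition; after step-01 the policy is already Ready, so step-02's assert passes even if the update from `policy-with-orphan.yaml` was never reconciled, and only the apply itself guards against the regression in #10464. A per-step assert that pins the value of `orphanDownstreamOnPolicyDelete` under `spec.rules[0].generate` to whatever the applied file sets would also fail if the field were silently dropped or rewritten on update. This is a test-strength point rather than a defect in the step sequence.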


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-update-orphan
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,33 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-update-orphan
spec:
rules:
- name: deny-all-traffic
match:
any:
- resources:
kinds:
- Namespace
exclude:
any:
- resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
orphanDownstreamOnPolicyDelete: true
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
name: deny-all-traffic
namespace: "{{request.object.metadata.name}}"
data:
spec:
# select all pods in the namespace
podSelector: {}
policyTypes:
- Ingress
- Egress


@ -0,0 +1,33 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-update-orphan
spec:
rules:
- name: deny-all-traffic
match:
any:
- resources:
kinds:
- Namespace
exclude:
any:
- resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
orphanDownstreamOnPolicyDelete: false
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
name: deny-all-traffic
namespace: "{{request.object.metadata.name}}"
data:
spec:
# select all pods in the namespace
podSelector: {}
policyTypes:
- Ingress
- Egress