diff --git a/pkg/validation/policy/generate.go b/pkg/validation/policy/generate.go
index ce7ddc5dd0..1b4486240e 100644
--- a/pkg/validation/policy/generate.go
+++ b/pkg/validation/policy/generate.go
@@ -51,6 +51,7 @@ func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {
 rule.DeepCopyInto(new)
 new.Generation.Synchronize = true
 new.Generation.SetData(nil)
+ new.Generation.ForEachGeneration = nil
 new.Generation.OrphanDownstreamOnPolicyDelete = true
 return new
 }
diff --git a/test/conformance/chainsaw/e2e-matrix.json b/test/conformance/chainsaw/e2e-matrix.json
index c5e512883d..46bed3fb7f 100644
--- a/test/conformance/chainsaw/e2e-matrix.json
+++ b/test/conformance/chainsaw/e2e-matrix.json
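Review bot: Setting `new.Generation.ForEachGeneration = nil` in resetMutableFields drops the whole foreach block from the copy this function prepares, not only its data-like fields. The foreach entries in the tests added by this commit carry `clone`/`cloneList` sources and a target `namespace`/`name`, so, assuming the caller compares the reset copies to reject edits to immutable generate fields, a policy update could re-point an existing synchronized rule at a different source Secret or target namespace without being rejected. If only foreach data is meant to be mutable, reset it per entry, e.g. `for i := range new.Generation.ForEachGeneration { new.Generation.ForEachGeneration[i].SetData(nil) }` (assuming the element type exposes the same `SetData`), and add a comment naming the foreach fields that are intentionally mutable. The function body starts above the hunk.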
@@ -45,16 +45,16 @@ "^generate$/^clusterpolicy$/^cornercases$/^(cpol-data-sync-to-nosync-delete-rule-deprecated|cpol-data-trigger-not-present|data-role-and-rolebinding|generate-event-upon-edit|pod-restart-on-cm-update|pod-restart-on-cm-update-deprecated|trigger-resource-name-exceeds-63-characters)\\[.*\\]$", "^generate$/^clusterpolicy$/^standard$/^clone$/^multiple$/^sync$/^(basic-create)\\[.*\\]$", "^generate$/^clusterpolicy$/^standard$/^clone$/^nosync$/^(cpol-clone-nosync-create|cpol-clone-nosync-delete-downstream|cpol-clone-nosync-delete-policy|cpol-clone-nosync-delete-rule|cpol-clone-nosync-delete-source|cpol-clone-nosync-delete-trigger|cpol-clone-nosync-modify-downstream|cpol-clone-nosync-modify-source|cpol-clone-nosync-update-trigger-no-match)\\[.*\\]$", - "^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-list-sync-create|cpol-clone-list-sync-create-deprecated|cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update|cpol-clone-list-sync-update-deprecated|cpol-clone-sync-create|cpol-clone-sync-delete-downstream|cpol-clone-sync-delete-policy|cpol-clone-sync-delete-rule|cpol-clone-sync-delete-source|cpol-clone-sync-delete-trigger|cpol-clone-sync-existing-update-trigger-no-precondition|cpol-clone-sync-existing-update-trigger-no-precondition-deprecated|cpol-clone-sync-modify-downstream|cpol-clone-sync-modify-downstream-apply|cpol-clone-sync-modify-source|cpol-clone-sync-no-existing-update-trigger-no-precondition|cpol-clone-sync-update-trigger-no-match)\\[.*\\]$", + 
"^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-list-sync-create|cpol-clone-list-sync-create-deprecated|cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update-deprecated|cpol-clone-list-sync-update-source|cpol-clone-sync-create|cpol-clone-sync-delete-downstream|cpol-clone-sync-delete-policy|cpol-clone-sync-delete-rule|cpol-clone-sync-delete-source|cpol-clone-sync-delete-trigger|cpol-clone-sync-existing-update-trigger-no-precondition|cpol-clone-sync-existing-update-trigger-no-precondition-deprecated|cpol-clone-sync-modify-downstream|cpol-clone-sync-modify-downstream-apply|cpol-clone-sync-modify-source|cpol-clone-sync-no-existing-update-trigger-no-precondition|cpol-clone-sync-update-trigger-no-match)\\[.*\\]$", "^generate$/^clusterpolicy$/^standard$/^data$/^nosync$/^(cpol-data-nosync-delete-downstream|cpol-data-nosync-delete-policy|cpol-data-nosync-delete-rule|cpol-data-nosync-delete-trigger|cpol-data-nosync-modify-downstream|cpol-data-nosync-modify-rule|cpol-data-nosync-update-trigger-no-match|generate-on-subresource-trigger)\\[.*\\]$", "^generate$/^clusterpolicy$/^standard$/^data$/^nosync-deprecated$/^(cpol-data-nosync-delete-downstream|cpol-data-nosync-delete-policy|cpol-data-nosync-delete-rule|cpol-data-nosync-modify-downstream|cpol-data-nosync-modify-rule|generate-on-subresource-trigger)\\[.*\\]$", "^generate$/^clusterpolicy$/^standard$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-downstream|cpol-data-sync-delete-one-trigger|cpol-data-sync-delete-policy|cpol-data-sync-delete-rule|cpol-data-sync-delete-trigger|cpol-data-sync-existing-update-trigger-no-precondition|cpol-data-sync-modify-downstream|cpol-data-sync-modify-policy|cpol-data-sync-modify-rule|cpol-data-sync-mutate-and-generate|cpol-data-sync-no-existing-update-trigger-no-precondition|cpol-data-sync-orphan-downstream-delete-policy|cpol-data-sync-update-trigger-no-match)\\[.*\\]$", 
"^generate$/^clusterpolicy$/^standard$/^data$/^sync-deprecated$/^(cpol-data-sync-create|cpol-data-sync-delete-downstream|cpol-data-sync-delete-policy|cpol-data-sync-delete-rule|cpol-data-sync-existing-update-trigger-no-precondition|cpol-data-sync-modify-downstream|cpol-data-sync-modify-rule|cpol-data-sync-orphan-downstream-delete-policy)\\[.*\\]$", "^generate$/^clusterpolicy$/^standard$/^existing$/^(different-configurations-for-generate-existing|different-generate-existing-values|different-generate-existing-values-reorder|existing-basic-add-rule-data|existing-basic-create-policy-data|existing-basic-create-policy-preconditions-data|existing-with-wildcard-name-matching)\\[.*\\]$", "^generate$/^clusterpolicy$/^standard$/^existing-deprecated$/^(existing-basic-add-rule-data|existing-basic-create-policy-data|existing-basic-create-policy-preconditions-data)\\[.*\\]$", - "^generate$/^foreach$/^clusterpolicy$/^clone$/^sync$/^(cpol-clone-list-sync-delete-source|cpol-clone-sync-create|cpol-clone-sync-create-delete-source)\\[.*\\]$", - "^generate$/^foreach$/^clusterpolicy$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-policy)\\[.*\\]$", - "^generate$/^foreach$/^existing$/^(cpol-clone-sync-create)\\[.*\\]$", + "^generate$/^foreach$/^clusterpolicy$/^clone$/^sync$/^(cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update-source|cpol-clone-list-sync-update-target|cpol-clone-sync-create|cpol-clone-sync-create-delete-source|cpol-clone-sync-update-source|cpol-clone-sync-update-target)\\[.*\\]$", + "^generate$/^foreach$/^clusterpolicy$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-policy|cpol-data-sync-update-policy|cpol-data-sync-update-target)\\[.*\\]$", + "^generate$/^foreach$/^existing$/^(cpol-clone-list-sync-create|cpol-clone-sync-create|cpol-data-sync-create)\\[.*\\]$", "^generate$/^policy$/^cornercases$/^(pol-clone-create-on-trigger-deletion|pol-clone-sync-create-source-after-policy|pol-data-create-on-trigger-deletion)\\[.*\\]$", 
"^generate$/^policy$/^standard$/^clone$/^nosync$/^(pol-clone-nosync-create|pol-clone-nosync-delete-downstream|pol-clone-nosync-delete-policy|pol-clone-nosync-delete-rule|pol-clone-nosync-delete-source|pol-clone-nosync-delete-trigger|pol-clone-nosync-invalid|pol-clone-nosync-modify-downstream|pol-clone-nosync-modify-source|pol-clone-nosync-update-trigger-no-match)\\[.*\\]$", "^generate$/^policy$/^standard$/^clone$/^sync$/^(pol-clone-sync-delete-downstream|pol-clone-sync-delete-policy|pol-clone-sync-delete-rule|pol-clone-sync-delete-source|pol-clone-sync-delete-trigger|pol-clone-sync-invalid|pol-clone-sync-modify-downstream|pol-clone-sync-modify-source|pol-clone-sync-update-trigger-no-match)\\[.*\\]$", diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/README.md similarity index 100% rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/README.md rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/README.md diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/chainsaw-test.yaml similarity index 100% rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/chainsaw-test.yaml rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/chainsaw-test.yaml 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/cluster-policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy-ready.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/cluster-policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/cluster-policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/cluster-policy.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/manifests.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/manifests.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/manifests.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/ns.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/ns.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/permissions.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/permissions.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/permissions.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/resource-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/resource-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/resource-assert.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/resource-assert.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/synchronized-target.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/synchronized-target.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/synchronized-target.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/synchronized-target.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/update-source.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/update-source.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/update-source.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-source/update-source.yaml
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-0-existing.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-0-existing.yaml
new file mode 100755
index 0000000000..18fc0942d0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-0-existing.yaml
@@ -0,0 +1,58 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:cpol-clone-list-sync-update-source
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-cpol-clone-list-sync-update-source-existing-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "false"
+ location: europe
+ name: mysecret-2
+ namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
+type: Opaque
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-cpol-clone-list-sync-update-source-target-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-cpol-clone-list-sync-update-source-target-ns-2
+
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-1-policy.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-1-policy.yaml
new file mode 100755
index 0000000000..a666e0025e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-1-policy.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: foreach-cpol-clone-list-sync-update-source
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ name: k-kafka-address
+ context:
+ - name: configmapns
+ variable:
+ jmesPath: request.object.metadata.namespace
+ preconditions:
+ any:
+ - key: '{{configmapns}}'
+ operator: Equals
+ value: '{{request.object.metadata.namespace}}'
+ generate:
+ generateExisting: false
+ synchronize: true
+ foreach:
+ - list: request.object.data.namespaces | split(@, ',')
+ context:
+ - name: ns
+ variable:
+ jmesPath: element
+ preconditions:
+ any:
+ - key: '{{ ns }}'
+ operator: AnyIn
+ value:
+ - foreach-cpol-clone-list-sync-update-source-target-ns-1
+ namespace: '{{ ns }}'
+ cloneList:
+ kinds:
+ - v1/Secret
+ namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-2-policy-assert.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-2-policy-assert.yaml
new file mode 100755
index 0000000000..2ea349327c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-2-policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: foreach-cpol-clone-list-sync-update-source
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/2-1-trigger.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/2-1-trigger.yaml
new file mode 100755
index 0000000000..756edf39bb
--- /dev/null
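Review bot: The rule-level precondition in 1-1-policy.yaml compares `{{configmapns}}` with `{{request.object.metadata.namespace}}`, but `configmapns` is defined from that same JMESPath, so the condition is always true and this ClusterPolicy applies to ConfigMaps in every namespace. Any ConfigMap created while the policy is installed can therefore drive a Secret clone request, including ones created by unrelated tests. Pin the precondition to the trigger namespace, e.g. `value: foreach-cpol-clone-list-sync-update-source-trigger-ns`. The 1-1-policy.yaml of cpol-clone-list-sync-update-target has the same precondition.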
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/2-1-trigger.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-cpol-clone-list-sync-update-source-trigger-ns
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-deny
+ namespace: foreach-cpol-clone-list-sync-update-source-trigger-ns
+data:
+ namespaces: foreach-cpol-clone-list-sync-update-source-target-ns-1,foreach-cpol-clone-list-sync-update-source-target-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/3-1-target-expected.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/3-1-target-expected.yaml
new file mode 100644
index 0000000000..b8152d08df
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/3-1-target-expected.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: foreach-cpol-clone-list-sync-update-source-target-ns-1
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/3-2-target-none-expected.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/3-2-target-none-expected.yaml
new file mode 100644
index 0000000000..c5dea334f6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/3-2-target-none-expected.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-2
+ namespace: foreach-cpol-clone-list-sync-update-source-target-ns-2
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/4-1-update-source.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/4-1-update-source.yaml
new file mode 100644
index 0000000000..045b5b4e30
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/4-1-update-source.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: bm90LWJhcg==
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/4-2-updated-target.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/4-2-updated-target.yaml
new file mode 100644
index 0000000000..334c09dbd0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/4-2-updated-target.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: bm90LWJhcg==
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: foreach-cpol-clone-list-sync-update-source-target-ns-1
+type: Opaque
\ No newline at end of file
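Review bot: The negative check in 3-2-target-none-expected.yaml can pass even when a Secret reaches the excluded namespace. It looks for `mysecret-2` in target-ns-2 labelled `allowedToBeCloned: "true"`, but the source `mysecret-2` is labelled `"false"`, so a wrongly cloned copy would not match this manifest and the `error` step would still succeed (assuming chainsaw's `error` fails only on a matching resource). It also never looks for `mysecret-1`, which is the object the foreach precondition is meant to keep out of target-ns-2. Drop `data` and `labels` from the manifest so any `mysecret-2` in that namespace fails the step, and add the same check with `name: mysecret-1`.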
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/README.md b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/README.md
new file mode 100644
index 0000000000..5eb76d1e0c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test checks the synchronize behavior for a "generate foreach cloneList" policy upon source changes.
+
+## Expected Behavior
+
+1. trigger the standard policy, expect a secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1` to be cloned.
+2. update the source secret, expect changes to be synced to the cloned secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/chainsaw-test.yaml
new file mode 100755
index 0000000000..dbe1ff788b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/chainsaw-test.yaml
@@ -0,0 +1,31 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-clone-list-sync-delete-source
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: 1-0-existing.yaml
+ - apply:
+ file: 1-1-policy.yaml
+ - assert:
+ file: 1-2-policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: 2-1-trigger.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: 3-1-target-expected.yaml
+ - error:
+ file: 3-2-target-none-expected.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: 4-1-update-source.yaml
+ - assert:
+ file: 4-2-updated-target.yaml
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-0-existing.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-0-existing.yaml
new file mode 100755
index 0000000000..c9c0dda4f0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-0-existing.yaml
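Review bot: `metadata.name` in this chainsaw-test.yaml is `cpol-clone-list-sync-delete-source`, which looks copied from the sibling test, while the directory and the e2e-matrix entry are `cpol-clone-list-sync-update-source`. A duplicated test name makes a failure of this test hard to tell apart from the delete-source one in reports, so use `name: cpol-clone-list-sync-update-source` here and `name: cpol-clone-list-sync-update-target` in the update-target chainsaw-test.yaml, which carries the same value. Both new READMEs also refer to the namespace `foreach-cpol-clone-list-sync-delete-source-target-ns-1`, which none of these manifests create.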
@@ -0,0 +1,58 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:cpol-clone-list-sync-update-target
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-cpol-clone-list-sync-update-target-existing-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: foreach-cpol-clone-list-sync-update-target-existing-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "false"
+ location: europe
+ name: mysecret-2
+ namespace: foreach-cpol-clone-list-sync-update-target-existing-ns
+type: Opaque
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-cpol-clone-list-sync-update-target-target-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-cpol-clone-list-sync-update-target-target-ns-2
+
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-1-policy.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-1-policy.yaml
new file mode 100755
index 0000000000..f14ff1940b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-1-policy.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: foreach-cpol-clone-list-sync-update-target
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ name: k-kafka-address
+ context:
+ - name: configmapns
+ variable:
+ jmesPath: request.object.metadata.namespace
+ preconditions:
+ any:
+ - key: '{{configmapns}}'
+ operator: Equals
+ value: '{{request.object.metadata.namespace}}'
+ generate:
+ generateExisting: false
+ synchronize: true
+ foreach:
+ - list: request.object.data.namespaces | split(@, ',')
+ context:
+ - name: ns
+ variable:
+ jmesPath: element
+ preconditions:
+ any:
+ - key: '{{ ns }}'
+ operator: AnyIn
+ value:
+ - foreach-cpol-clone-list-sync-update-target-target-ns-1
+ namespace: '{{ ns }}'
+ cloneList:
+ kinds:
+ - v1/Secret
+ namespace: foreach-cpol-clone-list-sync-update-target-existing-ns
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-2-policy-assert.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-2-policy-assert.yaml
new file mode 100755
index 0000000000..e2ba07a81d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-2-policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: foreach-cpol-clone-list-sync-update-target
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/2-1-trigger.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/2-1-trigger.yaml
new file mode 100755
index 0000000000..c8804855c0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/2-1-trigger.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-cpol-clone-list-sync-update-target-trigger-ns
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-deny
+ namespace: foreach-cpol-clone-list-sync-update-target-trigger-ns
+data:
+ namespaces: foreach-cpol-clone-list-sync-update-target-target-ns-1,foreach-cpol-clone-list-sync-update-target-target-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/3-1-target-expected.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/3-1-target-expected.yaml
new file mode 100644
index 0000000000..0d73d383b3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/3-1-target-expected.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: foreach-cpol-clone-list-sync-update-target-target-ns-1
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/4-1-update-target.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/4-1-update-target.yaml
new file mode 100644
index 0000000000..09ceb2328d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/4-1-update-target.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: bm90LWJhcg==
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: foreach-cpol-clone-list-sync-update-target-target-ns-1
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/README.md b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/README.md
new file mode 100644
index 0000000000..b3664295e3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test checks the synchronize behavior for a "generate foreach cloneList" policy upon target changes.
+
+## Expected Behavior
+
+1. trigger the standard policy, expect a secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1` to be cloned.
+2. update the target cloned secret, expect changes to be reverted to the cloned secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/chainsaw-test.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/chainsaw-test.yaml
new file mode 100755
index 0000000000..2eccb3aa6c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/chainsaw-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-clone-list-sync-delete-source
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: 1-0-existing.yaml
+ - apply:
+ file: 1-1-policy.yaml
+ - assert:
+ file: 1-2-policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: 2-1-trigger.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: 3-1-target-expected.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: 4-1-update-target.yaml
+ - assert:
+ file: 3-1-target-expected.yaml
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/1-1-source.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/1-1-source.yaml
new file mode 100755
index 0000000000..1c4d3ffd73
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/1-1-source.yaml
@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:cpol-clone-sync-update-source
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-ns-2
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/2-1-policy.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/2-1-policy.yaml
new file mode 100644
index 0000000000..cc1b33b080
--- /dev/null
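Review bot: `name: cpol-clone-list-sync-delete-source` in this chainsaw-test.yaml is left over from a sibling test and does not match its directory; it should read `name: cpol-clone-list-sync-update-target`. The chainsaw-test.yaml files added for cpol-clone-sync-update-source, cpol-clone-sync-update-target, cpol-data-sync-update-policy and cpol-data-sync-update-target have the same problem, all four declaring `name: cpol-data-sync-create`. The e2e matrix patterns end in `\\[.*\\]`, which suggests the declared name ends up in the reported test id, so a failure in one of these would be attributed to a scenario that did not run. The README in this directory carries the same leftover (`foreach-cpol-clone-list-sync-delete-source-target-ns-1`, where the manifests use `foreach-cpol-clone-list-sync-update-target-target-ns-1`).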
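Review bot: The ClusterRole `kyverno:cpol-clone-sync-update-source` in 1-1-source.yaml grants `create`, `update` and `delete` on `secrets` in every namespace and aggregates that into both the background controller and the admission controller. The test only needs the clone to be written into `foreach-ns-1`, so it is worth confirming whether the admission controller needs the write verbs at all; if it does not, remove `rbac.kyverno.io/aggregate-to-admission-controller: "true"` or move `get`/`list` into a separate role for it. Either way a comment above the rules such as `# test-only role: cluster-wide write on secrets; must not outlive this test` would make the scope explicit for anyone copying the fixture. The same role shape is repeated in cpol-clone-sync-update-target/1-1-source.yaml and existing/cpol-clone-list-sync-create/0-0-existing.yaml.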
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/2-1-policy.yaml @@ -0,0 +1,43 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-cpol-clone-sync-update-source +spec: + rules: + - match: + any: + - resources: + kinds: + - ConfigMap + name: k-kafka-address + context: + - name: configmapns + variable: + jmesPath: request.object.metadata.namespace + preconditions: + any: + - key: '{{configmapns}}' + operator: Equals + value: 'default' + generate: + generateExisting: false + synchronize: true + foreach: + - list: request.object.data.namespaces | split(@, ',') + context: + - name: ns + variable: + jmesPath: element + preconditions: + any: + - key: '{{ ns }}' + operator: AnyIn + value: + - foreach-ns-1 + apiVersion: v1 + kind: Secret + name: cloned-secret-{{ elementIndex }}-{{ ns }} + namespace: '{{ ns }}' + clone: + namespace: default + name: source-secret \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/2-2-policy-assert.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/2-2-policy-assert.yaml new file mode 100644 index 0000000000..7d56857b93 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/2-2-policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-cpol-clone-sync-update-source +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/3-1-trigger.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/3-1-trigger.yaml new file mode 100644 index 0000000000..45d766133f --- /dev/null 
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/3-1-trigger.yaml @@ -0,0 +1,8 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: default-deny + namespace: default +data: + namespaces: foreach-ns-1,foreach-ns-2 + fo: bar \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/4-1-cloned-target.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/4-1-cloned-target.yaml new file mode 100644 index 0000000000..29623e30a1 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/4-1-cloned-target.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: cloned-secret-0-foreach-ns-1 + namespace: foreach-ns-1 +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/4-2-no-cloned-target.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/4-2-no-cloned-target.yaml new file mode 100644 index 0000000000..3be098ba45 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/4-2-no-cloned-target.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: cloned-secret-0-foreach-ns-2 + namespace: foreach-ns-2 +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/5-1-update-source.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/5-1-update-source.yaml new file mode 100644 index 0000000000..685189d118 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/5-1-update-source.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: bm90LWJhcg== +kind: Secret +metadata: + name: source-secret + namespace: default +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/5-2-updated-target.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/5-2-updated-target.yaml new file mode 100644 index 0000000000..6abf4103df --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/5-2-updated-target.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: bm90LWJhcg== +kind: Secret +metadata: + name: cloned-secret-0-foreach-ns-1 + namespace: foreach-ns-1 +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/README.md b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/README.md new file mode 100644 index 0000000000..882d04343e --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/README.md @@ -0,0 +1,12 @@ +## Description + +This test checks the synchronize behavior for a "generate foreach clone" policy upon source changes. + +## Expected Behavior + +1. trigger the standard policy, expect a secret `foreach-ns-1/cloned-secret-0-foreach-ns-1` to be cloned. +2. update the source secret, expect changes to be synced to the target secret `foreach-ns-1/cloned-secret-0-foreach-ns-1`. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/3542 \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/chainsaw-test.yaml
new file mode 100755
index 0000000000..10a6ef099c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/chainsaw-test.yaml
@@ -0,0 +1,34 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-create
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: 1-1-source.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: 2-1-policy.yaml
+ - assert:
+ file: 2-2-policy-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: 3-1-trigger.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: 4-1-cloned-target.yaml
+ - error:
+ file: 4-2-no-cloned-target.yaml
+ - name: step-05
+ try:
+ - apply:
+ file: 5-1-update-source.yaml
+ - assert:
+ file: 5-2-updated-target.yaml
+
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/1-1-source.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/1-1-source.yaml
new file mode 100755
index 0000000000..124d053e9c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/1-1-source.yaml
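Review bot: Step-04 uses `apply` on `4-1-cloned-target.yaml`, so the test itself creates or patches `foreach-ns-1/cloned-secret-0-foreach-ns-1` and the step passes whether or not Kyverno cloned the Secret. It should be `- assert:` with `file: 4-1-cloned-target.yaml`, as the cloneList test added in this commit does in its step-03 for `3-1-target-expected.yaml`. A Secret written by the test instead of by the rule may also not be tracked for synchronization, in which case step-05 would fail for a reason unrelated to what the test is meant to check. cpol-clone-sync-update-target/chainsaw-test.yaml has the same `apply` in its step-04, which weakens the check that a tampered clone is reverted.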
@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:cpol-clone-sync-update-target
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-ns-2
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/2-1-policy.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/2-1-policy.yaml
new file mode 100644
index 0000000000..e02a7f3394
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/2-1-policy.yaml
@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: foreach-cpol-clone-sync-update-target
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ name: k-kafka-address
+ context:
+ - name: configmapns
+ variable:
+ jmesPath: request.object.metadata.namespace
+ preconditions:
+ any:
+ - key: '{{configmapns}}'
+ operator: Equals
+ value: 'default'
+ generate:
+ generateExisting: false
+ synchronize: true
+ foreach:
+ - list: request.object.data.namespaces | split(@, ',')
+ context:
+ - name: ns
+ variable:
+ jmesPath: element
+ preconditions:
+ any:
+ - key: '{{ ns }}'
+ operator: AnyIn
+ value:
+ - foreach-ns-1
+ apiVersion: v1
+ kind: Secret
+ name: cloned-secret-{{ elementIndex }}-{{ ns }}
+ namespace: '{{ ns }}'
+ clone:
+ namespace: default
+ name: source-secret
\ No newline at end of file
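Review bot: This 1-1-source.yaml creates `foreach-ns-1`, `foreach-ns-2` and `default/source-secret`, the same objects as cpol-clone-sync-update-source/1-1-source.yaml, and both tests' policies generate the same target `cloned-secret-{{ elementIndex }}-{{ ns }}` from a ConfigMap in `default`. If the two tests overlap in time, update-source rewrites `source-secret` to `foo: bm90LWJhcg==` while this test asserts `foo: YmFy` on the clone, and two synchronizing policies own one Secret. Whether the suite runs them concurrently is not visible in this diff, but the cloneList tests in the same commit already isolate themselves with per-test prefixes. The same would work here, for example `name: foreach-cpol-clone-sync-update-target-ns-1` for the namespace, with the `value: 'default'` precondition and the `clone.namespace` in 2-1-policy.yaml pointed at a per-test namespace too.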
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/2-2-policy-assert.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/2-2-policy-assert.yaml new file mode 100644 index 0000000000..39493ecd06 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/2-2-policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-cpol-clone-sync-update-target +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/3-1-trigger.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/3-1-trigger.yaml new file mode 100644 index 0000000000..45d766133f --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/3-1-trigger.yaml @@ -0,0 +1,8 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: default-deny + namespace: default +data: + namespaces: foreach-ns-1,foreach-ns-2 + fo: bar \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/4-1-cloned-target.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/4-1-cloned-target.yaml new file mode 100644 index 0000000000..29623e30a1 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/4-1-cloned-target.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: cloned-secret-0-foreach-ns-1 + namespace: foreach-ns-1 +type: Opaque \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/5-1-update-target.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/5-1-update-target.yaml new file mode 100644 index 0000000000..6abf4103df --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/5-1-update-target.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: bm90LWJhcg== +kind: Secret +metadata: + name: cloned-secret-0-foreach-ns-1 + namespace: foreach-ns-1 +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/README.md b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/README.md new file mode 100644 index 0000000000..899fed8330 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/README.md @@ -0,0 +1,12 @@ +## Description + +This test checks the synchronize behavior for a "generate foreach clone" policy upon target changes. + +## Expected Behavior + +1. trigger the standard policy, expect a secret `foreach-ns-1/cloned-secret-0-foreach-ns-1` to be cloned. +2. update the cloned secret, expect changes to be reverted to the cloned secret `foreach-ns-1/cloned-secret-0-foreach-ns-1`. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/3542 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/chainsaw-test.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/chainsaw-test.yaml new file mode 100755 index 0000000000..175e723abd --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/chainsaw-test.yaml 
@@ -0,0 +1,32 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-data-sync-create +spec: + steps: + - name: step-01 + try: + - apply: + file: 1-1-source.yaml + - name: step-02 + try: + - apply: + file: 2-1-policy.yaml + - assert: + file: 2-2-policy-assert.yaml + - name: step-03 + try: + - apply: + file: 3-1-trigger.yaml + - name: step-04 + try: + - apply: + file: 4-1-cloned-target.yaml + - name: step-05 + try: + - apply: + file: 5-1-update-target.yaml + - assert: + file: 4-1-cloned-target.yaml + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/1-1-policy.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/1-1-policy.yaml new file mode 100755 index 0000000000..4aab70aaf4 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/1-1-policy.yaml @@ -0,0 +1,44 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-cpol-data-sync-update-policy +spec: + rules: + - match: + any: + - resources: + kinds: + - ConfigMap + name: k-kafka-address + generate: + generateExisting: false + synchronize: true + orphanDownstreamOnPolicyDelete: false + foreach: + - list: request.object.data.namespaces | split(@, ',') + context: + - name: ns + variable: + jmesPath: element + preconditions: + any: + - key: '{{ ns }}' + operator: AnyIn + value: + - foreach-ns-1 + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + name: my-networkpolicy-{{ elementIndex }}-{{ ns }} + namespace: '{{ ns }}' + data: + metadata: + labels: + request.namespace: '{{ request.object.metadata.name }}' + element.namespace: '{{ ns }}' + element.name: '{{ element }}' + elementIndex: '{{ elementIndex }}' + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress 
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/1-2-policy-assert.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/1-2-policy-assert.yaml new file mode 100755 index 0000000000..17f119e8c5 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/1-2-policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-cpol-data-sync-update-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/2-1-trigger.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/2-1-trigger.yaml new file mode 100755 index 0000000000..9e231301f5 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/2-1-trigger.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: foreach-ns-1 +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: default-deny + namespace: default +data: + namespaces: foreach-ns-1 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/2-2-netpol.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/2-2-netpol.yaml new file mode 100755 index 0000000000..16d01b7c41 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/2-2-netpol.yaml @@ -0,0 +1,10 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: my-networkpolicy-0-foreach-ns-1 + namespace: foreach-ns-1 +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/3-1-update-policy.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/3-1-update-policy.yaml new file mode 100755 index 0000000000..39fa75b8e9 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/3-1-update-policy.yaml @@ -0,0 +1,43 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-cpol-data-sync-update-policy +spec: + rules: + - match: + any: + - resources: + kinds: + - ConfigMap + name: k-kafka-address + generate: + generateExisting: false + synchronize: true + orphanDownstreamOnPolicyDelete: false + foreach: + - list: request.object.data.namespaces | split(@, ',') + context: + - name: ns + variable: + jmesPath: element + preconditions: + any: + - key: '{{ ns }}' + operator: AnyIn + value: + - foreach-ns-1 + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + name: my-networkpolicy-{{ elementIndex }}-{{ ns }}-new + namespace: '{{ ns }}' + data: + metadata: + labels: + request.namespace: '{{ request.object.metadata.name }}' + element.namespace: '{{ ns }}' + element.name: '{{ element }}' + elementIndex: '{{ elementIndex }}' + spec: + podSelector: {} + policyTypes: + - Ingress diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/3-2-netpol.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/3-2-netpol.yaml new file mode 100755 index 0000000000..430dbd05e5 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/3-2-netpol.yaml 
@@ -0,0 +1,9 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: my-networkpolicy-0-foreach-ns-1-new + namespace: foreach-ns-1 +spec: + podSelector: {} + policyTypes: + - Ingress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/4-1-update-policy.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/4-1-update-policy.yaml new file mode 100755 index 0000000000..e4754c9049 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/4-1-update-policy.yaml @@ -0,0 +1,44 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-cpol-data-sync-update-policy +spec: + rules: + - match: + any: + - resources: + kinds: + - ConfigMap + name: k-kafka-address + generate: + generateExisting: false + synchronize: true + orphanDownstreamOnPolicyDelete: false + foreach: + - list: request.object.data.namespaces | split(@, ',') + context: + - name: ns + variable: + jmesPath: element + preconditions: + any: + - key: '{{ ns }}' + operator: AnyIn + value: + - foreach-ns-1 + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + name: my-networkpolicy-{{ elementIndex }}-{{ ns }}-new + namespace: '{{ ns }}' + data: + metadata: + labels: + request.namespace: '{{ request.object.metadata.name }}' + element.namespace: '{{ ns }}' + element.name: '{{ element }}' + elementIndex: '{{ elementIndex }}' + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/4-2-netpol.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/4-2-netpol.yaml new file mode 100755 index 0000000000..a565e2f569 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/4-2-netpol.yaml @@ -0,0 +1,10 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: my-networkpolicy-0-foreach-ns-1-new + namespace: foreach-ns-1 +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/README.md b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/README.md new file mode 100644 index 0000000000..61ad752a3e --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/README.md @@ -0,0 +1,13 @@ +## Description + +This test checks the synchronize behavior for a "generate foreach data" policy upon policy changes. + +## Expected Behavior + +1. create the standard policy, expect a netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1` to be created. +2. change the target name in `spec.rules.generate.foreach.name`, expect a new netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new` to be created. +3. change the data block in `spec.rules.generate.foreach.data`, expect the above netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new` to be updated. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/3542 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/chainsaw-test.yaml new file mode 100755 index 0000000000..46a8182c4a --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/chainsaw-test.yaml 
@@ -0,0 +1,35 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-create
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: 1-1-policy.yaml
+ - assert:
+ file: 1-2-policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: 2-1-trigger.yaml
+ - assert:
+ file: 2-2-netpol.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: 3-1-update-policy.yaml
+ - assert:
+ file: 1-2-policy-assert.yaml
+ - assert:
+ file: 3-2-netpol.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: 4-1-update-policy.yaml
+ - assert:
+ file: 1-2-policy-assert.yaml
+ - assert:
+ file: 4-2-netpol.yaml
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/1-1-policy.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/1-1-policy.yaml
new file mode 100755
index 0000000000..4aab70aaf4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/1-1-policy.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: foreach-cpol-data-sync-update-policy
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ name: k-kafka-address
+ generate:
+ generateExisting: false
+ synchronize: true
+ orphanDownstreamOnPolicyDelete: false
+ foreach:
+ - list: request.object.data.namespaces | split(@, ',')
+ context:
+ - name: ns
+ variable:
+ jmesPath: element
+ preconditions:
+ any:
+ - key: '{{ ns }}'
+ operator: AnyIn
+ value:
+ - foreach-ns-1
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: my-networkpolicy-{{ elementIndex }}-{{ ns }}
+ namespace: '{{ ns }}'
+ data:
+ metadata:
+ labels:
+ request.namespace: '{{ request.object.metadata.name }}'
+ element.namespace: '{{ ns }}'
+ element.name: '{{ element }}'
+ elementIndex: '{{ elementIndex }}'
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
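Review bot: `name: foreach-cpol-data-sync-update-policy` in cpol-data-sync-update-target/1-1-policy.yaml is the ClusterPolicy name of the sibling cpol-data-sync-update-policy test (the blob is the same, `4aab70aaf4`), and ClusterPolicies are cluster-scoped. If both tests are live at once they share one policy object, and the sibling's step-03 renames the generated target to `my-networkpolicy-{{ elementIndex }}-{{ ns }}-new`, which would pull the NetworkPolicy away from the state this test asserts in `2-2-netpol.yaml`. Rename it to `name: foreach-cpol-data-sync-update-target` here and in this directory's `1-2-policy-assert.yaml`. Both tests also write to `foreach-ns-1` and `default/default-deny`, so a per-test namespace prefix would finish the isolation; whether the suite actually runs them in parallel is not visible here.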
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/1-2-policy-assert.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/1-2-policy-assert.yaml new file mode 100755 index 0000000000..17f119e8c5 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/1-2-policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-cpol-data-sync-update-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/2-1-trigger.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/2-1-trigger.yaml new file mode 100755 index 0000000000..9e231301f5 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/2-1-trigger.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: foreach-ns-1 +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: default-deny + namespace: default +data: + namespaces: foreach-ns-1 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/2-2-netpol.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/2-2-netpol.yaml new file mode 100755 index 0000000000..16d01b7c41 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/2-2-netpol.yaml @@ -0,0 +1,10 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: my-networkpolicy-0-foreach-ns-1 + namespace: foreach-ns-1 +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/3-1-update-target.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/3-1-update-target.yaml new file mode 100755 index 0000000000..c191802c09 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/3-1-update-target.yaml @@ -0,0 +1,9 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: my-networkpolicy-0-foreach-ns-1 + namespace: foreach-ns-1 +spec: + podSelector: {} + policyTypes: + - Ingress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/README.md b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/README.md new file mode 100644 index 0000000000..daa232e351 --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/README.md @@ -0,0 +1,12 @@ +## Description + +This test checks the synchronize behavior for a "generate foreach data" policy upon target changes. + +## Expected Behavior + +1. create the standard policy, expect a netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1` to be created. +2. change the target resource, expect changes in netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new` to be reverted. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/3542 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/chainsaw-test.yaml b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/chainsaw-test.yaml new file mode 100755 index 0000000000..c528b05bc5 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/chainsaw-test.yaml @@ -0,0 +1,25 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-data-sync-create +spec: + steps: + - name: step-01 + try: + - apply: + file: 1-1-policy.yaml + - assert: + file: 1-2-policy-assert.yaml + - name: step-02 + try: + - apply: + file: 2-1-trigger.yaml + - assert: + file: 2-2-netpol.yaml + - name: step-03 + try: + - apply: + file: 3-1-update-target.yaml + - assert: + file: 2-2-netpol.yaml \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/0-0-existing.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/0-0-existing.yaml new file mode 100755 index 0000000000..b7e6408fcc --- /dev/null +++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/0-0-existing.yaml 
@@ -0,0 +1,58 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:cpol-clone-list-sync-create
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-existing-cpol-clone-list-sync-create-existing-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: foreach-existing-cpol-clone-list-sync-create-existing-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "false"
+ location: europe
+ name: mysecret-2
+ namespace: foreach-existing-cpol-clone-list-sync-create-existing-ns
+type: Opaque
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-existing-cpol-clone-list-sync-create-target-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-existing-cpol-clone-list-sync-create-target-ns-2
+
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/0-1-trigger.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/0-1-trigger.yaml
new file mode 100755
index 0000000000..187c6bbf64
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/0-1-trigger.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-existing-cpol-clone-list-sync-create-trigger-ns
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-deny
+ namespace: foreach-existing-cpol-clone-list-sync-create-trigger-ns
+data:
+ namespaces: foreach-existing-cpol-clone-list-sync-create-target-ns-1,foreach-existing-cpol-clone-list-sync-create-target-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/1-1-policy.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/1-1-policy.yaml
new file mode 100755
index 0000000000..cb37b9a2d0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/1-1-policy.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: foreach-existing-cpol-clone-list-sync-create
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ name: k-kafka-address
+ context:
+ - name: configmapns
+ variable:
+ jmesPath: request.object.metadata.namespace
+ preconditions:
+ any:
+ - key: '{{configmapns}}'
+ operator: Equals
+ value: '{{request.object.metadata.namespace}}'
+ generate:
+ generateExisting: true
+ synchronize: true
+ foreach:
+ - list: request.object.data.namespaces | split(@, ',')
+ context:
+ - name: ns
+ variable:
+ jmesPath: element
+ preconditions:
+ any:
+ - key: '{{ ns }}'
+ operator: AnyIn
+ value:
+ - foreach-existing-cpol-clone-list-sync-create-target-ns-1
+ namespace: '{{ ns }}'
+ cloneList:
+ kinds:
+ - v1/Secret
+ namespace: foreach-existing-cpol-clone-list-sync-create-existing-ns
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/1-2-policy-assert.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/1-2-policy-assert.yaml
new file mode 100755
index 0000000000..8635cd1366
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/1-2-policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: foreach-existing-cpol-clone-list-sync-create
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
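Review bot: The rule-level precondition in `cpol-clone-list-sync-create/1-1-policy.yaml` compares `{{configmapns}}` with `{{request.object.metadata.namespace}}`, which is the very expression `configmapns` is defined from, so it is always true and the rule matches a ConfigMap in any namespace. For a rule that clones Secrets, pin the trigger namespace the way `existing/cpol-data-sync-create/1-1-policy.yaml` does with `value: 'default'`; here that would be `value: foreach-existing-cpol-clone-list-sync-create-trigger-ns`. On a shared test cluster this also keeps ConfigMaps created by other tests from driving this policy.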
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/2-1-target-expected.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/2-1-target-expected.yaml
new file mode 100644
index 0000000000..2a7564c3eb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/2-1-target-expected.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: foreach-existing-cpol-clone-list-sync-create-target-ns-1
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/2-2-target-none-expected.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/2-2-target-none-expected.yaml
new file mode 100644
index 0000000000..1feef7f4af
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/2-2-target-none-expected.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-2
+ namespace: foreach-existing-cpol-clone-list-sync-create-target-ns-2
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/README.md b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/README.md
new file mode 100644
index 0000000000..afa2d4db10
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/README.md
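Review bot: The negative check in `2-2-target-none-expected.yaml` is over-specified: it lists `allowedToBeCloned: "true"` and `data`, but a `mysecret-2` wrongly cloned into `foreach-existing-cpol-clone-list-sync-create-target-ns-2` would carry the source's `allowedToBeCloned: "false"`, so, as far as chainsaw's `error` matches on the listed fields, the step passes even when the Secret has leaked. Reduce the file to `kind`, `metadata.name` and `metadata.namespace`, and add `error` checks for `mysecret-1` in `target-ns-2` and for `mysecret-2` in `target-ns-1`, so that the foreach precondition and the label selector are each tested on their own. The same kind of check that cannot fail is in `existing/cpol-data-sync-create/2-3-netpol.yaml`: it names `my-networkpolicy-0-foreach-ns-2`, but `foreach-ns-2` is the second list element, so an unwanted policy would presumably be called `my-networkpolicy-1-foreach-ns-2`.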
@@ -0,0 +1,11 @@
+## Description
+
+This test checks the generateExisting behavior for a "generate foreach cloneList" policy upon policy creation.
+
+## Expected Behavior
+
+1. when a policy is created with `generate.generateExisting: true`, expect target netpol `foreach-existing-cpol-clone-list-sync-create-target-ns-1/mysecret-1`to be created.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/chainsaw-test.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/chainsaw-test.yaml
new file mode 100755
index 0000000000..3c7c468c9b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/chainsaw-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-clone-list-sync-delete-source
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: 0-0-existing.yaml
+ - apply:
+ file: 0-1-trigger.yaml
+ - apply:
+ file: 1-1-policy.yaml
+ - assert:
+ file: 1-2-policy-assert.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: 2-1-target-expected.yaml
+ - error:
+ file: 2-2-target-none-expected.yaml
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-0-existing.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-0-existing.yaml
new file mode 100755
index 0000000000..188f6d9333
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-0-existing.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foreach-ns-2
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-deny
+ namespace: default
+data:
+ namespaces: foreach-ns-1,foreach-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-1-policy.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-1-policy.yaml
new file mode 100755
index 0000000000..cf078c5b61
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-1-policy.yaml
@@ -0,0 +1,52 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address-foreach-cpol-data-sync-create
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ name: k-kafka-address
+ context:
+ - name: configmapns
+ variable:
+ jmesPath: request.object.metadata.namespace
+ preconditions:
+ any:
+ - key: '{{configmapns}}'
+ operator: Equals
+ value: 'default'
+ generate:
+ generateExisting: true
+ synchronize: true
+ foreach:
+ - list: request.object.data.namespaces | split(@, ',')
+ context:
+ - name: ns
+ variable:
+ jmesPath: element
+ preconditions:
+ any:
+ - key: '{{ ns }}'
+ operator: AnyIn
+ value:
+ - foreach-ns-1
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: my-networkpolicy-{{ elementIndex }}-{{ ns }}
+ namespace: '{{ ns }}'
+ data:
+ metadata:
+ labels:
+ request.namespace: '{{ request.object.metadata.name }}'
+ element.namespace: '{{ ns }}'
+ element.name: '{{ element }}'
+ elementIndex: '{{ elementIndex }}'
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-2-policy-assert.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-2-policy-assert.yaml
new file mode 100755
index 0000000000..e91c4ad8fd
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-2-policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address-foreach-cpol-data-sync-create
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/2-2-netpol.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/2-2-netpol.yaml
new file mode 100755
index 0000000000..16d01b7c41
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/2-2-netpol.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: my-networkpolicy-0-foreach-ns-1
+ namespace: foreach-ns-1
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/2-3-netpol.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/2-3-netpol.yaml
new file mode 100644
index 0000000000..e42f6cff04
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/2-3-netpol.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: my-networkpolicy-0-foreach-ns-2
+ namespace: foreach-ns-2
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/README.md b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/README.md
new file mode 100644
index 0000000000..0d946e88d6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks the generateExisting behavior for a "generate foreach data" policy upon policy creation.
+
+## Expected Behavior
+
+1. when a policy is created with `generate.generateExisting: true`, expect target netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1`to be created.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/chainsaw-test.yaml b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/chainsaw-test.yaml
new file mode 100755
index 0000000000..ccf9ff415e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-create
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: 1-0-existing.yaml
+ - apply:
+ file: 1-1-policy.yaml
+ - assert:
+ file: 1-2-policy-assert.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: 2-2-netpol.yaml
+ - error:
+ file: 2-3-netpol.yaml