chore: add more chainsaw tests for generate.foreach (#11140) (#11193)

* chore: rename tests



* tests: add cpol-data-sync-update-policy



* tests: add cpol-data-sync-update-target



* tests: add cpol-clone-sync-update-source



* tests: add cpol-clone-sync-update-target



* tests: add cpol-clone-list-sync-update-source



* tests: rename vars in cpol-clone-list-sync-update-source



* tests: add cpol-clone-list-sync-update-target



* tests: add test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create



* tests: add cpol-clone-list-sync-create



---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>

pkg/validation/policy/generate.go

@@ -51,6 +51,7 @@ func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule {
 	rule.DeepCopyInto(new)
 	new.Generation.Synchronize = true
 	new.Generation.SetData(nil)
+	new.Generation.ForEachGeneration = nil
 	new.Generation.OrphanDownstreamOnPolicyDelete = true
 	return new
 }

test/conformance/chainsaw/e2e-matrix.json

@@ -45,16 +45,16 @@
     "^generate$/^clusterpolicy$/^cornercases$/^(cpol-data-sync-to-nosync-delete-rule-deprecated|cpol-data-trigger-not-present|data-role-and-rolebinding|generate-event-upon-edit|pod-restart-on-cm-update|pod-restart-on-cm-update-deprecated|trigger-resource-name-exceeds-63-characters)\\[.*\\]$",
     "^generate$/^clusterpolicy$/^standard$/^clone$/^multiple$/^sync$/^(basic-create)\\[.*\\]$",
     "^generate$/^clusterpolicy$/^standard$/^clone$/^nosync$/^(cpol-clone-nosync-create|cpol-clone-nosync-delete-downstream|cpol-clone-nosync-delete-policy|cpol-clone-nosync-delete-rule|cpol-clone-nosync-delete-source|cpol-clone-nosync-delete-trigger|cpol-clone-nosync-modify-downstream|cpol-clone-nosync-modify-source|cpol-clone-nosync-update-trigger-no-match)\\[.*\\]$",
-    "^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-list-sync-create|cpol-clone-list-sync-create-deprecated|cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update|cpol-clone-list-sync-update-deprecated|cpol-clone-sync-create|cpol-clone-sync-delete-downstream|cpol-clone-sync-delete-policy|cpol-clone-sync-delete-rule|cpol-clone-sync-delete-source|cpol-clone-sync-delete-trigger|cpol-clone-sync-existing-update-trigger-no-precondition|cpol-clone-sync-existing-update-trigger-no-precondition-deprecated|cpol-clone-sync-modify-downstream|cpol-clone-sync-modify-downstream-apply|cpol-clone-sync-modify-source|cpol-clone-sync-no-existing-update-trigger-no-precondition|cpol-clone-sync-update-trigger-no-match)\\[.*\\]$",
+    "^generate$/^clusterpolicy$/^standard$/^clone$/^sync$/^(cpol-clone-list-sync-create|cpol-clone-list-sync-create-deprecated|cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update-deprecated|cpol-clone-list-sync-update-source|cpol-clone-sync-create|cpol-clone-sync-delete-downstream|cpol-clone-sync-delete-policy|cpol-clone-sync-delete-rule|cpol-clone-sync-delete-source|cpol-clone-sync-delete-trigger|cpol-clone-sync-existing-update-trigger-no-precondition|cpol-clone-sync-existing-update-trigger-no-precondition-deprecated|cpol-clone-sync-modify-downstream|cpol-clone-sync-modify-downstream-apply|cpol-clone-sync-modify-source|cpol-clone-sync-no-existing-update-trigger-no-precondition|cpol-clone-sync-update-trigger-no-match)\\[.*\\]$",
     "^generate$/^clusterpolicy$/^standard$/^data$/^nosync$/^(cpol-data-nosync-delete-downstream|cpol-data-nosync-delete-policy|cpol-data-nosync-delete-rule|cpol-data-nosync-delete-trigger|cpol-data-nosync-modify-downstream|cpol-data-nosync-modify-rule|cpol-data-nosync-update-trigger-no-match|generate-on-subresource-trigger)\\[.*\\]$",
     "^generate$/^clusterpolicy$/^standard$/^data$/^nosync-deprecated$/^(cpol-data-nosync-delete-downstream|cpol-data-nosync-delete-policy|cpol-data-nosync-delete-rule|cpol-data-nosync-modify-downstream|cpol-data-nosync-modify-rule|generate-on-subresource-trigger)\\[.*\\]$",
     "^generate$/^clusterpolicy$/^standard$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-downstream|cpol-data-sync-delete-one-trigger|cpol-data-sync-delete-policy|cpol-data-sync-delete-rule|cpol-data-sync-delete-trigger|cpol-data-sync-existing-update-trigger-no-precondition|cpol-data-sync-modify-downstream|cpol-data-sync-modify-policy|cpol-data-sync-modify-rule|cpol-data-sync-mutate-and-generate|cpol-data-sync-no-existing-update-trigger-no-precondition|cpol-data-sync-orphan-downstream-delete-policy|cpol-data-sync-update-trigger-no-match)\\[.*\\]$",
     "^generate$/^clusterpolicy$/^standard$/^data$/^sync-deprecated$/^(cpol-data-sync-create|cpol-data-sync-delete-downstream|cpol-data-sync-delete-policy|cpol-data-sync-delete-rule|cpol-data-sync-existing-update-trigger-no-precondition|cpol-data-sync-modify-downstream|cpol-data-sync-modify-rule|cpol-data-sync-orphan-downstream-delete-policy)\\[.*\\]$",
     "^generate$/^clusterpolicy$/^standard$/^existing$/^(different-configurations-for-generate-existing|different-generate-existing-values|different-generate-existing-values-reorder|existing-basic-add-rule-data|existing-basic-create-policy-data|existing-basic-create-policy-preconditions-data|existing-with-wildcard-name-matching)\\[.*\\]$",
     "^generate$/^clusterpolicy$/^standard$/^existing-deprecated$/^(existing-basic-add-rule-data|existing-basic-create-policy-data|existing-basic-create-policy-preconditions-data)\\[.*\\]$",
-    "^generate$/^foreach$/^clusterpolicy$/^clone$/^sync$/^(cpol-clone-list-sync-delete-source|cpol-clone-sync-create|cpol-clone-sync-create-delete-source)\\[.*\\]$",
+    "^generate$/^foreach$/^clusterpolicy$/^clone$/^sync$/^(cpol-clone-list-sync-delete-source|cpol-clone-list-sync-update-source|cpol-clone-list-sync-update-target|cpol-clone-sync-create|cpol-clone-sync-create-delete-source|cpol-clone-sync-update-source|cpol-clone-sync-update-target)\\[.*\\]$",
-    "^generate$/^foreach$/^clusterpolicy$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-policy)\\[.*\\]$",
+    "^generate$/^foreach$/^clusterpolicy$/^data$/^sync$/^(cpol-data-sync-create|cpol-data-sync-delete-policy|cpol-data-sync-update-policy|cpol-data-sync-update-target)\\[.*\\]$",
-    "^generate$/^foreach$/^existing$/^(cpol-clone-sync-create)\\[.*\\]$",
+    "^generate$/^foreach$/^existing$/^(cpol-clone-list-sync-create|cpol-clone-sync-create|cpol-data-sync-create)\\[.*\\]$",
     "^generate$/^policy$/^cornercases$/^(pol-clone-create-on-trigger-deletion|pol-clone-sync-create-source-after-policy|pol-data-create-on-trigger-deletion)\\[.*\\]$",
     "^generate$/^policy$/^standard$/^clone$/^nosync$/^(pol-clone-nosync-create|pol-clone-nosync-delete-downstream|pol-clone-nosync-delete-policy|pol-clone-nosync-delete-rule|pol-clone-nosync-delete-source|pol-clone-nosync-delete-trigger|pol-clone-nosync-invalid|pol-clone-nosync-modify-downstream|pol-clone-nosync-modify-source|pol-clone-nosync-update-trigger-no-match)\\[.*\\]$",
     "^generate$/^policy$/^standard$/^clone$/^sync$/^(pol-clone-sync-delete-downstream|pol-clone-sync-delete-policy|pol-clone-sync-delete-rule|pol-clone-sync-delete-source|pol-clone-sync-delete-trigger|pol-clone-sync-invalid|pol-clone-sync-modify-downstream|pol-clone-sync-modify-source|pol-clone-sync-update-trigger-no-match)\\[.*\\]$",

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-0-existing.yaml

@@ -0,0 +1,58 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:cpol-clone-list-sync-update-source
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-cpol-clone-list-sync-update-source-existing-ns
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-1
+  namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "false"
+    location: europe
+  name: mysecret-2
+  namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
+type: Opaque
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-cpol-clone-list-sync-update-source-target-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-cpol-clone-list-sync-update-source-target-ns-2
+

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-1-policy.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-clone-list-sync-update-source
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    context:
+    - name: configmapns
+      variable:
+        jmesPath: request.object.metadata.namespace
+    preconditions:
+      any:
+      - key: '{{configmapns}}'
+        operator: Equals
+        value: '{{request.object.metadata.namespace}}'
+    generate:
+      generateExisting: false
+      synchronize: true
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-cpol-clone-list-sync-update-source-target-ns-1
+          namespace: '{{ ns }}'
+          cloneList:
+            kinds:
+            - v1/Secret
+            namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
+            selector:
+              matchLabels:
+                allowedToBeCloned: "true"

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/1-2-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-clone-list-sync-update-source
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/2-1-trigger.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-cpol-clone-list-sync-update-source-trigger-ns
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: foreach-cpol-clone-list-sync-update-source-trigger-ns
+data:
+  namespaces: foreach-cpol-clone-list-sync-update-source-target-ns-1,foreach-cpol-clone-list-sync-update-source-target-ns-2

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/3-1-target-expected.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-1
+  namespace: foreach-cpol-clone-list-sync-update-source-target-ns-1
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/3-2-target-none-expected.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-2
+  namespace: foreach-cpol-clone-list-sync-update-source-target-ns-2
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/4-1-update-source.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  foo: bm90LWJhcg==
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-1
+  namespace: foreach-cpol-clone-list-sync-update-source-existing-ns
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/4-2-updated-target.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  foo: bm90LWJhcg==
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-1
+  namespace: foreach-cpol-clone-list-sync-update-source-target-ns-1
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test checks the synchronize behavior for a "generate foreach cloneList" policy upon source changes.
+
+## Expected Behavior
+
+1. trigger the standard policy, expect a secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1` to be cloned.
+2. update the source secret, expect changes to be synced to the cloned secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-source/chainsaw-test.yaml

@@ -0,0 +1,31 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-clone-list-sync-delete-source
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: 1-0-existing.yaml
+    - apply:
+        file: 1-1-policy.yaml
+    - assert:
+        file: 1-2-policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: 2-1-trigger.yaml
+  - name: step-03
+    try:
+    - assert:
+        file: 3-1-target-expected.yaml
+    - error:
+        file: 3-2-target-none-expected.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: 4-1-update-source.yaml
+    - assert:
+        file: 4-2-updated-target.yaml

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-0-existing.yaml

@@ -0,0 +1,58 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:cpol-clone-list-sync-update-target
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-cpol-clone-list-sync-update-target-existing-ns
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-1
+  namespace: foreach-cpol-clone-list-sync-update-target-existing-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "false"
+    location: europe
+  name: mysecret-2
+  namespace: foreach-cpol-clone-list-sync-update-target-existing-ns
+type: Opaque
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-cpol-clone-list-sync-update-target-target-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-cpol-clone-list-sync-update-target-target-ns-2
+

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-1-policy.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-clone-list-sync-update-target
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    context:
+    - name: configmapns
+      variable:
+        jmesPath: request.object.metadata.namespace
+    preconditions:
+      any:
+      - key: '{{configmapns}}'
+        operator: Equals
+        value: '{{request.object.metadata.namespace}}'
+    generate:
+      generateExisting: false
+      synchronize: true
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-cpol-clone-list-sync-update-target-target-ns-1
+          namespace: '{{ ns }}'
+          cloneList:
+            kinds:
+            - v1/Secret
+            namespace: foreach-cpol-clone-list-sync-update-target-existing-ns
+            selector:
+              matchLabels:
+                allowedToBeCloned: "true"

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/1-2-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-clone-list-sync-update-target
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/2-1-trigger.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-cpol-clone-list-sync-update-target-trigger-ns
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: foreach-cpol-clone-list-sync-update-target-trigger-ns
+data:
+  namespaces: foreach-cpol-clone-list-sync-update-target-target-ns-1,foreach-cpol-clone-list-sync-update-target-target-ns-2

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/3-1-target-expected.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-1
+  namespace: foreach-cpol-clone-list-sync-update-target-target-ns-1
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/4-1-update-target.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  foo: bm90LWJhcg==
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-1
+  namespace: foreach-cpol-clone-list-sync-update-target-target-ns-1
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test checks the synchronize behavior for a "generate foreach cloneList" policy upon target changes.
+
+## Expected Behavior
+
+1. trigger the standard policy, expect a secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1` to be cloned.
+2. update the target cloned secret, expect changes to be reverted to the cloned secret `foreach-cpol-clone-list-sync-delete-source-target-ns-1/mysecret-1`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-list-sync-update-target/chainsaw-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-clone-list-sync-delete-source
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: 1-0-existing.yaml
+    - apply:
+        file: 1-1-policy.yaml
+    - assert:
+        file: 1-2-policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: 2-1-trigger.yaml
+  - name: step-03
+    try:
+    - assert:
+        file: 3-1-target-expected.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: 4-1-update-target.yaml
+    - assert:
+        file: 3-1-target-expected.yaml

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/1-1-source.yaml

@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:cpol-clone-sync-update-source
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-ns-2
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: source-secret
+  namespace: default
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/2-1-policy.yaml

@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-clone-sync-update-source
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    context:
+    - name: configmapns
+      variable:
+        jmesPath: request.object.metadata.namespace
+    preconditions:
+      any:
+      - key: '{{configmapns}}'
+        operator: Equals
+        value: 'default'
+    generate:
+      generateExisting: false
+      synchronize: true
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-ns-1
+          apiVersion: v1
+          kind: Secret
+          name: cloned-secret-{{ elementIndex }}-{{ ns }}
+          namespace: '{{ ns }}'
+          clone:
+            namespace: default
+            name: source-secret

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/2-2-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-clone-sync-update-source
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/3-1-trigger.yaml

@@ -0,0 +1,8 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: default
+data:
+  namespaces: foreach-ns-1,foreach-ns-2
+  fo: bar

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/4-1-cloned-target.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: cloned-secret-0-foreach-ns-1
+  namespace: foreach-ns-1
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/4-2-no-cloned-target.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: cloned-secret-0-foreach-ns-2
+  namespace: foreach-ns-2
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/5-1-update-source.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: bm90LWJhcg==
+kind: Secret
+metadata:
+  name: source-secret
+  namespace: default
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/5-2-updated-target.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: bm90LWJhcg==
+kind: Secret
+metadata:
+  name: cloned-secret-0-foreach-ns-1
+  namespace: foreach-ns-1
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test checks the synchronize behavior for a "generate foreach clone" policy upon source changes.
+
+## Expected Behavior
+
+1. trigger the standard policy, expect a secret `foreach-ns-1/cloned-secret-0-foreach-ns-1` to be cloned.
+2. update the source secret, expect changes to be synced to the target secret `foreach-ns-1/cloned-secret-0-foreach-ns-1`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-source/chainsaw-test.yaml

@@ -0,0 +1,34 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-data-sync-create
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: 1-1-source.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: 2-1-policy.yaml
+    - assert:
+        file: 2-2-policy-assert.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: 3-1-trigger.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: 4-1-cloned-target.yaml
+    - error:
+        file: 4-2-no-cloned-target.yaml
+  - name: step-05
+    try:
+    - apply:
+        file: 5-1-update-source.yaml
+    - assert:
+        file: 5-2-updated-target.yaml
+    

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/1-1-source.yaml

@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:cpol-clone-sync-update-target
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-ns-2
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: source-secret
+  namespace: default
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/2-1-policy.yaml

@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-clone-sync-update-target
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    context:
+    - name: configmapns
+      variable:
+        jmesPath: request.object.metadata.namespace
+    preconditions:
+      any:
+      - key: '{{configmapns}}'
+        operator: Equals
+        value: 'default'
+    generate:
+      generateExisting: false
+      synchronize: true
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-ns-1
+          apiVersion: v1
+          kind: Secret
+          name: cloned-secret-{{ elementIndex }}-{{ ns }}
+          namespace: '{{ ns }}'
+          clone:
+            namespace: default
+            name: source-secret

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/2-2-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-clone-sync-update-target
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/3-1-trigger.yaml

@@ -0,0 +1,8 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: default
+data:
+  namespaces: foreach-ns-1,foreach-ns-2
+  fo: bar

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/4-1-cloned-target.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: cloned-secret-0-foreach-ns-1
+  namespace: foreach-ns-1
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/5-1-update-target.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: bm90LWJhcg==
+kind: Secret
+metadata:
+  name: cloned-secret-0-foreach-ns-1
+  namespace: foreach-ns-1
+type: Opaque

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test checks the synchronize behavior for a "generate foreach clone" policy upon target changes.
+
+## Expected Behavior
+
+1. trigger the standard policy, expect a secret `foreach-ns-1/cloned-secret-0-foreach-ns-1` to be cloned.
+2. update the cloned secret, expect changes to be reverted to the cloned secret `foreach-ns-1/cloned-secret-0-foreach-ns-1`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542

test/conformance/chainsaw/generate/foreach/clusterpolicy/clone/sync/cpol-clone-sync-update-target/chainsaw-test.yaml

@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-data-sync-create
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: 1-1-source.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: 2-1-policy.yaml
+    - assert:
+        file: 2-2-policy-assert.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: 3-1-trigger.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: 4-1-cloned-target.yaml
+  - name: step-05
+    try:
+    - apply:
+        file: 5-1-update-target.yaml
+    - assert:
+        file: 4-1-cloned-target.yaml
+    

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/1-1-policy.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-data-sync-update-policy
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    generate:
+      generateExisting: false
+      synchronize: true
+      orphanDownstreamOnPolicyDelete: false
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-ns-1
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: my-networkpolicy-{{ elementIndex }}-{{ ns }}
+          namespace: '{{ ns }}'
+          data:
+            metadata:
+              labels:
+                request.namespace: '{{ request.object.metadata.name }}'
+                element.namespace: '{{ ns }}'
+                element.name: '{{ element }}'
+                elementIndex: '{{ elementIndex }}'
+            spec:
+              podSelector: {}
+              policyTypes:
+              - Ingress
+              - Egress

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/1-2-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-data-sync-update-policy
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/2-1-trigger.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-ns-1
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: default
+data:
+  namespaces: foreach-ns-1

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/2-2-netpol.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: my-networkpolicy-0-foreach-ns-1
+  namespace: foreach-ns-1
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/3-1-update-policy.yaml

@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-data-sync-update-policy
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    generate:
+      generateExisting: false
+      synchronize: true
+      orphanDownstreamOnPolicyDelete: false
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-ns-1
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: my-networkpolicy-{{ elementIndex }}-{{ ns }}-new
+          namespace: '{{ ns }}'
+          data:
+            metadata:
+              labels:
+                request.namespace: '{{ request.object.metadata.name }}'
+                element.namespace: '{{ ns }}'
+                element.name: '{{ element }}'
+                elementIndex: '{{ elementIndex }}'
+            spec:
+              podSelector: {}
+              policyTypes:
+              - Ingress

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/3-2-netpol.yaml

@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: my-networkpolicy-0-foreach-ns-1-new
+  namespace: foreach-ns-1
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/4-1-update-policy.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-data-sync-update-policy
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    generate:
+      generateExisting: false
+      synchronize: true
+      orphanDownstreamOnPolicyDelete: false
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-ns-1
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: my-networkpolicy-{{ elementIndex }}-{{ ns }}-new
+          namespace: '{{ ns }}'
+          data:
+            metadata:
+              labels:
+                request.namespace: '{{ request.object.metadata.name }}'
+                element.namespace: '{{ ns }}'
+                element.name: '{{ element }}'
+                elementIndex: '{{ elementIndex }}'
+            spec:
+              podSelector: {}
+              policyTypes:
+              - Ingress
+              - Egress

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/4-2-netpol.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: my-networkpolicy-0-foreach-ns-1-new
+  namespace: foreach-ns-1
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/README.md

@@ -0,0 +1,13 @@
+## Description
+
+This test checks the synchronize behavior for a "generate foreach data" policy upon policy changes.
+
+## Expected Behavior
+
+1. create the standard policy, expect a netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1` to be created.
+2. change the target name in `spec.rules.generate.foreach.name`, expect a new netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new` to be created.
+3. change the data block in `spec.rules.generate.foreach.data`, expect the above netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new` to be updated.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-policy/chainsaw-test.yaml

@@ -0,0 +1,35 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-data-sync-create
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: 1-1-policy.yaml
+    - assert:
+        file: 1-2-policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: 2-1-trigger.yaml
+    - assert:
+        file: 2-2-netpol.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: 3-1-update-policy.yaml
+    - assert:
+        file: 1-2-policy-assert.yaml
+    - assert:
+        file: 3-2-netpol.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: 4-1-update-policy.yaml
+    - assert:
+        file: 1-2-policy-assert.yaml
+    - assert:
+        file: 4-2-netpol.yaml

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/1-1-policy.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-data-sync-update-policy
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    generate:
+      generateExisting: false
+      synchronize: true
+      orphanDownstreamOnPolicyDelete: false
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-ns-1
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: my-networkpolicy-{{ elementIndex }}-{{ ns }}
+          namespace: '{{ ns }}'
+          data:
+            metadata:
+              labels:
+                request.namespace: '{{ request.object.metadata.name }}'
+                element.namespace: '{{ ns }}'
+                element.name: '{{ element }}'
+                elementIndex: '{{ elementIndex }}'
+            spec:
+              podSelector: {}
+              policyTypes:
+              - Ingress
+              - Egress

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/1-2-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-data-sync-update-policy
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/2-1-trigger.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-ns-1
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: default
+data:
+  namespaces: foreach-ns-1

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/2-2-netpol.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: my-networkpolicy-0-foreach-ns-1
+  namespace: foreach-ns-1
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/3-1-update-target.yaml

@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: my-networkpolicy-0-foreach-ns-1
+  namespace: foreach-ns-1
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test checks the synchronize behavior for a "generate foreach data" policy upon target changes.
+
+## Expected Behavior
+
+1. create the standard policy, expect a netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1` to be created.
+2. change the target resource, expect changes in netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1-new` to be reverted.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542

test/conformance/chainsaw/generate/foreach/clusterpolicy/data/sync/cpol-data-sync-update-target/chainsaw-test.yaml

@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-data-sync-create
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: 1-1-policy.yaml
+    - assert:
+        file: 1-2-policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: 2-1-trigger.yaml
+    - assert:
+        file: 2-2-netpol.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: 3-1-update-target.yaml
+    - assert:
+        file: 2-2-netpol.yaml

test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/0-0-existing.yaml

@@ -0,0 +1,58 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:cpol-clone-list-sync-create
+  labels:
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-existing-cpol-clone-list-sync-create-existing-ns
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-1
+  namespace: foreach-existing-cpol-clone-list-sync-create-existing-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "false"
+    location: europe
+  name: mysecret-2
+  namespace: foreach-existing-cpol-clone-list-sync-create-existing-ns
+type: Opaque
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-existing-cpol-clone-list-sync-create-target-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-existing-cpol-clone-list-sync-create-target-ns-2
+

test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/0-1-trigger.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-existing-cpol-clone-list-sync-create-trigger-ns
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: foreach-existing-cpol-clone-list-sync-create-trigger-ns
+data:
+  namespaces: foreach-existing-cpol-clone-list-sync-create-target-ns-1,foreach-existing-cpol-clone-list-sync-create-target-ns-2

test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/1-1-policy.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-existing-cpol-clone-list-sync-create
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    context:
+    - name: configmapns
+      variable:
+        jmesPath: request.object.metadata.namespace
+    preconditions:
+      any:
+      - key: '{{configmapns}}'
+        operator: Equals
+        value: '{{request.object.metadata.namespace}}'
+    generate:
+      generateExisting: true
+      synchronize: true
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-existing-cpol-clone-list-sync-create-target-ns-1
+          namespace: '{{ ns }}'
+          cloneList:
+            kinds:
+            - v1/Secret
+            namespace: foreach-existing-cpol-clone-list-sync-create-existing-ns
+            selector:
+              matchLabels:
+                allowedToBeCloned: "true"

test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/1-2-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: foreach-existing-cpol-clone-list-sync-create
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/2-1-target-expected.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-1
+  namespace: foreach-existing-cpol-clone-list-sync-create-target-ns-1
+type: Opaque

test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/2-2-target-none-expected.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  labels:
+    allowedToBeCloned: "true"
+    location: europe
+  name: mysecret-2
+  namespace: foreach-existing-cpol-clone-list-sync-create-target-ns-2
+type: Opaque

test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks the generateExisting behavior for a "generate foreach cloneList" policy upon policy creation.
+
+## Expected Behavior
+
+1. when a policy is created with `generate.generateExisting: true`, expect target netpol `foreach-existing-cpol-clone-list-sync-create-target-ns-1/mysecret-1`to be created.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542

test/conformance/chainsaw/generate/foreach/existing/cpol-clone-list-sync-create/chainsaw-test.yaml

@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-clone-list-sync-delete-source
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: 0-0-existing.yaml
+    - apply:
+        file: 0-1-trigger.yaml
+    - apply:
+        file: 1-1-policy.yaml
+    - assert:
+        file: 1-2-policy-assert.yaml
+  - name: step-02
+    try:
+    - assert:
+        file: 2-1-target-expected.yaml
+    - error:
+        file: 2-2-target-none-expected.yaml

test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-0-existing.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foreach-ns-2
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: default
+data:
+  namespaces: foreach-ns-1,foreach-ns-2

test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-1-policy.yaml

@@ -0,0 +1,52 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: zk-kafka-address-foreach-cpol-data-sync-create
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    context:
+    - name: configmapns
+      variable:
+        jmesPath: request.object.metadata.namespace
+    preconditions:
+      any:
+      - key: '{{configmapns}}'
+        operator: Equals
+        value: 'default'
+    generate:
+      generateExisting: true
+      synchronize: true
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-ns-1
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: my-networkpolicy-{{ elementIndex }}-{{ ns }}
+          namespace: '{{ ns }}'
+          data:
+            metadata:
+              labels:
+                request.namespace: '{{ request.object.metadata.name }}'
+                element.namespace: '{{ ns }}'
+                element.name: '{{ element }}'
+                elementIndex: '{{ elementIndex }}'
+            spec:
+              podSelector: {}
+              policyTypes:
+              - Ingress
+              - Egress

test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/1-2-policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: zk-kafka-address-foreach-cpol-data-sync-create
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/2-2-netpol.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: my-networkpolicy-0-foreach-ns-1
+  namespace: foreach-ns-1
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/2-3-netpol.yaml

@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: my-networkpolicy-0-foreach-ns-2
+  namespace: foreach-ns-2
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks the generateExisting behavior for a "generate foreach data" policy upon policy creation.
+
+## Expected Behavior
+
+1. when a policy is created with `generate.generateExisting: true`, expect target netpol `foreach-ns-1/my-networkpolicy-0-foreach-ns-1`to be created.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/3542

test/conformance/chainsaw/generate/foreach/existing/cpol-data-sync-create/chainsaw-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-data-sync-create
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: 1-0-existing.yaml
+    - apply:
+        file: 1-1-policy.yaml
+    - assert:
+        file: 1-2-policy-assert.yaml
+  - name: step-02
+    try:
+    - assert:
+        file: 2-2-netpol.yaml
+    - error:
+        file: 2-3-netpol.yaml