fix: aggregated admission report not updated correctly (#7798)

* fix: aggregated admission report not updated correctly

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

pkg/controllers/report/admission/controller.go

@@ -249,7 +249,7 @@ func (c *controller) aggregateReports(ctx context.Context, uid types.UID) (kyver
 		if aggregated.GetResourceVersion() != "" {
 			after = reportutils.DeepCopy(aggregated)
 		}
-		reportutils.SetResults(aggregated, results...)
+		reportutils.SetResults(after, results...)
 		if after.GetResourceVersion() == "" {
 			if len(results) > 0 {
 				if _, err := reportutils.CreateReport(ctx, after, c.client); err != nil {

test/conformance/kuttl/reports/admission/update/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/reports/admission/update/02-deployment-fail.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: deployment-fail.yaml
+assert:
+- deployment-fail-assert.yaml

test/conformance/kuttl/reports/admission/update/03-report-fail-assert.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- report-fail-assert.yaml

test/conformance/kuttl/reports/admission/update/04-deployment-pass.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: deployment-pass.yaml
+assert:
+- deployment-pass-assert.yaml

test/conformance/kuttl/reports/admission/update/05-report-pass-assert.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- report-pass-assert.yaml

test/conformance/kuttl/reports/admission/update/README.md

@@ -0,0 +1,14 @@
+## Description
+
+This test verifies that aggregated admission report is correctly updated when a resource changes.
+A policy in Audit mode is created.
+A deployment is created, the deployment violates the policy and we assert the admission report contains a `fail` result.
+The deployment is then updated to not violate the policy anymore and we assert the admission report changes to contain `pass` result.
+
+## Expected result
+
+When the resource does not violate the policy anymore, the result in the admission report should change from `fail` to `pass`.
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7793

test/conformance/kuttl/reports/admission/update/deployment-fail-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-dpl-1
+status:
+  observedGeneration: 1
+  updatedReplicas: 1
+  readyReplicas: 1
+  replicas: 1

test/conformance/kuttl/reports/admission/update/deployment-fail.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-dpl-1
+spec:
+  selector:
+    matchLabels:
+      app: test-dpl-1
+  template:
+    metadata:
+      labels:
+        app: test-dpl-1
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: test-container
+        image: nginx:latest

test/conformance/kuttl/reports/admission/update/deployment-pass-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-dpl-1
+status:
+  observedGeneration: 2
+  updatedReplicas: 1
+  readyReplicas: 1
+  replicas: 1

test/conformance/kuttl/reports/admission/update/deployment-pass.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-dpl-1
+spec:
+  selector:
+    matchLabels:
+      app: test-dpl-1
+  template:
+    metadata:
+      labels:
+        app: test-dpl-1
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: test-container
+        image: nginx:1.25.1

test/conformance/kuttl/reports/admission/update/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-latest-tag
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/reports/admission/update/policy.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-latest-tag
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: validate-image-tag-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "Using a mutable image tag e.g. 'latest' is not allowed."
+      pattern:
+        spec:
+          containers:
+          - image: "!*:latest"

test/conformance/kuttl/reports/admission/update/report-fail-assert.yaml

@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1alpha2
+kind: AdmissionReport
+metadata:
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: test-dpl-1
+spec:
+  results:
+  - message: 'validation error: Using a mutable image tag e.g. ''latest'' is not allowed.
+      rule autogen-validate-image-tag-pod failed at path /spec/template/spec/containers/0/image/'
+    policy: disallow-latest-tag
+    resources:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: test-dpl-1
+    result: fail
+    rule: autogen-validate-image-tag-pod
+    source: kyverno
+  summary:
+    error: 0
+    fail: 1
+    pass: 0
+    skip: 0
+    warn: 0

test/conformance/kuttl/reports/admission/update/report-pass-assert.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1alpha2
+kind: AdmissionReport
+metadata:
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: test-dpl-1
+spec:
+  results:
+  - message: validation rule 'autogen-validate-image-tag-pod' passed.
+    policy: disallow-latest-tag
+    resources:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: test-dpl-1
+    result: pass
+    rule: autogen-validate-image-tag-pod
+    source: kyverno
+  summary:
+    error: 0
+    fail: 0
+    pass: 1
+    skip: 0
+    warn: 0