From e20745b01de5947b8811ff6ad14d15b4a87fcb28 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy <55502281+MariamFahmy98@users.noreply.github.com> Date: Mon, 10 Jul 2023 14:22:28 +0300 Subject: [PATCH] feat: add events for successful generation (#7550) * feat: add events for successful generation Signed-off-by: Mariam Fahmy * fix Signed-off-by: Mariam Fahmy * fix Signed-off-by: Mariam Fahmy * modify generate events messages Signed-off-by: Mariam Fahmy * fix: modify mutate event messages Signed-off-by: Mariam Fahmy * feat: add kuttl tests Signed-off-by: Mariam Fahmy * fix Signed-off-by: Mariam Fahmy * add kuttl test for skip generation Signed-off-by: Mariam Fahmy * Add kuttl test for failures Signed-off-by: Mariam Fahmy --------- 
Signed-off-by: Mariam Fahmy --- pkg/background/generate/generate.go | 16 +- pkg/event/events.go | 32 ++- .../01-policy.yaml | 6 + .../02-resource.yaml | 4 + .../03-sleep.yaml | 5 + .../04-event.yaml | 5 + .../README.md | 14 ++ .../policy-assert.yaml | 10 + .../policy-event.yaml | 13 + .../policy.yaml | 35 +++ .../resource-event.yaml | 13 + .../resource.yaml | 4 + .../01-policy.yaml | 6 + .../02-resource.yaml | 4 + .../03-event.yaml | 4 + .../README.md | 11 + .../event-assert.yaml | 12 + .../policy-assert.yaml | 10 + .../policy.yaml | 17 ++ .../resource.yaml | 6 + .../01-crd.yaml | 234 ++++++++++++++++++ .../02-policy.yaml | 6 + .../03-resource.yaml | 4 + .../04-event.yaml | 5 + .../no-events-upon-fail-generation/event.yaml | 10 + .../policy-assert.yaml | 10 + .../policy.yaml | 26 ++ .../resource.yaml | 4 + .../01-policy.yaml | 6 + .../02-resource.yaml | 4 + .../03-event.yaml | 4 + .../no-events-upon-skip-generation/README.md | 11 + .../no-events-upon-skip-generation/event.yaml | 10 + .../policy-assert.yaml | 10 + .../policy.yaml | 30 +++ .../resource.yaml | 4 + 36 files changed, 601 insertions(+), 4 deletions(-) create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/03-sleep.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/04-event.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/README.md create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-assert.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-event.yaml create mode 100644 
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource-event.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/README.md create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/event-assert.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy-assert.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/resource.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/01-crd.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/02-policy.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/03-resource.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/04-event.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/event.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy-assert.yaml create mode 100644 
test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/resource.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/README.md create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/event.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy-assert.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy.yaml create mode 100644 test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/resource.yaml diff --git a/pkg/background/generate/generate.go b/pkg/background/generate/generate.go index c10b6b70dc..65a196fec4 100644 --- a/pkg/background/generate/generate.go +++ b/pkg/background/generate/generate.go 
@@ -252,7 +252,21 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u
 }
 // Apply the generate rule on resource
- return c.ApplyGeneratePolicy(logger, policyContext, ur, applicableRules)
+ genResources, err := c.ApplyGeneratePolicy(logger, policyContext, ur, applicableRules)
+
+ // generate events.
+ if err == nil {
+ for _, res := range genResources {
+ e := event.NewResourceGenerationEvent(ur.Spec.Policy, ur.Spec.Rule, event.GeneratePolicyController, res)
+ c.eventGen.Add(e)
+ }
+
+ unstructuredPol := kubeutils.NewUnstructured("kyverno.io/v1", policy.GetKind(), policy.GetNamespace(), policy.GetName())
+ e := event.NewBackgroundSuccessEvent(ur.Spec.Policy, ur.Spec.Rule, event.GeneratePolicyController, unstructuredPol)
+ c.eventGen.Add(e...)
+ }
+
+ return genResources, err
 }
 // getPolicySpec gets the policy spec from the ClusterPolicy/Policy
diff --git a/pkg/event/events.go b/pkg/event/events.go
index fbbd6b926c..247c17cedf 100644
--- a/pkg/event/events.go
+++ b/pkg/event/events.go
@@ -52,10 +52,18 @@ func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineRespons
 var bldr strings.Builder
 defer bldr.Reset()
+ var res string
 if resource.GetNamespace() != "" {
- fmt.Fprintf(&bldr, "%s %s/%s: pass", resource.GetKind(), resource.GetNamespace(), resource.GetName())
+ res = fmt.Sprintf("%s %s/%s", resource.GetKind(), resource.GetNamespace(), resource.GetName())
 } else {
- fmt.Fprintf(&bldr, "%s %s: pass", resource.GetKind(), resource.GetName())
+ res = fmt.Sprintf("%s %s", resource.GetKind(), resource.GetName())
+ }
+
+ hasValidate := engineResponse.Policy().GetSpec().HasValidate()
+ if hasValidate {
+ fmt.Fprintf(&bldr, "%s: pass", res)
+ } else {
+ fmt.Fprintf(&bldr, "%s is successfully mutated", res)
 }
 return Info{
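Review bot: The policy-level success event is emitted whenever `err == nil`, including when `genResources` is empty, so a run that generated nothing would still record a "resource generated" event on the policy; unless an earlier branch of applyGenerate (which starts before this hunk) already returns for that case, tighten the guard to `if err == nil && len(genResources) > 0 {`. The apiVersion handed to `kubeutils.NewUnstructured` is the literal `"kyverno.io/v1"` rather than anything taken from `policy`; that is correct for both Policy and ClusterPolicy today, but a one-line comment such as `// both Policy and ClusterPolicy live in kyverno.io/v1; only used as the event's involvedObject` would stop a reader from treating it as a bug. This also adds one event per generated resource plus one per policy for every UR, so on triggers that fan out to many resources the event volume grows accordingly; presumably the event generator's aggregation absorbs that, but it is worth confirming.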
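Review bot: The new `else` branch reports "is successfully mutated" for every policy that has no validate rules, so an applied verifyImages or generate policy would also be described as a mutation, and a policy with both validate and mutate rules is only ever reported as "pass". Branch on the spec's `HasMutate()` as well and fall back to a neutral message for everything else, as below. The function's signature and the `return Info{` tail lie outside the hunk.
```go
	spec := engineResponse.Policy().GetSpec()
	switch {
	case spec.HasValidate():
		fmt.Fprintf(&bldr, "%s: pass", res)
	case spec.HasMutate():
		fmt.Fprintf(&bldr, "%s is successfully mutated", res)
	default:
		fmt.Fprintf(&bldr, "%s: policy applied", res)
	}
	// … unchanged: return Info{ … } …
```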
@@ -86,6 +94,19 @@ func NewResourceViolationEvent(source Source, reason Reason, engineResponse engi
 }
 }
+func NewResourceGenerationEvent(policy, rule string, source Source, resource kyvernov1.ResourceSpec) Info {
+ msg := fmt.Sprintf("Created %s %s as a result of applying policy %s/%s", resource.GetKind(), resource.GetName(), policy, rule)
+
+ return Info{
+ Kind: resource.GetKind(),
+ Namespace: resource.GetNamespace(),
+ Name: resource.GetName(),
+ Source: source,
+ Reason: PolicyApplied,
+ Message: msg,
+ }
+}
+
 func NewBackgroundFailedEvent(err error, policy, rule string, source Source, r *unstructured.Unstructured) []Info {
 if r == nil {
 return nil
@@ -110,7 +131,12 @@ func NewBackgroundSuccessEvent(policy, rule string, source Source, r *unstructur
 }
 var events []Info
- msg := fmt.Sprintf("policy %s/%s applied", policy, rule)
+ msg := "resource generated"
+
+ if source == MutateExistingController {
+ msg = "resource mutated"
+ }
+
 events = append(events, Info{
 Kind: r.GetKind(),
 Namespace: r.GetNamespace(),
diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml
new file mode 100644
index 0000000000..94a47ca2d1
--- /dev/null
+++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml
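Review bot: NewResourceGenerationEvent is exported but carries no doc comment; add `// NewResourceGenerationEvent returns the PolicyApplied event recorded on a resource that the given policy rule generated.` above the declaration. The message identifies the resource by kind and name only, although the Info already carries `resource.GetNamespace()`; for namespaced kinds a reader of the policy's event stream cannot tell which namespace's object was created, so format it as `Created %s %s/%s as a result of applying policy %s/%s` when the namespace is non-empty, matching the `%s %s/%s` form NewPolicyAppliedEvent uses in this file.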
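Review bot: Replacing `policy %s/%s applied` with the fixed string "resource generated" removes the rule name from the event recorded on the policy object, so an operator auditing events can no longer tell which rule a success refers to, and `policy` and `rule` look unused in the message now (the function continues outside the hunk, so they may still be used further down). Consider `msg := fmt.Sprintf("resource generated by rule %s", rule)` and the corresponding "resource mutated by rule %s"; note that generate-events-upon-successful-generation/policy-event.yaml in this same commit pins `message: resource generated` and would need to follow. The `source == MutateExistingController` test also means any other source value silently reports "resource generated", which is worth a comment or an explicit `GeneratePolicyController` case.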
@@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- resource.yaml diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/03-sleep.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/03-sleep.yaml new file mode 100644 index 0000000000..fe3b8abbcb --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/03-sleep.yaml @@ -0,0 +1,5 @@ +# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run. +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: sleep 3 \ No newline at end of file diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/04-event.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/04-event.yaml new file mode 100644 index 0000000000..eb4068d392 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/04-event.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +assert: +- policy-event.yaml +- resource-event.yaml diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/README.md b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/README.md new file mode 100644 index 0000000000..0da4c4dc51 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/README.md 
@@ -0,0 +1,14 @@ +## Description + +This test creates a generate policy, and the trigger resource (namespace). +Two events are generated: +1. An event for the policy to indicate that a new resource is generated. +2. An event for the generated resource itself. + +## Steps + +1. - Create a generate policy + - Assert the policy becomes ready +2. Create the namespace. +3. - An event is created for the policy with message "resource generated" + - An event is created for the generated resource. diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-assert.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-assert.yaml new file mode 100644 index 0000000000..8598c5b56d --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-event.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-event.yaml new file mode 100644 index 0000000000..3508a9033d --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-event.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: zk-kafka-address +type: Normal +message: resource generated +reason: PolicyApplied +source: + component: kyverno-generate 
diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy.yaml new file mode 100644 index 0000000000..1038f1c5f2 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + # generate the resource in the new namespace + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource-event.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource-event.yaml new file mode 100644 index 0000000000..baab8908c6 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource-event.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Event +metadata: + namespace: test-ns +involvedObject: + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: test-ns +type: Normal +reason: PolicyApplied +source: + component: kyverno-generate 
diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource.yaml new file mode 100644 index 0000000000..bdf2ddb764 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-ns diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml new file mode 100644 index 0000000000..94a47ca2d1 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- resource.yaml diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml new file mode 100644 index 0000000000..8a8e26b38a --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +assert: +- event-assert.yaml 
diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/README.md b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/README.md new file mode 100644 index 0000000000..04cedd7b27 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/README.md @@ -0,0 +1,11 @@ +## Description + +This test creates a mutate policy which adds labels to the newly created config maps. +An event is generated upon successful generation. + +## Steps + +1. - Create a mutate policy + - Assert the policy becomes ready +2. Create a configmap. +3. An event is created with a message indicating that the config map is successfully mutated. diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/event-assert.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/event-assert.yaml new file mode 100644 index 0000000000..2d11cfe270 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/event-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: add-labels +type: Normal +reason: PolicyApplied +source: + component: kyverno-admission diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy-assert.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy-assert.yaml new file mode 100644 index 0000000000..721c465283 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy.yaml new file mode 100644 index 0000000000..aa0f7068ff --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy.yaml @@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +spec: + rules: + - name: add-foo + match: + any: + - resources: + kinds: + - ConfigMap + mutate: + patchStrategicMerge: + metadata: + labels: + foo: bar diff --git a/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/resource.yaml b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/resource.yaml new file mode 100644 index 0000000000..973de47345 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/resource.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: game-demo +data: + key: "some value" diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/01-crd.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/01-crd.yaml new file mode 100644 index 0000000000..c2a379e3d0 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/01-crd.yaml 
@@ -0,0 +1,234 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: roles.iam.aws.crossplane.io +spec: + group: iam.aws.crossplane.io + names: + categories: + - crossplane + - managed + - aws + kind: Role + listKind: RoleList + plural: roles + shortNames: + - iamrole + singular: role + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: An Role is a managed resource that represents an AWS IAM Role. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: An RoleSpec defines the desired state of an Role. + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: RoleParameters define the desired state of an AWS IAM + Role. 
+ properties: + assumeRolePolicyDocument: + description: AssumeRolePolicyDocument is the the trust relationship + policy document that grants an entity permission to assume the + role. + type: string + description: + description: Description is a description of the role. + type: string + maxSessionDuration: + description: 'MaxSessionDuration is the duration (in seconds) + that you want to set for the specified role. The default maximum + of one hour is applied. This setting can have a value from 1 + hour to 12 hours. Default: 3600' + format: int32 + type: integer + path: + description: 'Path is the path to the role. Default: /' + type: string + permissionsBoundary: + description: PermissionsBoundary is the ARN of the policy that + is used to set the permissions boundary for the role. + type: string + tags: + description: Tags. For more information about tagging, see Tagging + IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + items: + description: Tag represents user-provided metadata that can + be associated with a IAM role. For more information about + tagging, see Tagging IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + description: The key name that can be used to look up or + retrieve the associated value. For example, Department + or Cost Center are common choices. + type: string + value: + description: "The value associated with this tag. For example, + tags with a key name of Department could have values such + as Human Resources, Accounting, and Support. Tags with + a key name of Cost Center might have values that consist + of the number associated with the different cost centers + in your company. Typically, many resources have tags with + the same key name but with different values. \n AWS always + interprets the tag Value as a single string. 
If you need + to store an array, you can store comma-separated values + in the string. However, you must interpret the value in + your code." + type: string + required: + - key + type: object + type: array + required: + - assumeRolePolicyDocument + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: An RoleStatus represents the observed state of an Role. + properties: + atProvider: + description: RoleExternalStatus keeps the state for the external resource + properties: + arn: + description: ARN is the Amazon Resource Name (ARN) specifying + the role. For more information about ARNs and how to use them + in policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide guide. 
+ type: string + roleID: + description: RoleID is the stable and unique string identifying + the role. For more information about IDs, see IAM Identifiers + (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the Using IAM guide. + type: string + required: + - arn + - roleID + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: + - v1beta1 diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/02-policy.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/02-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/02-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml 
diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/03-resource.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/03-resource.yaml new file mode 100644 index 0000000000..94a47ca2d1 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/03-resource.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- resource.yaml diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/04-event.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/04-event.yaml new file mode 100644 index 0000000000..2524584a1b --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/04-event.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +error: +- event.yaml + diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/event.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/event.yaml new file mode 100644 index 0000000000..79583ec974 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/event.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: rbac-policy +source: + component: kyverno-generate diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy-assert.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy-assert.yaml new file mode 100644 index 0000000000..620afcda89 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: rbac-policy +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy.yaml new file mode 100644 index 0000000000..e89e2fd023 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: rbac-policy +spec: + rules: + - name: rbac-rule + generate: + apiVersion: iam.aws.crossplane.io/v1beta1 + data: + rules: + - verbs: + - "*" + apiGroups: + - "*" + resources: + - "*" + kind: Role + name: superuser + namespace: "{{request.object.metadata.name}}" + synchronize: true + match: + any: + - resources: + kinds: + - Namespace diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/resource.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/resource.yaml new file mode 100644 index 0000000000..537d944dcd --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/resource.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ns-2 diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml new file mode 100644 index 0000000000..94a47ca2d1 --- /dev/null 
+++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- resource.yaml diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml new file mode 100644 index 0000000000..0d6011a91b --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +error: +- event.yaml diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/README.md b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/README.md new file mode 100644 index 0000000000..41c59fd108 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/README.md @@ -0,0 +1,11 @@ +## Description + +This test creates a generate policy, and the trigger resource (namespace) `ns-1` which is excluded by the policy. +No events generated since the `ns-1` + +## Steps + +1. - Create a generate policy + - Assert the policy becomes ready +2. Create the namespace. +3. No events generated as the rule result is `skip` diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/event.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/event.yaml new file mode 100644 index 0000000000..b1d4eb59f3 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/event.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: default +source: + component: kyverno-generate 
diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy-assert.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy-assert.yaml new file mode 100644 index 0000000000..a434cb1fb9 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: default +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy.yaml new file mode 100644 index 0000000000..e8efe4a8e7 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy.yaml @@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: default +spec: + rules: + - name: deny-all-traffic + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - test-ns + - ns-1 + generate: + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: deny-all-traffic + namespace: "{{request.object.metadata.name}}" + data: + spec: + # select all pods in the namespace + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/resource.yaml b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/resource.yaml new file mode 100644 index 0000000000..73054ba477 --- /dev/null +++ b/test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/resource.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ns-1