refactor: move controller autogen annotation in api package (#3364)

* fix: configmap resource filters generated by helm does not account for namespace

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refator: move controller autogen annotation in api package

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

api/kyverno/v1/constants.go

@@ -0,0 +1,6 @@
+package v1
+
+const (
+	//PodControllersAnnotation defines the annotation key for Pod-Controllers
+	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
+)

pkg/autogen/autogen.go

@@ -8,7 +8,13 @@ import (
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/go-logr/logr"
 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
-	"github.com/kyverno/kyverno/pkg/engine"
+)
+
+const (
+	// PodControllerCronJob represent CronJob string
+	PodControllerCronJob = "CronJob"
+	//PodControllers stores the list of Pod-controllers in csv string
+	PodControllers = "DaemonSet,Deployment,Job,StatefulSet,CronJob"
 )
 
 // CanAutoGen checks whether the rule(s) (in policy) can be applied to Pod controllers
@@ -95,7 +101,7 @@ func CanAutoGen(spec *kyverno.Spec, log logr.Logger) (applyAutoGen bool, control
 		return false, ""
 	}
 
-	return true, engine.PodControllers
+	return true, PodControllers
 }
 
 // podControllersKey annotation could be:

pkg/autogen/autogen_test.go

@@ -10,7 +10,6 @@ import (
 	"testing"
 
 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
-	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/utils"
 	"gotest.tools/assert"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -45,7 +44,7 @@ func Test_getControllers(t *testing.T) {
 		{
 			name:                "rule-with-deny",
 			policy:              []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","deny":{"conditions":[{"key":"{{request.object.metadata.labels.foo}}","operator":"Equals","value":"bar"}]}}}]}}`),
-			expectedControllers: engine.PodControllers,
+			expectedControllers: PodControllers,
 		},
 		{
 			name:                "rule-with-match-mixed-kinds-pod-podcontrollers",
@@ -60,12 +59,12 @@ func Test_getControllers(t *testing.T) {
 		{
 			name:                "rule-with-match-kinds-pod-only",
 			policy:              []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","pattern":{"metadata":{"labels":{"foo":"bar"}}}}}]}}`),
-			expectedControllers: engine.PodControllers,
+			expectedControllers: PodControllers,
 		},
 		{
 			name:                "rule-with-exclude-kinds-pod-only",
 			policy:              []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"kinds":["Pod"],"namespaces":["test"]}},"validate":{"message":"testpolicy","pattern":{"metadata":{"labels":{"foo":"bar"}}}}}]}}`),
-			expectedControllers: engine.PodControllers,
+			expectedControllers: PodControllers,
 		},
 		{
 			name:                "rule-with-mutate-patches",
@@ -129,7 +128,7 @@ func Test_Any(t *testing.T) {
 		},
 	}
 
-	rulePatches, errs := GenerateRulePatches(&policy.Spec, engine.PodControllers, log.Log)
+	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	fmt.Println("utils.JoinPatches(patches)erterter", string(utils.JoinPatches(rulePatches)))
 	if len(errs) != 0 {
 		t.Log(errs)
@@ -167,7 +166,7 @@ func Test_All(t *testing.T) {
 		},
 	}
 
-	rulePatches, errs := GenerateRulePatches(&policy.Spec, engine.PodControllers, log.Log)
+	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	if len(errs) != 0 {
 		t.Log(errs)
 	}
@@ -199,7 +198,7 @@ func Test_Exclude(t *testing.T) {
 	policy := policies[0]
 	policy.Spec.Rules[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
 
-	rulePatches, errs := GenerateRulePatches(&policy.Spec, engine.PodControllers, log.Log)
+	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	if len(errs) != 0 {
 		t.Log(errs)
 	}
@@ -217,7 +216,7 @@ func Test_Exclude(t *testing.T) {
 
 func Test_CronJobOnly(t *testing.T) {
 
-	controllers := engine.PodControllerCronJob
+	controllers := PodControllerCronJob
 	dir, err := os.Getwd()
 	baseDir := filepath.Dir(filepath.Dir(dir))
 	assert.NilError(t, err)
@@ -232,7 +231,7 @@ func Test_CronJobOnly(t *testing.T) {
 
 	policy := policies[0]
 	policy.SetAnnotations(map[string]string{
-		engine.PodControllersAnnotation: controllers,
+		kyverno.PodControllersAnnotation: controllers,
 	})
 
 	rulePatches, errs := GenerateRulePatches(&policy.Spec, controllers, log.Log)
@@ -263,7 +262,7 @@ func Test_ForEachPod(t *testing.T) {
 	policy := policies[0]
 	policy.Spec.Rules[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
 
-	rulePatches, errs := GenerateRulePatches(&policy.Spec, engine.PodControllers, log.Log)
+	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	if len(errs) != 0 {
 		t.Log(errs)
 	}
@@ -281,7 +280,7 @@ func Test_ForEachPod(t *testing.T) {
 
 func Test_CronJob_hasExclude(t *testing.T) {
 
-	controllers := engine.PodControllerCronJob
+	controllers := PodControllerCronJob
 	dir, err := os.Getwd()
 	baseDir := filepath.Dir(filepath.Dir(dir))
 	assert.NilError(t, err)
@@ -297,7 +296,7 @@ func Test_CronJob_hasExclude(t *testing.T) {
 
 	policy := policies[0]
 	policy.SetAnnotations(map[string]string{
-		engine.PodControllersAnnotation: controllers,
+		kyverno.PodControllersAnnotation: controllers,
 	})
 
 	rule := policy.Spec.Rules[0].DeepCopy()
@@ -318,7 +317,7 @@ func Test_CronJob_hasExclude(t *testing.T) {
 }
 
 func Test_CronJobAndDeployment(t *testing.T) {
-	controllers := strings.Join([]string{engine.PodControllerCronJob, "Deployment"}, ",")
+	controllers := strings.Join([]string{PodControllerCronJob, "Deployment"}, ",")
 	dir, err := os.Getwd()
 	baseDir := filepath.Dir(filepath.Dir(dir))
 	assert.NilError(t, err)
@@ -333,7 +332,7 @@ func Test_CronJobAndDeployment(t *testing.T) {
 
 	policy := policies[0]
 	policy.SetAnnotations(map[string]string{
-		engine.PodControllersAnnotation: controllers,
+		kyverno.PodControllersAnnotation: controllers,
 	})
 
 	rulePatches, errs := GenerateRulePatches(&policy.Spec, controllers, log.Log)
@@ -364,7 +363,7 @@ func Test_UpdateVariablePath(t *testing.T) {
 
 	policy := policies[0]
 
-	rulePatches, errs := GenerateRulePatches(&policy.Spec, engine.PodControllers, log.Log)
+	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	if len(errs) != 0 {
 		t.Log(errs)
 	}
@@ -398,7 +397,7 @@ func Test_Deny(t *testing.T) {
 		},
 	}
 
-	rulePatches, errs := GenerateRulePatches(&policy.Spec, engine.PodControllers, log.Log)
+	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	fmt.Println("utils.JoinPatches(patches)erterter", string(utils.JoinPatches(rulePatches)))
 	if len(errs) != 0 {
 		t.Log(errs)

pkg/autogen/rule.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/go-logr/logr"
 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
-	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	"github.com/kyverno/kyverno/pkg/utils"
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -262,7 +261,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 func generateCronJobRule(rule kyverno.Rule, controllers string, log logr.Logger) *kyvernoRule {
 	logger := log.WithName("handleCronJob")
 
-	hasCronJob := strings.Contains(controllers, engine.PodControllerCronJob) || strings.Contains(controllers, "all")
+	hasCronJob := strings.Contains(controllers, PodControllerCronJob) || strings.Contains(controllers, "all")
 	if !hasCronJob {
 		return nil
 	}
@@ -289,7 +288,7 @@ func generateCronJobRule(rule kyverno.Rule, controllers string, log logr.Logger)
 		rule := cronJobAnyAllAutogenRule(cronJobRule.MatchResources.All)
 		cronJobRule.MatchResources.All = rule
 	} else {
-		cronJobRule.MatchResources.Kinds = []string{engine.PodControllerCronJob}
+		cronJobRule.MatchResources.Kinds = []string{PodControllerCronJob}
 	}
 
 	if (jobRule.ExcludeResources) != nil && len(jobRule.ExcludeResources.Any) > 0 {
@@ -300,7 +299,7 @@ func generateCronJobRule(rule kyverno.Rule, controllers string, log logr.Logger)
 		cronJobRule.ExcludeResources.All = rule
 	} else {
 		if (jobRule.ExcludeResources) != nil && (len(jobRule.ExcludeResources.Kinds) > 0) {
-			cronJobRule.ExcludeResources.Kinds = []string{engine.PodControllerCronJob}
+			cronJobRule.ExcludeResources.Kinds = []string{PodControllerCronJob}
 		}
 	}
 

pkg/autogen/utils.go

@@ -4,7 +4,6 @@ import (
 	"strings"
 
 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
-	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/utils"
 )
 
@@ -17,7 +16,7 @@ func isKindOtherthanPod(kinds []string) bool {
 
 func hasAutogenKinds(kind []string) bool {
 	for _, v := range kind {
-		if v == "Pod" || strings.Contains(engine.PodControllers, v) {
+		if v == "Pod" || strings.Contains(PodControllers, v) {
 			return true
 		}
 	}
@@ -52,7 +51,7 @@ func stripCronJob(controllers string) string {
 	var newControllers []string
 	controllerArr := strings.Split(controllers, ",")
 	for _, c := range controllerArr {
-		if c == engine.PodControllerCronJob {
+		if c == PodControllerCronJob {
 			continue
 		}
 		newControllers = append(newControllers, c)
@@ -67,7 +66,7 @@ func cronJobAnyAllAutogenRule(v kyverno.ResourceFilters) kyverno.ResourceFilters
 	anyKind := v.DeepCopy()
 	for i, value := range v {
 		if utils.ContainsPod(value.Kinds, "Job") {
-			anyKind[i].Kinds = []string{engine.PodControllerCronJob}
+			anyKind[i].Kinds = []string{PodControllerCronJob}
 		}
 	}
 	return anyKind

pkg/engine/mutation.go

@@ -17,15 +17,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-const (
-	// PodControllerCronJob represent CronJob string
-	PodControllerCronJob = "CronJob"
-	//PodControllers stores the list of Pod-controllers in csv string
-	PodControllers = "DaemonSet,Deployment,Job,StatefulSet,CronJob"
-	//PodControllersAnnotation defines the annotation key for Pod-Controllers
-	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
-)
-
 // Mutate performs mutation. Overlay first and then mutation patches
 func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 	resp = &response.EngineResponse{}

pkg/engine/utils.go

@@ -428,7 +428,7 @@ func excludeResource(podControllers string, resource unstructured.Unstructured)
 // - if the policy has auto-gen annotation && resource == Pod
 // - if the auto-gen contains cronJob && resource == Job
 func ManagedPodResource(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) bool {
-	podControllers, ok := policy.GetAnnotations()[PodControllersAnnotation]
+	podControllers, ok := policy.GetAnnotations()[kyverno.PodControllersAnnotation]
 	if !ok || strings.ToLower(podControllers) == "none" {
 		return false
 	}

pkg/kyverno/common/common.go

@@ -566,8 +566,8 @@ OuterLoop:
 
 	if resource.GetKind() == "Pod" && len(resource.GetOwnerReferences()) > 0 {
 		if policy.HasAutoGenAnnotation() {
-			if _, ok := policy.GetAnnotations()[engine.PodControllersAnnotation]; ok {
-				delete(policy.Annotations, engine.PodControllersAnnotation)
+			if _, ok := policy.GetAnnotations()[v1.PodControllersAnnotation]; ok {
+				delete(policy.Annotations, v1.PodControllersAnnotation)
 			}
 		}
 	}

pkg/policy/policy_controller.go

@@ -571,7 +571,7 @@ func missingAutoGenRules(policy *kyverno.ClusterPolicy, log logr.Logger) bool {
 
 	if len(podRuleName) > 0 {
 		annotations := policy.GetAnnotations()
-		val, ok := annotations["pod-policies.kyverno.io/autogen-controllers"]
+		val, ok := annotations[kyverno.PodControllersAnnotation]
 		if !ok {
 			return true
 		}

pkg/policymutation/policymutation.go

@@ -10,7 +10,6 @@ import (
 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	"github.com/kyverno/kyverno/pkg/common"
-	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/utils"
 )
 
@@ -257,7 +256,7 @@ func GeneratePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (p
 	}
 
 	ann := policy.GetAnnotations()
-	actualControllers, ok := ann[engine.PodControllersAnnotation]
+	actualControllers, ok := ann[kyverno.PodControllersAnnotation]
 
 	// - scenario A
 	// - predefined controllers are invalid, overwrite the value
@@ -293,7 +292,7 @@ func GeneratePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (p
 func defaultPodControllerAnnotation(ann map[string]string, controllers string) ([]byte, error) {
 	if ann == nil {
 		ann = make(map[string]string)
-		ann[engine.PodControllersAnnotation] = controllers
+		ann[kyverno.PodControllersAnnotation] = controllers
 		jsonPatch := struct {
 			Path  string      `json:"path"`
 			Op    string      `json:"op"`