mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity

fix: autogen not generating the correct kind (#7455)

Browse source 
* fix: autogen not generating the correct kind

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix kuttl tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* add kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-06-07 20:32:35 +02:00 committed by GitHub
parent 0c3351887a
commit ea98b08951
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 305 additions and 119 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
pkg/autogen/rule.go
View file

@ -291,7 +291,11 @@ func generateCronJobRule(rule *kyvernov1.Rule, controllers string) *kyvernov1.Ru
"spec/jobTemplate/spec/template",
[]string{PodControllerCronJob},
func(r kyvernov1.ResourceFilters, kinds []string) kyvernov1.ResourceFilters {
return getAnyAllAutogenRule(r, "Job", kinds)
anyKind := r.DeepCopy()
for i := range anyKind {
anyKind[i].Kinds = kinds
}
return anyKind
},
)
}

6
test/conformance/kuttl/autogen/deployment-cronjob/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

11
test/conformance/kuttl/autogen/deployment-cronjob/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
The policy should contain autogen rules for cronjobs and deployments because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob` annotation.
## Expected Behavior
The policy gets created and contains a autogen rules for cronjobs and deployments in the status.
## Related Issue(s)
- https://github.com/kyverno/kyverno/issues/7444

98
test/conformance/kuttl/autogen/deployment-cronjob/policy-assert.yaml Normal file
View file

@ -0,0 +1,98 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
autogen:
rules:
- match:
any:
- resources:
kinds:
- Deployment
name: autogen-require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
template:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Deployment
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
template:
spec:
containers:
- image: '!*:latest'
- match:
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: '!*:latest'

33
test/conformance/kuttl/autogen/deployment-cronjob/policy.yaml Normal file
View file

@ -0,0 +1,33 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob
spec:
validationFailureAction: Audit
rules:
- match:
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
pattern:
spec:
containers:
- image: '*:*'
- match:
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
containers:
- image: '!*:latest'

36
test/conformance/kuttl/autogen/deployment-statefulset-job/policy-assert.yaml
View file

@ -6,9 +6,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -17,9 +18,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
@ -35,11 +37,12 @@ status:
autogen:
rules:
- match:
resources:
kinds:
- Deployment
- StatefulSet
- Job
any:
- resources:
kinds:
- Deployment
- StatefulSet
- Job
name: autogen-require-image-tag
validate:
message: An image tag is required.
@ -50,11 +53,12 @@ status:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Deployment
- StatefulSet
- Job
any:
- resources:
kinds:
- Deployment
- StatefulSet
- Job
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

14
test/conformance/kuttl/autogen/deployment-statefulset-job/policy.yaml
View file

@ -8,9 +8,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -19,9 +20,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

14
test/conformance/kuttl/autogen/none/policy-assert.yaml
View file

@ -6,9 +6,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -17,9 +18,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

14
test/conformance/kuttl/autogen/none/policy.yaml
View file

@ -8,9 +8,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -19,9 +20,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

28
test/conformance/kuttl/autogen/only-cronjob/policy-assert.yaml
View file

@ -6,9 +6,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -17,9 +18,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
@ -35,9 +37,10 @@ status:
autogen:
rules:
- match:
resources:
kinds:
- CronJob
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-require-image-tag
validate:
message: An image tag is required.
@ -50,9 +53,10 @@ status:
containers:
- image: '*:*'
- match:
resources:
kinds:
- CronJob
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

14
test/conformance/kuttl/autogen/only-cronjob/policy.yaml
View file

@ -8,9 +8,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -19,9 +20,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

28
test/conformance/kuttl/autogen/only-deployment/policy-assert.yaml
View file

@ -6,9 +6,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -17,9 +18,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
@ -35,9 +37,10 @@ status:
autogen:
rules:
- match:
resources:
kinds:
- Deployment
any:
- resources:
kinds:
- Deployment
name: autogen-require-image-tag
validate:
message: An image tag is required.
@ -48,9 +51,10 @@ status:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Deployment
any:
- resources:
kinds:
- Deployment
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

14
test/conformance/kuttl/autogen/only-deployment/policy.yaml
View file

@ -8,9 +8,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -19,9 +20,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

62
test/conformance/kuttl/autogen/should-autogen/policy-assert.yaml
View file

@ -6,9 +6,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -17,9 +18,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
@ -35,14 +37,15 @@ status:
autogen:
rules:
- match:
resources:
kinds:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
any:
- resources:
kinds:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
name: autogen-require-image-tag
validate:
message: An image tag is required.
@ -53,9 +56,10 @@ status:
containers:
- image: '*:*'
- match:
resources:
kinds:
- CronJob
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-require-image-tag
validate:
message: An image tag is required.
@ -68,14 +72,15 @@ status:
containers:
- image: '*:*'
- match:
resources:
kinds:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
any:
- resources:
kinds:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.
@ -86,9 +91,10 @@ status:
containers:
- image: '!*:latest'
- match:
resources:
kinds:
- CronJob
any:
- resources:
kinds:
- CronJob
name: autogen-cronjob-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

14
test/conformance/kuttl/autogen/should-autogen/policy.yaml
View file

@ -6,9 +6,10 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: require-image-tag
validate:
message: An image tag is required.
@ -17,9 +18,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

16
test/conformance/kuttl/autogen/should-not-autogen/policy-assert.yaml
View file

@ -6,10 +6,11 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
- Deployment
any:
- resources:
kinds:
- Pod
- Deployment
name: require-image-tag
validate:
message: An image tag is required.
@ -18,9 +19,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.

16
test/conformance/kuttl/autogen/should-not-autogen/policy.yaml
View file

@ -6,10 +6,11 @@ spec:
validationFailureAction: Audit
rules:
- match:
resources:
kinds:
- Pod
- Deployment
any:
- resources:
kinds:
- Pod
- Deployment
name: require-image-tag
validate:
message: An image tag is required.
@ -18,9 +19,10 @@ spec:
containers:
- image: '*:*'
- match:
resources:
kinds:
- Pod
any:
- resources:
kinds:
- Pod
name: validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.