fix: send notification when stoping watching resource in reports system (#5298)

* fix: send notification when stoping watching resource in reports system Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * add kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rework Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * readme Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-28 02:18:15 +00:00 · 2022-11-10 18:01:56 +01:00 · 2022-11-10 18:01:56 +01:00 · fcca45b1cf
commit fcca45b1cf
parent 19f0e7ebfe
11 changed files with 105 additions and 5 deletions
--- a/pkg/controllers/report/resource/controller.go
+++ b/pkg/controllers/report/resource/controller.go
@ -197,12 +197,16 @@ func (c *controller) updateDynamicWatchers(ctx context.Context) error {
 			}
 		}
 	}
-	// shutdown remaining watcher
-	for gvr, watcher := range c.dynamicWatchers {
-		watcher.watcher.Stop()
-		delete(c.dynamicWatchers, gvr)
-	}
+	oldDynamicWatcher := c.dynamicWatchers
 	c.dynamicWatchers = dynamicWatchers
+	// shutdown remaining watcher
+	for gvr, watcher := range oldDynamicWatcher {
+		watcher.watcher.Stop()
+		delete(oldDynamicWatcher, gvr)
+		for uid, resource := range watcher.hashes {
+			c.notify(uid, watcher.gvk, resource)
+		}
+	}
 	return nil
 }

--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/00-policy.yaml
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/00-policy.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/01-pod.yaml
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/01-pod.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- pod.yaml
--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/02-background-scan-report.yaml
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/02-background-scan-report.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- background-scan-report-assert.yaml
--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/03-delete-report.yaml
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/03-delete-report.yaml
@ -0,0 +1,8 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+  kind: ClusterPolicy
+  name: podsecurity-subrule-restricted
+error:
+- background-scan-report-error.yaml
--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/README.md
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/README.md
@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy and a pod, it then expects a background scan report to be created for the pod.
+When the policy is deleted, the background scan report should also be deleted.
+
+## Steps
+
+1.  - Create a cluster policy
+    - Assert the policy becomes ready
+1.  - Create a pod
+1.  - Assert a background scan report is created for the pod and contains the right summary
+1.  - Delete the policy
+    - Assert the background scan report is deleted for the pod
--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-assert.yaml
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-assert.yaml
@ -0,0 +1,14 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Pod
+    name: badpod01
+spec:
+  summary:
+    error: 0
+    fail: 1
+    pass: 0
+    skip: 0
+    warn: 0
--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-error.yaml
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-error.yaml
@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Pod
+    name: badpod01
--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/pod.yaml
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/pod.yaml
@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+    securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy-assert.yaml
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: podsecurity-subrule-restricted
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy.yaml
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy.yaml
@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: podsecurity-subrule-restricted
+spec:
+  background: true
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    name: restricted
+    validate:
+      podSecurity:
+        level: restricted
+        version: latest
+  validationFailureAction: audit