From fe8f8faa8b3b2ad1de70ee89179678531b3c1fb0 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Tue, 19 Dec 2023 20:15:34 +0200 Subject: [PATCH] fix: add chainsaw test for mutate existing (#9210) Signed-off-by: Mariam Fahmy --- .vscode/launch.json | 3 +- .../multiple-trigger-resources/README.md | 17 +++++++++ .../chainsaw-test.yaml | 38 +++++++++++++++++++ .../multiple-trigger-resources/configmap.yaml | 11 ++++++ .../multiple-trigger-resources/namespace.yaml | 6 +++ .../patched-pod.yaml | 11 ++++++ .../multiple-trigger-resources/pod.yaml | 9 +++++ .../policy-ready.yaml | 9 +++++ .../multiple-trigger-resources/policy.yaml | 35 +++++++++++++++++ 9 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/README.md create mode 100755 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/configmap.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/namespace.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/patched-pod.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/pod.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy-ready.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy.yaml diff --git a/.vscode/launch.json b/.vscode/launch.json index d03e43f821..f2cb1c9496 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json 
@@ -9,7 +9,8 @@ "program": "${workspaceFolder}/cmd/kyverno", "args": [ "--kubeconfig=${userHome}/.kube/config", - "--serverIP=:9443", + "--serverIP=172.18.0.1:9443", + "--backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller", "-v=2", "--caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca", "--tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair", diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/README.md new file mode 100644 index 0000000000..de1c74251b --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/README.md @@ -0,0 +1,17 @@ +## Description + +This test makes sure that the generated updaterequest is deleted after applying the mutation. + +## Expected Behavior + +The target resource `pod` is mutated and all updaterequests are deleted. + +## Steps + +### Test Steps + +1. Create a namespace. +2. Create two configmaps `test-org-1` and `test-org-2` i.e. the trigger resources. +3. Create a pod i.e. the target resource. +4. Create a policy that has `mutateExistingOnPolicyUpdate` set to true. +5. Two update requests are generated for both configmaps, one of which has a `failure` status. It is expected that both URs got deleted. diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/chainsaw-test.yaml new file mode 100755 index 0000000000..601de2bc02 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/chainsaw-test.yaml 
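Review bot: The `--serverIP=172.18.0.1:9443` value hard-codes an address specific to one developer's cluster network (presumably the host as seen from a kind/docker bridge), whereas the replaced `:9443` listened on every interface; a developer whose bridge uses a different subnet gets a webhook the API server cannot reach, with nothing in the file explaining why. VS Code accepts comments in launch.json, so a line such as `// host address the kind API server uses to reach the local webhook; adjust to your docker network` above the flag, or a `${input:serverIP}` prompt, would make that visible. The new `--backgroundServiceAccountName` flag appears to name the principal whose requests the admission controller treats as coming from its own background controller, so it must match the service account that controller actually runs as in the cluster the debug session targets; a short comment noting that coupling would help anyone running a non-default install.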
@@ -0,0 +1,38 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: multiple-trigger-resources +spec: + steps: + - name: step-01 + try: + - apply: + file: namespace.yaml + - name: step-02 + try: + - apply: + file: configmap.yaml + - name: step-03 + try: + - apply: + file: pod.yaml + - name: step-04 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-05 + try: + - assert: + file: patched-pod.yaml + - name: step-06 + try: + - sleep: + duration: 10s + - name: step-07 + try: + - script: + content: "if kubectl get updaterequests -n kyverno 2>&1 | grep -q 'No resources found in kyverno namespace.'\nthen \n exit 0 \nelse \n exit + 1\nfi\n" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/configmap.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/configmap.yaml new file mode 100644 index 0000000000..af76051acc --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/configmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-org-1 + namespace: org-label-inheritance-existing-ns-1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-org-2 + namespace: org-label-inheritance-existing-ns-1 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/namespace.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/namespace.yaml new file mode 100644 index 0000000000..6630848e8b --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + org: kyverno-test-1 + name: org-label-inheritance-existing-ns-1 
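Review bot: The step-07 script decides pass/fail by grepping the human-readable text `No resources found in kyverno namespace.` out of kubectl's merged stdout/stderr, so a wording change in a future kubectl (or a localized message) fails the step even when every UpdateRequest was cleaned up, and the `2>&1` merge also hides whether kubectl itself succeeded. A machine-readable listing with an explicit exit-status check is more robust: `content: |`, then `out="$(kubectl get updaterequests -n kyverno -o name)" || exit 1`, then `test -z "$out"` — the block scalar also replaces the `\n`-escaped double-quoted string, which is hard to read and edit. The fixed `sleep: 10s` in step-06 is a timing window on an asynchronous cleanup rather than a condition; if chainsaw's per-step timeout can be used to retry the script until it succeeds, the test would be deterministic instead of occasionally flaky on a slow runner.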
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/patched-pod.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/patched-pod.yaml new file mode 100644 index 0000000000..370daaab7f --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/patched-pod.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-org-1 + namespace: org-label-inheritance-existing-ns-1 + annotations: + org: kyverno-test-1 +spec: + containers: + - image: nginx:latest + name: test-org \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/pod.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/pod.yaml new file mode 100644 index 0000000000..dfc7a87a4f --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-org-1 + namespace: org-label-inheritance-existing-ns-1 +spec: + containers: + - image: nginx:latest + name: test-org diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy-ready.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy-ready.yaml new file mode 100644 index 0000000000..931cfa7a33 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: org-label-inheritance-existing-1 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
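Review bot: pod.yaml pulls `image: nginx:latest`, a mutable tag from a public registry, even though the test only asserts on the pod's metadata (patched-pod.yaml) and never needs the container to run; the conformance result then depends on whatever `latest` resolves to at run time and on registry availability. A digest-pinned or registry-independent minimal image, e.g. `image: registry.k8s.io/pause:3.9`, keeps the fixture reproducible — unless the suite already standardizes on nginx everywhere, in which case this is a suite-wide change rather than one for this PR. patched-pod.yaml is also missing its trailing newline (`\ No newline at end of file`).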
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy.yaml new file mode 100644 index 0000000000..67d99ff64a --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: org-label-inheritance-existing-1 + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + mutateExistingOnPolicyUpdate: true + validationFailureAction: Enforce + rules: + - name: propagate org label from namespace + match: + any: + - resources: + kinds: + - ConfigMap + namespaceSelector: + matchExpressions: + - key: org + operator: Exists + context: + - name: org + apiCall: + urlPath: /api/v1/namespaces/{{ request.object.metadata.namespace }} + jmesPath: metadata.labels.org + mutate: + targets: + - apiVersion: v1 + kind: Pod + namespace: "{{ request.object.metadata.namespace }}" + name: "{{ request.object.metadata.name }}" + patchStrategicMerge: + metadata: + annotations: + org: "{{ org }}"
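Review bot: The target `name: "{{ request.object.metadata.name }}"` only resolves for the `test-org-1` trigger; the `test-org-2` configmap has no pod of that name, and that unresolved target is presumably what produces the failed UpdateRequest the README says this test covers, yet nothing in the policy records that intent. A later reader could "fix" the fixture by adding a second pod and silently lose the failure-path coverage, so a comment above `targets:` such as `# Only a pod named test-org-1 exists; the test-org-2 trigger is expected to fail to resolve its target so that cleanup of a failed UR is exercised.` would protect it. `validationFailureAction: Enforce` has no effect on a rule with only a `mutate` stanza and can be dropped to avoid suggesting otherwise.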