fix: add chainsaw test for mutate existing (#9210)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
parent
d5e5219601
commit
fe8f8faa8b
9 changed files with 138 additions and 1 deletions
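--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -9,7 +9,8 @@
 "program": "${workspaceFolder}/cmd/kyverno",
 "args": [
 "--kubeconfig=${userHome}/.kube/config",
-"--serverIP=<SERVER-IP>:9443",
+"--serverIP=172.18.0.1:9443",
+"--backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller",
 "-v=2",
 "--caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca",
 "--tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair",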
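Review bot: The `--serverIP` argument now carries a concrete address, `172.18.0.1:9443`, where the committed file previously held the `<SERVER-IP>` placeholder. It looks like one developer's local bridge address (inferred, not stated on the page) and will be wrong on most other machines. Keep the placeholder in the shared file, `"--serverIP=<SERVER-IP>:9443",`, and put the real address in a local, uncommitted override. The added `--backgroundServiceAccountName` line is independent of this and can stay; the `args` array starts and ends outside the hunk.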
@ -0,0 +1,17 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This test makes sure that the generated updaterequest is deleted after applying the mutation.
|
||||||
|
|
||||||
|
## Expected Behavior
|
||||||
|
|
||||||
|
The target resource `pod` is mutated and all updaterequests are deleted.
|
||||||
|
|
||||||
|
## Steps
|
||||||
|
|
||||||
|
### Test Steps
|
||||||
|
|
||||||
|
1. Create a namespace.
|
||||||
|
2. Create two configmaps `test-org-1` and `test-org-2` i.e. the trigger resources.
|
||||||
|
3. Create a pod i.e. the target resource.
|
||||||
|
4. Create a policy that has `mutateExistingOnPolicyUpdate` set to true.
|
||||||
|
5. Two update requests are generated for both configmaps, one of which has a `failure` status. It is expected that both URs got deleted.
|
|
@ -0,0 +1,38 @@
|
||||||
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
|
kind: Test
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
name: multiple-trigger-resources
|
||||||
|
spec:
|
||||||
|
steps:
|
||||||
|
- name: step-01
|
||||||
|
try:
|
||||||
|
- apply:
|
||||||
|
file: namespace.yaml
|
||||||
|
- name: step-02
|
||||||
|
try:
|
||||||
|
- apply:
|
||||||
|
file: configmap.yaml
|
||||||
|
- name: step-03
|
||||||
|
try:
|
||||||
|
- apply:
|
||||||
|
file: pod.yaml
|
||||||
|
- name: step-04
|
||||||
|
try:
|
||||||
|
- apply:
|
||||||
|
file: policy.yaml
|
||||||
|
- assert:
|
||||||
|
file: policy-ready.yaml
|
||||||
|
- name: step-05
|
||||||
|
try:
|
||||||
|
- assert:
|
||||||
|
file: patched-pod.yaml
|
||||||
|
- name: step-06
|
||||||
|
try:
|
||||||
|
- sleep:
|
||||||
|
duration: 10s
|
||||||
|
- name: step-07
|
||||||
|
try:
|
||||||
|
- script:
|
||||||
|
content: "if kubectl get updaterequests -n kyverno 2>&1 | grep -q 'No resources found in kyverno namespace.'\nthen \n exit 0 \nelse \n exit
|
||||||
|
1\nfi\n"
|
|
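Review bot: The script in step-07 decides pass or fail by grepping kubectl's human-readable message `No resources found in kyverno namespace.`, so a change in that wording, or an UpdateRequest left in `kyverno` by another test running at the same time, fails the check for reasons unrelated to this policy. Asking for names and testing for empty output is sturdier: `out=$(kubectl get updaterequests -n kyverno -o name) && [ -z "$out" ]`. The fixed `sleep` of `10s` in step-06 is also a race on a slow cluster; a bounded retry around the same check would express the intent better. The description for this test says one of the two requests ends with a `failure` status, but no step asserts that.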
@ -0,0 +1,11 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: test-org-1
|
||||||
|
namespace: org-label-inheritance-existing-ns-1
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: test-org-2
|
||||||
|
namespace: org-label-inheritance-existing-ns-1
|
|
@ -0,0 +1,6 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
org: kyverno-test-1
|
||||||
|
name: org-label-inheritance-existing-ns-1
|
|
@ -0,0 +1,11 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: test-org-1
|
||||||
|
namespace: org-label-inheritance-existing-ns-1
|
||||||
|
annotations:
|
||||||
|
org: kyverno-test-1
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- image: nginx:latest
|
||||||
|
name: test-org
|
|
@ -0,0 +1,9 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: test-org-1
|
||||||
|
namespace: org-label-inheritance-existing-ns-1
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- image: nginx:latest
|
||||||
|
name: test-org
|
|
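Review bot: `image: nginx:latest` is a mutable tag, so the fixture uses whatever the registry serves on the day of the run and the test is not reproducible. The same line appears in the Pod manifest carrying the `org` annotation earlier in this commit. Pin a fixed tag or digest in both, e.g. `- image: nginx:<PINNED-TAG>` (placeholder; use the version the project's other fixtures already rely on).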
@ -0,0 +1,9 @@
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: org-label-inheritance-existing-1
|
||||||
|
status:
|
||||||
|
conditions:
|
||||||
|
- reason: Succeeded
|
||||||
|
status: "True"
|
||||||
|
type: Ready
|
|
@ -0,0 +1,35 @@
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: org-label-inheritance-existing-1
|
||||||
|
annotations:
|
||||||
|
pod-policies.kyverno.io/autogen-controllers: none
|
||||||
|
spec:
|
||||||
|
mutateExistingOnPolicyUpdate: true
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
rules:
|
||||||
|
- name: propagate org label from namespace
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- ConfigMap
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: org
|
||||||
|
operator: Exists
|
||||||
|
context:
|
||||||
|
- name: org
|
||||||
|
apiCall:
|
||||||
|
urlPath: /api/v1/namespaces/{{ request.object.metadata.namespace }}
|
||||||
|
jmesPath: metadata.labels.org
|
||||||
|
mutate:
|
||||||
|
targets:
|
||||||
|
- apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
namespace: "{{ request.object.metadata.namespace }}"
|
||||||
|
name: "{{ request.object.metadata.name }}"
|
||||||
|
patchStrategicMerge:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
org: "{{ org }}"
|
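Review bot: Nothing in the policy says that one of the two trigger ConfigMaps is meant to fail: the target is addressed by `name: "{{ request.object.metadata.name }}"`, and of `test-org-1` and `test-org-2` only the former has a Pod of that name in this commit. A comment above `targets:` would make the intent visible, for example `# test-org-2 has no Pod of the same name, so its UpdateRequest is expected to fail`. The rule name says "org label" while the patch writes the `org` annotation, and `validationFailureAction: Enforce` has no visible effect in a policy that, as far as this file shows, contains only a mutate rule; both are worth tidying.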