merge main

Signed-off-by: ShutingZhao <[email protected]>

api/kyverno/v1/common_types.go

@@ -781,10 +781,6 @@ type Generation struct {
 	CloneList CloneList `json:"cloneList,omitempty" yaml:"cloneList,omitempty"`
 }
 
-func (g *Generation) IsGenerateExisting() *bool {
-	return g.GenerateExisting
-}
-
 type CloneList struct {
 	// Namespace specifies source resource namespace.
 	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`

api/kyverno/v1/spec_types.go

@@ -254,19 +254,16 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
 	return s.MutateExistingOnPolicyUpdate
 }
 
-// IsGenerateExisting return GenerateExisting set value
+// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true
 func (s *Spec) IsGenerateExisting() bool {
 	for _, rule := range s.Rules {
 		if rule.HasGenerate() {
-			isGenerateExisting := rule.Generation.IsGenerateExisting()
-			if isGenerateExisting != nil {
-				return *isGenerateExisting
+			isGenerateExisting := rule.Generation.GenerateExisting
+			if isGenerateExisting != nil && *isGenerateExisting {
+				return true
 			}
 		}
 	}
-	if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate {
-		return true
-	}
 	return s.GenerateExisting
 }
 
@@ -340,15 +337,8 @@ func (s *Spec) validateDeprecatedFields(path *field.Path) (errs field.ErrorList)
 		errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead"))
 	}
 
-	for _, rule := range s.Rules {
-		if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil {
-			if s.GenerateExistingOnPolicyUpdate != nil {
-				errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead"))
-			}
-			if s.GenerateExisting {
-				errs = append(errs, field.Forbidden(path.Child("generateExisting"), "remove the deprecated field and use spec.generate[*].generateExisting instead"))
-			}
-		}
+	if s.GenerateExistingOnPolicyUpdate != nil {
+		errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead"))
 	}
 	return errs
 }

api/kyverno/v2beta1/spec_types.go

@@ -223,19 +223,16 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
 	return s.MutateExistingOnPolicyUpdate
 }
 
-// IsGenerateExisting return GenerateExisting set value
+// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true
 func (s *Spec) IsGenerateExisting() bool {
 	for _, rule := range s.Rules {
 		if rule.HasGenerate() {
-			isGenerateExisting := rule.Generation.IsGenerateExisting()
-			if isGenerateExisting != nil {
-				return *isGenerateExisting
+			isGenerateExisting := rule.Generation.GenerateExisting
+			if isGenerateExisting != nil && *isGenerateExisting {
+				return true
 			}
 		}
 	}
-	if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate {
-		return true
-	}
 	return s.GenerateExisting
 }
 
@@ -300,15 +297,8 @@ func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList)
 		errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead"))
 	}
 
-	for _, rule := range s.Rules {
-		if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil {
-			if s.GenerateExistingOnPolicyUpdate != nil {
-				errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead"))
-			}
-			if s.GenerateExisting {
-				errs = append(errs, field.Forbidden(path.Child("generateExisting"), "remove the deprecated field and use spec.generate[*].generateExisting instead"))
-			}
-		}
+	if s.GenerateExistingOnPolicyUpdate != nil {
+		errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead"))
 	}
 	return errs
 }

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/go-logr/logr v1.4.2
 	github.com/go-logr/zapr v1.3.0
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49
-	github.com/google/go-containerregistry v0.20.1
+	github.com/google/go-containerregistry v0.20.2
 	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/jmoiron/jsonq v0.0.0-20150511023944-e874b168d07e
@@ -185,9 +185,8 @@ require (
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
-	github.com/docker/cli v26.1.3+incompatible // indirect
+	github.com/docker/cli v27.1.1+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v26.1.4+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect

go.sum

@@ -279,12 +279,10 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v26.1.3+incompatible h1:bUpXT/N0kDE3VUHI2r5VMsYQgi38kYuoC0oL9yt3lqc=
-github.com/docker/cli v26.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE=
+github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
-github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
 github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
@@ -453,8 +451,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0=
-github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo=
+github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8=
 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e h1:4HrYlQDhLjT1ys3ts5xGT2XKhK3qh0kbpxE8sw6Au7I=
 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e/go.mod h1:8oYKXummIO/NNasXRCKr4DBziuA1MZ+VEhSQMYI8aJ0=
 github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=

pkg/background/generate/generate.go

@@ -92,7 +92,11 @@ func NewGenerateController(
 }
 
 func (c *GenerateController) ProcessUR(ur *kyvernov2.UpdateRequest) error {
+<<<<<<< HEAD
 	logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey())
+=======
+	logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "rule", ur.Spec.GetRuleName(), "resource", ur.Spec.GetResource().String())
+>>>>>>> main
 	var err error
 	var genResources []kyvernov1.ResourceSpec
 	logger.Info("start processing UR", "ur", ur.Name, "resourceVersion", ur.GetResourceVersion())
@@ -239,7 +243,55 @@ func (c *GenerateController) applyGenerate(trigger unstructured.Unstructured, ur
 
 	var applicableRules []string
 	for _, r := range engineResponse.PolicyResponse.Rules {
+<<<<<<< HEAD
 		if r.Status() == engineapi.RuleStatusPass {
+=======
+		if r.Name() != ur.Spec.GetRuleName() {
+			continue
+		}
+
+		if r.Status() != engineapi.RuleStatusPass {
+			logger.V(4).Info("querying all update requests")
+			selector := labels.SelectorFromSet(labels.Set(map[string]string{
+				kyvernov2.URGeneratePolicyLabel:       engineResponse.Policy().GetName(),
+				kyvernov2.URGenerateResourceKindLabel: engineResponse.Resource.GetKind(),
+				kyvernov2.URGenerateResourceNSLabel:   engineResponse.Resource.GetNamespace(),
+			}))
+			// get update requests that have the resource UID label
+			requirement, err := labels.NewRequirement(kyvernov2.URGenerateResourceUIDLabel, selection.Equals, []string{string(engineResponse.Resource.GetUID())})
+			if err != nil {
+				logger.Error(err, "failed to add the resource UID label")
+			}
+			selectorWithResUID := selector.Add(*requirement)
+			urList, err := c.urLister.List(selectorWithResUID)
+			if err != nil {
+				logger.Error(err, "failed to get update request for the resource", "kind", engineResponse.Resource.GetKind(), "name", engineResponse.Resource.GetName(), "namespace", engineResponse.Resource.GetNamespace())
+				continue
+			}
+
+			if len(urList) == 0 {
+				// get update requests that have the resource name label
+				requirement, err = labels.NewRequirement(kyvernov2.URGenerateResourceNameLabel, selection.Equals, []string{engineResponse.Resource.GetName()})
+				if err != nil {
+					logger.Error(err, "failed to add the resource name label")
+					continue
+				}
+				selectorWithResName := selector.Add(*requirement)
+				urList, err = c.urLister.List(selectorWithResName)
+				if err != nil {
+					logger.Error(err, "failed to get update request for the resource", "kind", engineResponse.Resource.GetKind(), "name", engineResponse.Resource.GetName(), "namespace", engineResponse.Resource.GetNamespace())
+					continue
+				}
+			}
+
+			for _, v := range urList {
+				err := c.kyvernoClient.KyvernoV2().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), v.GetName(), metav1.DeleteOptions{})
+				if err != nil {
+					logger.Error(err, "failed to delete update request")
+				}
+			}
+		} else {
+>>>>>>> main
 			applicableRules = append(applicableRules, r.Name())
 		}
 	}

pkg/policy/generate.go

@@ -26,10 +26,6 @@ func (pc *policyController) handleGenerate(policyKey string, policy kyvernov1.Po
 		return err
 	}
 
-	if !policy.GetSpec().IsGenerateExisting() {
-		return nil
-	}
-
 	logger.V(4).Info("reconcile policy with generateExisting enabled")
 	if err := pc.handleGenerateForExisting(policy); err != nil {
 		logger.Error(err, "failed to create UR for generateExisting")
@@ -80,6 +76,18 @@ func (pc *policyController) handleGenerateForExisting(policy kyvernov1.PolicyInt
 		if !rule.HasGenerate() {
 			continue
 		}
+
+		// check if the rule sets the generateExisting field.
+		// if not, use the policy level setting
+		generateExisting := rule.Generation.GenerateExisting
+		if generateExisting != nil {
+			if !*generateExisting {
+				continue
+			}
+		} else if !policy.GetSpec().GenerateExisting {
+			continue
+		}
+
 		triggers = getTriggers(pc.client, rule, policy.IsNamespaced(), policy.GetNamespace(), pc.log)
 		policyNew.GetSpec().SetRules([]kyvernov1.Rule{rule})
 		for _, trigger := range triggers {

pkg/utils/fuzz/policy_spec.go

@@ -96,12 +96,6 @@ func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error) {
 	}
 	spec.MutateExistingOnPolicyUpdate = mutateExistingOnPolicyUpdate
 
-	generateExistingOnPolicyUpdate, err := ff.GetBool()
-	if err != nil {
-		return *spec, err
-	}
-	spec.GenerateExistingOnPolicyUpdate = &generateExistingOnPolicyUpdate
-
 	generateExisting, err := ff.GetBool()
 	if err != nil {
 		return *spec, err

test/cli/test-generate/sync-multiple-resources/policy.yaml

@@ -10,7 +10,7 @@ metadata:
       Sync Secret and Configmap from kube-system namespace
 spec:
   failurePolicy: Ignore
-  generateExistingOnPolicyUpdate: true
+  generateExisting: true
   rules:
   - name: sync-controller-secret
     match:

test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md

@@ -0,0 +1,17 @@
+## Description
+
+This test ensures that a generate policy works as expected in case one rule sets the `generateExisting` field whereas the other don't set it. It is expected that rules which don't set the field will use the higher level value `spec.generateExisting`. 
+
+## Expected Behavior
+
+1. Create two Namespaces named `red-ns` and `green-ns`.
+
+2. Create a policy with two generate rules:
+    - The first rule named `generate-network-policy` matches Namespaces sets the `generateExisting` to `true`.
+    - The second rule named `generate-config-map` matches Namespaces and it doesn't set the field. It is expected that the rule will use the `spec.generateExisting` value which is `false`.
+
+3. It is expected that a NetworkPolicy will be generated for each Namespace whereas ConfigMaps will not be generated.
+
+## Reference Issue(s)
+
+N/A

test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml

@@ -0,0 +1,27 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: different-configurations-for-generate-existing
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: existing-resources.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-03
+    try:
+    - sleep:
+        duration: 3s
+  - name: step-04
+    try:
+    - assert:
+        file: generated-resources.yaml
+    - error:
+        file: fail-generated-resources.yaml

test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: red-ns
+  labels:
+    color: red
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: green-ns
+  labels:
+    color: green

test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+  KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+  ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+  labels:
+    somekey: somevalue
+  name: zk-kafka-address
+  namespace: red-ns
+---
+apiVersion: v1
+data:
+  KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+  ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+  labels:
+    somekey: somevalue
+  name: zk-kafka-address
+  namespace: green-ns

test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    created-by: kyverno
+  name: default-deny
+  namespace: red-ns
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    created-by: kyverno
+  name: default-deny
+  namespace: green-ns
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: different-generate-existing-values
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready