From ef05ab7b29a75c4e8420fa8873fa7510a6ce1e8e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Aug 2024 11:08:39 +0000 Subject: [PATCH 1/3] chore(deps): bump github.com/google/go-containerregistry (#10810) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.20.1...v0.20.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting --- go.mod | 5 ++--- go.sum | 10 ++++------ 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index a6763ad724e9..67ed13869102 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 - github.com/google/go-containerregistry v0.20.1 + github.com/google/go-containerregistry v0.20.2 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e github.com/in-toto/in-toto-golang v0.9.0 github.com/jmoiron/jsonq v0.0.0-20150511023944-e874b168d07e 
@@ -185,9 +185,8 @@ require ( github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/djherbis/times v1.6.0 // indirect - github.com/docker/cli v26.1.3+incompatible // indirect + github.com/docker/cli v27.1.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v26.1.4+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/emicklei/go-restful/v3 v3.12.1 // indirect diff --git a/go.sum b/go.sum index 6ffae7eba1b3..79878f261327 100644 --- a/go.sum +++ b/go.sum 
@@ -279,12 +279,10 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c= github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0= -github.com/docker/cli v26.1.3+incompatible h1:bUpXT/N0kDE3VUHI2r5VMsYQgi38kYuoC0oL9yt3lqc= -github.com/docker/cli v26.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU= -github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= 
@@ -453,8 +451,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0= -github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= +github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e h1:4HrYlQDhLjT1ys3ts5xGT2XKhK3qh0kbpxE8sw6Au7I= github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e/go.mod h1:8oYKXummIO/NNasXRCKr4DBziuA1MZ+VEhSQMYI8aJ0= github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg= From 60a8384fd417ca8403ecefd6ddc9c5d20d755935 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Thu, 8 Aug 2024 15:11:20 +0300 Subject: [PATCH 2/3] feat: add tests for different values of generateExisting (#10807) 
Signed-off-by: Mariam Fahmy --- api/kyverno/v1/common_types.go | 4 -- api/kyverno/v1/spec_types.go | 22 +++------ api/kyverno/v2beta1/spec_types.go | 22 +++------ pkg/background/generate/generate.go | 8 ++- pkg/policy/generate.go | 14 +++++- pkg/utils/fuzz/policy_spec.go | 6 --- .../sync-multiple-resources/policy.yaml | 2 +- .../README.md | 17 +++++++ .../chainsaw-test.yaml | 27 ++++++++++ .../existing-resources.yaml | 13 +++++ .../fail-generated-resources.yaml | 21 ++++++++ .../generated-resources.yaml | 25 ++++++++++ .../policy-ready.yaml | 9 ++++ .../policy.yaml | 49 +++++++++++++++++++ .../README.md | 17 +++++++ .../chainsaw-test.yaml | 27 ++++++++++ .../existing-resources.yaml | 13 +++++ .../fail-generated-resources.yaml | 21 ++++++++ .../generated-resources.yaml | 25 ++++++++++ .../policy-ready.yaml | 9 ++++ .../policy.yaml | 49 +++++++++++++++++++ .../policy-fail-2-ns-cluster-target.yaml | 2 +- .../policy-pass-1-ns-namespaced-target.yaml | 2 +- .../policy-pass-2-no-ns-cluster-target.yaml | 2 +- .../README.md | 7 +++ .../chainsaw-test.yaml | 14 ++++++ .../policy.yaml | 31 ++++++++++++ .../target-namespace-scope/policy-fail-1.yaml | 2 +- .../target-namespace-scope/policy-fail-2.yaml | 2 +- .../target-namespace-scope/policy-fail-3.yaml | 2 +- .../target-namespace-scope/policy-pass.yaml | 2 +- .../README.md | 7 +++ .../chainsaw-test.yaml | 14 ++++++ .../policy.yaml | 32 ++++++++++++ 34 files changed, 466 insertions(+), 53 deletions(-) create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml create mode 100644 
test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md create mode 100755 test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml create mode 100644 
test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md create mode 100755 test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 8b0071e59b1f..0204faafda17 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -781,10 +781,6 @@ type Generation struct { CloneList CloneList `json:"cloneList,omitempty" yaml:"cloneList,omitempty"` } -func (g *Generation) IsGenerateExisting() *bool { - return g.GenerateExisting -} - type CloneList struct { // Namespace specifies source resource namespace. Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index 0c59937b402d..901cf0f6514d 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go @@ -254,19 +254,16 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { return s.MutateExistingOnPolicyUpdate } -// IsGenerateExisting return GenerateExisting set value +// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true func (s *Spec) IsGenerateExisting() bool { for _, rule := range s.Rules { if rule.HasGenerate() { - isGenerateExisting := rule.Generation.IsGenerateExisting() - if isGenerateExisting != nil { - return *isGenerateExisting + isGenerateExisting := rule.Generation.GenerateExisting + if isGenerateExisting != nil && *isGenerateExisting { + return true } } } - if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate { - return true - } return s.GenerateExisting } 
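Review bot: The new doc comment on `IsGenerateExisting` in api/kyverno/v1/spec_types.go says it returns true when any generate rule sets generateExisting to true, but the last line still falls back to `s.GenerateExisting`, so a spec whose rules all set generateExisting to false while spec.generateExisting is true still reports true; the v2beta1 copy in the next hunk has the same gap. That differs from the per-rule resolution this commit adds in pkg/policy/generate.go, where an explicit false on a rule always wins over the spec-level value. Either state the fallback in the comment, `// IsGenerateExisting returns true if any generate rule sets generateExisting to true, or if no rule does and spec.generateExisting is true`, or resolve it per rule inside the loop: `v := s.GenerateExisting; if rule.Generation.GenerateExisting != nil { v = *rule.Generation.GenerateExisting }; if v { return true }` and return false after the loop.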
@@ -340,15 +337,8 @@ func (s *Spec) validateDeprecatedFields(path *field.Path) (errs field.ErrorList) errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead")) } - for _, rule := range s.Rules { - if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil { - if s.GenerateExistingOnPolicyUpdate != nil { - errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - if s.GenerateExisting { - errs = append(errs, field.Forbidden(path.Child("generateExisting"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - } + if s.GenerateExistingOnPolicyUpdate != nil { + errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) } return errs } diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go index 25a5e0ea810e..11f72bf2b33b 100644 --- a/api/kyverno/v2beta1/spec_types.go +++ b/api/kyverno/v2beta1/spec_types.go @@ -223,19 +223,16 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { return s.MutateExistingOnPolicyUpdate } -// IsGenerateExisting return GenerateExisting set value +// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true func (s *Spec) IsGenerateExisting() bool { for _, rule := range s.Rules { if rule.HasGenerate() { - isGenerateExisting := rule.Generation.IsGenerateExisting() - if isGenerateExisting != nil { - return *isGenerateExisting + isGenerateExisting := rule.Generation.GenerateExisting + if isGenerateExisting != nil && *isGenerateExisting { + return true } } } - if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate { - return true - } return s.GenerateExisting } 
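Review bot: The `field.Forbidden` message added in `validateDeprecatedFields` directs users to `spec.generate[*].generateExisting`, but the policy files in this change put the per-rule field under `spec.rules[*].generate.generateExisting` and the policy-level fallback under `spec.generateExisting`, so the hint names a path that does not exist; the v2beta1 `ValidateDeprecatedFields` hunk carries the same string. Note also that the check is now unconditional where it used to fire only when some rule set generateExisting, so any stored policy still carrying `generateExistingOnPolicyUpdate` will start failing validation — if intended, that deserves a line in the commit message. Suggested text: `"remove the deprecated field and use spec.rules[*].generate.generateExisting or spec.generateExisting instead"`.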
@@ -300,15 +297,8 @@ func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead")) } - for _, rule := range s.Rules { - if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil { - if s.GenerateExistingOnPolicyUpdate != nil { - errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - if s.GenerateExisting { - errs = append(errs, field.Forbidden(path.Child("generateExisting"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - } + if s.GenerateExistingOnPolicyUpdate != nil { + errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) } return errs } diff --git a/pkg/background/generate/generate.go b/pkg/background/generate/generate.go index a7d669c7e9c4..408f532fed79 100644 --- a/pkg/background/generate/generate.go +++ b/pkg/background/generate/generate.go @@ -95,7 +95,7 @@ func NewGenerateController( } func (c *GenerateController) ProcessUR(ur *kyvernov2.UpdateRequest) error { - logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "resource", ur.Spec.GetResource().String()) + logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "rule", ur.Spec.GetRuleName(), "resource", ur.Spec.GetResource().String()) var err error var genResources []kyvernov1.ResourceSpec logger.Info("start processing UR", "ur", ur.Name, "resourceVersion", ur.GetResourceVersion()) 
@@ -198,7 +198,7 @@ func (c *GenerateController) getTriggerForCreateOperation(spec kyvernov2.UpdateR } func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, ur kyvernov2.UpdateRequest, namespaceLabels map[string]string) ([]kyvernov1.ResourceSpec, error) { - logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "resource", ur.Spec.GetResource().String()) + logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "rule", ur.Spec.GetRuleName(), "resource", ur.Spec.GetResource().String()) logger.V(3).Info("applying generate policy rule") policy, err := c.getPolicySpec(ur) @@ -237,6 +237,10 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u var applicableRules []string // Removing UR if rule is failed. Used when the generate condition failed but ur exist for _, r := range engineResponse.PolicyResponse.Rules { + if r.Name() != ur.Spec.GetRuleName() { + continue + } + if r.Status() != engineapi.RuleStatusPass { logger.V(4).Info("querying all update requests") selector := labels.SelectorFromSet(labels.Set(map[string]string{ diff --git a/pkg/policy/generate.go b/pkg/policy/generate.go index 692d7097e43a..9ba2d616441c 100644 --- a/pkg/policy/generate.go +++ b/pkg/policy/generate.go 
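Review bot: The filter added at the top of the rules loop in `applyGenerate` skips every rule whose name differs from `ur.Spec.GetRuleName()`, so an UpdateRequest with an empty rule name (one persisted before this change, or produced by a path that does not set it — the hunk does not show every producer) now matches nothing: `applicableRules` stays empty and nothing is generated, with no log line saying why. Filtering only when a name is present preserves the previous behaviour for those URs: `if name := ur.Spec.GetRuleName(); name != "" && r.Name() != name { continue }`. A short comment would also help, e.g. `// only evaluate the rule this UR was created for`. The body of applyGenerate continues outside the hunk.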
@@ -41,10 +41,22 @@ func (pc *policyController) handleGenerateForExisting(policy kyvernov1.PolicyInt var errors []error var triggers []*unstructured.Unstructured ruleType := kyvernov2.Generate + spec := policy.GetSpec() policyNew := policy.CreateDeepCopy() policyNew.GetSpec().Rules = nil - for _, rule := range policy.GetSpec().Rules { + for _, rule := range spec.Rules { + // check if the rule sets the generateExisting field. + // if not, use the policy level setting + generateExisting := rule.Generation.GenerateExisting + if generateExisting != nil { + if !*generateExisting { + continue + } + } else if !spec.GenerateExisting { + continue + } + triggers = getTriggers(pc.client, rule, policy.IsNamespaced(), policy.GetNamespace(), pc.log) policyNew.GetSpec().SetRules([]kyvernov1.Rule{rule}) for _, trigger := range triggers { diff --git a/pkg/utils/fuzz/policy_spec.go b/pkg/utils/fuzz/policy_spec.go index 24d175e1c013..f39fed8c07e1 100644 --- a/pkg/utils/fuzz/policy_spec.go +++ b/pkg/utils/fuzz/policy_spec.go @@ -96,12 +96,6 @@ func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error) { } spec.MutateExistingOnPolicyUpdate = mutateExistingOnPolicyUpdate - generateExistingOnPolicyUpdate, err := ff.GetBool() - if err != nil { - return *spec, err - } - spec.GenerateExistingOnPolicyUpdate = &generateExistingOnPolicyUpdate - generateExisting, err := ff.GetBool() if err != nil { return *spec, err diff --git a/test/cli/test-generate/sync-multiple-resources/policy.yaml b/test/cli/test-generate/sync-multiple-resources/policy.yaml index 989217f234f6..5b9852780007 100644 --- a/test/cli/test-generate/sync-multiple-resources/policy.yaml +++ b/test/cli/test-generate/sync-multiple-resources/policy.yaml @@ -10,7 +10,7 @@ metadata: Sync Secret and Configmap from kube-system namespace spec: failurePolicy: Ignore - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - name: sync-controller-secret match: 
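Review bot: The nested `if generateExisting != nil { if !*generateExisting { continue } } else if !spec.GenerateExisting { continue }` in `handleGenerateForExisting` reads as two separate skip paths when it is one resolution (rule value overrides policy value); flattening it states the precedence in one place: `generateExisting := spec.GenerateExisting`, `if rule.Generation.GenerateExisting != nil { generateExisting = *rule.Generation.GenerateExisting }`, `if !generateExisting { continue }`. The comment above it could then read `// a rule-level generateExisting overrides spec.generateExisting; skip rules that resolve to false`. handleGenerateForExisting continues outside the hunk.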
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md new file mode 100644 index 000000000000..7cbbb9745326 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md @@ -0,0 +1,17 @@ +## Description + +This test ensures that a generate policy works as expected in case one rule sets the `generateExisting` field whereas the other don't set it. It is expected that rules which don't set the field will use the higher level value `spec.generateExisting`. + +## Expected Behavior + +1. Create two Namespaces named `red-ns` and `green-ns`. + +2. Create a policy with two generate rules: + - The first rule named `generate-network-policy` matches Namespaces sets the `generateExisting` to `true`. + - The second rule named `generate-config-map` matches Namespaces and it doesn't set the field. It is expected that the rule will use the `spec.generateExisting` value which is `false`. + +3. It is expected that a NetworkPolicy will be generated for each Namespace whereas ConfigMaps will not be generated. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml new file mode 100755 index 000000000000..125d03a4742b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml 
@@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: different-configurations-for-generate-existing +spec: + steps: + - name: step-01 + try: + - apply: + file: existing-resources.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - sleep: + duration: 3s + - name: step-04 + try: + - assert: + file: generated-resources.yaml + - error: + file: fail-generated-resources.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml new file mode 100644 index 000000000000..ab3740d2bd5c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: red-ns + labels: + color: red +--- +apiVersion: v1 +kind: Namespace +metadata: + name: green-ns + labels: + color: green diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml new file mode 100644 index 000000000000..96b86fb5dce8 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml 
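Review bot: In chainsaw-test.yaml the `sleep: 3s` in step-03 is what gives the negative check in step-04 its meaning: the `assert` on generated-resources.yaml waits for the NetworkPolicies to appear, but the `error` on fail-generated-resources.yaml only establishes that the ConfigMaps were absent at that moment, so without the pause it could pass before the background controller had processed the existing namespaces at all. A one-line comment above the sleep, `# allow the background controller to process existing namespaces before checking that no ConfigMap was generated`, would stop the next reader from deleting it as dead time; the different-generate-existing-values test has the same step layout.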
@@ -0,0 +1,21 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: red-ns +--- +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: green-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml new file mode 100644 index 000000000000..f61700ca9f7d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml @@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: red-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: green-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml new file mode 100644 index 000000000000..8017a12787c2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml new file mode 100644 index 000000000000..a2b525e9076c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml @@ -0,0 +1,49 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values +spec: + generateExisting: false + rules: + - name: generate-network-policy + match: + any: + - resources: + kinds: + - Namespace + generate: + generateExisting: true + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: default-deny + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + labels: + created-by: kyverno + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + - name: generate-config-map + match: + any: + - resources: + kinds: + - Namespace + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md new file mode 100644 index 000000000000..f183346bb5e2 --- /dev/null 
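Review bot: The ClusterPolicy in different-configurations-for-generate-existing/policy.yaml is named `different-generate-existing-values`, the same name as the policy of the sibling different-generate-existing-values test, and policy-ready.yaml in this directory asserts on that name as well; both tests also create the cluster-scoped namespaces `red-ns` and `green-ns`. If the suite ever runs these two tests concurrently, one test's policy and its generated NetworkPolicies can satisfy or break the other's assertions, and even sequentially the shared name reads as a copy-paste slip. Suggest `name: different-configurations-for-generate-existing` in both policy.yaml and policy-ready.yaml here, and test-specific namespace names in existing-resources.yaml.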
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md @@ -0,0 +1,17 @@ +## Description + +This test ensures that a generate policy works as expected in case the rules have a different value for the `generateExisting` field. + +## Expected Behavior + +1. Create two Namespaces named `red-ns` and `green-ns`. + +2. Create a policy with two generate rules: + - The first rule named `generate-network-policy` matches Namespaces sets the `generateExisting` to `true`. + - The second rule named `generate-config-map` matches Namespaces sets the `generateExisting` to `false`. + +3. It is expected that a NetworkPolicy will be generated for each Namespace whereas ConfigMaps will not be generated. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml new file mode 100755 index 000000000000..231349992ecd --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml @@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: different-generate-existing-values +spec: + steps: + - name: step-01 + try: + - apply: + file: existing-resources.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - sleep: + duration: 3s + - name: step-04 + try: + - assert: + file: generated-resources.yaml + - error: + file: fail-generated-resources.yaml 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml new file mode 100644 index 000000000000..ab3740d2bd5c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: red-ns + labels: + color: red +--- +apiVersion: v1 +kind: Namespace +metadata: + name: green-ns + labels: + color: green diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml new file mode 100644 index 000000000000..96b86fb5dce8 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: red-ns +--- +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: green-ns 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml new file mode 100644 index 000000000000..f61700ca9f7d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml @@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: red-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: green-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml new file mode 100644 index 000000000000..8017a12787c2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml new file mode 100644 index 000000000000..302c9f571267 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml 
@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: different-generate-existing-values
+spec:
+ rules:
+ - name: generate-network-policy
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ generateExisting: true
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ - name: generate-config-map
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ generateExisting: false
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml
index 10821ad2a71c..3a1e4566707d 100644
--- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: target-namespace-scope-pass-1
 spec:
- generateExistingOnPolicyUpdate: true
+ generateExisting: true
 rules:
 - generate:
 apiVersion: iam.aws.crossplane.io/v1beta1
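Review bot: The second rule's `generateExisting: false` for the ConfigMap is never pinned by an assertion, because generated-resources.yaml only asserts the NetworkPolicy in red-ns and green-ns. If the chainsaw-test.yaml for this directory (not visible in this chunk) does not already contain an `error:` step asserting that `zk-kafka-address` is absent from the pre-existing namespaces, the test would still pass if the flag were ignored and the ConfigMap generated everywhere. Adding that negative step is what makes the "different values" case meaningful.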
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml
index 8908257a95ca..295eaa21bd49 100644
--- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: user-per-namespace-pass-2
 spec:
- generateExistingOnPolicyUpdate: true
+ generateExisting: true
 rules:
 - generate:
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml
index bd8c77fe622d..3d2ac19a259e 100644
--- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: target-namespace-scope-pass-1
 spec:
- generateExistingOnPolicyUpdate: true
+ generateExisting: true
 rules:
 - generate:
 apiVersion: iam.aws.crossplane.io/v1beta1
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md
new file mode 100644
index 000000000000..466682496008
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures that the creation of a generate policy that makes use of `spec.generateExistingOnPolicyUpdate` is blocked since it is a deprecated field.
+
+## Expected Behavior
+
+The test passes if the policy creation is blocked, otherwise fails.
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml
new file mode 100755
index 000000000000..b160f2e70bc8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml
@@ -0,0 +1,14 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: use-generate-existing-on-policy-update
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml
new file mode 100644
index 000000000000..8969b27855b8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-policy
+spec:
+ generateExistingOnPolicyUpdate: true
+ rules:
+ - name: generate-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: blue
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
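Review bot: The `($error != null): true` check in chainsaw-test.yaml accepts any failure of the apply, so step-01 also passes when the policy is rejected for an unrelated reason (admission webhook unreachable, CRD schema mismatch) rather than because `spec.generateExistingOnPolicyUpdate` is deprecated. Asserting on the error text as well, e.g. `(contains($error, 'generateExistingOnPolicyUpdate')): true`, would tie the test to the behavior the README describes. The namespaced copy of this test (policy/use-generate-existing-on-policy-update/chainsaw-test.yaml, later in this commit) has the same check and would benefit from the same tightening.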
diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml
index 2291bdd1aa24..116b459c8ec6 100644
--- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml
+++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml
@@ -5,7 +5,7 @@ metadata:
 name: pol-target-namespace-scope-fail-1
 namespace: default
 spec:
- generateExistingOnPolicyUpdate: true
+ generateExisting: true
 rules:
 - generate:
 apiVersion: iam.aws.crossplane.io/v1beta1
diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml
index 81d76143de13..e68fe76496eb 100644
--- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml
+++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml
@@ -5,7 +5,7 @@ metadata:
 name: pol-target-namespace-scope-fail-2
 namespace: default
 spec:
- generateExistingOnPolicyUpdate: true
+ generateExisting: true
 rules:
 - generate:
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml
index 41c369ce2dfe..f09121c55ac4 100644
--- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml
+++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml
@@ -5,7 +5,7 @@ metadata:
 name: pol-target-namespace-scope-fail-3
 namespace: default
 spec:
- generateExistingOnPolicyUpdate: true
+ generateExisting: true
 rules:
 - generate:
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml
index ec0d97e11c8f..3ed90d89220c 100644
--- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml
+++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml
@@ -4,7 +4,7 @@ metadata:
 name: user-per-namespace-pass
 namespace: default
 spec:
- generateExistingOnPolicyUpdate: true
+ generateExisting: true
 rules:
 - generate:
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md
new file mode 100644
index 000000000000..466682496008
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test ensures that the creation of a generate policy that makes use of `spec.generateExistingOnPolicyUpdate` is blocked since it is a deprecated field.
+
+## Expected Behavior
+
+The test passes if the policy creation is blocked, otherwise fails.
diff --git a/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml
new file mode 100755
index 000000000000..b160f2e70bc8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml
@@ -0,0 +1,14 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: use-generate-existing-on-policy-update
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml
new file mode 100644
index 000000000000..a2e909e98096
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-policy
+ namespace: default
+spec:
+ generateExistingOnPolicyUpdate: true
+ rules:
+ - name: generate-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: blue
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
From f35b449435e0138c023b301649bfc2097f077e2c Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Thu, 8 Aug 2024 17:18:17 +0300
Subject: [PATCH 3/3] feat: add tests checking policy creation (#10816)
Signed-off-by: Mariam Fahmy
Co-authored-by: shuting
---
 .../cleanup-policy-with-clusterrole/README.md | 11 +++++++
 .../chainsaw-test.yaml | 17 ++++++++++
 .../clusterrole.yaml | 18 +++++++++++
 .../policy-assert.yaml | 5 +++
 .../policy.yaml | 13 ++++++++
 .../mutate-policy-with-clusterrole/README.md | 11 +++++++
 .../chainsaw-test.yaml | 17 ++++++++++
 .../clusterrole.yaml | 21 ++++++++++++
 .../policy-assert.yaml | 9 ++++++
 .../policy.yaml | 32 +++++++++++++++++++
 10 files changed, 154 insertions(+)
 create mode 100644 test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/README.md
 create mode 100644 test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/chainsaw-test.yaml
 create mode 100644 test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/clusterrole.yaml
 create mode 100644 test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy-assert.yaml
 create mode 100644 test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy.yaml
 create mode 100644 test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/README.md
 create mode 100644 test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/chainsaw-test.yaml
 create mode 100644 test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/clusterrole.yaml
 create mode 100644 test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy-assert.yaml
 create mode 100644 test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy.yaml
diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/README.md b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/README.md
new file mode 100644
index 000000000000..9e88be826697
--- /dev/null
+++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that a policy is successfully created since it is given the necessary permissions to delete a secret named `test-secret`.
+
+## Expected Behavior
+
+The test passes if the policy is successfully created. Otherwise, it fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/10221
diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/chainsaw-test.yaml b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/chainsaw-test.yaml
new file mode 100644
index 000000000000..66a043fa0ec7
--- /dev/null
+++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/chainsaw-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cleanup-policy-with-clusterrole
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: clusterrole.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/clusterrole.yaml b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/clusterrole.yaml
new file mode 100644
index 000000000000..a615c6241068
--- /dev/null
+++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/clusterrole.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ name: kyverno:cleanup-secrets
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - test-secret
+ verbs:
+ - list
+ - delete
diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy-assert.yaml b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy-assert.yaml
new file mode 100644
index 000000000000..523fe8d84cf7
--- /dev/null
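Review bot: The `kyverno:cleanup-secrets` ClusterRole combines `list` with `resourceNames: [test-secret]`, and Kubernetes RBAC does not grant an unfiltered list of secrets from such a rule; a list request is only matched against a resourceNames-scoped rule when it carries a `metadata.name` field selector for that name. If the cleanup controller lists secrets without that selector, the policy may still be admitted (the validation presumably focuses on delete) while the scheduled cleanup would be denied at runtime, which this test does not exercise. A comment on the verb, e.g. `# list is only authorized for requests filtered by metadata.name=test-secret`, or dropping `list` if the admission check does not require it, would make the intended grant explicit. The same caveat applies to `list`/`watch` in the `kyverno:mutate-deployments` ClusterRole added later in this commit.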
+++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: test-secret-removal
+spec: {}
diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy.yaml b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy.yaml
new file mode 100644
index 000000000000..be1f01da4289
--- /dev/null
+++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy.yaml
@@ -0,0 +1,13 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+ name: test-secret-removal
+spec:
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - test-secret
+ schedule: "*/10 * * * *"
diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/README.md b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/README.md
new file mode 100644
index 000000000000..6abe1d04cdbf
--- /dev/null
+++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that a policy is successfully created since it is given the necessary permissions to mutate a Deployment named `monitor-grafana`.
+
+## Expected Behavior
+
+The test passes if the policy is successfully created. Otherwise, it fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/9133
diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/chainsaw-test.yaml b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/chainsaw-test.yaml
new file mode 100644
index 000000000000..ab556a41b8ce
--- /dev/null
+++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/chainsaw-test.yaml
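Review bot: policy-assert.yaml for the cleanup test asserts only `spec: {}`, i.e. that a ClusterCleanupPolicy named `test-secret-removal` exists, whereas the sibling mutate test asserts a `Ready`/`True` condition on its policy. Existence is enough to prove the admission webhook did not reject the policy, which is what the README describes, but if ClusterCleanupPolicy also reports a Ready condition (not verifiable from this chunk), asserting it here would keep the two RBAC tests consistent and catch a policy that is admitted but never becomes ready.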
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: mutate-policy-with-clusterrole
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: clusterrole.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/clusterrole.yaml b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/clusterrole.yaml
new file mode 100644
index 000000000000..cc0c0b1b4618
--- /dev/null
+++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/clusterrole.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ name: kyverno:mutate-deployments
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ resourceNames:
+ - "monitor-grafana"
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy-assert.yaml b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy-assert.yaml
new file mode 100644
index 000000000000..e0768771ae24
--- /dev/null
+++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: policy-reload-on-secret-update
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy.yaml b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy.yaml
new file mode 100644
index 000000000000..f7f8f10dc0da
--- /dev/null
+++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: policy-reload-on-secret-update
+spec:
+ rules:
+ - name: update-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - applicationsecret
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: Equals
+ value: UPDATE
+ mutate:
+ mutateExistingOnPolicyUpdate: false
+ targets:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: monitor-grafana
+ patchStrategicMerge:
+ spec:
+ template:
+ metadata:
+ annotations:
+ example.com/triggerrestart: "{{ request.object.metadata.resourceVersion }}"
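Review bot: The Deployment entry under `mutate.targets` gives `name: monitor-grafana` but no `namespace`, so the fixture does not say which namespace's Deployment the `kyverno:mutate-deployments` grant is meant to cover, and a reader has to infer the resolution rule Kyverno applies to a namespace-less target. Adding an explicit `namespace:` on the target (or a one-line comment stating the intended resolution) would make this RBAC test self-describing. As a point of style, this file opens with a `---` document separator on line 1 that none of the other fixtures in this commit use; dropping it keeps the test files uniform.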