From c8685966227de817bc917139b3f8f875809ffd47 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 13 Aug 2024 17:14:10 +0800 Subject: [PATCH] fix: generate existing Signed-off-by: ShutingZhao --- pkg/background/generate/generate.go | 22 ++++++-- .../README.md | 17 ++++++ .../chainsaw-test.yaml | 27 ++++++++++ .../existing-resources.yaml | 13 +++++ .../fail-generated-resources.yaml | 34 ++++++++++++ .../generated-resources.yaml | 25 +++++++++ .../policy-ready.yaml | 9 ++++ .../policy.yaml | 53 +++++++++++++++++++ .../fail-generated-resources.yaml | 13 +++++ .../generated-resources.yaml | 24 ++++----- .../policy.yaml | 4 ++ 11 files changed, 224 insertions(+), 17 deletions(-) create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/README.md create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/existing-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/fail-generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/generated-resources.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/policy-ready.yaml create mode 100644 test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/policy.yaml diff --git a/pkg/background/generate/generate.go b/pkg/background/generate/generate.go index 8101b92e1a06..cff081e90b79 100644 --- a/pkg/background/generate/generate.go +++ b/pkg/background/generate/generate.go 
@@ -196,7 +196,7 @@ func (c *GenerateController) getTriggerForCreateOperation(spec kyvernov2.UpdateR
 func (c *GenerateController) applyGenerate(trigger unstructured.Unstructured, ur kyvernov2.UpdateRequest, i int, namespaceLabels map[string]string) ([]kyvernov1.ResourceSpec, error) {
 logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey())
- logger.V(3).Info("applying generate policy rule")
+ logger.V(3).Info("applying generate policy")
 policy, err := c.getPolicyObject(ur)
 if err != nil && !apierrors.IsNotFound(err) {
@@ -210,7 +210,20 @@ func (c *GenerateController) applyGenerate(trigger unstructured.Unstructured, ur
 return nil, err
 }
- policyContext, err := common.NewBackgroundContext(logger, c.client, ur.Spec.Context, policy, &trigger, c.configuration, c.jp, namespaceLabels)
+ var rule *kyvernov1.Rule
+ p := policy.CreateDeepCopy()
+ for j := range p.GetSpec().Rules {
+ if p.GetSpec().Rules[j].Name == ruleContext.Rule {
+ rule = &p.GetSpec().Rules[j]
+ break
+ }
+ }
+ if rule == nil {
+ logger.Info("skip rule application as the rule does not exist in the updaterequest", "rule", ruleContext.Rule)
+ return nil, nil
+ }
+ p.GetSpec().SetRules([]kyvernov1.Rule{*rule})
+ policyContext, err := common.NewBackgroundContext(logger, c.client, ur.Spec.Context, p, &trigger, c.configuration, c.jp, namespaceLabels)
 if err != nil {
 return nil, err
 }
@@ -305,7 +318,6 @@ func (c *GenerateController) ApplyGeneratePolicy(log logr.Logger, policyContext
 if !slices.Contains(applicableRules, rule.Name) {
 continue
 }
-
 if rule.Generation.Synchronize {
 ruleRaw, err := json.Marshal(rule.DeepCopy())
 if err != nil {
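Review bot: The message on the `rule == nil` branch in `@@ -210` describes the wrong side of the lookup: the loop searches the policy's rules for the name carried by `ruleContext.Rule`, so what is missing is the rule in the policy, not in the update request; `logger.Info("skip rule application as the rule does not exist in the policy", "rule", ruleContext.Rule)` says what actually happened. That branch also returns `nil, nil`, which the caller will read as a successful apply that produced nothing — if a stale rule reference is deliberately tolerated, a one-line comment to that effect would spare the next reader the same question. `ruleContext` is not defined within the hunk, so I assume it is built from `ur` and `i` in the lines above. The lookup can also drop the repeated `p.GetSpec()` calls by using `slices.IndexFunc`, since the file already uses the `slices` package in the hunk at `@@ -305`. applyGenerate begins and ends outside this hunk.
```go
	p := policy.CreateDeepCopy()
	rules := p.GetSpec().Rules
	idx := slices.IndexFunc(rules, func(r kyvernov1.Rule) bool { return r.Name == ruleContext.Rule })
	if idx < 0 {
		logger.Info("skip rule application as the rule does not exist in the policy", "rule", ruleContext.Rule)
		return nil, nil
	}
	p.GetSpec().SetRules([]kyvernov1.Rule{rules[idx]})
	// … unchanged: NewBackgroundContext call and error check …
```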
@@ -327,7 +339,7 @@ func (c *GenerateController) ApplyGeneratePolicy(log logr.Logger, policyContext
 if applyRules == kyvernov1.ApplyOne && applyCount > 0 {
 break
 }
-
+ logger := log.WithValues("rule", rule.Name)
 // add configmap json data to context
 if err := c.engine.ContextLoader(policyContext.Policy(), rule)(context.TODO(), rule.Context, policyContext.JSONContext()); err != nil {
 log.Error(err, "cannot add configmaps to context")
@@ -339,7 +351,7 @@ func (c *GenerateController) ApplyGeneratePolicy(log logr.Logger, policyContext
 return nil, err
 }
- genResource, err = applyRule(log, c.client, rule, resource, policy)
+ genResource, err = applyRule(logger, c.client, rule, resource, policy)
 if err != nil {
 log.Error(err, "failed to apply generate rule", "policy", policy.GetName(), "rule", rule.Name, "resource", resource.GetName())
 return nil, err
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/README.md
new file mode 100644
index 000000000000..f183346bb5e2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/README.md
@@ -0,0 +1,17 @@
+## Description
+
+This test ensures that a generate policy works as expected in case the rules have a different value for the `generateExisting` field.
+
+## Expected Behavior
+
+1. Create two Namespaces named `red-ns` and `green-ns`.
+
+2. Create a policy with two generate rules:
+ - The first rule named `generate-network-policy` matches Namespaces sets the `generateExisting` to `true`.
+ - The second rule named `generate-config-map` matches Namespaces sets the `generateExisting` to `false`.
+
+3. It is expected that a NetworkPolicy will be generated for each Namespace whereas ConfigMaps will not be generated.
+
+## Reference Issue(s)
+
+N/A
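Review bot: The `logger` added in `@@ -327` carries the rule name but is only passed to `applyRule` in `@@ -339`; the `log.Error` call right after `ContextLoader` and the one after `applyRule` still log through the bare `log`, and the latter re-attaches `"rule", rule.Name` by hand, so the same loop body now logs the rule two different ways. Using the scoped logger for both keeps the key set consistent: `logger.Error(err, "cannot add configmaps to context")` and `logger.Error(err, "failed to apply generate rule", "policy", policy.GetName(), "resource", resource.GetName())`. Any further `log.` calls in the lines between these two hunks are not visible here and would need the same treatment. ApplyGeneratePolicy begins and ends outside these hunks.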
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/chainsaw-test.yaml new file mode 100755 index 000000000000..231349992ecd --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/chainsaw-test.yaml @@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: different-generate-existing-values +spec: + steps: + - name: step-01 + try: + - apply: + file: existing-resources.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - sleep: + duration: 3s + - name: step-04 + try: + - assert: + file: generated-resources.yaml + - error: + file: fail-generated-resources.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/existing-resources.yaml new file mode 100644 index 000000000000..ab3740d2bd5c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/existing-resources.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: red-ns + labels: + color: red +--- +apiVersion: v1 +kind: Namespace +metadata: + name: green-ns + labels: + color: green 
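Review bot: The Test object's `metadata.name` in chainsaw-test.yaml is `different-generate-existing-values`, while the directory, policy.yaml and policy-ready.yaml all use `different-generate-existing-values-reorder`. If the sibling test in `different-generate-existing-values/` uses the same Test name, which the copied layout suggests, the two runs become indistinguishable in chainsaw's report; `name: different-generate-existing-values-reorder` keeps the test, directory and policy names aligned.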
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/fail-generated-resources.yaml new file mode 100644 index 000000000000..fc1fbc522249 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/fail-generated-resources.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: red-ns +--- +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: green-ns +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: red-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/generated-resources.yaml new file mode 100644 index 000000000000..740d5d289f31 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/generated-resources.yaml 
@@ -0,0 +1,25 @@ +# apiVersion: networking.k8s.io/v1 +# kind: NetworkPolicy +# metadata: +# labels: +# created-by: kyverno +# name: default-deny +# namespace: red-ns +# spec: +# podSelector: {} +# policyTypes: +# - Ingress +# - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: green-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/policy-ready.yaml new file mode 100644 index 000000000000..73a7bc1dfb3e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values-reorder +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/policy.yaml new file mode 100644 index 000000000000..ac3ca4cad31f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values-reorder/policy.yaml 
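Review bot: The twelve commented-out lines at the top of generated-resources.yaml are dead fixture content, and the same block is left commented in the existing different-generate-existing-values/generated-resources.yaml in the hunk at `@@ -1,15 +1,15 @@`. The red-ns NetworkPolicy is now listed in fail-generated-resources.yaml, which chainsaw-test.yaml presumably checks via its `error:` step, so the absence is already asserted and the commented copy can simply be deleted. If a trace of what moved is wanted, a single line such as `# the red-ns NetworkPolicy is asserted absent in fail-generated-resources.yaml` is clearer than a commented manifest. The README in the same directory still says a NetworkPolicy is generated for each Namespace, which no longer matches a fixture that asserts it only for green-ns.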
@@ -0,0 +1,53 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values-reorder +spec: + rules: + - name: generate-config-map + match: + any: + - resources: + kinds: + - Namespace + names: + - red-ns + generate: + generateExisting: false + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" + - name: generate-network-policy + match: + any: + - resources: + kinds: + - Namespace + names: + - green-ns + generate: + generateExisting: true + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: default-deny + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + labels: + created-by: kyverno + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml index 96b86fb5dce8..fc1fbc522249 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml @@ -19,3 +19,16 @@ metadata: somekey: somevalue name: zk-kafka-address namespace: green-ns +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: red-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml
index f61700ca9f7d..740d5d289f31 100644
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml
@@ -1,15 +1,15 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- created-by: kyverno
- name: default-deny
- namespace: red-ns
-spec:
- podSelector: {}
- policyTypes:
- - Ingress
- - Egress
+# apiVersion: networking.k8s.io/v1
+# kind: NetworkPolicy
+# metadata:
+# labels:
+# created-by: kyverno
+# name: default-deny
+# namespace: red-ns
+# spec:
+# podSelector: {}
+# policyTypes:
+# - Ingress
+# - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml
index 302c9f571267..08dd7e15fec3 100644
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml
@@ -10,6 +10,8 @@ spec:
 - resources:
 kinds:
 - Namespace
+ names:
+ - green-ns
 generate:
 generateExisting: true
 kind: NetworkPolicy
@@ -32,6 +34,8 @@ spec:
 - resources:
 kinds:
 - Namespace
+ names:
+ - red-ns
 generate:
 generateExisting: false
 synchronize: true