fix: ur not cleaned up when deleting namespaced policy

cmd/cli/kubectl-kyverno/test/test_command.go

@@ -67,7 +67,7 @@ applying 1 policy to 2 resources...
 kyverno test .
 
 Executing limit-containers-per-pod...
-applying 1 policy to 4 resources... 
+applying 1 policy to 4 resources...
 
 │───│──────────────────────────│──────────────────────────────────────│─────────────────────────────│────────│
 │ # │ POLICY                   │ RULE                                 │ RESOURCE                    │ RESULT │
@@ -84,7 +84,7 @@ Test Summary: 4 tests passed and 0 tests failed
 kyverno test . --test-case-selector "policy=disallow-latest-tag, rule=require-image-tag, resource=test-require-image-tag-pass"
 
 Executing test-simple...
-applying 1 policy to 1 resource... 
+applying 1 policy to 1 resource...
 
 │───│─────────────────────│───────────────────│─────────────────────────────────────────│────────│
 │ # │ POLICY              │ RULE              │ RESOURCE                                │ RESULT │
@@ -787,9 +787,7 @@ func getAndCompareResource(path string, engineResource unstructured.Unstructured
 	if err != nil {
 		log.Log.V(3).Info(resourceType+" mismatch", "error", err.Error())
 		status = "fail"
-	}
-
-	if matched == "" {
+	} else if matched == "" {
 		status = "pass"
 	}
 	return status

go.mod

@@ -14,7 +14,6 @@ require (
 	github.com/evanphx/json-patch v5.6.0+incompatible
 	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/fatih/color v1.13.0
-	github.com/gardener/controller-manager-library v0.2.0
 	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-git/go-billy/v5 v5.3.1
 	github.com/go-git/go-git/v5 v5.4.2
@@ -93,7 +92,6 @@ require (
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20220930113650-c6815a8c17ad // indirect

pkg/background/update_request_controller.go

@@ -99,7 +99,7 @@ func NewController(
 	})
 	polInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		UpdateFunc: c.updatePolicy,
-		DeleteFunc: c.deletePolicy,
+		DeleteFunc: c.deleteNSPolicy,
 	})
 
 	c.informersSynced = []cache.InformerSynced{cpolInformer.Informer().HasSynced, polInformer.Informer().HasSynced, urInformer.Informer().HasSynced, namespaceInformer.Informer().HasSynced, podInformer.Informer().HasSynced}
@@ -370,6 +370,50 @@ func (c *controller) deletePolicy(obj interface{}) {
 	}
 }
 
+func (c *controller) deleteNSPolicy(obj interface{}) {
+	p, ok := kubeutils.GetObjectWithTombstone(obj).(*kyvernov1.Policy)
+	if !ok {
+		logger.Info("Failed to get deleted object", "obj", obj)
+		return
+	}
+
+	logger.V(4).Info("deleting policy", "name", p.Name)
+	key, err := cache.MetaNamespaceKeyFunc(kubeutils.GetObjectWithTombstone(obj))
+	if err != nil {
+		logger.Error(err, "failed to load policy key")
+		return
+	}
+	logger.V(4).Info("updating policy", "key", key)
+
+	// check if deleted policy is clone generate policy
+	generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(p, c.client, c.kyvernoClient, c.urLister, p.GetName(), logger)
+
+	// get the generated resource name from update request
+	selector := labels.SelectorFromSet(labels.Set(map[string]string{
+		kyvernov1beta1.URGeneratePolicyLabel: p.Name,
+	}))
+
+	urList, err := c.urLister.List(selector)
+	if err != nil {
+		logger.Error(err, "failed to get UR for resource", "label", kyvernov1beta1.URGeneratePolicyLabel)
+		return
+	}
+
+	if !generatePolicyWithClone {
+		// re-evaluate the UR as the policy was updated
+		for _, ur := range urList {
+			logger.V(4).Info("enqueue the UR for cleanup", "UR", ur.Name)
+			c.enqueueUpdateRequest(ur)
+		}
+	} else {
+		for _, ur := range urList {
+			for _, generatedResource := range ur.Status.GeneratedResources {
+				logger.V(4).Info("retaining resource for cloned policy", "apiVersion", generatedResource.APIVersion, "kind", generatedResource.Kind, "name", generatedResource.Name, "namespace", generatedResource.Namespace)
+			}
+		}
+	}
+}
+
 func (c *controller) addUR(obj interface{}) {
 	ur := obj.(*kyvernov1beta1.UpdateRequest)
 	c.enqueueUpdateRequest(ur)

pkg/policy/updaterequest.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/gardener/controller-manager-library/pkg/logger"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	common "github.com/kyverno/kyverno/pkg/background/common"
@@ -129,15 +128,15 @@ func (pc *PolicyController) handleUpdateRequest(ur *kyvernov1beta1.UpdateRequest
 func (pc *PolicyController) listMutateURs(policyKey string, trigger *unstructured.Unstructured) []*kyvernov1beta1.UpdateRequest {
 	mutateURs, err := pc.urLister.List(labels.SelectorFromSet(common.MutateLabelsSet(policyKey, trigger)))
 	if err != nil {
-		logger.Error(err, "failed to list update request for mutate policy")
+		pc.log.Error(err, "failed to list update request for mutate policy")
 	}
 	return mutateURs
 }
 
 func (pc *PolicyController) listGenerateURs(policyKey string, trigger *unstructured.Unstructured) []*kyvernov1beta1.UpdateRequest {
 	generateURs, err := pc.urLister.List(labels.SelectorFromSet(common.GenerateLabelsSet(policyKey, trigger)))
 	if err != nil {
-		logger.Error(err, "failed to list update request for generate policy")
+		pc.log.Error(err, "failed to list update request for generate policy")
 	}
 	return generateURs
 }

pkg/policy/validate.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/distribution/distribution/reference"
 	jsonpatch "github.com/evanphx/json-patch/v5"
-	"github.com/gardener/controller-manager-library/pkg/logger"
 	"github.com/jmespath/go-jmespath"
 	"github.com/jmoiron/jsonq"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
@@ -158,7 +157,7 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
 			if discovery.IsGroupDiscoveryFailedError(err) {
 				err := err.(*discovery.ErrGroupDiscoveryFailed)
 				for gv, err := range err.Groups {
-					logger.Error(err, "failed to list api resources", "group", gv)
+					logging.Error(err, "failed to list api resources", "group", gv)
 				}
 			} else {
 				return warnings, err

test/conformance/kuttl/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/00-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - policy.yaml
+assert:
+  - policy-assert.yaml

test/conformance/kuttl/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/01-deployment.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - resources.yaml
+assert:
+  - resources-assert.yaml

test/conformance/kuttl/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test checks that document references with special characters in their names are supported.
+
+## Expected Behavior
+
+JMESPath references generated when documents are traversed are escaped properly according to the JMESPath standard.
+
+## Reference Issue(s)
+
+3578
+3616

test/conformance/kuttl/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: jmespath-with-special-chars-demo
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/policy.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: jmespath-with-special-chars-demo
+spec:
+  rules:
+    - name: format-deploy-zone
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            labels:
+              deploy-zone: "{{ to_upper('{{@}}') }}"
+    - name: retention-adjust
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            labels:
+              corp.com/retention: "{{ regex_replace_all('([0-9])([0-9])', '{{ @ }}', '${1}0') }}"

test/conformance/kuttl/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/resources-assert.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: busybox
+  labels:
+    deploy-zone: FRANKFURT
+    corp.com/retention: days_30

test/conformance/kuttl/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/resources.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: busybox
+  labels:
+    deploy-zone: frankfurt
+    corp.com/retention: days_37
+spec:
+  containers:
+    - name: busybox
+      image: busybox:stable
+      command: ["sleep", "600"]