
issue-5100:added logic to check nsPolicies #18

Open. Wants to merge 5 commits into base: develop

Conversation

SANSKARJAIN2

@SANSKARJAIN2 SANSKARJAIN2 commented Nov 2, 2022

Signed-off-by: SANSKARJAIN2 [email protected]

Explanation

Upon editing the generated resource, only cluster policies are fetched to synchronize the resource with the source. This PR contains logic to support sync when the resource is generated via a namespaced policy.

Related issue

closes: 5100

Milestone of this PR

What type of PR is this

Proposed Changes

In order to sync the generated resource with the source resource when the generated resource is edited, only the cluster policies were fetched.
To detect which policy to fetch (cluster or namespaced), a new label is introduced, policy.kyverno.io/policy-kind, which can have either Namespace or Cluster, indicating the kind of policy that created this resource.
The default behavior is to fetch cluster policies.

Proof Manifests

1. Create a namespace `poltest`:

```shell
kubectl create ns poltest
```

output:

```text
namespace/poltest created
```

2. Create a secret named `regcred`:

```shell
kubectl -n poltest create secret generic regcred --from-literal=foo=bar
```

output:

```text
secret/regcred created
```

3. Create the policy:

```yaml
apiVersion: kyverno.io/v2beta1
kind: Policy
metadata:
  name: pol-sync-clone
  namespace: poltest
spec:
  rules:
  - name: gen-zk
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
    generate:
      apiVersion: v1
      kind: Secret
      name: myclonedsecret
      namespace: poltest
      synchronize: true
      clone:
        namespace: poltest
        name: regcred
```

output:

```text
policy.kyverno.io/pol-sync-clone created
```

4. Create a ConfigMap in the `poltest` namespace:

```shell
kubectl -n poltest create cm foo --from-literal=foo=bar
```

output:

```text
configmap/foo created
```

5. Verify that the secret `myclonedsecret` is created in the `poltest` namespace and has the same value as `regcred` in the `poltest` namespace:

```shell
kubectl get secrets -n poltest
```

output:

```text
NAME             TYPE     DATA   AGE
myclonedsecret   Opaque   1      42s
regcred          Opaque   1      2m42s
```

```shell
kubectl get secret myclonedsecret -n poltest -o=yaml
```

output:

```yaml
apiVersion: v1
data:
  foo: YmFy
kind: Secret
metadata:
  creationTimestamp: "2022-11-06T21:31:45Z"
  labels:
    app.kubernetes.io/managed-by: kyverno
    kyverno.io/generated-by-kind: ConfigMap
    kyverno.io/generated-by-name: foo
    kyverno.io/generated-by-namespace: poltest
    policy.kyverno.io/gr-name: ur-xlsxq
    policy.kyverno.io/policy-name: pol-sync-clone
    policy.kyverno.io/synchronize: enable
  name: myclonedsecret
  namespace: poltest
  resourceVersion: "125834"
  uid: f1006624-486e-4c8a-ac76-d019d9be1b9c
type: Opaque
```

6. Edit `myclonedsecret` and wait for 2-3 seconds:

```shell
kubectl edit secret myclonedsecret -n poltest
```

output:

```text
secret/myclonedsecret edited
```

7. Verify that `myclonedsecret` is reverted to the original value (same as `regcred`).

Before fix:

```shell
$ kubectl get secret myclonedsecret -n poltest -o=yaml
```

```yaml
apiVersion: v1
data:
  foo: dGVzdA==
kind: Secret
metadata:
  creationTimestamp: "2022-11-06T21:31:45Z"
  labels:
    app.kubernetes.io/managed-by: kyverno
    kyverno.io/generated-by-kind: ConfigMap
    kyverno.io/generated-by-name: foo
    kyverno.io/generated-by-namespace: poltest
    policy.kyverno.io/gr-name: ur-xlsxq
    policy.kyverno.io/policy-name: pol-sync-clone
    policy.kyverno.io/synchronize: enable
  name: myclonedsecret
  namespace: poltest
  resourceVersion: "126221"
  uid: f1006624-486e-4c8a-ac76-d019d9be1b9c
type: Opaque
```

After fix:

```shell
$ kubectl get secret myclonedsecret -n poltest -o=yaml
```

```yaml
apiVersion: v1
data:
  foo: YmFy
kind: Secret
metadata:
  creationTimestamp: "2022-11-06T21:48:32Z"
  labels:
    app.kubernetes.io/managed-by: kyverno
    kyverno.io/generated-by-kind: ConfigMap
    kyverno.io/generated-by-name: foo
    kyverno.io/generated-by-namespace: poltest
    policy.kyverno.io/gr-name: ur-qrvqb
    policy.kyverno.io/policy-kind: Namespace
    policy.kyverno.io/policy-name: pol-sync-clone
    policy.kyverno.io/synchronize: enable
  name: myclonedsecret
  namespace: poltest
  resourceVersion: "127138"
  uid: cb9ea29d-16d2-4c25-a15d-5af5679c6641
type: Opaque
```

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the documentation update and the link is:

Further Comments
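The following is an added illustration of the label-driven lookup this PR describes; it is not code from this PR or from Kyverno. It shows the decision the sync path has to make when a generated resource is edited: read `policy.kyverno.io/policy-name` and the new `policy.kyverno.io/policy-kind` label, default to a cluster policy when the kind label is absent (the PR's stated default), and fetch a namespaced `Policy` only when the label says `Namespace`. The sample labels are a constructed copy of the "after fix" output above. Two choices are assumptions of this example rather than anything the PR states: the namespaced `Policy` is assumed to live in the same namespace as the generated resource (as in the proof manifests), and an unrecognized `policy-kind` value is rejected rather than silently treated as `Cluster`, because the label sits on a mutable object and should be treated as untrusted input. `LegacyPolicyRef` models the pre-fix behaviour for contrast.

```go
package main

import "fmt"

// Label keys as they appear on the generated Secret in the proof manifests.
// LabelPolicyKind is the label this PR introduces.
const (
	LabelPolicyName = "policy.kyverno.io/policy-name"
	LabelPolicyKind = "policy.kyverno.io/policy-kind"
)

// PolicyRef is the policy object the sync logic has to fetch.
type PolicyRef struct {
	Kind      string // "ClusterPolicy" or "Policy"
	Namespace string // set only for a namespaced Policy
	Name      string
}

// SampleGeneratedSecretLabels is a constructed copy of the labels shown on
// myclonedsecret in the "after fix" output of the proof manifests.
var SampleGeneratedSecretLabels = map[string]string{
	"app.kubernetes.io/managed-by":      "kyverno",
	"kyverno.io/generated-by-kind":      "ConfigMap",
	"kyverno.io/generated-by-name":      "foo",
	"kyverno.io/generated-by-namespace": "poltest",
	"policy.kyverno.io/gr-name":         "ur-qrvqb",
	LabelPolicyKind:                     "Namespace",
	LabelPolicyName:                     "pol-sync-clone",
	"policy.kyverno.io/synchronize":     "enable",
}

// LegacyPolicyRef models the pre-fix behaviour: the policy name is always
// looked up as a ClusterPolicy, so a resource generated by a namespaced
// Policy can never be re-synchronized with its source.
func LegacyPolicyRef(labels map[string]string) PolicyRef {
	return PolicyRef{Kind: "ClusterPolicy", Name: labels[LabelPolicyName]}
}

// ResolvePolicyRef decides which policy to fetch when a generated resource is
// re-synchronized. resourceNamespace is the namespace of the generated
// resource. A missing policy-kind label means "Cluster" (the PR's default for
// resources generated before the label existed). Any other value is rejected
// rather than mapped to a cluster policy: this is a hardening choice of the
// example, since the labels live on a user-editable object.
func ResolvePolicyRef(labels map[string]string, resourceNamespace string) (PolicyRef, error) {
	name := labels[LabelPolicyName]
	if name == "" {
		return PolicyRef{}, fmt.Errorf("label %s is missing or empty", LabelPolicyName)
	}
	kind, ok := labels[LabelPolicyKind]
	if !ok {
		kind = "Cluster"
	}
	switch kind {
	case "Cluster":
		return PolicyRef{Kind: "ClusterPolicy", Name: name}, nil
	case "Namespace":
		// Assumption of this example: a namespaced Policy generates into its
		// own namespace, so the Policy is looked up where the resource lives.
		if resourceNamespace == "" {
			return PolicyRef{}, fmt.Errorf("policy-kind Namespace on a resource with no namespace")
		}
		return PolicyRef{Kind: "Policy", Namespace: resourceNamespace, Name: name}, nil
	default:
		return PolicyRef{}, fmt.Errorf("unexpected %s value %q", LabelPolicyKind, kind)
	}
}

func main() {
	// Pre-fix: the namespaced policy is looked up as a ClusterPolicy and not found.
	fmt.Printf("legacy: %+v\n", LegacyPolicyRef(SampleGeneratedSecretLabels))

	// Post-fix: the kind label routes the lookup to Policy poltest/pol-sync-clone.
	ref, err := ResolvePolicyRef(SampleGeneratedSecretLabels, "poltest")
	fmt.Printf("fixed:  %+v err=%v\n", ref, err)

	// No kind label at all falls back to the cluster policy.
	ref, err = ResolvePolicyRef(map[string]string{LabelPolicyName: "add-labels"}, "poltest")
	fmt.Printf("default: %+v err=%v\n", ref, err)

	// A tampered or unknown kind value is reported instead of being trusted.
	_, err = ResolvePolicyRef(map[string]string{LabelPolicyName: "x", LabelPolicyKind: "Bogus"}, "poltest")
	fmt.Printf("unknown kind: err=%v\n", err)
}
```

The resolver only decides which object to fetch; the actual sync still has to compare the fetched policy's generate rule against the edited resource, exactly as the proof manifests show the value being reverted to `YmFy`.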


@shahpratikr shahpratikr left a comment


please add unit tests

pkg/common/common.go: review thread resolved

@sandeshlmore sandeshlmore left a comment


lgtm

5 participants