-
Notifications
You must be signed in to change notification settings - Fork 798
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] [CLI] kyverno test are applying previous mutation rules to subsequent test cases causing failures #6816
Comments
Thanks for opening your first issue here! Be sure to follow the issue template! |
If it helps, the exact names I used were: |
Actually, I can't pin this down, seems like changing the name is not the problem, it just reordered the way the results were applied. What actually seems to be happening is mutations on prior results are getting applied, and it is affecting subsequent rules when using the same resource. So in my example above, since we have a pass -> skip
The first one seem to mutate the second one which is expecting a skip. If the first rule is commented out, the skip works as intended. |
Happen to run across this in the logs:
I think the test may be applying rules (sorted by alphabetical from the results) instead of just the specific rule specified in the test. |
Alright, pretty sure I have narrowed it down now: This means that adding a rule anywhere in the result list now gets applied to all resources in the result list. This is why when I comment one out, it starts to pass and no longer gets applied. I can see it in the logs:
https://github.com/kyverno/kyverno/blob/main/cmd/cli/kubectl-kyverno/test/test_command.go#L872 I am unsure why we would specify |
This seems like an obvious bug... |
I don't mind taking a stab at fixing this, but I need help understanding what is actually supposed to happen.
This would be a breaking change though, but makes more sense than what is currently happening. |
@mvaalexp can you provide the manifests to reproduce the issue ? I think it's fixed now the cli was refactored but i would like to confirm and add a test before closing the issue. |
Give me a few hours, I found my old test case for this and was able to recreate but it has proprietary stuff in it, let me attempt to remove it. |
@mvaalexp sure, awesome ! thanks |
I have attached the test case. |
I guess you expect both tests to pass ? |
@mvaalexp there are a couple of issues with your test.
- policy: karpenter-annotations-to-nodeselector
rule: hard-nodeselector-lifecycle-on-demand
resource: soft-pod-antiaffinity-1-copy
kind: Pod
result: skip
|
With the considerations above the cli is now fixed and it will be available in 1.11. |
When ran individually, they both succeed, when ran together, it fails. I am not at my desk at the moment, so will need to refresh my memory, the point is test 1 is altering the state of test 2 (which it shouldn't). If you comment out
from the |
We changed the cli, rules are not removed anymore. Now the CLI evaluates all policies you provide against all resources and we use that to check the test results. This is closer to what happens in real world and is easier to reason about. So now, the second test case is not skipped anymore, because of the condition: - key: "{{ request.object.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution || '' }}"
operator: NotEquals
value: ''
|
By all policies, do you mean all rules in a policy (I agree this makes more sense)? If so, then shouldn't the rule field be removed entirely?
|
Yes, we record the mutated resource per policy, not per rule, hence
That's a good question. Either something like this, or we can record the patched resource at the rule level, not sure what is best. |
Kyverno CLI Version
1.9.2
Description
If you have 2 rules in the same policy that start with the same string, it seems to process the policy twice if both are specfied in the same kyverno-test.yaml file.
I am unsure if this is supposed to be a feature or some oversight, but it was very hard to debug. Seems like if you are specifying the rule to be tested, other rules should not be applied.
Steps to reproduce
The second rule will fail because for some reason since
foo-rule-bar
starts withfoo-rule
it also applies the first result rule to resource-2. If you remove the first result rule, it passes.Expected behavior
Rule names in prior results should not affect the results of later results if the prior rule is a substring of the current rule.
Screenshots
No response
Kyverno logs
No response
Slack discussion
No response
Troubleshooting
The text was updated successfully, but these errors were encountered: