
Disable auto-gen when a rule has mixed of kinds: pod & pod controllers #1847

Merged
merged 6 commits into from Apr 29, 2021

Conversation


@realshuting realshuting commented Apr 29, 2021

Signed-off-by: Shuting Zhao shutting06@gmail.com

Related issue

Closes #1805.

What type of PR is this

/kind bug

Proposed Changes

When there are mixed kinds (Pod & Pod controllers) defined in match.resources.kinds or exclude.resources.kinds, the auto-gen is disabled.

Proof Manifests

Create the following policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-old-flux
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: block-old-flux
    match:
      resources:
        kinds:
        - Deployment
        - CronJob
        - Job
        - StatefulSet
        - DaemonSet
        - Pod
    validate:
      message: Cannot use old Flux v1 annotation.
      pattern:
        metadata:
          =(annotations):
            X(fluxcd.io/*): "*?"

The auto-gen is automatically disabled by pod-policies.kyverno.io/autogen-controllers: none:

✗ kg cpol block-old-flux -o yaml | k neat
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
  name: block-old-flux
spec:
  background: false
  rules:
  - match:
      resources:
        kinds:
        - Deployment
        - CronJob
        - Job
        - StatefulSet
        - DaemonSet
        - Pod
    name: block-old-flux
    validate:
      message: Cannot use old Flux v1 annotation.
      pattern:
        metadata:
          =(annotations):
            X(fluxcd.io/*): '*?'
  validationFailureAction: enforce

Checklist

  • I have read the contributing guidelines.
  • I have added tests that prove my fix is effective or that my feature works.
  • [] My PR contains new or altered behavior to Kyverno and
    • [] I have added or changed the documentation myself in an existing PR and the link is:
    • [] I have raised an issue in kyverno/website to track the doc update and the link is:
    • [] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.

Further Comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

@JimBugwadia JimBugwadia left a comment


One additional question - what happens if the user sets the annotation but there are multiple controllers? Do we need a validation check for that? Any other auto-gen related validation checks we need to add?

@@ -224,8 +224,8 @@ func GeneratePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (p
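Review bot: the change here lands in GeneratePodControllerRule, but the only place the thread points to for the scenario A/C explanation is the comment on generateRulePatches; a one-line reference at the modified lines saying which scenario the mixed-kinds check covers would let a reader of this function find the rationale without hunting through the file.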

Member


missing "// scenario C"?


Member


I meant in the comments....

Member Author


The comment was added to another place, not so obvious to see:

// generateRulePatches generates rule for podControllers based on scenario A and C
func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) {

pkg/policymutation/policymutation.go (outdated, resolved)
vyankyGH and others added 5 commits April 29, 2021 10:37
* Fix Dev setup

* make kind required in MatchResources

* add test cases

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
…ogen_metadata

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Shuting Zhao <shutting06@gmail.com>

# Conflicts:
#	pkg/policy/validate_test.go
#	pkg/policymutation/policymutation.go
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
@realshuting

what happens if the user sets the annotation but there are multiple controllers?

Good catch! I added the logic to handle this scenario automatically: when the predefined controllers are invalid, Kyverno overwrites it to "none". Added tests:

{
name: "rule-with-predefined-invalid-controllers",
// the annotation sits under metadata.annotations, which is where Kyverno reads it
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env","annotations":{"pod-policies.kyverno.io/autogen-controllers":"DaemonSet,Deployment,StatefulSet"}},"spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod","Deployment"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-predefined-valid-controllers",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env","annotations":{"pod-policies.kyverno.io/autogen-controllers":"none"}},"spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod","Deployment"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`),
expectedControllers: "none",
},
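As an added illustration of the two behaviours this PR describes (mixed Pod and Pod-controller kinds in match or exclude disable auto-gen, and a user-supplied controller list is overwritten to "none" in that case), here is a stand-alone Go reimplementation that is not Kyverno's own code: policyView, HasMixedKinds, ResolveAutogenControllers, the podControllers set and the sample policy are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AutogenAnnotation is the annotation Kyverno reads for the auto-gen controller list.
const AutogenAnnotation = "pod-policies.kyverno.io/autogen-controllers"

// podControllers is the assumed set of kinds auto-gen derives Pod rules for.
var podControllers = map[string]bool{"DaemonSet": true, "Deployment": true, "Job": true, "CronJob": true, "StatefulSet": true}

// kindsView and policyView are a minimal projection of a ClusterPolicy (not Kyverno's types);
// encoding/json matches field names case-insensitively, so no struct tags are needed.
type kindsView struct{ Resources struct{ Kinds []string } }
type policyView struct {
	Metadata struct{ Annotations map[string]string }
	Spec     struct{ Rules []struct{ Match, Exclude kindsView } }
}

// HasMixedKinds reports whether kinds lists Pod together with at least one Pod controller.
func HasMixedKinds(kinds []string) bool {
	pod, ctrl := false, false
	for _, k := range kinds {
		pod, ctrl = pod || k == "Pod", ctrl || podControllers[k]
	}
	return pod && ctrl
}

// ResolveAutogenControllers returns the value auto-gen should end up with: "none" when any rule
// mixes Pod with Pod controllers in match or exclude (a user-set list is overwritten, as in the
// PR's tests); otherwise the user's annotation value unchanged, or "" if it was not set.
func ResolveAutogenControllers(raw []byte) (string, error) {
	var p policyView
	if err := json.Unmarshal(raw, &p); err != nil {
		return "", err
	}
	for _, r := range p.Spec.Rules {
		if HasMixedKinds(r.Match.Resources.Kinds) || HasMixedKinds(r.Exclude.Resources.Kinds) {
			return "none", nil
		}
	}
	return p.Metadata.Annotations[AutogenAnnotation], nil
}

// MixedKindsPolicy is a constructed sample (not from the Kyverno repo): Pod + Deployment with a
// user-set controller list, which the mixed-kinds rule overrides.
var MixedKindsPolicy = []byte(`{"metadata":{"name":"set-service-labels-env","annotations":{"pod-policies.kyverno.io/autogen-controllers":"DaemonSet,Deployment,StatefulSet"}},"spec":{"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod","Deployment"]}}}]}}`)

func main() {
	v, err := ResolveAutogenControllers(MixedKindsPolicy)
	fmt.Println(v, err) // none <nil>
}
```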

@@ -1293,39 +1293,24 @@ func Test_checkAutoGenRules(t *testing.T) {
expectedResult bool
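Review bot: Test_checkAutoGenRules shrinks from 39 to 24 lines here, and the reply says the duplicated cases were replaced rather than merely deleted; worth confirming the table still keeps one entry per distinct scenario (the mixed Pod/controller kinds case from the PR description, plus the predefined-invalid and predefined-valid controller cases shown above) so the dedup does not drop coverage of the overwrite-to-"none" path.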
Member Author


The tests added in the previous PR were duplicated, updated to cover other scenarios.

Successfully merging this pull request may close these issues.

[BUG] auto-gen should not update metadata paths