Disable auto-gen when a rule has mixed of kinds: pod & pod controllers #1847
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
One additional question - what happens if the user sets the annotation but there are multiple controllers? Do we need a validation check for that? Any other auto-gen related validation checks we need to add?
@@ -224,8 +224,8 @@ func GeneratePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (p | |||
|
missing "// scenario C"?
I meant in the comments....
The comment was added to another place, not so obvious to see:
kyverno/pkg/policymutation/policymutation.go
Lines 320 to 321 in 2704e40
// generateRulePatches generates rule for podControllers based on scenario A and C
func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) {
* Fix Dev setup * make kind required in MatchResources * add test cases Co-authored-by: vyankatesh <vyankatesh@neualto.com>
…ogen_metadata Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Shuting Zhao <shutting06@gmail.com> # Conflicts: # pkg/policy/validate_test.go # pkg/policymutation/policymutation.go
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
593109c to ee65334
Good catch! I added the logic to handle this scenario automatically: when the predefined controllers are invalid, Kyverno overwrites them to "none". Added tests:
kyverno/pkg/policymutation/policymutation_test.go
Lines 222 to 229 in ee65334
@@ -1293,39 +1293,24 @@ func Test_checkAutoGenRules(t *testing.T) { | |||
expectedResult bool |
The tests added in the previous PR were duplicated, updated to cover other scenarios.
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Related issue
Closes #1805.
What type of PR is this
Proposed Changes
When there are mixed kinds (Pod & Pod controllers) defined in match.resources.kinds or exclude.resources.kinds, the auto-gen is disabled.
Proof Manifests
Create the following policy:
The auto-gen is automatically disabled by pod-policies.kyverno.io/autogen-controllers: none:
Checklist
Further Comments
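One way to express the check described under Proposed Changes, as an added example that is not Kyverno's code. The `Rule` type, the function names and the pod-controller list are assumptions made for this sketch, and each kinds list is checked on its own.

```go
package main

import "fmt"

// Annotation key quoted in the PR description.
const autogenAnnotation = "pod-policies.kyverno.io/autogen-controllers"

// Assumed pod-controller kinds for this sketch; the page does not list them.
var podControllers = map[string]bool{
	"DaemonSet": true, "Deployment": true, "Job": true, "StatefulSet": true, "CronJob": true,
}

// Rule is a hypothetical, simplified stand-in for a policy rule.
type Rule struct {
	Name         string
	MatchKinds   []string // match.resources.kinds
	ExcludeKinds []string // exclude.resources.kinds
}

// mixesPodAndControllers reports whether one kinds list names Pod
// together with at least one pod controller.
func mixesPodAndControllers(kinds []string) bool {
	hasPod, hasController := false, false
	for _, k := range kinds {
		switch {
		case k == "Pod":
			hasPod = true
		case podControllers[k]:
			hasController = true
		}
	}
	return hasPod && hasController
}

// autogenControllers returns the annotation value to apply. Any rule with
// mixed kinds forces "none", even if the user requested controllers.
func autogenControllers(rules []Rule, requested string) string {
	for _, r := range rules {
		if mixesPodAndControllers(r.MatchKinds) || mixesPodAndControllers(r.ExcludeKinds) {
			return "none"
		}
	}
	return requested
}

func main() {
	// Constructed sample rule, not the policy from the PR.
	rules := []Rule{{Name: "check-image", MatchKinds: []string{"Pod", "Deployment"}}}
	fmt.Printf("%s: %s\n", autogenAnnotation, autogenControllers(rules, "Deployment,StatefulSet"))
}
```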