From fdc962e28c47045867cc9876b733168c979c597a Mon Sep 17 00:00:00 2001 From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com> Date: Mon, 10 Jul 2023 15:19:33 +0200 Subject: [PATCH] fix: aggregated admission report not updated correctly (#7798) (#7799) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: aggregated admission report not updated correctly * kuttl --------- 
Signed-off-by: Charles-Edouard Brétéché Co-authored-by: Charles-Edouard Brétéché --- .../report/admission/controller.go | 2 +- .../reports/admission/update/01-policy.yaml | 6 +++++ .../admission/update/02-deployment-fail.yaml | 6 +++++ .../update/03-report-fail-assert.yaml | 4 +++ .../admission/update/04-deployment-pass.yaml | 6 +++++ .../update/05-report-pass-assert.yaml | 4 +++ .../kuttl/reports/admission/update/README.md | 14 +++++++++++ .../update/deployment-fail-assert.yaml | 9 +++++++ .../admission/update/deployment-fail.yaml | 19 ++++++++++++++ .../update/deployment-pass-assert.yaml | 9 +++++++ .../admission/update/deployment-pass.yaml | 19 ++++++++++++++ .../admission/update/policy-assert.yaml | 9 +++++++ .../reports/admission/update/policy.yaml | 20 +++++++++++++++ .../admission/update/report-fail-assert.yaml | 25 +++++++++++++++++++ .../admission/update/report-pass-assert.yaml | 24 ++++++++++++++++++ 15 files changed, 175 insertions(+), 1 deletion(-) create mode 100644 test/conformance/kuttl/reports/admission/update/01-policy.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/02-deployment-fail.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/03-report-fail-assert.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/04-deployment-pass.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/05-report-pass-assert.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/README.md create mode 100644 test/conformance/kuttl/reports/admission/update/deployment-fail-assert.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/deployment-fail.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/deployment-pass-assert.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/deployment-pass.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/policy-assert.yaml create mode 100644 
test/conformance/kuttl/reports/admission/update/policy.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/report-fail-assert.yaml create mode 100644 test/conformance/kuttl/reports/admission/update/report-pass-assert.yaml
diff --git a/pkg/controllers/report/admission/controller.go b/pkg/controllers/report/admission/controller.go
index 23f5ffa3fd2e..20edb0bbf0d1 100644
--- a/pkg/controllers/report/admission/controller.go
+++ b/pkg/controllers/report/admission/controller.go
@@ -249,7 +249,7 @@ func (c *controller) aggregateReports(ctx context.Context, uid types.UID) (kyver
 if aggregated.GetResourceVersion() != "" {
 after = reportutils.DeepCopy(aggregated)
 }
- reportutils.SetResults(aggregated, results...)
+ reportutils.SetResults(after, results...)
 if after.GetResourceVersion() == "" {
 if len(results) > 0 {
 if _, err := reportutils.CreateReport(ctx, after, c.client); err != nil {
diff --git a/test/conformance/kuttl/reports/admission/update/01-policy.yaml b/test/conformance/kuttl/reports/admission/update/01-policy.yaml
new file mode 100644
index 000000000000..b088ed7601b5
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/reports/admission/update/02-deployment-fail.yaml b/test/conformance/kuttl/reports/admission/update/02-deployment-fail.yaml
new file mode 100644
index 000000000000..a8822fda8925
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/02-deployment-fail.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: deployment-fail.yaml
+assert:
+- deployment-fail-assert.yaml
diff --git a/test/conformance/kuttl/reports/admission/update/03-report-fail-assert.yaml b/test/conformance/kuttl/reports/admission/update/03-report-fail-assert.yaml
new file mode 100644
index 000000000000..b0c742e89a7c
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/03-report-fail-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- report-fail-assert.yaml
diff --git a/test/conformance/kuttl/reports/admission/update/04-deployment-pass.yaml b/test/conformance/kuttl/reports/admission/update/04-deployment-pass.yaml
new file mode 100644
index 000000000000..3d7386c246c7
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/04-deployment-pass.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: deployment-pass.yaml
+assert:
+- deployment-pass-assert.yaml
diff --git a/test/conformance/kuttl/reports/admission/update/05-report-pass-assert.yaml b/test/conformance/kuttl/reports/admission/update/05-report-pass-assert.yaml
new file mode 100644
index 000000000000..6afea66cd37f
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/05-report-pass-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- report-pass-assert.yaml
diff --git a/test/conformance/kuttl/reports/admission/update/README.md b/test/conformance/kuttl/reports/admission/update/README.md
new file mode 100644
index 000000000000..d7eca891bf4d
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/README.md
@@ -0,0 +1,14 @@
+## Description
+
+This test verifies that aggregated admission report is correctly updated when a resource changes.
+A policy in Audit mode is created.
+A deployment is created, the deployment violates the policy and we assert the admission report contains a `fail` result.
+The deployment is then updated to not violate the policy anymore and we assert the admission report changes to contain `pass` result.
+
+## Expected result
+
+When the resource does not violate the policy anymore, the result in the admission report should change from `fail` to `pass`.
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7793
\ No newline at end of file
diff --git a/test/conformance/kuttl/reports/admission/update/deployment-fail-assert.yaml b/test/conformance/kuttl/reports/admission/update/deployment-fail-assert.yaml
new file mode 100644
index 000000000000..7c8222009bb8
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/deployment-fail-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-dpl-1
+status:
+ observedGeneration: 1
+ updatedReplicas: 1
+ readyReplicas: 1
+ replicas: 1
diff --git a/test/conformance/kuttl/reports/admission/update/deployment-fail.yaml b/test/conformance/kuttl/reports/admission/update/deployment-fail.yaml
new file mode 100644
index 000000000000..0a34bd220952
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/deployment-fail.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-dpl-1
+spec:
+ selector:
+ matchLabels:
+ app: test-dpl-1
+ template:
+ metadata:
+ labels:
+ app: test-dpl-1
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: test-container
+ image: nginx:latest
diff --git a/test/conformance/kuttl/reports/admission/update/deployment-pass-assert.yaml b/test/conformance/kuttl/reports/admission/update/deployment-pass-assert.yaml
new file mode 100644
index 000000000000..2611dbe7e239
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/deployment-pass-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-dpl-1
+status:
+ observedGeneration: 2
+ updatedReplicas: 1
+ readyReplicas: 1
+ replicas: 1
diff --git a/test/conformance/kuttl/reports/admission/update/deployment-pass.yaml b/test/conformance/kuttl/reports/admission/update/deployment-pass.yaml
new file mode 100644
index 000000000000..12bc160b77c1
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/deployment-pass.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-dpl-1
+spec:
+ selector:
+ matchLabels:
+ app: test-dpl-1
+ template:
+ metadata:
+ labels:
+ app: test-dpl-1
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: test-container
+ image: nginx:1.25.1
diff --git a/test/conformance/kuttl/reports/admission/update/policy-assert.yaml b/test/conformance/kuttl/reports/admission/update/policy-assert.yaml
new file mode 100644
index 000000000000..19f475312899
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/reports/admission/update/policy.yaml b/test/conformance/kuttl/reports/admission/update/policy.yaml
new file mode 100644
index 000000000000..e296c0d44a62
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-image-tag-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Using a mutable image tag e.g. 'latest' is not allowed."
+ pattern:
+ spec:
+ containers:
+ - image: "!*:latest"
diff --git a/test/conformance/kuttl/reports/admission/update/report-fail-assert.yaml b/test/conformance/kuttl/reports/admission/update/report-fail-assert.yaml
new file mode 100644
index 000000000000..f75fdf84e746
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/report-fail-assert.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1alpha2
+kind: AdmissionReport
+metadata:
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: test-dpl-1
+spec:
+ results:
+ - message: 'validation error: Using a mutable image tag e.g. ''latest'' is not allowed.
+ rule autogen-validate-image-tag-pod failed at path /spec/template/spec/containers/0/image/'
+ policy: disallow-latest-tag
+ resources:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: test-dpl-1
+ result: fail
+ rule: autogen-validate-image-tag-pod
+ source: kyverno
+ summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
\ No newline at end of file
diff --git a/test/conformance/kuttl/reports/admission/update/report-pass-assert.yaml b/test/conformance/kuttl/reports/admission/update/report-pass-assert.yaml
new file mode 100644
index 000000000000..3e13f911baf6
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/update/report-pass-assert.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1alpha2
+kind: AdmissionReport
+metadata:
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: test-dpl-1
+spec:
+ results:
+ - message: validation rule 'autogen-validate-image-tag-pod' passed.
+ policy: disallow-latest-tag
+ resources:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: test-dpl-1
+ result: pass
+ rule: autogen-validate-image-tag-pod
+ source: kyverno
+ summary:
+ error: 0
+ fail: 0
+ pass: 1
+ skip: 0
+ warn: 0
\ No newline at end of file
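Review bot: The switch to `reportutils.SetResults(after, results...)` is only correct on the create path (`after.GetResourceVersion() == ""`) if `after` already aliases `aggregated` when the visible `if` does not run; that initialisation sits before the hunk, as does the rest of `aggregateReports`, so please confirm it rather than rely on the kuttl test alone. The reason for the change is also not obvious from the code: `DeepCopy` runs before the results are set, so the copy never carried the new results and the update path below the hunk presumably persisted a stale `after`, which is what the linked issue describes. A why-comment above the call would stop the next maintainer from "simplifying" it back, for example `// Set results on the copy: aggregated keeps the persisted state so the update path can compare before/after.`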
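Review bot: The `apply` entry in 02-deployment-fail.yaml uses the object form (`- file: deployment-fail.yaml`) while 01-policy.yaml in the same directory uses the bare path form (`- policy.yaml`), and 04-deployment-pass.yaml follows the object form again. Both forms appear to be accepted by kuttl, but using one form across the step files of a single test keeps them easier to scan; `- deployment-fail.yaml` and `- deployment-pass.yaml` would match the first step.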
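Review bot: report-fail-assert.yaml pins the full `message` text, including the engine wording 'validation error: ...' and the autogen path `/spec/template/spec/containers/0/image/`, so any rewording of the validation message breaks this test although the behaviour under test is only the `fail` to `pass` transition; report-pass-assert.yaml has the same coupling through its `message` line. The `policy`, `rule`, `result` and `summary` fields already identify the outcome unambiguously, and kuttl matches only the fields present in the assert file, so dropping the `message` key from both assert files would keep the test tied to the condition the README describes. If the message is intentionally part of the contract, a short comment in the assert file saying so would avoid the question on the next change.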