fix: return the same engine response upon the update of the resource #10233

Open: wants to merge 1 commit into base: main

MariamFahmy98 (Collaborator) commented May 14, 2024

Explanation

This PR returns the same engine response in case the resource still violates the policy even after it is updated.

Related issue

Closes #10169

Milestone of this PR

/milestone 1.12.2

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

  1. Create a policy:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-multiple-replicas
  annotations:
    policies.kyverno.io/category: Best Practises
    policies.kyverno.io/minversion: 1.9.2
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Deployment,StatefulSet
    policies.kyverno.io/title: Require Multiple Replicas
    policies.kyverno.io/scored: "false"
spec:
  background: false
  rules:
    - name: require-multiple-replicas
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
              operations:
                - CREATE
                - UPDATE
      validate:
        pattern:
          spec:
            replicas: ">1"
  validationFailureAction: Audit
  2. Create the following deployment that violates the policy:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:latest
  3. Check the generated policy report:
$ kubectl get polr
NAME                                   KIND         NAME         PASS   FAIL   WARN   ERROR   SKIP   AGE
4fab9c5f-7b73-46c8-a6aa-4c4c4ad3eb5f   Deployment   nginx-test   0      0      1      0       0      9s
  4. Update the deployment by using kubectl edit. (Don't modify the replicas; you can update the container name, for example.)
  5. Check the reports:
$ kubectl get polr
NAME                                   KIND         NAME         PASS   FAIL   WARN   ERROR   SKIP   AGE
4fab9c5f-7b73-46c8-a6aa-4c4c4ad3eb5f   Deployment   nginx-test   0      0      1      0       0      102s

As expected, the policy report result isn't changed since the resource still violates the policy.

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.

Further Comments

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
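
The proof steps in the description above compare two `kubectl get polr` listings by eye. As an added example (not part of this PR or of Kyverno's code), the script below makes the same comparison mechanically, ignoring the AGE column. The function names `polr_counts` and `polr_unchanged` are hypothetical, and the two snapshots are the outputs quoted in the description.

```shell
#!/usr/bin/env bash
# Added example: check that a policy report row keeps the same result
# counters across a resource update. Snapshots are the two
# `kubectl get polr` outputs quoted in the PR description.

BEFORE='NAME                                   KIND         NAME         PASS   FAIL   WARN   ERROR   SKIP   AGE
4fab9c5f-7b73-46c8-a6aa-4c4c4ad3eb5f   Deployment   nginx-test   0      0      1      0       0      9s'

AFTER='NAME                                   KIND         NAME         PASS   FAIL   WARN   ERROR   SKIP   AGE
4fab9c5f-7b73-46c8-a6aa-4c4c4ad3eb5f   Deployment   nginx-test   0      0      1      0       0      102s'

# polr_counts KIND NAME
# Reads `kubectl get polr` table output on stdin and prints
# "PASS FAIL WARN ERROR SKIP" for the first matching row.
# Prints nothing when the resource has no report row.
polr_counts() {
  awk -v kind="$1" -v name="$2" '
    NR > 1 && $2 == kind && $3 == name { print $4, $5, $6, $7, $8; exit }'
}

# polr_unchanged KIND NAME BEFORE AFTER
# Succeeds only if the row exists in both snapshots and all five
# counters are identical. AGE is deliberately not compared.
# The body runs in a subshell so b and a do not leak to the caller.
polr_unchanged() (
  b=$(printf '%s\n' "$3" | polr_counts "$1" "$2")
  a=$(printf '%s\n' "$4" | polr_counts "$1" "$2")
  [ -n "$b" ] && [ "$b" = "$a" ]
)

# Against a live cluster the snapshots would come from running
# `kubectl get polr` before and after step 4.
if polr_unchanged Deployment nginx-test "$BEFORE" "$AFTER"; then
  echo "nginx-test: report result unchanged after update"
else
  echo "nginx-test: report result changed or missing after update"
fi
```
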

codecov bot commented May 14, 2024

Codecov Report

Attention: Patch coverage is 0%, with 1 line in your changes missing coverage. Please review.

Project coverage is 10.15%. Comparing base (25cb47e) to head (05e5bd3).
Report is 31 commits behind head on main.

Files Patch % Lines
...kg/engine/handlers/validation/validate_resource.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main   #10233   +/-   ##
=======================================
  Coverage   10.15%   10.15%           
=======================================
  Files        1030     1030           
  Lines       91816    91816           
=======================================
  Hits         9325     9325           
  Misses      81471    81471           
  Partials     1020     1020           

Successfully merging this pull request may close these issues.

[Bug] Skipping a resource re-validation overwrites to original result