Description
Problem Statement
In cases where generate rules are used with synchronization enabled, Kyverno resists all forms of tampering on the generated (downstream) resource and re-syncs it from the source, whether that source is defined in the rule (`data` type) or taken from a preexisting resource (`clone` type). Sometimes users want to permit only specific modifications to these synchronized resources, for example modifications to the `metadata` contents for things like annotations and labels. This is an ability supported by Red Hat's Namespace Configuration Operator (NCO) that would be nice to support in Kyverno.

One difference to point out is that NCO currently does this implicitly (and does not appear to offer a way to disable it) for the `metadata`, `status` and `spec.replicas` fields. Kyverno should probably not adopt that path; it should instead implicitly deny all forms of external changes and then give users an opt-in ability, via a new field under the `generate` object, to allow only specific fields to be changed.
This is an example of how one would allow changes to the `spec.hard` object in a ResourceQuota with NCO:

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: NamespaceConfig
metadata:
  name: small-namespace
spec:
  labelSelector:
    matchLabels:
      size: small
  templates:
  - excludedPaths:
    - .spec.hard
    objectTemplate: |
      apiVersion: v1
      kind: ResourceQuota
      metadata:
        name: small-size
        namespace: {{ .Name }}
      spec:
        hard:
          requests.cpu: "4"
          requests.memory: "2Gi"
```
Solution Description
Allow a user to define, in a generate rule, which field(s) should be changeable when synchronization is enabled.
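To make the request concrete, the following is an added example (not from the issue author and not an existing Kyverno feature) of the equivalent `generate` rule as Kyverno supports it today: a `data`-type rule with `synchronize: true` that creates the same ResourceQuota in every Namespace labelled `size: small`. With synchronization on, any external edit to `spec.hard` on the generated ResourceQuota is reverted to the policy's values. The policy and rule names and the Namespace label selector are assumptions, and the commented-out opt-in field at the end is a placeholder to show where such a setting would sit under `generate`; its name and shape are hypothetical.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: small-namespace-quota      # assumed policy name
spec:
  rules:
  - name: generate-small-quota     # assumed rule name
    match:
      any:
      - resources:
          kinds:
          - Namespace
          selector:
            matchLabels:
              size: small          # assumed label, mirrors the NCO example
    generate:
      # With synchronize: true, Kyverno re-syncs the downstream resource
      # from the data below whenever it drifts, so a manual change to
      # spec.hard on the generated ResourceQuota is reverted.
      synchronize: true
      apiVersion: v1
      kind: ResourceQuota
      name: small-size
      namespace: "{{request.object.metadata.name}}"
      data:
        spec:
          hard:
            requests.cpu: "4"
            requests.memory: "2Gi"
      # HYPOTHETICAL placeholder, not a real Kyverno field: an opt-in list
      # of paths that synchronization would leave untouched, in the spirit
      # of NCO's excludedPaths. Everything not listed stays deny-by-default.
      # allowedChanges:
      # - spec.hard
```

The default-deny shape matters from a security standpoint: listing only the paths that may drift keeps the generated resource's remaining fields (for example quota values an administrator relies on) under policy control, rather than silently exempting whole sections the way an implicit exclusion list does.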
Alternatives
No response
Additional Context
Semi-related to #2030
Slack discussion
No response
Research
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.