Skip to content

feat: Extend CLI to cover generate policies #3456

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 51 commits into from
May 25, 2022
Merged

feat: Extend CLI to cover generate policies #3456

merged 51 commits into from
May 25, 2022

Conversation

shubham4443
Copy link
Contributor

Related issue

Fixes #3114
Maintainers @prateekpandey14 @vyankyGH

Milestone of this PR

What type of PR is this

/kind feature

Proposed Changes

Prior to this PR, only validate and mutate policies were covered by the CLI test command. This PR adds the ability to test generate policies. A complete design proposal can be found here.

Proof Manifests

Consider this generate policy. A sample kyverno-test.yaml file for this policy would look like this -

name: deny-all-traffic
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: add-networkpolicy
    rule: default-deny
    resource: hello-world-namespace
    generatedResource: generatedResource.yaml
    kind: Namespace
    result: pass

resource.yaml is the manifest for creating Namespace resource.

apiVersion: v1
kind: Namespace
metadata:
  name: hello-world-namespace

Our test will pass if our generatedResource.yaml looks like this -

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: hello-world-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the documentation update and the link is:

Further Comments

@codecov-commenter
Copy link

codecov-commenter commented Mar 27, 2022
edited
Loading

Codecov Report

Merging #3456 (1e8dff2) into main (fbbe57f) will decrease coverage by 0.13%.
The diff coverage is 0.92%.

@@            Coverage Diff             @@
##             main    #3456      +/-   ##
==========================================
- Coverage   29.63%   29.49%   -0.14%     
==========================================
  Files         138      138              
  Lines       18377    18462      +85     
==========================================
  Hits         5446     5446              
- Misses      12268    12353      +85     
  Partials      663      663
Impacted Files Coverage Δ
cmd/cli/kubectl-kyverno/utils/common/common.go 12.86% <0.00%> (-1.04%) ⬇️
cmd/cli/kubectl-kyverno/utils/common/fetch.go 8.44% <0.00%> (ø)
pkg/background/generate/generate.go 0.00% <0.00%> (ø)
pkg/engine/background.go 0.00% <0.00%> (ø)
pkg/engine/response/response.go 0.00% <ø> (ø)
cmd/cli/kubectl-kyverno/apply/apply_command.go 17.37% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fbbe57f...1e8dff2. Read the comment docs.

This was referenced Mar 31, 2022
Closed
Closed
sonatype-lift[bot]
sonatype-lift bot reviewed Apr 14, 2022
View reviewed changes
@shubham4443 shubham4443 mentioned this pull request Apr 14, 2022
Merged
2 tasks
@shubham4443
Refactor according to new generate controller
5fd5581 
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
@shubham4443
Refactor according to new generate controller
d1fabc9 
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
sonatype-lift[bot]
sonatype-lift bot reviewed Apr 14, 2022
View reviewed changes
@shubham4443 shubham4443 marked this pull request as ready for review April 14, 2022 16:10
sonatype-lift[bot]
sonatype-lift bot reviewed May 14, 2022
View reviewed changes
sonatype-lift[bot]
sonatype-lift bot reviewed May 14, 2022
View reviewed changes
sonatype-lift[bot]
sonatype-lift bot reviewed May 14, 2022
View reviewed changes
@shubham4443
Fix linting errors
04ba817 
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
@shubham4443
Add namespace in test-image-digest test file
22add93 
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
@shubham4443
Merge branch 'main' of https://github.com/kyverno/kyverno into cli-ge…
2c1052c 
…nerate
sonatype-lift[bot]
sonatype-lift bot reviewed May 19, 2022
View reviewed changes
sonatype-lift[bot]
sonatype-lift bot reviewed May 19, 2022
View reviewed changes
sonatype-lift[bot]
sonatype-lift bot reviewed May 19, 2022
View reviewed changes
shubham4443 and others added 4 commits May 19, 2022 17:21
@shubham4443
Remove assigning namespace default if not specified
3953ddc 
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
@shubham4443
Merge branch 'main' into cli-generate
bf1f055
@shubham4443
Fix linting errors
9c4259c 
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
@prateekpandey14
Merge branch 'main' into cli-generate
61f16c6
prateekpandey14
prateekpandey14 reviewed May 24, 2022
View reviewed changes
Copy link
Contributor

@prateekpandey14 prateekpandey14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changes looks good . some minor comment

pkg/background/generate/generate.go
return nil, err
}
return resource, nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we move this helper/utils methods to pkg/background/common/util.go

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While moving c.client.GetResource throws an error because client field of GenerateController instance is not exported.

prateekpandey14
prateekpandey14 reviewed May 25, 2022
View reviewed changes
@vyankyGH
Copy link
Contributor

/lgtm

@vyankyGH vyankyGH enabled auto-merge (squash) May 25, 2022 14:05
@prateekpandey14 prateekpandey14 disabled auto-merge May 25, 2022 14:12
@prateekpandey14 prateekpandey14 enabled auto-merge (squash) May 25, 2022 14:14
@prateekpandey14 prateekpandey14 merged commit 165c5d9 into kyverno:main May 25, 2022
This was referenced May 30, 2022
Merged
Closed
@chipzoller
Copy link
Contributor

@shubham4443 now that this is available in the 1.8.0 CLI and I test using the samples, I notice if I comment out the - Egress line from the bottom of the generatedResource, it still gets scored as a Pass. Any idea why?

@shubham4443
Copy link
Contributor Author

@chipzoller I'm seeing the same issue. Not sure why it is happening.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sambhav sambhav Awaiting requested review from sambhav

3 more reviewers

@prateekpandey14 prateekpandey14 prateekpandey14 left review comments

@sonatype-lift sonatype-lift[bot] sonatype-lift[bot] left review comments

@vyankyGH vyankyGH vyankyGH approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@prateekpandey14 prateekpandey14

@vyankyGH vyankyGH

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Extend Kyverno CLI to cover generate policies
5 participants
@shubham4443 @codecov-commenter @prateekpandey14 @vyankyGH @chipzoller