fix: send notification when stoping watching resource in reports syst…

…em (kyverno#5298) * fix: send notification when stoping watching resource in reports system Signed-off-by: Charles-Edouard Brétéché <[email protected]> * add kuttl test Signed-off-by: Charles-Edouard Brétéché <[email protected]> * rework Signed-off-by: Charles-Edouard Brétéché <[email protected]> * readme Signed-off-by: Charles-Edouard Brétéché <[email protected]> Signed-off-by: Charles-Edouard Brétéché <[email protected]>
infracloudio · Nov 10, 2022 · fcca45b · fcca45b
1 parent 19f0e7e
commit fcca45b
Show file tree

Hide file tree

Showing 11 changed files with 103 additions and 3 deletions.
diff --git a/pkg/controllers/report/resource/controller.go b/pkg/controllers/report/resource/controller.go
@@ -197,12 +197,16 @@ func (c *controller) updateDynamicWatchers(ctx context.Context) error {
 			}
 		}
 	}
+	oldDynamicWatcher := c.dynamicWatchers
+	c.dynamicWatchers = dynamicWatchers
 	// shutdown remaining watcher
-	for gvr, watcher := range c.dynamicWatchers {
+	for gvr, watcher := range oldDynamicWatcher {
 		watcher.watcher.Stop()
-		delete(c.dynamicWatchers, gvr)
+		delete(oldDynamicWatcher, gvr)
+		for uid, resource := range watcher.hashes {
+			c.notify(uid, watcher.gvk, resource)
+		}
 	}
-	c.dynamicWatchers = dynamicWatchers
 	return nil
 }
 

diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/00-policy.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/00-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/01-pod.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/01-pod.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- pod.yaml
diff --git a/...e/kuttl/reports/background/background-scan-report-deletion/02-background-scan-report.yaml b/...e/kuttl/reports/background/background-scan-report-deletion/02-background-scan-report.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- background-scan-report-assert.yaml
diff --git a/...onformance/kuttl/reports/background/background-scan-report-deletion/03-delete-report.yaml b/...onformance/kuttl/reports/background/background-scan-report-deletion/03-delete-report.yaml
@@ -0,0 +1,8 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+  kind: ClusterPolicy
+  name: podsecurity-subrule-restricted
+error:
+- background-scan-report-error.yaml
diff --git a/.../conformance/kuttl/reports/background/background-scan-report-deletion/README.md b/.../conformance/kuttl/reports/background/background-scan-report-deletion/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy and a pod, it then expects a background scan report to be created for the pod.
+When the policy is deleted, the background scan report should also be deleted.
+
+## Steps
+
+1.  - Create a cluster policy
+    - Assert the policy becomes ready
+1.  - Create a pod
+1.  - Assert a background scan report is created for the pod and contains the right summary
+1.  - Delete the policy
+    - Assert the background scan report is deleted for the pod
diff --git a/...ttl/reports/background/background-scan-report-deletion/background-scan-report-assert.yaml b/...ttl/reports/background/background-scan-report-deletion/background-scan-report-assert.yaml
@@ -0,0 +1,14 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Pod
+    name: badpod01
+spec:
+  summary:
+    error: 0
+    fail: 1
+    pass: 0
+    skip: 0
+    warn: 0
diff --git a/...uttl/reports/background/background-scan-report-deletion/background-scan-report-error.yaml b/...uttl/reports/background/background-scan-report-deletion/background-scan-report-error.yaml
@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Pod
+    name: badpod01
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/pod.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+    securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy-assert.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: podsecurity-subrule-restricted
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: podsecurity-subrule-restricted
+spec:
+  background: true
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    name: restricted
+    validate:
+      podSecurity:
+        level: restricted
+        version: latest
+  validationFailureAction: audit