Add extend CLI for generate policies proposal #6
Conversation
There was a problem hiding this comment.
Had a few questions for advanced support:
- can we handle context lookups for generate policies using CLI? (Is this supported in validate and mutate policies via CLI?)
- can we handle JMESPath variables? (Is this supported in mutate and validate?)
- can we use existing resources in the cluster for this CLI test?
- how do we handle policies with
spec.rules.generate.synchronizeset totrue?
|
|
||
| The method is similar to testing mutate policies. User will provide the desired resource manifest file as generatedResource in results array of the test file. This manifest file will be compared with the Kyverno generated resource and accordingly the test will display the result as pass or fail. | ||
|
|
||
| Additionally, like in the case of testing mutate policies, we provide the resource on which we want to perform mutation. For generate policies, the triggering resource should be provided on creation/updation of which our generation rule is applied. |
There was a problem hiding this comment.
..provided on creation/update of which..
|
|
||
| ### Mock Generate-Request Controller | ||
|
|
||
| To process generate rules, we need a Generate-Request Controller. We can make a simple instance of the Controller with only the Kubernetes' dynamic client. The dynamic client must be a fake one so as to not process the rule on an actual cluster. Additionally, the triggering resource and pre-existing resource for the clone object should exist in the cluster. The dynamic client will be initialized with these resources. |
There was a problem hiding this comment.
Based on the above proposal, all test resources are local resources, do we need the dynamic client?
|
|
||
| ### Mock Generate-Request Controller | ||
|
|
||
| To process generate rules, we need a Generate-Request Controller. We can make a simple instance of the Controller with only the Kubernetes' dynamic client. The dynamic client must be a fake one so as to not process the rule on an actual cluster. Additionally, the triggering resource and pre-existing resource for the clone object should exist in the cluster. The dynamic client will be initialized with these resources. |
There was a problem hiding this comment.
Based on the above proposal, all test resources are local resources, do we need the dynamic client?
There was a problem hiding this comment.
Yes we require the dynamic client otherwise its not possible to invoke the function responsible for handling generate policies.
There was a problem hiding this comment.
Had a few questions for advanced support:
- can we handle context lookups for generate policies using CLI? (Is this supported in validate and mutate policies via CLI?)
- can we handle JMESPath variables? (Is this supported in mutate and validate?)
- can we use existing resources in the cluster for this CLI test?
- how do we handle policies with
spec.rules.generate.synchronizeset totrue?
|
One of the objectives of this enhancement would be to ensure all the presently-available generate policies on kyverno/policies can be tested successfully. |
|
@shubham4443 Have we updated document for Namespace based generate policies ? |
|
Hi @chipzoller @realshuting |
There are comments asked by Shuting which you have not addressed. At this point, since we didn't really follow the process we created, let's just make sure this KDP reflects the current state of whatever was implemented. In other words, if there are things in this KDP which are different based on the current state, go back and update the KDP accordingly. |
I addressed those comments in our weekly contributor's meeting. Nevertheless, I will answer those questions again. I have gone through the KDP just now and there aren't any things different from the current state. |
Answers to the questions -
|
|
@realshuting to provide final review and merge. |
There was a problem hiding this comment.
@shubham4443 - looks good overall.
Have a question regarding the name, see below
|
|
||
| ## Proposal | ||
|
|
||
| When using a generate rule, the origin resource can be either an existing resource defined within Kubernetes, or a new resource defined in the rule itself. When the origin resource is a pre-existing resource the clone object is used. When the origin resource is a new resource defined within the manifest of the rule, the data object is used. Both rules are mutually exclusive, and only one will be specified in a rule. Both objects require a different approach for testing through CLI command. |
There was a problem hiding this comment.
We usually have the trigger and the target resources in a generate policy. What is this origin resource?
There was a problem hiding this comment.
Its the same as target resource. In the documentation https://kyverno.io/docs/writing-policies/generate/ it is mentioned as origin resource so I used the same word.
There was a problem hiding this comment.
Can we rename them to the target resource? Ideally we should be consistent when referencing trigger and target resources for generate and mutate existing policies.
|
|
||
| ### Method to test data object | ||
|
|
||
| The method is similar to testing mutate policies. User will provide the desired resource manifest file as generatedResource in the results array of the test file. This manifest file will be compared with the Kyverno generated resource and accordingly the test will display the result as pass or fail. |
There was a problem hiding this comment.
.. is similar to the testing for mutate policies.
| result: pass | ||
| ``` | ||
|
|
||
| User should provide the pre-existing resource in the cloneSourceResource field of the results array. The cloneSourceResource.yaml for the above test file will look like this - |
There was a problem hiding this comment.
.. in the cloneSourceResource field ..
|
@shubham4443 - can you resolve conversations that were addressed and sign off your commits? |
Signed-off-by: Shubham Nazare <shubham4443@gmail.com> Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: Shubham Nazare <shubham4443@gmail.com> Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: Shubham Nazare <shubham4443@gmail.com> Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: Shubham Nazare <shubham4443@gmail.com> Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: Shubham Nazare <shubham4443@gmail.com> Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: Shubham Nazare <shubham4443@gmail.com> Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> Signed-off-by: shubham4443 <shubham4443@gmail.com>
Signed-off-by: shubham4443 <shubham4443@gmail.com>
shubham4443
force-pushed
the
extend_cli_for_generate_policies
branch
from
6e20ff8 to
691f028
Compare
|
@shubham4443 please resolves conflicts |
…_for_generate_policies
|
Was the implementation PR merged? May need to the change status on main page. |
Yes |
Signed-off-by: Shubham Nazare shubham4443@gmail.com