diff --git a/pkg/controllers/report/resource/controller.go b/pkg/controllers/report/resource/controller.go
index 1599fb26e0db..51f388e1c699 100644
--- a/pkg/controllers/report/resource/controller.go
+++ b/pkg/controllers/report/resource/controller.go
@@ -197,12 +197,16 @@ func (c *controller) updateDynamicWatchers(ctx context.Context) error {
 }
 }
 }
+ oldDynamicWatcher := c.dynamicWatchers
+ c.dynamicWatchers = dynamicWatchers
 // shutdown remaining watcher
- for gvr, watcher := range c.dynamicWatchers {
+ for gvr, watcher := range oldDynamicWatcher {
 watcher.watcher.Stop()
- delete(c.dynamicWatchers, gvr)
+ delete(oldDynamicWatcher, gvr)
+ for uid, resource := range watcher.hashes {
+ c.notify(uid, watcher.gvk, resource)
+ }
 }
- c.dynamicWatchers = dynamicWatchers
 return nil
 }
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/00-policy.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/00-policy.yaml
new file mode 100644
index 000000000000..b088ed7601b5
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/00-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/01-pod.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/01-pod.yaml
new file mode 100644
index 000000000000..581b58e74288
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/01-pod.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- pod.yaml
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/02-background-scan-report.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/02-background-scan-report.yaml
new file mode 100644
index 000000000000..c53f75c4ac15
--- /dev/null
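Review bot: The swap of `c.dynamicWatchers` ahead of the shutdown loop is what makes the new `c.notify(uid, watcher.gvk, resource)` calls useful, but nothing in the hunk says so, and the surviving comment `// shutdown remaining watcher` no longer describes the loop. Presumably the handlers reached through `notify` look the resource up again and must find it gone so the stale report is removed; a comment such as `// publish the new watcher set first, then stop the stale watchers and notify their resources so reports for them get reconciled` would keep a later refactor from moving the assignment back below the loop. `delete(oldDynamicWatcher, gvr)` now only empties a local map that is discarded on return and can be dropped. updateDynamicWatchers begins outside the hunk, so whether a lock is held while `watcher.hashes` is read after `Stop()` and while the handlers run cannot be checked here and is worth confirming.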
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/02-background-scan-report.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- background-scan-report-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/03-delete-report.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/03-delete-report.yaml
new file mode 100644
index 000000000000..2983b4a9150a
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/03-delete-report.yaml
@@ -0,0 +1,8 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: podsecurity-subrule-restricted
+error:
+- background-scan-report-error.yaml
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/README.md b/test/conformance/kuttl/reports/background/background-scan-report-deletion/README.md
new file mode 100644
index 000000000000..e61d07927bc0
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy and a pod, it then expects a background scan report to be created for the pod.
+When the policy is deleted, the background scan report should also be deleted.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a pod
+1. - Assert a background scan report is created for the pod and contains the right summary
+1. - Delete the policy
+ - Assert the background scan report is deleted for the pod
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-assert.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-assert.yaml
new file mode 100644
index 000000000000..adcfed50343c
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-assert.yaml
@@ -0,0 +1,14 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: badpod01
+spec:
+ summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-error.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-error.yaml
new file mode 100644
index 000000000000..a3ddbbea2f6b
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/background-scan-report-error.yaml
@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1alpha2
+kind: BackgroundScanReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: badpod01
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/pod.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/pod.yaml
new file mode 100644
index 000000000000..2b73ac5fb5ce
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+spec:
+ containers:
+ - name: container01
+ image: dummyimagename
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy-assert.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy-assert.yaml
new file mode 100644
index 000000000000..c21f7dd31075
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-restricted
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy.yaml b/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy.yaml
new file mode 100644
index 000000000000..87c0e5f7bdaf
--- /dev/null
+++ b/test/conformance/kuttl/reports/background/background-scan-report-deletion/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-restricted
+spec:
+ background: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: restricted
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ validationFailureAction: audit