feat: Relax immutability requirements on match statements for generate rules #12784

tomasaschan · 2025-04-15T20:22:53Z

Explanation

This updates the immutability validation for generate rules to allow updating the match statements if and only if the policy before the change is not using synchronize: true.

Updating match was previously disallowed to avoid confusing or incorrect sync behavior when the set of trigger resources would change, but that is not a concern for non-synchronizing rules. This change relaxes the requirements slightly, by allowing updates to match statements if no rule in the policy uses synchronize: true.

It would, theoretically, be possible to relax this requirement even further, by matching rules before/after up by name, and applying this logic per rule rather than per policy, but doing so would require a larger refactor of the entire immutability checking code, as the current implementation works by resetting the values of all mutable fiels to a known value, hashing the resulting rule object, and then comparing the policy before and after the update by comparing the set of hashes; in other words, no such by-name match-up is done today. In the interest of leaving this change as small as possible, that is left out of scope.

Related issue

Fixes #12766

Milestone of this PR

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

I have sent the draft PR to add or update the documentation and the link is:

What type of PR is this

Proposed Changes

Proof Manifests

Checklist

I have read the contributing guidelines.
I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
This is a bug fix and I have added unit tests that prove my fix is effective.
This is a feature and I have added CLI tests that are applicable.
My PR needs to be cherry picked to a specific release branch which is .
My PR contains new or altered behavior to Kyverno and
- CLI support should be added and my PR doesn't contain that functionality.

Further Comments

…rules Signed-off-by: Tomas Aschan <tomasl@spotify.com>

Signed-off-by: Tomas Aschan <tomasl@spotify.com>

codecov · 2025-04-15T20:32:57Z

Codecov Report

Attention: Patch coverage is 90.90909% with 2 lines in your changes missing coverage. Please review.

Project coverage is 14.36%. Comparing base (0e81c2a) to head (cc16e8d).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/validation/policy/generate.go	90.90%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #12784      +/-   ##
==========================================
+ Coverage   14.34%   14.36%   +0.01%     
==========================================
  Files         926      926              
  Lines      102681   102698      +17     
==========================================
+ Hits        14734    14752      +18     
+ Misses      86225    86224       -1     
  Partials     1722     1722

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

realshuting

/lgtm

Thanks @tomasaschan !

realshuting · 2025-04-16T09:32:31Z

/cherry-pick release-1.14

…e rules (#12784) * feat: Allow changing match statements for non-synchronizing generate rules Signed-off-by: Tomas Aschan <tomasl@spotify.com> * fix: Address a couple of incorrect format string errors Signed-off-by: Tomas Aschan <tomasl@spotify.com> --------- Signed-off-by: Tomas Aschan <tomasl@spotify.com> Co-authored-by: shuting <shuting@nirmata.com>

…e rules (#12784) (#12800) * feat: Allow changing match statements for non-synchronizing generate rules * fix: Address a couple of incorrect format string errors --------- Signed-off-by: Tomas Aschan <tomasl@spotify.com> Co-authored-by: Tomas Aschan <1550920+tomasaschan@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com>

…e rules (kyverno#12784) * feat: Allow changing match statements for non-synchronizing generate rules Signed-off-by: Tomas Aschan <tomasl@spotify.com> * fix: Address a couple of incorrect format string errors Signed-off-by: Tomas Aschan <tomasl@spotify.com> --------- Signed-off-by: Tomas Aschan <tomasl@spotify.com> Co-authored-by: shuting <shuting@nirmata.com>

…e rules (kyverno#12784) * feat: Allow changing match statements for non-synchronizing generate rules Signed-off-by: Tomas Aschan <tomasl@spotify.com> * fix: Address a couple of incorrect format string errors Signed-off-by: Tomas Aschan <tomasl@spotify.com> --------- Signed-off-by: Tomas Aschan <tomasl@spotify.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Martijn Evers <mevers@gk-software.com>

tomasaschan requested a review from realshuting as a code owner April 15, 2025 20:22

dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Apr 15, 2025

tomasaschan added 2 commits April 15, 2025 22:23

feat: Allow changing match statements for non-synchronizing generate …

c3fdec4

…rules Signed-off-by: Tomas Aschan <tomasl@spotify.com>

fix: Address a couple of incorrect format string errors

db3f376

Signed-off-by: Tomas Aschan <tomasl@spotify.com>

tomasaschan force-pushed the relax-generate-immutability branch from e73dff0 to db3f376 Compare April 15, 2025 20:23

tomasaschan mentioned this pull request Apr 15, 2025

[Feature] Allow generateExisting to mutable fields on generate policies #12764

Open

2 tasks

realshuting added 2 commits April 16, 2025 15:45

Merge branch 'main' into relax-generate-immutability

eff1528

Merge branch 'main' into relax-generate-immutability

e8e6272

realshuting approved these changes Apr 16, 2025

View reviewed changes

realshuting added cherry-pick-required milestone 1.14.0 labels Apr 16, 2025

realshuting enabled auto-merge (squash) April 16, 2025 09:32

Merge branch 'main' into relax-generate-immutability

6d37120

realshuting and others added 4 commits April 16, 2025 18:42

Merge branch 'main' into relax-generate-immutability

708297c

Merge branch 'main' into relax-generate-immutability

0cd9cc8

Merge branch 'main' into relax-generate-immutability

902b777

Merge branch 'main' into relax-generate-immutability

cc16e8d

realshuting merged commit eae3a19 into kyverno:main Apr 16, 2025
504 of 528 checks passed

gcp-cherry-pick-bot bot mentioned this pull request Apr 16, 2025

feat: Relax immutability requirements on match statements for generate rules (cherry-pick #12784) #12800

Merged

tomasaschan deleted the relax-generate-immutability branch April 16, 2025 15:06

realshuting added the cherry-pick-completed The PR was cherry-picked (or merged) to required release branches label Apr 16, 2025

cfi2017 mentioned this pull request May 8, 2025

chore(security-apps): bump kyverno from 3.3.7 to 3.4.1 adfinis/helm-charts#1398

Merged

7 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Relax immutability requirements on match statements for generate rules #12784

feat: Relax immutability requirements on match statements for generate rules #12784

feat: Relax immutability requirements on match statements for generate rules #12784

feat: Relax immutability requirements on match statements for generate rules #12784

Conversation

Explanation

Related issue

Milestone of this PR

Documentation (required for features)

What type of PR is this

Proposed Changes

Proof Manifests

Checklist

Further Comments

Codecov Report

Choose a reason for hiding this comment