From bd75658db33605411a2bed8f5722a84462ffa648 Mon Sep 17 00:00:00 2001
From: matanbaruch
Date: Sun, 1 Jun 2025 23:51:36 +0300
Subject: [PATCH] Implement add-configmap-ownerreference policy to automatically set owner references for ConfigMaps used by ReplicaSets. Includes policy definition, test cases, and example resources for validation.
Signed-off-by: matanbaruch
---
 .../chainsaw-step-01-assert-1.yaml | 6 +++
 .../chainsaw-step-02-assert-1.yaml | 11 ++++
 .../.chainsaw-test/chainsaw-test.yaml | 36 +++++++++++++
 .../.chainsaw-test/configmap-good.yaml | 8 +++
 .../replicaset-with-configmap.yaml | 27 ++++++++++
 .../replicaset-without-configmap.yaml | 20 +++++++
 .../.kyverno-test/kyverno-test.yaml | 23 ++++++++
 .../add-configmap-ownerreference.yaml | 54 +++++++++++++++++++
 .../artifacthub-pkg.yml | 32 +++++++++++
 9 files changed, 217 insertions(+)
 create mode 100644 other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100644 other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-02-assert-1.yaml
 create mode 100644 other/add-configmap-ownerreference/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 other/add-configmap-ownerreference/.chainsaw-test/configmap-good.yaml
 create mode 100644 other/add-configmap-ownerreference/.chainsaw-test/replicaset-with-configmap.yaml
 create mode 100644 other/add-configmap-ownerreference/.chainsaw-test/replicaset-without-configmap.yaml
 create mode 100644 other/add-configmap-ownerreference/.kyverno-test/kyverno-test.yaml
 create mode 100644 other/add-configmap-ownerreference/add-configmap-ownerreference.yaml
 create mode 100644 other/add-configmap-ownerreference/artifacthub-pkg.yml
diff --git a/other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100644
index 000000000..baccf9126
--- /dev/null
+++ b/other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-configmap-ownerreference
+spec:
+ mutateExistingOnPolicyUpdate: false
\ No newline at end of file
diff --git a/other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-02-assert-1.yaml b/other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-02-assert-1.yaml
new file mode 100644
index 000000000..dd7888020
--- /dev/null
+++ b/other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-02-assert-1.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-configmap
+ namespace: default
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: ReplicaSet
+ name: test-replicaset
+ controller: false
+ blockOwnerDeletion: false
\ No newline at end of file
diff --git a/other/add-configmap-ownerreference/.chainsaw-test/chainsaw-test.yaml b/other/add-configmap-ownerreference/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..42b8d2007
--- /dev/null
+++ b/other/add-configmap-ownerreference/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: add-configmap-ownerreference
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../add-configmap-ownerreference.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: add-configmap-ownerreference
+ spec:
+ mutateExistingOnPolicyUpdate: false
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: configmap-good.yaml
+ - apply:
+ file: replicaset-with-configmap.yaml
+ - sleep:
+ duration: 2s
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: replicaset-without-configmap.yaml
\ No newline at end of file
diff --git a/other/add-configmap-ownerreference/.chainsaw-test/configmap-good.yaml b/other/add-configmap-ownerreference/.chainsaw-test/configmap-good.yaml
new file mode 100644
index 000000000..20c55e085
--- /dev/null
+++ b/other/add-configmap-ownerreference/.chainsaw-test/configmap-good.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-configmap
+ namespace: default
+data:
+ key1: value1
+ key2: value2
\ No newline at end of file
diff --git a/other/add-configmap-ownerreference/.chainsaw-test/replicaset-with-configmap.yaml b/other/add-configmap-ownerreference/.chainsaw-test/replicaset-with-configmap.yaml
new file mode 100644
index 000000000..e7cea1f97
--- /dev/null
+++ b/other/add-configmap-ownerreference/.chainsaw-test/replicaset-with-configmap.yaml
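Review bot: step-03 applies `replicaset-without-configmap.yaml` but asserts nothing, so the negative path only proves the apply does not error; an assert on `test-configmap` showing its `ownerReferences` still contain only the `test-replicaset` entry (or on a ConfigMap neither ReplicaSet mounts, showing it gained none) would pin that the rule is actually skipped. The `sleep: 2s` in step-02 looks unnecessary, since chainsaw's `assert` presumably polls until its timeout; dropping it removes a fixed delay and a timing assumption from the test. The `patch` in step-01 sets `mutateExistingOnPolicyUpdate: false`, which the policy file already carries, so it is a no-op and could be removed to keep the step minimal.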
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+ name: test-replicaset
+ namespace: default
+ labels:
+ app: test-app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: test-app
+ template:
+ metadata:
+ labels:
+ app: test-app
+ spec:
+ containers:
+ - name: test-container
+ image: nginx:1.21
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/config
+ volumes:
+ - name: config-volume
+ configMap:
+ name: test-configmap
\ No newline at end of file
diff --git a/other/add-configmap-ownerreference/.chainsaw-test/replicaset-without-configmap.yaml b/other/add-configmap-ownerreference/.chainsaw-test/replicaset-without-configmap.yaml
new file mode 100644
index 000000000..dffeb64a3
--- /dev/null
+++ b/other/add-configmap-ownerreference/.chainsaw-test/replicaset-without-configmap.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+ name: test-replicaset-no-cm
+ namespace: default
+ labels:
+ app: test-app-no-cm
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: test-app-no-cm
+ template:
+ metadata:
+ labels:
+ app: test-app-no-cm
+ spec:
+ containers:
+ - name: test-container
+ image: nginx:1.21
\ No newline at end of file
diff --git a/other/add-configmap-ownerreference/.kyverno-test/kyverno-test.yaml b/other/add-configmap-ownerreference/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..5e9526128
--- /dev/null
+++ b/other/add-configmap-ownerreference/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-configmap-ownerreference
+policies:
+- ../add-configmap-ownerreference.yaml
+resources:
+- ../.chainsaw-test/configmap-good.yaml
+- ../.chainsaw-test/replicaset-with-configmap.yaml
+- ../.chainsaw-test/replicaset-without-configmap.yaml
+results:
+- kind: ReplicaSet
+ policy: add-configmap-ownerreference
+ resources:
+ - test-replicaset
+ result: pass
+ rule: add-configmap-ownerref-from-replicaset
+- kind: ReplicaSet
+ policy: add-configmap-ownerreference
+ resources:
+ - test-replicaset-no-cm
+ result: skip
+ rule: add-configmap-ownerref-from-replicaset
\ No newline at end of file
diff --git a/other/add-configmap-ownerreference/add-configmap-ownerreference.yaml b/other/add-configmap-ownerreference/add-configmap-ownerreference.yaml
new file mode 100644
index 000000000..0b6fd500b
--- /dev/null
+++ b/other/add-configmap-ownerreference/add-configmap-ownerreference.yaml
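Review bot: The two `results` entries pin only the pass/skip outcome of the rule on each ReplicaSet; nothing compares the ConfigMap that the mutate-existing rule actually patches, so a wrong `ownerReferences` body would still pass this test. If the CLI version in use supports it, list the ConfigMap under `targetResources` and add a `patchedResources` entry for the `pass` result (the chainsaw-step-02 assert file is nearly that expected object, minus the `uid`), so the rendered owner reference is checked too. I could not confirm from the diff alone whether the CLI accepts a mutate-existing result that names no target resource, so please verify the test runs green locally.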
@@ -0,0 +1,54 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-configmap-ownerreference
+ annotations:
+ policies.kyverno.io/title: Add ConfigMap Owner Reference from ReplicaSet
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: ReplicaSet,ConfigMap
+ kyverno.io/kyverno-version: 1.9.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ When a new ReplicaSet is created (typically by updating a Deployment),
+ this policy will automatically add an owner reference to any ConfigMaps
+ that the ReplicaSet mounts as volumes. This ensures that ConfigMaps have
+ proper ownership relationships with the ReplicaSets that use them, which
+ can be useful for garbage collection, monitoring, and dependency tracking.
+ This policy requires additional RBAC permissions for Kyverno to update ConfigMaps.
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: add-configmap-ownerref-from-replicaset
+ match:
+ any:
+ - resources:
+ kinds:
+ - ReplicaSet
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: Equals
+ value: CREATE
+ # Only process ReplicaSets that have volumes with configMap
+ - key: "{{ request.object.spec.template.spec.volumes[?configMap] | length(@) }}"
+ operator: GreaterThan
+ value: 0
+ mutate:
+ foreach:
+ - list: "request.object.spec.template.spec.volumes[?configMap].configMap.name"
+ targets:
+ - apiVersion: v1
+ kind: ConfigMap
+ name: "{{ element }}"
+ namespace: "{{ request.object.metadata.namespace }}"
+ patchStrategicMerge:
+ metadata:
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: ReplicaSet
+ name: "{{ request.object.metadata.name }}"
+ uid: "{{ request.object.metadata.uid }}"
+ controller: false
+ blockOwnerDeletion: false
\ No newline at end of file
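Review bot: Making every mounting ReplicaSet an owner of a ConfigMap means the Kubernetes garbage collector deletes that ConfigMap once all of its owners are gone (a Deployment deletion, or old revisions being pruned), so a ConfigMap shared with other workloads in the namespace, or one living in a system namespace, is removed with it, and anyone permitted to create and delete ReplicaSets gains an indirect way to delete ConfigMaps they could not otherwise touch. The description calls this "useful for garbage collection" but should state the deletion consequence plainly, and the rule should at least carry an `exclude` for system namespaces such as `kube-system` so that operators opt in per namespace rather than cluster-wide. Separately, when `spec.template.spec.volumes` is absent the second precondition pipes `null` into `length(@)`, which JMESPath rejects as an invalid type instead of yielding 0, so the rule may error rather than skip for such ReplicaSets; defaulting the projection with JMESPath's `||` to an empty list before the `| length(@)` pipe makes the comparison well-defined. The `# Only process ReplicaSets that have volumes with configMap` comment would then be accurate for the no-volumes case as well.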
diff --git a/other/add-configmap-ownerreference/artifacthub-pkg.yml b/other/add-configmap-ownerreference/artifacthub-pkg.yml
new file mode 100644
index 000000000..c19e6c60d
--- /dev/null
+++ b/other/add-configmap-ownerreference/artifacthub-pkg.yml
@@ -0,0 +1,32 @@
+name: add-configmap-ownerreference
+version: 1.0.0
+displayName: Add ConfigMap Owner Reference from ReplicaSet
+createdAt: "2024-12-19T00:00:00.000Z"
+description: >-
+ When a new ReplicaSet is created (typically by updating a Deployment),
+ this policy will automatically add an owner reference to any ConfigMaps
+ that the ReplicaSet mounts as volumes. This ensures that ConfigMaps have
+ proper ownership relationships with the ReplicaSets that use them, which
+ can be useful for garbage collection, monitoring, and dependency tracking.
+ This policy requires additional RBAC permissions for Kyverno to update ConfigMaps.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/add-configmap-ownerreference/add-configmap-ownerreference.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ When a new ReplicaSet is created (typically by updating a Deployment),
+ this policy will automatically add an owner reference to any ConfigMaps
+ that the ReplicaSet mounts as volumes. This ensures that ConfigMaps have
+ proper ownership relationships with the ReplicaSets that use them, which
+ can be useful for garbage collection, monitoring, and dependency tracking.
+ This policy requires additional RBAC permissions for Kyverno to update ConfigMaps.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.24"
+ kyverno/subject: "ReplicaSet, ConfigMap"
+digest: f3122f221e2423d9aec9839f051018fb250bb449315522169b783c8cd0106371
\ No newline at end of file
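Review bot: `createdAt` is set to 2024-12-19 while the commit is dated 1 Jun 2025, and `digest` presumably has to match the checksum of the policy file it describes; if this file was written by hand rather than produced by the repository's generator, both values need regenerating whenever `add-configmap-ownerreference.yaml` changes, and a stale digest will be caught only at publish time. The readme repeats that the policy "requires additional RBAC permissions for Kyverno to update ConfigMaps" without naming them; a short paragraph giving the ClusterRole an operator must add for the background controller (update and patch on `configmaps`, aggregated through the `rbac.kyverno.io/aggregate-to-background-controller` label) would let the policy be installed without guesswork. The same paragraph should mention that owner references make the ConfigMap subject to garbage collection when its owning ReplicaSets are deleted, since that is the operational effect a reader of this page is most likely to miss.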