Implement add-configmap-ownerreference policy to automatically set owner references for ConfigMaps used by ReplicaSets. Includes policy definition, test cases, and example resources for validation.

Signed-off-by: matanbaruch <[email protected]>

Author: matanbaruch

other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-configmap-ownerreference
+spec:
+  mutateExistingOnPolicyUpdate: false 

other/add-configmap-ownerreference/.chainsaw-test/chainsaw-step-02-assert-1.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-configmap
+  namespace: default
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: ReplicaSet
+    name: test-replicaset
+    controller: false
+    blockOwnerDeletion: false 

other/add-configmap-ownerreference/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: add-configmap-ownerreference
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../add-configmap-ownerreference.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: add-configmap-ownerreference
+          spec:
+            mutateExistingOnPolicyUpdate: false
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: configmap-good.yaml
+    - apply:
+        file: replicaset-with-configmap.yaml
+    - sleep:
+        duration: 2s
+    - assert:
+        file: chainsaw-step-02-assert-1.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: replicaset-without-configmap.yaml 

other/add-configmap-ownerreference/.chainsaw-test/configmap-good.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-configmap
+  namespace: default
+data:
+  key1: value1
+  key2: value2 

other/add-configmap-ownerreference/.chainsaw-test/replicaset-with-configmap.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+  name: test-replicaset
+  namespace: default
+  labels:
+    app: test-app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-app
+  template:
+    metadata:
+      labels:
+        app: test-app
+    spec:
+      containers:
+      - name: test-container
+        image: nginx:1.21
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/config
+      volumes:
+      - name: config-volume
+        configMap:
+          name: test-configmap 

other/add-configmap-ownerreference/.chainsaw-test/replicaset-without-configmap.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+  name: test-replicaset-no-cm
+  namespace: default
+  labels:
+    app: test-app-no-cm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-app-no-cm
+  template:
+    metadata:
+      labels:
+        app: test-app-no-cm
+    spec:
+      containers:
+      - name: test-container
+        image: nginx:1.21 

other/add-configmap-ownerreference/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,23 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-configmap-ownerreference
+policies:
+- ../add-configmap-ownerreference.yaml
+resources:
+- ../.chainsaw-test/configmap-good.yaml
+- ../.chainsaw-test/replicaset-with-configmap.yaml
+- ../.chainsaw-test/replicaset-without-configmap.yaml
+results:
+- kind: ReplicaSet
+  policy: add-configmap-ownerreference
+  resources:
+  - test-replicaset
+  result: pass
+  rule: add-configmap-ownerref-from-replicaset
+- kind: ReplicaSet
+  policy: add-configmap-ownerreference
+  resources:
+  - test-replicaset-no-cm
+  result: skip
+  rule: add-configmap-ownerref-from-replicaset 

other/add-configmap-ownerreference/add-configmap-ownerreference.yaml

@@ -0,0 +1,54 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-configmap-ownerreference
+  annotations:
+    policies.kyverno.io/title: Add ConfigMap Owner Reference from ReplicaSet
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ReplicaSet,ConfigMap
+    kyverno.io/kyverno-version: 1.9.0
+    policies.kyverno.io/minversion: 1.9.0
+    kyverno.io/kubernetes-version: "1.24"
+    policies.kyverno.io/description: >-
+      When a new ReplicaSet is created (typically by updating a Deployment), 
+      this policy will automatically add an owner reference to any ConfigMaps 
+      that the ReplicaSet mounts as volumes. This ensures that ConfigMaps have 
+      proper ownership relationships with the ReplicaSets that use them, which 
+      can be useful for garbage collection, monitoring, and dependency tracking.
+      This policy requires additional RBAC permissions for Kyverno to update ConfigMaps.
+spec:
+  mutateExistingOnPolicyUpdate: false
+  rules:
+  - name: add-configmap-ownerref-from-replicaset
+    match:
+      any:
+      - resources:
+          kinds:
+          - ReplicaSet
+    preconditions:
+      all:
+      - key: "{{ request.operation }}"
+        operator: Equals
+        value: CREATE
+      # Only process ReplicaSets that have volumes with configMap
+      - key: "{{ request.object.spec.template.spec.volumes[?configMap] | length(@) }}"
+        operator: GreaterThan
+        value: 0
+    mutate:
+      foreach:
+      - list: "request.object.spec.template.spec.volumes[?configMap].configMap.name"
+        targets:
+        - apiVersion: v1
+          kind: ConfigMap
+          name: "{{ element }}"
+          namespace: "{{ request.object.metadata.namespace }}"
+        patchStrategicMerge:
+          metadata:
+            ownerReferences:
+            - apiVersion: apps/v1
+              kind: ReplicaSet
+              name: "{{ request.object.metadata.name }}"
+              uid: "{{ request.object.metadata.uid }}"
+              controller: false
+              blockOwnerDeletion: false 

other/add-configmap-ownerreference/artifacthub-pkg.yml

@@ -0,0 +1,32 @@
+name: add-configmap-ownerreference
+version: 1.0.0
+displayName: Add ConfigMap Owner Reference from ReplicaSet
+createdAt: "2024-12-19T00:00:00.000Z"
+description: >-
+  When a new ReplicaSet is created (typically by updating a Deployment), 
+  this policy will automatically add an owner reference to any ConfigMaps 
+  that the ReplicaSet mounts as volumes. This ensures that ConfigMaps have 
+  proper ownership relationships with the ReplicaSets that use them, which 
+  can be useful for garbage collection, monitoring, and dependency tracking.
+  This policy requires additional RBAC permissions for Kyverno to update ConfigMaps.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/add-configmap-ownerreference/add-configmap-ownerreference.yaml
+  ```
+keywords:
+  - kyverno
+  - Other
+readme: |
+  When a new ReplicaSet is created (typically by updating a Deployment), 
+  this policy will automatically add an owner reference to any ConfigMaps 
+  that the ReplicaSet mounts as volumes. This ensures that ConfigMaps have 
+  proper ownership relationships with the ReplicaSets that use them, which 
+  can be useful for garbage collection, monitoring, and dependency tracking.
+  This policy requires additional RBAC permissions for Kyverno to update ConfigMaps.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Other"
+  kyverno/kubernetesVersion: "1.24"
+  kyverno/subject: "ReplicaSet, ConfigMap"
+digest: f3122f221e2423d9aec9839f051018fb250bb449315522169b783c8cd0106371