fix: updating expansion templates to add owner ref in expanded resources (open-policy-agent#4262)

Signed-off-by: Jaydip Gabani <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>

Author: JaydipGabani

pkg/expansion/fixtures/fixtures.go

@@ -191,6 +191,34 @@ metadata:
     app: nginx
   name: nginx-deployment-pod
   namespace: default
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment
+    uid: ""
+spec:
+  containers:
+  - args:
+    - "/bin/sh"
+    image: nginx:1.14.2
+    name: nginx
+    ports:
+    - containerPort: '80'
+`
+
+	PodNoMutateWithNs = `
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx
+  name: nginx-deployment-pod
+  namespace: not-default
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment
+    uid: ""
 spec:
   containers:
   - args:
@@ -209,6 +237,11 @@ metadata:
     app: nginx
   name: nginx-deployment-pod
   namespace: default
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment
+    uid: ""
 spec:
   containers:
   - args:
@@ -228,6 +261,11 @@ metadata:
     app: nginx
   name: nginx-deployment-pod
   namespace: not-default
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment
+    uid: ""
 spec:
   containers:
   - args:
@@ -247,6 +285,11 @@ metadata:
     app: nginx
   name: nginx-deployment-pod
   namespace: default
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment
+    uid: ""
 spec:
   containers:
   - args:
@@ -267,6 +310,11 @@ metadata:
     owner: admin
   name: nginx-deployment-pod
   namespace: default
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment
+    uid: ""
 spec:
   containers:
   - args:
@@ -546,6 +594,11 @@ metadata:
     fluffy: extremely
   name: big-chungus-kitten
   namespace: default
+  ownerReferences:
+  - apiVersion: cat.myapp.sh/v1alpha1
+    kind: Cat
+    name: big-chungus
+    uid: ""
 spec:
   breed: calico
   weight: 10
@@ -560,6 +613,11 @@ metadata:
     shouldPet: manytimes
   name: big-chungus-purr
   namespace: default
+  ownerReferences:
+  - apiVersion: cat.myapp.sh/v1alpha1
+    kind: Cat
+    name: big-chungus
+    uid: ""
 spec:
   loud: very
 `
@@ -591,6 +649,11 @@ kind: Job
 metadata:
   name: my-cronjob-job
   namespace: default
+  ownerReferences:
+  - apiVersion: batch/v1
+    kind: CronJob
+    name: my-cronjob
+    uid: ""
 spec:
   template:
     spec:
@@ -612,6 +675,11 @@ metadata:
     owner: admin
   name: my-cronjob-job-pod
   namespace: default
+  ownerReferences:
+  - apiVersion: batch/v1
+    kind: Job
+    name: my-cronjob-job
+    uid: ""
 spec:
   containers:
   - args:

pkg/expansion/system.go

@@ -12,6 +12,7 @@ import (
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/mutation"
 	mutationtypes "github.com/open-policy-agent/gatekeeper/v3/pkg/mutation/types"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -246,10 +247,41 @@ func expandResource(obj *unstructured.Unstructured, ns *corev1.Namespace, templa
 	}
 
 	resource.SetName(mockNameForResource(obj, resultantGVK))
+	ensureOwnerReference(resource, obj)
 
 	return resource, nil
 }
 
+// ensureOwnerReference appends an OwnerReference describing parent to the resultant
+// resource if one is not already present.
+func ensureOwnerReference(resultant, parent *unstructured.Unstructured) {
+	if resultant == nil || parent == nil {
+		return
+	}
+
+	parentAPIVersion := parent.GetAPIVersion()
+	parentKind := parent.GetKind()
+	parentName := parent.GetName()
+	if parentAPIVersion == "" || parentKind == "" || parentName == "" {
+		return
+	}
+
+	newOwnerRef := metav1.OwnerReference{
+		APIVersion: parentAPIVersion,
+		Kind:       parentKind,
+		Name:       parentName,
+	}
+
+	existingRefs := resultant.GetOwnerReferences()
+	for _, ref := range existingRefs {
+		if ref.APIVersion == parentAPIVersion && ref.Kind == parentKind && ref.Name == parentName {
+			return
+		}
+	}
+
+	resultant.SetOwnerReferences(append(existingRefs, newOwnerRef))
+}
+
 // mockNameForResource returns a mock name for a resultant resource created
 // from expanding `gen`. The name will be of the form:
 // "<generator name>-<resultant kind>". For example, a deployment named