kyverno/pkg/engine/mutation.go

package engine

import (
	"reflect"
	"time"

	"github.com/golang/glog"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
	"github.com/nirmata/kyverno/pkg/info"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)

// Mutate performs mutation. Overlay first and then mutation patches

func Mutate(policy kyverno.Policy, resource unstructured.Unstructured) (response EngineResponse) {
	// var response EngineResponse
	var allPatches, rulePatches [][]byte
	var err error
	var errs []error
	ris := []info.RuleInfo{}
	startTime := time.Now()
	glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)
	defer func() {
		response.ExecutionTime = time.Since(startTime)
		glog.V(4).Infof("finished applying mutation rules policy %v (%v)", policy.Name, response.ExecutionTime)
		glog.V(4).Infof("Mutation Rules appplied succesfully count %v for policy %q", response.RulesAppliedCount, policy.Name)
	}()
	incrementAppliedRuleCount := func() {
		// rules applied succesfully count
		response.RulesAppliedCount++
	}

	patchedDocument, err := resource.MarshalJSON()
	if err != nil {
		glog.Errorf("unable to marshal resource : %v\n", err)
	}

	if err != nil {
		glog.V(4).Infof("unable to marshal resource : %v", err)
		response.PatchedResource = resource
		return response
	}

	for _, rule := range policy.Spec.Rules {
		if reflect.DeepEqual(rule.Mutation, kyverno.Mutation{}) {
			continue
		}

		// check if the resource satisfies the filter conditions defined in the rule
		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
		// dont statisfy a policy rule resource description
		ok := MatchesResourceDescription(resource, rule)
		if !ok {
			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName())
			continue
		}

		ruleInfo := info.NewRuleInfo(rule.Name, info.Mutation)

		// Process Overlay
		if rule.Mutation.Overlay != nil {
			// ruleRespone := processOverlay(rule, res)
			rulePatches, err = processOverlay(rule, patchedDocument)
			if err == nil {
				if len(rulePatches) == 0 {
					// if array elements dont match then we skip(nil patch, no error)
					// or if acnohor is defined and doenst match
					// policy is not applicable
					glog.V(4).Info("overlay does not match, so skipping applying rule")
					continue
				}

				ruleInfo.Addf("Rule %s: Overlay succesfully applied.", rule.Name)

				// strip slashes from string
				ruleInfo.Patches = rulePatches
				allPatches = append(allPatches, rulePatches...)

				glog.V(4).Infof("overlay applied succesfully on resource %s/%s", resource.GetNamespace(), resource.GetName())
			} else {
				glog.V(4).Infof("failed to apply overlay: %v", err)
				ruleInfo.Fail()
				ruleInfo.Addf("failed to apply overlay: %v", err)
			}
			incrementAppliedRuleCount()
		}

		// Process Patches
		if len(rule.Mutation.Patches) != 0 {
			rulePatches, errs = processPatches(rule, patchedDocument)
			if len(errs) > 0 {
				ruleInfo.Fail()
				for _, err := range errs {
					glog.V(4).Infof("failed to apply patches: %v", err)
					ruleInfo.Addf("patches application has failed, err %v.", err)
				}
			} else {
				glog.V(4).Infof("patches applied succesfully on resource %s/%s", resource.GetNamespace(), resource.GetName())
				ruleInfo.Addf("Patches succesfully applied.")

				ruleInfo.Patches = rulePatches
				allPatches = append(allPatches, rulePatches...)
			}
			incrementAppliedRuleCount()
		}

		patchedDocument, err = ApplyPatches(patchedDocument, rulePatches)
		if err != nil {
			glog.Errorf("Failed to apply patches on ruleName=%s, err%v\n:", rule.Name, err)
		}

		ris = append(ris, ruleInfo)
	}

	patchedResource, err := ConvertToUnstructured(patchedDocument)
	if err != nil {
		glog.Errorf("Failed to convert patched resource to unstructuredtype, err%v\n:", err)
		response.PatchedResource = resource
		return response
	}

	response.Patches = allPatches
	response.PatchedResource = *patchedResource
	response.RuleInfos = ris
	return response
}

//MutateNew ...
func MutateNew(policy kyverno.Policy, resource unstructured.Unstructured) (response EngineResponseNew) {
	startTime := time.Now()
	// policy information
	func() {
		// set policy information
		response.PolicyResponse.Policy = policy.Name
		// resource details
		response.PolicyResponse.Resource.Name = resource.GetName()
		response.PolicyResponse.Resource.Namespace = resource.GetNamespace()
		response.PolicyResponse.Resource.Kind = resource.GetKind()
		response.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
	}()
	glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)
	defer func() {
		response.PolicyResponse.ProcessingTime = time.Since(startTime)
		glog.V(4).Infof("finished applying mutation rules policy %v (%v)", policy.Name, response.PolicyResponse.ProcessingTime)
		glog.V(4).Infof("Mutation Rules appplied succesfully count %v for policy %q", response.PolicyResponse.RulesAppliedCount, policy.Name)
	}()
	incrementAppliedRuleCount := func() {
		// rules applied succesfully count
		response.PolicyResponse.RulesAppliedCount++
	}

	var patchedResource unstructured.Unstructured

	for _, rule := range policy.Spec.Rules {
		//TODO: to be checked before calling the resources as well
		if reflect.DeepEqual(rule.Mutation, kyverno.Mutation{}) {
			continue
		}
		// check if the resource satisfies the filter conditions defined in the rule
		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
		// dont statisfy a policy rule resource description
		ok := MatchesResourceDescription(resource, rule)
		if !ok {
			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName())
			continue
		}
		// Process Overlay
		if rule.Mutation.Overlay != nil {
			var ruleResponse RuleResponse
			ruleResponse, patchedResource = processOverlayNew(rule, resource)
			if reflect.DeepEqual(ruleResponse, (RuleResponse{})) {
				// overlay pattern does not match the resource conditions
				continue
			}
			response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)
			incrementAppliedRuleCount()
		}

		// Process Patches
		if rule.Mutation.Patches != nil {
			var ruleResponse RuleResponse
			ruleResponse, patchedResource = processPatchesNew(rule, resource)
			response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)
			incrementAppliedRuleCount()
		}
	}
	// send the patched resource
	response.PatchedResource = patchedResource
	return response
}
Resolve PR 27 2019-05-13 18:17:28 -07:00			`package engine`
Add PolicyEngine 2019-05-09 22:26:22 -07:00
			`import (`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`"reflect"`
initial commit 2019-08-19 16:40:10 -07:00			`"time"`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`"github.com/golang/glog"`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`"github.com/nirmata/kyverno/pkg/info"`
add process existing for mutation & validation + come cleanup 2019-08-13 11:32:12 -07:00			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`)`

Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`// Mutate performs mutation. Overlay first and then mutation patches`
rebase 2019-08-19 17:26:52 -07:00
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`func Mutate(policy kyverno.Policy, resource unstructured.Unstructured) (response EngineResponse) {`
			`// var response EngineResponse`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00			`var allPatches, rulePatches [][]byte`
			`var err error`
			`var errs []error`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`ris := []info.RuleInfo{}`
initial commit 2019-08-19 16:40:10 -07:00			`startTime := time.Now()`
			`glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)`
			`defer func() {`
engineResponse to contain stats 2019-08-19 18:57:19 -07:00			`response.ExecutionTime = time.Since(startTime)`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`glog.V(4).Infof("finished applying mutation rules policy %v (%v)", policy.Name, response.ExecutionTime)`
			`glog.V(4).Infof("Mutation Rules appplied succesfully count %v for policy %q", response.RulesAppliedCount, policy.Name)`
initial commit 2019-08-19 16:40:10 -07:00			`}()`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`incrementAppliedRuleCount := func() {`
initial commit 2019-08-19 16:40:10 -07:00			`// rules applied succesfully count`
engineResponse to contain stats 2019-08-19 18:57:19 -07:00			`response.RulesAppliedCount++`
initial commit 2019-08-19 16:40:10 -07:00			`}`

Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`patchedDocument, err := resource.MarshalJSON()`
			`if err != nil {`
			`glog.Errorf("unable to marshal resource : %v\n", err)`
			`}`

			`if err != nil {`
			`glog.V(4).Infof("unable to marshal resource : %v", err)`
engineResponse to contain stats 2019-08-19 18:57:19 -07:00			`response.PatchedResource = resource`
			`return response`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`}`
Add PolicyEngine 2019-05-09 22:26:22 -07:00
Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`for _, rule := range policy.Spec.Rules {`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`if reflect.DeepEqual(rule.Mutation, kyverno.Mutation{}) {`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`continue`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`}`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00
cleanup 2019-08-09 11:08:02 -07:00			`// check if the resource satisfies the filter conditions defined in the rule`
			`//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that`
			`// dont statisfy a policy rule resource description`
add process existing for mutation & validation + come cleanup 2019-08-13 11:32:12 -07:00			`ok := MatchesResourceDescription(resource, rule)`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`if !ok {`
clean up mutation 2019-08-09 12:59:37 -07:00			`glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName())`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`continue`
			`}`
clean up mutation 2019-08-09 12:59:37 -07:00
			`ruleInfo := info.NewRuleInfo(rule.Name, info.Mutation)`
cleanup 2019-08-09 11:08:02 -07:00
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`// Process Overlay`
			`if rule.Mutation.Overlay != nil {`
initial redesign 2019-08-23 18:34:23 -07:00			`// ruleRespone := processOverlay(rule, res)`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`rulePatches, err = processOverlay(rule, patchedDocument)`
show mutation changes in annotation 2019-07-25 16:20:22 -04:00			`if err == nil {`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00			`if len(rulePatches) == 0 {`
handle overlay array mismatch 2019-07-24 14:25:51 -04:00			`// if array elements dont match then we skip(nil patch, no error)`
			`// or if acnohor is defined and doenst match`
			`// policy is not applicable`
clean up mutation 2019-08-09 12:59:37 -07:00			`glog.V(4).Info("overlay does not match, so skipping applying rule")`
handle overlay array mismatch 2019-07-24 14:25:51 -04:00			`continue`
			`}`
clean up mutation 2019-08-09 12:59:37 -07:00
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`ruleInfo.Addf("Rule %s: Overlay succesfully applied.", rule.Name)`

show mutation changes in annotation 2019-07-25 16:20:22 -04:00			`// strip slashes from string`
Change of annotation purpose #262 2019-08-19 16:10:10 -07:00			`ruleInfo.Patches = rulePatches`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00			`allPatches = append(allPatches, rulePatches...)`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00
			`glog.V(4).Infof("overlay applied succesfully on resource %s/%s", resource.GetNamespace(), resource.GetName())`
handled skipped element in array 2019-07-24 06:33:51 -04:00			`} else {`
cleanup 2019-08-09 11:08:02 -07:00			`glog.V(4).Infof("failed to apply overlay: %v", err)`
clean up mutation 2019-08-09 12:59:37 -07:00			`ruleInfo.Fail()`
			`ruleInfo.Addf("failed to apply overlay: %v", err)`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`}`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`incrementAppliedRuleCount()`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`}`
127: Implemented usage of result package in validation and mutation functions. 2019-06-05 13:43:07 +03:00
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`// Process Patches`
			`if len(rule.Mutation.Patches) != 0 {`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`rulePatches, errs = processPatches(rule, patchedDocument)`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`if len(errs) > 0 {`
clean up mutation 2019-08-09 12:59:37 -07:00			`ruleInfo.Fail()`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`for _, err := range errs {`
cleanup 2019-08-09 11:08:02 -07:00			`glog.V(4).Infof("failed to apply patches: %v", err)`
clean up mutation 2019-08-09 12:59:37 -07:00			`ruleInfo.Addf("patches application has failed, err %v.", err)`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`}`
Fixed mutation by overlays 2019-06-05 16:44:53 +03:00			`} else {`
clean up mutation 2019-08-09 12:59:37 -07:00			`glog.V(4).Infof("patches applied succesfully on resource %s/%s", resource.GetNamespace(), resource.GetName())`
			`ruleInfo.Addf("Patches succesfully applied.")`
Change of annotation purpose #262 2019-08-19 16:10:10 -07:00
			`ruleInfo.Patches = rulePatches`
clean up + fix bugs 2019-07-19 20:30:55 -07:00			`allPatches = append(allPatches, rulePatches...)`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`}`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`incrementAppliedRuleCount()`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`}`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`patchedDocument, err = ApplyPatches(patchedDocument, rulePatches)`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00			`if err != nil {`
			`glog.Errorf("Failed to apply patches on ruleName=%s, err%v\n:", rule.Name, err)`
			`}`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00
			`ris = append(ris, ruleInfo)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`}`

Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`patchedResource, err := ConvertToUnstructured(patchedDocument)`
Change of annotation purpose #262 2019-08-19 16:10:10 -07:00			`if err != nil {`
			`glog.Errorf("Failed to convert patched resource to unstructuredtype, err%v\n:", err)`
engineResponse to contain stats 2019-08-19 18:57:19 -07:00			`response.PatchedResource = resource`
			`return response`
Change of annotation purpose #262 2019-08-19 16:10:10 -07:00			`}`

engineResponse to contain stats 2019-08-19 18:57:19 -07:00			`response.Patches = allPatches`
			`response.PatchedResource = *patchedResource`
			`response.RuleInfos = ris`
			`return response`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`}`
initial redesign 2019-08-23 18:34:23 -07:00
			`//MutateNew ...`
			`func MutateNew(policy kyverno.Policy, resource unstructured.Unstructured) (response EngineResponseNew) {`
			`startTime := time.Now()`
			`// policy information`
			`func() {`
			`// set policy information`
			`response.PolicyResponse.Policy = policy.Name`
			`// resource details`
			`response.PolicyResponse.Resource.Name = resource.GetName()`
			`response.PolicyResponse.Resource.Namespace = resource.GetNamespace()`
			`response.PolicyResponse.Resource.Kind = resource.GetKind()`
			`response.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()`
			`}()`
			`glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)`
			`defer func() {`
			`response.PolicyResponse.ProcessingTime = time.Since(startTime)`
			`glog.V(4).Infof("finished applying mutation rules policy %v (%v)", policy.Name, response.PolicyResponse.ProcessingTime)`
			`glog.V(4).Infof("Mutation Rules appplied succesfully count %v for policy %q", response.PolicyResponse.RulesAppliedCount, policy.Name)`
			`}()`
			`incrementAppliedRuleCount := func() {`
			`// rules applied succesfully count`
			`response.PolicyResponse.RulesAppliedCount++`
			`}`

			`var patchedResource unstructured.Unstructured`

			`for _, rule := range policy.Spec.Rules {`
			`//TODO: to be checked before calling the resources as well`
			`if reflect.DeepEqual(rule.Mutation, kyverno.Mutation{}) {`
			`continue`
			`}`
			`// check if the resource satisfies the filter conditions defined in the rule`
			`//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that`
			`// dont statisfy a policy rule resource description`
			`ok := MatchesResourceDescription(resource, rule)`
			`if !ok {`
			`glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName())`
			`continue`
			`}`
			`// Process Overlay`
			`if rule.Mutation.Overlay != nil {`
			`var ruleResponse RuleResponse`
			`ruleResponse, patchedResource = processOverlayNew(rule, resource)`
			`if reflect.DeepEqual(ruleResponse, (RuleResponse{})) {`
			`// overlay pattern does not match the resource conditions`
			`continue`
			`}`
			`response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)`
			`incrementAppliedRuleCount()`
			`}`

			`// Process Patches`
			`if rule.Mutation.Patches != nil {`
			`var ruleResponse RuleResponse`
			`ruleResponse, patchedResource = processPatchesNew(rule, resource)`
			`response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)`
			`incrementAppliedRuleCount()`
			`}`
			`}`
			`// send the patched resource`
			`response.PatchedResource = patchedResource`
			`return response`
			`}`