apply patches cumulatively (#3083)

* apply patches cumulatively Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle skipped rules Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test files Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2025-03-28 10:28:36 +00:00 · 2022-01-25 01:00:18 -08:00 · 2022-01-25 01:00:18 -08:00 · 06e93fec46
commit 06e93fec46
parent cd4650eb5a
5 changed files with 75 additions and 6 deletions
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -33,10 +33,10 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 	policy := policyContext.Policy
 	patchedResource := policyContext.NewResource
 	ctx := policyContext.JSONContext
-	var name []string
+	var skippedRules []string

 	logger := log.Log.WithName("EngineMutate").WithValues("policy", policy.Name, "kind", patchedResource.GetKind(),
-		"namespace", patchedResource.GetNamespace(), "name", patchedResource.GetName())
+		"namespace", patchedResource.GetNamespace(), "skippedRules", patchedResource.GetName())

 	logger.V(4).Info("start policy processing", "startTime", startTime)

@ -61,7 +61,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {

 		if err = MatchesResourceDescription(patchedResource, rule, policyContext.AdmissionInfo, excludeResource, policyContext.NamespaceLabels, policyContext.Policy.Namespace); err != nil {
 			logger.V(4).Info("rule not matched", "reason", err.Error())
-			name = append(name, rule.Name)
+			skippedRules = append(skippedRules, rule.Name)
 			continue
 		}

@ -105,10 +105,10 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 	}

 	for _, r := range resp.PolicyResponse.Rules {
-		for _, n := range name {
+		for _, n := range skippedRules {
 			if r.Name == n {
 				r.Status = response.RuleStatusSkip
-				logger.V(4).Info("rule Status set as skip", "rule name", r.Name)
+				logger.V(4).Info("rule Status set as skip", "rule skippedRules", r.Name)
 			}
 		}
 	}
@ -163,7 +163,7 @@ func mutateForEach(rule *kyverno.Rule, ctx *PolicyContext, resource unstructured
 			return ruleError(rule, utils.Mutation, msg, err), resource
 		}

-		mutateResp := mutateElements(rule.Name, foreach, ctx, elements, resource, logger)
+		mutateResp := mutateElements(rule.Name, foreach, ctx, elements, patchedResource, logger)
 		if mutateResp.Status == response.RuleStatusError {
 			logger.Error(err, "failed to mutate elements")
 			return buildRuleResponse(rule, mutateResp), resource
--- a/test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml
+++ b/test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml
@ -0,0 +1,12 @@
+name: foreach-mutate
+policies:
+  - policies.yaml
+resources:
+  - resources.yaml
+results:
+  - policy: add-default-resources
+    rule: add-default-requests
+    resource: badpod
+    patchedResource: patched.yaml
+    kind: Pod
+    result: pass
--- a/test/cli/test-mutate/foreach/cumulativePatch/patched.yaml
+++ b/test/cli/test-mutate/foreach/cumulativePatch/patched.yaml
@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod
+  labels:
+    app: myapp
+  annotations:
+    iam.amazonaws.com/role: cert-manager_mycluster
+spec:
+  containers:
+    - name: nginx2
+      image: docker.io/nginx
+      resources:
+        requests:
+          memory: 100Mi
+          cpu: 100m
--- a/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml
+++ b/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml
@ -0,0 +1,26 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-default-resources
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: "none"
+spec:
+  background: false
+  rules:
+    - name: add-default-requests
+      match:
+        resources:
+          kinds:
+            - Pod
+      mutate:
+        foreach:
+        - list: "request.object.spec.containers"
+          patchesJson6902: |-
+            - path: /spec/containers/{{elementIndex}}/resources/requests/memory
+              op: add
+              value: "100Mi"
+        - list: "request.object.spec.containers"
+          patchesJson6902: |-
+            - path: /spec/containers/{{elementIndex}}/resources/requests/cpu
+              op: add
+              value: "100m"
--- a/test/cli/test-mutate/foreach/cumulativePatch/resources.yaml
+++ b/test/cli/test-mutate/foreach/cumulativePatch/resources.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod
+  labels:
+    app: myapp
+  annotations:
+    iam.amazonaws.com/role: cert-manager_mycluster
+spec:
+  containers:
+    - name: nginx2
+      image: docker.io/nginx
+      # resources:
+      #   requests:
+      #     memory: 50Mi