From 06e93fec46fdc29c28045488f4a2dc01d5c37425 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Tue, 25 Jan 2022 01:00:18 -0800
Subject: [PATCH] apply patches cumulatively (#3083)

* apply patches cumulatively

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle skipped rules

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add test files

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
---
 pkg/engine/mutation.go                        | 12 ++++-----
 .../foreach/cumulativePatch/kyverno-test.yaml | 12 +++++++++
 .../foreach/cumulativePatch/patched.yaml      | 16 ++++++++++++
 .../foreach/cumulativePatch/policies.yaml     | 26 +++++++++++++++++++
 .../foreach/cumulativePatch/resources.yaml    | 15 +++++++++++
 5 files changed, 75 insertions(+), 6 deletions(-)
 create mode 100644 test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml
 create mode 100644 test/cli/test-mutate/foreach/cumulativePatch/patched.yaml
 create mode 100644 test/cli/test-mutate/foreach/cumulativePatch/policies.yaml
 create mode 100644 test/cli/test-mutate/foreach/cumulativePatch/resources.yaml

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index e27eb91cb8..1a27b68465 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -33,10 +33,10 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 	policy := policyContext.Policy
 	patchedResource := policyContext.NewResource
 	ctx := policyContext.JSONContext
-	var name []string
+	var skippedRules []string
 
 	logger := log.Log.WithName("EngineMutate").WithValues("policy", policy.Name, "kind", patchedResource.GetKind(),
-		"namespace", patchedResource.GetNamespace(), "name", patchedResource.GetName())
+		"namespace", patchedResource.GetNamespace(), "skippedRules", patchedResource.GetName())
 
 	logger.V(4).Info("start policy processing", "startTime", startTime)
 
@@ -61,7 +61,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 
 		if err = MatchesResourceDescription(patchedResource, rule, policyContext.AdmissionInfo, excludeResource, policyContext.NamespaceLabels, policyContext.Policy.Namespace); err != nil {
 			logger.V(4).Info("rule not matched", "reason", err.Error())
-			name = append(name, rule.Name)
+			skippedRules = append(skippedRules, rule.Name)
 			continue
 		}
 
@@ -105,10 +105,10 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 	}
 
 	for _, r := range resp.PolicyResponse.Rules {
-		for _, n := range name {
+		for _, n := range skippedRules {
 			if r.Name == n {
 				r.Status = response.RuleStatusSkip
-				logger.V(4).Info("rule Status set as skip", "rule name", r.Name)
+				logger.V(4).Info("rule Status set as skip", "rule skippedRules", r.Name)
 			}
 		}
 	}
@@ -163,7 +163,7 @@ func mutateForEach(rule *kyverno.Rule, ctx *PolicyContext, resource unstructured
 			return ruleError(rule, utils.Mutation, msg, err), resource
 		}
 
-		mutateResp := mutateElements(rule.Name, foreach, ctx, elements, resource, logger)
+		mutateResp := mutateElements(rule.Name, foreach, ctx, elements, patchedResource, logger)
 		if mutateResp.Status == response.RuleStatusError {
 			logger.Error(err, "failed to mutate elements")
 			return buildRuleResponse(rule, mutateResp), resource
diff --git a/test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml b/test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml
new file mode 100644
index 0000000000..eba15a7eba
--- /dev/null
+++ b/test/cli/test-mutate/foreach/cumulativePatch/kyverno-test.yaml
@@ -0,0 +1,12 @@
+name: foreach-mutate
+policies:
+  - policies.yaml
+resources:
+  - resources.yaml
+results:
+  - policy: add-default-resources
+    rule: add-default-requests
+    resource: badpod
+    patchedResource: patched.yaml
+    kind: Pod
+    result: pass
diff --git a/test/cli/test-mutate/foreach/cumulativePatch/patched.yaml b/test/cli/test-mutate/foreach/cumulativePatch/patched.yaml
new file mode 100644
index 0000000000..dbf281cebb
--- /dev/null
+++ b/test/cli/test-mutate/foreach/cumulativePatch/patched.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod
+  labels:
+    app: myapp
+  annotations:
+    iam.amazonaws.com/role: cert-manager_mycluster
+spec:
+  containers:
+    - name: nginx2
+      image: docker.io/nginx
+      resources:
+        requests:
+          memory: 100Mi
+          cpu: 100m
diff --git a/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml b/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml
new file mode 100644
index 0000000000..7beea26d92
--- /dev/null
+++ b/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml
@@ -0,0 +1,26 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-default-resources
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: "none"
+spec:
+  background: false
+  rules:
+    - name: add-default-requests
+      match:
+        resources:
+          kinds:
+            - Pod
+      mutate:
+        foreach:
+        - list: "request.object.spec.containers"
+          patchesJson6902: |-
+            - path: /spec/containers/{{elementIndex}}/resources/requests/memory
+              op: add
+              value: "100Mi"
+        - list: "request.object.spec.containers"
+          patchesJson6902: |-
+            - path: /spec/containers/{{elementIndex}}/resources/requests/cpu
+              op: add
+              value: "100m"
diff --git a/test/cli/test-mutate/foreach/cumulativePatch/resources.yaml b/test/cli/test-mutate/foreach/cumulativePatch/resources.yaml
new file mode 100644
index 0000000000..5eaf26b95a
--- /dev/null
+++ b/test/cli/test-mutate/foreach/cumulativePatch/resources.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod
+  labels:
+    app: myapp
+  annotations:
+    iam.amazonaws.com/role: cert-manager_mycluster
+spec:
+  containers:
+    - name: nginx2
+      image: docker.io/nginx
+      # resources:
+      #   requests:
+      #     memory: 50Mi
\ No newline at end of file