fix: preconditions in mutate existing rules (#7183)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

cmd/cleanup-controller/handlers/cleanup/handlers.go

@@ -201,7 +201,7 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
 					// check conditions
 					if spec.Conditions != nil {
 						enginectx.Reset()
-						if err := enginectx.AddTargetResource(resource.Object); err != nil {
+						if err := enginectx.SetTargetResource(resource.Object); err != nil {
 							debug.Error(err, "failed to add resource in context")
 							errs = append(errs, err)
 							continue

pkg/engine/context/context.go

@@ -51,8 +51,8 @@ type Interface interface {
 	// AddOldResource merges resource json under request.oldObject
 	AddOldResource(data map[string]interface{}) error
 
-	// AddTargetResource merges resource json under target
-	AddTargetResource(data map[string]interface{}) error
+	// SetTargetResource merges resource json under target
+	SetTargetResource(data map[string]interface{}) error
 
 	// AddOperation merges operation under request.operation
 	AddOperation(data string) error
@@ -190,7 +190,11 @@ func (ctx *context) AddOldResource(data map[string]interface{}) error {
 }
 
 // AddTargetResource adds data at path: target
-func (ctx *context) AddTargetResource(data map[string]interface{}) error {
+func (ctx *context) SetTargetResource(data map[string]interface{}) error {
+	if err := addToContext(ctx, nil, "target"); err != nil {
+		logger.Error(err, "unable to replace target resource")
+		return err
+	}
 	return addToContext(ctx, data, "target")
 }
 

pkg/engine/handlers/mutation/mutate_existing.go

@@ -47,7 +47,7 @@ func (h mutateExistingHandler) Process(
 			continue
 		}
 		policyContext := policyContext.Copy()
-		if err := policyContext.JSONContext().AddTargetResource(target.unstructured.Object); err != nil {
+		if err := policyContext.JSONContext().SetTargetResource(target.unstructured.Object); err != nil {
 			logger.Error(err, "failed to add target resource to the context")
 			continue
 		}

pkg/engine/mutate/mutation.go

@@ -64,7 +64,7 @@ func Mutate(rule *kyvernov1.Rule, ctx context.Interface, resource unstructured.U
 		return NewErrorResponse("failed to unmarshal patched resource", err)
 	}
 	if rule.IsMutateExisting() {
-		if err := ctx.AddTargetResource(resource.Object); err != nil {
+		if err := ctx.SetTargetResource(resource.Object); err != nil {
 			return NewErrorResponse("failed to update patched resource in the JSON context", err)
 		}
 	} else {

test/conformance/kuttl/mutate/existing/preconditions/01-resources.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resources.yaml

test/conformance/kuttl/mutate/existing/preconditions/02-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/mutate/existing/preconditions/03-resources-assert.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- resources-assert.yaml

test/conformance/kuttl/mutate/existing/preconditions/04-resources-error.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+error:
+- resources-error.yaml

test/conformance/kuttl/mutate/existing/preconditions/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test creates pods and a policy to add a label to existing pods with per target preconditions based on the target annotations.
+
+## Expected Behavior
+
+Only the pod with `policy.lan/value: foo` annotation has the label `policy-applied: 'true'` added.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7174

test/conformance/kuttl/mutate/existing/preconditions/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/mutate/existing/preconditions/policy.yaml

@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test
+spec:
+  mutateExistingOnPolicyUpdate: true
+  rules:
+    - name: test
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+              names:
+                - default
+      mutate:
+        targets:
+          - kind: Pod
+            apiVersion: '*'
+            name: '*'
+            namespace: "{{ request.object.metadata.name }}"
+            preconditions:
+              all:
+                - key: "{{ target.metadata.annotations.\"policy.lan/value\" }}"
+                  operator: Equals
+                  value: foo
+        patchStrategicMerge:
+          metadata:
+            labels:
+              policy-applied: 'true'

test/conformance/kuttl/mutate/existing/preconditions/resources-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-a
+  namespace: default
+  labels:
+    policy-applied: 'true'
+  annotations:
+    policy.lan/value: foo

test/conformance/kuttl/mutate/existing/preconditions/resources-error.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-b
+  namespace: default
+  labels:
+    policy-applied: 'true'
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-c
+  namespace: default
+  labels:
+    policy-applied: 'true'

test/conformance/kuttl/mutate/existing/preconditions/resources.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-a
+  namespace: default
+  annotations:
+    policy.lan/value: foo
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-b
+  namespace: default
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-c
+  namespace: default
+  annotations:
+    policy.lan/value: bar
+spec:
+  containers:
+    - name: nginx
+      image: nginx