Fix autogen issue with cronjob generator and foreach pod generator (#2989)

Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
2025-03-28 02:18:15 +00:00 · 2022-01-15 20:28:28 +00:00 · 2022-01-15 20:28:28 +00:00 · 0c11af2d9a
commit 0c11af2d9a
parent 1fec430249
4 changed files with 68 additions and 1 deletions
--- a/pkg/policymutation/cronjob.go
+++ b/pkg/policymutation/cronjob.go
@ -122,7 +122,7 @@ func generateCronJobRule(rule kyverno.Rule, controllers string, log logr.Logger)

 		var newForeachMutation []*kyverno.ForEachMutation

-		for _, foreach := range rule.Mutation.ForEachMutation {
+		for _, foreach := range jobRule.Mutation.ForEachMutation {
 			newForeachMutation = append(newForeachMutation, &kyverno.ForEachMutation{
 				List:             foreach.List,
 				Context:          foreach.Context,
--- a/pkg/policymutation/policymutation.go
+++ b/pkg/policymutation/policymutation.go
@ -618,6 +618,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 		for _, foreach := range rule.Mutation.ForEachMutation {
 			newForeachMutation = append(newForeachMutation, &kyverno.ForEachMutation{
 				List:             foreach.List,
+				Context:          foreach.Context,
 				AnyAllConditions: foreach.AnyAllConditions,
 				PatchStrategicMerge: map[string]interface{}{
 					"spec": map[string]interface{}{
--- a/pkg/policymutation/policymutation_test.go
+++ b/pkg/policymutation/policymutation_test.go
@ -165,6 +165,38 @@ func Test_CronJobOnly(t *testing.T) {
 	assert.DeepEqual(t, rulePatches, expectedPatches)
 }

+func Test_ForEachPod(t *testing.T) {
+	dir, err := os.Getwd()
+	baseDir := filepath.Dir(filepath.Dir(dir))
+	assert.NilError(t, err)
+	file, err := ioutil.ReadFile(baseDir + "/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml")
+	if err != nil {
+		t.Log(err)
+	}
+	policies, err := utils.GetPolicy(file)
+	if err != nil {
+		t.Log(err)
+	}
+
+	policy := policies[0]
+	policy.Spec.Rules[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
+
+	rulePatches, errs := generateRulePatches(*policy, engine.PodControllers, log.Log)
+	if len(errs) != 0 {
+		t.Log(errs)
+	}
+
+	expectedPatches := [][]byte{
+		[]byte(`{"path":"/spec/rules/1","op":"add","value":{"name":"autogen-resolve-image-containers","match":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"exclude":{"resources":{"namespaces":["fake-namespce"]}},"preconditions":{"all":[{"key":"{{request.operation}}","operator":"In","value":["CREATE","UPDATE"]}]},"mutate":{"foreach":[{"list":"request.object.spec.template.spec.containers","context":[{"name":"dictionary","configMap":{"name":"some-config-map","namespace":"some-namespace"}}],"patchStrategicMerge":{"spec":{"template":{"spec":{"containers":[{"image":"{{ dictionary.data.image }}","name":"{{ element.name }}"}]}}}}}]}}}`),
+		[]byte(`{"path":"/spec/rules/2","op":"add","value":{"name":"autogen-cronjob-resolve-image-containers","match":{"resources":{"kinds":["CronJob"]}},"exclude":{"resources":{"namespaces":["fake-namespce"]}},"preconditions":{"all":[{"key":"{{request.operation}}","operator":"In","value":["CREATE","UPDATE"]}]},"mutate":{"foreach":[{"list":"request.object.spec.jobTemplate.spec.template.spec.containers","context":[{"name":"dictionary","configMap":{"name":"some-config-map","namespace":"some-namespace"}}],"patchStrategicMerge":{"spec":{"jobTemplate":{"spec":{"template":{"spec":{"containers":[{"image":"{{ dictionary.data.image }}","name":"{{ element.name }}"}]}}}}}}}]}}}`),
+	}
+
+	for i, ep := range expectedPatches {
+		assert.Equal(t, string(rulePatches[i]), string(ep),
+			fmt.Sprintf("unexpected patch: %s\nexpected: %s", rulePatches[i], ep))
+	}
+}
+
 func Test_CronJob_hasExclude(t *testing.T) {

 	controllers := engine.PodControllerCronJob
--- a/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml
+++ b/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml
@ -0,0 +1,34 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: resolve-image
+spec:
+  background: false
+  rules:
+  - name: resolve-image-containers
+    match:
+      resources:
+        kinds:
+        - Pod
+    preconditions:
+      all:
+      - key: "{{request.operation}}"
+        operator: In
+        value:
+        - CREATE
+        - UPDATE
+    mutate:
+      foreach:
+      - list: "request.object.spec.containers"
+        context:
+          - name: dictionary
+            configMap:
+              # Name of the ConfigMap which will be looked up
+              name: some-config-map
+              # Namespace in which this ConfigMap is stored
+              namespace: some-namespace 
+        patchStrategicMerge:
+          spec:
+            containers:
+            - name: "{{ element.name }}"           
+              image: "{{ dictionary.data.image }}"