From 0c11af2d9a1259acdcbda7b2f6afd92a3b93cfe8 Mon Sep 17 00:00:00 2001
From: Sambhav Kothari
Date: Sat, 15 Jan 2022 20:28:28 +0000
Subject: [PATCH] Fix autogen issue with cronjob generator and foreach pod generator (#2989)
Signed-off-by: Sambhav Kothari
---
 pkg/policymutation/cronjob.go | 2 +-
 pkg/policymutation/policymutation.go | 1 +
 pkg/policymutation/policymutation_test.go | 32 +++++++++++++++++
 ...olicy_mutate_pod_foreach_with_context.yaml | 34 +++++++++++++++++++
 4 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml
diff --git a/pkg/policymutation/cronjob.go b/pkg/policymutation/cronjob.go
index 7b2e07e087..e18b8a7360 100644
--- a/pkg/policymutation/cronjob.go
+++ b/pkg/policymutation/cronjob.go
@@ -122,7 +122,7 @@ func generateCronJobRule(rule kyverno.Rule, controllers string, log logr.Logger)
 var newForeachMutation []*kyverno.ForEachMutation
- for _, foreach := range rule.Mutation.ForEachMutation {
+ for _, foreach := range jobRule.Mutation.ForEachMutation {
 newForeachMutation = append(newForeachMutation, &kyverno.ForEachMutation{
 List: foreach.List,
 Context: foreach.Context,
diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go
index 5345f241b2..d2d728019b 100644
--- a/pkg/policymutation/policymutation.go
+++ b/pkg/policymutation/policymutation.go
@@ -618,6 +618,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 for _, foreach := range rule.Mutation.ForEachMutation {
 newForeachMutation = append(newForeachMutation, &kyverno.ForEachMutation{
 List: foreach.List,
+ Context: foreach.Context,
 AnyAllConditions: foreach.AnyAllConditions,
 PatchStrategicMerge: map[string]interface{}{
 "spec": map[string]interface{}{
diff --git a/pkg/policymutation/policymutation_test.go b/pkg/policymutation/policymutation_test.go
index 4d809df4e6..7826efb73b 100644
--- a/pkg/policymutation/policymutation_test.go
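Review bot: The switch of the loop source from `rule` to `jobRule` is left unexplained at the changed line, and since a field-by-field copy is exactly what drifted out of sync in this bug, the next reader needs the reason; a one-line comment above the loop would do: `// iterate over jobRule, not rule: the CronJob foreach entries are built on the pod-controller rule's already-rewritten list paths`. That the CronJob list path is derived from the pod-controller one is inferred from the test's expected `request.object.spec.jobTemplate.spec.template.spec.containers`, so reword if jobRule is constructed differently. generateCronJobRule starts and ends outside the hunk, so the remaining copied fields are not visible here.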
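Review bot: The field-by-field copy of each `ForEachMutation` into a fresh literal is now duplicated between this loop and the one in generateCronJobRule in cronjob.go (the first hunk), and the defect fixed here, `Context` carried in one copy but not the other, is precisely the drift that duplication invites. A single helper that clones a foreach entry and rewrites its `List` and `PatchStrategicMerge` for a given template prefix, called from both generators, would make a future field on `ForEachMutation` impossible to miss in one place. Note also that `Context: foreach.Context` copies only the slice header if `Context` is a slice (the test expects `context` as a JSON array), so the generated rule shares its context entries with the source rule; harmless if rules are only serialized afterwards, but worth an explicit copy should either be mutated later. generateRuleForControllers starts and ends outside the hunk.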
+++ b/pkg/policymutation/policymutation_test.go 
@@ -165,6 +165,38 @@ func Test_CronJobOnly(t *testing.T) {
 assert.DeepEqual(t, rulePatches, expectedPatches)
 }
+func Test_ForEachPod(t *testing.T) {
+ dir, err := os.Getwd()
+ baseDir := filepath.Dir(filepath.Dir(dir))
+ assert.NilError(t, err)
+ file, err := ioutil.ReadFile(baseDir + "/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml")
+ if err != nil {
+ t.Log(err)
+ }
+ policies, err := utils.GetPolicy(file)
+ if err != nil {
+ t.Log(err)
+ }
+
+ policy := policies[0]
+ policy.Spec.Rules[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
+
+ rulePatches, errs := generateRulePatches(*policy, engine.PodControllers, log.Log)
+ if len(errs) != 0 {
+ t.Log(errs)
+ }
+
+ expectedPatches := [][]byte{
+ []byte(`{"path":"/spec/rules/1","op":"add","value":{"name":"autogen-resolve-image-containers","match":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"exclude":{"resources":{"namespaces":["fake-namespce"]}},"preconditions":{"all":[{"key":"{{request.operation}}","operator":"In","value":["CREATE","UPDATE"]}]},"mutate":{"foreach":[{"list":"request.object.spec.template.spec.containers","context":[{"name":"dictionary","configMap":{"name":"some-config-map","namespace":"some-namespace"}}],"patchStrategicMerge":{"spec":{"template":{"spec":{"containers":[{"image":"{{ dictionary.data.image }}","name":"{{ element.name }}"}]}}}}}]}}}`),
+ []byte(`{"path":"/spec/rules/2","op":"add","value":{"name":"autogen-cronjob-resolve-image-containers","match":{"resources":{"kinds":["CronJob"]}},"exclude":{"resources":{"namespaces":["fake-namespce"]}},"preconditions":{"all":[{"key":"{{request.operation}}","operator":"In","value":["CREATE","UPDATE"]}]},"mutate":{"foreach":[{"list":"request.object.spec.jobTemplate.spec.template.spec.containers","context":[{"name":"dictionary","configMap":{"name":"some-config-map","namespace":"some-namespace"}}],"patchStrategicMerge":{"spec":{"jobTemplate":{"spec":{"template":{"spec":{"containers":[{"image":"{{ 
dictionary.data.image }}","name":"{{ element.name }}"}]}}}}}}}]}}}`),
+ }
+
+ for i, ep := range expectedPatches {
+ assert.Equal(t, string(rulePatches[i]), string(ep),
+ fmt.Sprintf("unexpected patch: %s\nexpected: %s", rulePatches[i], ep))
+ }
+}
+
 func Test_CronJob_hasExclude(t *testing.T) {
 controllers := engine.PodControllerCronJob
diff --git a/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml b/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml
new file mode 100644
index 0000000000..aa89330229
--- /dev/null
+++ b/test/policy/mutate/policy_mutate_pod_foreach_with_context.yaml
@@ -0,0 +1,34 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: resolve-image
+spec:
+ background: false
+ rules:
+ - name: resolve-image-containers
+ match:
+ resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.operation}}"
+ operator: In
+ value:
+ - CREATE
+ - UPDATE
+ mutate:
+ foreach:
+ - list: "request.object.spec.containers"
+ context:
+ - name: dictionary
+ configMap:
+ # Name of the ConfigMap which will be looked up
+ name: some-config-map
+ # Namespace in which this ConfigMap is stored
+ namespace: some-namespace
+ patchStrategicMerge:
+ spec:
+ containers:
+ - name: "{{ element.name }}"
+ image: "{{ dictionary.data.image }}"
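Review bot: Test_ForEachPod only logs the errors from ioutil.ReadFile, utils.GetPolicy and generateRulePatches and then carries on, so a missing fixture or a parse failure surfaces as an index-out-of-range panic at `policies[0]` rather than as a failed assertion, and `rulePatches[i]` is indexed without first checking that as many patches were produced as expected, which panics the same way if the generator emits fewer. The `baseDir` computation also runs before `err` from os.Getwd is checked, and the fixture path is built by string concatenation where filepath.Join is already in scope. Fail fast with assert.NilError on each error, assert the policy and patch counts before indexing, and join the path; the rest of the test can stay as written.
```go
func Test_ForEachPod(t *testing.T) {
	dir, err := os.Getwd()
	assert.NilError(t, err)
	baseDir := filepath.Dir(filepath.Dir(dir))
	file, err := ioutil.ReadFile(filepath.Join(baseDir, "test", "policy", "mutate", "policy_mutate_pod_foreach_with_context.yaml"))
	assert.NilError(t, err)
	policies, err := utils.GetPolicy(file)
	assert.NilError(t, err)
	assert.Assert(t, len(policies) == 1, "expected exactly one policy, got %d", len(policies))

	// … unchanged: policy setup and generateRulePatches call …
	assert.Assert(t, len(errs) == 0, "unexpected errors: %v", errs)

	// … unchanged: expectedPatches …
	assert.Equal(t, len(rulePatches), len(expectedPatches))
	for i, ep := range expectedPatches {
		// … unchanged: per-patch comparison …
	}
}
```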