From a1ce6e4297d60e29f15031738ee21abb588318b2 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 13 Nov 2019 17:56:56 -0800
Subject: [PATCH 1/3] fix annotation patch in mutate rule

---
 pkg/engine/mutation.go      | 11 ++++++-----
 pkg/engine/overlay.go       | 11 +++++++++--
 pkg/webhooks/annotations.go | 10 +++++++---
 pkg/webhooks/mutation.go    |  3 ++-
 4 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 1d8bc61b6b..cf17cd8502 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -4,7 +4,6 @@ import (
 	"time"
 
 	"github.com/golang/glog"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 // Mutate performs mutation. Overlay first and then mutation patches
@@ -34,7 +33,7 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
 		response.PolicyResponse.RulesAppliedCount++
 	}
 
-	var patchedResource unstructured.Unstructured
+	patchedResource := policyContext.NewResource
 
 	for _, rule := range policy.Spec.Rules {
 		//TODO: to be checked before calling the resources as well
@@ -61,13 +60,15 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
 		// Process Overlay
 		if rule.Mutation.Overlay != nil {
 			var ruleResponse RuleResponse
-			ruleResponse, patchedResource = processOverlay(rule, resource)
+			ruleResponse, patchedResource = processOverlay(rule, patchedResource)
 			if ruleResponse.Success == true && ruleResponse.Patches == nil {
 				// overlay pattern does not match the resource conditions
 				glog.V(4).Infof(ruleResponse.Message)
 				continue
+			} else if ruleResponse.Success == true {
+				glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			}
-			glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+
 			response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount()
 		}
@@ -75,7 +76,7 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
 		// Process Patches
 		if rule.Mutation.Patches != nil {
 			var ruleResponse RuleResponse
-			ruleResponse, patchedResource = processPatches(rule, resource)
+			ruleResponse, patchedResource = processPatches(rule, patchedResource)
 			glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount()
diff --git a/pkg/engine/overlay.go b/pkg/engine/overlay.go
index 515995ca34..8f54ae33ba 100644
--- a/pkg/engine/overlay.go
+++ b/pkg/engine/overlay.go
@@ -53,6 +53,11 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 		}
 	}
 
+	if len(patches) == 0 {
+		response.Success = true
+		return response, resource
+	}
+
 	// convert to RAW
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
@@ -65,11 +70,13 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 	var patchResource []byte
 	patchResource, err = ApplyPatches(resourceRaw, patches)
 	if err != nil {
-		glog.Info("failed to apply patch")
+		msg := fmt.Sprintf("failed to apply JSON patches: %v", err)
+		glog.V(2).Info(msg)
 		response.Success = false
-		response.Message = fmt.Sprintf("failed to apply JSON patches: %v", err)
+		response.Message = msg
 		return response, resource
 	}
+
 	err = patchedResource.UnmarshalJSON(patchResource)
 	if err != nil {
 		glog.Infof("failed to unmarshall resource to undstructured: %v", err)
diff --git a/pkg/webhooks/annotations.go b/pkg/webhooks/annotations.go
index c25411fbb7..b6dbbce56d 100644
--- a/pkg/webhooks/annotations.go
+++ b/pkg/webhooks/annotations.go
@@ -31,8 +31,12 @@ type response struct {
 
 func generateAnnotationPatches(engineResponses []engine.EngineResponse) []byte {
 	var annotations map[string]string
-	if len(engineResponses) > 0 {
-		annotations = engineResponses[0].PatchedResource.GetAnnotations()
+
+	for _, er := range engineResponses {
+		if ann := er.PatchedResource.GetAnnotations(); ann != nil {
+			annotations = ann
+			break
+		}
 	}
 
 	if annotations == nil {
@@ -104,7 +108,7 @@ func annotationFromEngineResponses(engineResponses []engine.EngineResponse) []by
 
 	// return nil if there's no patches
 	// otherwise result = null, len(result) = 4
-	if policyPatches == nil {
+	if len(policyPatches) == 0 {
 		return nil
 	}
 
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 3eab291d68..4485419f2b 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -59,6 +59,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, polic
 
 	// if not then set it from the api request
 	resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})
+	resource.SetNamespace(request.Namespace)
 	var engineResponses []engine.EngineResponse
 	policyContext := engine.PolicyContext{
 		NewResource: *resource,
@@ -103,6 +104,6 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, polic
 	}
 
 	sendStat(true)
-	glog.Errorf("Failed to mutate the resource\n")
+	glog.Errorf("Failed to mutate the resource, %s\n", getErrorMsg(engineResponses))
 	return false, nil, getErrorMsg(engineResponses)
 }

From 79a7bde4ab64dd93b599cf77e492d0e02789bc59 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 13 Nov 2019 18:44:18 -0800
Subject: [PATCH 2/3] - fix test; - improve logging

---
 pkg/policyviolation/controller.go                             | 2 +-
 pkg/policyviolation/generator.go                              | 2 +-
 pkg/policyviolation/namespacedpv.go                           | 2 +-
 pkg/policyviolation/namespacepvcontroller.go                  | 2 +-
 test/scenarios/samples/best_practices/add_safe_to_evict.yaml  | 4 ----
 test/scenarios/samples/best_practices/add_safe_to_evict2.yaml | 4 ----
 6 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/pkg/policyviolation/controller.go b/pkg/policyviolation/controller.go
index 746e1390aa..869d13ba8c 100644
--- a/pkg/policyviolation/controller.go
+++ b/pkg/policyviolation/controller.go
@@ -195,7 +195,7 @@ func (pvc *PolicyViolationController) syncPolicyViolation(key string) error {
 	startTime := time.Now()
 	glog.V(4).Infof("Started syncing policy violation %q (%v)", key, startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing policy violation %q (%v)", key, time.Since(startTime))
+		glog.V(4).Infof("Finished syncing cluster policy violation %q (%v)", key, time.Since(startTime))
 	}()
 	policyViolation, err := pvc.pvLister.Get(key)
 	if errors.IsNotFound(err) {
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index ca3429b478..cd9a715232 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -149,7 +149,7 @@ func (gen *Generator) handleErr(err error, key interface{}) {
 
 	// retires requests if there is error
 	if gen.queue.NumRequeues(key) < workQueueRetryLimit {
-		glog.Warningf("Error syncing policy violation %v: %v", key, err)
+		glog.V(4).Infof("Error syncing policy violation %v: %v", key, err)
 		// Re-enqueue the key rate limited. Based on the rate limiter on the
 		// queue and the re-enqueue history, the key will be processed later again.
 		gen.queue.AddRateLimited(key)
diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index cba216400d..2e270a9ad2 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -77,7 +77,7 @@ func createNamespacedPV(dclient *dclient.Client, pvLister kyvernolister.Namespac
 				glog.V(4).Infof("creating new namespaced policy violation for policy %s & resource %s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.ToKey())
 
 				if err := retryGetResource(dclient, newPv.Spec.ResourceSpec); err != nil {
-					return fmt.Errorf("failed to get resource for policy violation '%s': %v", curPv.Name, err)
+					return fmt.Errorf("failed to get resource for policy violation on resource '%s': %v", newPv.Spec.ResourceSpec.ToKey(), err)
 				}
 
 				if _, err := pvInterface.NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Create(&newPv); err != nil {
diff --git a/pkg/policyviolation/namespacepvcontroller.go b/pkg/policyviolation/namespacepvcontroller.go
index f290dabc09..59e1455807 100644
--- a/pkg/policyviolation/namespacepvcontroller.go
+++ b/pkg/policyviolation/namespacepvcontroller.go
@@ -187,7 +187,7 @@ func (pvc *NamespacedPolicyViolationController) syncPolicyViolation(key string)
 	startTime := time.Now()
 	glog.V(4).Infof("Started syncing policy violation %q (%v)", key, startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing policy violation %q (%v)", key, time.Since(startTime))
+		glog.V(4).Infof("Finished syncing namespaced policy violation %q (%v)", key, time.Since(startTime))
 	}()
 
 	// tags: NAMESPACE/NAME
diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict.yaml
index 435ec26012..c861cf65d4 100644
--- a/test/scenarios/samples/best_practices/add_safe_to_evict.yaml
+++ b/test/scenarios/samples/best_practices/add_safe_to_evict.yaml
@@ -14,10 +14,6 @@ expected:
         name: pod-with-emptydir
       rules:
         - name: annotate-empty-dir
-          type: Mutation
-          success: true
-          message: "successfully processed overlay"
-        - name: annotate-host-path
           type: Mutation
           success: true
           message: "successfully processed overlay"
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
index baaf85a961..1ca956c8f7 100644
--- a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
+++ b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
@@ -14,10 +14,6 @@ expected:
         name: pod-with-hostpath
       rules:
         - name: annotate-empty-dir
-          type: Mutation
-          success: true
-          message: "successfully processed overlay"
-        - name: annotate-host-path
           type: Mutation
           success: true
           message: "successfully processed overlay"
\ No newline at end of file

From 2153c284b5aab7428a96c0364851604dbbc7d713 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 13 Nov 2019 18:48:03 -0800
Subject: [PATCH 3/3] update image tag to latest

---
 definitions/install.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index d7d0995012..f2c49f9863 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -420,7 +420,7 @@ spec:
       serviceAccountName: kyverno-service-account
       containers:
         - name: kyverno
-          image: nirmata/kyverno:v0.11.0
+          image: nirmata/kyverno:latest
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
           # customize webhook timout