mutate rule: do not ignore empty key in resource if overlay has nested anchor

pkg/engine/mutation.go

@@ -26,7 +26,7 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
 	defer func() {
 		response.PolicyResponse.ProcessingTime = time.Since(startTime)
 		glog.V(4).Infof("finished applying mutation rules policy %v (%v)", policy.Name, response.PolicyResponse.ProcessingTime)
-		glog.V(4).Infof("Mutation Rules appplied succesfully count %v for policy %q", response.PolicyResponse.RulesAppliedCount, policy.Name)
+		glog.V(4).Infof("Mutation Rules appplied count %v for policy %q", response.PolicyResponse.RulesAppliedCount, policy.Name)
 	}()
 	incrementAppliedRuleCount := func() {
 		// rules applied succesfully count

pkg/engine/overlayCondition.go

@@ -156,11 +156,13 @@ func validateNonAnchorOverlayMap(resourceMap, overlayWithoutAnchor map[string]in
 		curPath := path + key + "/"
 		resourceValue, ok := resourceMap[key]
 		if !ok {
-			// policy: 		"(image)": "*:latest",
-			//				"imagePullPolicy": "IfNotPresent",
-			// resource:	"(image)": "*:latest",
-			// the above case should be allowed
-			continue
+			if !hasNestedAnchors(overlayValue) {
+				// policy: 		"(image)": "*:latest",
+				//				"imagePullPolicy": "IfNotPresent",
+				// resource:	"(image)": "*:latest",
+				// the above case should be allowed
+				continue
+			}
 		}
 		if newPath, err := checkConditions(resourceValue, overlayValue, curPath); !reflect.DeepEqual(err, overlayError{}) {
 			return newPath, err

pkg/testrunner/scenario.go

@@ -250,7 +250,8 @@ func validateResponse(t *testing.T, er engine.PolicyResponse, expected engine.Po
 
 	// rules
 	if len(er.Rules) != len(expected.Rules) {
-		t.Error("rule count: error")
+		t.Errorf("rule count error, er.Rules=%d, expected.Rules=%d", len(er.Rules), len(expected.Rules))
+		return
 	}
 	if len(er.Rules) == len(expected.Rules) {
 		// if there are rules being applied then we compare the rule response

pkg/testrunner/testrunner_test.go

@@ -112,6 +112,10 @@ func Test_add_safe_to_evict_annotation2(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict2.yaml")
 }
 
+func Test_add_safe_to_evict_annotation3(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/add_safe_to_evict3.yaml")
+}
+
 func Test_validate_restrict_automount_sa_token_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/more/restrict_automount_sa_token.yaml")
 }

test/output/pod-without-volumes.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:latest

test/scenarios/samples/best_practices/add_safe_to_evict3.yaml

@@ -0,0 +1,22 @@
+# file path is relative to project root
+input:
+  policy: samples/best_practices/add_safe_to_evict.yaml
+  resource: test/resources/pod_with_latest_tag.yaml
+expected:
+  mutation:
+    patchedresource: test/output/pod-without-volumes.yaml
+    policyresponse:
+      policy: add-safe-to-evict
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: myapp-pod
+      rules:
+        - name: annotate-empty-dir
+          type: Mutation
+          success: false
+        - name: annotate-host-path
+          type: Mutation
+          success: false
+          message: "Conditions are not met at /spec/volumes/, [overlayError:0] Found anchor on different types of element at path /spec/volumes/: overlay []interface {} [map[(hostPath):map[path:*]]], resource <nil> <nil>"