skip process mutate patches if conditon tag is not present

2025-03-30 19:35:06 +00:00 · 2019-11-27 19:40:47 -08:00 · 2019-11-27 19:40:47 -08:00 · 51642cbcf3
commit 51642cbcf3
parent e743a4702c
8 changed files with 54 additions and 24 deletions
--- a/pkg/engine/overlay.go
+++ b/pkg/engine/overlay.go
@ -32,6 +32,12 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 	// resource does not satisfy the overlay pattern, we don't apply this rule
 	if !reflect.DeepEqual(overlayerr, overlayError{}) {
 		switch overlayerr.statusCode {
+		// condition key is not present in the resource, don't apply this rule
+		// consider as success
+		case conditionNotPresent:
+			glog.V(3).Infof("Resource %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg())
+			response.Success = true
+			return response, resource
 		// conditions are not met, don't apply this rule
 		// consider as failure
 		case conditionFailure:
@ -96,7 +102,13 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp

 func processOverlayPatches(resource, overlay interface{}) ([][]byte, overlayError) {
 	if path, overlayerr := meetConditions(resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) {
-		if overlayerr.statusCode == conditionFailure {
+		switch overlayerr.statusCode {
+		// anchor key does not exist in the resource, skip applying policy
+		case conditionNotPresent:
+			glog.V(4).Infof("Mutate rule: skip applying policy: %v at %s", overlayerr, path)
+			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("policy not applied: %v at %s", overlayerr.ErrorMsg(), path))
+		// anchor key is not satisfied in the resource, skip applying policy
+		case conditionFailure:
 			// anchor key is not satisfied in the resource, skip applying policy
 			glog.V(4).Infof("Mutate rule: failed to validate condition at %s, err: %v", path, overlayerr)
 			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Conditions are not met at %s, %v", path, overlayerr))
--- a/pkg/engine/overlayCondition.go
+++ b/pkg/engine/overlayCondition.go
@ -98,7 +98,7 @@ func validateConditionAnchorMap(resourceMap, anchors map[string]interface{}, pat
 			}
 		} else {
 			// noAnchorKey doesn't exist in resource
-			continue
+			return curPath, newOverlayError(conditionNotPresent, fmt.Sprintf("resource field is not present %s", noAnchorKey))
 		}
 	}
 	return "", overlayError{}
--- a/pkg/engine/overlayError.go
+++ b/pkg/engine/overlayError.go
@ -6,6 +6,7 @@ type codeKey int

 const (
 	conditionFailure codeKey = iota
+	conditionNotPresent
 	overlayFailure
 )

--- a/test/output/pod-with-default-volume.yaml
+++ b/test/output/pod-with-default-volume.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-default-volume
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+      name: default-token-wkknl
+      readOnly: true
+  volumes:
+  - name: default-token-wkknl
+    secret:
+      defaultMode: 420
+      secretName: default-token-wkknl
--- a/test/output/pod-without-volumes.yaml
+++ b/test/output/pod-without-volumes.yaml
@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: myapp-pod
-  labels:
-    app: myapp
-spec: 
-  containers:
-  - name: nginx
-    image: nginx:latest
--- a/test/resources/pod-with-default-volume.yaml
+++ b/test/resources/pod-with-default-volume.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-default-volume
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+      name: default-token-wkknl
+      readOnly: true
+  volumes:
+  - name: default-token-wkknl
+    secret:
+      defaultMode: 420
+      secretName: default-token-wkknl
--- a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
+++ b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
@ -13,7 +13,7 @@ expected:
        namespace: ''
        name: pod-with-hostpath
      rules:
-        - name: annotate-empty-dir
+        - name: annotate-host-path
          type: Mutation
          success: true
          message: "successfully processed overlay"
--- a/test/scenarios/samples/best_practices/add_safe_to_evict3.yaml
+++ b/test/scenarios/samples/best_practices/add_safe_to_evict3.yaml
@ -1,22 +1,15 @@
 # file path is relative to project root
 input:
  policy: samples/best_practices/add_safe_to_evict.yaml
-  resource: test/resources/pod_with_latest_tag.yaml
+  resource: test/resources/pod-with-default-volume.yaml
 expected:
  mutation:
-    patchedresource: test/output/pod-without-volumes.yaml
+    patchedresource: test/resources/pod-with-default-volume.yaml
    policyresponse:
      policy: add-safe-to-evict
      resource:
        kind: Pod
        apiVersion: v1
        namespace: ''
-        name: myapp-pod
-      rules:
-        - name: annotate-empty-dir
-          type: Mutation
-          success: false
-        - name: annotate-host-path
-          type: Mutation
-          success: false
-          message: "Conditions are not met at /spec/volumes/, [overlayError:0] Found anchor on different types of element at path /spec/volumes/: overlay []interface {} [map[(hostPath):map[path:*]]], resource <nil> <nil>"
+        name: pod-with-default-volume
+      rules: