From 51642cbcf3bbceba01a7b30f1c23137965bc9c90 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Wed, 27 Nov 2019 19:40:47 -0800
Subject: [PATCH] skip process mutate patches if conditon tag is not present
---
 pkg/engine/overlay.go | 14 +++++++++++++-
 pkg/engine/overlayCondition.go | 2 +-
 pkg/engine/overlayError.go | 1 +
 test/output/pod-with-default-volume.yaml | 17 +++++++++++++++++
 test/output/pod-without-volumes.yaml | 10 ----------
 test/resources/pod-with-default-volume.yaml | 17 +++++++++++++++++
 .../best_practices/add_safe_to_evict2.yaml | 2 +-
 .../best_practices/add_safe_to_evict3.yaml | 15 ++++-----------
 8 files changed, 54 insertions(+), 24 deletions(-)
 create mode 100644 test/output/pod-with-default-volume.yaml
 delete mode 100644 test/output/pod-without-volumes.yaml
 create mode 100644 test/resources/pod-with-default-volume.yaml
diff --git a/pkg/engine/overlay.go b/pkg/engine/overlay.go
index 2610cfadba..c772c2cb7a 100644
--- a/pkg/engine/overlay.go
+++ b/pkg/engine/overlay.go
@@ -32,6 +32,12 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 	// resource does not satisfy the overlay pattern, we don't apply this rule
 	if !reflect.DeepEqual(overlayerr, overlayError{}) {
 		switch overlayerr.statusCode {
+		// condition key is not present in the resource, don't apply this rule
+		// consider as success
+		case conditionNotPresent:
+			glog.V(3).Infof("Resource %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg())
+			response.Success = true
+			return response, resource
 		// conditions are not met, don't apply this rule
 		// consider as failure
 		case conditionFailure:
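Review bot: The `conditionNotPresent` case sets `response.Success = true` and returns without setting `response.Message`, so in the policy report a rule skipped because its anchor key is absent looks identical to a rule that actually patched the resource; the reason survives only in the glog.V(3) line. For a mutation policy that exists to harden workloads, a misspelled condition anchor would then report success on every resource while never mutating anything. Consider `response.Message = overlayerr.ErrorMsg()` before `return response, resource`, mirroring whatever the `conditionFailure` branch records. processOverlay and the enclosing switch continue outside the hunk, so whether the other branches set a message is not visible here.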
@@ -96,7 +102,13 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 func processOverlayPatches(resource, overlay interface{}) ([][]byte, overlayError) {
 	if path, overlayerr := meetConditions(resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) {
-		if overlayerr.statusCode == conditionFailure {
+		switch overlayerr.statusCode {
+		// anchor key does not exist in the resource, skip applying policy
+		case conditionNotPresent:
+			glog.V(4).Infof("Mutate rule: skip applying policy: %v at %s", overlayerr, path)
+			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("policy not applied: %v at %s", overlayerr.ErrorMsg(), path))
+		// anchor key is not satisfied in the resource, skip applying policy
+		case conditionFailure:
 			// anchor key is not satisfied in the resource, skip applying policy
 			glog.V(4).Infof("Mutate rule: failed to validate condition at %s, err: %v", path, overlayerr)
 			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Conditions are not met at %s, %v", path, overlayerr))
diff --git a/pkg/engine/overlayCondition.go b/pkg/engine/overlayCondition.go
index 9c8deced21..ffd8f5ef4d 100755
--- a/pkg/engine/overlayCondition.go
+++ b/pkg/engine/overlayCondition.go
@@ -98,7 +98,7 @@ func validateConditionAnchorMap(resourceMap, anchors map[string]interface{}, pat
 			}
 		} else {
 			// noAnchorKey doesn't exist in resource
-			continue
+			return curPath, newOverlayError(conditionNotPresent, fmt.Sprintf("resource field is not present %s", noAnchorKey))
 		}
 	}
 	return "", overlayError{}
diff --git a/pkg/engine/overlayError.go b/pkg/engine/overlayError.go
index 9dabdceea2..8f797caf61 100644
--- a/pkg/engine/overlayError.go
+++ b/pkg/engine/overlayError.go
@@ -6,6 +6,7 @@ type codeKey int
 const (
 	conditionFailure codeKey = iota
+	conditionNotPresent
 	overlayFailure
 )
diff --git a/test/output/pod-with-default-volume.yaml b/test/output/pod-with-default-volume.yaml
new file mode 100644
index 0000000000..13e50dd289
--- /dev/null
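Review bot: The comment `// anchor key is not satisfied in the resource, skip applying policy` now appears twice in the `conditionFailure` branch — once above the `case` label and again as the first line of its body — so one of them should go. The two branches also log and return the error in opposite forms: the new case logs `%v` of `overlayerr` but returns `overlayerr.ErrorMsg()`, while `conditionFailure` returns `%v` of `overlayerr`, which (judging by the `[overlayError:0]` prefix in the deleted add_safe_to_evict3 expectation) embeds the numeric code; pick one form so the code prefix is either always or never part of the returned message. The switch's closing brace and any handling of `overlayFailure` lie outside the hunk.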
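Review bot: Replacing `continue` with `return curPath, newOverlayError(conditionNotPresent, …)` changes the loop's contract: a condition anchor whose key is missing used to be ignored while the remaining anchors were still checked, whereas now the first missing key ends evaluation of the whole anchor map before any later anchor that could have produced `conditionFailure` is seen. That matches the intended "rule does not apply" semantics, but validateConditionAnchorMap's doc comment (outside the hunk) should record it, e.g. `// A condition anchor whose key is absent from the resource returns conditionNotPresent immediately; callers treat it as "rule not applicable", not as a failure.` Quoting the key with `%q` (`"resource field is not present %q"`) would also make an empty or whitespace-only key visible in the message. Unrelatedly, the index line shows the file still at mode 100755; a Go source file should not carry the executable bit.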
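Review bot: Inserting `conditionNotPresent` between `conditionFailure` and `overlayFailure` in the iota block renumbers `overlayFailure` from 1 to 2, and the numeric code is user-visible — the expectation deleted in add_safe_to_evict3.yaml shows messages prefixed `[overlayError:0]`. Any log filter, report consumer or fixture keyed on `[overlayError:1]` now silently matches a different condition. Append new codes after `overlayFailure`, or give each constant an explicit value, and document the new one: `conditionNotPresent // a condition anchor's key is absent from the resource; the rule is skipped, not failed`.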
+++ b/test/output/pod-with-default-volume.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-default-volume
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+      name: default-token-wkknl
+      readOnly: true
+  volumes:
+  - name: default-token-wkknl
+    secret:
+      defaultMode: 420
+      secretName: default-token-wkknl
\ No newline at end of file
diff --git a/test/output/pod-without-volumes.yaml b/test/output/pod-without-volumes.yaml
deleted file mode 100644
index 904f3719e0..0000000000
--- a/test/output/pod-without-volumes.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: myapp-pod
-  labels:
-    app: myapp
-spec:
-  containers:
-  - name: nginx
-    image: nginx:latest
\ No newline at end of file
diff --git a/test/resources/pod-with-default-volume.yaml b/test/resources/pod-with-default-volume.yaml
new file mode 100644
index 0000000000..13e50dd289
--- /dev/null
+++ b/test/resources/pod-with-default-volume.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-default-volume
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+      name: default-token-wkknl
+      readOnly: true
+  volumes:
+  - name: default-token-wkknl
+    secret:
+      defaultMode: 420
+      secretName: default-token-wkknl
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
index 1ca956c8f7..8bdede03c9 100644
--- a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
+++ b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
@@ -13,7 +13,7 @@ expected:
       namespace: ''
       name: pod-with-hostpath
     rules:
-      - name: annotate-empty-dir
+      - name: annotate-host-path
         type: Mutation
         success: true
         message: "successfully processed overlay"
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict3.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict3.yaml
index 3965942afd..67160db417 100644
--- a/test/scenarios/samples/best_practices/add_safe_to_evict3.yaml
+++ b/test/scenarios/samples/best_practices/add_safe_to_evict3.yaml
@@ -1,22 +1,15 @@
 # file path is relative to project root
 input:
   policy: samples/best_practices/add_safe_to_evict.yaml
-  resource: test/resources/pod_with_latest_tag.yaml
+  resource: test/resources/pod-with-default-volume.yaml
 expected:
   mutation:
-    patchedresource: test/output/pod-without-volumes.yaml
+    patchedresource: test/resources/pod-with-default-volume.yaml
   policyresponse:
     policy: add-safe-to-evict
     resource:
       kind: Pod
       apiVersion: v1
       namespace: ''
-      name: myapp-pod
-    rules:
-      - name: annotate-empty-dir
-        type: Mutation
-        success: false
-      - name: annotate-host-path
-        type: Mutation
-        success: false
-        message: "Conditions are not met at /spec/volumes/, [overlayError:0] Found anchor on different types of element at path /spec/volumes/: overlay []interface {} [map[(hostPath):map[path:*]]], resource "
+      name: pod-with-default-volume
+    rules:
\ No newline at end of file
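Review bot: `patchedresource` now points at `test/resources/pod-with-default-volume.yaml`, the same file as `input.resource`, while the commit also adds an identical `test/output/pod-with-default-volume.yaml` (blob 13e50dd289) that nothing in this patch references. The scenario passes either way, but the other scenarios keep their expected output under test/output/, so `patchedresource: test/output/pod-with-default-volume.yaml` would preserve that convention and keep the new file from being dead weight. The expected `rules:` is also left empty without explanation; a comment such as `# the pod has only a secret volume, so neither the emptyDir nor the hostPath rule applies and no rule response is recorded` would tell the next reader this is the intended outcome rather than a truncated fixture.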