Merge branch '522_policy_validation' of github.com:shravanshetty1/kyverno into 536_extend_cli_v3

2025-03-31 03:45:17 +00:00 · 2020-03-06 02:12:24 +05:30 · 2020-03-06 02:12:24 +05:30 · 58dcf90298
commit 58dcf90298
parent 99c020ceb3 a0baf182f2
10 changed files with 559 additions and 3 deletions
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -5,6 +5,8 @@ import (
 	"flag"
 	"time"

+	"github.com/nirmata/kyverno/pkg/openapi"
+
 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
@ -200,6 +202,9 @@ func main() {
 		glog.Fatalf("Failed registering Admission Webhooks: %v\n", err)
 	}

+	// Sync openAPI definitions of resources
+	openApiSync := openapi.NewCRDSync(client)
+
 	// WEBHOOOK
 	// - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration
 	// - reports the results based on the response from the policy engine:
@ -238,6 +243,7 @@ func main() {
 	go grc.Run(1, stopCh)
 	go grcc.Run(1, stopCh)
 	go pvgen.Run(1, stopCh)
+	go openApiSync.Run(1, stopCh)

 	// verifys if the admission control is enabled and active
 	// resync: 60 seconds
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@ -5,6 +5,8 @@ import (
 	"strings"
 	"time"

+	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
+
 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	apps "k8s.io/api/apps/v1"
@ -215,6 +217,7 @@ func convertToCSR(obj *unstructured.Unstructured) (*certificates.CertificateSign
 type IDiscovery interface {
 	GetGVRFromKind(kind string) schema.GroupVersionResource
 	GetServerVersion() (*version.Info, error)
+	OpenAPISchema() (*openapi_v2.Document, error)
 }

 // SetDiscovery sets the discovery client implementation
@ -246,6 +249,10 @@ func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struc
 	}
 }

+func (c ServerPreferredResources) OpenAPISchema() (*openapi_v2.Document, error) {
+	return c.cachedClient.OpenAPISchema()
+}
+
 //GetGVRFromKind get the Group Version Resource from kind
 // if kind is not found in first attempt we invalidate the cache,
 // the retry will then fetch the new registered resources and check again
--- a/pkg/dclient/utils.go
+++ b/pkg/dclient/utils.go
@ -3,6 +3,8 @@ package client
 import (
 	"strings"

+	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
+
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@ -74,6 +76,10 @@ func (c *fakeDiscoveryClient) GetGVRFromKind(kind string) schema.GroupVersionRes
 	return c.getGVR(resource)
 }

+func (c *fakeDiscoveryClient) OpenAPISchema() (*openapi_v2.Document, error) {
+	return nil, nil
+}
+
 func newUnstructured(apiVersion, kind, namespace, name string) *unstructured.Unstructured {
 	return &unstructured.Unstructured{
 		Object: map[string]interface{}{
--- a/pkg/engine/forceMutate.go
+++ b/pkg/engine/forceMutate.go
@ -0,0 +1,107 @@
+package engine
+
+import (
+	"encoding/json"
+	"fmt"
+	"regexp"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/engine/context"
+	"github.com/nirmata/kyverno/pkg/engine/mutate"
+	"github.com/nirmata/kyverno/pkg/engine/response"
+	"github.com/nirmata/kyverno/pkg/engine/utils"
+	"github.com/nirmata/kyverno/pkg/engine/variables"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func mutateResourceWithOverlay(resource unstructured.Unstructured, overlay interface{}) (unstructured.Unstructured, error) {
+	patches, err := mutate.MutateResourceWithOverlay(resource.UnstructuredContent(), overlay)
+	if err != nil {
+		return unstructured.Unstructured{}, err
+	}
+	if len(patches) == 0 {
+		return resource, nil
+	}
+
+	// convert to RAW
+	resourceRaw, err := resource.MarshalJSON()
+	if err != nil {
+		return unstructured.Unstructured{}, err
+	}
+
+	var patchResource []byte
+	patchResource, err = utils.ApplyPatches(resourceRaw, patches)
+	if err != nil {
+		return unstructured.Unstructured{}, err
+	}
+
+	resource = unstructured.Unstructured{}
+	err = resource.UnmarshalJSON(patchResource)
+	if err != nil {
+		return unstructured.Unstructured{}, err
+	}
+
+	return resource, nil
+}
+
+// ForceMutate does not check any conditions, it simply mutates the given resource
+func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (unstructured.Unstructured, error) {
+	var err error
+	for _, rule := range policy.Spec.Rules {
+		if !rule.HasMutate() {
+			continue
+		}
+
+		mutation := rule.Mutation.DeepCopy()
+
+		if mutation.Overlay != nil {
+			overlay := mutation.Overlay
+			if ctx != nil {
+				if overlay, err = variables.SubstituteVars(ctx, overlay); err != nil {
+					return unstructured.Unstructured{}, err
+				}
+			} else {
+				overlay = replaceSubstituteVariables(overlay)
+			}
+
+			resource, err = mutateResourceWithOverlay(resource, overlay)
+			if err != nil {
+				return unstructured.Unstructured{}, fmt.Errorf("could not mutate resource with overlay on rule %v:%v", rule.Name, err)
+			}
+		}
+
+		if rule.Mutation.Patches != nil {
+			var resp response.RuleResponse
+			resp, resource = mutate.ProcessPatches(rule, resource)
+			if !resp.Success {
+				return unstructured.Unstructured{}, fmt.Errorf(resp.Message)
+			}
+		}
+	}
+
+	return resource, nil
+}
+
+func replaceSubstituteVariables(overlay interface{}) interface{} {
+	overlayRaw, err := json.Marshal(overlay)
+	if err != nil {
+		return overlay
+	}
+
+	regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`)
+	for {
+		if len(regex.FindAllStringSubmatch(string(overlayRaw), -1)) > 0 {
+			overlayRaw = regex.ReplaceAll(overlayRaw, []byte(`placeholderValue`))
+		} else {
+			break
+		}
+	}
+
+	var output interface{}
+	err = json.Unmarshal(overlayRaw, &output)
+	if err != nil {
+		return overlay
+	}
+
+	return output
+}
--- a/pkg/engine/mutate/overlay.go
+++ b/pkg/engine/mutate/overlay.go
@ -116,7 +116,7 @@ func processOverlayPatches(resource, overlay interface{}) ([][]byte, overlayErro
 		}
 	}

-	patchBytes, err := mutateResourceWithOverlay(resource, overlay)
+	patchBytes, err := MutateResourceWithOverlay(resource, overlay)
 	if err != nil {
 		return patchBytes, newOverlayError(overlayFailure, err.Error())
 	}
@ -124,8 +124,8 @@ func processOverlayPatches(resource, overlay interface{}) ([][]byte, overlayErro
 	return patchBytes, overlayError{}
 }

-// mutateResourceWithOverlay is a start of overlaying process
-func mutateResourceWithOverlay(resource, pattern interface{}) ([][]byte, error) {
+// MutateResourceWithOverlay is a start of overlaying process
+func MutateResourceWithOverlay(resource, pattern interface{}) ([][]byte, error) {
 	// It assumes that mutation is started from root, so "/" is passed
 	return applyOverlay(resource, pattern, "/")
 }
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@ -0,0 +1,112 @@
+package openapi
+
+import (
+	"encoding/json"
+	"time"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	"github.com/golang/glog"
+
+	"gopkg.in/yaml.v2"
+
+	"github.com/googleapis/gnostic/compiler"
+
+	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
+
+	client "github.com/nirmata/kyverno/pkg/dclient"
+	"k8s.io/apimachinery/pkg/util/wait"
+)
+
+type crdDefinition struct {
+	Spec struct {
+		Names struct {
+			Kind string `json:"kind"`
+		} `json:"names"`
+		Versions []struct {
+			Schema struct {
+				OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
+			} `json:"schema"`
+		} `json:"versions"`
+	} `json:"spec"`
+}
+
+type crdSync struct {
+	client *client.Client
+}
+
+func NewCRDSync(client *client.Client) *crdSync {
+	return &crdSync{
+		client: client,
+	}
+}
+
+func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
+	newDoc, err := c.client.DiscoveryClient.OpenAPISchema()
+	if err != nil {
+		glog.V(4).Infof("cannot get openapi schema: %v", err)
+	}
+
+	err = useOpenApiDocument(newDoc)
+	if err != nil {
+		glog.V(4).Infof("Could not set custom OpenApi document: %v\n", err)
+	}
+
+	for i := 0; i < workers; i++ {
+		go wait.Until(c.sync, time.Second*10, stopCh)
+	}
+	<-stopCh
+}
+
+func (c *crdSync) sync() {
+	openApiGlobalState.mutex.Lock()
+	defer openApiGlobalState.mutex.Unlock()
+
+	crds, err := c.client.ListResource("CustomResourceDefinition", "", nil)
+	if err != nil {
+		glog.V(4).Infof("could not fetch crd's from server: %v", err)
+		return
+	}
+
+	deleteCRDFromPreviousSync()
+
+	for _, crd := range crds.Items {
+		parseCRD(crd)
+	}
+}
+
+func deleteCRDFromPreviousSync() {
+	for _, crd := range openApiGlobalState.crdList {
+		delete(openApiGlobalState.kindToDefinitionName, crd)
+		delete(openApiGlobalState.definitions, crd)
+	}
+
+	openApiGlobalState.crdList = []string{}
+}
+
+func parseCRD(crd unstructured.Unstructured) {
+	var crdDefinition crdDefinition
+	crdRaw, _ := json.Marshal(crd.Object)
+	_ = json.Unmarshal(crdRaw, &crdDefinition)
+
+	crdName := crdDefinition.Spec.Names.Kind
+	if len(crdDefinition.Spec.Versions) < 1 {
+		glog.V(4).Infof("could not parse crd schema, no versions present")
+		return
+	}
+
+	var schema yaml.MapSlice
+	schemaRaw, _ := json.Marshal(crdDefinition.Spec.Versions[0].Schema.OpenAPIV3Schema)
+	_ = yaml.Unmarshal(schemaRaw, &schema)
+
+	parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil))
+	if err != nil {
+		glog.V(4).Infof("could not parse crd schema:%v", err)
+		return
+	}
+
+	openApiGlobalState.crdList = append(openApiGlobalState.crdList, crdName)
+
+	openApiGlobalState.kindToDefinitionName[crdName] = crdName
+	openApiGlobalState.definitions[crdName] = parsedSchema
+}
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@ -0,0 +1,240 @@
+package openapi
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/nirmata/kyverno/data"
+
+	"github.com/golang/glog"
+
+	"github.com/nirmata/kyverno/pkg/engine"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+
+	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
+	"github.com/googleapis/gnostic/compiler"
+	"k8s.io/kube-openapi/pkg/util/proto"
+	"k8s.io/kube-openapi/pkg/util/proto/validation"
+
+	"gopkg.in/yaml.v2"
+)
+
+var openApiGlobalState struct {
+	mutex                sync.RWMutex
+	document             *openapi_v2.Document
+	definitions          map[string]*openapi_v2.Schema
+	kindToDefinitionName map[string]string
+	crdList              []string
+	models               proto.Models
+}
+
+func init() {
+	defaultDoc, err := getSchemaDocument()
+	if err != nil {
+		panic(err)
+	}
+
+	err = useOpenApiDocument(defaultDoc)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+
+	var kindToRules = make(map[string][]v1.Rule)
+	for _, rule := range policy.Spec.Rules {
+		if rule.HasMutate() {
+			rule.MatchResources = v1.MatchResources{
+				UserInfo: v1.UserInfo{},
+				ResourceDescription: v1.ResourceDescription{
+					Kinds: rule.MatchResources.Kinds,
+				},
+			}
+			rule.ExcludeResources = v1.ExcludeResources{}
+			for _, kind := range rule.MatchResources.Kinds {
+				kindToRules[kind] = append(kindToRules[kind], rule)
+			}
+		}
+	}
+
+	for kind, rules := range kindToRules {
+		newPolicy := *policy.DeepCopy()
+		newPolicy.Spec.Rules = rules
+		resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})
+		if resource == nil {
+			glog.V(4).Infof("Cannot Validate policy: openApi definition now found for %v", kind)
+			return nil
+		}
+		newResource := unstructured.Unstructured{Object: resource}
+		newResource.SetKind(kind)
+
+		patchedResource, err := engine.ForceMutate(nil, *newPolicy.DeepCopy(), newResource)
+		if err != nil {
+			return err
+		}
+		err = ValidateResource(*patchedResource.DeepCopy(), kind)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+	var err error
+
+	kind = openApiGlobalState.kindToDefinitionName[kind]
+	schema := openApiGlobalState.models.LookupModel(kind)
+	if schema == nil {
+		schema, err = getSchemaFromDefinitions(kind)
+		if err != nil || schema == nil {
+			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
+		}
+		delete(patchedResource.Object, "kind")
+	}
+
+	if errs := validation.ValidateModel(patchedResource.UnstructuredContent(), schema, kind); len(errs) > 0 {
+		var errorMessages []string
+		for i := range errs {
+			errorMessages = append(errorMessages, errs[i].Error())
+		}
+
+		return fmt.Errorf(strings.Join(errorMessages, "\n\n"))
+	}
+
+	return nil
+}
+
+func useOpenApiDocument(customDoc *openapi_v2.Document) error {
+	openApiGlobalState.mutex.Lock()
+	defer openApiGlobalState.mutex.Unlock()
+
+	openApiGlobalState.document = customDoc
+
+	openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema)
+	openApiGlobalState.kindToDefinitionName = make(map[string]string)
+	for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties {
+		openApiGlobalState.definitions[definition.GetName()] = definition.GetValue()
+		path := strings.Split(definition.GetName(), ".")
+		openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
+	}
+
+	var err error
+	openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func getSchemaDocument() (*openapi_v2.Document, error) {
+	var spec yaml.MapSlice
+	err := yaml.Unmarshal([]byte(data.SwaggerDoc), &spec)
+	if err != nil {
+		return nil, err
+	}
+
+	return openapi_v2.NewDocument(spec, compiler.NewContext("$root", nil))
+}
+
+// For crd, we do not store definition in document
+func getSchemaFromDefinitions(kind string) (proto.Schema, error) {
+	path := proto.NewPath(kind)
+	return (&proto.Definitions{}).ParseSchema(openApiGlobalState.definitions[kind], &path)
+}
+
+func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {
+
+	types := kindSchema.GetType().GetValue()
+
+	if kindSchema.GetXRef() != "" {
+		return generateEmptyResource(openApiGlobalState.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")])
+	}
+
+	if len(types) != 1 {
+		if len(kindSchema.GetProperties().GetAdditionalProperties()) > 0 {
+			types = []string{"object"}
+		} else {
+			return nil
+		}
+	}
+
+	switch types[0] {
+	case "object":
+		var props = make(map[string]interface{})
+		properties := kindSchema.GetProperties().GetAdditionalProperties()
+		if len(properties) == 0 {
+			return props
+		}
+
+		var wg sync.WaitGroup
+		var mutex sync.Mutex
+		wg.Add(len(properties))
+		for _, property := range properties {
+			go func(property *openapi_v2.NamedSchema) {
+				prop := generateEmptyResource(property.GetValue())
+				mutex.Lock()
+				props[property.GetName()] = prop
+				mutex.Unlock()
+				wg.Done()
+			}(property)
+		}
+		wg.Wait()
+		return props
+	case "array":
+		var array []interface{}
+		for _, schema := range kindSchema.GetItems().GetSchema() {
+			array = append(array, generateEmptyResource(schema))
+		}
+		return array
+	case "string":
+		if kindSchema.GetDefault() != nil {
+			return string(kindSchema.GetDefault().Value.Value)
+		}
+		if kindSchema.GetExample() != nil {
+			return string(kindSchema.GetExample().GetValue().Value)
+		}
+		return ""
+	case "integer":
+		if kindSchema.GetDefault() != nil {
+			val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value))
+			return int64(val)
+		}
+		if kindSchema.GetExample() != nil {
+			val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value))
+			return int64(val)
+		}
+		return int64(0)
+	case "number":
+		if kindSchema.GetDefault() != nil {
+			val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value))
+			return int64(val)
+		}
+		if kindSchema.GetExample() != nil {
+			val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value))
+			return int64(val)
+		}
+		return int64(0)
+	case "boolean":
+		if kindSchema.GetDefault() != nil {
+			return string(kindSchema.GetDefault().Value.Value) == "true"
+		}
+		if kindSchema.GetExample() != nil {
+			return string(kindSchema.GetExample().GetValue().Value) == "true"
+		}
+		return false
+	}
+
+	return nil
+}
--- a/pkg/openapi/validation_test.go
+++ b/pkg/openapi/validation_test.go
@ -0,0 +1,65 @@
+package openapi
+
+import (
+	"encoding/json"
+	"testing"
+
+	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+)
+
+func Test_ValidateMutationPolicy(t *testing.T) {
+
+	tcs := []struct {
+		description string
+		policy      []byte
+		errMessage  string
+	}{
+		{
+			description: "Policy with mutating imagePullPolicy Overlay",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-image-pull-policy-2"},"spec":{"rules":[{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"Always"}]}}}}]}}`),
+		},
+		{
+			description: "Policy with mutating imagePullPolicy Overlay, field does not exist",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-image-pull-policy-2"},"spec":{"rules":[{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","nonExistantField":"Always"}]}}}}]}}`),
+			errMessage:  `ValidationError(io.k8s.api.core.v1.Pod.spec.containers[0]): unknown field "nonExistantField" in io.k8s.api.core.v1.Container`,
+		},
+		{
+			description: "Policy with mutating imagePullPolicy Overlay, type of value is different (does not throw error since all numbers are also strings according to swagger)",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-image-pull-policy-2"},"spec":{"rules":[{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":80}]}}}}]}}`),
+		},
+		{
+			description: "Policy with patches",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"policy-endpoints"},"spec":{"rules":[{"name":"pEP","match":{"resources":{"kinds":["Endpoints"],"selector":{"matchLabels":{"label":"test"}}}},"mutate":{"patches":[{"path":"/subsets/0/ports/0/port","op":"replace","value":9663},{"path":"/metadata/labels/isMutated","op":"add","value":"true"}]}}]}}`),
+		},
+		{
+			description: "Policy with patches, value converted from number to string",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"policy-endpoints"},"spec":{"rules":[{"name":"pEP","match":{"resources":{"kinds":["Endpoints"],"selector":{"matchLabels":{"label":"test"}}}},"mutate":{"patches":[{"path":"/subsets/0/ports/0/port","op":"replace","value":"9663"},{"path":"/metadata/labels/isMutated","op":"add","value":"true"}]}}]}}`),
+			errMessage:  `ValidationError(io.k8s.api.core.v1.Endpoints.subsets[0].ports[0].port): invalid type for io.k8s.api.core.v1.EndpointPort.port: got "string", expected "integer"`,
+		},
+		{
+			description: "Policy where boolean is been converted to number",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"mutate-pod-disable-automoutingapicred"},"spec":{"rules":[{"name":"pod-disable-automoutingapicred","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"(serviceAccountName)":"*","automountServiceAccountToken":80}}}}]}}`),
+			errMessage:  `ValidationError(io.k8s.api.core.v1.Pod.spec.automountServiceAccountToken): invalid type for io.k8s.api.core.v1.PodSpec.automountServiceAccountToken: got "integer", expected "boolean"`,
+		},
+		{
+			description: "Dealing with nested variables",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"add-ns-access-controls","annotations":{"policies.kyverno.io/category":"Workload Isolation","policies.kyverno.io/description":"Create roles and role bindings for a new namespace"}},"spec":{"background":false,"rules":[{"name":"add-sa-annotation","match":{"resources":{"kinds":["Namespace"]}},"mutate":{"overlay":{"metadata":{"annotations":{"nirmata.io/ns-creator":"{{serviceAccountName-{{something}}}}"}}}}},{"name":"generate-owner-role","match":{"resources":{"kinds":["Namespace"]}},"preconditions":[{"key":"{{request.userInfo.username}}","operator":"NotEqual","value":""},{"key":"{{serviceAccountName}}","operator":"NotEqual","value":""},{"key":"{{serviceAccountNamespace}}","operator":"NotEqual","value":""}],"generate":{"kind":"ClusterRole","name":"ns-owner-{{request.object.metadata.name{{something}}}}-{{request.userInfo.username}}","data":{"metadata":{"annotations":{"nirmata.io/ns-creator":"{{serviceAccountName}}"}},"rules":[{"apiGroups":[""],"resources":["namespaces"],"verbs":["delete"],"resourceNames":["{{request.object.metadata.name}}"]}]}}},{"name":"generate-owner-role-binding","match":{"resources":{"kinds":["Namespace"]}},"preconditions":[{"key":"{{request.userInfo.username}}","operator":"NotEqual","value":""},{"key":"{{serviceAccountName}}","operator":"NotEqual","value":""},{"key":"{{serviceAccountNamespace}}","operator":"NotEqual","value":""}],"generate":{"kind":"ClusterRoleBinding","name":"ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding","data":{"metadata":{"annotations":{"nirmata.io/ns-creator":"{{serviceAccountName}}"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}"},"subjects":[{"kind":"ServiceAccount","name":"{{serviceAccountName}}","namespace":"{{serviceAccountNamespace}}"}]}}},{"name":"generate-admin-role-binding","match":{"resources":{"kinds":["Namespace"]}},"preconditions":[{"key":"{{request.userInfo.username}}","operator":"NotEqual","value":""},{"key":"{{serviceAccountName}}","operator":"NotEqual","value":""},{"key":"{{serviceAccountNamespace}}","operator":"NotEqual","value":""}],"generate":{"kind":"RoleBinding","name":"ns-admin-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding","namespace":"{{request.object.metadata.name}}","data":{"metadata":{"annotations":{"nirmata.io/ns-creator":"{{serviceAccountName}}"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"kind":"ServiceAccount","name":"{{serviceAccountName}}","namespace":"{{serviceAccountNamespace}}"}]}}}]}}`),
+		},
+	}
+
+	for i, tc := range tcs {
+		policy := v1.ClusterPolicy{}
+		_ = json.Unmarshal(tc.policy, &policy)
+
+		var errMessage string
+		err := ValidatePolicyMutation(policy)
+		if err != nil {
+			errMessage = err.Error()
+		}
+
+		if errMessage != tc.errMessage {
+			t.Errorf("\nTestcase [%v] failed:\nExpected Error:  %v\nGot Error:  %v", i+1, tc.errMessage, errMessage)
+		}
+	}
+
+}
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -8,6 +8,8 @@ import (
 	"strconv"
 	"strings"

+	"github.com/nirmata/kyverno/pkg/openapi"
+
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	rbacv1 "k8s.io/api/rbac/v1"
@ -80,6 +82,10 @@ func Validate(p kyverno.ClusterPolicy) error {
 		}
 	}

+	if err := openapi.ValidatePolicyMutation(p); err != nil {
+		return err
+	}
+
 	return nil
 }

--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@ -3,6 +3,8 @@ package webhooks
 import (
 	"time"

+	"github.com/nirmata/kyverno/pkg/openapi"
+
 	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@ -101,6 +103,11 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
 			continue
 		}
+		err := openapi.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind())
+		if err != nil {
+			glog.V(4).Infoln(err)
+			continue
+		}
 		// gather patches
 		patches = append(patches, engineResponse.GetPatches()...)
 		glog.V(4).Infof("Mutation from policy %s has applied successfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())