mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00

refactor: stop recording json patches but generate them on demand (part 1) (#7394)

* refactor: stop recording json patches but generate them on demand

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* changed lib

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix verify images

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* image verif tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* unit tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Charles-Edouard Brétéché 2023-06-05 14:33:23 +02:00 committed by GitHub
parent ff7cda2694
commit 6bc3761b7a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 162 additions and 153 deletions


@ -263,7 +263,7 @@ func addAnnotation(policy kyvernov1.PolicyInterface, patched *unstructured.Unstr
patchedNew = patched
var rulePatches []utils.RulePatch
for _, patch := range r.Patches() {
for _, patch := range r.DeprecatedPatches() {
rulePatches = append(rulePatches, utils.RulePatch{
RuleName: r.Name(),
Op: patch.Operation,


@ -155,9 +155,17 @@ func (er EngineResponse) IsValidatingAdmissionPolicy() bool {
// GetPatches returns all the patches joined
func (er EngineResponse) GetPatches() []jsonpatch.JsonPatchOperation {
var patches []jsonpatch.JsonPatchOperation
for _, r := range er.PolicyResponse.Rules {
patches = append(patches, r.Patches()...)
originalBytes, err := er.Resource.MarshalJSON()
if err != nil {
return nil
}
patchedBytes, err := er.PatchedResource.MarshalJSON()
if err != nil {
return nil
}
patches, err := jsonpatch.CreatePatch(originalBytes, patchedBytes)
if err != nil {
return nil
}
return patches
}
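Review bot: All three error branches in the new `GetPatches` body return `nil`, which a caller cannot tell apart from "no mutation needed", so a marshalling or diff failure would silently drop the mutation instead of surfacing it. Because the signature only returns `[]jsonpatch.JsonPatchOperation`, either change it to `([]jsonpatch.JsonPatchOperation, error)` so the caller can decide how to fail, or at minimum log the error before returning. The result also now depends on both `er.Resource` and `er.PatchedResource` being populated; a response built without `PatchedResource` would presumably be diffed against an empty object, so that precondition deserves a guard or a comment. The doc comment is stale too; something like `// GetPatches computes the JSON patch from Resource to PatchedResource; it returns nil if either cannot be marshalled or the diff fails.` would match the new behaviour.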


@ -5,7 +5,6 @@ import (
"testing"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/mattbaird/jsonpatch"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
@ -908,110 +907,110 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
}
}
func TestEngineResponse_GetPatches(t *testing.T) {
type fields struct {
PatchedResource unstructured.Unstructured
Policy kyvernov1.PolicyInterface
PolicyResponse PolicyResponse
namespaceLabels map[string]string
}
tests := []struct {
name string
fields fields
want []jsonpatch.JsonPatchOperation
}{{}, {
fields: fields{
PolicyResponse: PolicyResponse{
Rules: nil,
},
},
}, {
fields: fields{
PolicyResponse: PolicyResponse{
Rules: []RuleResponse{},
},
},
}, {
fields: fields{
PolicyResponse: PolicyResponse{
Rules: []RuleResponse{{}},
},
},
}, {
fields: fields{
PolicyResponse: PolicyResponse{
Rules: []RuleResponse{
{},
*RuleResponse{}.WithPatches([]jsonpatch.JsonPatchOperation{{
Operation: "add",
Path: "/1",
Value: 0,
}, {
Operation: "add",
Path: "/2",
Value: 1,
}}...),
},
},
},
want: []jsonpatch.JsonPatchOperation{{
Operation: "add",
Path: "/1",
Value: 0,
}, {
Operation: "add",
Path: "/2",
Value: 1,
}},
}, {
fields: fields{
PolicyResponse: PolicyResponse{
Rules: []RuleResponse{
{},
*RuleResponse{}.WithPatches([]jsonpatch.JsonPatchOperation{{
Operation: "add",
Path: "/1",
Value: 0,
}, {
Operation: "add",
Path: "/2",
Value: 1,
}}...),
*RuleResponse{}.WithPatches([]jsonpatch.JsonPatchOperation{{
Operation: "add",
Path: "/3",
Value: 2,
}}...),
},
},
},
want: []jsonpatch.JsonPatchOperation{{
Operation: "add",
Path: "/1",
Value: 0,
}, {
Operation: "add",
Path: "/2",
Value: 1,
}, {
Operation: "add",
Path: "/3",
Value: 2,
}},
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
er := EngineResponse{
PatchedResource: tt.fields.PatchedResource,
PolicyResponse: tt.fields.PolicyResponse,
namespaceLabels: tt.fields.namespaceLabels,
}.WithPolicy(tt.fields.Policy)
if got := er.GetPatches(); !reflect.DeepEqual(got, tt.want) {
t.Errorf("EngineResponse.GetPatches() = %v, want %v", got, tt.want)
}
})
}
}
// func TestEngineResponse_GetPatches(t *testing.T) {
// type fields struct {
// PatchedResource unstructured.Unstructured
// Policy kyvernov1.PolicyInterface
// PolicyResponse PolicyResponse
// namespaceLabels map[string]string
// }
// tests := []struct {
// name string
// fields fields
// want []jsonpatch.JsonPatchOperation
// }{{}, {
// fields: fields{
// PolicyResponse: PolicyResponse{
// Rules: nil,
// },
// },
// }, {
// fields: fields{
// PolicyResponse: PolicyResponse{
// Rules: []RuleResponse{},
// },
// },
// }, {
// fields: fields{
// PolicyResponse: PolicyResponse{
// Rules: []RuleResponse{{}},
// },
// },
// }, {
// fields: fields{
// PolicyResponse: PolicyResponse{
// Rules: []RuleResponse{
// {},
// *RuleResponse{}.WithPatches([]jsonpatch.JsonPatchOperation{{
// Operation: "add",
// Path: "/1",
// Value: 0,
// }, {
// Operation: "add",
// Path: "/2",
// Value: 1,
// }}...),
// },
// },
// },
// want: []jsonpatch.JsonPatchOperation{{
// Operation: "add",
// Path: "/1",
// Value: 0,
// }, {
// Operation: "add",
// Path: "/2",
// Value: 1,
// }},
// }, {
// fields: fields{
// PolicyResponse: PolicyResponse{
// Rules: []RuleResponse{
// {},
// *RuleResponse{}.WithPatches([]jsonpatch.JsonPatchOperation{{
// Operation: "add",
// Path: "/1",
// Value: 0,
// }, {
// Operation: "add",
// Path: "/2",
// Value: 1,
// }}...),
// *RuleResponse{}.WithPatches([]jsonpatch.JsonPatchOperation{{
// Operation: "add",
// Path: "/3",
// Value: 2,
// }}...),
// },
// },
// },
// want: []jsonpatch.JsonPatchOperation{{
// Operation: "add",
// Path: "/1",
// Value: 0,
// }, {
// Operation: "add",
// Path: "/2",
// Value: 1,
// }, {
// Operation: "add",
// Path: "/3",
// Value: 2,
// }},
// }}
// for _, tt := range tests {
// t.Run(tt.name, func(t *testing.T) {
// er := EngineResponse{
// PatchedResource: tt.fields.PatchedResource,
// PolicyResponse: tt.fields.PolicyResponse,
// namespaceLabels: tt.fields.namespaceLabels,
// }.WithPolicy(tt.fields.Policy)
// if got := er.GetPatches(); !reflect.DeepEqual(got, tt.want) {
// t.Errorf("EngineResponse.GetPatches() = %v, want %v", got, tt.want)
// }
// })
// }
// }
func TestEngineResponse_GetResourceSpec(t *testing.T) {
namespacedResource := unstructured.Unstructured{}
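Review bot: `TestEngineResponse_GetPatches` is commented out wholesale rather than rewritten, which leaves the new diff-based `GetPatches` with no unit coverage in this file and about a hundred lines of dead code behind. Replace it with table cases that set `Resource` and `PatchedResource` on the `EngineResponse` and assert the generated operations, including identical resources (expect no patches) and the zero-value response. If the rewrite is deferred to a later part of the refactor, delete the block and leave a single `// TODO: cover GetPatches with Resource/PatchedResource fixtures` instead. `TestEngineResponse_GetResourceSpec`, where the section ends, continues outside the hunk.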


@ -137,7 +137,7 @@ func (r *RuleResponse) GeneratedResource() unstructured.Unstructured {
return r.generatedResource
}
func (r *RuleResponse) Patches() []jsonpatch.JsonPatchOperation {
func (r *RuleResponse) DeprecatedPatches() []jsonpatch.JsonPatchOperation {
return r.patches
}


@ -141,8 +141,10 @@ func (e *engine) VerifyAndPatchImages(
ivm := engineapi.ImageVerificationMetadata{}
logger := internal.LoggerWithPolicyContext(logging.WithName("engine.verify"), policyContext)
if internal.MatchPolicyContext(logger, policyContext, e.configuration) {
policyResponse, innerIvm := e.verifyAndPatchImages(ctx, logger, policyContext)
response, ivm = response.WithPolicyResponse(policyResponse), innerIvm
policyResponse, patchedResource, innerIvm := e.verifyAndPatchImages(ctx, logger, policyContext)
response, ivm = response.
WithPolicyResponse(policyResponse).
WithPatchedResource(patchedResource), innerIvm
}
response = response.WithStats(engineapi.NewExecutionStats(startTime, time.Now()))
e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), response)


@ -79,7 +79,7 @@ func (h mutateImageHandler) Process(
}
var patches []jsonpatch.JsonPatchOperation
for _, response := range engineResponses {
patches = append(patches, response.Patches()...)
patches = append(patches, response.DeprecatedPatches()...)
}
if len(patches) != 0 {
patch := jsonutils.JoinPatches(patch.ConvertPatches(patches...)...)


@ -11,13 +11,14 @@ import (
"github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/handlers/mutation"
"github.com/kyverno/kyverno/pkg/engine/internal"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
func (e *engine) verifyAndPatchImages(
ctx context.Context,
logger logr.Logger,
policyContext engineapi.PolicyContext,
) (engineapi.PolicyResponse, engineapi.ImageVerificationMetadata) {
) (engineapi.PolicyResponse, unstructured.Unstructured, engineapi.ImageVerificationMetadata) {
resp := engineapi.NewPolicyResponse()
policy := policyContext.Policy()
matchedResource := policyContext.NewResource()
@ -59,6 +60,5 @@ func (e *engine) verifyAndPatchImages(
break
}
}
// TODO: it doesn't make sense to not return the patched resource here
return resp, ivm
return resp, matchedResource, ivm
}
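Review bot: The new second result is returned as `matchedResource`, but the loop that applies each rule's image patches sits between the two hunks and is not visible, so it cannot be confirmed from here that this variable holds the patched object at `return resp, matchedResource, ivm`. If it is not reassigned after each rule, the `WithPatchedResource` call in `VerifyAndPatchImages` would receive the unpatched resource and an on-demand diff would come out empty, dropping the image mutation. Worth confirming against the full function body. Renaming the local to `patchedResource`, or adding a doc comment such as `// verifyAndPatchImages returns the policy response, the resource after image patches, and the image verification metadata.`, would make the contract of the three unnamed results explicit.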


@ -480,8 +480,8 @@ func Test_SignatureGoodSigned(t *testing.T) {
engineResp, _ := testVerifyAndPatchImages(context.TODO(), registryclient.NewOrDie(), nil, policyContext, cfg)
assert.Equal(t, len(engineResp.PolicyResponse.Rules), 1)
assert.Equal(t, engineResp.PolicyResponse.Rules[0].Status(), engineapi.RuleStatusPass, engineResp.PolicyResponse.Rules[0].Message())
assert.Equal(t, len(engineResp.PolicyResponse.Rules[0].Patches()), 1)
patch := engineResp.PolicyResponse.Rules[0].Patches()[0]
assert.Equal(t, len(engineResp.PolicyResponse.Rules[0].DeprecatedPatches()), 1)
patch := engineResp.PolicyResponse.Rules[0].DeprecatedPatches()[0]
assert.Equal(t, patch.Json(), "{\"op\":\"replace\",\"path\":\"/spec/containers/0/image\",\"value\":\"ghcr.io/kyverno/test-verify-image:signed@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105\"}")
}


@ -69,7 +69,7 @@ func TestProcessPatches_EmptyPatches(t *testing.T) {
rr, _ := applyPatches(emptyRule, *resourceUnstructured)
assert.Equal(t, rr.Status(), engineapi.RuleStatusError)
assert.Assert(t, len(rr.Patches()) == 0)
assert.Assert(t, len(rr.DeprecatedPatches()) == 0)
}
func makeAddIsMutatedLabelPatch() jsonPatch {
@ -103,14 +103,14 @@ func TestProcessPatches_EmptyDocument(t *testing.T) {
rule := makeRuleWithPatch(t, makeAddIsMutatedLabelPatch())
rr, _ := applyPatches(rule, unstructured.Unstructured{})
assert.Equal(t, rr.Status(), engineapi.RuleStatusError)
assert.Assert(t, len(rr.Patches()) == 0)
assert.Assert(t, len(rr.DeprecatedPatches()) == 0)
}
func TestProcessPatches_AllEmpty(t *testing.T) {
emptyRule := &types.Rule{}
rr, _ := applyPatches(emptyRule, unstructured.Unstructured{})
assert.Equal(t, rr.Status(), engineapi.RuleStatusError)
assert.Assert(t, len(rr.Patches()) == 0)
assert.Assert(t, len(rr.DeprecatedPatches()) == 0)
}
func TestProcessPatches_AddPathDoesntExist(t *testing.T) {
@ -123,7 +123,7 @@ func TestProcessPatches_AddPathDoesntExist(t *testing.T) {
}
rr, _ := applyPatches(rule, *resourceUnstructured)
assert.Equal(t, rr.Status(), engineapi.RuleStatusSkip)
assert.Assert(t, len(rr.Patches()) == 0)
assert.Assert(t, len(rr.DeprecatedPatches()) == 0)
}
func TestProcessPatches_RemovePathDoesntExist(t *testing.T) {
@ -135,7 +135,7 @@ func TestProcessPatches_RemovePathDoesntExist(t *testing.T) {
}
rr, _ := applyPatches(rule, *resourceUnstructured)
assert.Equal(t, rr.Status(), engineapi.RuleStatusSkip)
assert.Assert(t, len(rr.Patches()) == 0)
assert.Assert(t, len(rr.DeprecatedPatches()) == 0)
}
func TestProcessPatches_AddAndRemovePathsDontExist_EmptyResult(t *testing.T) {
@ -148,7 +148,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_EmptyResult(t *testing.T) {
}
rr, _ := applyPatches(rule, *resourceUnstructured)
assert.Equal(t, rr.Status(), engineapi.RuleStatusPass)
assert.Equal(t, len(rr.Patches()), 1)
assert.Equal(t, len(rr.DeprecatedPatches()), 1)
}
func TestProcessPatches_AddAndRemovePathsDontExist_ContinueOnError_NotEmptyResult(t *testing.T) {
@ -163,8 +163,8 @@ func TestProcessPatches_AddAndRemovePathsDontExist_ContinueOnError_NotEmptyResul
rr, _ := applyPatches(rule, *resourceUnstructured)
assert.Equal(t, rr.Status(), engineapi.RuleStatusPass)
assert.Assert(t, len(rr.Patches()) != 0)
assertEqStringAndData(t, `{"path":"/metadata/labels/label3","op":"add","value":"label3Value"}`, []byte(rr.Patches()[0].Json()))
assert.Assert(t, len(rr.DeprecatedPatches()) != 0)
assertEqStringAndData(t, `{"path":"/metadata/labels/label3","op":"add","value":"label3Value"}`, []byte(rr.DeprecatedPatches()[0].Json()))
}
func TestProcessPatches_RemovePathDoesntExist_EmptyResult(t *testing.T) {
@ -176,7 +176,7 @@ func TestProcessPatches_RemovePathDoesntExist_EmptyResult(t *testing.T) {
}
rr, _ := applyPatches(rule, *resourceUnstructured)
assert.Equal(t, rr.Status(), engineapi.RuleStatusSkip)
assert.Assert(t, len(rr.Patches()) == 0)
assert.Assert(t, len(rr.DeprecatedPatches()) == 0)
}
func TestProcessPatches_RemovePathDoesntExist_NotEmptyResult(t *testing.T) {
@ -189,8 +189,8 @@ func TestProcessPatches_RemovePathDoesntExist_NotEmptyResult(t *testing.T) {
}
rr, _ := applyPatches(rule, *resourceUnstructured)
assert.Equal(t, rr.Status(), engineapi.RuleStatusPass)
assert.Assert(t, len(rr.Patches()) == 1)
assertEqStringAndData(t, `{"path":"/metadata/labels/label2","op":"add","value":"label2Value"}`, []byte(rr.Patches()[0].Json()))
assert.Assert(t, len(rr.DeprecatedPatches()) == 1)
assertEqStringAndData(t, `{"path":"/metadata/labels/label2","op":"add","value":"label2Value"}`, []byte(rr.DeprecatedPatches()[0].Json()))
}
func assertEqStringAndData(t *testing.T, str string, data []byte) {


@ -120,9 +120,9 @@ func Test_VariableSubstitutionPatchStrategicMerge(t *testing.T) {
t.Log(string(expectedPatch))
assert.Equal(t, len(er.PolicyResponse.Rules), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[0].Patches()), 1)
t.Log(er.PolicyResponse.Rules[0].Patches()[0].Json())
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches()[0].Json()) {
assert.Equal(t, len(er.PolicyResponse.Rules[0].DeprecatedPatches()), 1)
t.Log(er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json())
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json()) {
t.Error("patches dont match")
}
}
@ -291,10 +291,10 @@ func Test_variableSubstitutionCLI(t *testing.T) {
),
)
assert.Equal(t, len(er.PolicyResponse.Rules), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[0].Patches()), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[0].DeprecatedPatches()), 1)
t.Log(string(expectedPatch))
t.Log(er.PolicyResponse.Rules[0].Patches()[0].Json())
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches()[0].Json()) {
t.Log(er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json())
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json()) {
t.Error("patches don't match")
}
}
@ -398,11 +398,11 @@ func Test_chained_rules(t *testing.T) {
assert.Equal(t, containers[0].(map[string]interface{})["image"], "otherregistry.corp.com/foo/bash:5.0")
assert.Equal(t, len(er.PolicyResponse.Rules), 2)
assert.Equal(t, len(er.PolicyResponse.Rules[0].Patches()), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[1].Patches()), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[0].DeprecatedPatches()), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[1].DeprecatedPatches()), 1)
assert.Equal(t, er.PolicyResponse.Rules[0].Patches()[0].Json(), `{"op":"replace","path":"/spec/containers/0/image","value":"myregistry.corp.com/foo/bash:5.0"}`)
assert.Equal(t, er.PolicyResponse.Rules[1].Patches()[0].Json(), `{"op":"replace","path":"/spec/containers/0/image","value":"otherregistry.corp.com/foo/bash:5.0"}`)
assert.Equal(t, er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json(), `{"op":"replace","path":"/spec/containers/0/image","value":"myregistry.corp.com/foo/bash:5.0"}`)
assert.Equal(t, er.PolicyResponse.Rules[1].DeprecatedPatches()[0].Json(), `{"op":"replace","path":"/spec/containers/0/image","value":"otherregistry.corp.com/foo/bash:5.0"}`)
}
func Test_precondition(t *testing.T) {
@ -481,8 +481,8 @@ func Test_precondition(t *testing.T) {
er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, enginetest.ContextLoaderFactory(nil, nil))
t.Log(string(expectedPatch))
t.Log(er.PolicyResponse.Rules[0].Patches()[0].Json())
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches()[0].Json()) {
t.Log(er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json())
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json()) {
t.Error("patches don't match")
}
}
@ -577,8 +577,8 @@ func Test_nonZeroIndexNumberPatchesJson6902(t *testing.T) {
er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, enginetest.ContextLoaderFactory(nil, nil))
t.Log(string(expectedPatch))
t.Log(er.PolicyResponse.Rules[0].Patches()[0].Json())
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches()[0].Json()) {
t.Log(er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json())
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json()) {
t.Error("patches don't match")
}
}
@ -1140,7 +1140,7 @@ func Test_mutate_nested_foreach(t *testing.T) {
er := testApplyPolicyToResource(t, policyRaw, resourceRaw)
assert.Equal(t, len(er.PolicyResponse.Rules), 1)
assert.Equal(t, er.PolicyResponse.Rules[0].Status(), engineapi.RuleStatusPass)
assert.Equal(t, len(er.PolicyResponse.Rules[0].Patches()), 2)
assert.Equal(t, len(er.PolicyResponse.Rules[0].DeprecatedPatches()), 2)
tlsArr, _, err := unstructured.NestedSlice(er.PatchedResource.Object, "spec", "tls")
assert.NilError(t, err)
@ -1581,8 +1581,8 @@ func Test_mutate_existing_resources(t *testing.T) {
er := testMutate(context.TODO(), dclient, registryclient.NewOrDie(), policyContext, nil)
for _, rr := range er.PolicyResponse.Rules {
for i, p := range rr.Patches() {
assert.Equal(t, test.patches[i], p.Json(), "test %s failed:\nGot %s\nExpected: %s", test.name, rr.Patches()[i], test.patches[i])
for i, p := range rr.DeprecatedPatches() {
assert.Equal(t, test.patches[i], p.Json(), "test %s failed:\nGot %s\nExpected: %s", test.name, rr.DeprecatedPatches()[i], test.patches[i])
assert.Equal(t, rr.Status(), engineapi.RuleStatusPass, rr.Status())
}
}
@ -1685,13 +1685,13 @@ func Test_RuleSelectorMutate(t *testing.T) {
er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
assert.Equal(t, len(er.PolicyResponse.Rules), 2)
assert.Equal(t, len(er.PolicyResponse.Rules[0].Patches()), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[1].Patches()), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[0].DeprecatedPatches()), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[1].DeprecatedPatches()), 1)
if !reflect.DeepEqual(expectedPatch1, er.PolicyResponse.Rules[0].Patches()[0].Json()) {
if !reflect.DeepEqual(expectedPatch1, er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json()) {
t.Error("rule 1 patches dont match")
}
if !reflect.DeepEqual(expectedPatch2, er.PolicyResponse.Rules[1].Patches()[0].Json()) {
if !reflect.DeepEqual(expectedPatch2, er.PolicyResponse.Rules[1].DeprecatedPatches()[0].Json()) {
t.Errorf("rule 2 patches dont match")
}
@ -1700,9 +1700,9 @@ func Test_RuleSelectorMutate(t *testing.T) {
er = testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
assert.Equal(t, len(er.PolicyResponse.Rules), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[0].Patches()), 1)
assert.Equal(t, len(er.PolicyResponse.Rules[0].DeprecatedPatches()), 1)
if !reflect.DeepEqual(expectedPatch1, er.PolicyResponse.Rules[0].Patches()[0].Json()) {
if !reflect.DeepEqual(expectedPatch1, er.PolicyResponse.Rules[0].DeprecatedPatches()[0].Json()) {
t.Error("rule 1 patches dont match")
}
}


@ -130,7 +130,7 @@ func annotationFromEngineResponses(engineResponses []engineapi.EngineResponse, l
func annotationFromPolicyResponse(policyResponse engineapi.PolicyResponse, log logr.Logger) []RulePatch {
var RulePatches []RulePatch
for _, ruleInfo := range policyResponse.Rules {
for _, patch := range ruleInfo.Patches() {
for _, patch := range ruleInfo.DeprecatedPatches() {
rp := RulePatch{
RuleName: ruleInfo.Name(),
Op: patch.Operation,