Feature/print mutated policy (#1014)

* added printing mutation policy * added mutated method in common * improved yaml print * updated readme * small fix * small fix
2025-03-31 03:45:17 +00:00 · 2020-07-29 21:41:58 +05:30 · 2020-07-29 21:41:58 +05:30 · 7195b20e90
commit 7195b20e90
parent a7c3594f10
6 changed files with 188 additions and 136 deletions
--- a/documentation/kyverno-cli.md
+++ b/documentation/kyverno-cli.md
@ -54,6 +54,14 @@ Example:
 kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies
 ```

+Use the -o <yaml/json> flag to display the mutated policy.
+
+Example:
+```
+kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies -o yaml
+```
+
+
 #### Apply
 Applies policies on resources, and supports applying multiple policies on multiple resources in a single command.
 Also supports applying the given policies to an entire cluster. The current kubectl context will be used to access the cluster.
--- a/pkg/api/kyverno/v1/types.go
+++ b/pkg/api/kyverno/v1/types.go
@ -11,50 +11,49 @@ import (

 //GenerateRequest is a request to process generate rule
 type GenerateRequest struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
 	// Spec is the information to identify the generate request
-	Spec GenerateRequestSpec `json:"spec"`
+	Spec GenerateRequestSpec `json:"spec" yaml:"spec"`
 	// Status contains statistics related to generate request
-	Status GenerateRequestStatus `json:"status"`
+	Status GenerateRequestStatus `json:"status" yaml:"status"`
 }

 //GenerateRequestSpec stores the request specification
 type GenerateRequestSpec struct {
 	// Specifies the name of the policy
-	Policy string `json:"policy"`
+	Policy string `json:"policy" yaml:"policy"`
 	// ResourceSpec is the information to identify the generate request
-	Resource ResourceSpec `json:"resource"`
+	Resource ResourceSpec `json:"resource" yaml:"resource"`
 	// Context ...
-	Context GenerateRequestContext `json:"context"`
+	Context GenerateRequestContext `json:"context" yaml:"context"`
 }

 //GenerateRequestContext stores the context to be shared
 type GenerateRequestContext struct {
-	// UserRequestInfo ...
-	UserRequestInfo RequestInfo `json:"userInfo,omitempty"`
+	UserRequestInfo RequestInfo `json:"userInfo,omitempty" yaml:"userInfo,omitempty"`
 }

 // RequestInfo contains permission info carried in an admission request
 type RequestInfo struct {
 	// Roles is a list of possible role send the request
-	Roles []string `json:"roles"`
+	Roles []string `json:"roles" yaml:"roles"`
 	// ClusterRoles is a list of possible clusterRoles send the request
-	ClusterRoles []string `json:"clusterRoles"`
+	ClusterRoles []string `json:"clusterRoles" yaml:"clusterRoles"`
 	// UserInfo is the userInfo carried in the admission request
-	AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo"`
+	AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo" yaml:"userInfo"`
 }

 //GenerateRequestStatus stores the status of generated request
 type GenerateRequestStatus struct {
 	// State represents state of the generate request
-	State GenerateRequestState `json:"state"`
+	State GenerateRequestState `json:"state" yaml:"state"`
 	// Specifies request status message
 	// +optional
-	Message string `json:"message,omitempty"`
+	Message string `json:"message,omitempty" yaml:"message,omitempty"`
 	// This will track the resources that are generated by the generate Policy
 	// Will be used during clean up resources
-	GeneratedResources []ResourceSpec `json:"generatedResources,omitempty"`
+	GeneratedResources []ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"`
 }

 //GenerateRequestState defines the state of
@ -73,9 +72,9 @@ const (

 //GenerateRequestList stores the list of generate requests
 type GenerateRequestList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata"`
-	Items           []GenerateRequest `json:"items"`
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []GenerateRequest `json:"items" yaml:"items"`
 }

 // +genclient
@ -89,9 +88,9 @@ type ClusterPolicy Policy

 // ClusterPolicyList ...
 type ClusterPolicyList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata"`
-	Items           []ClusterPolicy `json:"items"`
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []ClusterPolicy `json:"items" yaml:"items"`
 }

 // +genclient
@ -105,9 +104,9 @@ type ClusterPolicyViolation PolicyViolationTemplate

 // ClusterPolicyViolationList ...
 type ClusterPolicyViolationList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata"`
-	Items           []ClusterPolicyViolation `json:"items"`
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []ClusterPolicyViolation `json:"items" yaml:"items"`
 }

 // +genclient
@ -120,67 +119,67 @@ type PolicyViolation PolicyViolationTemplate

 // PolicyViolationList ...
 type PolicyViolationList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata"`
-	Items           []PolicyViolation `json:"items"`
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+	metav1.ListMeta `json:"metadata" yaml:"metadata"`
+	Items           []PolicyViolation `json:"items" yaml:"items"`
 }

 // Policy contains rules to be applied to created resources
 type Policy struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
+	metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
 	// Spec is the information to identify the policy
-	Spec Spec `json:"spec"`
+	Spec Spec `json:"spec" yaml:"spec"`
 	// Status contains statistics related to policy
-	Status PolicyStatus `json:"status,omitempty"`
+	Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
 }

 // Spec describes policy behavior by its rules
 type Spec struct {
 	// Rules contains the list of rules to be applied to resources
-	Rules []Rule `json:"rules"`
+	Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`
 	// ValidationFailureAction provides choice to enforce rules to resources during policy violations.
 	// Default value is "audit".
-	ValidationFailureAction string `json:"validationFailureAction"`
+	ValidationFailureAction string `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
 	// Background provides choice for applying rules to existing resources.
 	// Default value is "true".
-	Background *bool `json:"background"`
+	Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
 }

 // Rule is set of mutation, validation and generation actions
 // for the single resource description
 type Rule struct {
 	// Specifies rule name
-	Name string `json:"name"`
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
 	// Specifies resources for which the rule has to be applied.
 	// If it's defined, "kind" inside MatchResources block is required.
 	// +optional
-	MatchResources MatchResources `json:"match"`
+	MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`
 	// Specifies resources for which rule can be excluded
 	// +optional
-	ExcludeResources ExcludeResources `json:"exclude,omitempty"`
+	ExcludeResources ExcludeResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
 	// Allows controlling policy rule execution
 	// +optional
-	Conditions []Condition `json:"preconditions,omitempty"`
+	Conditions []Condition `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
 	// Specifies patterns to mutate resources
 	// +optional
-	Mutation Mutation `json:"mutate,omitempty"`
+	Mutation Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`
 	// Specifies patterns to validate resources
 	// +optional
-	Validation Validation `json:"validate,omitempty"`
+	Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`
 	// Specifies patterns to create additional resources
 	// +optional
-	Generation Generation `json:"generate,omitempty"`
+	Generation Generation `json:"generate,omitempty" yaml:"generate,omitempty"`
 }

 //Condition defines the evaluation condition
 type Condition struct {
 	// Key contains key to compare
-	Key interface{} `json:"key"`
+	Key interface{} `json:"key,omitempty" yaml:"key,omitempty"`
 	// Operator to compare against value
-	Operator ConditionOperator `json:"operator"`
+	Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
 	// Value to be compared
-	Value interface{} `json:"value"`
+	Value interface{} `json:"value,omitempty" yaml:"value,omitempty"`
 }

 // ConditionOperator defines the type for condition operator
@ -202,47 +201,47 @@ const (
 //MatchResources contains resource description of the resources that the rule is to apply on
 type MatchResources struct {
 	// Specifies user information
-	UserInfo
+	UserInfo `json:",omitempty" yaml:",omitempty"`
 	// Specifies resources to which rule is applied
-	ResourceDescription `json:"resources"`
+	ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
 }

 //ExcludeResources container resource description of the resources that are to be excluded from the applying the policy rule
 type ExcludeResources struct {
 	// Specifies user information
-	UserInfo
+	UserInfo `json:",omitempty" yaml:",omitempty"`
 	// Specifies resources to which rule is excluded
-	ResourceDescription `json:"resources"`
+	ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
 }

 // UserInfo filter based on users
 type UserInfo struct {
 	// Specifies list of namespaced role names
-	Roles []string `json:"roles,omitempty"`
+	Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
 	// Specifies list of cluster wide role names
-	ClusterRoles []string `json:"clusterRoles,omitempty"`
+	ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`
 	// Specifies list of subject names like users, user groups, and service accounts
-	Subjects []rbacv1.Subject `json:"subjects,omitempty"`
+	Subjects []rbacv1.Subject `json:"subjects,omitempty" yaml:"subjects,omitempty"`
 }

 // ResourceDescription describes the resource to which the PolicyRule will be applied.
 type ResourceDescription struct {
 	// Specifies list of resource kind
-	Kinds []string `json:"kinds,omitempty"`
+	Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`
 	// Specifies name of the resource
-	Name string `json:"name,omitempty"`
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
 	// Specifies list of namespaces
-	Namespaces []string `json:"namespaces,omitempty"`
+	Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
 	// Specifies the set of selectors
-	Selector *metav1.LabelSelector `json:"selector,omitempty"`
+	Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`
 }

 // Mutation describes the way how Mutating Webhook will react on resource creation
 type Mutation struct {
 	// Specifies overlay patterns
-	Overlay interface{} `json:"overlay,omitempty"`
+	Overlay interface{} `json:"overlay,omitempty" yaml:"overlay,omitempty"`
 	// Specifies JSON Patch
-	Patches []Patch `json:"patches,omitempty"`
+	Patches []Patch `json:"patches,omitempty" yaml:"patches,omitempty"`
 }

 // +k8s:deepcopy-gen=false
@ -250,130 +249,130 @@ type Mutation struct {
 // Patch declares patch operation for created object according to RFC 6902
 type Patch struct {
 	// Specifies path of the resource
-	Path string `json:"path"`
-	// Specifies operations supported by JSON Patch. 
+	Path string `json:"path,omitempty" yaml:"path,omitempty"`
+	// Specifies operations supported by JSON Patch.
 	// i.e:- add, replace and delete
-	Operation string `json:"op"`
+	Operation string `json:"op,omitempty" yaml:"op,omitempty"`
 	// Specifies the value to be applied
-	Value interface{} `json:"value"`
+	Value interface{} `json:"value,omitempty" yaml:"value,omitempty"`
 }

 // Validation describes the way how Validating Webhook will check the resource on creation
 type Validation struct {
 	// Specifies message to be displayed on validation policy violation
-	Message string `json:"message,omitempty"`
+	Message string `json:"message,omitempty" yaml:"message,omitempty"`
 	// Specifies validation pattern
-	Pattern interface{} `json:"pattern,omitempty"`
+	Pattern interface{} `json:"pattern,omitempty" yaml:"pattern,omitempty"`
 	// Specifies list of validation patterns
-	AnyPattern []interface{} `json:"anyPattern,omitempty"`
+	AnyPattern []interface{} `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`
 	// Specifies conditions to deny validation
-	Deny *Deny `json:"deny,omitempty"`
+	Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`
 }

 type Deny struct {
 	// Specifies set of condition to deny validation
-	Conditions []Condition `json:"conditions,omitempty"`
+	Conditions []Condition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
 }

 // Generation describes which resources will be created when other resource is created
 type Generation struct {
 	ResourceSpec
 	// To keep resources synchronized with source resource
-	Synchronize bool `json:"synchronize,omitempty"`
+	Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
 	// Data ...
-	Data interface{} `json:"data,omitempty"`
+	Data interface{} `json:"data,omitempty" yaml:"data,omitempty"`
 	// To clone resource from other resource
-	Clone CloneFrom `json:"clone,omitempty"`
+	Clone CloneFrom `json:"clone,omitempty" yaml:"clone,omitempty"`
 }

 // CloneFrom - location of the resource
 // which will be used as source when applying 'generate'
 type CloneFrom struct {
 	// Specifies resource namespace
-	Namespace string `json:"namespace,omitempty"`
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
 	// Specifies name of the resource
-	Name string `json:"name,omitempty"`
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
 }

 // PolicyStatus mostly contains statistics related to policy
 type PolicyStatus struct {
 	// average time required to process the policy rules on a resource
-	AvgExecutionTime string `json:"averageExecutionTime,omitempty"`
+	AvgExecutionTime string `json:"averageExecutionTime,omitempty" yaml:"averageExecutionTime,omitempty"`
 	// number of violations created by this policy
-	ViolationCount int `json:"violationCount,omitempty"`
+	ViolationCount int `json:"violationCount,omitempty" yaml:"violationCount,omitempty"`
 	// Count of rules that failed
-	RulesFailedCount int `json:"rulesFailedCount,omitempty"`
+	RulesFailedCount int `json:"rulesFailedCount,omitempty" yaml:"rulesFailedCount,omitempty"`
 	// Count of rules that were applied
-	RulesAppliedCount int `json:"rulesAppliedCount,omitempty"`
+	RulesAppliedCount int `json:"rulesAppliedCount,omitempty" yaml:"rulesAppliedCount,omitempty"`
 	// Count of resources that were blocked for failing a validate, across all rules
-	ResourcesBlockedCount int `json:"resourcesBlockedCount,omitempty"`
+	ResourcesBlockedCount int `json:"resourcesBlockedCount,omitempty" yaml:"resourcesBlockedCount,omitempty"`
 	// Count of resources that were successfully mutated, across all rules
-	ResourcesMutatedCount int `json:"resourcesMutatedCount,omitempty"`
+	ResourcesMutatedCount int `json:"resourcesMutatedCount,omitempty" yaml:"resourcesMutatedCount,omitempty"`
 	// Count of resources that were successfully generated, across all rules
-	ResourcesGeneratedCount int `json:"resourcesGeneratedCount,omitempty"`
+	ResourcesGeneratedCount int `json:"resourcesGeneratedCount,omitempty" yaml:"resourcesGeneratedCount,omitempty"`

-	Rules []RuleStats `json:"ruleStatus,omitempty"`
+	Rules []RuleStats `json:"ruleStatus,omitempty" yaml:"ruleStatus,omitempty"`
 }

 //RuleStats provides status per rule
 type RuleStats struct {
 	// Rule name
-	Name string `json:"ruleName"`
+	Name string `json:"ruleName" yaml:"ruleName"`
 	// average time require to process the rule
-	ExecutionTime string `json:"averageExecutionTime,omitempty"`
+	ExecutionTime string `json:"averageExecutionTime,omitempty" yaml:"averageExecutionTime,omitempty"`
 	// number of violations created by this rule
-	ViolationCount int `json:"violationCount,omitempty"`
+	ViolationCount int `json:"violationCount,omitempty" yaml:"violationCount,omitempty"`
 	// Count of rules that failed
-	FailedCount int `json:"failedCount,omitempty"`
+	FailedCount int `json:"failedCount,omitempty" yaml:"failedCount,omitempty"`
 	// Count of rules that were applied
-	AppliedCount int `json:"appliedCount,omitempty"`
+	AppliedCount int `json:"appliedCount,omitempty" yaml:"appliedCount,omitempty"`
 	// Count of resources for whom update/create api requests were blocked as the resource did not satisfy the policy rules
-	ResourcesBlockedCount int `json:"resourcesBlockedCount,omitempty"`
+	ResourcesBlockedCount int `json:"resourcesBlockedCount,omitempty" yaml:"resourcesBlockedCount,omitempty"`
 	// Count of resources that were successfully mutated
-	ResourcesMutatedCount int `json:"resourcesMutatedCount,omitempty"`
+	ResourcesMutatedCount int `json:"resourcesMutatedCount,omitempty" yaml:"resourcesMutatedCount,omitempty"`
 	// Count of resources that were successfully generated
-	ResourcesGeneratedCount int `json:"resourcesGeneratedCount,omitempty"`
+	ResourcesGeneratedCount int `json:"resourcesGeneratedCount,omitempty" yaml:"resourcesGeneratedCount,omitempty"`
 }

 // PolicyList is a list of Policy resources

 // PolicyViolationTemplate stores the information regarinding the resources for which a policy failed to apply
 type PolicyViolationTemplate struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PolicyViolationSpec   `json:"spec"`
-	Status            PolicyViolationStatus `json:"status"`
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" `
+	Spec              PolicyViolationSpec   `json:"spec" yaml:"spec"`
+	Status            PolicyViolationStatus `json:"status" yaml:"status"`
 }

 // PolicyViolationSpec describes policy behavior by its rules
 type PolicyViolationSpec struct {
 	// Specifies name of the policy
-	Policy       string `json:"policy"`
-	ResourceSpec `json:"resource"`
+	Policy       string `json:"policy" yaml:"policy"`
+	ResourceSpec `json:"resource" yaml:"resource"`
 	// Specifies list of violated rule
-	ViolatedRules []ViolatedRule `json:"rules"`
+	ViolatedRules []ViolatedRule `json:"rules" yaml:"rules"`
 }

 // ResourceSpec information to identify the resource
 type ResourceSpec struct {
 	// Specifies resource kind
 	// +optional
-	Kind string `json:"kind"`
+	Kind string `json:"kind,omitempty" yaml:"kind,omitempty"`
 	// Specifies resource namespace
 	// +optional
-	Namespace string `json:"namespace,omitempty"`
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
 	// Specifies resource name
-	Name string `json:"name"`
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
 }

 // ViolatedRule stores the information regarding the rule
 type ViolatedRule struct {
 	// Specifies violated rule name
-	Name string `json:"name"`
+	Name string `json:"name" yaml:"name"`
 	// Specifies violated rule type
-	Type string `json:"type"`
+	Type string `json:"type" yaml:"type"`
 	// Specifies violation message
-	Message string `json:"message"`
+	Message string `json:"message" yaml:"message"`
 }

 //PolicyViolationStatus provides information regarding policyviolation status
@ -381,5 +380,5 @@ type ViolatedRule struct {
 //		LastUpdateTime : the time the policy violation was updated
 type PolicyViolationStatus struct {
 	// LastUpdateTime : the time the policy violation was updated
-	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty"`
+	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" yaml:"lastUpdateTime,omitempty"`
 }
--- a/pkg/engine/utils/utils_test.go
+++ b/pkg/engine/utils/utils_test.go
@ -2,8 +2,9 @@ package utils

 import (
 	"encoding/json"
-	"gotest.tools/assert"
 	"testing"
+
+	"gotest.tools/assert"
 )

 func TestGetAnchorsFromMap_ThereAreNoAnchors(t *testing.T) {
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@ -11,7 +11,6 @@ import (
 	"time"

 	client "github.com/nirmata/kyverno/pkg/dclient"
-	"github.com/nirmata/kyverno/pkg/policymutation"

 	"github.com/nirmata/kyverno/pkg/utils"

@ -36,8 +35,6 @@ import (
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/kubernetes/scheme"
 	log "sigs.k8s.io/controller-runtime/pkg/log"
-
-	jsonpatch "github.com/evanphx/json-patch"
 )

 func Command() *cobra.Command {
@ -122,7 +119,7 @@ func Command() *cobra.Command {
 				return sanitizedError.NewWithError("failed to load resources", err)
 			}

-			newPolicies, err := mutatePolicy(policies)
+			newPolicies, err := mutatePolices(policies)
 			if err != nil {
 				return sanitizedError.NewWithError("failed to mutate policy", err)
 			}
@ -353,42 +350,20 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
 	return nil
 }

-// mutatePolicy - function to apply mutation on policies
-func mutatePolicy(policies []*v1.ClusterPolicy) ([]*v1.ClusterPolicy, error) {
+// mutatePolicies - function to apply mutation on policies
+func mutatePolices(policies []*v1.ClusterPolicy) ([]*v1.ClusterPolicy, error) {
 	newPolicies := make([]*v1.ClusterPolicy, 0)
 	logger := log.Log.WithName("apply")

 	for _, policy := range policies {
-		patches, _ := policymutation.GenerateJSONPatchesForDefaults(policy, logger)
-
-		type jsonPatch struct {
-			Path  string      `json:"path"`
-			Op    string      `json:"op"`
-			Value interface{} `json:"value"`
-		}
-
-		var jsonPatches []jsonPatch
-		err := json.Unmarshal(patches, &jsonPatches)
+		p, err := common.MutatePolicy(policy, logger)
 		if err != nil {
-			return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to unmarshal patches for %s policy", policy.Name), err)
+			if !sanitizedError.IsErrorSanitized(err) {
+				return nil, sanitizedError.NewWithError("failed to mutate policy.", err)
+			}
+			return nil, err
 		}
-		patch, err := jsonpatch.DecodePatch(patches)
-		if err != nil {
-			return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to decode patch for %s policy", policy.Name), err)
-		}
-
-		policyBytes, _ := json.Marshal(policy)
-		if err != nil {
-			return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to marshal %s policy", policy.Name), err)
-		}
-		modifiedPolicy, err := patch.Apply(policyBytes)
-		if err != nil {
-			return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to apply %s policy", policy.Name), err)
-		}
-
-		var p v1.ClusterPolicy
-		json.Unmarshal(modifiedPolicy, &p)
-		newPolicies = append(newPolicies, &p)
+		newPolicies = append(newPolicies, p)
 	}
 	return newPolicies, nil
 }
--- a/pkg/kyverno/common/common.go
+++ b/pkg/kyverno/common/common.go
@ -11,9 +11,12 @@ import (
 	"path/filepath"
 	"regexp"

+	jsonpatch "github.com/evanphx/json-patch"
+	"github.com/go-logr/logr"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/kyverno/sanitizedError"
 	"github.com/nirmata/kyverno/pkg/openapi"
+	"github.com/nirmata/kyverno/pkg/policymutation"
 	"k8s.io/apimachinery/pkg/util/yaml"
 	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
@ -154,3 +157,41 @@ func PolicyHasVariables(policy v1.ClusterPolicy) bool {
 	regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`)
 	return len(regex.FindAllStringSubmatch(string(policyRaw), -1)) > 0
 }
+
+// MutatePolicy - applies mutation to a policy
+func MutatePolicy(policy *v1.ClusterPolicy, logger logr.Logger) (*v1.ClusterPolicy, error) {
+	patches, _ := policymutation.GenerateJSONPatchesForDefaults(policy, logger)
+
+	type jsonPatch struct {
+		Path  string      `json:"path"`
+		Op    string      `json:"op"`
+		Value interface{} `json:"value"`
+	}
+
+	var jsonPatches []jsonPatch
+	err := json.Unmarshal(patches, &jsonPatches)
+	if err != nil {
+		return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to unmarshal patches for %s policy", policy.Name), err)
+	}
+	patch, err := jsonpatch.DecodePatch(patches)
+	if err != nil {
+		return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to decode patch for %s policy", policy.Name), err)
+	}
+
+	policyBytes, _ := json.Marshal(policy)
+	if err != nil {
+		return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to marshal %s policy", policy.Name), err)
+	}
+	modifiedPolicy, err := patch.Apply(policyBytes)
+	if err != nil {
+		return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to apply %s policy", policy.Name), err)
+	}
+
+	var p v1.ClusterPolicy
+	err = json.Unmarshal(modifiedPolicy, &p)
+	if err != nil {
+		return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to unmarshal %s policy", policy.Name), err)
+	}
+
+	return &p, nil
+}
--- a/pkg/kyverno/validate/command.go
+++ b/pkg/kyverno/validate/command.go
@ -1,6 +1,7 @@
 package validate

 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
@ -15,10 +16,12 @@ import (

 	_ "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation"

+	yamlv2 "gopkg.in/yaml.v2"
 	log "sigs.k8s.io/controller-runtime/pkg/log"
 )

 func Command() *cobra.Command {
+	var outputType string
 	cmd := &cobra.Command{
 		Use:     "validate",
 		Short:   "Validates kyverno policies",
@ -33,6 +36,12 @@ func Command() *cobra.Command {
 				}
 			}()

+			if outputType != "" {
+				if outputType != "yaml" && outputType != "json" {
+					return sanitizedError.NewWithError(fmt.Sprintf("%s format is not supported", outputType), errors.New("yaml and json are supported"))
+				}
+			}
+
 			policies, openAPIController, err := common.GetPoliciesValidation(policyPaths)
 			if err != nil {
 				return err
@ -53,7 +62,25 @@ func Command() *cobra.Command {
 					invalidPolicyFound = true
 				} else {
 					fmt.Printf("Policy %s is valid.\n\n", policy.Name)
+					if outputType != "" {
+						logger := log.Log.WithName("validate")
+						p, err := common.MutatePolicy(policy, logger)
+						if err != nil {
+							if !sanitizedError.IsErrorSanitized(err) {
+								return sanitizedError.NewWithError("failed to mutate policy.", err)
+							}
+							return err
+						}
+						if outputType == "yaml" {
+							yamlPolicy, _ := yamlv2.Marshal(p)
+							fmt.Println(string(yamlPolicy))
+						} else {
+							jsonPolicy, _ := json.MarshalIndent(p, "", "  ")
+							fmt.Println(string(jsonPolicy))
+						}
+					}
 				}
+				fmt.Println("-----------------------------------------------------------------------")
 			}

 			if invalidPolicyFound == true {
@ -62,5 +89,6 @@ func Command() *cobra.Command {
 			return nil
 		},
 	}
+	cmd.Flags().StringVarP(&outputType, "output", "o", "", "Prints the mutated policy")
 	return cmd
 }