From 35bed4bc6aef6622b89f0fc4dee9a175aa9768ff Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Mon, 4 Nov 2019 17:55:13 -0800
Subject: [PATCH] add safe-to-evict annotation
---
 documentation/writing-policies-validate.md | 8 +++----
 pkg/testrunner/scenario.go | 10 ++++++---
 pkg/testrunner/testrunner_test.go | 4 ++--
 .../add_safe-to-evict_annotation.yaml | 22 +++++++++++++++++++
 test/output/pod-with-emptydir.yaml | 14 ++++++++++++
 test/resources/pod-with-emptydir.yaml | 14 ++++++++++++
 .../other/scenario_mutate_validate_qos.yaml | 2 +-
 .../scenario_mutate_safe-to-evict.yaml | 19 ++++++++++++++++
 8 files changed, 83 insertions(+), 10 deletions(-)
 create mode 100644 samples/best_practices/add_safe-to-evict_annotation.yaml
 create mode 100644 test/output/pod-with-emptydir.yaml
 create mode 100644 test/resources/pod-with-emptydir.yaml
 create mode 100644 test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml
diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md
index 89d1c45b52..d908143c6a 100644
--- a/documentation/writing-policies-validate.md
+++ b/documentation/writing-policies-validate.md
@@ -53,16 +53,16 @@ For conditional anchors, the child element is considered to be part of the "if"
 ````yaml
 pattern:
+ metadata:
+ labels:
+ allow-docker: true
 spec:
- metadata:
- labels:
- allow-docker: true
 (volumes):
 (hostPath):
 path: "/var/run/docker.sock"
 ````
-This reads as "If a hostPath volume exists and the path it equals /var/run/docker.sock, then a label "allow-docker" must be specified with a value of true."
+This reads as "If a hostPath volume exists and the path equals /var/run/docker.sock, then a label "allow-docker" must be specified with a value of true."
 For equality anchors, a child element is considered to be part of the "then" clause. Consider this pattern:
diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go
index 97234f3840..b63b44ad97 100644
--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@@ -3,6 +3,7 @@ package testrunner
 import (
 "bytes"
 "encoding/json"
+ "flag"
 "io/ioutil"
 "os"
 ospath "path"
@@ -283,9 +284,8 @@ func compareResourceSpec(t *testing.T, resource engine.ResourceSpec, expectedRes
 func compareRules(t *testing.T, rule engine.RuleResponse, expectedRule engine.RuleResponse) {
 // name
 if rule.Name != expectedRule.Name {
- t.Errorf("rule name: expected %s, recieved %s", expectedRule.Name, rule.Name)
+ t.Errorf("rule name: expected %s, recieved %+v", expectedRule.Name, rule.Name)
 // as the rule names dont match no need to compare the rest of the information
- return
 }
 // type
 if rule.Type != expectedRule.Type {
@@ -443,11 +443,15 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 }
 func testScenario(t *testing.T, path string) {
- //load scenario
+ flag.Parse()
+ flag.Set("v", "10")
+ flag.Set("logtostderr", "true")
+
 scenario, err := loadScenario(t, path)
 if err != nil {
 t.Error(err)
 return
 }
+
 runScenario(t, scenario)
 }
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 09df29a465..438a27d59c 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -123,6 +123,6 @@ func Test_validate_disallow_docker_sock_mount(t *testing.T) {
 testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
 }
-func Test_validate_disallow_helm_tiller(t *testing.T) {
- testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml")
+func Test_mutate_add_safe_to_evict_annotation(t *testing.T) {
+ testScenario(t, "test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml")
 }
diff --git a/samples/best_practices/add_safe-to-evict_annotation.yaml b/samples/best_practices/add_safe-to-evict_annotation.yaml
new file mode 100644
index 0000000000..ac468ecbae
--- /dev/null
+++ b/samples/best_practices/add_safe-to-evict_annotation.yaml
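Review bot: Dropping the `return` after the rule-name mismatch in compareRules leaves the surviving comment `// as the rule names dont match no need to compare the rest of the information` describing behavior the code no longer has, since the function now goes on to compare type and the remaining fields of two rules already known to differ. Either restore the early return or rewrite the comment to match, e.g. `// keep comparing so every mismatched field is reported in one run`. The switch to `%+v` changes nothing for a string argument; `%q` would at least make an empty or whitespace-only name visible in the failure output. The body of compareRules continues past the end of the hunk.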
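Review bot: The two `flag.Set` calls added to testScenario discard their error return, so a misspelled flag name or a flag that is not registered in this test binary fails silently; `if err := flag.Set("v", "10"); err != nil { t.Fatal(err) }` (and the same for `logtostderr`) surfaces it. `flag.Parse()` inside every scenario is also redundant under `go test`, which parses the command line before any test runs, and forcing verbosity 10 is a process-wide side effect that belongs once in a `TestMain` or behind a `sync.Once` rather than repeated per call. The `v` and `logtostderr` names look like glog flags registered by a package outside this hunk; presumably they exist, but that is worth confirming since nothing here imports that package.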
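Review bot: This hunk replaces `Test_validate_disallow_helm_tiller` with the new mutate test instead of adding it, so the `scenario_validate_disallow_helm_tiller.yaml` scenario, which the diffstat shows is not deleted, is no longer exercised by any test. If dropping that coverage is intended it deserves a sentence in the commit message; otherwise keep the old function and add `Test_mutate_add_safe_to_evict_annotation` as a separate test below it.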
@@ -0,0 +1,22 @@
+apiVersion: "kyverno.io/v1alpha1"
+kind: "ClusterPolicy"
+metadata:
+ name: "annotate-emptyDir"
+ annotations:
+ policies.kyverno.io/category: AutoScaling
+ policies.kyverno.io/description:
+spec:
+ rules:
+ - name: "add-safe-to-evict-annotation"
+ match:
+ resources:
+ kinds:
+ - "Pod"
+ mutate:
+ overlay:
+ metadata:
+ annotations:
+ +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
+ spec:
+ volumes:
+ - (emptyDir): {}
\ No newline at end of file
diff --git a/test/output/pod-with-emptydir.yaml b/test/output/pod-with-emptydir.yaml
new file mode 100644
index 0000000000..f729d797a3
--- /dev/null
+++ b/test/output/pod-with-emptydir.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-emptydir
+spec:
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
\ No newline at end of file
diff --git a/test/resources/pod-with-emptydir.yaml b/test/resources/pod-with-emptydir.yaml
new file mode 100644
index 0000000000..87ed864569
--- /dev/null
+++ b/test/resources/pod-with-emptydir.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-emptydir
+spec:
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /cache
+ name: cache-volume
+ volumes:
+ - name: cache-volume
+ emptyDir: {}
diff --git a/test/scenarios/other/scenario_mutate_validate_qos.yaml b/test/scenarios/other/scenario_mutate_validate_qos.yaml
index 5fce2dfbd8..19220a53cb 100644
--- a/test/scenarios/other/scenario_mutate_validate_qos.yaml
+++ b/test/scenarios/other/scenario_mutate_validate_qos.yaml
@@ -1,4 +1,4 @@
-# file path relative to project root
+# file path is relative to project root
 input:
 policy: test/policy/mutate/policy_mutate_validate_qos.yaml
 resource: test/resources/resource_mutate_validate_qos.yaml
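Review bot: The value on the overlay line `+(cluster-autoscaler.kubernetes.io/safe-to-evict): true` is an unquoted YAML boolean, while Kubernetes annotations are a string-to-string map; if the overlay value is carried into the patch unchanged, the API server will reject the mutated Pod, so it should be written as `"true"`. The `policies.kyverno.io/description:` annotation is left empty, which makes the sample harder to pick up than it needs to be; a single line such as `Mark Pods that use emptyDir volumes as safe for the cluster autoscaler to evict` would state both what the rule changes and why. Since the rule matches every Pod in every namespace, that description is also where a reader learns the eviction implication of the annotation being added cluster-wide.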
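Review bot: The expected patched resource in `test/output/pod-with-emptydir.yaml` is identical to the input fixture `test/resources/pod-with-emptydir.yaml` in the next hunk and carries no `cluster-autoscaler.kubernetes.io/safe-to-evict` annotation, which is exactly the field the policy is meant to add. Depending on how the runner compares `patchedresource`, the scenario will therefore either fail or pass without checking that the mutation happened. The expected file should carry the annotation under `metadata`, i.e. `annotations:` followed by `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"`; the same gap applies to the `patchedresource` reference in the scenario file at the end of the patch.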
diff --git a/test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml b/test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml
new file mode 100644
index 0000000000..0cef289009
--- /dev/null
+++ b/test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml
@@ -0,0 +1,19 @@
+# file path is relative to project root
+input:
+ policy: samples/best_practices/add_safe-to-evict_annotation.yaml
+ resource: test/resources/pod-with-emptydir.yaml
+expected:
+ mutation:
+ patchedresource: test/output/pod-with-emptydir.yaml
+ policyresponse:
+ policy: annotate-emptyDir
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: pod-with-emptydir
+ rules:
+ - name: add-safe-to-evict-annotation
+ type: Mutation
+ success: true
+ message: "succesfully processed overlay"
\ No newline at end of file
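Review bot: The expected `message: "succesfully processed overlay"` is misspelled; because the runner compares this string with the message the engine returns, the typo presumably mirrors the engine's own message and has to be corrected in both places in one change, otherwise this scenario starts failing on its own. A short comment above `expected:` noting that `message` must match the engine string verbatim would keep the next person from "fixing" only this side.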