fix: mutate existing policy does not get applied when background=false (#5439)

* fix mutate existing policies when background=false

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add the kuttl test

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>

pkg/policy/policy_controller.go

@@ -139,8 +139,10 @@ func NewPolicyController(
 func (pc *PolicyController) canBackgroundProcess(p kyvernov1.PolicyInterface) bool {
 	logger := pc.log.WithValues("policy", p.GetName())
 	if !p.BackgroundProcessingEnabled() {
-		logger.V(4).Info("background processed is disabled")
+		if !p.GetSpec().HasGenerate() && !p.GetSpec().IsMutateExisting() {
-		return false
+			logger.V(4).Info("background processing is disabled")
+			return false
+		}
 	}
 
 	if err := ValidateVariables(p, true); err != nil {

test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-privileged-existing-namespaces
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml

@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-privileged-existing-namespaces
+  annotations:
+    policies.kyverno.io/title: Add Privileged Label to Existing Namespaces
+    policies.kyverno.io/category: Pod Security Admission
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Namespace
+    kyverno.io/kyverno-version: 1.8.0
+    policies.kyverno.io/minversion: 1.7.0
+    kyverno.io/kubernetes-version: "1.24"
+    policies.kyverno.io/description: >-
+      When Pod Security Admission is configured with a cluster-wide AdmissionConfiguration file
+      which sets either baseline or restricted, for example in many PaaS CIS profiles, it may
+      be necessary to relax this to privileged on a per-Namespace basis so that more
+      granular control can be provided. This policy labels new and existing Namespaces, except
+      that of kube-system, with the `pod-security.kubernetes.io/enforce: privileged` label.      
+spec:
+  mutateExistingOnPolicyUpdate: true
+  background: false
+  rules:
+  - name: label-privileged-namespaces
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    mutate:
+      targets:
+        - apiVersion: v1
+          kind: Namespace
+      patchStrategicMerge:
+        metadata:
+          labels:
+            foo: bar

test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: default
+  labels:
+    foo: bar

test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/99-cleanup.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This is a test for mutation of existing resources when background is set to false. 
+
+## Expected Behavior
+
+The mutateExisting policy does not require `.spec.background=true` to be applied.
+
+## Reference Issue(s)
+
+5430