refactor: remove json patches from engine response (#7449)

* refactor: remove json patches from engine response

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* remove filtering

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

pkg/engine/forceMutate.go

@@ -88,7 +88,7 @@ func applyPatches(name string, mergePatch apiextensions.JSON, jsonPatch string,
 	if err != nil {
 		return resource, err
 	}
-	resourceBytes, _, err = patcher.Patch(logger, resourceBytes)
+	resourceBytes, err = patcher.Patch(logger, resourceBytes)
 	if err != nil {
 		return resource, err
 	}

pkg/engine/handlers/mutation/common.go

@@ -11,7 +11,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/mutate"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/utils/api"
-	"github.com/mattbaird/jsonpatch"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -27,7 +26,6 @@ type forEachMutator struct {
 
 func (f *forEachMutator) mutateForEach(ctx context.Context) *mutate.Response {
 	var applyCount int
-	var allPatches []jsonpatch.JsonPatchOperation
 
 	for _, foreach := range f.foreach {
 		elements, err := engineutils.EvaluateList(foreach.List, f.policyContext.JSONContext())
@@ -43,9 +41,8 @@ func (f *forEachMutator) mutateForEach(ctx context.Context) *mutate.Response {
 
 		if mutateResp.Status != engineapi.RuleStatusSkip {
 			applyCount++
-			if len(mutateResp.Patches) > 0 {
+			if mutateResp.Status == engineapi.RuleStatusPass {
 				f.resource.unstructured = mutateResp.PatchedResource
-				allPatches = append(allPatches, mutateResp.Patches...)
 			}
 			f.logger.Info("mutateResp.PatchedResource", "resource", mutateResp.PatchedResource)
 			if err := f.policyContext.JSONContext().AddResource(mutateResp.PatchedResource.Object); err != nil {
@@ -56,10 +53,10 @@ func (f *forEachMutator) mutateForEach(ctx context.Context) *mutate.Response {
 
 	msg := fmt.Sprintf("%d elements processed", applyCount)
 	if applyCount == 0 {
-		return mutate.NewResponse(engineapi.RuleStatusSkip, f.resource.unstructured, allPatches, msg)
+		return mutate.NewResponse(engineapi.RuleStatusSkip, f.resource.unstructured, msg)
 	}
 
-	return mutate.NewResponse(engineapi.RuleStatusPass, f.resource.unstructured, allPatches, msg)
+	return mutate.NewResponse(engineapi.RuleStatusPass, f.resource.unstructured, msg)
 }
 
 func (f *forEachMutator) mutateElements(ctx context.Context, foreach kyvernov1.ForEachMutation, elements []interface{}) *mutate.Response {
@@ -67,7 +64,6 @@ func (f *forEachMutator) mutateElements(ctx context.Context, foreach kyvernov1.F
 	defer f.policyContext.JSONContext().Restore()
 
 	patchedResource := f.resource
-	var allPatches []jsonpatch.JsonPatchOperation
 	reverse := false
 	if foreach.RawPatchStrategicMerge != nil {
 		reverse = true
@@ -132,12 +128,11 @@ func (f *forEachMutator) mutateElements(ctx context.Context, foreach kyvernov1.F
 			return mutateResp
 		}
 
-		if len(mutateResp.Patches) > 0 {
+		if mutateResp.Status == engineapi.RuleStatusPass {
 			patchedResource.unstructured = mutateResp.PatchedResource
-			allPatches = append(allPatches, mutateResp.Patches...)
 		}
 	}
-	return mutate.NewResponse(engineapi.RuleStatusPass, patchedResource.unstructured, allPatches, "")
+	return mutate.NewResponse(engineapi.RuleStatusPass, patchedResource.unstructured, "")
 }
 
 func buildRuleResponse(rule *kyvernov1.Rule, mutateResp *mutate.Response, info resourceInfo) *engineapi.RuleResponse {

pkg/engine/mutate/mutation.go

@@ -3,6 +3,7 @@ package mutate
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
@@ -11,7 +12,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	datautils "github.com/kyverno/kyverno/pkg/utils/data"
-	"github.com/mattbaird/jsonpatch"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -19,15 +19,13 @@ import (
 type Response struct {
 	Status          engineapi.RuleStatus
 	PatchedResource unstructured.Unstructured
-	Patches         []jsonpatch.JsonPatchOperation
 	Message         string
 }
 
-func NewResponse(status engineapi.RuleStatus, resource unstructured.Unstructured, patches []jsonpatch.JsonPatchOperation, msg string) *Response {
+func NewResponse(status engineapi.RuleStatus, resource unstructured.Unstructured, msg string) *Response {
 	return &Response{
 		Status:          status,
 		PatchedResource: resource,
-		Patches:         patches,
 		Message:         msg,
 	}
 }
@@ -36,7 +34,7 @@ func NewErrorResponse(msg string, err error) *Response {
 	if err != nil {
 		msg = fmt.Sprintf("%s: %v", msg, err)
 	}
-	return NewResponse(engineapi.RuleStatusError, unstructured.Unstructured{}, nil, msg)
+	return NewResponse(engineapi.RuleStatusError, unstructured.Unstructured{}, msg)
 }
 
 func Mutate(rule *kyvernov1.Rule, ctx context.Interface, resource unstructured.Unstructured, logger logr.Logger) *Response {
@@ -53,14 +51,14 @@ func Mutate(rule *kyvernov1.Rule, ctx context.Interface, resource unstructured.U
 	if err != nil {
 		return NewErrorResponse("failed to marshal resource", err)
 	}
-	resourceBytes, patches, err := patcher.Patch(logger, resourceBytes)
+	patchedBytes, err := patcher.Patch(logger, resourceBytes)
 	if err != nil {
 		return NewErrorResponse("failed to patch resource", err)
 	}
-	if len(patches) == 0 {
-		return NewResponse(engineapi.RuleStatusSkip, resource, nil, "no patches applied")
+	if strings.TrimSpace(string(resourceBytes)) == strings.TrimSpace(string(patchedBytes)) {
+		return NewResponse(engineapi.RuleStatusSkip, resource, "no patches applied")
 	}
-	if err := resource.UnmarshalJSON(resourceBytes); err != nil {
+	if err := resource.UnmarshalJSON(patchedBytes); err != nil {
 		return NewErrorResponse("failed to unmarshal patched resource", err)
 	}
 	if rule.IsMutateExisting() {
@@ -72,7 +70,7 @@ func Mutate(rule *kyvernov1.Rule, ctx context.Interface, resource unstructured.U
 			return NewErrorResponse("failed to update patched resource in the JSON context", err)
 		}
 	}
-	return NewResponse(engineapi.RuleStatusPass, resource, patches, "resource patched")
+	return NewResponse(engineapi.RuleStatusPass, resource, "resource patched")
 }
 
 func ForEach(name string, foreach kyvernov1.ForEachMutation, policyContext engineapi.PolicyContext, resource unstructured.Unstructured, element interface{}, logger logr.Logger) *Response {
@@ -89,19 +87,19 @@ func ForEach(name string, foreach kyvernov1.ForEachMutation, policyContext engin
 	if err != nil {
 		return NewErrorResponse("failed to marshal resource", err)
 	}
-	resourceBytes, patches, err := patcher.Patch(logger, resourceBytes)
+	patchedBytes, err := patcher.Patch(logger, resourceBytes)
 	if err != nil {
 		return NewErrorResponse("failed to patch resource", err)
 	}
-	if len(patches) == 0 {
-		return NewResponse(engineapi.RuleStatusSkip, resource, nil, "no patches applied")
+	if strings.TrimSpace(string(resourceBytes)) == strings.TrimSpace(string(patchedBytes)) {
+		return NewResponse(engineapi.RuleStatusSkip, resource, "no patches applied")
 	}
-	if err := resource.UnmarshalJSON(resourceBytes); err != nil {
+	if err := resource.UnmarshalJSON(patchedBytes); err != nil {
 		return NewErrorResponse("failed to unmarshal patched resource", err)
 	} else if err := ctx.AddResource(resource.Object); err != nil {
 		return NewErrorResponse("failed to update patched resource in the JSON context", err)
 	} else {
-		return NewResponse(engineapi.RuleStatusPass, resource, patches, "resource patched")
+		return NewResponse(engineapi.RuleStatusPass, resource, "resource patched")
 	}
 }
 

pkg/engine/mutate/mutation_test.go

@@ -130,7 +130,9 @@ func TestProcessPatches_AddPathDoesntExist(t *testing.T) {
 	rr, patched := applyPatches(rule, resource)
 
 	// assert
-	require.Equal(t, engineapi.RuleStatusSkip, rr.Status())
+	require.Equal(t, engineapi.RuleStatusPass, rr.Status())
+	require.NotEqual(t, patched.UnstructuredContent(), resource.UnstructuredContent())
+	unstructured.SetNestedField(resource.UnstructuredContent(), "true", "metadata", "additional", "is-mutated")
 	require.Equal(t, resource, patched)
 }
 

pkg/engine/mutate/patch/patchJSON6902.go

@@ -5,19 +5,16 @@ import (
 
 	jsonpatch "github.com/evanphx/json-patch/v5"
 	"github.com/go-logr/logr"
-	"sigs.k8s.io/yaml"
 )
 
 // ProcessPatchJSON6902 ...
-func ProcessPatchJSON6902(logger logr.Logger, patchesJSON6902 []byte, resource resource) (resource, patches, error) {
-	if patchedResourceRaw, err := applyPatchesWithOptions(resource, patchesJSON6902); err != nil {
+func ProcessPatchJSON6902(logger logr.Logger, patchesJSON6902 []byte, resource resource) (resource, error) {
+	patchedResourceRaw, err := applyPatchesWithOptions(resource, patchesJSON6902)
+	if err != nil {
 		logger.Error(err, "failed to apply JSON Patch")
-		return nil, nil, err
-	} else if patchesBytes, err := generatePatches(resource, patchedResourceRaw); err != nil {
-		return nil, nil, err
-	} else {
-		return patchedResourceRaw, patchesBytes, nil
+		return nil, err
 	}
+	return patchedResourceRaw, nil
 }
 
 func applyPatchesWithOptions(resource, patch []byte) ([]byte, error) {
@@ -32,19 +29,3 @@ func applyPatchesWithOptions(resource, patch []byte) ([]byte, error) {
 	}
 	return patchedResource, nil
 }
-
-func ConvertPatchesToJSON(patchesJSON6902 string) ([]byte, error) {
-	if len(patchesJSON6902) == 0 {
-		return []byte(patchesJSON6902), nil
-	}
-	if patchesJSON6902[0] != '[' {
-		// If the patch doesn't look like a JSON6902 patch, we
-		// try to parse it to json.
-		op, err := yaml.YAMLToJSON([]byte(patchesJSON6902))
-		if err != nil {
-			return nil, fmt.Errorf("failed to convert patchesJSON6902 to JSON: %v", err)
-		}
-		return op, nil
-	}
-	return []byte(patchesJSON6902), nil
-}

pkg/engine/mutate/patch/patchJSON6902_test.go

@@ -6,6 +6,7 @@ import (
 	"github.com/ghodss/yaml"
 	"github.com/go-logr/logr"
 	assert "github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -33,29 +34,24 @@ func TestTypeConversion(t *testing.T) {
   value: my-nginx
 `)
 
-	expectedPatches := [][]byte{
-		[]byte(`{"op":"replace","path":"/spec/template/spec/containers/0/name","value":"my-nginx"}`),
-	}
+	expectedBytes := []byte(`{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"myDeploy"},"spec":{"replica":2,"template":{"metadata":{"labels":{"old-label":"old-value"}},"spec":{"containers":[{"image":"nginx","name":"my-nginx"}]}}}}`)
 
 	// serialize resource
 	inputJSON, err := yaml.YAMLToJSON(inputBytes)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 
 	var resource unstructured.Unstructured
 	err = resource.UnmarshalJSON(inputJSON)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 
 	jsonPatches, err := yaml.YAMLToJSON(patchesJSON6902)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	// apply patches
 	resourceBytes, err := resource.MarshalJSON()
-	assert.Nil(t, err)
-	resourceBytes, patches, err := ProcessPatchJSON6902(logr.Discard(), jsonPatches, resourceBytes)
-	if !assert.Nil(t, err) {
-		t.Fatal()
-	}
-
-	assert.Equal(t, expectedPatches, ConvertPatches(patches...))
+	require.NoError(t, err)
+	patchedBytes, err := ProcessPatchJSON6902(logr.Discard(), jsonPatches, resourceBytes)
+	require.NoError(t, err)
+	require.Equal(t, string(expectedBytes), string(patchedBytes))
 }
 
 func TestJsonPatch(t *testing.T) {

pkg/engine/mutate/patch/patchers.go

@@ -2,18 +2,16 @@ package patch
 
 import (
 	"github.com/go-logr/logr"
-	"github.com/mattbaird/jsonpatch"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 )
 
 type (
 	resource = []byte
-	patches  = []jsonpatch.JsonPatchOperation
 )
 
 // Patcher patches the resource
 type Patcher interface {
-	Patch(logr.Logger, resource) (resource, patches, error)
+	Patch(logr.Logger, resource) (resource, error)
 }
 
 // patchStrategicMergeHandler
@@ -27,7 +25,7 @@ func NewPatchStrategicMerge(patch apiextensions.JSON) Patcher {
 	}
 }
 
-func (h patchStrategicMergeHandler) Patch(logger logr.Logger, resource resource) (resource, patches, error) {
+func (h patchStrategicMergeHandler) Patch(logger logr.Logger, resource resource) (resource, error) {
 	return ProcessStrategicMergePatch(logger, h.patch, resource)
 }
 
@@ -42,11 +40,11 @@ func NewPatchesJSON6902(patches string) Patcher {
 	}
 }
 
-func (h patchesJSON6902Handler) Patch(logger logr.Logger, resource resource) (resource, patches, error) {
-	patchesJSON6902, err := ConvertPatchesToJSON(h.patches)
+func (h patchesJSON6902Handler) Patch(logger logr.Logger, resource resource) (resource, error) {
+	patchesJSON6902, err := convertPatchesToJSON(h.patches)
 	if err != nil {
 		logger.Error(err, "error in type conversion")
-		return nil, nil, err
+		return nil, err
 	}
 	return ProcessPatchJSON6902(logger, patchesJSON6902, resource)
 }

pkg/engine/mutate/patch/patchesUtils.go

@@ -1,10 +1,10 @@
 package patch
 
 import (
-	"strings"
+	"fmt"
 
-	"github.com/kyverno/kyverno/pkg/utils/wildcard"
 	"github.com/mattbaird/jsonpatch"
+	"sigs.k8s.io/yaml"
 )
 
 func ConvertPatches(in ...jsonpatch.JsonPatchOperation) [][]byte {
@@ -17,45 +17,26 @@ func ConvertPatches(in ...jsonpatch.JsonPatchOperation) [][]byte {
 	return out
 }
 
+func convertPatchesToJSON(patchesJSON6902 string) ([]byte, error) {
+	if len(patchesJSON6902) == 0 {
+		return []byte(patchesJSON6902), nil
+	}
+	if patchesJSON6902[0] != '[' {
+		// If the patch doesn't look like a JSON6902 patch, we
+		// try to parse it to json.
+		op, err := yaml.YAMLToJSON([]byte(patchesJSON6902))
+		if err != nil {
+			return nil, fmt.Errorf("failed to convert patchesJSON6902 to JSON: %v", err)
+		}
+		return op, nil
+	}
+	return []byte(patchesJSON6902), nil
+}
+
 func generatePatches(src, dst []byte) ([]jsonpatch.JsonPatchOperation, error) {
-	if pp, err := jsonpatch.CreatePatch(src, dst); err != nil {
+	pp, err := jsonpatch.CreatePatch(src, dst)
+	if err != nil {
 		return nil, err
-	} else {
-		return filterInvalidPatches(pp), err
 	}
-}
-
-// filterInvalidPatches filters out patch with the following path:
-// - not */metadata/name, */metadata/namespace, */metadata/labels, */metadata/annotations
-// - /status
-func filterInvalidPatches(patches []jsonpatch.JsonPatchOperation) []jsonpatch.JsonPatchOperation {
-	res := []jsonpatch.JsonPatchOperation{}
-	for _, patch := range patches {
-		if ignorePatch(patch.Path) {
-			continue
-		}
-		res = append(res, patch)
-	}
-	return res
-}
-
-func ignorePatch(path string) bool {
-	if wildcard.Match("/spec/triggers/*/metadata/*", path) {
-		return false
-	}
-	if wildcard.Match("*/metadata", path) {
-		return false
-	}
-	if strings.Contains(path, "/metadata") {
-		if !strings.Contains(path, "/metadata/name") &&
-			!strings.Contains(path, "/metadata/namespace") &&
-			!strings.Contains(path, "/metadata/annotations") &&
-			!strings.Contains(path, "/metadata/labels") &&
-			!strings.Contains(path, "/metadata/ownerReferences") &&
-			!strings.Contains(path, "/metadata/generateName") &&
-			!strings.Contains(path, "/metadata/finalizers") {
-			return true
-		}
-	}
-	return false
+	return pp, nil
 }

pkg/engine/mutate/patch/patchesUtils_test.go

@@ -1,7 +1,6 @@
 package patch
 
 import (
-	"fmt"
 	"testing"
 
 	"github.com/go-logr/logr"
@@ -132,89 +131,6 @@ var overlayBytes = []byte(`
 }
 `)
 
-var expectBytes = []byte(`{"apiVersion": "apps/v1","kind": "Deployment","metadata": {"name": "wordpress","labels": {"app": "wordpress"}},"spec": {"selector": {"matchLabels": {"app": "wordpress"}},"strategy": {"type": "Recreate"},"template": {"metadata": {"labels": {"app": "wordpress"}},"spec": {"containers": [{"name": "nginx","image": "nginx"},{"image": "wordpress:4.8-apache","name": "wordpress","ports": [{"containerPort": 80,"name": "wordpress"}],"volumeMounts": [{"name": "wordpress-persistent-storage","mountPath": "/var/www/html"}],"env": [{"name": "WORDPRESS_DB_HOST","value": "$(MYSQL_SERVICE)"},{"name": "WORDPRESS_DB_PASSWORD","valueFrom": {"secretKeyRef": {"name": "mysql-pass","key": "password"}}}]}],"volumes": [{"name": "wordpress-persistent-storage"}],"initContainers": [{"name": "init-command","image": "debian","command": ["echo $(WORDPRESS_SERVICE)","echo $(MYSQL_SERVICE)"]}]}}}}`)
-
-func Test_ignorePath(t *testing.T) {
-	tests := []struct {
-		path   string
-		ignore bool
-	}{
-		{
-			path:   "/",
-			ignore: false,
-		},
-		{
-			path:   "/metadata",
-			ignore: false,
-		},
-		{
-			path:   "/metadata/name",
-			ignore: false,
-		},
-		{
-			path:   "spec/template/metadata/name",
-			ignore: false,
-		},
-		{
-			path:   "/metadata/namespace",
-			ignore: false,
-		},
-		{
-			path:   "/metadata/annotations",
-			ignore: false,
-		},
-		{
-			path:   "/metadata/labels",
-			ignore: false,
-		},
-		{
-			path:   "/metadata/ownerReferences",
-			ignore: false,
-		},
-		{
-			path:   "/metadata/finalizers",
-			ignore: false,
-		},
-		{
-			path:   "/metadata/generateName",
-			ignore: false,
-		},
-		{
-			path:   "/metadata/creationTimestamp",
-			ignore: true,
-		},
-		{
-			path:   "spec/template/metadata/creationTimestamp",
-			ignore: true,
-		},
-		{
-			path:   "/metadata/resourceVersion",
-			ignore: true,
-		},
-		{
-			path:   "/status",
-			ignore: false,
-		},
-		{
-			path:   "/spec",
-			ignore: false,
-		},
-		{
-			path:   "/kind",
-			ignore: false,
-		},
-		{
-			path:   "/spec/triggers/0/metadata/serverAddress",
-			ignore: false,
-		},
-	}
-
-	for _, test := range tests {
-		res := ignorePatch(test.path)
-		assert.Equal(t, test.ignore, res, fmt.Sprintf("test fails at %s", test.path))
-	}
-}
-
 func Test_GeneratePatches_sortRemovalPatches(t *testing.T) {
 	base := []byte(`{"apiVersion": "apps/v1","kind": "Deployment","metadata": {"name": "nginx-deployment","labels": {"app": "nginx"}},"spec": {"selector": {"matchLabels": {"app": "nginx"}},"replicas": 1,"template": {"metadata": {"labels": {"app": "nginx"}},"spec": {"containers": [{"name": "nginx","image": "nginx:1.14.2","ports": [{"containerPort": 80}]}],"tolerations": [{"effect": "NoExecute","key": "node.kubernetes.io/not-ready","operator": "Exists","tolerationSeconds": 300},{"effect": "NoExecute","key": "node.kubernetes.io/unreachable","operator": "Exists","tolerationSeconds": 300}]}}}}`)
 	expectedResource := []byte(`{"apiVersion": "apps/v1","kind": "Deployment","metadata": {"name": "nginx-deployment","labels": {"app": "nginx"}},"spec": {"selector": {"matchLabels": {"app": "nginx"}},"replicas": 1,"template": {"metadata": {"labels": {"app": "nginx"}},"spec": {"containers": [{"name": "nginx","image": "nginx:1.14.2","ports": [{"containerPort": 80}]}],"tolerations": [{"effect": "NoSchedule","key": "networkzone","operator": "Equal","value": "dmz"}]}}}}`)

pkg/engine/mutate/patch/strategicMergePatch.go

@@ -12,22 +12,18 @@ import (
 )
 
 // ProcessStrategicMergePatch ...
-func ProcessStrategicMergePatch(logger logr.Logger, overlay interface{}, resource resource) (resource, patches, error) {
+func ProcessStrategicMergePatch(logger logr.Logger, overlay interface{}, resource resource) (resource, error) {
 	overlayBytes, err := json.Marshal(overlay)
 	if err != nil {
 		logger.Error(err, "failed to marshal resource")
-		return nil, nil, err
+		return nil, err
 	}
 	patchedBytes, err := strategicMergePatch(logger, string(resource), string(overlayBytes))
 	if err != nil {
 		logger.Error(err, "failed to apply patchStrategicMerge")
-		return nil, nil, err
+		return nil, err
 	}
-	patches, err := generatePatches(resource, patchedBytes)
-	if err != nil {
-		return nil, nil, err
-	}
-	return patchedBytes, patches, nil
+	return patchedBytes, nil
 }
 
 func strategicMergePatch(logger logr.Logger, base, overlay string) ([]byte, error) {

pkg/engine/mutate/patch/strategicMergePatch_test.go

@@ -13,6 +13,7 @@ import (
 )
 
 func TestMergePatch(t *testing.T) {
+	var expectBytes = []byte(`{"apiVersion": "apps/v1","kind": "Deployment","metadata": {"name": "wordpress","labels": {"app": "wordpress"}},"spec": {"selector": {"matchLabels": {"app": "wordpress"}},"strategy": {"type": "Recreate"},"template": {"metadata": {"labels": {"app": "wordpress"}},"spec": {"containers": [{"name": "nginx","image": "nginx"},{"image": "wordpress:4.8-apache","name": "wordpress","ports": [{"containerPort": 80,"name": "wordpress"}],"volumeMounts": [{"name": "wordpress-persistent-storage","mountPath": "/var/www/html"}],"env": [{"name": "WORDPRESS_DB_HOST","value": "$(MYSQL_SERVICE)"},{"name": "WORDPRESS_DB_PASSWORD","valueFrom": {"secretKeyRef": {"name": "mysql-pass","key": "password"}}}]}],"volumes": [{"name": "wordpress-persistent-storage"}],"initContainers": [{"name": "init-command","image": "debian","command": ["echo $(WORDPRESS_SERVICE)","echo $(MYSQL_SERVICE)"]}]}}}}`)
 	testCases := []struct {
 		rawPolicy   []byte
 		rawResource []byte
@@ -170,6 +171,7 @@ func TestMergePatch(t *testing.T) {
 }
 
 func Test_PolicyDeserilize(t *testing.T) {
+	var expectBytes = []byte(`{"apiVersion": "apps/v1","kind": "Deployment","metadata": {"name": "wordpress","labels": {"app": "wordpress"}},"spec": {"selector": {"matchLabels": {"app": "wordpress"}},"strategy": {"type": "Recreate"},"template": {"metadata": {"labels": {"app": "wordpress"}},"spec": {"containers": [{"name": "nginx","image": "nginx"},{"image": "wordpress:4.8-apache","name": "wordpress","ports": [{"containerPort": 80,"name": "wordpress"}],"volumeMounts": [{"name": "wordpress-persistent-storage","mountPath": "/var/www/html"}],"env": [{"name": "WORDPRESS_DB_HOST","value": "$(MYSQL_SERVICE)"},{"name": "WORDPRESS_DB_PASSWORD","valueFrom": {"secretKeyRef": {"name": "mysql-pass","key": "password"}}}]}],"volumes": [{"name": "wordpress-persistent-storage"}],"initContainers": [{"name": "init-command","image": "debian","command": ["echo $(WORDPRESS_SERVICE)","echo $(MYSQL_SERVICE)"]}]}}}}`)
 	rawPolicy := []byte(`
 {
   "apiVersion": "kyverno.io/v1",