fix: mutation policy inconsistent patching for ephemeralContainers (#5121)

* fix: mutation policy consistent patching for ephemeralContainers Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2025-03-30 19:35:06 +00:00 · 2022-10-26 10:50:32 +05:30 · 2022-10-26 10:50:32 +05:30 · c3740d1c5b
commit c3740d1c5b
parent e4bf66e756
2 changed files with 123 additions and 2 deletions
--- a/pkg/engine/mutate/patch/strategicPreprocessing.go
+++ b/pkg/engine/mutate/patch/strategicPreprocessing.go
@ -139,7 +139,8 @@ func processListOfMaps(logger logr.Logger, pattern, resource *yaml.RNode) error
 			var lastGlobalAnchorError error = nil

 			for _, resourceElement := range resourceElements {
-				if err := preProcessRecursive(logger, patternElement, resourceElement); err != nil {
+				patternElementCopy := patternElement.Copy()
+				if err := preProcessRecursive(logger, patternElementCopy, resourceElement); err != nil {
 					logger.V(3).Info("anchor mismatch", "reason", err.Error())
 					if isConditionError(err) {
 						continue
@ -157,7 +158,7 @@ func processListOfMaps(logger logr.Logger, pattern, resource *yaml.RNode) error
 					// global anchor has passed, there is no need to return an error
 					anyGlobalConditionPassed = true
 				} else {
-					if err := handlePatternName(pattern, patternElement, resourceElement); err != nil {
+					if err := handlePatternName(pattern, patternElementCopy, resourceElement); err != nil {
 						return errors.Wrap(err, "failed to update name in pattern")
 					}
 				}
--- a/pkg/engine/mutate/patch/strategicPreprocessing_test.go
+++ b/pkg/engine/mutate/patch/strategicPreprocessing_test.go
@ -16,6 +16,126 @@ func Test_preProcessStrategicMergePatch_multipleAnchors(t *testing.T) {
 		rawResource   []byte
 		expectedPatch []byte
 	}{
+		{
+			rawPolicy: []byte(`{
+			 "spec": {
+      "containers": [
+        {
+          "(name)": "*",
+          "securityContext": {
+              "+(allowPrivilegeEscalation)": false,
+              "+(capabilities)": {
+                  "drop": [
+                      "NET_CAP"
+                  ]
+              },
+              "+(privileged)": false
+          }
+        }
+      ],
+      "initContainers": [
+        {
+          "(name)": "*",
+          "securityContext": {
+              "+(allowPrivilegeEscalation)": false,
+              "+(capabilities)": {
+                  "drop": [
+                      "NET_ADMIN"
+                  ]
+              },
+              "+(privileged)": false
+          }
+        }
+      ]
+    }
+			}`),
+			rawResource: []byte(`{
+    "apiVersion": "v1",
+				"kind": "Pod",
+				"metadata": {
+				  "name": "mutation-debug",
+      "namespace": "amritapuri"
+				},
+				"spec": {
+     "containers": [
+       {
+        "name": "sleepy-container-1",
+        "image": "docker.io/library/ubuntu"
+       },
+       {
+        "name": "sleepy-container-2",
+        "image": "docker.io/library/ubuntu"
+       }
+     ],
+     "initContainers": [
+       {
+        "name": "init-container-1",
+        "image": "docker.io/library/ubuntu"
+       },
+       {
+        "name": "init-container-2",
+        "image": "docker.io/library/ubuntu"
+       }
+     ]
+				}
+			}`),
+			expectedPatch: []byte(`{
+				"spec": {
+				  "containers": [
+        {
+          "name": "sleepy-container-1",
+          "securityContext": {
+            "allowPrivilegeEscalation": false,
+            "capabilities": {
+              "drop": [
+                "NET_CAP"
+              ]
+            },
+            "privileged": false
+          }
+        },
+        {
+         "name": "sleepy-container-2",
+         "securityContext": {
+           "allowPrivilegeEscalation": false,
+           "capabilities": {
+             "drop": [
+               "NET_CAP"
+             ]
+           },
+           "privileged": false
+         }
+       }
+      ],
+      "initContainers": [
+        {
+          "name": "init-container-1",
+          "securityContext": {
+            "allowPrivilegeEscalation": false,
+            "capabilities": {
+              "drop": [
+                "NET_ADMIN"
+              ]
+            },
+            "privileged": false
+          }
+        },
+        {
+         "name": "init-container-2",
+         "securityContext": {
+           "allowPrivilegeEscalation": false,
+           "capabilities": {
+             "drop": [
+               "NET_ADMIN"
+             ]
+           },
+           "privileged": false
+         }
+       }
+      ]
+				}
+			  }`),
+		},
 		{
 			rawPolicy: []byte(`{
 				"metadata": {