update documentation/mutate.md

documentation/writing-policies-mutate.md

@@ -35,13 +35,13 @@ spec :
           kinds:
           - Deployment
       mutate:
-        patches:
-        - path: "/spec/template/spec/initContainers/0/"
-          op: add
-          value:
-            - image: "nirmata.io/kube-vault-client:v2"
-              name: "init-secrets"
-
+        overlay:
+          spec:
+            template:
+              spec:
+                initContainers:
+                  - name: init-secrets
+                    image: nirmata.io/kube-vault-client:v2
 ````
 
 Here is the example of a patch that removes a label from the secret:
@@ -178,25 +178,30 @@ A variation of an anchor, is to add a field value if it is not already defined.
 
 An `add anchor` is processed as part of applying the mutation. Typically, every non-anchor tag-value is applied as part of the mutation. If the `add anchor` is set on a tag, the tag and value are only applied if they do not exist in the resource.
 
-For example, this overlay will set the port to 6443, if a port is not already defined:
+For example, this policy matches and mutates pods with `emptyDir` volume, to add the `safe-to-evict` annotation if it is not specified.
 
 ````yaml
 apiVersion: kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : policy-set-port
-spec :
+kind: ClusterPolicy
+metadata: 
+  name: add-safe-to-evict
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+spec: 
   rules: 
-  - name: "Set port"
+  - name: "annotate-empty-dir"
     match: 
       resources: 
-        kinds :
-          - Endpoints
+        kinds: 
+        - Pod
     mutate: 
       overlay:
-        subsets:
-        - (ports):
-            +(port): 6443
+        metadata:
+          annotations:
+            +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
+        spec:          
+          volumes: 
+          - (emptyDir): {}
 ````
 
 #### Anchor processing flow