From e3fe8e0cc11e223665ab0f9399665a5072945565 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Mon, 18 Oct 2021 15:42:34 -0700
Subject: [PATCH] fix mutate handling of skipped rules (#2557)
---
 pkg/engine/mutation.go | 5 +++--
 test/cli/test-mutate/policy.yaml | 15 +++++++++++++++
 test/cli/test-mutate/test.yaml | 2 --
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 139ae82d84..76d2b23f9f 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -208,7 +208,7 @@ func mutateResource(rule *kyverno.Rule, ctx *context.Context, resource unstructu
 mutateResp := &mutateResponse{false, unstructured.Unstructured{}, nil, ""}
 // Pre-conditions checks for the list of foreach rules should ideally be performed once.
- // Currently they are performed for each entry in the foreach list.
+ // Currently, they are performed for each entry in the foreach list.
 // Also, the foreach index parameter should be removed and a set of patches should be passed in.
 anyAllConditions, err := variables.SubstituteAllInPreconditions(logger, ctx, rule.AnyAllConditions)
 if err != nil {
@@ -221,7 +221,8 @@ func mutateResource(rule *kyverno.Rule, ctx *context.Context, resource unstructu
 }
 if !variables.EvaluateConditions(logger, ctx, copyConditions) {
- return errors.Wrapf(err, "preconditions mismatch"), mutateResp
+ mutateResp.skip = true
+ return fmt.Errorf("preconditions mismatch"), mutateResp
 }
 updatedRule, err := variables.SubstituteAllInRule(logger, ctx, *rule)
diff --git a/test/cli/test-mutate/policy.yaml b/test/cli/test-mutate/policy.yaml
index 1d9050b7e3..dbd37c7017 100644
--- a/test/cli/test-mutate/policy.yaml
+++ b/test/cli/test-mutate/policy.yaml
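Review bot: In the second hunk of pkg/engine/mutation.go, the precondition-mismatch branch now signals a skip through two channels at once, `mutateResp.skip = true` and a non-nil error, so a caller that tests the error before the flag would record a skipped rule as a failed one. The caller is outside the hunk, so this cannot be confirmed from here; for a policy engine the distinction matters because a skip and a rule error lead to different reported results. A comment on the branch would make the contract explicit, e.g. `// skip, not failure: callers must check mutateResp.skip before treating the returned error as a rule error`. As the message has no format verbs, `errors.New("preconditions mismatch")` would be the more conventional constructor than `fmt.Errorf`, assuming the file's `errors` import provides `New`. The body of mutateResource starts and ends outside the hunk.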
@@ -28,6 +28,21 @@ spec:
 metadata:
 labels:
 color: orange
+ - name: "impossible-rule"
+ match:
+ resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "not-the-name" # This precondition should always fail!
+ operator: In
+ value: "{{ request.object.metadata.labels | keys(@) }}"
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ something: "something"
 ---
diff --git a/test/cli/test-mutate/test.yaml b/test/cli/test-mutate/test.yaml
index 0b8925e206..63fd061cb4 100644
--- a/test/cli/test-mutate/test.yaml
+++ b/test/cli/test-mutate/test.yaml
@@ -43,8 +43,6 @@ results:
 patchedResource: patchedResource6.yaml
 kind: Pod
 result: pass
-
-
 - policy: testing/add-ndots
 rule: add-ndots
 resource: resource-equal-to-patch-res-for-cp
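Review bot: The new `impossible-rule` in test/cli/test-mutate/policy.yaml has no matching entry in the visible part of test.yaml, whose hunk only removes two blank lines, so nothing shown here asserts that the rule is actually reported as skipped. If the CLI test format can express a skipped result, adding an expectation for `impossible-rule` against one of the existing Pod resources would pin the behaviour this commit fixes. The precondition also appears to "always fail" only when `request.object.metadata.labels` is present; for a Pod without labels, `keys(@)` may fail during variable substitution and take the error path rather than the mismatch path. The inline comment could say so, e.g. `# always fails for resources that have labels; unlabelled resources may hit the substitution error path instead`.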