fix: disable autogen in foreach mutation with json patches (#6996)

* fix: disable autogen in foreach mutation with json patches

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

pkg/autogen/autogen.go

@@ -73,6 +73,11 @@ func CanAutoGen(spec *kyvernov1.Spec) (applyAutoGen bool, controllers string) {
 		if rule.Mutation.PatchesJSON6902 != "" || rule.HasGenerate() {
 			return false, "none"
 		}
+		for _, foreach := range rule.Mutation.ForEachMutation {
+			if foreach.PatchesJSON6902 != "" {
+				return false, "none"
+			}
+		}
 		match, exclude := rule.MatchResources, rule.ExcludeResources
 		if !checkAutogenSupport(&needed, match.ResourceDescription, exclude.ResourceDescription) {
 			debug.Info("skip generating rule on pod controllers: Name / Selector in resource description may not be applicable.", "rule", rule.Name)

test/conformance/kuttl/autogen/foreach-jsonpatch/01-policy.yaml

@@ -0,0 +1,8 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
+error:
+- policy-error.yaml

test/conformance/kuttl/autogen/foreach-jsonpatch/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test creates a cluster policy with a mutation rule containing a foreach and json patch.
+
+## Expected Behavior
+
+No autogen rules should be present in the status as json patches are supposed to disable autogen.
+
+## Reference Issue(s)
+
+- https://github.com/kyverno/kyverno/issues/4731

test/conformance/kuttl/autogen/foreach-jsonpatch/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: mutate-pod-require-non-root-user
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+  autogen: {}

test/conformance/kuttl/autogen/foreach-jsonpatch/policy-error.yaml

@@ -0,0 +1,13 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: mutate-pod-require-non-root-user
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+  autogen:
+    rules:
+    - name: autogen-require-non-root-user
+    - name: autogen-cronjob-require-non-root-user

test/conformance/kuttl/autogen/foreach-jsonpatch/policy.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: mutate-pod-require-non-root-user
+spec:
+  schemaValidation: false
+  rules:
+    - name: require-non-root-user
+      match:
+        all:
+          - resources:
+              kinds:
+                - Pod
+      mutate:
+        foreach:
+          - list: request.object.spec.containers
+            preconditions:
+              all:
+                # skip images that are exempt (allowed to run as a root user);
+                # escape quotes where the replaced value may contain hyphens
+                - key: "{{images.containers.\"{{element.name}}\".path}}"
+                  operator: AnyNotIn
+                  value:
+                    - myorg/exempt-image-name
+            patchesJson6902: |-
+              - path: /spec/containers/{{elementIndex}}/securityContext/runAsNonRoot
+                op: add
+                value: true