fix mutate targets variable (#5862)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>

pkg/engine/mutate/mutation.go

@@ -56,8 +56,14 @@ func Mutate(rule *kyvernov1.Rule, ctx context.Interface, resource unstructured.U
 		return NewResponse(response.RuleStatusSkip, resource, nil, "no patches applied")
 	}
 
-	if err := ctx.AddResource(patchedResource.Object); err != nil {
-		return NewErrorResponse("failed to update patched resource in the JSON context", err)
+	if rule.IsMutateExisting() {
+		if err := ctx.AddTargetResource(patchedResource.Object); err != nil {
+			return NewErrorResponse("failed to update patched resource in the JSON context", err)
+		}
+	} else {
+		if err := ctx.AddResource(patchedResource.Object); err != nil {
+			return NewErrorResponse("failed to update patched resource in the JSON context", err)
+		}
 	}
 
 	return NewResponse(response.RuleStatusPass, patchedResource, resp.Patches, resp.Message)

test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: reload
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-policy.yaml

@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: reload
+spec:
+  mutateExistingOnPolicyUpdate: false
+  rules:
+  - name: trigger
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+          selector:
+            matchLabels:
+              kyverno.io/watch: "true"
+    preconditions:
+      all:
+      - key: "{{ request.operation }}"
+        operator: Equals
+        value: UPDATE
+    mutate:
+      targets:
+        - apiVersion: v1
+          kind: Pod
+          namespace: "{{ request.namespace }}"
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            corp.org/random: "{{ request.object.data.fookey }}"
+        spec:
+          volumes:
+          - configMap:
+              <(name): "{{ request.object.metadata.name }}"

test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-assert.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+  fookey: fakeval
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: foo
+  labels:
+    kyverno.io/watch: "true"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mypod
+  namespace: foo

test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-resources.yaml

@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: foo
+---
+apiVersion: v1
+data:
+  fookey: fakeval
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: foo
+  labels:
+    kyverno.io/watch: "true"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mypod
+  namespace: foo
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    command: ["sleep", "1d"]
+    volumeMounts:
+    - name: mycm
+      mountPath: /etc/mycm
+  volumes:
+    - name: mycm
+      configMap:
+        name: mycm
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: unwatched
+  namespace: foo
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+    command: ["sleep", "1d"]
+    volumeMounts:
+    - name: othercm
+      mountPath: /etc/fooconfig
+  volumes:
+    - name: othercm
+      configMap:
+        name: othercm
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: othercm
+  namespace: foo
+data:
+  foo: bar

test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/03-update-cm.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- update-mycm.yaml
+assert:
+- update-mycm.yaml

test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/04-cm-assert.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  fookey: bar
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: foo

test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/99-cleanup.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-policy.yaml,02-resources.yaml --force --wait=true --ignore-not-found=true

test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks that variable `request.object` always references the admission request object data in mutateExisting policies.
+
+## Expected Behavior
+
+With the mutateExisting policy, the variable `request.object` should always be substituted to the matching configmap's name `mycm`, not any pod's name. When the test finishes, the annotation `corp.org/random=bar` should be added to the pod `foo/mypod`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5820

test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/update-mycm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  fookey: bar
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: foo
+  labels:
+    kyverno.io/watch: "true"