From f59f17c05cc5aaf1f0a23a513ba33952960a351c Mon Sep 17 00:00:00 2001
From: shuting
Date: Wed, 4 Jan 2023 19:35:46 +0800
Subject: [PATCH] fix mutate targets variable (#5862)

Signed-off-by: ShutingZhao
Signed-off-by: ShutingZhao
---
 pkg/engine/mutate/mutation.go | 10 +++-
 .../variables-mutate-existing/01-assert.yaml | 9 +++
 .../variables-mutate-existing/01-policy.yaml | 34 +++++++++++
 .../variables-mutate-existing/02-assert.yaml | 15 +++++
 .../02-resources.yaml | 58 +++++++++++++++++++
 .../03-update-cm.yaml | 6 ++
 .../04-cm-assert.yaml | 7 +++
 .../variables-mutate-existing/99-cleanup.yaml | 4 ++
 .../variables-mutate-existing/README.md | 11 ++++
 .../update-mycm.yaml | 9 +++
 10 files changed, 161 insertions(+), 2 deletions(-)
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-assert.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-policy.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-assert.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-resources.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/03-update-cm.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/04-cm-assert.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/99-cleanup.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/README.md
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/update-mycm.yaml

diff --git a/pkg/engine/mutate/mutation.go b/pkg/engine/mutate/mutation.go
index aa0b9a99a4..4d225247a0 100644
--- a/pkg/engine/mutate/mutation.go
+++ b/pkg/engine/mutate/mutation.go
@@ -56,8 +56,14 @@ func Mutate(rule *kyvernov1.Rule, ctx context.Interface, resource unstructured.U
 return NewResponse(response.RuleStatusSkip, resource, nil, "no patches applied")
 }

- if err := ctx.AddResource(patchedResource.Object); err != nil {
- return NewErrorResponse("failed to update patched resource in the JSON context", err)
+ if rule.IsMutateExisting() {
+ if err := ctx.AddTargetResource(patchedResource.Object); err != nil {
+ return NewErrorResponse("failed to update patched resource in the JSON context", err)
+ }
+ } else {
+ if err := ctx.AddResource(patchedResource.Object); err != nil {
+ return NewErrorResponse("failed to update patched resource in the JSON context", err)
+ }
 }

 return NewResponse(response.RuleStatusPass, patchedResource, resp.Patches, resp.Message)
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-assert.yaml
new file mode 100644
index 0000000000..e8ffe05a08
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: reload
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-policy.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-policy.yaml
new file mode 100644
index 0000000000..cea8c6bb60
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-policy.yaml
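Review bot: Both new branches return the identical message `"failed to update patched resource in the JSON context"`, so an operator reading the error can no longer tell whether the target-resource slot or the request-resource slot failed to update; the mutate-existing branch should at least say `return NewErrorResponse("failed to update patched target resource in the JSON context", err)`. The two if/else bodies are otherwise duplicates and can collapse into one call by picking the method first, assuming `AddTargetResource` and `AddResource` share a signature (both are invoked with `patchedResource.Object` here). A short comment above the branch stating why a mutate-existing target must not be stored as the request object — the added README says `request.object` has to keep referring to the trigger — would stop the next reader from "simplifying" it back. Mutate's signature and closing brace are outside the hunk.
```go
	// A mutate-existing rule patches a *target*, not the admission request
	// object; keep it in the target slot so request.object still refers to
	// the trigger resource.
	add, what := ctx.AddResource, "resource"
	if rule.IsMutateExisting() {
		add, what = ctx.AddTargetResource, "target resource"
	}
	if err := add(patchedResource.Object); err != nil {
		return NewErrorResponse("failed to update patched "+what+" in the JSON context", err)
	}
	// … unchanged: success response …
```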
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: reload
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: trigger
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ selector:
+ matchLabels:
+ kyverno.io/watch: "true"
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: Equals
+ value: UPDATE
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: Pod
+ namespace: "{{ request.namespace }}"
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ corp.org/random: "{{ request.object.data.fookey }}"
+ spec:
+ volumes:
+ - configMap:
+ <(name): "{{ request.object.metadata.name }}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-assert.yaml
new file mode 100644
index 0000000000..f7559ecae3
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-assert.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+ fookey: fakeval
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: foo
+ labels:
+ kyverno.io/watch: "true"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: mypod
+ namespace: foo
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-resources.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-resources.yaml
new file mode 100644
index 0000000000..3209e361b9
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-resources.yaml
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: foo
+---
+apiVersion: v1
+data:
+ fookey: fakeval
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: foo
+ labels:
+ kyverno.io/watch: "true"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: mypod
+ namespace: foo
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ command: ["sleep", "1d"]
+ volumeMounts:
+ - name: mycm
+ mountPath: /etc/mycm
+ volumes:
+ - name: mycm
+ configMap:
+ name: mycm
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: unwatched
+ namespace: foo
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ command: ["sleep", "1d"]
+ volumeMounts:
+ - name: othercm
+ mountPath: /etc/fooconfig
+ volumes:
+ - name: othercm
+ configMap:
+ name: othercm
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: othercm
+ namespace: foo
+data:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/03-update-cm.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/03-update-cm.yaml
new file mode 100644
index 0000000000..e1b90a1682
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/03-update-cm.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- update-mycm.yaml
+assert:
+- update-mycm.yaml
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/04-cm-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/04-cm-assert.yaml
new file mode 100644
index 0000000000..0e7ab156a2
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/04-cm-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ fookey: bar
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: foo
\ No newline at end of file
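Review bot: The 04-cm-assert.yaml step only re-asserts that `mycm` carries `fookey: bar`, which step 03 already asserts through `update-mycm.yaml`, while nothing in the new test checks the pod — yet the README states the outcome under test is annotation `corp.org/random=bar` landing on `foo/mypod`. As written, the `request.object` substitution bug this commit fixes could regress and the suite would still pass. Add a Pod document to this assertion (or a separate later step if the target mutation is applied asynchronously and needs kuttl's retry window) so the fix is actually pinned; `unwatched` should correspondingly stay free of the annotation, which a second assert could cover.
```yaml
# … unchanged: ConfigMap mycm assertion …
---
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: foo
  annotations:
    corp.org/random: bar
```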
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/99-cleanup.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/99-cleanup.yaml
new file mode 100644
index 0000000000..d0ff9174a7
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-policy.yaml,02-resources.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/README.md b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/README.md
new file mode 100644
index 0000000000..be1452c2f4
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks that variable `request.object` always references the admission request object data in mutateExisting policies.
+
+## Expected Behavior
+
+With the mutateExisting policy, the variable `request.object` should always be substituted to the matching configmap's name `mycm`, not any pod's name. When the test finishes, the annotation `corp.org/random=bar` should be added to the pod `foo/mypod`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5820
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/update-mycm.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/update-mycm.yaml
new file mode 100644
index 0000000000..d9c273541d
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/variables-mutate-existing/update-mycm.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+ fookey: bar
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: foo
+ labels:
+ kyverno.io/watch: "true"
\ No newline at end of file