fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

pkg/engine/mutation.go

@@ -98,16 +98,19 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 		if rule.Mutation.ForEachMutation != nil {
 			ruleResp, patchedResource = mutateForEachResource(ruleCopy, policyContext, patchedResource, logger)
 		} else {
-			skip := false
 			err, mutateResp := mutateResource(ruleCopy, policyContext.JSONContext, patchedResource, logger)
 			if err != nil {
-				if skip {
+				if mutateResp.skip {
 					ruleResp = ruleResponse(&rule, utils.Mutation, err.Error(), response.RuleStatusSkip)
 				} else {
 					ruleResp = ruleResponse(&rule, utils.Mutation, err.Error(), response.RuleStatusError)
 				}
 			} else {
-				ruleResp = ruleResponse(&rule, utils.Mutation, "mutated resource", response.RuleStatusPass)
+				if mutateResp.message == "" {
+					mutateResp.message = "mutated resource"
+				}
+
+				ruleResp = ruleResponse(&rule, utils.Mutation, mutateResp.message, response.RuleStatusPass)
 				ruleResp.Patches = mutateResp.patches
 				patchedResource = mutateResp.patchedResource
 			}
@@ -193,10 +196,11 @@ type mutateResponse struct {
 	skip bool
 	patchedResource unstructured.Unstructured
 	patches [][]byte
+	message string
 }
 
 func mutateResource(rule *kyverno.Rule, ctx *context.Context, resource unstructured.Unstructured, logger logr.Logger) (error, *mutateResponse) {
-	mutateResp := &mutateResponse{false, unstructured.Unstructured{}, nil}
+	mutateResp := &mutateResponse{false, unstructured.Unstructured{}, nil, ""}
 	anyAllConditions, err := variables.SubstituteAllInPreconditions(logger, ctx, rule.AnyAllConditions)
 	if err != nil {
 		return errors.Wrapf(err, "failed to substitute vars in preconditions"), mutateResp
@@ -229,6 +233,7 @@ func mutateResource(rule *kyverno.Rule, ctx *context.Context, resource unstructu
 		mutateResp.skip = false
 		mutateResp.patchedResource = patchedResource
 		mutateResp.patches = resp.Patches
+		mutateResp.message = resp.Message
 		logger.V(4).Info("mutate rule applied successfully", "ruleName", rule.Name)
 	}
 

pkg/testrunner/scenario.go

@@ -230,11 +230,11 @@ func validateResource(t *testing.T, responseResource unstructured.Unstructured,
 		return
 	}
 
-	resourcePrint(responseResource, "response resource")
-	resourcePrint(*expectedResource, "expected resource")
 	// compare the resources
 	if !reflect.DeepEqual(responseResource, *expectedResource) {
 		t.Error("failed: response resource returned does not match expected resource")
+		resourcePrint(responseResource, "response resource")
+		resourcePrint(*expectedResource, "expected resource")
 		return
 	}
 	t.Log("success: response resource returned matches expected resource")
@@ -339,6 +339,12 @@ func loadPolicyResource(t *testing.T, file string) *unstructured.Unstructured {
 		t.Logf("more than one resource specified in the file %s", file)
 		t.Log("considering the first one for policy application")
 	}
+
+	for _, r := range resources {
+		metadata := r.UnstructuredContent()["metadata"].(map[string]interface{})
+		delete(metadata, "creationTimestamp")
+	}
+
 	return resources[0]
 }
 

test/output/pod-with-emptydir.yaml

@@ -3,7 +3,7 @@ kind: Pod
 metadata:
   name: pod-with-emptydir
   annotations:
-    cluster-autoscaler.kubernetes.io/safe-to-evict: true
+    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
 spec:
   containers:
   - image: k8s.gcr.io/test-webserver
@@ -13,4 +13,4 @@ spec:
       name: cache-volume
   volumes:
   - name: cache-volume
-    emptyDir: {}
+    emptyDir: {}

test/output/pod-with-hostpath.yaml

@@ -3,7 +3,7 @@ kind: Pod
 metadata:
   name: pod-with-hostpath
   annotations:
-    cluster-autoscaler.kubernetes.io/safe-to-evict: true
+    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
 spec:
   containers:
   - image: k8s.gcr.io/test-webserver

test/resources/pod-with-hostpath.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: pod-with-hostpath
+  annotations:
 spec:
   containers:
   - image: k8s.gcr.io/test-webserver

test/scenarios/samples/best_practices/add_safe_to_evict.yaml

@@ -15,7 +15,11 @@ expected:
         namespace: ''
         name: pod-with-emptydir
       rules:
-        - name: annotate-empty-dir
+      - name: annotate-empty-dir
-          type: Mutation
+        type: Mutation
-          status: pass
+        status: pass
-          message: "successfully processed strategic merge patch"
+        message: "successfully processed strategic merge patch"
+      - name: annotate-host-path
+        type: Mutation
+        status: skip
+        message: "resource does not match pattern"

test/scenarios/samples/best_practices/add_safe_to_evict2.yaml

@@ -15,6 +15,10 @@ expected:
         namespace: ''
         name: pod-with-hostpath
       rules:
+        - name: annotate-empty-dir
+          type: Mutation
+          status: skip
+          message: "resource does not match pattern"
         - name: annotate-host-path
           type: Mutation
           status: pass

test/scenarios/samples/best_practices/add_safe_to_evict3.yaml

@@ -14,4 +14,14 @@ expected:
         apiVersion: v1
         namespace: ''
         name: pod-with-default-volume
-      rules:
+      rules:
+        - name: annotate-empty-dir
+          type: Mutation
+          status: skip
+          message: "resource does not match pattern"      
+        - name: annotate-host-path
+          type: Mutation
+          status: skip
+          message: "resource does not match pattern"      
+
+