[BUG] - Safe to evict policy fails on cronjobs without volumes

[nomeelnoj]

Software version numbers
State the version numbers of applications involved in the bug.

• Kubernetes version: 1.19
• Kyverno version: 1.3.5

Describe the bug
When using the recommended safe-to-evict policy from the docs, it fails to properly validate on cronjobs that do not have a volume present

To Reproduce
Steps to reproduce the behavior:

1. Create cronjob manifest without a volume definition:

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: mycronjob
  namespace: default
spec:
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - envFrom:
            - configMapRef:
                name: myconfigmap
            image: myimage:latest
            imagePullPolicy: Always
            name: myjob
          restartPolicy: OnFailure
  schedule: 0 0 * * *

2. Use the default policy from the website
3. Run the policy in cluster or check it with the kyverno CLI:

kyverno apply add-safe-to-evict.yaml --resource mycron.yaml

4. Observe the error

╰─ kyverno apply add-safe-to-evict.yaml --resource mycron.yaml

applying 1 policy to 1 resource...
E0517 12:43:22.654826   47224 strategicMergePatch.go:69] EngineMutate "msg"="failed to apply patchStrategicMerge" "error"="failed to preProcess rule: wrong Node Kind for  expected: SequenceNode was MappingNode: value: {{\"containers\": [{\"envFrom\": [{\"configMapRef\": {\"name\": \"myconfigmap\"}}], \"image\": \"myimage:latest\", \"imagePullPolicy\": \"Always\", \"name\": \"myjob\"}], \"restartPolicy\": \"OnFailure\"}}" "kind"="CronJob" "name"="mycronjob" "namespace"="default" "policy"="add-safe-to-evict" "rule"="autogen-cronjob-annotate-empty-dir"
E0517 12:43:22.655304   47224 strategicMergePatch.go:69] EngineMutate "msg"="failed to apply patchStrategicMerge" "error"="failed to preProcess rule: wrong Node Kind for  expected: SequenceNode was MappingNode: value: {{\"containers\": [{\"envFrom\": [{\"configMapRef\": {\"name\": \"myconfigmap\"}}], \"image\": \"myimage:latest\", \"imagePullPolicy\": \"Always\", \"name\": \"myjob\"}], \"restartPolicy\": \"OnFailure\"}}" "kind"="CronJob" "name"="mycronjob" "namespace"="default" "policy"="add-safe-to-evict" "rule"="autogen-cronjob-annotate-host-path"
Failed to apply mutate policy add-safe-to-evict -> resource default/CronJob/mycronjob
1. failed to apply patchStrategicMerge: failed to preProcess rule: wrong Node Kind for  expected: SequenceNode was MappingNode: value: {{"containers": [{"envFrom": [{"configMapRef": {"name": "myconfigmap"}}], "image": "myimage:latest", "imagePullPolicy": "Always", "name": "myjob"}], "restartPolicy": "OnFailure"}}
2. failed to apply patchStrategicMerge: failed to preProcess rule: wrong Node Kind for  expected: SequenceNode was MappingNode: value: {{"containers": [{"envFrom": [{"configMapRef": {"name": "myconfigmap"}}], "image": "myimage:latest", "imagePullPolicy": "Always", "name": "myjob"}], "restartPolicy": "OnFailure"}}
pass: 0, fail: 1, warn: 0, error: 0, skip: 0

Expected behavior
The policy applies the annotation if an emptydir or host path is present, or passes without error if not.

You can get it to work by changing the policy mutate spec from:

spec:
  volumes:
  - (emptyDir): {}

to

spec:
  (volumes):
  - (emptyDir): {}

Opening per request of @realshuting in kyverno/policies#61

[realshuting]

@kacejot - are you planning to take this issue? Is this the same issue as what we have in #1658? If so, I can re-assign this issue to you and let's close both issues with fixing PR.