[BUG] Wildcard substitution fails to manifest properly when applied to lists #1960

Closed
maarek opened this issue Jun 3, 2021 · 5 comments
Labels: bug (Something isn't working), mutation (Issues pertaining to the mutate ability.)

maarek commented Jun 3, 2021

Software version numbers

  • Kubernetes version: 1.19.7
  • Kyverno version: 1.3.6

Describe the bug
When applying a mutation with patchStrategicMerge to a list, the substitution that occurs with {{*}} will apply the result from the first element of the list to all items in the list. Instead this should potentially apply the substitution to each item in the list. This can be seen with the replace-image-registry policy applied to a deployment/pod that has more than 1 container. All containers will have the result of the substitution against the first container's values.

To Reproduce
Apply the policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: replace-image-registry
  annotations:
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.3.6
spec:
  background: false
  rules:
    - name: replace-image-registry
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"
                image: |-
                  {{ regex_replace_all('^((?!.*.ocir.io).*?)\/', '{{@}}', 'phx.ocir.io/something/') }}

Then apply a deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: two-containers
spec:
  replicas: 1
  selector:
    matchLabels:
      app: twc
  template:
    metadata:
      labels:
        app: twc
    spec:
      containers:
        - name: nginx-container
          image: gcr.io/nginx:123
        - name: debian-container
          image: phx.ocir.io/something/debian:456

The result is:

containers:
    - name: nginx-container
      image: phx.ocir.io/something/nginx:123
    - name: debian-container
      image: phx.ocir.io/something/nginx:123

The expected result is:

containers:
    - name: nginx-container
      image: phx.ocir.io/something/nginx:123
    - name: debian-container
      image: phx.ocir.io/something/debian:456

maarek added the bug label Jun 3, 2021
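
The difference between the expected and the reported behaviour in the issue above, as an added example that is not part of the original thread and is not Kyverno code. It assumes Python's `re` module as a stand-in for the policy's `regex_replace_all` call (Kyverno's own regex engine may treat the pattern differently); all function names are hypothetical. `clobbered_containers` is a check that flags any container whose repository:tag changed, which a registry rewrite should never do.

```python
import re

# Pattern and replacement copied from the replace-image-registry policy above.
PATTERN = re.compile(r'^((?!.*.ocir.io).*?)\/')
REPLACEMENT = 'phx.ocir.io/something/'

def rewrite_image(image):
    """Apply the substitution to one container's own image value ({{@}})."""
    return PATTERN.sub(REPLACEMENT, image)

def mutate_per_element(containers):
    """Expected behaviour: each list item is substituted from its own value."""
    return [{**c, "image": rewrite_image(c["image"])} for c in containers]

def mutate_first_element_only(containers):
    """Reported behaviour: the first item's result is applied to every item."""
    first = rewrite_image(containers[0]["image"])
    return [{**c, "image": first} for c in containers]

def repo_and_tag(image):
    """Everything after the last '/', e.g. 'nginx:123'."""
    return image.rsplit("/", 1)[-1]

def clobbered_containers(before, after):
    """Names of containers whose repository:tag changed during mutation."""
    original = {c["name"]: repo_and_tag(c["image"]) for c in before}
    return [c["name"] for c in after
            if repo_and_tag(c["image"]) != original[c["name"]]]

# Constructed input: the two containers from the Deployment in the issue.
CONTAINERS = [
    {"name": "nginx-container", "image": "gcr.io/nginx:123"},
    {"name": "debian-container", "image": "phx.ocir.io/something/debian:456"},
]

if __name__ == "__main__":
    for label, mutate in (("per-element", mutate_per_element),
                          ("first-element", mutate_first_element_only)):
        result = mutate(CONTAINERS)
        print(label, [c["image"] for c in result],
              "clobbered:", clobbered_containers(CONTAINERS, result))
```
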
maarek (Author) commented Jun 3, 2021

realshuting (Member) commented

Thank you @maarek!

@kacejot @JimBugwadia - let's discuss and address the issue accordingly.

kacejot (Contributor) commented Jun 7, 2021

@realshuting, I think this is the same problem I mentioned in my proposal for global anchors. It seems like the conditional anchor doesn't work as expected in lists in patchStrategicMerge.

kacejot removed their assignment Jul 6, 2021
chipzoller added the mutation label Jul 15, 2021
vyankyGH self-assigned this Jul 19, 2021

vyankyGH (Contributor) commented

Hi @maarek, I have tested this issue. This issue has already been fixed by one of the PRs.
Here is the result I get:

containers:
  - image: gcr.io/nginx:123
    imagePullPolicy: IfNotPresent
    name: nginx-container
    resources: {}
    ...
  - image: phx.ocir.io/something/debian:456
    imagePullPolicy: IfNotPresent
    name: debian-container
    resources: {}

These changes will be available with the Kyverno 1.4.2 release.

Thanks.

vyankyGH (Contributor) commented

The issue will be resolved with the 1.4.2 release. Closing.
