fix mutate wildcard issue (#3193)

Co-authored-by: shuting <shuting@nirmata.com>

pkg/webhooks/mutation.go

@@ -150,9 +150,11 @@ func (ws *WebhookServer) applyMutation(request *v1beta1.AdmissionRequest, policy
 		return nil, nil, fmt.Errorf("failed to apply policy %s rules %v", policyContext.Policy.Name, engineResponse.GetFailedRules())
 	}
 
-	err := ws.openAPIController.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetAPIVersion(), engineResponse.PatchedResource.GetKind())
-	if err != nil {
-		return nil, nil, errors.Wrapf(err, "failed to validate resource mutated by policy %s", policyContext.Policy.Name)
+	if engineResponse.PatchedResource.GetKind() != "*" {
+		err := ws.openAPIController.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetAPIVersion(), engineResponse.PatchedResource.GetKind())
+		if err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to validate resource mutated by policy %s", policyContext.Policy.Name)
+		}
 	}
 
 	return engineResponse, policyPatches, nil

test/cli/test/wildcard_mutate/kyverno-test.yaml

@@ -0,0 +1,18 @@
+name: wildcard-support-in-matchlabels
+policies:
+  -  policy.yaml
+resources:
+  -  resources.yaml
+results:
+  - policy: mutate-wildcard
+    rule: mutate-wildcard
+    resource: wildcard-mutate
+    patchedResource: patchedResource.yaml
+    kind: Pod
+    result: pass
+  - policy: mutate-wildcard
+    rule: mutate-wildcard
+    resource: wildcard-mutate-fail
+    patchedResource: patchedResource1.yaml
+    kind: Pod
+    result: fail

test/cli/test/wildcard_mutate/patchedResource.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    test: app
+  name: wildcard-mutate
+  namespace: default
+spec:
+  containers:
+  - image: nginx:latest
+    name: nginx

test/cli/test/wildcard_mutate/patchedResource1.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: wildcard-mutate
+  namespace: default
+spec:
+  containers:
+  - image: nginx:latest
+    name: nginx

test/cli/test/wildcard_mutate/policy.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: mutate-wildcard
+spec:
+  background: false
+  failurePolicy: Ignore
+  rules:
+  - name: mutate-wildcard
+    match:
+      all:
+        - resources:
+            kinds:
+            - "*"
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            test: "app"

test/cli/test/wildcard_mutate/resources.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: wildcard-mutate
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: wildcard-mutate-fail
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest

test/policy.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: who-created-this
+spec:
+  background: false
+  failurePolicy: Ignore
+  rules:
+  - name: who-created-this
+    match:
+      all:
+        - resources:
+            kinds:
+            - "*"
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            test: "app"

test/resources.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-require-image-tag-pass
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest