test: add kuttl tests for policy kinds validation (#6547)

* test: add kuttl tests for policy kinds validation

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

pkg/policy/validate.go

@@ -1285,16 +1285,22 @@ func validateWildcard(kinds []string, spec *kyvernov1.Spec, rule kyvernov1.Rule)
 // and found in the cache, returns error if not found. It also returns an error if background scanning
 // is enabled for a subresource.
 func validateKinds(kinds []string, mock, backgroundScanningEnabled, isValidationPolicy bool, client dclient.Interface) error {
-	for _, kind := range kinds {
+	for _, k := range kinds {
-		if !mock && !strings.Contains(kind, "*") {
+		if !mock {
-			gv, k := kubeutils.GetKindFromGVK(kind)
+			group, version, kind, subresource := kubeutils.ParseKindSelector(k)
-			_, _, gvr, err := client.Discovery().FindResource(gv, k)
+			gvrs, err := client.Discovery().FindResources(group, version, kind, subresource)
 			if err != nil {
 				return fmt.Errorf("unable to convert GVK to GVR for kinds %s, err: %s", k, err)
 			}
-			_, subresource := kubeutils.SplitSubresource(gvr.Resource)
+			if len(gvrs) == 0 {
-			if subresource != "" && isValidationPolicy && backgroundScanningEnabled {
+				return fmt.Errorf("unable to convert GVK to GVR for kinds %s", k)
-				return fmt.Errorf("background scan enabled with subresource %s", subresource)
+			}
+			if backgroundScanningEnabled {
+				for _, gvr := range gvrs {
+					if strings.Contains(gvr.Resource, "/") {
+						return fmt.Errorf("background scan enabled with subresource %s", subresource)
+					}
+				}
 			}
 		}
 	}
@@ -1310,7 +1316,6 @@ func validateWildcardsWithNamespaces(enforce, audit, enforceW, auditW []string)
 	if notOk {
 		return fmt.Errorf("wildcard pattern '%s' matches with namespace '%s'", pat, ns)
 	}
-
 	pat1, pat2, notOk := wildcard.MatchPatterns(auditW, enforceW...)
 	if notOk {
 		return fmt.Errorf("wildcard pattern '%s' conflicts with the pattern '%s'", pat1, pat2)
@@ -1319,7 +1324,6 @@ func validateWildcardsWithNamespaces(enforce, audit, enforceW, auditW []string)
 	if notOk {
 		return fmt.Errorf("wildcard pattern '%s' conflicts with the pattern '%s'", pat1, pat2)
 	}
-
 	return nil
 }
 

test/conformance/kuttl/webhooks/unknown-kind/01-unknown-kind.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - file: policy-1.yaml
+    shouldFail: true

test/conformance/kuttl/webhooks/unknown-kind/02-unknown-kind-subresource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - file: policy-2.yaml
+    shouldFail: true

test/conformance/kuttl/webhooks/unknown-kind/03-wrong-version.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - file: policy-3.yaml
+    shouldFail: true

test/conformance/kuttl/webhooks/unknown-kind/04-unknown-subresource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - file: policy-4.yaml
+    shouldFail: true

test/conformance/kuttl/webhooks/unknown-kind/README.md

@@ -0,0 +1,4 @@
+## Description
+
+This test tries to create policies with different combinations of unknown kind and/or subresource.
+The policies should be rejected.

test/conformance/kuttl/webhooks/unknown-kind/policy-1.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: unknown
+spec:
+  validationFailureAction: Audit
+  background: false
+  rules:
+    - name: unknown
+      match:
+        any:
+          - resources:
+              kinds:
+                - Foo
+      validate:
+        message: 'The label `team` is required.'
+        pattern:
+          metadata:
+            labels:
+              team: '?*'

test/conformance/kuttl/webhooks/unknown-kind/policy-2.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: unknown
+spec:
+  validationFailureAction: Audit
+  background: false
+  rules:
+    - name: unknown
+      match:
+        any:
+          - resources:
+              kinds:
+                - Foo/*
+      validate:
+        message: 'The label `team` is required.'
+        pattern:
+          metadata:
+            labels:
+              team: '?*'

test/conformance/kuttl/webhooks/unknown-kind/policy-3.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: unknown
+spec:
+  validationFailureAction: Audit
+  background: false
+  rules:
+    - name: unknown
+      match:
+        any:
+          - resources:
+              kinds:
+                - v2/Pod
+      validate:
+        message: 'The label `team` is required.'
+        pattern:
+          metadata:
+            labels:
+              team: '?*'

test/conformance/kuttl/webhooks/unknown-kind/policy-4.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: unknown
+spec:
+  validationFailureAction: Audit
+  background: false
+  rules:
+    - name: unknown
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod/foo
+      validate:
+        message: 'The label `team` is required.'
+        pattern:
+          metadata:
+            labels:
+              team: '?*'