Fix wildcards issue for match/exclude kind block (#2137)

* Fix wildcards issue for match/exclude kind block

* fix typo

pkg/policy/validate.go

@@ -116,7 +116,11 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 				return fmt.Errorf("policy can only deal with the metadata field of the resource if" +
 					" the rule does not match an kind")
 			}
-			return fmt.Errorf("At least one element must be specified in a kind block. The kind attribute is mandatory when working with the resources element")
+			return fmt.Errorf("at least one element must be specified in a kind block. the kind attribute is mandatory when working with the resources element")
+		}
+
+		if utils.ContainsString(rule.MatchResources.Kinds, "*") || utils.ContainsString(rule.ExcludeResources.Kinds, "*") {
+			return fmt.Errorf("wildcards (*) are currently not supported in the match.resources.kinds field. at least one resource kind must be specified in a kind block.")
 		}
 
 		// Validate string values in labels

pkg/policy/validate_test.go

@@ -1369,3 +1369,47 @@ func Test_Validate_ApiCall(t *testing.T) {
 		}
 	}
 }
+func Test_Wildcards_Kind(t *testing.T) {
+	rawPolicy := []byte(`
+	{
+		"apiVersion": "kyverno.io/v1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		  "name": "require-labels"
+		},
+		"spec": {
+		  "validationFailureAction": "enforce",
+		  "rules": [
+			{
+			  "name": "check-for-labels",
+			  "match": {
+				"resources": {
+				  "kinds": [
+					"*"
+				  ]
+				}
+			  },
+			  "validate": {
+				"message": "label 'app.kubernetes.io/name' is required",
+				"pattern": {
+				  "metadata": {
+					"labels": {
+					  "app.kubernetes.io/name": "?*"
+					}
+				  }
+				}
+			  }
+			}
+		  ]
+		}
+	  }
+	`)
+
+	var policy *kyverno.ClusterPolicy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	openAPIController, _ := openapi.NewOpenAPIController()
+	err = Validate(policy, nil, true, openAPIController)
+	assert.Assert(t, err != nil)
+}