fix: schema validation for mutateExisting type of policy (#6602)

Signed-off-by: HIHIA <283304489@qq.com>
Co-authored-by: shuting <shuting@nirmata.com>

pkg/openapi/manager.go

@@ -123,17 +123,23 @@ func (o *manager) ValidatePolicyMutation(policy kyvernov1.PolicyInterface) error
 	kindToRules := make(map[string][]kyvernov1.Rule)
 	for _, rule := range autogen.ComputeRules(policy) {
 		if rule.HasMutate() {
-			for _, kind := range rule.MatchResources.Kinds {
-				kindToRules[kind] = append(kindToRules[kind], rule)
-			}
-			for _, resourceFilter := range rule.MatchResources.Any {
-				for _, kind := range resourceFilter.Kinds {
+			if rule.IsMutateExisting() {
+				for _, target := range rule.Mutation.Targets {
+					kindToRules[target.Kind] = append(kindToRules[target.Kind], rule)
+				}
+			} else {
+				for _, kind := range rule.MatchResources.Kinds {
 					kindToRules[kind] = append(kindToRules[kind], rule)
 				}
-			}
-			for _, resourceFilter := range rule.MatchResources.All {
-				for _, kind := range resourceFilter.Kinds {
-					kindToRules[kind] = append(kindToRules[kind], rule)
+				for _, resourceFilter := range rule.MatchResources.Any {
+					for _, kind := range resourceFilter.Kinds {
+						kindToRules[kind] = append(kindToRules[kind], rule)
+					}
+				}
+				for _, resourceFilter := range rule.MatchResources.All {
+					for _, kind := range resourceFilter.Kinds {
+						kindToRules[kind] = append(kindToRules[kind], rule)
+					}
 				}
 			}
 		}

test/conformance/kuttl/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/00-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - policy.yaml
+assert:
+  - policy-assert.yaml

test/conformance/kuttl/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test ensure Schema validation should validate the target resource rather than the trigger for the mutateExisting type of policy.
+
+## Expected Behavior
+
+ClusterPolicy should be successfully created.
+
+## Reference Issue(s)
+
+6594

test/conformance/kuttl/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-cm-for-kube-state-metrics-crds
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/policy.yaml

@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-cm-for-kube-state-metrics-crds
+  annotations:
+    policies.kyverno.io/description: >-
+      This policy generates and synchronizes a configmap for custom resource kube-state-metrics.
+spec:
+  generateExisting: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+    - name: restart-kube-state-metrics-on-cm-change
+      match:
+        any:
+          - resources:
+              kinds:
+                - ConfigMap
+              names:
+                - "kube-state-metrics-crds"
+              namespaces:
+                - "kube-state-metrics"
+      preconditions:
+        all:
+          - key: "{{ request.object.metadata.labels.\"kubestatemetrics.platform.example\" || '' }}"
+            operator: NotEquals
+            value: source
+      mutate:
+        targets:
+          - apiVersion: apps/v1
+            kind: Deployment
+            name: kube-state-metrics
+            namespace: kube-state-metrics
+        patchStrategicMerge:
+          spec:
+            template:
+              metadata:
+                annotations:
+                  platform.cloud.allianz/triggerrestart: "{{request.object.metadata.resourceVersion}}"