823 tested prototype

pkg/policy/validate.go

@@ -94,10 +94,6 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 // of match and exclude block is not an empty set
 func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 
-	if reflect.DeepEqual(rule.MatchResources, kyverno.MatchResources{}) {
-		return true
-	}
-
 	if reflect.DeepEqual(rule.ExcludeResources, kyverno.ExcludeResources{}) {
 		return false
 	}
@@ -137,6 +133,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeRoles) > 0 {
+		if len(rule.MatchResources.UserInfo.Roles) == 0 {
+			return false
+		}
+
 		for _, role := range rule.MatchResources.UserInfo.Roles {
 			if !excludeRoles[role] {
 				return false
@@ -145,6 +145,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeClusterRoles) > 0 {
+		if len(rule.MatchResources.UserInfo.ClusterRoles) == 0 {
+			return false
+		}
+
 		for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles {
 			if !excludeClusterRoles[clusterRole] {
 				return false
@@ -153,6 +157,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeSubjects) > 0 {
+		if len(rule.MatchResources.UserInfo.Subjects) == 0 {
+			return false
+		}
+
 		for _, subject := range rule.MatchResources.UserInfo.Subjects {
 			subjectRaw, _ := json.Marshal(subject)
 			if !excludeSubjects[string(subjectRaw)] {
@@ -168,6 +176,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeNamespaces) > 0 {
+		if len(rule.MatchResources.ResourceDescription.Namespaces) == 0 {
+			return false
+		}
+
 		for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces {
 			if !excludeNamespaces[namespace] {
 				return false
@@ -176,6 +188,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeKinds) > 0 {
+		if len(rule.MatchResources.ResourceDescription.Kinds) == 0 {
+			return false
+		}
+
 		for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
 			if !excludeKinds[kind] {
 				return false
@@ -185,6 +201,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 
 	if rule.MatchResources.ResourceDescription.Selector != nil && rule.ExcludeResources.ResourceDescription.Selector != nil {
 		if len(excludeMatchExpressions) > 0 {
+			if len(rule.MatchResources.ResourceDescription.Selector.MatchExpressions) == 0 {
+				return false
+			}
+
 			for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions {
 				matchExpressionRaw, _ := json.Marshal(matchExpression)
 				if !excludeMatchExpressions[string(matchExpressionRaw)] {
@@ -194,6 +214,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 		}
 
 		if len(rule.ExcludeResources.ResourceDescription.Selector.MatchLabels) > 0 {
+			if len(rule.MatchResources.ResourceDescription.Selector.MatchLabels) == 0 {
+				return false
+			}
+
 			for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels {
 				if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] != value {
 					return false

pkg/policy/validate_test.go

@@ -1022,6 +1022,11 @@ func Test_doesMatchExcludeConflict(t *testing.T) {
 			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"somxething","namespaces":["something","something1"]}},"exclude":{"resources":{"kinds":["Pod","Namespace","Job"],"name":"some*","namespaces":["something","something1","something2"]}}}`),
 			expectedOutput: false,
 		},
+		{
+			description:    "empty case",
+			rule:           []byte(`{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.object.kind}}/{{request.object.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}`),
+			expectedOutput: false,
+		},
 	}
 
 	for i, testcase := range testcases {