Fix any_all wildcard issue (#3352)

pkg/policy/validate.go

@@ -255,27 +255,35 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 		match := rule.MatchResources
 		exclude := rule.ExcludeResources
 		for _, value := range match.Any {
-			err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
-			if err != nil {
-				return errors.Wrapf(err, "the kind defined in the any match resource is invalid")
+			if !utils.ContainsString(value.ResourceDescription.Kinds, "*") {
+				err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
+				if err != nil {
+					return errors.Wrapf(err, "the kind defined in the any match resource is invalid")
+				}
 			}
 		}
 		for _, value := range match.All {
-			err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
-			if err != nil {
-				return errors.Wrapf(err, "the kind defined in the all match resource is invalid")
+			if !utils.ContainsString(value.ResourceDescription.Kinds, "*") {
+				err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
+				if err != nil {
+					return errors.Wrapf(err, "the kind defined in the all match resource is invalid")
+				}
 			}
 		}
 		for _, value := range exclude.Any {
-			err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
-			if err != nil {
-				return errors.Wrapf(err, "the kind defined in the any exclude resource is invalid")
+			if !utils.ContainsString(value.ResourceDescription.Kinds, "*") {
+				err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
+				if err != nil {
+					return errors.Wrapf(err, "the kind defined in the any exclude resource is invalid")
+				}
 			}
 		}
 		for _, value := range exclude.All {
-			err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
-			if err != nil {
-				return errors.Wrapf(err, "the kind defined in the all exclude resource is invalid")
+			if !utils.ContainsString(value.ResourceDescription.Kinds, "*") {
+				err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
+				if err != nil {
+					return errors.Wrapf(err, "the kind defined in the all exclude resource is invalid")
+				}
 			}
 		}
 		if !utils.ContainsString(rule.MatchResources.Kinds, "*") {

test/cli/test/any-all-wildcard/kyverno-test.yaml

@@ -0,0 +1,24 @@
+name: disallow-protected-namespaces
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: disallow-protected-namespaces
+    rule: disallow
+    resource: test1
+    kind: Pod
+    namespace: namespace1
+    result: fail
+  - policy: disallow-protected-namespaces
+    rule: disallow
+    resource: test2
+    kind: Pod
+    namespace: namespace2
+    result: fail
+  - policy: disallow-protected-namespaces
+    rule: disallow
+    resource: test3
+    kind: Pod
+    namespace: namespace3
+    result: skip

test/cli/test/any-all-wildcard/policy.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-protected-namespaces
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+  - name: disallow
+    match:
+      all:
+      - resources:
+          kinds:
+          - "*"
+          namespaces:
+          - "namespace1"
+          - "namespace2"
+    validate:
+      message: "This resource is protected and changes are not allowed."
+      deny: {}

test/cli/test/any-all-wildcard/resource.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test1
+  namespace: namespace1
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test2
+  namespace: namespace2
+spec: 
+  containers:
+  - name: nginx
+    image: nginx
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test3
+  namespace: namespace3
+spec: 
+  containers:
+  - name: nginx
+    image: nginx