Fix any_all wildcard issue (#3352)

2025-03-31 03:45:17 +00:00 · 2022-03-08 18:29:33 +05:30 · 2022-03-08 18:29:33 +05:30 · 148a892277
commit 148a892277
parent 8187b9331e
4 changed files with 95 additions and 12 deletions
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -255,29 +255,37 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 		match := rule.MatchResources
 		exclude := rule.ExcludeResources
 		for _, value := range match.Any {
+			if !utils.ContainsString(value.ResourceDescription.Kinds, "*") {
 				err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
 				if err != nil {
 					return errors.Wrapf(err, "the kind defined in the any match resource is invalid")
 				}
 			}
+		}
 		for _, value := range match.All {
+			if !utils.ContainsString(value.ResourceDescription.Kinds, "*") {
 				err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
 				if err != nil {
 					return errors.Wrapf(err, "the kind defined in the all match resource is invalid")
 				}
 			}
+		}
 		for _, value := range exclude.Any {
+			if !utils.ContainsString(value.ResourceDescription.Kinds, "*") {
 				err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
 				if err != nil {
 					return errors.Wrapf(err, "the kind defined in the any exclude resource is invalid")
 				}
 			}
+		}
 		for _, value := range exclude.All {
+			if !utils.ContainsString(value.ResourceDescription.Kinds, "*") {
 				err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
 				if err != nil {
 					return errors.Wrapf(err, "the kind defined in the all exclude resource is invalid")
 				}
 			}
+		}
 		if !utils.ContainsString(rule.MatchResources.Kinds, "*") {
 			err := validateKinds(rule.MatchResources.Kinds, mock, client, *policy)
 			if err != nil {
--- a/test/cli/test/any-all-wildcard/kyverno-test.yaml
+++ b/test/cli/test/any-all-wildcard/kyverno-test.yaml
@ -0,0 +1,24 @@
+name: disallow-protected-namespaces
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: disallow-protected-namespaces
+    rule: disallow
+    resource: test1
+    kind: Pod
+    namespace: namespace1
+    result: fail
+  - policy: disallow-protected-namespaces
+    rule: disallow
+    resource: test2
+    kind: Pod
+    namespace: namespace2
+    result: fail
+  - policy: disallow-protected-namespaces
+    rule: disallow
+    resource: test3
+    kind: Pod
+    namespace: namespace3
+    result: skip
--- a/test/cli/test/any-all-wildcard/policy.yaml
+++ b/test/cli/test/any-all-wildcard/policy.yaml
@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-protected-namespaces
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+  - name: disallow
+    match:
+      all:
+      - resources:
+          kinds:
+          - "*"
+          namespaces:
+          - "namespace1"
+          - "namespace2"
+    validate:
+      message: "This resource is protected and changes are not allowed."
+      deny: {}
--- a/test/cli/test/any-all-wildcard/resource.yaml
+++ b/test/cli/test/any-all-wildcard/resource.yaml
@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test1
+  namespace: namespace1
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test2
+  namespace: namespace2
+spec: 
+  containers:
+  - name: nginx
+    image: nginx
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test3
+  namespace: namespace3
+spec: 
+  containers:
+  - name: nginx
+    image: nginx