fix ns labels matching (#6022)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>

pkg/engine/utils.go

@@ -169,7 +169,8 @@ func doesResourceMatchConditionBlock(subresourceGVKToAPIResource map[string]*met
 		}
 	}
 
-	if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" && resource.GetKind() != "" {
+	if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" &&
+		(resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind())) {
 		hasPassed, err := checkSelector(conditionBlock.NamespaceSelector, namespaceLabels)
 		if err != nil {
 			errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-ns.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- ns.yaml
+assert:
+- ns.yaml

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/03-pod-fail.yaml

@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - file: pod-fail.yaml
+    shouldFail: true
+  - file: pod-pass.yaml
+    shouldFail: false

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md

@@ -0,0 +1,12 @@
+# ## Description
+
+This test validates that the namespaceSelector is applied to a wildcard policy successfully.
+
+## Expected Behavior
+
+The pod `test-validate/nginx-block` is blocked, and the pod `default/nginx-pass` is created.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6015

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/ns.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-wildcard
+  labels:
+    freeze: "true"

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-fail.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx
+  name: nginx-block
+  namespace: test-wildcard
+spec:
+  containers:
+  - image: nginx
+    name: test

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-pass.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx
+  name: nginx-pass
+  namespace: default
+spec:
+  containers:
+  - image: nginx
+    name: test

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: freeze-policy
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml

@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: freeze-policy
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: freeze-rule
+      match:
+        any:
+        - resources:
+            kinds:
+            - "*"
+            namespaceSelector:
+              matchExpressions:
+                - key: freeze
+                  operator: In
+                  values:
+                  - "true"
+      validate:
+        message: "Namespace is frozen."
+        deny: {}