diff --git a/pkg/engine/variables/operator/anyin.go b/pkg/engine/variables/operator/anyin.go
index cc6ad419c1..cf667e5283 100644
--- a/pkg/engine/variables/operator/anyin.go
+++ b/pkg/engine/variables/operator/anyin.go
@@ -63,7 +63,7 @@ func anyKeyExistsInArray(key string, value interface{}, log logr.Logger) (invali
 case []interface{}:
 for _, val := range valuesAvailable {
- if wildcard.Match(fmt.Sprint(val), key) {
+ if wildcard.Match(fmt.Sprint(val), key) || wildcard.Match(key, fmt.Sprint(val)) {
 return false, true
 }
 }
diff --git a/pkg/engine/variables/operator/in.go b/pkg/engine/variables/operator/in.go
index 2eaaeb88fe..763d3300b4 100644
--- a/pkg/engine/variables/operator/in.go
+++ b/pkg/engine/variables/operator/in.go
@@ -63,7 +63,7 @@ func keyExistsInArray(key string, value interface{}, log logr.Logger) (invalidTy
 case []interface{}:
 for _, val := range valuesAvailable {
- if wildcard.Match(fmt.Sprint(val), key) {
+ if wildcard.Match(fmt.Sprint(val), key) || wildcard.Match(key, fmt.Sprint(val)) {
 return false, true
 }
 }
diff --git a/test/cli/test/context-entries/kyverno-test.yaml b/test/cli/test/context-entries/kyverno-test.yaml
index 1df2ecd642..a2463de519 100644
--- a/test/cli/test/context-entries/kyverno-test.yaml
+++ b/test/cli/test/context-entries/kyverno-test.yaml
@@ -44,3 +44,8 @@ results:
 resource: example
 kind: Pod
 result: pass
+ - policy: example
+ rule: wildcard-match
+ resource: example
+ kind: Pod
+ result: pass
diff --git a/test/cli/test/context-entries/policies.yaml b/test/cli/test/context-entries/policies.yaml
index 77062e3c85..6c95d44497 100644
--- a/test/cli/test/context-entries/policies.yaml
+++ b/test/cli/test/context-entries/policies.yaml
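Review bot: In anyKeyExistsInArray (anyin.go) the added `wildcard.Match(key, fmt.Sprint(val))` turns `key` itself into a pattern, assuming the first argument of `wildcard.Match` is the pattern as the original call suggests. Where a policy resolves `key` from the resource under admission (not visible here), a requester-supplied value of `*` would then match every element of an allow-list and satisfy the membership check; the identical line is added to keyExistsInArray in in.go. Consider making key-side wildcards opt-in, or at least stating the behaviour above the loop, e.g. `// key is also tried as a pattern: a key of "*" matches every element, so In/AnyIn is not an allow-list check for resource-derived keys`. `fmt.Sprint(val)` is also evaluated twice per element and could be hoisted into a local before the `if`. The function body starts and ends outside the hunk.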
@@ -146,3 +146,20 @@ spec:
 - key: "{{ to_string(obj.notName) }}"
 operator: NotEquals
 value: 'null'
+ - name: wildcard-match
+ context:
+ - name: obj
+ variable:
+ value:
+ - A=ATest
+ - B=BTest
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ deny:
+ conditions:
+ - key: "A=*"
+ operator: AnyNotIn
+ value: "{{ obj }}"
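Review bot: The new `wildcard-match` rule covers only the passing case, with a literal pattern in `key` and `AnyNotIn`, so nothing pins what the bidirectional match must reject. Add a sibling rule whose key matches no element, e.g. `key: "C=*"` with the same `value`, and expect `result: fail` for it in kyverno-test.yaml. The Go change is in the `In`/`AnyIn` helpers, and whether `AnyNotIn` goes through them is not visible in this diff, so a rule using `AnyIn` or `In` directly would tie the test to the changed lines.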