Fix regression in wildcard matches in In/AnyIn operators (#3686)

Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-04-26 19:03:05 +01:00 · 2022-04-26 19:03:05 +01:00 · 25badfe4fb
commit 25badfe4fb
parent 8c930134ef
4 changed files with 24 additions and 2 deletions
--- a/pkg/engine/variables/operator/anyin.go
+++ b/pkg/engine/variables/operator/anyin.go
@ -63,7 +63,7 @@ func anyKeyExistsInArray(key string, value interface{}, log logr.Logger) (invali
 	case []interface{}:
 		for _, val := range valuesAvailable {
-			if wildcard.Match(fmt.Sprint(val), key) {
+			if wildcard.Match(fmt.Sprint(val), key) || wildcard.Match(key, fmt.Sprint(val)) {
 				return false, true
 			}
 		}
--- a/pkg/engine/variables/operator/in.go
+++ b/pkg/engine/variables/operator/in.go
@ -63,7 +63,7 @@ func keyExistsInArray(key string, value interface{}, log logr.Logger) (invalidTy
 	case []interface{}:
 		for _, val := range valuesAvailable {
-			if wildcard.Match(fmt.Sprint(val), key) {
+			if wildcard.Match(fmt.Sprint(val), key) || wildcard.Match(key, fmt.Sprint(val)) {
 				return false, true
 			}
 		}
--- a/test/cli/test/context-entries/kyverno-test.yaml
+++ b/test/cli/test/context-entries/kyverno-test.yaml
@ -44,3 +44,8 @@ results:
    resource: example
    kind: Pod
    result: pass
  - policy: example
    rule:  wildcard-match
    resource: example
    kind: Pod
    result: pass
--- a/test/cli/test/context-entries/policies.yaml
+++ b/test/cli/test/context-entries/policies.yaml
@ -146,3 +146,20 @@ spec:
            - key: "{{ to_string(obj.notName) }}"
              operator: NotEquals
              value: 'null'
  - name: wildcard-match
    context:
    - name: obj
      variable:
        value: 
         - A=ATest
         - B=BTest
    match:
      resources:
        kinds:
        - Pod
    validate:
      deny:
        conditions:
          - key: "A=*"
            operator: AnyNotIn
            value: "{{ obj }}"