From 40836ff6fc06a6ded359749e7e733ca96c9d0052 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Wed, 4 Jan 2023 21:22:43 -0800
Subject: [PATCH] fix validation checks for foreach and nested foreach (#5875)

Signed-off-by: Jim Bugwadia
Signed-off-by: Jim Bugwadia
---
 pkg/policy/validate/validate.go | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go
index aca82b0532..5d0d88e6a2 100644
--- a/pkg/policy/validate/validate.go
+++ b/pkg/policy/validate/validate.go
@@ -2,7 +2,6 @@ package validate

 import (
 "fmt"
- "strings"

 kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 commonAnchors "github.com/kyverno/kyverno/pkg/engine/anchor"
@@ -110,17 +109,13 @@ func (v *Validate) validateForEach(foreach kyvernov1.ForEachValidation) error {
 return fmt.Errorf("foreach.list is required")
 }

- if !strings.HasPrefix(foreach.List, "request.object") && !strings.HasPrefix(foreach.List, "request.userInfo") {
- return fmt.Errorf("foreach.list must start with either 'request.object' or 'request.userInfo', e.g. 'request.object.spec.containers', 'request.userInfo.groups'")
- }
-
 count := foreachElemCount(foreach)
 if count == 0 {
- return fmt.Errorf("one of pattern, anyPattern, deny must be specified")
+ return fmt.Errorf("one of pattern, anyPattern, deny, or a nested foreach must be specified")
 }

 if count > 1 {
- return fmt.Errorf("only one of pattern, anyPattern, deny can be specified")
+ return fmt.Errorf("only one of pattern, anyPattern, deny, or a nested foreach can be specified")
 }

 return nil
@@ -140,5 +135,9 @@ func foreachElemCount(foreach kyvernov1.ForEachValidation) int {
 count++
 }

+ if foreach.ForEachValidation != nil {
+ count++
+ }
+
 return count
 }
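Review bot: With the prefix check removed from validateForEach, the only remaining test on `foreach.List` in this hunk is the emptiness check, so any string is now accepted as the list expression when the policy is admitted. A typo or an expression that resolves to nothing would, as far as this hunk shows, surface only when the rule is evaluated against a request, and for a validate rule that can mean the check is quietly not enforced. Consider a syntax-only check of the expression at this point, or at least record the decision in a comment such as `// foreach.list may reference any context variable; the expression is not checked until rule evaluation`. The function starts above the hunk, so an existing check there may already cover this.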
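Review bot: The new branch in foreachElemCount counts a nested foreach by a nil test alone, so a nested entry that is present but carries no pattern, anyPattern or deny still satisfies the exactly-one rule in validateForEach; nothing visible in this patch descends into the nested entries and applies validateForEach to them. If the field holds undecoded JSON (its type is not visible here), the nested `list` and its checks would go unvalidated at admission time. I would decode the nested entries and run each through validateForEach, and until then add `// counts presence only; nested foreach entries are not validated here` above the new `if`. The function begins above the hunk.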