fix: namespaced policy not validated in engine (#4653)

* fix: namespaced policy not validated in engine Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix test Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2022-09-26 06:47:37 +02:00 · 2022-09-26 06:47:37 +02:00 · 4d7e1281de
commit 4d7e1281de
parent e8839a3ff7
2 changed files with 11 additions and 2 deletions
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -99,6 +99,16 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
 	matchCount := 0
 	applyRules := ctx.Policy.GetSpec().GetApplyRules()

+	if ctx.Policy.IsNamespaced() {
+		polNs := ctx.Policy.GetNamespace()
+		if ctx.NewResource.Object != nil && (ctx.NewResource.GetNamespace() != polNs || ctx.NewResource.GetNamespace() == "") {
+			return resp
+		}
+		if ctx.OldResource.Object != nil && (ctx.OldResource.GetNamespace() != polNs || ctx.OldResource.GetNamespace() == "") {
+			return resp
+		}
+	}
+
 	for i := range rules {
 		rule := &rules[i]
 		hasValidate := rule.HasValidate()
--- a/test/cli/test/jmespath-brackets/policy.yaml
+++ b/test/cli/test/jmespath-brackets/policy.yaml
@ -25,10 +25,9 @@ spec:
              test: ""
 ---
 apiVersion: kyverno.io/v1
-kind: Policy
+kind: ClusterPolicy
 metadata:
  name: namespace-validation
-  namespace: kyverno
 spec:
  validationFailureAction: enforce
  background: false