fix: return engine responses without checking TestResult.rule since it is empty in case of VAPs (#8251)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

cmd/cli/kubectl-kyverno/commands/test/command.go

@@ -211,12 +211,17 @@ func lookupEngineResponses(test api.TestResults, resourceName string, responses
 
 func lookupRuleResponses(test api.TestResults, responses ...engineapi.RuleResponse) []engineapi.RuleResponse {
 	var matches []engineapi.RuleResponse
-	for _, response := range responses {
-		rule := response.Name()
-		if rule != test.Rule && rule != "autogen-"+test.Rule && rule != "autogen-cronjob-"+test.Rule {
-			continue
+	// Since there are no rules in case of validating admission policies, responses are returned without checking rule names.
+	if test.IsValidatingAdmissionPolicy {
+		matches = responses
+	} else {
+		for _, response := range responses {
+			rule := response.Name()
+			if rule != test.Rule && rule != "autogen-"+test.Rule && rule != "autogen-cronjob-"+test.Rule {
+				continue
+			}
+			matches = append(matches, response)
 		}
-		matches = append(matches, response)
 	}
 	return matches
 }

test/cli/test/validating-admission-policies/disallow-host-path/deployments.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-pass
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx-server
+        image: nginx
+        volumeMounts:
+          - name: temp
+            mountPath: /scratch
+      volumes:
+      - name: temp
+        emptyDir: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx-server
+        image: nginx
+        volumeMounts:
+          - name: udev
+            mountPath: /data
+      volumes:
+      - name: udev
+        hostPath:
+          path: /etc/udev

test/cli/test/validating-admission-policies/disallow-host-path/disallow-host-path.yaml

@@ -0,0 +1,15 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: disallow-host-path
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
+      message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."

test/cli/test/validating-admission-policies/disallow-host-path/kyverno-test.yaml

@@ -0,0 +1,16 @@
+name: disallow-host-path-test
+policies:
+  - disallow-host-path.yaml
+resources:
+  - deployments.yaml
+results:
+  - policy: disallow-host-path
+    resource: deployment-pass
+    isValidatingAdmissionPolicy: true
+    kind: Deployment
+    result: pass
+  - policy: disallow-host-path
+    resource: deployment-fail
+    isValidatingAdmissionPolicy: true
+    kind: Deployment
+    result: fail