fix: pass resource names to auth check for mutateExisting policies (#10808)

pkg/policy/auth/auth.go

@@ -11,13 +11,13 @@ import (
 // Operations provides methods to performing operations on resource
 type Operations interface {
 	// CanICreate returns 'true' if self can 'create' resource
-	CanICreate(ctx context.Context, gvk, namespace, subresource string) (bool, error)
+	CanICreate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
 	// CanIUpdate returns 'true' if self can 'update' resource
-	CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error)
+	CanIUpdate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
 	// CanIDelete returns 'true' if self can 'delete' resource
-	CanIDelete(ctx context.Context, gvk, namespace, subresource string) (bool, error)
+	CanIDelete(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
 	// CanIGet returns 'true' if self can 'get' resource
-	CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error)
+	CanIGet(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
 }
 
 // Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
@@ -38,8 +38,8 @@ func NewAuth(client dclient.Interface, user string, log logr.Logger) *Auth {
 }
 
 // CanICreate returns 'true' if self can 'create' resource
-func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
-	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "create", "", a.user)
+func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
+	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "create", "", a.user)
 	ok, _, err := canI.RunAccessCheck(ctx)
 	if err != nil {
 		return false, err
@@ -48,8 +48,8 @@ func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, subresource strin
 }
 
 // CanIUpdate returns 'true' if self can 'update' resource
-func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
-	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "update", "", a.user)
+func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
+	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "update", "", a.user)
 	ok, _, err := canI.RunAccessCheck(ctx)
 	if err != nil {
 		return false, err
@@ -58,8 +58,8 @@ func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, subresource strin
 }
 
 // CanIDelete returns 'true' if self can 'delete' resource
-func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
-	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "delete", "", a.user)
+func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
+	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "delete", "", a.user)
 	ok, _, err := canI.RunAccessCheck(ctx)
 	if err != nil {
 		return false, err
@@ -68,8 +68,8 @@ func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, subresource strin
 }
 
 // CanIGet returns 'true' if self can 'get' resource
-func (a *Auth) CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
-	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "get", "", a.user)
+func (a *Auth) CanIGet(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
+	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "get", "", a.user)
 	ok, _, err := canI.RunAccessCheck(ctx)
 	if err != nil {
 		return false, err

pkg/policy/auth/fake/auth.go

@@ -12,21 +12,21 @@ func NewFakeAuth() *FakeAuth {
 }
 
 // CanICreate returns 'true'
-func (a *FakeAuth) CanICreate(_ context.Context, kind, namespace, sub string) (bool, error) {
+func (a *FakeAuth) CanICreate(_ context.Context, kind, namespace, name, sub string) (bool, error) {
 	return true, nil
 }
 
 // CanIUpdate returns 'true'
-func (a *FakeAuth) CanIUpdate(_ context.Context, kind, namespace, sub string) (bool, error) {
+func (a *FakeAuth) CanIUpdate(_ context.Context, kind, namespace, name, sub string) (bool, error) {
 	return true, nil
 }
 
 // CanIDelete returns 'true'
-func (a *FakeAuth) CanIDelete(_ context.Context, kind, namespace, sub string) (bool, error) {
+func (a *FakeAuth) CanIDelete(_ context.Context, kind, namespace, name, sub string) (bool, error) {
 	return true, nil
 }
 
 // CanIGet returns 'true'
-func (a *FakeAuth) CanIGet(_ context.Context, kind, namespace, sub string) (bool, error) {
+func (a *FakeAuth) CanIGet(_ context.Context, kind, namespace, name, sub string) (bool, error) {
 	return true, nil
 }

pkg/policy/generate/validate.go

@@ -110,7 +110,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
 	// Skip if there is variable defined
 	authCheck := g.authCheck
 	if !regex.IsVariable(gvk) {
-		ok, err := authCheck.CanICreate(ctx, gvk, namespace, subresource)
+		ok, err := authCheck.CanICreate(ctx, gvk, namespace, "", subresource)
 		if err != nil {
 			return err
 		}
@@ -118,7 +118,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
 			return fmt.Errorf("%s does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
 		}
 
-		ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, subresource)
+		ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, "", subresource)
 		if err != nil {
 			return err
 		}
@@ -126,7 +126,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
 			return fmt.Errorf("%s does not have permissions to 'update' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
 		}
 
-		ok, err = authCheck.CanIGet(ctx, gvk, namespace, subresource)
+		ok, err = authCheck.CanIGet(ctx, gvk, namespace, "", subresource)
 		if err != nil {
 			return err
 		}
@@ -134,7 +134,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
 			return fmt.Errorf("%s does not have permissions to 'get' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
 		}
 
-		ok, err = authCheck.CanIDelete(ctx, gvk, namespace, subresource)
+		ok, err = authCheck.CanIDelete(ctx, gvk, namespace, "", subresource)
 		if err != nil {
 			return err
 		}

pkg/policy/mutate/validate.go

@@ -101,13 +101,13 @@ func (m *Mutate) validateAuth(ctx context.Context, targets []kyvernov1.TargetRes
 				srcKey = srcKey + "/" + sub
 			}
 
-			if ok, err := m.authChecker.CanIUpdate(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, sub); err != nil {
+			if ok, err := m.authChecker.CanIUpdate(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, target.Name, sub); err != nil {
 				errs = append(errs, err)
 			} else if !ok {
 				errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "update", target.APIVersion, srcKey, target.Namespace))
 			}
 
-			if ok, err := m.authChecker.CanIGet(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, sub); err != nil {
+			if ok, err := m.authChecker.CanIGet(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, target.Name, sub); err != nil {
 				errs = append(errs, err)
 			} else if !ok {
 				errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "get", target.APIVersion, srcKey, target.Namespace))