feat: support generating VAPs in case of matching resources in specific namespaces (#9981)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>

pkg/validatingadmissionpolicy/builder.go

@@ -115,7 +115,20 @@ func translateResource(discoveryClient dclient.IDiscovery, matchResources *admis
 	}
 
 	matchResources.ResourceRules = *rules
-	matchResources.NamespaceSelector = res.NamespaceSelector
+	if len(res.Namespaces) > 0 {
+		namespaceSelector := &metav1.LabelSelector{
+			MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      "kubernetes.io/metadata.name",
+					Operator: "In",
+					Values:   res.Namespaces,
+				},
+			},
+		}
+		matchResources.NamespaceSelector = namespaceSelector
+	} else {
+		matchResources.NamespaceSelector = res.NamespaceSelector
+	}
 	matchResources.ObjectSelector = res.Selector
 	return nil
 }

pkg/validatingadmissionpolicy/kyvernopolicy_checker.go

@@ -90,8 +90,8 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) {
 
 func checkResources(resource kyvernov1.ResourceDescription) (bool, string) {
 	var msg string
-	if len(resource.Namespaces) != 0 || len(resource.Annotations) != 0 {
-		msg = "skip generating ValidatingAdmissionPolicy: Namespaces / Annotations in resource description is not applicable."
+	if len(resource.Annotations) != 0 {
+		msg = "skip generating ValidatingAdmissionPolicy: Annotations in resource description is not applicable."
 		return false, msg
 	}
 	if resource.Name != "" && wildcard.ContainsWildcard(resource.Name) {

pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go

@@ -30,7 +30,7 @@ func Test_Check_Resources(t *testing.T) {
   ]
 }
 `),
-			expected: false,
+			expected: true,
 		},
 		{
 			name: "resource-with-annotations",

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/chainsaw-test.yaml

@@ -13,7 +13,7 @@ spec:
         file: policy-assert.yaml
   - name: step-02
     try:
-    - error:
+    - assert:
         file: validatingadmissionpolicy.yaml
-    - error:
+    - assert:
         file: validatingadmissionpolicybinding.yaml

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy-assert.yaml

@@ -8,5 +8,5 @@ status:
     status: "True"
     type: Ready
   validatingadmissionpolicy:
-    generated: false
+    generated: true
   

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml

@@ -10,12 +10,13 @@ spec:
         any:
         - resources:
             kinds:
-              - Deployment
+            - Deployment
             operations:
             - CREATE
             - UPDATE
             namespaces:
-            - prod
+            - production
+            - staging
       validate:
         cel:
           expressions:

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml

@@ -0,0 +1,35 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: disallow-host-path-t4
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: disallow-host-path-t4
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    namespaceSelector:
+      matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: In
+        values:
+        - production
+        - staging
+    resourceRules:
+    - apiGroups:
+      - apps
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - deployments
+  validations:
+  - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume,
+      !has(volume.hostPath))'
+    message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath
+      must be unset.

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml

@@ -4,4 +4,10 @@ metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
   name: disallow-host-path-t4-binding
-spec: {}
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: disallow-host-path-t4
+spec:
+  policyName: disallow-host-path-t4
+  validationActions: [Audit, Warn]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml

@@ -1,7 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1alpha1
-kind: ValidatingAdmissionPolicy
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t4
-spec: {}