From 66969d35ea070bc350edbeca1e38f7c863983d5e Mon Sep 17 00:00:00 2001
From: Prateek Pandey <prateekpandey14@gmail.com>
Date: Wed, 23 Feb 2022 22:27:18 +0530
Subject: [PATCH] validate and block policy based on the matched kind cache
 (#3283)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
---
 go.mod                      |  3 ++-
 go.sum                      |  1 +
 pkg/policy/validate.go      | 20 ++++++++++++++------
 pkg/policy/validate_test.go |  2 +-
 4 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/go.mod b/go.mod
index 90ce5c4d68..1b8333a9dc 100644
--- a/go.mod
+++ b/go.mod
@@ -57,7 +57,9 @@ require (
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20211215200129-69c85dc22db6
 	github.com/blang/semver/v4 v4.0.0
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21
+	github.com/evanphx/json-patch v4.12.0+incompatible
 	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220125170349-50dfc2733d10
+	github.com/gorilla/mux v1.8.0
 	gopkg.in/inf.v0 v0.9.1
 )
 
@@ -118,7 +120,6 @@ require (
 	github.com/docker/docker-credential-helpers v0.6.4 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
diff --git a/go.sum b/go.sum
index 945ce4c82f..77ecefb352 100644
--- a/go.sum
+++ b/go.sum
@@ -1030,6 +1030,7 @@ github.com/goreleaser/nfpm v1.2.1/go.mod h1:TtWrABZozuLOttX2uDlYyECfQX7x5XYkVxhj
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 80357d9dbe..b41cb8e4da 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -256,26 +256,25 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 		for _, value := range match.Any {
 			err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
 			if err != nil {
-				return fmt.Errorf("the kind defined in the any match resource is invalid")
+				return errors.Wrapf(err, "the kind defined in the any match resource is invalid")
 			}
 		}
 		for _, value := range match.All {
 			err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
 			if err != nil {
-				return fmt.Errorf("the kind defined in the all match resource is invalid")
+				return errors.Wrapf(err, "the kind defined in the all match resource is invalid")
 			}
 		}
 		for _, value := range exclude.Any {
 			err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
-
 			if err != nil {
-				return fmt.Errorf("the kind defined in the any exclude resource is invalid")
+				return errors.Wrapf(err, "the kind defined in the any exclude resource is invalid")
 			}
 		}
 		for _, value := range exclude.All {
 			err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
 			if err != nil {
-				return fmt.Errorf("the kind defined in the all exclude resource is invalid")
+				return errors.Wrapf(err, "the kind defined in the all exclude resource is invalid")
 			}
 		}
 		if !utils.ContainsString(rule.MatchResources.Kinds, "*") {
@@ -1483,12 +1482,21 @@ func jsonPatchOnPod(rule kyverno.Rule) bool {
 	return false
 }
 
+// validateKinds verifies if an API resource that matches 'kind' is valid kind
+// and found in the cache, returns error if not found
 func validateKinds(kinds []string, mock bool, client *dclient.Client, p kyverno.ClusterPolicy) error {
 	for _, kind := range kinds {
-		_, k := comn.GetKindFromGVK(kind)
+		gv, k := comn.GetKindFromGVK(kind)
 		if k == p.Kind {
 			return fmt.Errorf("kind and match resource kind should not be the same")
 		}
+
+		if !mock {
+			_, _, err := client.DiscoveryClient.FindResource(gv, k)
+			if err != nil {
+				return fmt.Errorf("unable to convert GVK to GVR, %s, err: %s", kinds, err)
+			}
+		}
 	}
 	return nil
 }
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 712d3a3db2..ec40d671f4 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -1555,6 +1555,6 @@ func Test_patchesJson6902_Policy(t *testing.T) {
 	assert.NilError(t, err)
 
 	openAPIController, _ := openapi.NewOpenAPIController()
-	err = Validate(policy, nil, false, openAPIController)
+	err = Validate(policy, nil, true, openAPIController)
 	assert.NilError(t, err)
 }