fix: Policies skipped because of preconditions not met should not be included in admission requests denial responses (#9719)

* Update block.go

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* Update block.go

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* lint

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* Update block.go

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* test added

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* test

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* test

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* --signoff

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* Create README.md

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* Rename Policy1.yaml to policy-1.yaml

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* Update test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/README.md

Co-authored-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* Update test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/README.md

Co-authored-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* Update test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/chainsaw-test.yaml

Co-authored-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* Rename Policy2.yaml to policy-2.yaml

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

* Update chainsaw-test.yaml

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>

---------

Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>

pkg/webhooks/utils/block.go

@@ -43,7 +43,7 @@ func GetBlockedMessages(engineResponses []engineapi.EngineResponse) string {
 	for _, er := range engineResponses {
 		ruleToReason := make(map[string]string)
 		for _, rule := range er.PolicyResponse.Rules {
-			if rule.Status() != engineapi.RuleStatusPass {
+			if rule.Status() != engineapi.RuleStatusPass && rule.Status() != engineapi.RuleStatusSkip {
 				ruleToReason[rule.Name()] = rule.Message()
 			}
 		}

test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that the policies that are skipped because of preconditions aren't included in admission requests denial responses
+
+## Expected Behavior
+
+The resource will be blocked because it violates the `require-ns-owner-label` policy. As a result, its message will only be displayed.
+
+## Reference Issue(s)
+
+#9502

test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/chainsaw-test.yaml

@@ -0,0 +1,35 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: check-message-upon-resource-failure
+spec:
+  steps:
+  - name: step-01
+    try: 
+    - apply:
+        file: policy-1.yaml
+    - assert:
+        file: policy-assert1.yaml    
+  - name: step-02
+    try:
+    - apply:
+        file: policy-2.yaml
+    - assert:
+        file: policy-assert2.yaml    
+  - name: step-03
+    try:
+    - script:
+       content: kubectl apply -f resource.yaml
+       check:
+         # This check ensures the contents of stderr are exactly as shown.
+         ($stderr): |-
+           Error from server: error when creating "resource.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: 
+
+           resource Namespace//asdfhl was blocked due to the following policies 
+
+           require-ns-owner-label:
+             check-for-namespace-owner-label: 'validation error: The label `uw.systems/owner`
+               is required. Check policy at https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml
+               for allowed label values. rule check-for-namespace-owner-label failed at path
+               /metadata/labels/uw.systems/owner/'

test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-1.yaml

@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-ns-owner-label
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: check-for-namespace-owner-label
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    validate:
+      message: >-
+        The label `uw.systems/owner` is required. Check policy at
+        https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml
+        for allowed label values.
+      pattern:
+        metadata:
+          labels:
+            uw.systems/owner: >-
+              account-platform
+                |bill
+                |billing
+                |btg-operations
+                |btg-security
+                |cbc
+                |contact-channels
+                |crm
+                |customer
+                |customer-platform
+                |customer-support
+                |data
+                |data-infra
+                |dev-enablement
+                |digital-support
+                |energy
+                |iam
+                |insurance
+                |partner
+                |payment
+                |system
+                |telecom
+                |unicom

test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-2.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: preconditions-check
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: check-label
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    preconditions:
+      all:
+      - key: "{{ request.object.metadata.annotations.foo || '' }}"
+        operator: Equals
+        value: foo
+    validate:
+      message: >-
+        The label `uw.systems/owner` is required. Check policy at
+        https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml
+        for allowed label values.
+      pattern:
+        metadata:
+          labels:
+            uw.systems/foo: bar

test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-assert1.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-ns-owner-label
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-assert2.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: preconditions-check
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/resource.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: asdfhl
+  labels:
+    app-type: corp
+  annotations:
+    cloud.platformzero.com/serviceClass: "xl2"