fix: use validate.message in case there is no message associated with the CEL expression (#9025)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

pkg/engine/handlers/validation/validate_cel.go

@@ -49,7 +49,7 @@ func (h validateCELHandler) Process(
 	// check if a corresponding validating admission policy is generated
 	vapStatus := policyContext.Policy().GetStatus().ValidatingAdmissionPolicy
 	if vapStatus.Generated {
-		logger.V(3).Info("skipping CEL validation due to the generation of its corresponding validating admission policy")
+		logger.V(3).Info("skipping CEL validation due to the generation of its corresponding ValidatingAdmissionPolicy")
 		return resource, nil
 	}
 
@@ -79,6 +79,11 @@ func (h validateCELHandler) Process(
 	// extract CEL expressions used in validations and audit annotations
 	variables := rule.Validation.CEL.Variables
 	validations := rule.Validation.CEL.Expressions
+	for i := range validations {
+		if validations[i].Message == "" {
+			validations[i].Message = rule.Validation.Message
+		}
+	}
 	auditAnnotations := rule.Validation.CEL.AuditAnnotations
 
 	optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true}

test/conformance/kuttl/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/02-resources.yaml

@@ -0,0 +1,14 @@
+## Checks that there is a message displayed when the resource is blocked.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f pod-fail.yaml 2>&1 | grep -q 'host-port-pods: hostPort must either be unset or set to 0' 
+    then 
+        echo "Test succeeded. The message is displayed."
+        exit 0
+    else 
+        echo "Test failed. The message isn't found."
+        exit 1
+    fi

test/conformance/kuttl/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test creates a policy that uses CEL expressions to disallow host ports in pods.
+
+## Expected Behavior
+
+The pod `pod-fail` is blocked, and a message is displayed indicating the reason of failure.
+
+## Reference Issue(s)
+
+8826

test/conformance/kuttl/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/pod-fail.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: webserver-pod
+spec:
+  containers:
+  - name: webserver
+    image: nginx:latest
+    ports:
+    - hostPort: 80
+      containerPort: 8080

test/conformance/kuttl/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-port-in-pods
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-port-in-pods
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: host-port-pods
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        message: "hostPort must either be unset or set to 0"
+        cel:
+          expressions:
+            - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))"