Refactor Kyverno CLI (#7995)

* Initial changes for cli refactoring Signed-off-by: anushkamittal2001 <anushka@nirmata.com> * Invoke engine in the correct order Signed-off-by: anushkamittal2001 <anushka@nirmata.com> * Refactor apply_command.go Signed-off-by: anushkamittal2001 <anushka@nirmata.com> * Resolve lint errors Signed-off-by: anushkamittal2001 <anushka@nirmata.com> * Removed unnecessary leading newline Signed-off-by: anushkamittal2001 <anushka@nirmata.com> --------- Signed-off-by: anushkamittal2001 <anushka@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2023-08-18 15:58:47 +05:30 · 2023-08-18 15:58:47 +05:30 · 72ccc55d78
commit 72ccc55d78
parent bdad59cfc8
3 changed files with 217 additions and 161 deletions
--- a/cmd/cli/kubectl-kyverno/apply/apply_command.go
+++ b/cmd/cli/kubectl-kyverno/apply/apply_command.go
@ -16,6 +16,7 @@ import (
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
 	sanitizederror "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/sanitizedError"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/values"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
@ -32,6 +33,10 @@ import (
 	"sigs.k8s.io/yaml"
 )

+// load res
+// load pol
+// apply
+// show res
 const divider = "----------------------------------------------------------------------"

 type SkippedInvalidPolicies struct {
@ -202,39 +207,17 @@ func Command() *cobra.Command {
 }

 func (c *ApplyCommandConfig) applyCommandHelper() (*common.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, error) {
-	var skipInvalidPolicies SkippedInvalidPolicies
-	// check arguments
-	if c.ValuesFile != "" && c.Variables != nil {
-		return nil, nil, skipInvalidPolicies, nil, sanitizederror.New("pass the values either using set flag or values_file flag")
-	}
-	if len(c.PolicyPaths) == 0 {
-		return nil, nil, skipInvalidPolicies, nil, sanitizederror.New("require policy")
-	}
-	if (len(c.PolicyPaths) > 0 && c.PolicyPaths[0] == "-") && len(c.ResourcePaths) > 0 && c.ResourcePaths[0] == "-" {
-		return nil, nil, skipInvalidPolicies, nil, sanitizederror.New("a stdin pipe can be used for either policies or resources, not both")
-	}
-	if len(c.ResourcePaths) == 0 && !c.Cluster {
-		return nil, nil, skipInvalidPolicies, nil, sanitizederror.New("resource file(s) or cluster required")
-	}
-	mutateLogPathIsDir, err := checkMutateLogPath(c.MutateLogPath)
+	rc, uu, skipInvalidPolicies, er, err := c.checkArguments()
 	if err != nil {
-		if !sanitizederror.IsErrorSanitized(err) {
-			return nil, nil, skipInvalidPolicies, nil, sanitizederror.NewWithError("failed to create file/folder", err)
-		}
-		return nil, nil, skipInvalidPolicies, nil, err
+		return rc, uu, skipInvalidPolicies, er, err
 	}
-	// empty the previous contents of the file just in case if the file already existed before with some content(so as to perform overwrites)
-	// the truncation of files for the case when mutateLogPath is dir, is handled under pkg/kyverno/apply/common.go
-	if !mutateLogPathIsDir && c.MutateLogPath != "" {
-		c.MutateLogPath = filepath.Clean(c.MutateLogPath)
-		// Necessary for us to include the file via variable as it is part of the CLI.
-		_, err := os.OpenFile(c.MutateLogPath, os.O_TRUNC|os.O_WRONLY, 0o600) // #nosec G304
-		if err != nil {
-			if !sanitizederror.IsErrorSanitized(err) {
-				return nil, nil, skipInvalidPolicies, nil, sanitizederror.NewWithError("failed to truncate the existing file at "+c.MutateLogPath, err)
-			}
-			return nil, nil, skipInvalidPolicies, nil, err
-		}
+	rc, uu, skipInvalidPolicies, er, err, mutateLogPathIsDir := c.getMutateLogPathIsDir(skipInvalidPolicies)
+	if err != nil {
+		return rc, uu, skipInvalidPolicies, er, err
+	}
+	rc, uu, skipInvalidPolicies, er, err = c.cleanPreviousContent(mutateLogPathIsDir, skipInvalidPolicies)
+	if err != nil {
+		return rc, uu, skipInvalidPolicies, er, err
 	}
 	var userInfo v1beta1.RequestInfo
 	if c.UserInfoPath != "" {
@ -255,90 +238,61 @@ func (c *ApplyCommandConfig) applyCommandHelper() (*common.ResultCounts, []*unst
 	if err != nil {
 		return nil, nil, skipInvalidPolicies, nil, sanitizederror.NewWithError("failed to initialize openAPIController", err)
 	}
-	// init store
-	store.SetLocal(true)
-	store.SetRegistryAccess(c.RegistryAccess)
-	if c.Cluster {
-		store.AllowApiCall(true)
-	}
-	// init cluster client
-	var dClient dclient.Interface
-	if c.Cluster {
-		restConfig, err := config.CreateClientConfigWithContext(c.KubeConfig, c.Context)
-		if err != nil {
-			return nil, nil, skipInvalidPolicies, nil, err
-		}
-		kubeClient, err := kubernetes.NewForConfig(restConfig)
-		if err != nil {
-			return nil, nil, skipInvalidPolicies, nil, err
-		}
-		dynamicClient, err := dynamic.NewForConfig(restConfig)
-		if err != nil {
-			return nil, nil, skipInvalidPolicies, nil, err
-		}
-		dClient, err = dclient.NewClient(context.Background(), dynamicClient, kubeClient, 15*time.Minute)
-		if err != nil {
-			return nil, nil, skipInvalidPolicies, nil, err
-		}
-	}
-	// load policies
-	fs := memfs.New()
-	var policies []kyvernov1.PolicyInterface
-	var validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy
-
-	for _, policy := range c.PolicyPaths {
-		policyPaths := []string{policy}
-		isGit := common.IsGitSourcePath(policyPaths)
-
-		if isGit {
-			gitSourceURL, err := url.Parse(policyPaths[0])
-			if err != nil {
-				fmt.Printf("Error: failed to load policies\nCause: %s\n", err)
-				osExit(1)
-			}
-
-			pathElems := strings.Split(gitSourceURL.Path[1:], "/")
-			if len(pathElems) <= 1 {
-				err := fmt.Errorf("invalid URL path %s - expected https://<any_git_source_domain>/:owner/:repository/:branch (without --git-branch flag) OR https://<any_git_source_domain>/:owner/:repository/:directory (with --git-branch flag)", gitSourceURL.Path)
-				fmt.Printf("Error: failed to parse URL \nCause: %s\n", err)
-				osExit(1)
-			}
-
-			gitSourceURL.Path = strings.Join([]string{pathElems[0], pathElems[1]}, "/")
-			repoURL := gitSourceURL.String()
-			var gitPathToYamls string
-			c.GitBranch, gitPathToYamls = common.GetGitBranchOrPolicyPaths(c.GitBranch, repoURL, policyPaths)
-			_, cloneErr := gitutils.Clone(repoURL, fs, c.GitBranch)
-			if cloneErr != nil {
-				fmt.Printf("Error: failed to clone repository \nCause: %s\n", cloneErr)
-				log.Log.V(3).Info(fmt.Sprintf("failed to clone repository  %v as it is not valid", repoURL), "error", cloneErr)
-				osExit(1)
-			}
-			policyYamls, err := gitutils.ListYamls(fs, gitPathToYamls)
-			if err != nil {
-				return nil, nil, skipInvalidPolicies, nil, sanitizederror.NewWithError("failed to list YAMLs in repository", err)
-			}
-
-			policyPaths = policyYamls
-		}
-
-		policiesFromFile, admissionPoliciesFromFile, err := common.GetPoliciesFromPaths(fs, policyPaths, isGit, "")
-		if err != nil {
-			fmt.Printf("Error: failed to load policies\nCause: %s\n", err)
-			osExit(1)
-		}
-
-		policies = append(policies, policiesFromFile...)
-		validatingAdmissionPolicies = append(validatingAdmissionPolicies, admissionPoliciesFromFile...)
-	}
-
-	// load resources
-	resources, err := common.GetResourceAccordingToResourcePath(nil, c.ResourcePaths, c.Cluster, policies, validatingAdmissionPolicies, dClient, c.Namespace, c.PolicyReport, false, "")
+	rc, uu, skipInvalidPolicies, er, err, dClient := c.initStoreAndClusterClient(skipInvalidPolicies)
 	if err != nil {
-		fmt.Printf("Error: failed to load resources\nCause: %s\n", err)
-		osExit(1)
+		return rc, uu, skipInvalidPolicies, er, err
 	}
-	// init variables
+	rc, uu, skipInvalidPolicies, er, err, policies, validatingAdmissionPolicies := c.loadPolicies(skipInvalidPolicies)
+	if err != nil {
+		return rc, uu, skipInvalidPolicies, er, err
+	}
+	resources := c.loadResources(policies, validatingAdmissionPolicies, dClient)
+	rc, uu, skipInvalidPolicies, er, err = c.applyPolicytoResource(variables, policies, validatingAdmissionPolicies, resources, openApiManager, skipInvalidPolicies, valuesMap, dClient, subresources, globalValMap, userInfo, mutateLogPathIsDir, namespaceSelectorMap)
+	if err != nil {
+		return rc, uu, skipInvalidPolicies, er, err
+	}
+	rc, uu, skipInvalidPolicies, er, err = c.applyValidatingAdmissionPolicytoResource(validatingAdmissionPolicies, resources, rc, dClient, subresources, skipInvalidPolicies, er)
+	if err != nil {
+		return rc, uu, skipInvalidPolicies, er, err
+	}
+	return rc, resources, skipInvalidPolicies, er, nil
+}
+
+func (c *ApplyCommandConfig) getMutateLogPathIsDir(skipInvalidPolicies SkippedInvalidPolicies) (*common.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, error, bool) {
+	mutateLogPathIsDir, err := checkMutateLogPath(c.MutateLogPath)
+	if err != nil {
+		if !sanitizederror.IsErrorSanitized(err) {
+			return nil, nil, skipInvalidPolicies, nil, sanitizederror.NewWithError("failed to create file/folder", err), false
+		}
+		return nil, nil, skipInvalidPolicies, nil, err, false
+	}
+	return nil, nil, skipInvalidPolicies, nil, err, mutateLogPathIsDir
+}
+
+func (c *ApplyCommandConfig) applyValidatingAdmissionPolicytoResource(validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy, resources []*unstructured.Unstructured, rc *common.ResultCounts, dClient dclient.Interface, subresources []values.Subresource, skipInvalidPolicies SkippedInvalidPolicies, responses []engineapi.EngineResponse) (*common.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, error) {
+	validatingAdmissionPolicy := common.ValidatingAdmissionPolicies{}
+	for _, resource := range resources {
+		for _, policy := range validatingAdmissionPolicies {
+			applyPolicyConfig := common.ApplyPolicyConfig{
+				ValidatingAdmissionPolicy: policy,
+				Resource:                  resource,
+				PolicyReport:              c.PolicyReport,
+				Rc:                        rc,
+				Client:                    dClient,
+				AuditWarn:                 c.AuditWarn,
+				Subresources:              subresources,
+			}
+			ers, err := validatingAdmissionPolicy.ApplyPolicyOnResource(applyPolicyConfig)
+			if err != nil {
+				return rc, resources, skipInvalidPolicies, responses, sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.GetName(), resource.GetName()).Error(), err)
+			}
+			responses = append(responses, ers...)
+		}
+	}
+	return rc, resources, skipInvalidPolicies, responses, nil
+}
+
+func (c *ApplyCommandConfig) applyPolicytoResource(variables map[string]string, policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy, resources []*unstructured.Unstructured, openApiManager openapi.Manager, skipInvalidPolicies SkippedInvalidPolicies, valuesMap map[string]map[string]values.Resource, dClient dclient.Interface, subresources []values.Subresource, globalValMap map[string]string, userInfo v1beta1.RequestInfo, mutateLogPathIsDir bool, namespaceSelectorMap map[string]map[string]string) (*common.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, error) {
 	if len(variables) != 0 {
 		variables = common.SetInStoreContext(policies, variables)
 	}
@ -354,34 +308,31 @@ func (c *ApplyCommandConfig) applyCommandHelper() (*common.ResultCounts, []*unst

 	var rc common.ResultCounts
 	var responses []engineapi.EngineResponse
-	for _, policy := range policies {
-		_, err := policyvalidation.Validate(policy, nil, nil, true, openApiManager, config.KyvernoUserName(config.KyvernoServiceAccountName()))
-		if err != nil {
-			log.Log.Error(err, "policy validation error")
-			if strings.HasPrefix(err.Error(), "variable 'element.name'") {
-				skipInvalidPolicies.invalid = append(skipInvalidPolicies.invalid, policy.GetName())
-			} else {
-				skipInvalidPolicies.skipped = append(skipInvalidPolicies.skipped, policy.GetName())
-			}
-
-			continue
-		}
-
-		matches := common.HasVariables(policy)
-		variable := common.RemoveDuplicateAndObjectVariables(matches)
-		if len(variable) > 0 {
-			if len(variables) == 0 {
-				// check policy in variable file
-				if c.ValuesFile == "" || valuesMap[policy.GetName()] == nil {
+	for _, resource := range resources {
+		for _, policy := range policies {
+			_, err := policyvalidation.Validate(policy, nil, nil, true, openApiManager, config.KyvernoUserName(config.KyvernoServiceAccountName()))
+			if err != nil {
+				log.Log.Error(err, "policy validation error")
+				if strings.HasPrefix(err.Error(), "variable 'element.name'") {
+					skipInvalidPolicies.invalid = append(skipInvalidPolicies.invalid, policy.GetName())
+				} else {
 					skipInvalidPolicies.skipped = append(skipInvalidPolicies.skipped, policy.GetName())
-					continue
+				}
+
+				continue
+			}
+			matches := common.HasVariables(policy)
+			variable := common.RemoveDuplicateAndObjectVariables(matches)
+			if len(variable) > 0 {
+				if len(variables) == 0 {
+					// check policy in variable file
+					if c.ValuesFile == "" || valuesMap[policy.GetName()] == nil {
+						skipInvalidPolicies.skipped = append(skipInvalidPolicies.skipped, policy.GetName())
+						continue
+					}
 				}
 			}
-		}
-
-		kindOnwhichPolicyIsApplied := common.GetKindsFromPolicy(policy, subresources, dClient)
-
-		for _, resource := range resources {
+			kindOnwhichPolicyIsApplied := common.GetKindsFromPolicy(policy, subresources, dClient)
 			thisPolicyResourceValues, err := common.CheckVariableForPolicy(valuesMap, globalValMap, policy.GetName(), resource.GetName(), resource.GetKind(), variables, kindOnwhichPolicyIsApplied, variable)
 			if err != nil {
 				return &rc, resources, skipInvalidPolicies, responses, sanitizederror.NewWithError(fmt.Sprintf("policy `%s` have variables. pass the values for the variables for resource `%s` using set/values_file flag", policy.GetName(), resource.GetName()), err)
@ -409,28 +360,133 @@ func (c *ApplyCommandConfig) applyCommandHelper() (*common.ResultCounts, []*unst
 			responses = append(responses, processSkipEngineResponses(ers, applyPolicyConfig)...)
 		}
 	}
+	return &rc, resources, skipInvalidPolicies, responses, nil
+}

-	validatingAdmissionPolicy := common.ValidatingAdmissionPolicies{}
-	for _, policy := range validatingAdmissionPolicies {
-		for _, resource := range resources {
-			applyPolicyConfig := common.ApplyPolicyConfig{
-				ValidatingAdmissionPolicy: policy,
-				Resource:                  resource,
-				PolicyReport:              c.PolicyReport,
-				Rc:                        &rc,
-				Client:                    dClient,
-				AuditWarn:                 c.AuditWarn,
-				Subresources:              subresources,
-			}
-			ers, err := validatingAdmissionPolicy.ApplyPolicyOnResource(applyPolicyConfig)
+func (c *ApplyCommandConfig) loadResources(policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy, dClient dclient.Interface) []*unstructured.Unstructured {
+	resources, err := common.GetResourceAccordingToResourcePath(nil, c.ResourcePaths, c.Cluster, policies, validatingAdmissionPolicies, dClient, c.Namespace, c.PolicyReport, false, "")
+	if err != nil {
+		fmt.Printf("Error: failed to load resources\nCause: %s\n", err)
+		osExit(1)
+	}
+	return resources
+}
+
+func (c *ApplyCommandConfig) loadPolicies(skipInvalidPolicies SkippedInvalidPolicies) (*common.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, error, []kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy) {
+	// load policies
+	fs := memfs.New()
+	var policies []kyvernov1.PolicyInterface
+	var validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy
+
+	for _, policy := range c.PolicyPaths {
+		policyPaths := []string{policy}
+		isGit := common.IsGitSourcePath(policyPaths)
+
+		if isGit {
+			gitSourceURL, err := url.Parse(policyPaths[0])
 			if err != nil {
-				return &rc, resources, skipInvalidPolicies, responses, sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.GetName(), resource.GetName()).Error(), err)
+				fmt.Printf("Error: failed to load policies\nCause: %s\n", err)
+				osExit(1)
 			}
-			responses = append(responses, ers...)
+
+			pathElems := strings.Split(gitSourceURL.Path[1:], "/")
+			if len(pathElems) <= 1 {
+				err := fmt.Errorf("invalid URL path %s - expected https://<any_git_source_domain>/:owner/:repository/:branch (without --git-branch flag) OR https://<any_git_source_domain>/:owner/:repository/:directory (with --git-branch flag)", gitSourceURL.Path)
+				fmt.Printf("Error: failed to parse URL \nCause: %s\n", err)
+				osExit(1)
+			}
+			gitSourceURL.Path = strings.Join([]string{pathElems[0], pathElems[1]}, "/")
+			repoURL := gitSourceURL.String()
+			var gitPathToYamls string
+			c.GitBranch, gitPathToYamls = common.GetGitBranchOrPolicyPaths(c.GitBranch, repoURL, policyPaths)
+			_, cloneErr := gitutils.Clone(repoURL, fs, c.GitBranch)
+			if cloneErr != nil {
+				fmt.Printf("Error: failed to clone repository \nCause: %s\n", cloneErr)
+				log.Log.V(3).Info(fmt.Sprintf("failed to clone repository  %v as it is not valid", repoURL), "error", cloneErr)
+				osExit(1)
+			}
+			policyYamls, err := gitutils.ListYamls(fs, gitPathToYamls)
+			if err != nil {
+				return nil, nil, skipInvalidPolicies, nil, sanitizederror.NewWithError("failed to list YAMLs in repository", err), nil, nil
+			}
+
+			policyPaths = policyYamls
 		}
+
+		policiesFromFile, admissionPoliciesFromFile, err := common.GetPoliciesFromPaths(fs, policyPaths, isGit, "")
+		if err != nil {
+			fmt.Printf("Error: failed to load policies\nCause: %s\n", err)
+			osExit(1)
+		}
+
+		policies = append(policies, policiesFromFile...)
+		validatingAdmissionPolicies = append(validatingAdmissionPolicies, admissionPoliciesFromFile...)
 	}

-	return &rc, resources, skipInvalidPolicies, responses, nil
+	return nil, nil, skipInvalidPolicies, nil, nil, policies, validatingAdmissionPolicies
+}
+
+func (c *ApplyCommandConfig) initStoreAndClusterClient(skipInvalidPolicies SkippedInvalidPolicies) (*common.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, error, dclient.Interface) {
+	store.SetLocal(true)
+	store.SetRegistryAccess(c.RegistryAccess)
+	if c.Cluster {
+		store.AllowApiCall(true)
+	}
+	var err error
+	var dClient dclient.Interface
+	if c.Cluster {
+		restConfig, err := config.CreateClientConfigWithContext(c.KubeConfig, c.Context)
+		if err != nil {
+			return nil, nil, skipInvalidPolicies, nil, err, nil
+		}
+		kubeClient, err := kubernetes.NewForConfig(restConfig)
+		if err != nil {
+			return nil, nil, skipInvalidPolicies, nil, err, nil
+		}
+		dynamicClient, err := dynamic.NewForConfig(restConfig)
+		if err != nil {
+			return nil, nil, skipInvalidPolicies, nil, err, nil
+		}
+		dClient, err = dclient.NewClient(context.Background(), dynamicClient, kubeClient, 15*time.Minute)
+		if err != nil {
+			return nil, nil, skipInvalidPolicies, nil, err, nil
+		}
+	}
+	return nil, nil, skipInvalidPolicies, nil, err, dClient
+}
+
+func (c *ApplyCommandConfig) cleanPreviousContent(mutateLogPathIsDir bool, skipInvalidPolicies SkippedInvalidPolicies) (*common.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, error) {
+	// empty the previous contents of the file just in case if the file already existed before with some content(so as to perform overwrites)
+	// the truncation of files for the case when mutateLogPath is dir, is handled under pkg/kyverno/apply/common.go
+	if !mutateLogPathIsDir && c.MutateLogPath != "" {
+		c.MutateLogPath = filepath.Clean(c.MutateLogPath)
+		// Necessary for us to include the file via variable as it is part of the CLI.
+		_, err := os.OpenFile(c.MutateLogPath, os.O_TRUNC|os.O_WRONLY, 0o600) // #nosec G304
+		if err != nil {
+			if !sanitizederror.IsErrorSanitized(err) {
+				return nil, nil, skipInvalidPolicies, nil, sanitizederror.NewWithError("failed to truncate the existing file at "+c.MutateLogPath, err)
+			}
+			return nil, nil, skipInvalidPolicies, nil, err
+		}
+	}
+	return nil, nil, skipInvalidPolicies, nil, nil
+}
+
+func (c *ApplyCommandConfig) checkArguments() (*common.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, error) {
+	var skipInvalidPolicies SkippedInvalidPolicies
+	if c.ValuesFile != "" && c.Variables != nil {
+		return nil, nil, skipInvalidPolicies, nil, sanitizederror.New("pass the values either using set flag or values_file flag")
+	}
+	if len(c.PolicyPaths) == 0 {
+		return nil, nil, skipInvalidPolicies, nil, sanitizederror.New("require policy")
+	}
+	if (len(c.PolicyPaths) > 0 && c.PolicyPaths[0] == "-") && len(c.ResourcePaths) > 0 && c.ResourcePaths[0] == "-" {
+		return nil, nil, skipInvalidPolicies, nil, sanitizederror.New("a stdin pipe can be used for either policies or resources, not both")
+	}
+	if len(c.ResourcePaths) == 0 && !c.Cluster {
+		return nil, nil, skipInvalidPolicies, nil, sanitizederror.New("resource file(s) or cluster required")
+	}
+	return nil, nil, skipInvalidPolicies, nil, nil
 }

 func printSkippedAndInvalidPolicies(skipInvalidPolicies SkippedInvalidPolicies) {
--- a/cmd/cli/kubectl-kyverno/apply/apply_command_test.go
+++ b/cmd/cli/kubectl-kyverno/apply/apply_command_test.go
@ -354,5 +354,5 @@ func copyFileToThisDir(sourceFile string) (string, error) {
 		return "", err
 	}

-	return filepath.Base(sourceFile), os.WriteFile(filepath.Base(sourceFile), input, 0644)
+	return filepath.Base(sourceFile), os.WriteFile(filepath.Base(sourceFile), input, 0o644)
 }
--- a/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go
@ -159,6 +159,12 @@ OuterLoop:
 		}
 	}

+	verifyImageResponse, _ := eng.VerifyAndPatchImages(context.TODO(), policyContext)
+	if !verifyImageResponse.IsEmpty() {
+		verifyImageResponse = combineRuleResponses(verifyImageResponse)
+		engineResponses = append(engineResponses, verifyImageResponse)
+	}
+
 	var policyHasValidate bool
 	for _, rule := range autogen.ComputeRules(c.Policy) {
 		if rule.HasValidate() || rule.HasVerifyImageChecks() {
@ -178,12 +184,6 @@ OuterLoop:
 		engineResponses = append(engineResponses, validateResponse)
 	}

-	verifyImageResponse, _ := eng.VerifyAndPatchImages(context.TODO(), policyContext)
-	if !verifyImageResponse.IsEmpty() {
-		verifyImageResponse = combineRuleResponses(verifyImageResponse)
-		engineResponses = append(engineResponses, verifyImageResponse)
-	}
-
 	var policyHasGenerate bool
 	for _, rule := range autogen.ComputeRules(c.Policy) {
 		if rule.HasGenerate() {