fix: check the resource namespace (#10738)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-07-26 16:45:54 +03:00 · 2024-07-26 16:45:54 +03:00 · 734f1df059
commit 734f1df059
parent f618717f75
3 changed files with 42 additions and 1 deletions
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@ -254,7 +254,7 @@ func (p *PolicyProcessor) makePolicyContext(
 			return nil, fmt.Errorf("failed to update old resource in json context (%w)", err)
 		}
 	}
-	if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" {
+	if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" && resource.GetNamespace() != "" {
 		ns, err := p.Client.GetResource(context.TODO(), "v1", "Namespace", "", resource.GetNamespace())
 		if err != nil {
 			log.Log.Error(err, "failed to get the resource's namespace")
--- a/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml
@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: apply-on-cluster-scoped-resources
+spec:
+  steps:
+  - name: step-01  
+    try:  
+    - script:  
+        content: kubectl create rolebinding my-rolebinding --role=my-role --user=my-user
+  - name: step-02
+    try:  
+    - script:  
+        content: kubectl create clusterrolebinding clusterrolebinding --clusterrole=my-clusterrole --user=my-user
+  - name: step-04
+    try:
+    - script:
+        content: kyverno apply policy.yaml --cluster
+        check:  
+          ($error != null): false
--- a/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml
+++ b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml
@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-binding-system-groups      
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: restrict-masters
+      match:
+        any:
+        - resources:
+            kinds:
+              - RoleBinding
+              - ClusterRoleBinding
+      validate:
+        message: "Binding to system:masters is not allowed."
+        pattern:
+          roleRef:
+            name: "!system:masters"