From 734f1df059aeb12a3578198bfb12f27589691651 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Fri, 26 Jul 2024 16:45:54 +0300
Subject: [PATCH] fix: check the resource namespace (#10738)
Signed-off-by: Mariam Fahmy
---
 .../processor/policy_processor.go | 2 +-
 .../chainsaw-test.yaml | 21 +++++++++++++++++++
 .../policy.yaml | 20 ++++++++++++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml
 create mode 100644 test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml
diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor.go b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
index 415191dfed..f7235f4c93 100644
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@@ -254,7 +254,7 @@ func (p *PolicyProcessor) makePolicyContext(
 return nil, fmt.Errorf("failed to update old resource in json context (%w)", err)
 }
 }
- if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" {
+ if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" && resource.GetNamespace() != "" {
 ns, err := p.Client.GetResource(context.TODO(), "v1", "Namespace", "", resource.GetNamespace())
 if err != nil {
 log.Log.Error(err, "failed to get the resource's namespace")
diff --git a/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml
new file mode 100644
index 0000000000..1e4110b4ff
--- /dev/null
+++ b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml
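Review bot: The new `resource.GetNamespace() != ""` guard equates "no namespace set" with "cluster-scoped", but a namespaced manifest that simply omits `metadata.namespace` has the same empty value, so for such resources the namespace lookup is now skipped silently instead of failing loudly as it did before, and any rule that relies on `namespaceLabels` (namespace selectors) would then not match with no trace in the logs. If the CLI does not default the namespace earlier in the load path (not visible in this hunk), deciding cluster scope from the API resource's scope would be more precise than testing the empty string; at minimum a low-verbosity log line when the lookup is skipped, e.g. `log.Log.V(3).Info("skipping namespace lookup", "kind", resource.GetKind(), "name", resource.GetName())`, would keep the case observable. With the new guard in place the `resource.GetKind() != "Namespace"` test is redundant, since a Namespace object carries no namespace of its own, though keeping it is harmless. makePolicyContext starts before and continues after this hunk.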
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: apply-on-cluster-scoped-resources
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: kubectl create rolebinding my-rolebinding --role=my-role --user=my-user
+ - name: step-02
+ try:
+ - script:
+ content: kubectl create clusterrolebinding clusterrolebinding --clusterrole=my-clusterrole --user=my-user
+ - name: step-04
+ try:
+ - script:
+ content: kyverno apply policy.yaml --cluster
+ check:
+ ($error != null): false
diff --git a/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml
new file mode 100644
index 0000000000..8afa58827f
--- /dev/null
+++ b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-binding-system-groups
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: restrict-masters
+ match:
+ any:
+ - resources:
+ kinds:
+ - RoleBinding
+ - ClusterRoleBinding
+ validate:
+ message: "Binding to system:masters is not allowed."
+ pattern:
+ roleRef:
+ name: "!system:masters"
\ No newline at end of file
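Review bot: The only assertion in step-04 is `($error != null): false`, so the test proves that `kyverno apply policy.yaml --cluster` exits cleanly but not that the ClusterRoleBinding created in step-02 was actually evaluated; it would still pass if cluster-scoped resources were silently skipped rather than processed. Adding a check on the command output that names the ClusterRoleBinding (chainsaw exposes script output to `check` as `$stdout`, if I recall the bindings correctly) would pin the behaviour this fix is meant to restore. The step names jump from step-02 to step-04, and the two `kubectl create` commands have no matching cleanup, so unless chainsaw removes resources created by scripts the bindings outlive the test run — a `finally` or `cleanup` operation would avoid leaving a ClusterRoleBinding behind on a shared cluster.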