From 81ec6c96a102ff377d25734091ff43a31428917d Mon Sep 17 00:00:00 2001
From: shuting
Date: Mon, 27 Mar 2023 19:56:24 +0800
Subject: [PATCH] fix auth validation (#6696)
Signed-off-by: ShutingZhao
---
 pkg/policy/mutate/validate.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go
index 081e975363..fbf391b829 100644
--- a/pkg/policy/mutate/validate.go
+++ b/pkg/policy/mutate/validate.go
@@ -95,22 +95,21 @@ func (m *Mutate) validateAuth(ctx context.Context, targets []kyvernov1.ResourceS
 for _, target := range targets {
 if !regex.IsVariable(target.Namespace) {
 _, _, k, sub := kubeutils.ParseKindSelector(target.Kind)
- if ok, err := m.authChecker.CanICreate(ctx, k, target.Namespace, sub); err != nil {
- errs = append(errs, err)
- } else if !ok {
- errs = append(errs, fmt.Errorf("cannot %s %s/%s in namespace %s", "create", k, sub, target.Namespace))
+ srcKey := k
+ if sub != "" {
+ srcKey = srcKey + "/" + sub
 }
 if ok, err := m.authChecker.CanIUpdate(ctx, k, target.Namespace, sub); err != nil {
 errs = append(errs, err)
 } else if !ok {
- errs = append(errs, fmt.Errorf("cannot %s %s/%s in namespace %s", "update", k, sub, target.Namespace))
+ errs = append(errs, fmt.Errorf("cannot %s %s in namespace %s", "update", srcKey, target.Namespace))
 }
 if ok, err := m.authChecker.CanIGet(ctx, k, target.Namespace, sub); err != nil {
 errs = append(errs, err)
 } else if !ok {
- errs = append(errs, fmt.Errorf("cannot %s %s/%s in namespace %s", "get", k, sub, target.Namespace))
+ errs = append(errs, fmt.Errorf("cannot %s %s in namespace %s", "get", srcKey, target.Namespace))
 }
 }
 }
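Review bot: Targets whose namespace is a variable skip both remaining checks, because the `CanIUpdate` and `CanIGet` calls sit inside `if !regex.IsVariable(target.Namespace)`, so validation passes for them with no permission check at all; only the namespace is tested for variables, and `target.Kind` goes to `ParseKindSelector` untested. If this is intended, a comment such as `// variable namespaces cannot be resolved here; permissions for these targets must be enforced when the mutation is applied` would make the fail-open explicit, assuming the apply path does enforce it, which is not visible in this hunk. The group and version returned by `ParseKindSelector` are also discarded (`_, _, k, sub`), so the check is keyed on kind and subresource alone; whether the checker disambiguates a kind that exists in more than one API group cannot be told from here. validateAuth begins above the hunk and continues after it.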