Validation for generate loops and support ClusterPolicy/Policy in match block (#2275)

* add validation for kinds * remove cluster policy from excluded resources * fix typo
2025-04-17 17:56:33 +00:00 · 2021-08-21 03:58:49 +05:30 · 2021-08-21 03:58:49 +05:30 · 8c7858c4b0
commit 8c7858c4b0
parent 1f756c37ac
3 changed files with 14 additions and 4 deletions
--- a/pkg/policy/actions.go
+++ b/pkg/policy/actions.go
@ -8,6 +8,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/policy/generate"
 	"github.com/kyverno/kyverno/pkg/policy/mutate"
 	"github.com/kyverno/kyverno/pkg/policy/validate"
+	"github.com/kyverno/kyverno/pkg/utils"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )

@ -55,6 +56,10 @@ func validateActions(idx int, rule kyverno.Rule, client *dclient.Client, mock bo
 				return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
 			}
 		}
+
+		if utils.ContainsString(rule.MatchResources.Kinds, rule.Generation.Kind) {
+			return fmt.Errorf("generation kind and match resource kind should not be the same.")
+		}
 	}

 	return nil
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -8,6 +8,7 @@ import (
 	"strings"

 	"github.com/jmespath/go-jmespath"
+	c "github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	"github.com/kyverno/kyverno/pkg/kyverno/common"
@ -133,6 +134,14 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 			return fmt.Errorf("wildcards (*) are currently not supported in the match.resources.kinds field. at least one resource kind must be specified in a kind block.")
 		}

+		// Validate Kind with match resource kinds
+		for _, kind := range rule.MatchResources.Kinds {
+			_, k := c.GetKindFromGVK(kind)
+			if k == p.Kind {
+				return fmt.Errorf("kind and match resource kind should not be the same.")
+			}
+		}
+
 		// Validate string values in labels
 		if !isLabelAndAnnotationsString(rule) {
 			return fmt.Errorf("labels and annotations supports only string values, \"use double quotes around the non string values\"")
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@ -170,10 +170,6 @@ func convertResource(raw []byte, group, version, kind, namespace string) (unstru

 func excludeKyvernoResources(kind string) bool {
 	switch kind {
-	case "ClusterPolicy":
-		return true
-	case "Policy":
-		return true
 	case "ClusterPolicyReport":
 		return true
 	case "PolicyReport":