fix: skip generating VAPs in case namespace's name contains wildcards (#10205)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

pkg/validatingadmissionpolicy/kyvernopolicy_checker.go

@@ -104,6 +104,12 @@ func checkResources(resource kyvernov1.ResourceDescription) (bool, string) {
 			return false, msg
 		}
 	}
+	for _, ns := range resource.Namespaces {
+		if wildcard.ContainsWildcard(ns) {
+			msg = "skip generating ValidatingAdmissionPolicy: wildcards in namespace name is not applicable."
+			return false, msg
+		}
+	}
 	return true, msg
 }
 

pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go

@@ -32,6 +32,40 @@ func Test_Check_Resources(t *testing.T) {
 `),
 			expected: true,
 		},
+		{
+			name: "namespaces-with-wildcards",
+			resource: []byte(`
+{
+  "kinds": [
+    "Service"
+  ],
+  "namespaces": [
+    "prod-*"
+  ],
+  "operations": [
+    "CREATE"
+  ]
+}
+`),
+			expected: false,
+		},
+		{
+			name: "resource-names-with-wildcards",
+			resource: []byte(`
+{
+  "kinds": [
+    "Service"
+  ],
+  "names": [
+    "svc-*"
+  ],
+  "operations": [
+    "CREATE"
+  ]
+}
+`),
+			expected: false,
+		},
 		{
 			name: "resource-with-annotations",
 			resource: []byte(`

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/chainsaw-test.yaml

@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-any-match-resources-in-namespaces-with-wildcard
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - error:
+        file: validatingadmissionpolicy.yaml
+    - error:
+        file: validatingadmissionpolicybinding.yaml

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy-assert.yaml

@@ -0,0 +1,12 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-label-app-5
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+  validatingadmissionpolicy:
+    generated: false
+  

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-label-app-5
+spec:
+  validationFailureAction: Audit
+  rules:
+    - name: check-label-app
+      match:
+        any:
+        - resources:
+            kinds:
+            - Pod
+            namespaces: 
+            - "prod-*"
+            - "staging"
+      validate:
+        cel:
+          expressions:
+            - expression: "'app' in object.metadata.labels"

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicy.yaml

@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: check-label-app-5
+spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicybinding.yaml

@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: check-label-app-5-binding
+spec: {}