fix: exceptions not considered on delete (#7433)

* fix: helm template for cleanup jobs image

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: exceptions not considered on delete

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

pkg/engine/exceptions.go

@@ -48,9 +48,13 @@ func matchesException(
 		return nil, err
 	}
 	gvk, subresource := policyContext.ResourceKind()
+	resource := policyContext.NewResource()
+	if resource.Object == nil {
+		resource = policyContext.OldResource()
+	}
 	for _, candidate := range candidates {
 		err := matched.CheckMatchesResources(
-			policyContext.NewResource(),
+			resource,
 			candidate.Spec.Match,
 			policyContext.NamespaceLabels(),
 			policyContext.AdmissionInfo(),

test/conformance/kuttl/exceptions/applies-to-delete/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/exceptions/applies-to-delete/02-exception.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- exception.yaml

test/conformance/kuttl/exceptions/applies-to-delete/03-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- namespace.yaml

test/conformance/kuttl/exceptions/applies-to-delete/04-deployment.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: deployment.yaml

test/conformance/kuttl/exceptions/applies-to-delete/05-delete.yaml

@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: apps/v1
+  kind: Deployment
+  name: test-dpl1
+  namespace: reza-dev

test/conformance/kuttl/exceptions/applies-to-delete/README.md

@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy, a policy exception and tries to create a deployment violating the policy.
+The deployment is then deleted.
+
+
+## Expected Behavior
+
+Both creation and deletion should be accepted, the exception applies to all operations.
+
+## Reference Issue(s)
+
+7423

test/conformance/kuttl/exceptions/applies-to-delete/deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-dpl1
+  namespace: reza-dev
+spec:
+  selector:
+    matchLabels:
+      app: test-dpl1
+  template:
+    metadata:
+      labels:
+        app: test-dpl1
+    spec:
+      securityContext:
+        seccompProfile:
+          type: Unconfined
+      containers:
+      - name: test-dpl1
+        image: busybox:1.35.0
+        command:
+        - sleep
+        - "infinity"

test/conformance/kuttl/exceptions/applies-to-delete/exception.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: delta-exception
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: psa
+    ruleNames:
+    - "*"
+  match:
+    any:
+    - resources:
+        kinds:
+        - Deployment
+        namespaces:
+        - reza-dev
+        names:
+        - test-dpl1*

test/conformance/kuttl/exceptions/applies-to-delete/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: reza-dev

test/conformance/kuttl/exceptions/applies-to-delete/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: psa
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/exceptions/applies-to-delete/policy.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: psa
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: restricted
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        podSecurity:
+          level: restricted
+          version: v1.25