Validate GVK while installing policy & Fix any/all matching logic (#2458)

* Handle case-sensitive GVK & Fix any/all matching logic * Fix any/all matching logic in the background controller * fix cli issue * fix any all issue * add exclude block * add validation for exclude block * fix exclude issue
2025-03-31 03:45:17 +00:00 · 2021-10-05 00:30:57 +05:30 · 2021-10-05 00:30:57 +05:30 · 9541d2be3e
commit 9541d2be3e
parent b7c8368569
2 changed files with 52 additions and 16 deletions
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@ -30,7 +30,6 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli
 		}

 		match := rule.MatchResources
-		exclude := rule.ExcludeResources

 		for _, value := range match.Any {
 			pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger)
@ -38,13 +37,6 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli
 		for _, value := range match.All {
 			pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger)
 		}
-		for _, value := range exclude.All {
-			pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger)
-		}
-		for _, value := range exclude.Any {
-			pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger)
-		}
-
 		pc.processExistingKinds(match.Kinds, policy, rule, logger)
 	}
 }
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -10,13 +10,12 @@ import (

 	jsonpatch "github.com/evanphx/json-patch/v5"
 	"github.com/jmespath/go-jmespath"
-	c "github.com/kyverno/kyverno/pkg/common"
+	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
+	comn "github.com/kyverno/kyverno/pkg/common"
+	dclient "github.com/kyverno/kyverno/pkg/dclient"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	"github.com/kyverno/kyverno/pkg/kyverno/common"
-
-	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
-	dclient "github.com/kyverno/kyverno/pkg/dclient"
 	"github.com/kyverno/kyverno/pkg/openapi"
 	"github.com/kyverno/kyverno/pkg/utils"
 	"github.com/minio/pkg/wildcard"
@ -177,12 +176,41 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 		}

 		// Validate Kind with match resource kinds
-		for _, kind := range rule.MatchResources.Kinds {
-			_, k := c.GetKindFromGVK(kind)
-			if k == p.Kind {
-				return fmt.Errorf("kind and match resource kind should not be the same.")
+		match := rule.MatchResources
+		exclude := rule.ExcludeResources
+		for _, value := range match.Any {
+			err := validateKinds(value.ResourceDescription.Kinds, mock, client, p)
+			if err != nil {
+				return fmt.Errorf("the kind defined in the any match resource is invalid")
 			}
 		}
+		for _, value := range match.All {
+			err := validateKinds(value.ResourceDescription.Kinds, mock, client, p)
+			if err != nil {
+				return fmt.Errorf("the kind defined in the all match resource is invalid")
+			}
+		}
+		for _, value := range exclude.Any {
+			err := validateKinds(value.ResourceDescription.Kinds, mock, client, p)
+
+			if err != nil {
+				return fmt.Errorf("the kind defined in the any exclude resource is invalid")
+			}
+		}
+		for _, value := range exclude.All {
+			err := validateKinds(value.ResourceDescription.Kinds, mock, client, p)
+			if err != nil {
+				return fmt.Errorf("the kind defined in the all exclude resource is invalid")
+			}
+		}
+		err := validateKinds(rule.MatchResources.Kinds, mock, client, p)
+		if err != nil {
+			return fmt.Errorf("match resource kind is invalid ")
+		}
+		err = validateKinds(rule.ExcludeResources.Kinds, mock, client, p)
+		if err != nil {
+			return fmt.Errorf("exclude resource kind is invalid ")
+		}

 		// Validate string values in labels
 		if !isLabelAndAnnotationsString(rule) {
@ -1027,3 +1055,19 @@ func jsonPatchOnPod(rule kyverno.Rule) bool {

 	return false
 }
+
+func validateKinds(kinds []string, mock bool, client *dclient.Client, p kyverno.ClusterPolicy) error {
+	for _, kind := range kinds {
+		gv, k := comn.GetKindFromGVK(kind)
+		if !mock {
+			_, _, err := client.DiscoveryClient.FindResource(gv, k)
+			if err != nil || strings.ToLower(k) == k {
+				return fmt.Errorf("match resource kind  %s is invalid ", k)
+			}
+		}
+		if k == p.Kind {
+			return fmt.Errorf("kind and match resource kind should not be the same")
+		}
+	}
+	return nil
+}