fix: add validation check for podSecurity subrule (#9770)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

pkg/policy/validate/validate.go

@@ -68,6 +68,20 @@ func (v *Validate) Validate(ctx context.Context) (string, error) {
 		}
 	}
 
+	if v.rule.PodSecurity != nil {
+		if len(v.rule.PodSecurity.Exclude) != 0 {
+			for _, exclude := range v.rule.PodSecurity.Exclude {
+				if exclude.RestrictedField != "" && len(exclude.Values) == 0 {
+					return "", fmt.Errorf("podSecurity.exclude.values is required")
+				}
+
+				if exclude.RestrictedField == "" && len(exclude.Values) != 0 {
+					return "", fmt.Errorf("podSecurity.exclude.restrictedField is required")
+				}
+			}
+		}
+	}
+
 	if v.rule.CEL != nil {
 		for _, expression := range v.rule.CEL.Expressions {
 			if expression.Expression == "" {

test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/chainsaw-test.yaml

@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: invalid-pod-security-rule
+spec:
+  steps:
+  - name: Apply the first policy
+    try:
+    - script:
+        content: kubectl apply -f policy-1.yaml
+        check:
+          # This check ensures that the string "undefined field 'automountServiceAccountToken';" is found
+          # in stderr or else fails
+          (contains($stderr, 'podSecurity.exclude.values is required')): true
+  - name: Apply the second policy
+    try:
+    - script:
+        content: kubectl apply -f policy-2.yaml
+        check:
+          # This check ensures that the string "podSecurity.exclude.restrictedField is required" is found
+          # in stderr or else fails
+          (contains($stderr, 'podSecurity.exclude.restrictedField is required')): true

test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml

@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: psa-1
+spec:
+  background: true
+  validationFailureAction: Enforce
+  rules:
+  - name: baseline
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      podSecurity:
+        level: baseline
+        version: latest
+        exclude:
+        - controlName: "/proc Mount Type"
+          images:
+          - nginx
+          restrictedField: "spec.containers[*].securityContext.procMount"

test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: psa-2
+spec:
+  background: true
+  validationFailureAction: Enforce
+  rules:
+  - name: baseline
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      podSecurity:
+        level: baseline
+        version: latest
+        exclude:
+        - controlName: "/proc Mount Type"
+          images:
+          - nginx
+          values:
+          - "bar"