fix: handle auth permission for cloneList validation (#4684)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2025-04-08 18:15:48 +00:00 · 2022-09-26 13:23:00 +05:30 · 2022-09-26 13:23:00 +05:30 · 9cc1e6b2b3
commit 9cc1e6b2b3
parent 4d7e1281de
2 changed files with 12 additions and 3 deletions
--- a/pkg/policy/generate/validate.go
+++ b/pkg/policy/generate/validate.go
@ -10,6 +10,7 @@ import (
 	commonAnchors "github.com/kyverno/kyverno/pkg/engine/anchor"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	"github.com/kyverno/kyverno/pkg/policy/common"
+	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 )

 // Generate provides implementation to validate 'generate' rule
@ -74,8 +75,17 @@ func (g *Generate) Validate() (string, error) {
 	// instructions to modify the RBAC for kyverno are mentioned at https://github.com/kyverno/kyverno/blob/master/documentation/installation.md
 	// - operations required: create/update/delete/get
 	// If kind and namespace contain variables, then we cannot resolve then so we skip the processing
-	if err := g.canIGenerate(kind, namespace); err != nil {
-		return "", err
+	if len(rule.CloneList.Kinds) != 0 {
+		for _, kind = range rule.CloneList.Kinds {
+			_, kind = kubeutils.GetKindFromGVK(kind)
+			if err := g.canIGenerate(kind, namespace); err != nil {
+				return "", err
+			}
+		}
+	} else {
+		if err := g.canIGenerate(kind, namespace); err != nil {
+			return "", err
+		}
 	}
 	return "", nil
 }
--- a/test/e2e/generate/resources.go
+++ b/test/e2e/generate/resources.go
@ -440,7 +440,6 @@ spec:
          - kube-public
          - kyverno
    generate:
-      kind: Secret
      namespace: "{{request.object.metadata.name}}"
      synchronize : true
      cloneList: