fix: validate subject kind (#7582)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

api/kyverno/v1/user_info_types.go

@@ -35,6 +35,8 @@ func (u *UserInfo) ValidateSubjects(path *field.Path) (errs field.ErrorList) {
 		entry := path.Index(index)
 		if subject.Kind == "" {
 			errs = append(errs, field.Required(entry.Child("kind"), ""))
+		} else if subject.Kind != rbacv1.GroupKind && subject.Kind != rbacv1.ServiceAccountKind && subject.Kind != rbacv1.UserKind {
+			errs = append(errs, field.Invalid(entry.Child("kind"), subject.Kind, "kind must be 'User', 'Group', or 'ServiceAccount'"))
 		}
 		if subject.Name == "" {
 			errs = append(errs, field.Required(entry.Child("name"), ""))

test/conformance/kuttl/policy-validation/cluster-policy/invalid-subject-kind/01-policies.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: policy.yaml
+  shouldFail: true

test/conformance/kuttl/policy-validation/cluster-policy/invalid-subject-kind/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test tries to create a policy with invalid an invalid subject kind (`Foo`).
+Only kinds supported are `User`, `Group`, or `ServiceAccount`.
+
+## Expected Behavior
+
+Policy should be rejected.
+
+## Related Issue
+
+https://github.com/kyverno/kyverno/issues/7052

test/conformance/kuttl/policy-validation/cluster-policy/invalid-subject-kind/policy.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: temp
+spec:
+  background: false
+  rules:
+    - name: test-rule
+      match:
+        any:
+        - resources:
+            kinds:
+            - ConfigMap
+          subjects:
+          - name: foo
+            kind: Foo
+      validate:
+        deny: {}