fix: get ns labels in the cluster mode when using the CLI (#10348)

* fix: get ns labels in the cluster mode when using the CLI

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* chore: fix chainsaw test

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* Update .vscode/launch.json

Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>

.github/workflows/conformance.yaml

@@ -967,6 +967,13 @@ jobs:
           name: kubectl-kyverno
       - name: Install chainsaw
         uses: kyverno/action-install-chainsaw@ef2517389320aae0fd7c067aa14b060eef08b76d # v0.2.3
+      # create cluster
+      - name: Create kind cluster
+        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        with:
+          node_image: kindest/node:v1.30.0
+          cluster_name: kind
+          config: ./scripts/config/kind/default.yaml
       - name: Install Kyverno CLI
         shell: bash
         run: |
@@ -980,7 +987,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -e
-          cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --config ../../../.chainsaw.yaml --no-cluster
+          cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --config ../../../.chainsaw.yaml
       - name: Fix test files
         shell: bash
         run: |

cmd/cli/kubectl-kyverno/processor/policy_processor.go

@@ -255,6 +255,14 @@ func (p *PolicyProcessor) makePolicyContext(
 			return nil, fmt.Errorf("failed to update old resource in json context (%w)", err)
 		}
 	}
+	if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" {
+		ns, err := p.Client.GetResource(context.TODO(), "v1", "Namespace", "", resource.GetNamespace())
+		if err != nil {
+			log.Log.Error(err, "failed to get the resource's namespace")
+			return nil, fmt.Errorf("failed to get the resource's namespace (%w)", err)
+		}
+		namespaceLabels = ns.GetLabels()
+	}
 	policyContext = policyContext.
 		WithPolicy(policy).
 		WithNamespaceLabels(namespaceLabels).

test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/README.md

@@ -0,0 +1,16 @@
+## Description
+
+This test makes sure that Kyverno CLI apply works as expected when an exception matches a pod with a namespace selector in case of cluster mode. (i.e. `--cluster` flag is set)
+
+## Steps
+
+1.  - Create a namespace `ns-1`
+1.  - Label the namespace `ns-1` with `kyverno.tess.io/mutateresource=false`
+1.  - Create a pod `test-pod` in namespace `ns-1`
+1.  - Create a policy that requires pod to run as non-root user.
+1.  - Create an exception that matches any pod whose ns selector is `kyverno.tess.io/mutateresource=false`
+1.  - Use `kyverno apply` command to apply the policy and the exception in a cluster mode. It is expected to have a `skip` as a result.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/10260

test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/chainsaw-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: apply-exception-with-ns-selector
+spec:
+  steps:
+  - name: step-01  
+    try:  
+    - script:  
+        content: kubectl create ns ns-1
+  - name: step-02
+    try:  
+    - script:  
+        content: kubectl label ns ns-1 kyverno.tess.io/mutateresource=false
+  - name: step-03
+    try:
+    - script:
+        content: kubectl apply -f pod.yaml
+  - name: step-04
+    try:
+    - script:
+        content: kyverno apply policy.yaml --exception exception.yaml --cluster --namespace ns-1
+        check:
+          ($stdout): |-
+            Applying 3 policy rule(s) to 1 resource(s) with 1 exception(s)...
+
+            pass: 0, fail: 0, warn: 0, error: 0, skip: 1

test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/exception.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: exception
+spec:
+  background: false
+  exceptions:
+  - policyName: require-run-as-non-root-user
+    ruleNames:
+    - run-as-non-root-user
+  match:
+    any:
+    - resources:
+        namespaceSelector:
+          matchExpressions:
+          - key: kyverno.tess.io/mutateresource
+            operator: In
+            values: 
+            - "false"
+        kinds:
+        - Pod
+        operations:
+        - UPDATE
+        - CREATE

test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/pod.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  namespace: ns-1
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+    # Grant necessary permissions using SecurityContext (optional)
+    securityContext:
+      runAsUser: 0
+    resources:
+      limits:
+        cpu: "1" 
+        memory: "1Gi"

test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml

@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-run-as-non-root-user
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: run-as-non-root-user
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Running the container as root user is not allowed.
+        pattern:
+          spec:
+            =(securityContext):
+              =(runAsUser): ">0"
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(runAsUser): ">0"
+            =(initContainers):
+              - =(securityContext):
+                  =(runAsUser): ">0"
+            containers:
+              - =(securityContext):
+                  =(runAsUser): ">0"