fix: update KeysAreMissing() to ignore negations in resource (#8953) (#8982)

* fix: update KeysAreMissing() to ignore negations in resource

KeysAreMissing() checks if a key is missing in a resource, since a negation should not be present in the resource, it should not count as a missing key



* feat: add tests



* fix: pod is supposed to fail



---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

pkg/engine/anchor/anchormap.go

@@ -18,8 +18,12 @@ func NewAnchorMap() *AnchorMap {
 // if any of (key)=false then return KeysAreMissing() as true
 // if all the keys exists in the pattern exists in resource then return KeysAreMissing() as false
 func (ac *AnchorMap) KeysAreMissing() bool {
-	for _, v := range ac.anchorMap {
+	for k, v := range ac.anchorMap {
 		if !v {
+			// Negations should not be present in the resource so they count as missing.
+			if a := Parse(k); IsNegation(a) {
+				continue
+			}
 			return true
 		}
 	}

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/02-pod.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: pod.yaml
+  shouldFail: true

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test verifies that when failurePolicy is set to to Ignore for a policy that was set to Enforce, Admission webhook denies requests when validation of a resource fails. The error should not get consumed by ignore failurePolicy 
+
+## Expected Behavior
+
+The pod should be not created.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/8916

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/pod.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: disallow-annotations-example
+  namespace: default
+  annotations:
+    kyverno-policies-test/key: disallowed
+spec:
+  containers:
+  - name: example
+    image: busybox
+    args: ["sleep", "infinity"]

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy-assert.yaml

@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-annotations

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-annotations
+spec:
+  background: true
+  failurePolicy: Ignore
+  rules:
+  - match:
+      all:
+      - resources:
+          kinds:
+          - Pod
+    name: disallow-annotations
+    validate:
+      message: One or more annotations is not allowed per the policies disallowed
+        values list.
+      pattern:
+        metadata:
+          =(annotations):
+            =(kyverno-policies-test/key): '!disallowed'
+            X(kyverno-policies-test/disallowed): "null"
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30