fix: policy not denied when kinds set is empty (#5016)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2022-10-17 16:10:42 +02:00 · 2022-10-17 16:10:42 +02:00 · cb0410dcf1
commit cb0410dcf1
parent 6270d40f50
1 changed files with 14 additions and 14 deletions
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -165,20 +165,6 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
 			return nil, fmt.Errorf("path: spec.rules[%d]: %v", i, err)
 		}

-		// validate Cluster Resources in namespaced policy
-		// For namespaced policy, ClusterResource type field and values are not allowed in match and exclude
-		if namespaced {
-			return nil, checkClusterResourceInMatchAndExclude(rule, clusterResources, mock, res)
-		}
-
-		// validate rule actions
-		// - Mutate
-		// - Validate
-		// - Generate
-		if err := validateActions(i, &rules[i], client, mock); err != nil {
-			return nil, err
-		}
-
 		// If a rule's match block does not match any kind,
 		// we should only allow it to have metadata in its overlay
 		if len(rule.MatchResources.Any) > 0 {
@ -199,6 +185,20 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
 			}
 		}

+		// validate Cluster Resources in namespaced policy
+		// For namespaced policy, ClusterResource type field and values are not allowed in match and exclude
+		if namespaced {
+			return nil, checkClusterResourceInMatchAndExclude(rule, clusterResources, mock, res)
+		}
+
+		// validate rule actions
+		// - Mutate
+		// - Validate
+		// - Generate
+		if err := validateActions(i, &rules[i], client, mock); err != nil {
+			return nil, err
+		}
+
 		if utils.ContainsString(rule.MatchResources.Kinds, "*") && spec.BackgroundProcessingEnabled() {
 			return nil, fmt.Errorf("wildcard policy not allowed in background mode. Set spec.background=false to disable background mode for this policy rule ")
 		}