From cb0410dcf1c988c7fdd30007245076a115b8c252 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Mon, 17 Oct 2022 16:10:42 +0200 Subject: [PATCH] fix: policy not denied when kinds set is empty (#5016) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Charles-Edouard Brétéché --- pkg/policy/validate.go | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index be43b2c3f1..73c0235d8f 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -165,20 +165,6 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b return nil, fmt.Errorf("path: spec.rules[%d]: %v", i, err) } - // validate Cluster Resources in namespaced policy - // For namespaced policy, ClusterResource type field and values are not allowed in match and exclude - if namespaced { - return nil, checkClusterResourceInMatchAndExclude(rule, clusterResources, mock, res) - } - - // validate rule actions - // - Mutate - // - Validate - // - Generate - if err := validateActions(i, &rules[i], client, mock); err != nil { - return nil, err - } - // If a rule's match block does not match any kind, // we should only allow it to have metadata in its overlay if len(rule.MatchResources.Any) > 0 { 
@@ -199,6 +185,20 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
 }
 }
 
+ // validate Cluster Resources in namespaced policy
+ // For namespaced policy, ClusterResource type field and values are not allowed in match and exclude
+ if namespaced {
+ return nil, checkClusterResourceInMatchAndExclude(rule, clusterResources, mock, res)
+ }
+
+ // validate rule actions
+ // - Mutate
+ // - Validate
+ // - Generate
+ if err := validateActions(i, &rules[i], client, mock); err != nil {
+ return nil, err
+ }
+
 if utils.ContainsString(rule.MatchResources.Kinds, "*") && spec.BackgroundProcessingEnabled() {
 return nil, fmt.Errorf("wildcard policy not allowed in background mode. Set spec.background=false to disable background mode for this policy rule ")
 }
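Review bot: The relocated `return nil, checkClusterResourceInMatchAndExclude(rule, clusterResources, mock, res)` returns from Validate unconditionally, so when the check passes a namespaced policy gets `(nil, nil)` and validateActions directly below it, the wildcard-in-background rejection at the end of this hunk, and — if this sits in the per-rule loop that `i`/`rules[i]` suggest, whose start is outside the hunk — every later rule are never validated. The commit moves this block below the kinds check but keeps the early exit, so a namespaced Policy whose first rule references only namespaced resources is still admitted without its actions being validated. Only an error should short-circuit: `if err := checkClusterResourceInMatchAndExclude(rule, clusterResources, mock, res); err != nil { return nil, err }`, keeping the surrounding `if namespaced { ... }`. Validate's body continues outside the hunk on both sides.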