Fix CLI test/apply when any/all use namespaceSelector (#3050)

* Fix CLI test/apply when any/all use namespaceSelector Fixes #3047 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * gofmt fix Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2025-03-29 10:55:05 +00:00 · 2022-01-25 03:06:17 -05:00 · 2022-01-25 03:06:17 -05:00 · cd4650eb5a
commit cd4650eb5a
parent e5e64f86cf
5 changed files with 77 additions and 0 deletions
--- a/pkg/kyverno/common/common.go
+++ b/pkg/kyverno/common/common.go
@ -470,12 +470,37 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
 	}

 	policyWithNamespaceSelector := false
+OuterLoop:
 	for _, p := range policy.Spec.Rules {
 		if p.MatchResources.ResourceDescription.NamespaceSelector != nil ||
 			p.ExcludeResources.ResourceDescription.NamespaceSelector != nil {
 			policyWithNamespaceSelector = true
 			break
 		}
+		for _, m := range p.MatchResources.Any {
+			if m.ResourceDescription.NamespaceSelector != nil {
+				policyWithNamespaceSelector = true
+				break OuterLoop
+			}
+		}
+		for _, m := range p.MatchResources.All {
+			if m.ResourceDescription.NamespaceSelector != nil {
+				policyWithNamespaceSelector = true
+				break OuterLoop
+			}
+		}
+		for _, e := range p.ExcludeResources.Any {
+			if e.ResourceDescription.NamespaceSelector != nil {
+				policyWithNamespaceSelector = true
+				break OuterLoop
+			}
+		}
+		for _, e := range p.ExcludeResources.All {
+			if e.ResourceDescription.NamespaceSelector != nil {
+				policyWithNamespaceSelector = true
+				break OuterLoop
+			}
+		}
 	}

 	if policyWithNamespaceSelector {
--- a/test/cli/test/any-namespaceSelector/policy.yaml
+++ b/test/cli/test/any-namespaceSelector/policy.yaml
@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-pod-name
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: validate-name
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+              namespaceSelector:
+                matchExpressions:
+                - key: foo.com/managed-state
+                  operator: In
+                  values:
+                  - managed
+      validate:
+        message: "The Pod must end with -nginx"
+        pattern:
+          metadata:
+            name: "*-nginx"
--- a/test/cli/test/any-namespaceSelector/resource.yaml
+++ b/test/cli/test/any-namespaceSelector/resource.yaml
@ -0,0 +1,9 @@
+kind: Pod
+apiVersion: v1
+metadata:
+  name: test-nginx
+  namespace: test1
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
--- a/test/cli/test/any-namespaceSelector/test.yaml
+++ b/test/cli/test/any-namespaceSelector/test.yaml
@ -0,0 +1,14 @@
+---
+name: enforce-pod-name
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+variables: value.yaml
+results:
+  - policy: enforce-pod-name
+    rule: validate-name
+    resource: test-nginx
+    kind: Pod
+    namespace: test1
+    result: pass
--- a/test/cli/test/any-namespaceSelector/value.yaml
+++ b/test/cli/test/any-namespaceSelector/value.yaml
@ -0,0 +1,4 @@
+namespaceSelector:
+  - name: test1
+    labels:
+      foo.com/managed-state: managed