diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 4917904e1f..579ed85f07 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -60,6 +60,7 @@ jobs: - deferred - events - exceptions + - filter - generate/clusterpolicy - generate/policy - generate/validation diff --git a/pkg/utils/match/subjects.go b/pkg/utils/match/subjects.go index b8d0ea66eb..d1923e141e 100644 --- a/pkg/utils/match/subjects.go +++ b/pkg/utils/match/subjects.go @@ -1,6 +1,7 @@ package match import ( + "github.com/kyverno/kyverno/pkg/utils/wildcard" authenticationv1 "k8s.io/api/authentication/v1" rbacv1 "k8s.io/api/rbac/v1" ) @@ -14,17 +15,17 @@ func CheckSubjects( switch subject.Kind { case rbacv1.ServiceAccountKind: username := "system:serviceaccount:" + subject.Namespace + ":" + subject.Name - if userInfo.Username == username { + if wildcard.Match(username, userInfo.Username) { return true } case rbacv1.GroupKind: for _, group := range userInfo.Groups { - if group == subject.Name { + if wildcard.Match(subject.Name, group) { return true } } case rbacv1.UserKind: - if userInfo.Username == subject.Name { + if wildcard.Match(subject.Name, userInfo.Username) { return true } } diff --git a/test/conformance/kuttl/filter/exclude/sa/no-wildcard/01-policy.yaml b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/filter/exclude/sa/no-wildcard/02-resource.yaml b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/02-resource.yaml new file mode 100644 index 0000000000..b2edcffef7 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/02-resource.yaml 
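Review bot: The three `wildcard.Match` calls in the `CheckSubjects` hunk silently turn every `subject.Name` (and, for the ServiceAccount case, `subject.Namespace`) into a pattern, and nothing in the hunk records that a literal `*` or `?` can no longer be matched — harmless for service accounts, whose name and namespace are DNS-1123 labels, but user and group strings come from the authenticator or external IdP and are not so constrained. Because this function serves `exclude` as well as `match`, a pattern that is wider than intended (for instance a Group subject that happens to match `system:authenticated`, a group presumably carried by every authenticated request) now disables the rule for every principal rather than one, so the new semantics deserve a comment at the `switch`, e.g. `// subject.Name (and the SA namespace) is a Kyverno wildcard pattern, not a literal; '*'/'?' in IdP-issued user or group names cannot be matched literally.` No unit test for the Go change is visible in this chunk — the added coverage is kuttl-only and exercises User and ServiceAccount subjects but not Group — so a table test in `subjects_test.go` with a `*` pattern per kind would pin the behaviour cheaply. `CheckSubjects` begins before the hunk (its signature appears only in the `@@` header) and its return path continues after it.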
@@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: resource.yaml + shouldFail: true diff --git a/test/conformance/kuttl/filter/exclude/sa/no-wildcard/README.md b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/README.md new file mode 100644 index 0000000000..8d4dcb4f30 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/README.md @@ -0,0 +1,12 @@ +## Description + +This test creates a policy, excluding service account `system:serviceaccount:kyverno:kyverno`. +This policy denies pod creation. + +## Expected Behavior + +The pod should be denied (user is `kubernetes-admin`). + +## Related issue(s) + +- https://github.com/kyverno/kyverno/issues/7938 diff --git a/test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy-assert.yaml b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy-assert.yaml new file mode 100644 index 0000000000..a7c862fb2b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy.yaml b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy.yaml new file mode 100644 index 0000000000..172b3a2037 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: + validationFailureAction: Enforce + background: false + rules: + - name: block-pod + match: + any: + - resources: + kinds: + - Pod + exclude: + any: + - subjects: + - kind: ServiceAccount + name: kyverno + namespace: kyverno + validate: + deny: {} 
diff --git a/test/conformance/kuttl/filter/exclude/sa/no-wildcard/resource.yaml b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/resource.yaml new file mode 100644 index 0000000000..3e067cb88b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/no-wildcard/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/kuttl/filter/exclude/sa/wildcard/01-policy.yaml b/test/conformance/kuttl/filter/exclude/sa/wildcard/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/wildcard/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/filter/exclude/sa/wildcard/02-resource.yaml b/test/conformance/kuttl/filter/exclude/sa/wildcard/02-resource.yaml new file mode 100644 index 0000000000..b2edcffef7 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/wildcard/02-resource.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: resource.yaml + shouldFail: true diff --git a/test/conformance/kuttl/filter/exclude/sa/wildcard/README.md b/test/conformance/kuttl/filter/exclude/sa/wildcard/README.md new file mode 100644 index 0000000000..fe454ef26b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/wildcard/README.md @@ -0,0 +1,12 @@ +## Description + +This test creates a policy, excluding service account `system:serviceaccount:?*:?*`. +This policy denies pod creation. + +## Expected Behavior + +The pod should be denied (user is `kubernetes-admin`). + +## Related issue(s) + +- https://github.com/kyverno/kyverno/issues/7938 
diff --git a/test/conformance/kuttl/filter/exclude/sa/wildcard/policy-assert.yaml b/test/conformance/kuttl/filter/exclude/sa/wildcard/policy-assert.yaml new file mode 100644 index 0000000000..a7c862fb2b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/wildcard/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/filter/exclude/sa/wildcard/policy.yaml b/test/conformance/kuttl/filter/exclude/sa/wildcard/policy.yaml new file mode 100644 index 0000000000..5a780f0b21 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/wildcard/policy.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: + validationFailureAction: Enforce + background: false + rules: + - name: block-pod + match: + any: + - resources: + kinds: + - Pod + exclude: + any: + - subjects: + - kind: ServiceAccount + name: '?*' + namespace: '?*' + validate: + deny: {} diff --git a/test/conformance/kuttl/filter/exclude/sa/wildcard/resource.yaml b/test/conformance/kuttl/filter/exclude/sa/wildcard/resource.yaml new file mode 100644 index 0000000000..3e067cb88b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/sa/wildcard/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/01-policy.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml 
diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/02-resource.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/02-resource.yaml new file mode 100644 index 0000000000..b2edcffef7 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/02-resource.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: resource.yaml + shouldFail: true diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/README.md b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/README.md new file mode 100644 index 0000000000..f2711a54bc --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/README.md @@ -0,0 +1,12 @@ +## Description + +This test creates a policy, excluding users `not-kubernetes-admin`. +This policy denies pod creation. + +## Expected Behavior + +The pod should be denied (user is `kubernetes-admin`). + +## Related issue(s) + +- https://github.com/kyverno/kyverno/issues/7938 diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy-assert.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy-assert.yaml new file mode 100644 index 0000000000..a7c862fb2b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy.yaml new file mode 100644 index 0000000000..3f258d6215 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy.yaml 
@@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: + validationFailureAction: Enforce + background: false + rules: + - name: block-pod + match: + any: + - resources: + kinds: + - Pod + exclude: + any: + - subjects: + - kind: User + name: not-kubernetes-admin + validate: + deny: {} diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/resource.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/resource.yaml new file mode 100644 index 0000000000..3e067cb88b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/block/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/01-policy.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/02-resource.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/02-resource.yaml new file mode 100644 index 0000000000..d363ac8c71 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/02-resource.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: resource.yaml + shouldFail: false diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/README.md b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/README.md new file mode 100644 index 0000000000..41a04ba99f --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/README.md 
@@ -0,0 +1,12 @@ +## Description + +This test creates a policy, excluding users `kubernetes-admin`. +This policy denies pod creation. + +## Expected Behavior + +The pod should be accepted (user is `kubernetes-admin`). + +## Related issue(s) + +- https://github.com/kyverno/kyverno/issues/7938 diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy-assert.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy-assert.yaml new file mode 100644 index 0000000000..a7c862fb2b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy.yaml new file mode 100644 index 0000000000..6dbdc24a99 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: + validationFailureAction: Enforce + background: false + rules: + - name: block-pod + match: + any: + - resources: + kinds: + - Pod + exclude: + any: + - subjects: + - kind: User + name: kubernetes-admin + validate: + deny: {} diff --git a/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/resource.yaml b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/resource.yaml new file mode 100644 index 0000000000..3e067cb88b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 
diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/block/01-policy.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/block/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/block/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/block/02-resource.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/block/02-resource.yaml new file mode 100644 index 0000000000..b2edcffef7 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/block/02-resource.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: resource.yaml + shouldFail: true diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/block/README.md b/test/conformance/kuttl/filter/exclude/user/wildcard/block/README.md new file mode 100644 index 0000000000..62724a00ec --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/block/README.md @@ -0,0 +1,12 @@ +## Description + +This test creates a policy, excluding users with wildcard `not-?*`. +This policy denies pod creation. + +## Expected Behavior + +The pod should be denied (user is `kubernetes-admin`). + +## Related issue(s) + +- https://github.com/kyverno/kyverno/issues/7938 diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/block/policy-assert.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/block/policy-assert.yaml new file mode 100644 index 0000000000..a7c862fb2b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/block/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/block/policy.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/block/policy.yaml new file mode 100644 index 0000000000..5320014c97 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/block/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: + validationFailureAction: Enforce + background: false + rules: + - name: block-pod + match: + any: + - resources: + kinds: + - Pod + exclude: + any: + - subjects: + - kind: User + name: not-?* + validate: + deny: {} diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/block/resource.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/block/resource.yaml new file mode 100644 index 0000000000..3e067cb88b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/block/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/pass/01-policy.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/pass/02-resource.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/02-resource.yaml new file mode 100644 index 0000000000..d363ac8c71 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/02-resource.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: resource.yaml + shouldFail: false 
diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/pass/README.md b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/README.md new file mode 100644 index 0000000000..8a2f239a0a --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/README.md @@ -0,0 +1,12 @@ +## Description + +This test creates a policy, excluding users with wildcard `?*`. +This policy denies pod creation. + +## Expected Behavior + +The pod should be accepted (user is `kubernetes-admin`). + +## Related issue(s) + +- https://github.com/kyverno/kyverno/issues/7938 diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy-assert.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy-assert.yaml new file mode 100644 index 0000000000..a7c862fb2b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy.yaml new file mode 100644 index 0000000000..b92e77c337 --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: + validationFailureAction: Enforce + background: false + rules: + - name: block-pod + match: + any: + - resources: + kinds: + - Pod + exclude: + any: + - subjects: + - kind: User + name: '?*' + validate: + deny: {} diff --git a/test/conformance/kuttl/filter/exclude/user/wildcard/pass/resource.yaml b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/resource.yaml new file mode 100644 index 0000000000..3e067cb88b --- /dev/null +++ b/test/conformance/kuttl/filter/exclude/user/wildcard/pass/resource.yaml 
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/kuttl/filter/match/sa/no-wildcard/01-policy.yaml b/test/conformance/kuttl/filter/match/sa/no-wildcard/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/no-wildcard/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/filter/match/sa/no-wildcard/02-resource.yaml b/test/conformance/kuttl/filter/match/sa/no-wildcard/02-resource.yaml new file mode 100644 index 0000000000..d363ac8c71 --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/no-wildcard/02-resource.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: resource.yaml + shouldFail: false diff --git a/test/conformance/kuttl/filter/match/sa/no-wildcard/README.md b/test/conformance/kuttl/filter/match/sa/no-wildcard/README.md new file mode 100644 index 0000000000..b48c686463 --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/no-wildcard/README.md @@ -0,0 +1,12 @@ +## Description + +This test creates a policy, matching service account `system:serviceaccount:kyverno:kyverno`. +This policy denies pod creation. + +## Expected Behavior + +The pod should be accepted (user is `kubernetes-admin`). + +## Related issue(s) + +- https://github.com/kyverno/kyverno/issues/7938 diff --git a/test/conformance/kuttl/filter/match/sa/no-wildcard/policy-assert.yaml b/test/conformance/kuttl/filter/match/sa/no-wildcard/policy-assert.yaml new file mode 100644 index 0000000000..a7c862fb2b --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/no-wildcard/policy-assert.yaml 
@@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/filter/match/sa/no-wildcard/policy.yaml b/test/conformance/kuttl/filter/match/sa/no-wildcard/policy.yaml new file mode 100644 index 0000000000..4968d662ca --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/no-wildcard/policy.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: + validationFailureAction: Enforce + background: false + rules: + - name: block-pod + match: + any: + - resources: + kinds: + - Pod + subjects: + - kind: ServiceAccount + name: kyverno + namespace: kyverno + validate: + deny: {} diff --git a/test/conformance/kuttl/filter/match/sa/no-wildcard/resource.yaml b/test/conformance/kuttl/filter/match/sa/no-wildcard/resource.yaml new file mode 100644 index 0000000000..3e067cb88b --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/no-wildcard/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/kuttl/filter/match/sa/wildcard/01-policy.yaml b/test/conformance/kuttl/filter/match/sa/wildcard/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/wildcard/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/filter/match/sa/wildcard/02-resource.yaml b/test/conformance/kuttl/filter/match/sa/wildcard/02-resource.yaml new file mode 100644 index 0000000000..d363ac8c71 --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/wildcard/02-resource.yaml 
@@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: resource.yaml + shouldFail: false diff --git a/test/conformance/kuttl/filter/match/sa/wildcard/README.md b/test/conformance/kuttl/filter/match/sa/wildcard/README.md new file mode 100644 index 0000000000..058a113b6b --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/wildcard/README.md @@ -0,0 +1,12 @@ +## Description + +This test creates a policy, matching service account `system:serviceaccount:?*:?*`. +This policy denies pod creation. + +## Expected Behavior + +The pod should be accepted (user is `kubernetes-admin`). + +## Related issue(s) + +- https://github.com/kyverno/kyverno/issues/7938 diff --git a/test/conformance/kuttl/filter/match/sa/wildcard/policy-assert.yaml b/test/conformance/kuttl/filter/match/sa/wildcard/policy-assert.yaml new file mode 100644 index 0000000000..a7c862fb2b --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/wildcard/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/filter/match/sa/wildcard/policy.yaml b/test/conformance/kuttl/filter/match/sa/wildcard/policy.yaml new file mode 100644 index 0000000000..cfe930ca08 --- /dev/null +++ b/test/conformance/kuttl/filter/match/sa/wildcard/policy.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: + validationFailureAction: Enforce + background: false + rules: + - name: block-pod + match: + any: + - resources: + kinds: + - Pod + subjects: + - kind: ServiceAccount + name: '?*' + namespace: '?*' + validate: + deny: {} diff --git a/test/conformance/kuttl/filter/match/sa/wildcard/resource.yaml b/test/conformance/kuttl/filter/match/sa/wildcard/resource.yaml new file mode 100644 index 0000000000..3e067cb88b --- /dev/null 
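Review bot: None of the `sa/*` conformance tests added here exercise a positive service-account match: every README states the request is made as `kubernetes-admin`, so the `match/sa/wildcard` policy above (`name: '?*'`, `namespace: '?*'`) is only shown not firing for a non-SA user, and the expected accept/deny outcomes would be identical if the `system:serviceaccount:` pattern never matched anything. A step that creates the pod under a service-account identity (for instance a kuttl `commands` step running `kubectl --as=system:serviceaccount:default:default apply -f resource.yaml`, if the test cluster permits impersonation) would demonstrate the wildcard actually matching the constructed `system:serviceaccount:<ns>:<name>` username. No Group-kind subject test appears in this chunk either.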
+++ b/test/conformance/kuttl/filter/match/sa/wildcard/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/block/01-policy.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/block/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/match/user/no-wildcard/block/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/block/02-resource.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/block/02-resource.yaml new file mode 100644 index 0000000000..b2edcffef7 --- /dev/null +++ b/test/conformance/kuttl/filter/match/user/no-wildcard/block/02-resource.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: resource.yaml + shouldFail: true diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/block/README.md b/test/conformance/kuttl/filter/match/user/no-wildcard/block/README.md new file mode 100644 index 0000000000..ba0463ebf6 --- /dev/null +++ b/test/conformance/kuttl/filter/match/user/no-wildcard/block/README.md @@ -0,0 +1,12 @@ +## Description + +This test creates a policy, matching users `kubernetes-admin`. +This policy denies pod creation. + +## Expected Behavior + +The pod should be denied (user is `kubernetes-admin`). + +## Related issue(s) + +- https://github.com/kyverno/kyverno/issues/7938 diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/block/policy-assert.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/block/policy-assert.yaml new file mode 100644 index 0000000000..a7c862fb2b --- /dev/null +++ b/test/conformance/kuttl/filter/match/user/no-wildcard/block/policy-assert.yaml 
@@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/block/policy.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/block/policy.yaml new file mode 100644 index 0000000000..5a269a41b6 --- /dev/null +++ b/test/conformance/kuttl/filter/match/user/no-wildcard/block/policy.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: block-pod +spec: + validationFailureAction: Enforce + background: false + rules: + - name: block-pod + match: + any: + - resources: + kinds: + - Pod + subjects: + - kind: User + name: kubernetes-admin + validate: + deny: {} diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/block/resource.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/block/resource.yaml new file mode 100644 index 0000000000..3e067cb88b --- /dev/null +++ b/test/conformance/kuttl/filter/match/user/no-wildcard/block/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/pass/01-policy.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/01-policy.yaml new file mode 100644 index 0000000000..b088ed7601 --- /dev/null +++ b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy.yaml +assert: +- policy-assert.yaml diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/pass/02-resource.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/02-resource.yaml new file mode 100644 index 0000000000..d363ac8c71 --- /dev/null +++ b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/02-resource.yaml 
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+ shouldFail: false
diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/pass/README.md b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/README.md
new file mode 100644
index 0000000000..a69cb1b559
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users `not-kubernetes-admin`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy-assert.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy.yaml
new file mode 100644
index 0000000000..d4f8b61e2a
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: User
+ name: not-kubernetes-admin
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/filter/match/user/no-wildcard/pass/resource.yaml b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/no-wildcard/pass/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/block/01-policy.yaml b/test/conformance/kuttl/filter/match/user/wildcard/block/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/block/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/block/02-resource.yaml b/test/conformance/kuttl/filter/match/user/wildcard/block/02-resource.yaml
new file mode 100644
index 0000000000..b2edcffef7
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/block/02-resource.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+ shouldFail: true
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/block/README.md b/test/conformance/kuttl/filter/match/user/wildcard/block/README.md
new file mode 100644
index 0000000000..2871c9c2b4
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/block/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users with wildcard `?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/block/policy-assert.yaml b/test/conformance/kuttl/filter/match/user/wildcard/block/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/block/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/block/policy.yaml b/test/conformance/kuttl/filter/match/user/wildcard/block/policy.yaml
new file mode 100644
index 0000000000..391727e652
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/block/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: User
+ name: '?*'
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/block/resource.yaml b/test/conformance/kuttl/filter/match/user/wildcard/block/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/block/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/pass/01-policy.yaml b/test/conformance/kuttl/filter/match/user/wildcard/pass/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/pass/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/pass/02-resource.yaml b/test/conformance/kuttl/filter/match/user/wildcard/pass/02-resource.yaml
new file mode 100644
index 0000000000..d363ac8c71
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/pass/02-resource.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+ shouldFail: false
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/pass/README.md b/test/conformance/kuttl/filter/match/user/wildcard/pass/README.md
new file mode 100644
index 0000000000..b3791bd8e0
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/pass/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users with wildcard `not-?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/pass/policy-assert.yaml b/test/conformance/kuttl/filter/match/user/wildcard/pass/policy-assert.yaml
new file mode 100644
index 0000000000..a7c862fb2b
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/pass/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/pass/policy.yaml b/test/conformance/kuttl/filter/match/user/wildcard/pass/policy.yaml
new file mode 100644
index 0000000000..5cc4323566
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/pass/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-pod
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: block-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: User
+ name: not-?*
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/filter/match/user/wildcard/pass/resource.yaml b/test/conformance/kuttl/filter/match/user/wildcard/pass/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/kuttl/filter/match/user/wildcard/pass/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
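Review bot: The wildcard subject in this policy.yaml is an unquoted plain scalar, `name: not-?*`, while the sibling block/policy.yaml quotes its pattern as `name: '?*'`; the two fixtures exercise the same matcher and should spell the pattern the same way. Quoting it here as `name: 'not-?*'` keeps the glob characters visibly a string literal and removes any dependence on how a given YAML loader treats `?` and `*` in plain scalars. A one-line comment above the subject, `# glob pattern: matched against the request's userInfo.username`, would also make the intent of the fixture clear to readers who do not know that subject names are now matched as wildcards.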