feat: support wildcard in subjects statements (#8068)

* feat: support wildcard in subjects statements

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* sa tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

.github/workflows/conformance.yaml

@@ -60,6 +60,7 @@ jobs:
           - deferred
           - events
           - exceptions
+          - filter
           - generate/clusterpolicy
           - generate/policy
           - generate/validation

pkg/utils/match/subjects.go

@@ -1,6 +1,7 @@
 package match
 
 import (
+	"github.com/kyverno/kyverno/pkg/utils/wildcard"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 )
@@ -14,17 +15,17 @@ func CheckSubjects(
 		switch subject.Kind {
 		case rbacv1.ServiceAccountKind:
 			username := "system:serviceaccount:" + subject.Namespace + ":" + subject.Name
-			if userInfo.Username == username {
+			if wildcard.Match(username, userInfo.Username) {
 				return true
 			}
 		case rbacv1.GroupKind:
 			for _, group := range userInfo.Groups {
-				if group == subject.Name {
+				if wildcard.Match(subject.Name, group) {
 					return true
 				}
 			}
 		case rbacv1.UserKind:
-			if userInfo.Username == subject.Name {
+			if wildcard.Match(subject.Name, userInfo.Username) {
 				return true
 			}
 		}

test/conformance/kuttl/filter/exclude/sa/no-wildcard/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/exclude/sa/no-wildcard/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: true

test/conformance/kuttl/filter/exclude/sa/no-wildcard/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding service account `system:serviceaccount:kyverno:kyverno`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/exclude/sa/no-wildcard/policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    exclude:
+      any:
+      - subjects:
+        - kind: ServiceAccount
+          name: kyverno
+          namespace: kyverno
+    validate:
+      deny: {}

test/conformance/kuttl/filter/exclude/sa/no-wildcard/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/exclude/sa/wildcard/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/exclude/sa/wildcard/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: true

test/conformance/kuttl/filter/exclude/sa/wildcard/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding service account `system:serviceaccount:?*:?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/exclude/sa/wildcard/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/exclude/sa/wildcard/policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    exclude:
+      any:
+      - subjects:
+        - kind: ServiceAccount
+          name: '?*'
+          namespace: '?*'
+    validate:
+      deny: {}

test/conformance/kuttl/filter/exclude/sa/wildcard/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/exclude/user/no-wildcard/block/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/exclude/user/no-wildcard/block/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: true

test/conformance/kuttl/filter/exclude/user/no-wildcard/block/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding users `not-kubernetes-admin`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/exclude/user/no-wildcard/block/policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    exclude:
+      any:
+      - subjects:
+        - kind: User
+          name: not-kubernetes-admin
+    validate:
+      deny: {}

test/conformance/kuttl/filter/exclude/user/no-wildcard/block/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: false

test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding users `kubernetes-admin`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    exclude:
+      any:
+      - subjects:
+        - kind: User
+          name: kubernetes-admin
+    validate:
+      deny: {}

test/conformance/kuttl/filter/exclude/user/no-wildcard/pass/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/exclude/user/wildcard/block/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/exclude/user/wildcard/block/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: true

test/conformance/kuttl/filter/exclude/user/wildcard/block/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding users with wildcard `not-?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/exclude/user/wildcard/block/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/exclude/user/wildcard/block/policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    exclude:
+      any:
+      - subjects:
+        - kind: User
+          name: not-?*
+    validate:
+      deny: {}

test/conformance/kuttl/filter/exclude/user/wildcard/block/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/exclude/user/wildcard/pass/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/exclude/user/wildcard/pass/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: false

test/conformance/kuttl/filter/exclude/user/wildcard/pass/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, excluding users with wildcard `?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/exclude/user/wildcard/pass/policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    exclude:
+      any:
+      - subjects:
+        - kind: User
+          name: '?*'
+    validate:
+      deny: {}

test/conformance/kuttl/filter/exclude/user/wildcard/pass/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/match/sa/no-wildcard/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/match/sa/no-wildcard/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: false

test/conformance/kuttl/filter/match/sa/no-wildcard/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching service account `system:serviceaccount:kyverno:kyverno`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/match/sa/no-wildcard/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/match/sa/no-wildcard/policy.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+        subjects:
+        - kind: ServiceAccount
+          name: kyverno
+          namespace: kyverno
+    validate:
+      deny: {}

test/conformance/kuttl/filter/match/sa/no-wildcard/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/match/sa/wildcard/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/match/sa/wildcard/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: false

test/conformance/kuttl/filter/match/sa/wildcard/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching service account `system:serviceaccount:?*:?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/match/sa/wildcard/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/match/sa/wildcard/policy.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+        subjects:
+        - kind: ServiceAccount
+          name: '?*'
+          namespace: '?*'
+    validate:
+      deny: {}

test/conformance/kuttl/filter/match/sa/wildcard/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/match/user/no-wildcard/block/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/match/user/no-wildcard/block/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: true

test/conformance/kuttl/filter/match/user/no-wildcard/block/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users `kubernetes-admin`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/match/user/no-wildcard/block/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/match/user/no-wildcard/block/policy.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+        subjects:
+        - kind: User
+          name: kubernetes-admin
+    validate:
+      deny: {}

test/conformance/kuttl/filter/match/user/no-wildcard/block/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/match/user/no-wildcard/pass/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/match/user/no-wildcard/pass/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: false

test/conformance/kuttl/filter/match/user/no-wildcard/pass/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users `not-kubernetes-admin`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/match/user/no-wildcard/pass/policy.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+        subjects:
+        - kind: User
+          name: not-kubernetes-admin
+    validate:
+      deny: {}

test/conformance/kuttl/filter/match/user/no-wildcard/pass/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/match/user/wildcard/block/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/match/user/wildcard/block/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: true

test/conformance/kuttl/filter/match/user/wildcard/block/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users with wildcard `?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be denied (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/match/user/wildcard/block/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/match/user/wildcard/block/policy.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+        subjects:
+        - kind: User
+          name: '?*'
+    validate:
+      deny: {}

test/conformance/kuttl/filter/match/user/wildcard/block/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80

test/conformance/kuttl/filter/match/user/wildcard/pass/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/filter/match/user/wildcard/pass/02-resource.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
+  shouldFail: false

test/conformance/kuttl/filter/match/user/wildcard/pass/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, matching users with wildcard `not-?*`.
+This policy denies pod creation.
+
+## Expected Behavior
+
+The pod should be accepted (user is `kubernetes-admin`).
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7938

test/conformance/kuttl/filter/match/user/wildcard/pass/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/filter/match/user/wildcard/pass/policy.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-pod
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: block-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+        subjects:
+        - kind: User
+          name: not-?*
+    validate:
+      deny: {}

test/conformance/kuttl/filter/match/user/wildcard/pass/resource.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  containers:
+    - name: container
+      image: nginx:latest
+      ports:
+        - containerPort: 80