fix ns selector (#6216)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

pkg/webhooks/resource/validation/validation.go

@@ -140,7 +140,7 @@ func (v *validationHandler) HandleValidation(
 		return false, webhookutils.GetBlockedMessages(engineResponses), nil
 	}
 
-	go v.handleAudit(ctx, policyContext.NewResource(), request, engineResponses...)
+	go v.handleAudit(ctx, policyContext.NewResource(), request, policyContext.NamespaceLabels(), engineResponses...)
 
 	warnings := webhookutils.GetWarningMessages(engineResponses)
 	return true, "", warnings
@@ -150,6 +150,7 @@ func (v *validationHandler) buildAuditResponses(
 	ctx context.Context,
 	resource unstructured.Unstructured,
 	request *admissionv1.AdmissionRequest,
+	namespaceLabels map[string]string,
 ) ([]*engineapi.EngineResponse, error) {
 	policies := v.pCache.GetPolicies(policycache.ValidateAudit, request.Kind.Kind, request.Namespace)
 	policyContext, err := v.pcBuilder.Build(request)
@@ -163,7 +164,7 @@ func (v *validationHandler) buildAuditResponses(
 			"pkg/webhooks/resource/validate",
 			fmt.Sprintf("POLICY %s/%s", policy.GetNamespace(), policy.GetName()),
 			func(ctx context.Context, span trace.Span) {
-				policyContext := policyContext.WithPolicy(policy)
+				policyContext := policyContext.WithPolicy(policy).WithNamespaceLabels(namespaceLabels)
 				responses = append(responses, v.engine.Validate(ctx, policyContext))
 			},
 		)
@@ -175,6 +176,7 @@ func (v *validationHandler) handleAudit(
 	ctx context.Context,
 	resource unstructured.Unstructured,
 	request *admissionv1.AdmissionRequest,
+	namespaceLabels map[string]string,
 	engineResponses ...*engineapi.EngineResponse,
 ) {
 	if !v.admissionReports {
@@ -196,7 +198,7 @@ func (v *validationHandler) handleAudit(
 		"",
 		fmt.Sprintf("AUDIT %s %s", request.Operation, request.Kind),
 		func(ctx context.Context, span trace.Span) {
-			responses, err := v.buildAuditResponses(ctx, resource, request)
+			responses, err := v.buildAuditResponses(ctx, resource, request, namespaceLabels)
 			if err != nil {
 				v.log.Error(err, "failed to build audit responses")
 			}

test/conformance/kuttl/reports/admission/namespaceselector/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/reports/admission/namespaceselector/02-pod.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: pods.yaml
+assert:
+- pods.yaml

test/conformance/kuttl/reports/admission/namespaceselector/03-report.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- report-expected.yaml
+error:
+- report-unexpected.yaml

test/conformance/kuttl/reports/admission/namespaceselector/README.md

@@ -0,0 +1,8 @@
+## Description
+
+This test validate the reporting ability for a audit policy with the `namespaceSelector` defined.
+
+## Expected Behavior
+
+A policy report should be created for the pod `test-audit-reports-namespacesselector/audit-pod`, but not for `test-non-audit-reports-namespacesselector/non-audit-pod` as the namespace selector doesn't match.
+

test/conformance/kuttl/reports/admission/namespaceselector/pods.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: audit-pod
+  namespace: test-audit-reports-namespacesselector
+spec:
+  containers:
+  - image: nginx:latest
+    name: audit-pod
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: non-audit-pod
+  namespace: test-non-audit-reports-namespacesselector
+spec:
+  containers:
+  - image: nginx:latest
+    name: non-audit-pod

test/conformance/kuttl/reports/admission/namespaceselector/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test-audit-reports-namespacesselector
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/reports/admission/namespaceselector/policy.yaml

@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test-audit-reports-namespacesselector
+  annotations:  
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  background: false
+  mutateExistingOnPolicyUpdate: false
+  validationFailureAction: Audit
+  rules:
+  - name: test-audit-reports-namespacesselector
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          namespaceSelector:
+            matchExpressions:
+              - key: org
+                operator: Exists
+    validate:
+      pattern:
+        metadata:
+          annotations:
+            validate: namespaceselector
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    org: kyverno-test
+  name: test-audit-reports-namespacesselector
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-non-audit-reports-namespacesselector

test/conformance/kuttl/reports/admission/namespaceselector/report-expected.yaml

@@ -0,0 +1,14 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  name: cpol-test-audit-reports-namespacesselector
+  namespace: test-audit-reports-namespacesselector
+results:
+- policy: test-audit-reports-namespacesselector
+  resources:
+  - apiVersion: v1
+    kind: Pod
+    name: audit-pod
+    namespace: test-audit-reports-namespacesselector
+  result: fail
+  rule: test-audit-reports-namespacesselector

test/conformance/kuttl/reports/admission/namespaceselector/report-unexpected.yaml

@@ -0,0 +1,5 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  name: cpol-test-audit-reports-namespacesselector
+  namespace: test-non-nonaudit-reports-namespacesselector