From d4327aeaebdc1cd6b47ef47f15f39742542aff27 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Tue, 8 Dec 2020 22:17:53 -0800
Subject: [PATCH] match/exclude ns resource name
---
 pkg/engine/generation.go | 5 +++++
 pkg/engine/mutation.go | 2 +-
 pkg/engine/utils.go | 15 +++++++++++++--
 pkg/engine/validation.go | 2 +-
 4 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go
index 9af9cd708d..7a513240d4 100644
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@@ -32,6 +32,8 @@ func Generate(policyContext PolicyContext) (resp response.EngineResponse) {
 return filterRules(policy, new, old, admissionInfo, ctx, logger, policyContext.ExcludeGroupRole, resCache, jsonContext)
 }
+// filterRule checks if a rule matches the rule selection criteria.
+//
 func filterRule(rule kyverno.Rule, new, old unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger, excludeGroupRole []string, resCache resourcecache.ResourceCacheIface, jsonContext *context.Context) *response.RuleResponse {
 if !rule.HasGenerate() {
 return nil
@@ -67,6 +69,7 @@ func filterRule(rule kyverno.Rule, new, old unstructured.Unstructured, admission
 log.V(4).Info("preconditions not satisfied, skipping rule", "rule", rule.Name)
 return nil
 }
+
 // build rule Response
 return &response.RuleResponse{
 Name: rule.Name,
@@ -89,10 +92,12 @@ func filterRules(policy kyverno.ClusterPolicy, new, old unstructured.Unstructure
 },
 },
 }
+
 for _, rule := range policy.Spec.Rules {
 if ruleResp := filterRule(rule, new, old, admissionInfo, ctx, log, excludeGroupRole, resCache, jsonContext); ruleResp != nil {
 resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp)
 }
 }
+
 return resp
 }
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index f8410ed352..a87b0f0f4c 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
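Review bot: The new doc comment on filterRule in the first generation.go hunk ends with a dangling `+//` line directly above the `func`, which reads as an unfinished paragraph and should either be removed or completed. The visible body already shows the contract worth documenting: the function returns nil when the rule has no generate block and when preconditions are not satisfied, so the comment could say `// filterRule evaluates a generate rule against the request and returns a RuleResponse when the rule applies, or nil when the rule has no generate block or its selection criteria (including preconditions) are not met.` Go convention also prefers "reports whether"/"returns" phrasing over "checks if". The body of filterRule continues outside this hunk, so any further conditions it returns nil for are not visible here.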
@@ -65,7 +65,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 // add configmap json data to context
 if err := AddResourceToContext(logger, rule.Context, resCache, jsonContext); err != nil {
- logger.V(4).Info("cannot add configmaps to context", "reason", err.Error())
+ logger.V(4).Info("failed to add configmaps to context", "reason", err.Error())
 continue
 }
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index a31ea07471..aca918fdf7 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -45,12 +45,18 @@ func checkName(name, resourceName string) bool {
 return wildcard.Match(name, resourceName)
 }
-func checkNameSpace(namespaces []string, resourceNameSpace string) bool {
+func checkNameSpace(namespaces []string, resource unstructured.Unstructured) bool {
+ resourceNameSpace := resource.GetNamespace()
+ if resource.GetKind() == "Namespace" {
+ resourceNameSpace = resource.GetName()
+ }
+
 for _, namespace := range namespaces {
 if wildcard.Match(namespace, resourceNameSpace) {
 return true
 }
 }
+
 return false
 }
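Review bot: The Namespace special case in checkNameSpace changes which objects a policy's namespace filter selects, and nothing in the function documents it; since the same helper is reached from doesResourceMatchConditionBlock, whose generic name suggests it serves both match and exclude blocks, an `exclude.resources.namespaces: [kube-system]` entry would now also exempt the Namespace object named kube-system itself from rules that govern Namespace resources. That matches the commit title, but it is a silent widening of exclusions for existing policies and deserves a doc comment and a test covering both the match and the exclude direction. The kind test is also by Kind string alone (GetKind carries no API group), so any custom kind also named Namespace would be matched by name; whether that matters depends on the cluster. Suggested header: `// checkNameSpace reports whether the resource's namespace matches any of the wildcard patterns. Namespace objects are cluster-scoped, so their own name is matched instead; this lets namespace filters in match/exclude select the Namespace itself.`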
@@ -108,26 +114,31 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin
 // should be: OR (across & inside) attributes
 func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, userInfo kyverno.UserInfo, admissionInfo kyverno.RequestInfo, resource unstructured.Unstructured, dynamicConfig []string) []error {
 var errs []error
+
 if len(conditionBlock.Kinds) > 0 {
 if !checkKind(conditionBlock.Kinds, resource.GetKind()) {
 errs = append(errs, fmt.Errorf("kind does not match %v", conditionBlock.Kinds))
 }
 }
+
 if conditionBlock.Name != "" {
 if !checkName(conditionBlock.Name, resource.GetName()) {
 errs = append(errs, fmt.Errorf("name does not match"))
 }
 }
+
 if len(conditionBlock.Namespaces) > 0 {
- if !checkNameSpace(conditionBlock.Namespaces, resource.GetNamespace()) {
+ if !checkNameSpace(conditionBlock.Namespaces, resource) {
 errs = append(errs, fmt.Errorf("namespace does not match"))
 }
 }
+
 if len(conditionBlock.Annotations) > 0 {
 if !checkAnnotations(conditionBlock.Annotations, resource.GetAnnotations()) {
 errs = append(errs, fmt.Errorf("annotations does not match"))
 }
 }
+
 if conditionBlock.Selector != nil {
 hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels())
 if err != nil {
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index bf79244e3f..ebb7fa42c8 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -54,7 +54,7 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 for i := range resp.PolicyResponse.Rules {
 messageInterface, err := variables.SubstituteVars(logger, ctx, resp.PolicyResponse.Rules[i].Message)
 if err != nil {
- logger.V(4).Info("failed to substitute JMES value", "error", err.Error())
+ logger.V(4).Info("failed to substitute variables", "error", err.Error())
 continue
 }
 resp.PolicyResponse.Rules[i].Message, _ = messageInterface.(string)
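Review bot: At the changed `checkNameSpace(conditionBlock.Namespaces, resource)` call, a Namespace object now has both the `Name` and the `Namespaces` filters evaluated against the same field, `resource.GetName()`, so a policy that sets both for `kinds: [Namespace]` effectively applies two name filters, and a mismatch is reported as `namespace does not match` even though no namespace was compared. A one-line why-comment above the call would spare the next reader a trip into the helper, e.g. `// for a Namespace object the namespaces filter is matched against the object's own name (see checkNameSpace)`, and the error message could state which value was tested. The rest of doesResourceMatchConditionBlock continues past this hunk, so I cannot see how the collected errors are consumed.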