From d84fc7b4e123ba109d83f55e89e3c76a634b1427 Mon Sep 17 00:00:00 2001
From: Mohd Uzair
Date: Fri, 3 Jan 2025 15:21:44 +0530
Subject: [PATCH] fix panic when rules are empty (#11821)
Signed-off-by: MUzairS15
Co-authored-by: Mariam Fahmy
Co-authored-by: shuting
---
 .../kyvernopolicy_checker.go | 4 ++++
 .../kyvernopolicy_checker_test.go | 15 +++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
index ab76e5252c..656a1d9a04 100644
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
@@ -114,6 +114,10 @@ func checkPolicy(spec *kyvernov1.Spec) (bool, string) {
 func checkRuleCount(spec *kyvernov1.Spec) (bool, string) {
 var msg string
+ if len(spec.Rules) == 0 {
+ msg = "skip generating ValidatingAdmissionPolicy: no rules found."
+ return false, msg
+ }
 if len(spec.Rules) > 1 {
 msg = "skip generating ValidatingAdmissionPolicy: multiple rules are not applicable."
 return false, msg
diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
index 07670636b2..f5985a8c4f 100644
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
@@ -841,6 +841,21 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
 `),
 expected: true,
 },
+ {
+ name: "policy-with-no-rules",
+ policy: []byte(`
+{
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "empty-policy"
+ },
+ "spec": {
+ "rules": []
+ }
+}`),
+ expected: false,
+ },
 }
 for _, test := range testCases {
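Review bot: The new guard in checkRuleCount reads `spec.Rules` without checking `spec` itself, so a nil `*kyvernov1.Spec` would still panic on the added line; whether any caller can pass nil is not visible in this hunk. Either widen the guard to `if spec == nil || len(spec.Rules) == 0 {` or state the non-nil precondition in a doc comment. This path presumably runs on user-submitted policies while deciding whether to generate a ValidatingAdmissionPolicy, so a panic here costs availability of policy handling. It is therefore also worth recording the contract, e.g. `// checkRuleCount reports whether spec holds exactly one rule; callers must not index spec.Rules before it returns true.` The function body continues outside the hunk.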
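Review bot: The added `policy-with-no-rules` case exercises only an explicit `"rules": []`; a policy whose `spec` omits `rules` entirely decodes to a nil slice and takes the same `len(spec.Rules) == 0` branch, so a second table entry for that shape would pin the fix for both inputs. The case also asserts only `expected: false`, which would still pass if the policy were rejected for an unrelated reason. If the table can carry the returned message, comparing it against the "no rules found" text would tie the test to this guard. The test function starts and ends outside the hunk.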