fix: mutate existing auth check (#7219)

* fix auth check when using variables in ns

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add kuttl tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>

pkg/policy/mutate/validate.go

@@ -93,7 +93,7 @@ func (m *Mutate) hasPatchesJSON6902() bool {
 func (m *Mutate) validateAuth(ctx context.Context, targets []kyvernov1.TargetResourceSpec) error {
 	var errs []error
 	for _, target := range targets {
-		if !regex.IsVariable(target.Namespace) {
+		if !regex.IsVariable(target.Kind) {
 			_, _, k, sub := kubeutils.ParseKindSelector(target.Kind)
 			srcKey := k
 			if sub != "" {

test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a mutate existing policy is denied when the target has the namespace defined as variable.
+
+## Expected Behavior
+
+The test fails if the policy creation is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7213

test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/policy.yaml

@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cpol-namespace-variable
+spec:
+  mutateExistingOnPolicyUpdate: false
+  rules:
+    - name: apply-flag
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+              selector:
+                matchLabels:
+                  policy.lan/flag: 'true'
+      mutate:
+        targets:
+          - kind: PersistentVolumeClaim
+            apiVersion: v1
+            namespace: "{{ request.object.metadata.name }}"
+        patchStrategicMerge:
+          metadata:
+            labels:
+              policy.lan/apply-flag: 'true'

test/conformance/kuttl/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/01-fail-no-permission.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: policy.yaml
+  shouldFail: true