From e3188fca8c39a264d959bc41c8f9f4354f281a60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Tue, 12 Sep 2023 20:56:31 +0200
Subject: [PATCH] fix: Overridden request.operation is not considered by match/exclude with operations (#8361)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* fix: verifyImages w/ multiple entries is not consistent
Signed-off-by: Charles-Edouard Brétéché
* clean
Signed-off-by: Charles-Edouard Brétéché
* fix: Kyverno apply produces false positives when validating 'empty dangling' tags
Signed-off-by: Charles-Edouard Brétéché
* fix: Overridden request.operation is not considered by match/exclude with operations
Signed-off-by: Charles-Edouard Brétéché
---------
Signed-off-by: Charles-Edouard Brétéché
---
 cmd/cli/kubectl-kyverno/processor/policy_processor.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor.go b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
index 7624f7f422..d19d1c4f40 100644
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@@ -204,8 +204,11 @@ func (p *PolicyProcessor) makePolicyContext(
 }
 resourceValues = vals
 }
- if resourceValues["request.operation"] == "DELETE" {
+ switch resourceValues["request.operation"] {
+ case "DELETE":
 operation = kyvernov1.Delete
+ case "UPDATE":
+ operation = kyvernov1.Update
 }
 policyContext, err := engine.NewPolicyContext(
 jp,
@@ -217,6 +220,9 @@ func (p *PolicyProcessor) makePolicyContext(
 if err != nil {
 log.Log.Error(err, "failed to create policy context")
 }
+ if operation == kyvernov1.Update {
+ policyContext = policyContext.WithOldResource(resource)
+ }
 policyContext = policyContext.
 WithPolicy(policy).
 WithNamespaceLabels(namespaceLabels).
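Review bot: The new `switch` on `resourceValues["request.operation"]` in the first hunk has no `default` branch, so any override other than the exact strings "DELETE" and "UPDATE" (a lowercase or misspelled operation, for instance) silently keeps whatever `operation` was set to before the hunk. Because this CLI is used to check admission policies before rollout, a test can then pass without ever exercising the match/exclude operation it was written for. I would make the unrecognised case visible, for example `default: log.Log.Info("unsupported request.operation override", "value", resourceValues["request.operation"])`, with an explicit case for the values that are meant to keep the initial operation so an absent key stays quiet. makePolicyContext starts and ends outside the hunk, so the initial value of `operation` and the map's value type are not visible here.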
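Review bot: In the second hunk, `policyContext.WithOldResource(resource)` passes what appears to be the same object that is evaluated as the new resource, so for an overridden UPDATE the old and new objects are identical. Matching on operations will work, but any rule that compares `request.oldObject` with `request.object` (an immutability check, for example) can never observe a change in the CLI and will report a pass that the admission controller would not necessarily give. I would at least document this at the call: `// CLI has no previous object: reuse resource as the old one so UPDATE matching works; old/new diffs are not simulated`. The call also sits directly after an error check that logs and does not return, so a failed NewPolicyContext reaches it as well; the function continues outside the hunk.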