cherry-pick kyverno#7800 (kyverno#7819)

Signed-off-by: ShutingZhao <[email protected]>

api/kyverno/v1/common_types.go

@@ -590,9 +590,17 @@ func (g *Generation) Validate(path *field.Path, namespaced bool, policyNamespace
 		if err := g.validateTargetsScope(clusterResources, policyNamespace); err != nil {
 			errs = append(errs, field.Forbidden(path.Child("generate").Child("namespace"), fmt.Sprintf("target resource scope mismatched: %v ", err)))
 		}
-	} else {
-		if g.GetNamespace() == "" && g.CloneList.Namespace == "" {
-			errs = append(errs, field.Forbidden(path.Child("generate"), "target namespace must be set in a clusterpolicy"))
+	}
+
+	if g.GetKind() != "" {
+		if !clusterResources.Has(g.GetAPIVersion() + "/" + g.GetKind()) {
+			if g.GetNamespace() == "" {
+				errs = append(errs, field.Forbidden(path.Child("generate").Child("namespace"), "target namespace must be set for a namespaced resource"))
+			}
+		} else {
+			if g.GetNamespace() != "" {
+				errs = append(errs, field.Forbidden(path.Child("generate").Child("namespace"), "target namespace must not be set for a cluster-wide resource"))
+			}
 		}
 	}
 

test/conformance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/01-update-clusterrole.yaml

@@ -18,6 +18,15 @@ rules:
   - update
   - delete
   - get
+- apiGroups:
+  - "kyverno.io"
+  resources:
+  - clustercleanuppolicies
+  verbs:
+  - create
+  - update
+  - delete
+  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

test/conformance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/02-check.yaml

@@ -1,9 +1,13 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 apply:
-- file: policy-namespaced-target.yaml
+- file: policy-fail-1-no-ns-namespaced-target.yaml
   shouldFail: true
-- file: policy-cluster-target.yaml
+- file: policy-fail-2-ns-cluster-target.yaml
+  shouldFail: true
+- file: policy-pass-1-ns-namespaced-target.yaml
+  shouldFail: false
+- file: policy-pass-2-no-ns-cluster-target.yaml
   shouldFail: false
-- file: policy-pass.yaml
+- file: policy-pass-3.yaml
   shouldFail: false

test/conformance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/README.md

@@ -10,4 +10,5 @@ The test fails if the policy creation is allowed, otherwise passes.
 ## Reference Issue(s)
 
 https://github.com/kyverno/kyverno/issues/7038
-https://github.com/kyverno/kyverno/issues/7470
+https://github.com/kyverno/kyverno/issues/7470
+https://github.com/kyverno/kyverno/issues/7750

test/conformance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/policy-pass.yaml → test/conformance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml

@@ -26,34 +26,4 @@ spec:
                 - Namespace
               names:
                 - dev-*
-      name: role-per-namespace
----
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: user-per-namespace-pass-2
-spec:
-  generateExistingOnPolicyUpdate: true
-  rules:
-    - generate:
-        apiVersion: rbac.authorization.k8s.io/v1
-        data:
-          rules:
-            - verbs:
-                - "*"
-              apiGroups:
-                - "*"
-              resources:
-                - "*"
-        kind: Role
-        name: superuser
-        namespace: "{{request.object.metadata.name}}"
-        synchronize: true
-      match:
-        any:
-          - resources:
-              kinds:
-                - Namespace
-              names:
-                - dev-*
       name: role-per-namespace

test/conformance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml

@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: user-per-namespace-pass-2
+spec:
+  generateExistingOnPolicyUpdate: true
+  rules:
+    - generate:
+        apiVersion: rbac.authorization.k8s.io/v1
+        data:
+          rules:
+            - verbs:
+                - "*"
+              apiGroups:
+                - "*"
+              resources:
+                - "*"
+        kind: Role
+        name: superuser
+        namespace: "{{request.object.metadata.name}}"
+        synchronize: true
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+              names:
+                - dev-*
+      name: role-per-namespace

test/conformance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: target-namespace-scope-pass-1
+spec:
+  generateExistingOnPolicyUpdate: true
+  rules:
+    - generate:
+        apiVersion: iam.aws.crossplane.io/v1beta1
+        data:
+          rules:
+            - verbs:
+                - "*"
+              apiGroups:
+                - "*"
+              resources:
+                - "*"
+        kind: Role
+        name: superuser
+        synchronize: true
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+              names:
+                - dev-*
+      name: role-per-namespace

test/conformance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml

@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: expiration-for-policyexceptions
+  annotations:
+    policies.kyverno.io/title: Expiration for PolicyExceptions
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: PolicyException
+    kyverno.io/kyverno-version: 1.9.0
+    policies.kyverno.io/minversion: 1.9.0
+    kyverno.io/kubernetes-version: "1.24"
+    policies.kyverno.io/description: >-
+      In situations where Ops/Platform teams want to allow exceptions on a
+      temporary basis, there must be a way to remove the PolicyException once the
+      expiration time has been reached. After the exception is removed, the rule(s)
+      for which the exception is granted go back into full effect. This policy generates
+      a ClusterCleanupPolicy with a four hour expiration time after which the PolicyException
+      is deleted. It may be necessary to grant both the Kyverno as well as cleanup controller
+      ServiceAccounts additional permissions to operate this policy.
+spec:
+  rules:
+  - name: expire-four-hours
+    match:
+      any:
+      - resources:
+          kinds:
+          - PolicyException
+    generate:
+      apiVersion: kyverno.io/v2alpha1
+      kind: ClusterCleanupPolicy
+      name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }}
+      synchronize: false
+      data:
+        metadata:
+          labels:
+            kyverno.io/automated: "true"
+        spec:
+          schedule: "{{ time_add('{{ time_now_utc() }}','4h') | time_to_cron(@) }}"
+          match:
+            any:
+            - resources:
+                kinds:
+                  - PolicyException
+                namespaces:
+                - "{{ request.namespace }}"
+                names:
+                - "{{ request.object.metadata.name }}"