From 34af7a930c1e36313c1bea4a730b58c29f345529 Mon Sep 17 00:00:00 2001
From: Vyankatesh Kudtarkar
Date: Thu, 29 Apr 2021 23:44:55 +0530
Subject: [PATCH] Bugfix : Make match.resources.kinds required (#1852)

* Fix Dev setup

* Bugfix : Make match.resources.kinds required

Co-authored-by: vyankatesh
---
 pkg/policy/validate.go | 1 +
 pkg/policy/validate_test.go | 46 +++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index fee82629d9aa..910626b5bb69 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -113,6 +113,7 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 return fmt.Errorf("policy can only deal with the metadata field of the resource if" +
 " the rule does not match an kind")
 }
+ return fmt.Errorf("At least one element must be specified in a kind block. The kind attribute is mandatory when working with the resources element")
 }
 
 // Validate string values in labels
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 7366e7d0b221..6ec93bb7a39d 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
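Review bot: The added `return fmt.Errorf("At least one element ...")` in pkg/policy/validate.go makes the enclosing block fail on every path, so the metadata-only check just above it now only selects which message is returned, and that message ("... if the rule does not match an kind") still reads as if a rule without kinds could be valid. The enclosing condition starts outside the hunk; if it is the empty-`kinds` branch the commit title implies, the inner check could be dropped in favour of a single error. The new message does not name the offending rule and departs from Go error-string style (capitalised, full sentences, `fmt.Errorf` with no verbs); something like `return fmt.Errorf("rule %q: match.resources.kinds must list at least one kind", rule.Name)` would be easier to act on, assuming a `rule` variable is in scope here. Because this tightens validation in an admission controller, it is worth confirming how already-stored policies without `kinds` are handled on upgrade, so that they are reported rather than silently left unenforced.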
@@ -1240,6 +1240,52 @@ func Test_doesMatchExcludeConflict(t *testing.T) {
 }
 }
 
+func Test_Validate_Kind(t *testing.T) {
+ rawPolicy := []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "policy-to-monitor-root-user-access"
+ },
+ "spec": {
+ "validationFailureAction": "audit",
+ "rules": [
+ {
+ "name": "monitor-annotation-for-root-user-access",
+ "match": {
+ "resources": {
+ "selector": {
+ "matchLabels": {
+ "AllowRootUserAccess": "true"
+ }
+ }
+ }
+ },
+ "validate": {
+ "message": "Label provisioner.wg.net/cloudprovider is required",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "provisioner.wg.net/cloudprovider": "*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `)
+
+ var policy *kyverno.ClusterPolicy
+ err := json.Unmarshal(rawPolicy, &policy)
+ assert.NilError(t, err)
+
+ openAPIController, _ := openapi.NewOpenAPIController()
+ err = Validate(policy, nil, true, openAPIController)
+ assert.Assert(t, err != nil)
+}
 func Test_checkAutoGenRules(t *testing.T) {
 testCases := []struct {
 name string
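Review bot: `assert.Assert(t, err != nil)` at the end of Test_Validate_Kind passes for any validation failure, so the test does not show that the policy was rejected because `kinds` is missing. Asserting on the message, e.g. `assert.ErrorContains(t, err, "kind attribute is mandatory")`, would pin the new check. The error from `openapi.NewOpenAPIController()` is discarded with `_`; capturing it and calling `assert.NilError(t, err)` keeps a setup failure from being mistaken for the expected rejection. A companion case in which the same rule lists a kind and is expected to validate cleanly would guard against the check rejecting too much.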