
Enable schema validation for validate policies #1869

Open
realshuting opened this issue May 3, 2021 · 7 comments
Labels
enhancement New feature or request validation Issues pertaining to the validate ability.

Comments

@realshuting
Member

Is your feature request related to a problem? Please describe.
With Kyverno v1.3.6-rc1, the schema validation (of the resource) is only enabled for the mutate policy, not validate.

If I create the mutate policy with the following overlay, Kyverno denies it as it's invalid.

$ k apply -f mutate.yaml
Error from server: error when creating "test.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: ValidationError(io.k8s.api.apps.v1.Deployment.spec.template): unknown field "data" in io.k8s.api.core.v1.PodTemplateSpec

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-root-user
spec:
  background: true
  rules:
  - exclude:
      resources:
        namespaces:
        - test
    match:
      resources:
        kinds:
        - Pod
    name: check-root-user
    mutate:
      patchStrategicMerge:
        data:
          securityContext:
            runAsNonRoot: true

But the following validate policy can be created successfully:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-root-user
spec:
  background: true
  rules:
  - exclude:
      resources:
        namespaces:
        - test
    match:
      resources:
        kinds:
        - Pod
    name: check-root-user
    validate:
      pattern:
        data:
          securityContext:
            runAsNonRoot: true
      message: Root user is not allowed. Set runAsNonRoot to true.
  validationFailureAction: audit

Describe the solution you'd like
The logic is there to check the mutate policy; we just need to extend it for the validate policy.

func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error {
	var kindToRules = make(map[string][]v1.Rule)
	for _, rule := range policy.Spec.Rules {
		if rule.HasMutate() {
			for _, kind := range rule.MatchResources.Kinds {
				kindToRules[kind] = append(kindToRules[kind], rule)
			}
		}
	}
	// ... (remainder of the function not shown in the issue)
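The check this issue asks for, as added example code (not Kyverno's own): walk a validate `pattern`, strip Kyverno anchor syntax (`=(key)`, `+(key)`, `X(key)`, ...) from the keys, and report every field path that the schema does not know, so the issue's `data` pattern is rejected for a Pod just like the mutate overlay was. `Schema`, `PodSchema`, `stripAnchor` and `UnknownFields` are assumed names, and `PodSchema` is a constructed, hand-written stand-in for the cluster's OpenAPI definitions.

```go
package main

import (
	"sort"
	"strings"
)

// Schema is a constructed, tiny stand-in for the Kubernetes OpenAPI schema:
// a tree of known field names (nil marks a scalar leaf). Real Kyverno uses the
// cluster's OpenAPI definitions; this is example code, not Kyverno's own.
type Schema map[string]Schema

// PodSchema covers only the Pod fields this example needs.
var PodSchema = Schema{
	"metadata": {"name": nil, "namespace": nil, "labels": nil},
	"spec": {
		"securityContext": {"runAsNonRoot": nil, "runAsUser": nil},
		"hostNetwork":     nil,
	},
}

// stripAnchor turns Kyverno anchor keys such as "=(securityContext)" or
// "+(runAsNonRoot)" into the bare field name that must exist in the schema.
func stripAnchor(key string) string {
	if i := strings.Index(key, "("); i >= 0 && strings.HasSuffix(key, ")") {
		return key[i+1 : len(key)-1]
	}
	return key
}

// UnknownFields walks a validate pattern and returns the dotted paths of fields
// the schema does not know (sorted for deterministic output). A nested object
// under a scalar leaf is reported too, because its keys match nothing.
func UnknownFields(pattern map[string]interface{}, schema Schema, prefix string) []string {
	var unknown []string
	for key, value := range pattern {
		name := stripAnchor(key)
		path := strings.TrimPrefix(prefix+"."+name, ".")
		child, known := schema[name]
		if !known {
			unknown = append(unknown, path)
			continue
		}
		if nested, ok := value.(map[string]interface{}); ok {
			unknown = append(unknown, UnknownFields(nested, child, path)...)
		}
	}
	sort.Strings(unknown)
	return unknown
}
```

For the issue's validate pattern (`data.securityContext.runAsNonRoot`) the result is `[data]`; the same pattern rooted at `spec` returns nothing.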

@anishagg17

Hi @realshuting, I would like to work on this one.

@chipzoller
Member

See also relevant comment here.

@anishagg17

> See also relevant comment here.

Alright, I got your point that we need to adapt validation according to the case. I will consider all those points within the PR (if applicable) and you can then look up if there's something missing.

@realshuting
Member Author

An update about the issue - after v1.3.6-rc3, this schema validation for strategicMergePatch is temporarily missing, as we reverted one change #1898 due to #1896. That means such invalid strategicMergePatch policies won't be blocked during creation. But this has nothing to do with validation policy.

@chipzoller
Member

@anishagg17 are you still working on this issue?

@harshitasao

Hi @realshuting, I would like to work on this issue. Could you please provide some pointers or resources to start with?

@realshuting
Member Author

@harshitasao - did you check the issue description #1869 (comment)?
Is anything unclear to you?
