[BUG] Generate policies with no Namespace field #2333

Closed
chipzoller opened this issue Aug 28, 2021 · 1 comment · Fixed by #2484

chipzoller commented Aug 28, 2021

Software version numbers
State the version numbers of applications involved in the bug.

  • Kubernetes version: 1.21
  • Kubernetes platform (if applicable; ex., EKS, GKE, OpenShift): K3d
  • Kyverno version: 1.4.2

Describe the bug
A generate policy which generates a Namespaced resource is allowed to be created without containing the namespace field. This leads to a failure of the generation and a logged message which is misleading:

E0828 14:01:18.272095       1 generate.go:237] GenerateController "msg"="failed to apply generate rule" "error"="the server does not allow this method on the requested resource" "apiVersion"="v1" "kind"="Service" "name"="lbtest" "namespace"="default" "policy"="demo-ownerref" "resource"="lbtest" "rule"="demo-ownerref-svc-cm" "suggestion"="users need to grant Kyverno's service account additional privileges"

To Reproduce
Steps to reproduce the behavior:

  1. Create the policy referenced here but delete or comment out the namespace field.
  2. Create a Service resource perhaps as referenced here.
  3. See Kyverno does not generate the downstream ConfigMap.
  4. See error in logs as shown above.
  5. See a failed GenerateRequest.

Expected behavior
Kyverno needs to do either or both of two things:

  1. Validate the generate policy and see that the generated kind is Namespaced but it does not contain the namespace field. Reject the policy as invalid and print a message back to stdout which explains this.
  2. Print an accurate message in the logs and corresponding GenerateRequest that the proposed generated resource requires a namespace reference in order to be successfully generated.

Additional context
The suggestion potentially sends users on a wild goose chase as it does not point to the cause of the problem.

@chipzoller added the labels "bug" (Something isn't working) and "generation" (Issues pertaining to the generate ability.) on Aug 28, 2021
@realshuting added this to the Kyverno Release 1.5.0 milestone on Aug 31, 2021
yogeek commented Sep 20, 2021

I had the same kind of issue but in a reversed way:
I created a policy to generate a non-namespaced resource, but forgot to remove the namespace (coming from another policy copy/paste).
And when Kyverno tried to generate it:

kyverno-7d97cd77f6-dzlzj kyverno E0920 16:31:18.976962       1 generate.go:237] GenerateController "msg"="failed to apply generate rule" "error"="the server could not find the requested resource" "apiVersion"="v1" "kind"="Namespace" "name"="demo-ns" "namespace"="" "policy"="ns-rolebinding" "resource"="demo-ns" "rule"="ns-rbac-definition" "suggestion"="users need to grant Kyverno's service account additional privileges"

This is not very easy to debug, I spent all day on this...
So I agree with @chipzoller for the pre-validation to explain that the generated resource is or is not namespaced and so that the clusterpolicy generate section must or must not mention the namespace.

I do not know if I must open a new issue for this as it is quite similar...
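
The pre-validation both comments ask for, as an added example that is not part of the issue thread and is not Kyverno's code or the fix merged in #2484. It covers both directions reported above and assumes a hard-coded scope table in place of API discovery; `CheckGenerateScope`, `namespacedKinds`, the sample policy and the rule name `constructed-reverse` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed stand-in for API discovery, which reports whether each kind is namespaced.
var namespacedKinds = map[string]bool{"ConfigMap": true, "Service": true, "Namespace": false, "ClusterRole": false}
// policy models only the ClusterPolicy fields this check reads (JSON keys match case-insensitively).
type policy struct {
	Spec struct {
		Rules []struct {
			Name     string
			Generate struct{ Kind, Namespace string }
		}
	}
}

// CheckGenerateScope returns one message per generate rule whose namespace field disagrees with its kind's scope.
func CheckGenerateScope(doc []byte) ([]string, error) {
	var p policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	var problems []string
	for _, r := range p.Spec.Rules {
		g := r.Generate
		namespaced, known := namespacedKinds[g.Kind]
		switch {
		case g.Kind == "": // not a generate rule, nothing to check
		case !known:
			problems = append(problems, fmt.Sprintf("rule %q: unknown kind %s, scope cannot be checked", r.Name, g.Kind))
		case namespaced && g.Namespace == "":
			problems = append(problems, fmt.Sprintf("rule %q: %s is namespaced, generate.namespace is required", r.Name, g.Kind))
		case !namespaced && g.Namespace != "":
			problems = append(problems, fmt.Sprintf("rule %q: %s is cluster-scoped, generate.namespace must be omitted", r.Name, g.Kind))
		}
	}
	return problems, nil
}
// samplePolicy is constructed; its first rule mirrors the report (ConfigMap generated with no namespace).
const samplePolicy = `{"spec":{"rules":[
 {"name":"demo-ownerref-svc-cm","generate":{"kind":"ConfigMap","name":"cm"}},
 {"name":"constructed-reverse","generate":{"kind":"ClusterRole","name":"cr","namespace":"default"}}]}}`

func main() {
	fmt.Println(CheckGenerateScope([]byte(samplePolicy)))
}
```

Run at policy admission, a check of this shape rejects the policy with a message naming the rule and the scope mismatch, instead of the failure surfacing later in the generate controller log.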
