[BUG] Evaluate userInfo with match & exclude filters

[shivdudhani]

As userInfo is defined under match and exclude it makes sense to evaluate all the conditions together.

Currently, they are independent checks
https://github.com/nirmata/kyverno/blob/4d2bea3c0de47d9c57d2c0b729e71f2ad16df8ca/pkg/engine/mutation.go#L57-L67

Needs to be updated for 'Mutation, 'Validation & 'Generation`. The conditions need to be evaluated together.

[JimBugwadia]

The intention is that the UserInfo and other elements of the Match / Exclude are processed as a logical AND.

[JimBugwadia]

This relates to: https://github.com/nirmata/kyverno/issues/634

[shravanshetty1]

What needs to be done is clear, however why it needs to be done is unclear @shivdudhani @JimBugwadia

[shravanshetty1]

Since i am unclear on why these changes are required, i would like these changes to be reviewed before i test them .etc. https://github.com/nirmata/kyverno/pull/662

[realshuting]

@shravanshetty1 As long as MatchAdmissionInfo and MatchesResourceDescription are processed as a logical AND, I think it's ok to keep them separate.

For PR #662, I'm not sure if we want to move match/exclude filters out of the engine. The intent for the engine is to take any policy and the resource context(including userInfo and such), then apply the policy to the resource. The engine is also used in CLI, if we move that logic out of the engine, we'll have to add the filter checks in the CLI as well, before we pass to the engine.

[shravanshetty1]

@realshuting I updated the PR with new understanding of the issue, kindly check