Bugfix : Make match.resources.kinds required

pkg/policy/validate.go

@@ -113,6 +113,7 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 				return fmt.Errorf("policy can only deal with the metadata field of the resource if" +
 					" the rule does not match an kind")
 			}
+			return fmt.Errorf("At least one element must be specified in a kind block. The kind attribute is mandatory when working with the resources element")
 		}
 
 		// Validate string values in labels

pkg/policy/validate_test.go

@@ -1240,6 +1240,52 @@ func Test_doesMatchExcludeConflict(t *testing.T) {
 	}
 }
 
+func Test_Validate_Kind(t *testing.T) {
+	rawPolicy := []byte(`
+	{
+		"apiVersion": "kyverno.io/v1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		  "name": "policy-to-monitor-root-user-access"
+		},
+		"spec": {
+		  "validationFailureAction": "audit",
+		  "rules": [
+			{
+			  "name": "monitor-annotation-for-root-user-access",
+			  "match": {
+				"resources": {
+				  "selector": {
+					"matchLabels": {
+					  "AllowRootUserAccess": "true"
+					}
+				  }
+				}
+			  },
+			  "validate": {
+				"message": "Label provisioner.wg.net/cloudprovider is required",
+				"pattern": {
+				  "metadata": {
+					"labels": {
+					  "provisioner.wg.net/cloudprovider": "*"
+					}
+				  }
+				}
+			  }
+			}
+		  ]
+		}
+	  }
+	`)
+
+	var policy *kyverno.ClusterPolicy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	openAPIController, _ := openapi.NewOpenAPIController()
+	err = Validate(policy, nil, true, openAPIController)
+	assert.Assert(t, err != nil)
+}
 func Test_checkAutoGenRules(t *testing.T) {
 	testCases := []struct {
 		name           string