issue-5100:added logic to check nsPolicies

api/kyverno/v1beta1/constants.go

@@ -14,4 +14,8 @@ const (
 	URGenerateResourceNSLabel      = "generate.kyverno.io/resource-namespace"
 	URGenerateResourceKindLabel    = "generate.kyverno.io/resource-kind"
 	URGenerateRetryCountAnnotation = "generate.kyverno.io/retry-count"
+	URGenerateClonePolicyKindLabel = "generate.kyverno.io/clone-policy-kind"
+
+	PolicyKindNamespace = "Namespace"
+	PolicyKindCluster   = "Cluster"
 )

go.mod

@@ -69,6 +69,7 @@ require (
 	k8s.io/klog/v2 v2.80.1
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
 	k8s.io/pod-security-admission v0.25.2
+	k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85
 	sigs.k8s.io/controller-runtime v0.13.0
 	sigs.k8s.io/kustomize/api v0.12.1
 	sigs.k8s.io/kustomize/kyaml v0.13.9
@@ -361,7 +362,6 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	k8s.io/component-base v0.25.2 // indirect
 	k8s.io/kubectl v0.25.2 // indirect
-	k8s.io/utils v0.0.0-20221012122500-cfd413dd9e85 // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/release-utils v0.7.3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect

pkg/background/generate/generate.go

@@ -278,10 +278,8 @@ func (c *GenerateController) getPolicySpec(ur kyvernov1beta1.UpdateRequest) (kyv
 		return policy, err
 	}
 	return kyvernov1.ClusterPolicy{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: pName,
-		},
-		Spec: npolicyObj.Spec,
+		ObjectMeta: npolicyObj.ObjectMeta,
+		Spec:       npolicyObj.Spec,
 	}, nil
 }
 
@@ -493,6 +491,12 @@ func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, r
 		}
 
 		label["policy.kyverno.io/policy-name"] = policy.GetName()
+		if policy.IsNamespaced() {
+			label["policy.kyverno.io/policy-kind"] = kyvernov1beta1.PolicyKindNamespace
+		} else {
+			label["policy.kyverno.io/policy-kind"] = kyvernov1beta1.PolicyKindCluster
+		}
+
 		label["policy.kyverno.io/gr-name"] = ur.Name
 		if rdata.Action == Create {
 			if rule.Generation.Synchronize {

pkg/common/common.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
@@ -136,7 +137,7 @@ func removePolicyFromLabels(pName string, labels map[string]string) (bool, map[s
 		if strings.Contains(policyNames, pName) {
 			desiredLabels := make(map[string]string, len(labels)-1)
 			for k, v := range labels {
-				if k != "generate.kyverno.io/clone-policy-name" {
+				if k != "generate.kyverno.io/clone-policy-name" && k != kyvernov1beta1.URGenerateClonePolicyKindLabel {
 					desiredLabels[k] = v
 				}
 			}

pkg/webhooks/resource/generation/generation.go

@@ -137,6 +137,7 @@ func (h *generationHandler) HandleUpdatesForGenerateRules(request *admissionv1.A
 	resource, err := enginutils.ConvertToUnstructured(request.OldObject.Raw)
 	if err != nil {
 		h.log.Error(err, "failed to convert object resource to unstructured format")
+		return
 	}
 
 	resLabels := resource.GetLabels()
@@ -185,13 +186,24 @@ func (h *generationHandler) handleUpdateGenerateTargetResource(request *admissio
 	newRes, err := enginutils.ConvertToUnstructured(request.Object.Raw)
 	if err != nil {
 		h.log.Error(err, "failed to convert object resource to unstructured format")
+		return
 	}
-
+	policyKind := kyvernov1beta1.PolicyKindCluster
 	policyName := resLabels["policy.kyverno.io/policy-name"]
+
+	if resLabels["policy.kyverno.io/policy-kind"] == kyvernov1beta1.PolicyKindNamespace {
+		policyKind = kyvernov1beta1.PolicyKindNamespace
+	}
+
 	targetSourceName := newRes.GetName()
 	targetSourceKind := newRes.GetKind()
+	var policy kyvernov1.PolicyInterface
+	if policyKind == kyvernov1beta1.PolicyKindCluster {
+		policy, err = h.kyvernoClient.KyvernoV1().ClusterPolicies().Get(context.TODO(), policyName, metav1.GetOptions{})
+	} else {
+		policy, err = h.kyvernoClient.KyvernoV1().Policies(newRes.GetNamespace()).Get(context.TODO(), policyName, metav1.GetOptions{})
+	}
 
-	policy, err := h.kyvernoClient.KyvernoV1().ClusterPolicies().Get(context.TODO(), policyName, metav1.GetOptions{})
 	if err != nil {
 		h.log.Error(err, "failed to get policy from kyverno client.", "policy name", policyName)
 		return
@@ -202,6 +214,7 @@ func (h *generationHandler) handleUpdateGenerateTargetResource(request *admissio
 			updatedRule, err := getGeneratedByResource(newRes, resLabels, h.client, rule, h.log)
 			if err != nil {
 				h.log.V(4).Info("skipping generate policy and resource pattern validaton", "error", err)
+				continue
 			} else {
 				data := updatedRule.Generation.DeepCopy().GetData()
 				if data != nil {