[Bug] Autogen for Pod validation policies creates rules that match non-Kubernetes resources
Kyverno Version
1.15.0
Description
Kyverno Version 1.15.2 (chart 3.5.2)
Kubernetes Version v1.32.x
The auto-generated rules for Pod Controllers in response to plain Pod validation policies are too broad, such that they match resource kinds from CRDs that share the same name as a Pod Controller, e.g. Job.
For example, in our cluster we have:
apiVersion: compute.databricks.crossplane.io/v1alpha1
kind: Job
When defining a Pod policy that triggers auto-generation, such as restrict-image-registries, the auto-generated rules for the ClusterPolicy look like:
status:
  autogen:
    rules:
    - match:
        any:
        - resources:
            kinds:
            - DaemonSet
            - Deployment
            - Job
            - ReplicaSet
            - ReplicationController
            - StatefulSet
            # (and CronJob further down)
Since compute.databricks.crossplane.io also defines a Job resource kind, the autogen rules match, causing policy violation reports on the CRD resource:
policy restrict-image-registries/autogen-validate-registries fail: validation error: Unknown image registry. rule autogen-validate-registries failed at path /spec/template/
Workaround
Adding a precondition to the policy rules works, because the preconditions also get copied into the autogen rules:
preconditions:
  any:
  - key: "{{ to_string(request.object.apiVersion) }}"
    operator: AnyIn
    value: ['v1', 'apps/v1', 'batch/v1']
This ensures that only built-in Kubernetes Pod Controllers match the autogen rules, and CRD kinds with the same name are ignored. Someone mentioned exclude as another workaround, but this didn't work for us as the exclude rules did not get copied into the autogen rules.
Impacts
- Having to modify policies to restrict the scope of auto-generated rules makes it tedious and error-prone to stay up to date with the best-practice policies developed and tested in the Kyverno policies repo
- The workaround depends on autogen precondition copying behavior not changing in the future
Suggested fix
Auto-generated rules should use fully-qualified GVKs in the match resource kinds, so that only built-in Kubernetes resources are matched.
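To show where the workaround from the Workaround section actually sits in a policy, here is a complete ClusterPolicy in the shape of restrict-image-registries with the precondition added to the Pod rule. This is an added example for this issue, not a policy from the Kyverno policies repo or from the reporter's cluster: the rule name, the validation message, the Audit failure action and the registry.example.com allow-list are assumptions chosen to match the report output quoted above.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  rules:
  - name: validate-registries
    match:
      any:
      - resources:
          kinds:
          - Pod
    # Workaround described in this issue: preconditions are copied into
    # every autogen rule, so the generated Deployment/Job/CronJob/... rules
    # only evaluate core, apps and batch resources. A CRD whose kind is also
    # called Job (e.g. compute.databricks.crossplane.io/v1alpha1) is skipped
    # because its apiVersion is not in the list.
    preconditions:
      any:
      - key: "{{ to_string(request.object.apiVersion) }}"
        operator: AnyIn
        value: ['v1', 'apps/v1', 'batch/v1']
    validate:
      failureAction: Audit
      message: "Unknown image registry."
      # Constructed allow-list; registry.example.com is a placeholder, not a
      # value from the issue. Autogen rewrites this pattern under
      # spec.template.spec (and spec.jobTemplate.spec.template.spec for
      # CronJob) for each generated controller rule.
      pattern:
        spec:
          =(initContainers):
          - image: "registry.example.com/*"
          containers:
          - image: "registry.example.com/*"
```

Two practical notes. First, the disambiguation the suggested fix asks autogen to emit can already be written by hand in a rule you author yourself, because Kyverno accepts Group/Version/Kind entries in match.resources.kinds (for example batch/v1/Job or apps/v1/Deployment); that does not help with the generated rules, which is the point of this issue. Second, kubectl api-resources --no-headers | awk '$NF == "Job"' lists every API group that registers a kind named Job, which is the quickest way to check whether a given cluster is exposed to this name collision before rolling the policy out.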
Related issues
- Closed as not planned: #11675 (closed)
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.