kyverno: [Bug] blocking whole apiGroup not possible
Kyverno Version
1.9.3
Kubernetes Version
1.26.x
Kubernetes Platform
OpenShift
Kyverno Rule Type
Validate
Description
I am trying to block API requests for an entire API group. However, wildcarding the kind is not supported in the <apiGroup>/<version>/<kind> format (e.g. myapigroup.io/*/*). As soon as a “*” is used for the kind, there is no entry for this policy in the ValidatingWebhookConfiguration of kyverno.
If a non-existing kind is used for the selected API group and API version, no entry is created in the ValidatingWebhookConfiguration. Therefore I assume that kyverno checks which kinds are present on the cluster and enters only existing ones in the ValidatingWebhookConfiguration.
I also tried to create a ValidatingWebhookConfiguration which uses “*” for resources (kinds) myself, and it looks like Kubernetes does support this.
Steps to reproduce
Create ClusterPolicy:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: forbid-api-groups
spec:
  validationFailureAction: enforce
  background: false
  failurePolicy: Fail
  rules:
    - match:
        any:
          - resources:
              kinds:
                - apps.openshift.io/*/*
                - image.openshift.io/*/*
                - build.openshift.io/*/*
      name: check-for-forbidden-api-groups
      validate:
        deny: {}
        message: "{{request.operation}} of {{request.kind.group}}/{{request.kind.version}}/{{request.kind.kind}} is not allowed."
```
Expected behavior
The corresponding ValidatingWebhookConfiguration object for kyverno should contain something like:
```yaml
rules:
  - operations:
      - CREATE
      - UPDATE
    apiGroups:
      - apps.openshift.io
      - image.openshift.io
      - build.openshift.io
    apiVersions:
      - '*'
    resources:
      - '*'
    scope: '*'
```
Screenshots
No response
Kyverno logs
No response
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
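As an added illustration (hypothetical helper code, not Kyverno's own), the following derives the webhook rule a policy's match kinds should produce and checks whether a ValidatingWebhookConfiguration rule set covers a given request, which is how an operator can audit for the gap reported above (a wildcard kind yielding no webhook entry at all). It assumes Kyverno's `<group>/<version>/<kind>` selector form; real resource names come from API discovery, so a non-wildcard kind is left as a labelled placeholder.

```python
# Constructed sample: the rule the issue's policy should produce (taken from the
# "Expected behavior" section). An empty rule list stands in for the reported
# 1.9.3 behaviour, where wildcard kinds produced no webhook entry at all.
EXPECTED_RULE = {
    "operations": ["CREATE", "UPDATE"],
    "apiGroups": ["apps.openshift.io", "image.openshift.io", "build.openshift.io"],
    "apiVersions": ["*"],
    "resources": ["*"],
    "scope": "*",
}

def parse_kind(selector):
    """Split a Kyverno <group>/<version>/<kind> selector into (group, version, kind)."""
    parts = selector.split("/")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:          # <group>/<kind>: version unspecified
        return parts[0], "*", parts[1]
    return "", "*", parts[0]     # bare kind: core ("") group, any version

def expected_rule(selectors, operations=("CREATE", "UPDATE")):
    """Derive the webhook rule a policy's match.kinds should generate.
    A wildcard kind maps to resource '*'; other kinds would need API discovery
    to resolve to a resource name, so they are kept as a visible placeholder."""
    rule = {"operations": list(operations), "apiGroups": [], "apiVersions": [],
            "resources": [], "scope": "*"}
    for sel in selectors:
        group, version, kind = parse_kind(sel)
        resource = "*" if kind == "*" else f"<unresolved-resource-for:{kind}>"
        for key, val in (("apiGroups", group), ("apiVersions", version),
                         ("resources", resource)):
            if val not in rule[key]:
                rule[key].append(val)
    return rule

def rule_covers(rule, group, version, resource, operation):
    """Kubernetes webhook rule semantics: each list is an OR, '*' matches
    anything, and groups, versions, resources and operations must all match."""
    def hit(values, item):
        return any(v == "*" or v == item for v in values)
    return (hit(rule["operations"], operation) and hit(rule["apiGroups"], group)
            and hit(rule["apiVersions"], version) and hit(rule["resources"], resource))

def webhook_covers(rules, group, version, resource, operation):
    """True if any rule of a webhook would send this request to Kyverno."""
    return any(rule_covers(r, group, version, resource, operation) for r in rules)
```

Running `webhook_covers` against the rules actually present in the cluster's kyverno webhook (e.g. from `kubectl get validatingwebhookconfigurations -o yaml`) shows directly whether a blocked API group is reachable by the policy or silently unguarded.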
About this issue
- Original URL
- State: closed
- Created 10 months ago
- Comments: 16 (11 by maintainers)
https://github.com/kyverno/website/issues/968
@burkhat can we close the issue? You can reopen it if it doesn’t work in 1.10.
Thanks for this information, we will update to 1.10.3 and try it. Thanks for your help!
I think this is supported since 1.10 (we changed the way we lookup kinds in 1.10)