From 551c5ff860aa957c6967c4831af45b25a2e23cf1 Mon Sep 17 00:00:00 2001
From: ShutingZhao
Date: Fri, 30 Aug 2024 17:53:40 +0800
Subject: [PATCH] fix: add auth check to the admission controller for generate policies

Signed-off-by: ShutingZhao
---
 pkg/validation/policy/actions.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkg/validation/policy/actions.go b/pkg/validation/policy/actions.go
index 6dba3fb15759..473119296a8b 100644
--- a/pkg/validation/policy/actions.go
+++ b/pkg/validation/policy/actions.go
@@ -8,6 +8,7 @@ import (
 kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 authChecker "github.com/kyverno/kyverno/pkg/auth/checker"
 "github.com/kyverno/kyverno/pkg/clients/dclient"
+ "github.com/kyverno/kyverno/pkg/config"
 "github.com/kyverno/kyverno/pkg/logging"
 "github.com/kyverno/kyverno/pkg/policy/generate"
 "github.com/kyverno/kyverno/pkg/policy/mutate"
@@ -76,6 +77,14 @@ func validateActions(idx int, rule *kyvernov1.Rule, client dclient.Interface, mo
 warnings = append(warnings, w...)
 }
 } else {
+ admissionSA := fmt.Sprintf("system:serviceaccount:%s:%s", config.KyvernoNamespace(), config.KyvernoServiceAccountName())
+ checker = generate.NewGenerateFactory(client, rule.Generation, admissionSA, logging.GlobalLogger())
+ if w, path, err := checker.Validate(context.TODO()); err != nil {
+ return nil, fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
+ } else if warnings != nil {
+ warnings = append(warnings, w...)
+ }
+
 checker = generate.NewGenerateFactory(client, rule.Generation, backgroundSA, logging.GlobalLogger())
 if w, path, err := checker.Validate(context.TODO()); err != nil {
 return nil, fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
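Review bot: In the new admission-SA block, `} else if warnings != nil { warnings = append(warnings, w...) }` discards the warnings returned by `checker.Validate` whenever `warnings` is still nil at that point, so a policy whose only findings come from the admission service-account check is accepted without surfacing them; `append` on a nil slice is fine, so `} else {` is enough (the same guard looks to be repeated for the backgroundSA check that follows, whose else-branch lies outside the hunk). Both checks also return the identical `path: spec.rules[%d].generate.%s.: %v` message, so unless the wrapped error itself names the account, the policy author cannot tell whether it is the admission or the background service account that lacks the permission; consider including the account, e.g. `return nil, fmt.Errorf("path: spec.rules[%d].generate.%s.: %s: %v", idx, path, admissionSA, err)`, or folding the two checks into one `for _, sa := range []string{admissionSA, backgroundSA}` loop so the message and the warning handling cannot drift apart. validateActions starts before this hunk and continues past it.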