Merge pull request #133575 from aerosouund/fix-nil-selectors

[BUG] [Selectors]: Return an error in case nil selectors are passed to the matcher functions

staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/generic/policy_matcher.go

@@ -45,6 +45,8 @@ type PolicyMatcher interface {
 	GetNamespace(name string) (*corev1.Namespace, error)
 }
 
+var errNilSelector = "a nil %s selector was passed, please ensure selectors are initialized properly"
+
 type matcher struct {
 	Matcher *matching.Matcher
 }
@@ -66,6 +68,13 @@ func (c *matcher) DefinitionMatches(a admission.Attributes, o admission.ObjectIn
 	if constraints == nil {
 		return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf("policy contained no match constraints, a required field")
 	}
+	if constraints.NamespaceSelector == nil {
+		return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf(errNilSelector, "namespace")
+	}
+	if constraints.ObjectSelector == nil {
+		return false, schema.GroupVersionResource{}, schema.GroupVersionKind{}, fmt.Errorf(errNilSelector, "object")
+	}
+
 	criteria := matchCriteria{constraints: constraints}
 	return c.Matcher.Matches(a, o, &criteria)
 }
@@ -76,6 +85,12 @@ func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInter
 	if matchResources == nil {
 		return true, nil
 	}
+	if matchResources.NamespaceSelector == nil {
+		return false, fmt.Errorf(errNilSelector, "namespace")
+	}
+	if matchResources.ObjectSelector == nil {
+		return false, fmt.Errorf(errNilSelector, "object")
+	}
 
 	criteria := matchCriteria{constraints: matchResources}
 	isMatch, _, _, err := c.Matcher.Matches(a, o, &criteria)