chore: add match conditions with variable chainsaw test

tests/e2e/authz-server/allow/chainsaw-test.yaml

@@ -1,7 +1,7 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
-  name: deny
+  name: allow
 spec:
   namespace: app
   steps: 

tests/e2e/authz-server/default/chainsaw-test.yaml

@@ -1,7 +1,7 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
-  name: deny
+  name: default
 spec:
   namespace: app
   steps: 

tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml

@@ -0,0 +1,15 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: no-variables
+spec:
+  steps: 
+  - try:
+    - create:
+        file: ./policy.yaml
+        expect:
+        - check:
+            ($error): |-
+              admission webhook "kyverno-authz-server-validation.kyverno.svc" denied the request: AuthorizationPolicy.envoy.kyverno.io "policy" is invalid: spec.matchConditions[0].expression: Invalid value: "variables.foo": ERROR: <input>:1:10: undefined field 'foo'
+               | variables.foo
+               | .........^

tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml

@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=../../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+spec:
+  matchConditions:
+  - name: check-foo
+    expression: variables.foo
+  variables:
+  - name: foo
+    expression: >
+      true
+  deny:
+  - response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request")
+        .Response()

website/docs/policies/match-conditions.md

@@ -6,7 +6,7 @@ Match conditions are **CEL expressions**. All match conditions must evaluate to
 
 !!!info
 
-    Match conditions have access to the same CEL variables as validation expressions.
+    The policy [variables](./variables.md) will NOT be available in match conditions because they are evaluated before the rest of the policy.
 
 ## Example