initial commit, remove kubeclient from policy engine

main.go

@@ -8,7 +8,6 @@ import (
 	policyclientset "github.com/nirmata/kube-policy/pkg/client/clientset/versioned"
 	informers "github.com/nirmata/kube-policy/pkg/client/informers/externalversions"
 	controller "github.com/nirmata/kube-policy/pkg/controller"
-	engine "github.com/nirmata/kube-policy/pkg/engine"
 	event "github.com/nirmata/kube-policy/pkg/event"
 	violation "github.com/nirmata/kube-policy/pkg/violation"
 	"github.com/nirmata/kube-policy/pkg/webhooks"
@@ -43,11 +42,9 @@ func main() {
 
 	eventController := event.NewEventController(kubeclient, policyInformer.Lister(), nil)
 	violationBuilder := violation.NewPolicyViolationBuilder(kubeclient, policyInformer.Lister(), policyClientset, eventController, nil)
-	policyEngine := engine.NewPolicyEngine(kubeclient, nil)
 
 	policyController := controller.NewPolicyController(policyClientset,
 		policyInformer,
-		policyEngine,
 		violationBuilder,
 		eventController,
 		nil,

pkg/controller/controller.go

@@ -10,7 +10,6 @@ import (
 	policyclientset "github.com/nirmata/kube-policy/pkg/client/clientset/versioned"
 	infomertypes "github.com/nirmata/kube-policy/pkg/client/informers/externalversions/policy/v1alpha1"
 	lister "github.com/nirmata/kube-policy/pkg/client/listers/policy/v1alpha1"
-	engine "github.com/nirmata/kube-policy/pkg/engine"
 	event "github.com/nirmata/kube-policy/pkg/event"
 	violation "github.com/nirmata/kube-policy/pkg/violation"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -27,7 +26,6 @@ type PolicyController struct {
 	policyLister     lister.PolicyLister
 	policyInterface  policyclientset.Interface
 	policySynced     cache.InformerSynced
-	policyEngine     engine.PolicyEngine
 	violationBuilder violation.Generator
 	eventBuilder     event.Generator
 	logger           *log.Logger
@@ -37,7 +35,6 @@ type PolicyController struct {
 // NewPolicyController from cmd args
 func NewPolicyController(policyInterface policyclientset.Interface,
 	policyInformer infomertypes.PolicyInformer,
-	policyEngine engine.PolicyEngine,
 	violationBuilder violation.Generator,
 	eventController event.Generator,
 	logger *log.Logger,
@@ -48,7 +45,6 @@ func NewPolicyController(policyInterface policyclientset.Interface,
 		policyLister:     policyInformer.Lister(),
 		policyInterface:  policyInterface,
 		policySynced:     policyInformer.Informer().HasSynced,
-		policyEngine:     policyEngine,
 		violationBuilder: violationBuilder,
 		eventBuilder:     eventController,
 		logger:           logger,

pkg/controller/processPolicy.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
+	engine "github.com/nirmata/kube-policy/pkg/engine"
 	"github.com/nirmata/kube-policy/pkg/engine/mutation"
 	event "github.com/nirmata/kube-policy/pkg/event"
 	violation "github.com/nirmata/kube-policy/pkg/violation"
@@ -57,7 +58,7 @@ func (pc *PolicyController) processPolicy(policy types.Policy) (
 				continue
 			}
 
-			violation, eventInfos, err := pc.policyEngine.ProcessExisting(policy, rawResource)
+			violation, eventInfos, err := engine.ProcessExisting(policy, rawResource)
 			if err != nil {
 				pc.logger.Printf("Failed to process rule %s, err: %v\n", rule.Name, err)
 				continue

pkg/engine/engine.go

@@ -1,105 +1,97 @@
 package engine
 
 import (
-	"fmt"
-	"log"
-
-	kubeClient "github.com/nirmata/kube-policy/kubeclient"
 	types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
-	"github.com/nirmata/kube-policy/pkg/engine/mutation"
-	event "github.com/nirmata/kube-policy/pkg/event"
-	violation "github.com/nirmata/kube-policy/pkg/violation"
+	"github.com/nirmata/kube-policy/pkg/event"
+	"github.com/nirmata/kube-policy/pkg/violation"
 )
 
-type PolicyEngine interface {
-	// ProcessMutation should be called from admission contoller
-	// when there is an creation / update of the resource
-	// ProcessMutation(policy types.Policy, rawResource []byte) (patchBytes []byte, events []Events, err error)
-	Mutate(policy types.Policy, rawResource []byte) []mutation.PatchBytes
+// As the logic to process the policies in stateless, we do not need to define struct and implement behaviors for it
+// Instead we expose them as standalone functions passing the logger and the required atrributes
+// The each function returns the changes that need to be applied on the resource
+// the caller is responsible to apply the changes to the resource
 
-	// ProcessValidation should be called from admission contoller
-	// when there is an creation / update of the resource
-	Validate(policy types.Policy, rawResource []byte)
-
-	// ProcessExisting should be called from policy controller
-	// when there is an create / update of the policy
-	// we should process the policy on matched resources, generate violations accordingly
-	// TODO: This method should not be in PolicyEngine. Validate will do this work instead
-	ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error)
-
-	// TODO: Add Generate method
-	// Generate()
+func ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error) {
+	return nil, nil, nil
 }
 
-type policyEngine struct {
-	kubeClient *kubeClient.KubeClient
-	logger     *log.Logger
-}
+// type PolicyEngine interface {
+// 	// ProcessMutation should be called from admission contoller
+// 	// when there is an creation / update of the resource
+// 	// ProcessMutation(policy types.Policy, rawResource []byte) (patchBytes []byte, events []Events, err error)
+// 	Mutate(policy types.Policy, rawResource []byte) []mutation.PatchBytes
 
-func NewPolicyEngine(kubeClient *kubeClient.KubeClient, logger *log.Logger) PolicyEngine {
-	return &policyEngine{
-		kubeClient: kubeClient,
-		logger:     logger,
-	}
-}
+// 	// ProcessValidation should be called from admission contoller
+// 	// when there is an creation / update of the resource
+// 	Validate(policy types.Policy, rawResource []byte)
 
-func (p *policyEngine) ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error) {
-	var violations []violation.Info
-	var events []event.Info
+// 	// ProcessExisting should be called from policy controller
+// 	// when there is an create / update of the policy
+// 	// we should process the policy on matched resources, generate violations accordingly
+// 	// TODO: This method should not be in PolicyEngine. Validate will do this work instead
+// 	ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error)
 
-	for _, rule := range policy.Spec.Rules {
-		err := rule.Validate()
-		if err != nil {
-			p.logger.Printf("Invalid rule detected: #%s in policy %s, err: %v\n", rule.Name, policy.ObjectMeta.Name, err)
-			continue
-		}
+// 	// TODO: Add Generate method
+// 	// Generate()
+// }
 
-		if ok, err := mutation.IsRuleApplicableToResource(rawResource, rule.ResourceDescription); !ok {
-			p.logger.Printf("Rule %s of policy %s is not applicable to the request", rule.Name, policy.Name)
-			return nil, nil, err
-		}
+// func (p *policyEngine) ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error) {
+// 	var violations []violation.Info
+// 	var events []event.Info
 
-		violation, eventInfos, err := p.processRuleOnResource(policy.Name, rule, rawResource)
-		if err != nil {
-			p.logger.Printf("Failed to process rule %s, err: %v\n", rule.Name, err)
-			continue
-		}
-		// } else {
-		// 	policyPatches = append(policyPatches, processedPatches...)
-		// }
-		violations = append(violations, violation)
-		events = append(events, eventInfos...)
-	}
-	return violations, events, nil
-}
+// 	for _, rule := range policy.Spec.Rules {
+// 		err := rule.Validate()
+// 		if err != nil {
+// 			p.logger.Printf("Invalid rule detected: #%s in policy %s, err: %v\n", rule.Name, policy.ObjectMeta.Name, err)
+// 			continue
+// 		}
 
-func (p *policyEngine) processRuleOnResource(policyName string, rule types.Rule, rawResource []byte) (
-	violation.Info, []event.Info, error) {
+// 		if ok, err := mutation.IsRuleApplicableToResource(rawResource, rule.ResourceDescription); !ok {
+// 			p.logger.Printf("Rule %s of policy %s is not applicable to the request", rule.Name, policy.Name)
+// 			return nil, nil, err
+// 		}
 
-	var violationInfo violation.Info
-	var eventInfos []event.Info
+// 		violation, eventInfos, err := p.processRuleOnResource(policy.Name, rule, rawResource)
+// 		if err != nil {
+// 			p.logger.Printf("Failed to process rule %s, err: %v\n", rule.Name, err)
+// 			continue
+// 		}
+// 		// } else {
+// 		// 	policyPatches = append(policyPatches, processedPatches...)
+// 		// }
+// 		violations = append(violations, violation)
+// 		events = append(events, eventInfos...)
+// 	}
+// 	return violations, events, nil
+// }
 
-	resourceKind := mutation.ParseKindFromObject(rawResource)
-	resourceName := mutation.ParseNameFromObject(rawResource)
-	resourceNamespace := mutation.ParseNamespaceFromObject(rawResource)
+// func (p *policyEngine) processRuleOnResource(policyName string, rule types.Rule, rawResource []byte) (
+// 	violation.Info, []event.Info, error) {
 
-	rulePatchesProcessed, err := mutation.ProcessPatches(rule.Mutation.Patches, nil)
-	if err != nil {
-		return violationInfo, eventInfos, fmt.Errorf("Failed to process patches from rule %s: %v", rule.Name, err)
-	}
+// 	var violationInfo violation.Info
+// 	var eventInfos []event.Info
 
-	if rulePatchesProcessed != nil {
-		log.Printf("Rule %s: prepared %d patches", rule.Name, len(rulePatchesProcessed))
+// 	resourceKind := mutation.ParseKindFromObject(rawResource)
+// 	resourceName := mutation.ParseNameFromObject(rawResource)
+// 	resourceNamespace := mutation.ParseNamespaceFromObject(rawResource)
 
-		violationInfo = violation.NewViolation(policyName, resourceKind, resourceNamespace+"/"+resourceName, rule.Name)
-		// add a violation to queue
+// 	rulePatchesProcessed, err := mutation.ProcessPatches(rule.Mutation.Patches, nil)
+// 	if err != nil {
+// 		return violationInfo, eventInfos, fmt.Errorf("Failed to process patches from rule %s: %v", rule.Name, err)
+// 	}
 
-		// add an event to policy
-		//TODO: event msg
-		eventInfos = append(eventInfos, event.NewEvent("Policy", policyName, event.PolicyViolation, event.FResourcePolcy))
-		// add an event to resource
-		eventInfos = append(eventInfos, event.NewEvent(resourceKind, resourceNamespace+"/"+resourceName, event.PolicyViolation, event.FResourcePolcy))
-	}
+// 	if rulePatchesProcessed != nil {
+// 		log.Printf("Rule %s: prepared %d patches", rule.Name, len(rulePatchesProcessed))
 
-	return violationInfo, eventInfos, nil
-}
+// 		violationInfo = violation.NewViolation(policyName, resourceKind, resourceNamespace+"/"+resourceName, rule.Name)
+// 		// add a violation to queue
+
+// 		// add an event to policy
+// 		//TODO: event msg
+// 		eventInfos = append(eventInfos, event.NewEvent("Policy", policyName, event.PolicyViolation, event.FResourcePolcy))
+// 		// add an event to resource
+// 		eventInfos = append(eventInfos, event.NewEvent(resourceKind, resourceNamespace+"/"+resourceName, event.PolicyViolation, event.FResourcePolcy))
+// 	}
+
+// 	return violationInfo, eventInfos, nil
+// }

pkg/engine/generation.go

@@ -10,16 +10,16 @@ import (
 // TODO: To be reworked due to spec policy-v2
 
 // Applies "configMapGenerator" and "secretGenerator" described in PolicyRule
-func (p *policyEngine) applyRuleGenerators(rawResource []byte, rule kubepolicy.Rule) error {
+func applyRuleGenerators(rawResource []byte, rule kubepolicy.Rule) error {
 	kind := mutation.ParseKindFromObject(rawResource)
 
 	// configMapGenerator and secretGenerator can be applied only to namespaces
 	if kind == "Namespace" {
 		namespaceName := mutation.ParseNameFromObject(rawResource)
 
-		err := p.applyConfigGenerator(rule.Generation, namespaceName, "ConfigMap")
+		err := applyConfigGenerator(rule.Generation, namespaceName, "ConfigMap")
 		if err == nil {
-			err = p.applyConfigGenerator(rule.Generation, namespaceName, "Secret")
+			err = applyConfigGenerator(rule.Generation, namespaceName, "Secret")
 		}
 		return err
 	}
@@ -27,7 +27,7 @@ func (p *policyEngine) applyRuleGenerators(rawResource []byte, rule kubepolicy.R
 }
 
 // Creates resourceKind (ConfigMap or Secret) with parameters specified in generator in cluster specified in request.
-func (p *policyEngine) applyConfigGenerator(generator *kubepolicy.Generation, namespace string, configKind string) error {
+func applyConfigGenerator(generator *kubepolicy.Generation, namespace string, configKind string) error {
 	if generator == nil {
 		return nil
 	}
@@ -37,11 +37,12 @@ func (p *policyEngine) applyConfigGenerator(generator *kubepolicy.Generation, na
 		return fmt.Errorf("Generator for '%s' is invalid: %s", configKind, err)
 	}
 
+	// TODO:
 	switch configKind {
 	case "ConfigMap":
-		err = p.kubeClient.GenerateConfigMap(*generator, namespace)
+		// err = p.kubeClient.GenerateConfigMap(*generator, namespace)
 	case "Secret":
-		err = p.kubeClient.GenerateSecret(*generator, namespace)
+		// err = p.kubeClient.GenerateSecret(*generator, namespace)
 	default:
 		err = fmt.Errorf("Unsupported config Kind '%s'", configKind)
 	}

pkg/engine/mutation.go

@@ -1,12 +1,15 @@
 package engine
 
 import (
+	"log"
+
 	kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
 	"github.com/nirmata/kube-policy/pkg/engine/mutation"
 )
 
 // Mutate performs mutation. Overlay first and then mutation patches
-func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte) []mutation.PatchBytes {
+// TODO: pass in logger?
+func Mutate(policy kubepolicy.Policy, rawResource []byte) []mutation.PatchBytes {
 	var policyPatches []mutation.PatchBytes
 
 	for i, rule := range policy.Spec.Rules {
@@ -18,18 +21,18 @@ func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte) []mu
 
 		err := rule.Validate()
 		if err != nil {
-			p.logger.Printf("Rule has invalid structure: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
+			log.Printf("Rule has invalid structure: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
 			continue
 		}
 
 		ok, err := mutation.IsRuleApplicableToResource(rawResource, rule.ResourceDescription)
 		if err != nil {
-			p.logger.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
+			log.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
 			continue
 		}
 
 		if !ok {
-			p.logger.Printf("Rule is not applicable t the request: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
+			log.Printf("Rule is not applicable t the request: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
 			continue
 		}
 
@@ -38,7 +41,7 @@ func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte) []mu
 		if rule.Mutation.Overlay != nil {
 			overlayPatches, err := mutation.ProcessOverlay(rule.Mutation.Overlay, rawResource)
 			if err != nil {
-				p.logger.Printf("Overlay application failed: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
+				log.Printf("Overlay application failed: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
 			} else {
 				policyPatches = append(policyPatches, overlayPatches...)
 			}
@@ -49,7 +52,7 @@ func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte) []mu
 		if rule.Mutation.Patches != nil {
 			processedPatches, err := mutation.ProcessPatches(rule.Mutation.Patches, rawResource)
 			if err != nil {
-				p.logger.Printf("Patches application failed: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
+				log.Printf("Patches application failed: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
 			} else {
 				policyPatches = append(policyPatches, processedPatches...)
 			}

pkg/engine/mutation/patches.go

@@ -10,8 +10,7 @@ import (
 
 type PatchBytes []byte
 
-// Test patches on given document according to given sets.
-// Returns array from separate patches that can be applied to the document
+// ProcessPatches Returns array from separate patches that can be applied to the document
 // Returns error ONLY in case when creation of resource should be denied.
 func ProcessPatches(patches []kubepolicy.Patch, resource []byte) ([]PatchBytes, error) {
 	if len(resource) == 0 {

pkg/engine/validation.go

@@ -2,4 +2,4 @@ package engine
 
 import types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
 
-func (p *policyEngine) Validate(policy types.Policy, rawResource []byte) {}
+func Validate(policy types.Policy, rawResource []byte) {}

pkg/webhooks/admission_test.go

@@ -1,9 +1,10 @@
 package webhooks_test
 
 import (
-	"gotest.tools/assert"
 	"testing"
 
+	"gotest.tools/assert"
+
 	types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
 	"github.com/nirmata/kube-policy/webhooks"
 	v1beta1 "k8s.io/api/admission/v1beta1"

pkg/webhooks/registration_test.go

@@ -1,21 +1,20 @@
 package webhooks_test
 
 import (
-	"gotest.tools/assert"
+	"bytes"
 	"io/ioutil"
 	"testing"
-	"bytes"
-
-	"github.com/nirmata/kube-policy/webhooks"
 
+	"github.com/nirmata/kube-policy/pkg/webhooks"
+	"gotest.tools/assert"
 	rest "k8s.io/client-go/rest"
 )
 
 func TestExtractCA_EmptyBundle(t *testing.T) {
 	CAFile := "resources/CAFile"
 
-	config := &rest.Config {
-		TLSClientConfig: rest.TLSClientConfig {
+	config := &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
 			CAData: nil,
 			CAFile: CAFile,
 		},
@@ -30,8 +29,8 @@ func TestExtractCA_EmptyBundle(t *testing.T) {
 func TestExtractCA_EmptyCAFile(t *testing.T) {
 	CABundle := []byte(`LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1ETXhPVEUwTURjd05Gb1hEVEk1TURNeE5qRTBNRGN3TkZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTStQClVLVmExcm9tQndOZzdqNnBBSGo5TDQ4RVJpdEplRzRXM1pUYmNMNWNKbnVTQmFsc1h1TWpQTGZmbUV1VEZIdVAKenRqUlBEUHcreEg1d3VTWFF2U0tIaXF2VE1pUm9DSlJFa09sQXpIa1dQM0VrdnUzNzRqZDVGV3Q3NEhnRk91cApIZ1ZwdUxPblczK2NDVE5iQ3VkeDFMVldRbGgwQzJKbm1Lam5uS1YrTkxzNFJVaVk1dk91ekpuNHl6QldLRjM2CmJLZ3ZDOVpMWlFSM3dZcnJNZWllYzBnWVY2VlJtaGgxSjRDV3V1UWd0ckM2d2NJanFWZFdEUlJyNHFMdEtDcDIKQVNIZmNieitwcEdHblJ5Z2FzcWNJdnpiNUVwV3NIRGtHRStUUW5WQ0JmTmsxN0NEOTZBQ1pmRWVybzEvWE16MgpRbzZvcUE0dnF5ZkdWWVU5RVZFQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFNWFVpUVJpdUc4cGdzcHMrZTdGZWdCdEJOZEcKZlFUdHVLRWFUZ0U0RjQwamJ3UmdrN25DTHlsSHgvRG04aVRRQmsyWjR4WnNuY0huRys4SkwrckRLdlJBSE5iVQpsYnpReXA1V3FwdjdPcThwZ01wU0o5bTdVY3BGZmRVZkorNW43aXFnTGdMb3lhNmtRVTR2Rk0yTE1rWjI5NVpxCmVId0hnREo5Z3IwWGNyOWM1L2tRdkxFc2Z2WU5QZVhuamNyWXlDb2JNcVduSElxeVd3cHM1VTJOaGgraXhSZEIKbzRRL3RJS04xOU93WGZBaVc5SENhNzZMb3ZXaUhPU2UxVnFzK1h1N1A5ckx4eW1vQm91aFcxVmZ0bUo5Qy9vTAp3cFVuNnlXRCttY0tkZ3J5QTFjTWJ4Q281bUd6YTNLaFk1QTd5eDQ1cThkSEIzTWU4d0FCam1wWEs0ST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=`)
 
-	config := &rest.Config {
-		TLSClientConfig: rest.TLSClientConfig {
+	config := &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
 			CAData: CABundle,
 			CAFile: "",
 		},
@@ -42,8 +41,8 @@ func TestExtractCA_EmptyCAFile(t *testing.T) {
 }
 
 func TestExtractCA_EmptyConfig(t *testing.T) {
-	config := &rest.Config {
-		TLSClientConfig: rest.TLSClientConfig {
+	config := &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
 			CAData: nil,
 			CAFile: "",
 		},
@@ -54,8 +53,8 @@ func TestExtractCA_EmptyConfig(t *testing.T) {
 }
 
 func TestExtractCA_InvalidFile(t *testing.T) {
-	config := &rest.Config {
-		TLSClientConfig: rest.TLSClientConfig {
+	config := &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
 			CAData: nil,
 			CAFile: "somenonexistingfile",
 		},
@@ -63,4 +62,4 @@ func TestExtractCA_InvalidFile(t *testing.T) {
 
 	actual := webhooks.ExtractCA(config)
 	assert.Assert(t, actual == nil)
-}
+}

pkg/webhooks/server.go

@@ -29,7 +29,6 @@ import (
 // MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.
 type WebhookServer struct {
 	server       http.Server
-	policyEngine engine.PolicyEngine
 	policyLister policylister.PolicyLister
 	logger       *log.Logger
 }
@@ -55,10 +54,8 @@ func NewWebhookServer(
 		return nil, err
 	}
 	tlsConfig.Certificates = []tls.Certificate{pair}
-	policyEngine := engine.NewPolicyEngine(kubeclient, logger)
 
 	ws := &WebhookServer{
-		policyEngine: policyEngine,
 		policyLister: policyLister,
 		logger:       logger,
 	}
@@ -185,7 +182,7 @@ func (ws *WebhookServer) Mutate(request *v1beta1.AdmissionRequest) *v1beta1.Admi
 	for _, policy := range policies {
 		ws.logger.Printf("Applying policy %s with %d rules", policy.ObjectMeta.Name, len(policy.Spec.Rules))
 
-		policyPatches := ws.policyEngine.Mutate(policy, request.Object.Raw)
+		policyPatches := engine.Mutate(policy, request.Object.Raw)
 		allPatches = append(allPatches, policyPatches...)
 
 		if len(policyPatches) > 0 {