refactor: resolve roles/cluster roles/top level GVK earlier in the admission chain (#6775)

* refactor: remove more admission request pointers

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: resolve roles/cluster roles earlier in the admission chain

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* enrich

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* enrich

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

cmd/cleanup-controller/server.go

@@ -70,7 +70,7 @@ func NewServer(
 		"POST",
 		config.CleanupValidatingWebhookServicePath,
 		handlers.FromAdmissionFunc("VALIDATE", validationHandler).
-			WithDump(debugModeOpts.DumpPayload, nil, nil).
+			WithDump(debugModeOpts.DumpPayload).
 			WithSubResourceFilter().
 			WithMetrics(policyLogger, metricsConfig.Config(), metrics.WebhookValidating).
 			WithAdmission(policyLogger.WithName("validate")).

cmd/kyverno/main.go

@@ -544,6 +544,7 @@ func main() {
 		runtime,
 		kubeInformer.Rbac().V1().RoleBindings().Lister(),
 		kubeInformer.Rbac().V1().ClusterRoleBindings().Lister(),
+		dClient.Discovery(),
 	)
 	// start informers and wait for cache sync
 	// we need to call start again because we potentially registered new informers

pkg/engine/policycontext/policy_context.go

@@ -5,7 +5,6 @@ import (
 
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
-	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	enginectx "github.com/kyverno/kyverno/pkg/engine/context"
@@ -190,9 +189,9 @@ func NewPolicyContext(operation kyvernov1.AdmissionOperation) *PolicyContext {
 }
 
 func NewPolicyContextFromAdmissionRequest(
-	client dclient.IDiscovery,
 	request admissionv1.AdmissionRequest,
 	admissionInfo kyvernov1beta1.RequestInfo,
+	gvk schema.GroupVersionKind,
 	configuration config.Configuration,
 ) (*PolicyContext, error) {
 	ctx, err := newVariablesContext(request, &admissionInfo)
@@ -206,10 +205,6 @@ func NewPolicyContextFromAdmissionRequest(
 	if err := ctx.AddImageInfos(&newResource, configuration); err != nil {
 		return nil, fmt.Errorf("failed to add image information to the policy rule context: %w", err)
 	}
-	gvk, err := client.GetGVKFromGVR(schema.GroupVersionResource(request.Resource))
-	if err != nil {
-		return nil, err
-	}
 	policyContext := NewPolicyContextWithJsonContext(kyvernov1.AdmissionOperation(request.Operation), ctx).
 		WithNewResource(newResource).
 		WithOldResource(oldResource).

pkg/webhooks/handlers/admission.go

@@ -39,21 +39,16 @@ func (inner AdmissionHandler) withAdmission(logger logr.Logger) HttpHandler {
 			return
 		}
 		logger := logger.WithValues(
-			"kind", admissionReview.Request.Kind.Kind,
 			"gvk", admissionReview.Request.Kind,
+			"gvr", admissionReview.Request.Resource,
 			"namespace", admissionReview.Request.Namespace,
 			"name", admissionReview.Request.Name,
 			"operation", admissionReview.Request.Operation,
 			"uid", admissionReview.Request.UID,
 			"user", admissionReview.Request.UserInfo,
 		)
-		admissionReview.Response = &admissionv1.AdmissionResponse{
-			Allowed: true,
-			UID:     admissionReview.Request.UID,
-		}
 		admissionRequest := AdmissionRequest{
 			AdmissionRequest: *admissionReview.Request,
-			// TODO: roles/clusterroles
 		}
 		admissionResponse := inner(request.Context(), logger, admissionRequest, startTime)
 		admissionReview.Response = &admissionResponse

pkg/webhooks/handlers/dump.go

@@ -6,47 +6,37 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
-	"github.com/kyverno/kyverno/pkg/userinfo"
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
-	admissionv1 "k8s.io/api/admission/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
-	rbacv1listers "k8s.io/client-go/listers/rbac/v1"
 )
 
 func (inner AdmissionHandler) WithDump(
 	enabled bool,
-	rbLister rbacv1listers.RoleBindingLister,
-	crbLister rbacv1listers.ClusterRoleBindingLister,
 ) AdmissionHandler {
 	if !enabled {
 		return inner
 	}
-	return inner.withDump(rbLister, crbLister).WithTrace("DUMP")
+	return inner.withDump().WithTrace("DUMP")
 }
 
-func (inner AdmissionHandler) withDump(
+func (inner AdmissionHandler) withDump() AdmissionHandler {
-	rbLister rbacv1listers.RoleBindingLister,
-	crbLister rbacv1listers.ClusterRoleBindingLister,
-) AdmissionHandler {
 	return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
 		response := inner(ctx, logger, request, startTime)
-		dumpPayload(logger, rbLister, crbLister, request.AdmissionRequest, response)
+		dumpPayload(logger, request, response)
 		return response
 	}
 }
 
 func dumpPayload(
 	logger logr.Logger,
-	rbLister rbacv1listers.RoleBindingLister,
+	request AdmissionRequest,
-	crbLister rbacv1listers.ClusterRoleBindingLister,
-	request admissionv1.AdmissionRequest,
 	response AdmissionResponse,
 ) {
-	reqPayload, err := newAdmissionRequestPayload(request, rbLister, crbLister)
+	reqPayload, err := newAdmissionRequestPayload(request)
 	if err != nil {
 		logger.Error(err, "Failed to extract resources")
 	} else {
@@ -77,11 +67,9 @@ type admissionRequestPayload struct {
 }
 
 func newAdmissionRequestPayload(
-	request admissionv1.AdmissionRequest,
+	request AdmissionRequest,
-	rbLister rbacv1listers.RoleBindingLister,
-	crbLister rbacv1listers.ClusterRoleBindingLister,
 ) (*admissionRequestPayload, error) {
-	newResource, oldResource, err := admissionutils.ExtractResources(nil, request)
+	newResource, oldResource, err := admissionutils.ExtractResources(nil, request.AdmissionRequest)
 	if err != nil {
 		return nil, err
 	}
@@ -92,15 +80,6 @@ func newAdmissionRequestPayload(
 			return nil, err
 		}
 	}
-	var roles, clusterRoles []string
-	if rbLister != nil && crbLister != nil {
-		if r, cr, err := userinfo.GetRoleRef(rbLister, crbLister, request.UserInfo); err != nil {
-			return nil, err
-		} else {
-			roles = r
-			clusterRoles = cr
-		}
-	}
 	return redactPayload(&admissionRequestPayload{
 		UID:                request.UID,
 		Kind:               request.Kind,
@@ -113,8 +92,8 @@ func newAdmissionRequestPayload(
 		Namespace:          request.Namespace,
 		Operation:          string(request.Operation),
 		UserInfo:           request.UserInfo,
-		Roles:              roles,
+		Roles:              request.Roles,
-		ClusterRoles:       clusterRoles,
+		ClusterRoles:       request.ClusterRoles,
 		Object:             newResource,
 		OldObject:          oldResource,
 		DryRun:             request.DryRun,

pkg/webhooks/handlers/dump_test.go

@@ -141,7 +141,7 @@ func Test_RedactPayload(t *testing.T) {
 			var req admissionv1.AdmissionRequest
 			err := json.Unmarshal(c.requestPayload, &req)
 			assert.NilError(t, err)
-			payload, err := newAdmissionRequestPayload(req, nil, nil)
+			payload, err := newAdmissionRequestPayload(AdmissionRequest{AdmissionRequest: req})
 			assert.NilError(t, err)
 			if payload.Object.Object != nil {
 				data, err := datautils.ToMap(payload.Object.Object["data"])

pkg/webhooks/handlers/enrich.go

@@ -0,0 +1,61 @@
+package handlers
+
+import (
+	"context"
+	"time"
+
+	"github.com/go-logr/logr"
+	"github.com/kyverno/kyverno/pkg/clients/dclient"
+	"github.com/kyverno/kyverno/pkg/userinfo"
+	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	rbacv1listers "k8s.io/client-go/listers/rbac/v1"
+)
+
+func (inner AdmissionHandler) WithRoles(
+	rbLister rbacv1listers.RoleBindingLister,
+	crbLister rbacv1listers.ClusterRoleBindingLister,
+) AdmissionHandler {
+	return inner.withRoles(rbLister, crbLister).WithTrace("ROLES")
+}
+
+func (inner AdmissionHandler) WithTopLevelGVK(
+	client dclient.IDiscovery,
+) AdmissionHandler {
+	return inner.withTopLevelGVK(client).WithTrace("GVK")
+}
+
+func (inner AdmissionHandler) withRoles(
+	rbLister rbacv1listers.RoleBindingLister,
+	crbLister rbacv1listers.ClusterRoleBindingLister,
+) AdmissionHandler {
+	return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
+		roles, clusterRoles, err := userinfo.GetRoleRef(rbLister, crbLister, request.UserInfo)
+		if err != nil {
+			return admissionutils.Response(request.UID, err)
+		}
+		request.Roles = roles
+		request.ClusterRoles = clusterRoles
+		logger = logger.WithValues(
+			"roles", roles,
+			"clusterroles", clusterRoles,
+		)
+		return inner(ctx, logger, request, startTime)
+	}
+}
+
+func (inner AdmissionHandler) withTopLevelGVK(
+	client dclient.IDiscovery,
+) AdmissionHandler {
+	return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
+		gvk, err := client.GetGVKFromGVR(schema.GroupVersionResource(request.Resource))
+		if err != nil {
+			return admissionutils.Response(request.UID, err)
+		}
+		request.GroupVersionKind = gvk
+		logger = logger.WithValues(
+			"resource.gvk", gvk,
+		)
+		return inner(ctx, logger, request, startTime)
+	}
+}

pkg/webhooks/handlers/protect.go

@@ -16,6 +16,8 @@ import (
 
 const namespaceControllerUsername = "system:serviceaccount:kube-system:namespace-controller"
 
+var kyvernoUsername = fmt.Sprintf("system:serviceaccount:%s:%s", config.KyvernoNamespace(), config.KyvernoServiceAccountName())
+
 func (inner AdmissionHandler) WithProtection(enabled bool) AdmissionHandler {
 	if !enabled {
 		return inner
@@ -37,7 +39,7 @@ func (inner AdmissionHandler) withProtection() AdmissionHandler {
 		for _, resource := range []unstructured.Unstructured{newResource, oldResource} {
 			resLabels := resource.GetLabels()
 			if resLabels[kyvernov1.LabelAppManagedBy] == kyvernov1.ValueKyvernoApp {
-				if request.UserInfo.Username != fmt.Sprintf("system:serviceaccount:%s:%s", config.KyvernoNamespace(), config.KyvernoServiceAccountName()) {
+				if request.UserInfo.Username != kyvernoUsername {
 					logger.Info("Access to the resource not authorized, this is a kyverno managed resource and should be altered only by kyverno")
 					return admissionutils.Response(request.UID, errors.New("A kyverno managed resource can only be modified by kyverno"))
 				}

pkg/webhooks/handlers/types.go

@@ -7,11 +7,21 @@ import (
 
 	"github.com/go-logr/logr"
 	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
 type AdmissionRequest struct {
 	// AdmissionRequest is the original admission request.
 	admissionv1.AdmissionRequest
+
+	// Roles is a list of possible role send the request.
+	Roles []string
+
+	// ClusterRoles is a list of possible clusterRoles send the request.
+	ClusterRoles []string
+
+	// GroupVersionKind is the top level GVK.
+	GroupVersionKind schema.GroupVersionKind
 }
 
 type AdmissionResponse = admissionv1.AdmissionResponse

pkg/webhooks/resource/fake.go

@@ -36,8 +36,6 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
 
 	dclient := dclient.NewEmptyFakeClient()
 	configuration := config.NewDefaultConfiguration()
-	rbLister := informers.Rbac().V1().RoleBindings().Lister()
-	crbLister := informers.Rbac().V1().ClusterRoleBindings().Lister()
 	urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
 	peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
 	rclient := registryclient.NewOrDie()
@@ -53,7 +51,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
 		urGenerator:    updaterequest.NewFake(),
 		eventGen:       event.NewFake(),
 		openApiManager: openapi.NewFake(),
-		pcBuilder:      webhookutils.NewPolicyContextBuilder(configuration, dclient, rbLister, crbLister),
+		pcBuilder:      webhookutils.NewPolicyContextBuilder(configuration),
 		engine: engine.NewEngine(
 			configuration,
 			dclient,

pkg/webhooks/resource/handlers.go

@@ -96,7 +96,7 @@ func NewHandlers(
 		urGenerator:      urGenerator,
 		eventGen:         eventGen,
 		openApiManager:   openApiManager,
-		pcBuilder:        webhookutils.NewPolicyContextBuilder(configuration, client, rbLister, crbLister),
+		pcBuilder:        webhookutils.NewPolicyContextBuilder(configuration),
 		admissionReports: admissionReports,
 	}
 }
@@ -120,7 +120,7 @@ func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, req
 
 	logger.V(4).Info("processing policies for validate admission request", "validate", len(policies), "mutate", len(mutatePolicies), "generate", len(generatePolicies))
 
-	policyContext, err := h.pcBuilder.Build(request.AdmissionRequest)
+	policyContext, err := h.pcBuilder.Build(request.AdmissionRequest, request.Roles, request.ClusterRoles, request.GroupVersionKind)
 	if err != nil {
 		return errorResponse(logger, request.UID, err, "failed create policy context")
 	}
@@ -132,7 +132,7 @@ func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, req
 	policyContext = policyContext.WithNamespaceLabels(namespaceLabels)
 	vh := validation.NewValidationHandler(logger, h.kyvernoClient, h.engine, h.pCache, h.pcBuilder, h.eventGen, h.admissionReports, h.metricsConfig, h.configuration)
 
-	ok, msg, warnings := vh.HandleValidation(ctx, request.AdmissionRequest, policies, policyContext, startTime)
+	ok, msg, warnings := vh.HandleValidation(ctx, request, policies, policyContext, startTime)
 	if !ok {
 		logger.Info("admission request denied")
 		return admissionutils.Response(request.UID, errors.New(msg), warnings...)
@@ -155,7 +155,7 @@ func (h *resourceHandlers) Mutate(ctx context.Context, logger logr.Logger, reque
 		return admissionutils.ResponseSuccess(request.UID)
 	}
 	logger.V(4).Info("processing policies for mutate admission request", "mutatePolicies", len(mutatePolicies), "verifyImagesPolicies", len(verifyImagesPolicies))
-	policyContext, err := h.pcBuilder.Build(request.AdmissionRequest)
+	policyContext, err := h.pcBuilder.Build(request.AdmissionRequest, request.Roles, request.ClusterRoles, request.GroupVersionKind)
 	if err != nil {
 		logger.Error(err, "failed to build policy context")
 		return admissionutils.Response(request.UID, err)
@@ -168,7 +168,7 @@ func (h *resourceHandlers) Mutate(ctx context.Context, logger logr.Logger, reque
 	}
 	newRequest := patchRequest(mutatePatches, request.AdmissionRequest, logger)
 	// rebuild context to process images updated via mutate policies
-	policyContext, err = h.pcBuilder.Build(newRequest)
+	policyContext, err = h.pcBuilder.Build(newRequest, request.Roles, request.ClusterRoles, request.GroupVersionKind)
 	if err != nil {
 		logger.Error(err, "failed to build policy context")
 		return admissionutils.Response(request.UID, err)

pkg/webhooks/resource/validation/validation.go

@@ -17,6 +17,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/tracing"
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
 	reportutils "github.com/kyverno/kyverno/pkg/utils/report"
+	"github.com/kyverno/kyverno/pkg/webhooks/handlers"
 	webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
 	"go.opentelemetry.io/otel/trace"
 	admissionv1 "k8s.io/api/admission/v1"
@@ -29,7 +30,7 @@ type ValidationHandler interface {
 	// HandleValidation handles validating webhook admission request
 	// If there are no errors in validating rule we apply generation rules
 	// patchedResource is the (resource + patches) after applying mutation rules
-	HandleValidation(context.Context, admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, time.Time) (bool, string, []string)
+	HandleValidation(context.Context, handlers.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, time.Time) (bool, string, []string)
 }
 
 func NewValidationHandler(
@@ -70,12 +71,12 @@ type validationHandler struct {
 
 func (v *validationHandler) HandleValidation(
 	ctx context.Context,
-	request admissionv1.AdmissionRequest,
+	request handlers.AdmissionRequest,
 	policies []kyvernov1.PolicyInterface,
 	policyContext *engine.PolicyContext,
 	admissionRequestTimestamp time.Time,
 ) (bool, string, []string) {
-	resourceName := admissionutils.GetResourceName(request)
+	resourceName := admissionutils.GetResourceName(request.AdmissionRequest)
 	logger := v.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind)
 
 	var deletionTimeStamp *metav1.Time
@@ -145,12 +146,12 @@ func (v *validationHandler) HandleValidation(
 func (v *validationHandler) buildAuditResponses(
 	ctx context.Context,
 	resource unstructured.Unstructured,
-	request admissionv1.AdmissionRequest,
+	request handlers.AdmissionRequest,
 	namespaceLabels map[string]string,
 ) ([]engineapi.EngineResponse, error) {
 	gvr := schema.GroupVersionResource(request.Resource)
 	policies := v.pCache.GetPolicies(policycache.ValidateAudit, gvr, request.SubResource, request.Namespace)
-	policyContext, err := v.pcBuilder.Build(request)
+	policyContext, err := v.pcBuilder.Build(request.AdmissionRequest, request.Roles, request.ClusterRoles, request.GroupVersionKind)
 	if err != nil {
 		return nil, err
 	}
@@ -175,12 +176,12 @@ func (v *validationHandler) buildAuditResponses(
 func (v *validationHandler) handleAudit(
 	ctx context.Context,
 	resource unstructured.Unstructured,
-	request admissionv1.AdmissionRequest,
+	request handlers.AdmissionRequest,
 	namespaceLabels map[string]string,
 	engineResponses ...engineapi.EngineResponse,
 ) {
 	createReport := v.admissionReports
-	if admissionutils.IsDryRun(request) {
+	if admissionutils.IsDryRun(request.AdmissionRequest) {
 		createReport = false
 	}
 	// we don't need reports for deletions
@@ -208,7 +209,7 @@ func (v *validationHandler) handleAudit(
 			v.eventGen.Add(events...)
 			if createReport {
 				responses = append(responses, engineResponses...)
-				report := reportutils.BuildAdmissionReport(resource, request, responses...)
+				report := reportutils.BuildAdmissionReport(resource, request.AdmissionRequest, responses...)
 				if len(report.GetResults()) > 0 {
 					_, err = reportutils.CreateReport(ctx, report, v.kyvernoClient)
 					if err != nil {

pkg/webhooks/server.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/julienschmidt/httprouter"
+	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/metrics"
@@ -81,6 +82,7 @@ func NewServer(
 	runtime runtimeutils.Runtime,
 	rbLister rbacv1listers.RoleBindingLister,
 	crbLister rbacv1listers.ClusterRoleBindingLister,
+	discovery dclient.IDiscovery,
 ) Server {
 	mux := httprouter.New()
 	resourceLogger := logger.WithName("resource")
@@ -96,7 +98,9 @@ func NewServer(
 			return handler.
 				WithFilter(configuration).
 				WithProtection(toggle.ProtectManagedResources.Enabled()).
-				WithDump(debugModeOpts.DumpPayload, rbLister, crbLister).
+				WithDump(debugModeOpts.DumpPayload).
+				WithTopLevelGVK(discovery).
+				WithRoles(rbLister, crbLister).
 				WithOperationFilter(admissionv1.Create, admissionv1.Update, admissionv1.Connect).
 				WithMetrics(resourceLogger, metricsConfig.Config(), metrics.WebhookMutating).
 				WithAdmission(resourceLogger.WithName("mutate"))
@@ -111,7 +115,9 @@ func NewServer(
 			return handler.
 				WithFilter(configuration).
 				WithProtection(toggle.ProtectManagedResources.Enabled()).
-				WithDump(debugModeOpts.DumpPayload, rbLister, crbLister).
+				WithDump(debugModeOpts.DumpPayload).
+				WithTopLevelGVK(discovery).
+				WithRoles(rbLister, crbLister).
 				WithMetrics(resourceLogger, metricsConfig.Config(), metrics.WebhookValidating).
 				WithAdmission(resourceLogger.WithName("validate"))
 		},
@@ -120,7 +126,7 @@ func NewServer(
 		"POST",
 		config.PolicyMutatingWebhookServicePath,
 		handlers.FromAdmissionFunc("MUTATE", policyHandlers.Mutate).
-			WithDump(debugModeOpts.DumpPayload, rbLister, crbLister).
+			WithDump(debugModeOpts.DumpPayload).
 			WithMetrics(policyLogger, metricsConfig.Config(), metrics.WebhookMutating).
 			WithAdmission(policyLogger.WithName("mutate")).
 			ToHandlerFunc(),
@@ -129,7 +135,7 @@ func NewServer(
 		"POST",
 		config.PolicyValidatingWebhookServicePath,
 		handlers.FromAdmissionFunc("VALIDATE", policyHandlers.Validate).
-			WithDump(debugModeOpts.DumpPayload, rbLister, crbLister).
+			WithDump(debugModeOpts.DumpPayload).
 			WithSubResourceFilter().
 			WithMetrics(policyLogger, metricsConfig.Config(), metrics.WebhookValidating).
 			WithAdmission(policyLogger.WithName("validate")).
@@ -139,7 +145,7 @@ func NewServer(
 		"POST",
 		config.ExceptionValidatingWebhookServicePath,
 		handlers.FromAdmissionFunc("VALIDATE", exceptionHandlers.Validate).
-			WithDump(debugModeOpts.DumpPayload, rbLister, crbLister).
+			WithDump(debugModeOpts.DumpPayload).
 			WithSubResourceFilter().
 			WithMetrics(exceptionLogger, metricsConfig.Config(), metrics.WebhookValidating).
 			WithAdmission(exceptionLogger.WithName("validate")).

pkg/webhooks/utils/policy_context_builder.go

@@ -1,51 +1,34 @@
 package utils
 
 import (
-	"fmt"
-
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
-	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
-	"github.com/kyverno/kyverno/pkg/userinfo"
 	admissionv1 "k8s.io/api/admission/v1"
-	rbacv1listers "k8s.io/client-go/listers/rbac/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
 type PolicyContextBuilder interface {
-	Build(admissionv1.AdmissionRequest) (*engine.PolicyContext, error)
+	Build(admissionv1.AdmissionRequest, []string, []string, schema.GroupVersionKind) (*engine.PolicyContext, error)
 }
 
 type policyContextBuilder struct {
 	configuration config.Configuration
-	client        dclient.Interface
-	rbLister      rbacv1listers.RoleBindingLister
-	crbLister     rbacv1listers.ClusterRoleBindingLister
 }
 
 func NewPolicyContextBuilder(
 	configuration config.Configuration,
-	client dclient.Interface,
-	rbLister rbacv1listers.RoleBindingLister,
-	crbLister rbacv1listers.ClusterRoleBindingLister,
 ) PolicyContextBuilder {
 	return &policyContextBuilder{
 		configuration: configuration,
-		client:        client,
-		rbLister:      rbLister,
-		crbLister:     crbLister,
 	}
 }
 
-func (b *policyContextBuilder) Build(request admissionv1.AdmissionRequest) (*engine.PolicyContext, error) {
+func (b *policyContextBuilder) Build(request admissionv1.AdmissionRequest, roles, clusterRoles []string, gvk schema.GroupVersionKind) (*engine.PolicyContext, error) {
 	userRequestInfo := kyvernov1beta1.RequestInfo{
 		AdmissionUserInfo: *request.UserInfo.DeepCopy(),
+		Roles:             roles,
+		ClusterRoles:      clusterRoles,
 	}
-	if roles, clusterRoles, err := userinfo.GetRoleRef(b.rbLister, b.crbLister, request.UserInfo); err != nil {
+	return engine.NewPolicyContextFromAdmissionRequest(request, userRequestInfo, gvk, b.configuration)
-		return nil, fmt.Errorf("failed to fetch RBAC information for request: %w", err)
-	} else {
-		userRequestInfo.Roles = roles
-		userRequestInfo.ClusterRoles = clusterRoles
-	}
-	return engine.NewPolicyContextFromAdmissionRequest(b.client.Discovery(), request, userRequestInfo, b.configuration)
 }