diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 2e2b463baf..65f2571a16 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -117,6 +117,7 @@ func createNonLeaderControllers( policyCache policycache.Cache, eventGenerator event.Interface, manager openapi.Manager, + informerCacheResolvers resolvers.ConfigmapResolver, ) ([]internal.Controller, func() error) { policyCacheController := policycachecontroller.NewController( dynamicClient, @@ -143,6 +144,7 @@ func createNonLeaderControllers( kubeKyvernoInformer.Core().V1().Pods(), eventGenerator, configuration, + informerCacheResolvers, ) return []internal.Controller{ internal.NewController(policycachecontroller.ControllerName, policyCacheController, policycachecontroller.Workers), @@ -166,6 +168,7 @@ func createReportControllers( metadataFactory metadatainformers.SharedInformerFactory, kubeInformer kubeinformers.SharedInformerFactory, kyvernoInformer kyvernoinformer.SharedInformerFactory, + configMapResolver resolvers.ConfigmapResolver, ) ([]internal.Controller, func(context.Context) error) { var ctrls []internal.Controller var warmups []func(context.Context) error @@ -219,6 +222,7 @@ func createReportControllers( kyvernoV1.ClusterPolicies(), kubeInformer.Core().V1().Namespaces(), resourceReportController, + configMapResolver, ), backgroundScanWorkers, )) @@ -255,6 +259,7 @@ func createrLeaderControllers( eventGenerator event.Interface, certRenewer tls.CertRenewer, runtime runtimeutils.Runtime, + configMapResolver resolvers.ConfigmapResolver, ) ([]internal.Controller, func(context.Context) error, error) { policyCtrl, err := policy.NewPolicyController( kyvernoClient, @@ -266,6 +271,7 @@ func createrLeaderControllers( configuration, eventGenerator, kubeInformer.Core().V1().Namespaces(), + configMapResolver, logging.WithName("PolicyController"), time.Hour, metricsConfig, @@ -329,6 +335,7 @@ func createrLeaderControllers( metadataInformer, kubeInformer, kyvernoInformer, + configMapResolver, ) return append( []internal.Controller{ @@ -504,6 +511,7 @@ func main() { policyCache, eventGenerator, openApiManager, + configMapResolver, ) // start informers and wait for cache sync if !internal.StartInformersAndWaitForCacheSync(signalCtx, kyvernoInformer, kubeInformer, kubeKyvernoInformer, cacheInformer) { @@ -561,6 +569,7 @@ func main() { eventGenerator, certRenewer, runtime, + configMapResolver, ) if err != nil { logger.Error(err, "failed to create leader controllers") diff --git a/pkg/background/common/context.go b/pkg/background/common/context.go index 8178d630d5..834063dc1b 100644 --- a/pkg/background/common/context.go +++ b/pkg/background/common/context.go @@ -11,6 +11,7 @@ import ( "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/engine/context" + "github.com/kyverno/kyverno/pkg/engine/context/resolvers" utils "github.com/kyverno/kyverno/pkg/utils" "github.com/pkg/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -20,6 +21,7 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe policy kyvernov1.PolicyInterface, trigger *unstructured.Unstructured, cfg config.Configuration, + informerCacheResolvers resolvers.ConfigmapResolver, namespaceLabels map[string]string, logger logr.Logger, ) (*engine.PolicyContext, bool, error) { @@ -84,7 +86,8 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe WithAdmissionInfo(ur.Spec.Context.UserRequestInfo). WithConfiguration(cfg). WithNamespaceLabels(namespaceLabels). - WithClient(dclient) + WithClient(dclient). + WithInformerCacheResolver(informerCacheResolvers) return policyContext, false, nil } diff --git a/pkg/background/generate/generate.go b/pkg/background/generate/generate.go index 04ad0828aa..9e5583c4a4 100644 --- a/pkg/background/generate/generate.go +++ b/pkg/background/generate/generate.go @@ -23,6 +23,7 @@ import ( "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/engine" enginecontext "github.com/kyverno/kyverno/pkg/engine/context" + "github.com/kyverno/kyverno/pkg/engine/context/resolvers" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/engine/utils" "github.com/kyverno/kyverno/pkg/engine/variables" @@ -52,8 +53,9 @@ type GenerateController struct { policyLister kyvernov1listers.ClusterPolicyLister npolicyLister kyvernov1listers.PolicyLister - configuration config.Configuration - eventGen event.Interface + configuration config.Configuration + informerCacheResolvers resolvers.ConfigmapResolver + eventGen event.Interface log logr.Logger } @@ -69,21 +71,23 @@ func NewGenerateController( urLister kyvernov1beta1listers.UpdateRequestNamespaceLister, nsLister corev1listers.NamespaceLister, dynamicConfig config.Configuration, + informerCacheResolvers resolvers.ConfigmapResolver, eventGen event.Interface, log logr.Logger, ) *GenerateController { c := GenerateController{ - client: client, - kyvernoClient: kyvernoClient, - statusControl: statusControl, - rclient: rclient, - policyLister: policyLister, - npolicyLister: npolicyLister, - urLister: urLister, - nsLister: nsLister, - configuration: dynamicConfig, - eventGen: eventGen, - log: log, + client: client, + kyvernoClient: kyvernoClient, + statusControl: statusControl, + rclient: rclient, + policyLister: policyLister, + npolicyLister: npolicyLister, + urLister: urLister, + nsLister: nsLister, + configuration: dynamicConfig, + informerCacheResolvers: informerCacheResolvers, + eventGen: eventGen, + log: log, } return &c } @@ -193,7 +197,7 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u return nil, false, err } - policyContext, precreatedResource, err := common.NewBackgroundContext(c.client, &ur, &policy, &resource, c.configuration, namespaceLabels, logger) + policyContext, precreatedResource, err := common.NewBackgroundContext(c.client, &ur, &policy, &resource, c.configuration, c.informerCacheResolvers, namespaceLabels, logger) if err != nil { return nil, precreatedResource, err } diff --git a/pkg/background/mutate/mutate.go b/pkg/background/mutate/mutate.go index bd1f8ebfbc..4a94033270 100644 --- a/pkg/background/mutate/mutate.go +++ b/pkg/background/mutate/mutate.go @@ -13,6 +13,7 @@ import ( "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/engine" + "github.com/kyverno/kyverno/pkg/engine/context/resolvers" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/registryclient" @@ -35,8 +36,9 @@ type MutateExistingController struct { policyLister kyvernov1listers.ClusterPolicyLister npolicyLister kyvernov1listers.PolicyLister - configuration config.Configuration - eventGen event.Interface + configuration config.Configuration + informerCacheResolvers resolvers.ConfigmapResolver + eventGen event.Interface log logr.Logger } @@ -49,18 +51,20 @@ func NewMutateExistingController( policyLister kyvernov1listers.ClusterPolicyLister, npolicyLister kyvernov1listers.PolicyLister, dynamicConfig config.Configuration, + informerCacheResolvers resolvers.ConfigmapResolver, eventGen event.Interface, log logr.Logger, ) *MutateExistingController { c := MutateExistingController{ - client: client, - statusControl: statusControl, - rclient: rclient, - policyLister: policyLister, - npolicyLister: npolicyLister, - configuration: dynamicConfig, - eventGen: eventGen, - log: log, + client: client, + statusControl: statusControl, + rclient: rclient, + policyLister: policyLister, + npolicyLister: npolicyLister, + configuration: dynamicConfig, + informerCacheResolvers: informerCacheResolvers, + eventGen: eventGen, + log: log, } return &c } @@ -87,7 +91,7 @@ func (c *MutateExistingController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) e continue } - policyContext, _, err := common.NewBackgroundContext(c.client, ur, policy, trigger, c.configuration, nil, logger) + policyContext, _, err := common.NewBackgroundContext(c.client, ur, policy, trigger, c.configuration, c.informerCacheResolvers, nil, logger) if err != nil { logger.WithName(rule.Name).Error(err, "failed to build policy context") errs = append(errs, err) diff --git a/pkg/background/update_request_controller.go b/pkg/background/update_request_controller.go index d62d016362..0583feb8d6 100644 --- a/pkg/background/update_request_controller.go +++ b/pkg/background/update_request_controller.go @@ -18,6 +18,7 @@ import ( "github.com/kyverno/kyverno/pkg/clients/dclient" pkgCommon "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/config" + "github.com/kyverno/kyverno/pkg/engine/context/resolvers" "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/registryclient" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" @@ -61,8 +62,9 @@ type controller struct { // queue queue workqueue.RateLimitingInterface - eventGen event.Interface - configuration config.Configuration + eventGen event.Interface + configuration config.Configuration + informerCacheResolvers resolvers.ConfigmapResolver } // NewController returns an instance of the Generate-Request Controller @@ -77,20 +79,22 @@ func NewController( podInformer corev1informers.PodInformer, eventGen event.Interface, dynamicConfig config.Configuration, + informerCacheResolvers resolvers.ConfigmapResolver, ) Controller { urLister := urInformer.Lister().UpdateRequests(config.KyvernoNamespace()) c := controller{ - client: client, - kyvernoClient: kyvernoClient, - rclient: rclient, - cpolLister: cpolInformer.Lister(), - polLister: polInformer.Lister(), - urLister: urLister, - nsLister: namespaceInformer.Lister(), - podLister: podInformer.Lister(), - queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "update-request"), - eventGen: eventGen, - configuration: dynamicConfig, + client: client, + kyvernoClient: kyvernoClient, + rclient: rclient, + cpolLister: cpolInformer.Lister(), + polLister: polInformer.Lister(), + urLister: urLister, + nsLister: namespaceInformer.Lister(), + podLister: podInformer.Lister(), + queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "update-request"), + eventGen: eventGen, + configuration: dynamicConfig, + informerCacheResolvers: informerCacheResolvers, } urInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ AddFunc: c.addUR, @@ -409,10 +413,10 @@ func (c *controller) processUR(ur *kyvernov1beta1.UpdateRequest) error { statusControl := common.NewStatusControl(c.kyvernoClient, c.urLister) switch ur.Spec.Type { case kyvernov1beta1.Mutate: - ctrl := mutate.NewMutateExistingController(c.client, statusControl, c.rclient, c.cpolLister, c.polLister, c.configuration, c.eventGen, logger) + ctrl := mutate.NewMutateExistingController(c.client, statusControl, c.rclient, c.cpolLister, c.polLister, c.configuration, c.informerCacheResolvers, c.eventGen, logger) return ctrl.ProcessUR(ur) case kyvernov1beta1.Generate: - ctrl := generate.NewGenerateController(c.client, c.kyvernoClient, statusControl, c.rclient, c.cpolLister, c.polLister, c.urLister, c.nsLister, c.configuration, c.eventGen, logger) + ctrl := generate.NewGenerateController(c.client, c.kyvernoClient, statusControl, c.rclient, c.cpolLister, c.polLister, c.urLister, c.nsLister, c.configuration, c.informerCacheResolvers, c.eventGen, logger) return ctrl.ProcessUR(ur) } return nil diff --git a/pkg/controllers/report/background/controller.go b/pkg/controllers/report/background/controller.go index 6abf48653e..45a774a1f2 100644 --- a/pkg/controllers/report/background/controller.go +++ b/pkg/controllers/report/background/controller.go @@ -15,6 +15,7 @@ import ( "github.com/kyverno/kyverno/pkg/controllers" "github.com/kyverno/kyverno/pkg/controllers/report/resource" "github.com/kyverno/kyverno/pkg/controllers/report/utils" + "github.com/kyverno/kyverno/pkg/engine/context/resolvers" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/registryclient" controllerutils "github.com/kyverno/kyverno/pkg/utils/controller" @@ -58,6 +59,8 @@ type controller struct { // cache metadataCache resource.MetadataCache + + informerCacheResolvers resolvers.ConfigmapResolver } func NewController( @@ -69,23 +72,25 @@ func NewController( cpolInformer kyvernov1informers.ClusterPolicyInformer, nsInformer corev1informers.NamespaceInformer, metadataCache resource.MetadataCache, + informerCacheResolvers resolvers.ConfigmapResolver, ) controllers.Controller { bgscanr := metadataFactory.ForResource(kyvernov1alpha2.SchemeGroupVersion.WithResource("backgroundscanreports")) cbgscanr := metadataFactory.ForResource(kyvernov1alpha2.SchemeGroupVersion.WithResource("clusterbackgroundscanreports")) queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName) c := controller{ - client: client, - kyvernoClient: kyvernoClient, - rclient: rclient, - polLister: polInformer.Lister(), - cpolLister: cpolInformer.Lister(), - bgscanrLister: bgscanr.Lister(), - cbgscanrLister: cbgscanr.Lister(), - nsLister: nsInformer.Lister(), - queue: queue, - bgscanEnqueue: controllerutils.AddDefaultEventHandlers(logger, bgscanr.Informer(), queue), - cbgscanEnqueue: controllerutils.AddDefaultEventHandlers(logger, cbgscanr.Informer(), queue), - metadataCache: metadataCache, + client: client, + kyvernoClient: kyvernoClient, + rclient: rclient, + polLister: polInformer.Lister(), + cpolLister: cpolInformer.Lister(), + bgscanrLister: bgscanr.Lister(), + cbgscanrLister: cbgscanr.Lister(), + nsLister: nsInformer.Lister(), + queue: queue, + bgscanEnqueue: controllerutils.AddDefaultEventHandlers(logger, bgscanr.Informer(), queue), + cbgscanEnqueue: controllerutils.AddDefaultEventHandlers(logger, cbgscanr.Informer(), queue), + metadataCache: metadataCache, + informerCacheResolvers: informerCacheResolvers, } controllerutils.AddEventHandlersT(polInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy) controllerutils.AddEventHandlersT(cpolInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy) @@ -218,7 +223,7 @@ func (c *controller) updateReport(ctx context.Context, meta metav1.Object, gvk s } // if the resource changed, we need to rebuild the report if !reportutils.CompareHash(meta, resource.Hash) { - scanner := utils.NewScanner(logger, c.client, c.rclient) + scanner := utils.NewScanner(logger, c.client, c.rclient, c.informerCacheResolvers) before, err := c.getReport(ctx, meta.GetNamespace(), meta.GetName()) if err != nil { return nil @@ -307,7 +312,7 @@ func (c *controller) updateReport(ctx context.Context, meta metav1.Object, gvk s } // creations if len(toCreate) > 0 { - scanner := utils.NewScanner(logger, c.client, c.rclient) + scanner := utils.NewScanner(logger, c.client, c.rclient, c.informerCacheResolvers) resource, err := c.client.GetResource(ctx, gvk.GroupVersion().String(), gvk.Kind, resource.Namespace, resource.Name) if err != nil { return err diff --git a/pkg/controllers/report/utils/scanner.go b/pkg/controllers/report/utils/scanner.go index d66b3d2f4e..507ebf54d4 100644 --- a/pkg/controllers/report/utils/scanner.go +++ b/pkg/controllers/report/utils/scanner.go @@ -8,6 +8,7 @@ import ( "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/engine" enginecontext "github.com/kyverno/kyverno/pkg/engine/context" + "github.com/kyverno/kyverno/pkg/engine/context/resolvers" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/registryclient" "go.uber.org/multierr" @@ -15,10 +16,11 @@ import ( ) type scanner struct { - logger logr.Logger - client dclient.Interface - rclient registryclient.Client - excludeGroupRole []string + logger logr.Logger + client dclient.Interface + rclient registryclient.Client + informerCacheResolvers resolvers.ConfigmapResolver + excludeGroupRole []string } type ScanResult struct { @@ -30,12 +32,13 @@ type Scanner interface { ScanResource(context.Context, unstructured.Unstructured, map[string]string, ...kyvernov1.PolicyInterface) map[kyvernov1.PolicyInterface]ScanResult } -func NewScanner(logger logr.Logger, client dclient.Interface, rclient registryclient.Client, excludeGroupRole ...string) Scanner { +func NewScanner(logger logr.Logger, client dclient.Interface, rclient registryclient.Client, informerCacheResolvers resolvers.ConfigmapResolver, excludeGroupRole ...string) Scanner { return &scanner{ - logger: logger, - client: client, - rclient: rclient, - excludeGroupRole: excludeGroupRole, + logger: logger, + client: client, + rclient: rclient, + informerCacheResolvers: informerCacheResolvers, + excludeGroupRole: excludeGroupRole, } } @@ -85,7 +88,8 @@ func (s *scanner) validateResource(ctx context.Context, resource unstructured.Un WithPolicy(policy). WithClient(s.client). WithNamespaceLabels(nsLabels). - WithExcludeGroupRole(s.excludeGroupRole...) + WithExcludeGroupRole(s.excludeGroupRole...). + WithInformerCacheResolver(s.informerCacheResolvers) return engine.Validate(ctx, s.rclient, policyCtx), nil } @@ -108,7 +112,8 @@ func (s *scanner) validateImages(ctx context.Context, resource unstructured.Unst WithPolicy(policy). WithClient(s.client). WithNamespaceLabels(nsLabels). - WithExcludeGroupRole(s.excludeGroupRole...) + WithExcludeGroupRole(s.excludeGroupRole...). + WithInformerCacheResolver(s.informerCacheResolvers) response, _ := engine.VerifyAndPatchImages(ctx, s.rclient, policyCtx) if len(response.PolicyResponse.Rules) > 0 { s.logger.Info("validateImages", "policy", policy, "response", response) diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go index e898329eb8..a204e95c36 100644 --- a/pkg/policy/apply.go +++ b/pkg/policy/apply.go @@ -13,6 +13,7 @@ import ( "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/engine" enginecontext "github.com/kyverno/kyverno/pkg/engine/context" + "github.com/kyverno/kyverno/pkg/engine/context/resolvers" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/registryclient" jsonutils "github.com/kyverno/kyverno/pkg/utils/json" @@ -27,6 +28,7 @@ func applyPolicy( excludeGroupRole []string, client dclient.Interface, rclient registryclient.Client, + informerCacheResolvers resolvers.ConfigmapResolver, namespaceLabels map[string]string, ) (responses []*response.EngineResponse) { startTime := time.Now() @@ -63,7 +65,7 @@ func applyPolicy( logger.Error(err, "unable to set operation in context") } - engineResponseMutation, err = mutation(policy, resource, logger, ctx, rclient, namespaceLabels) + engineResponseMutation, err = mutation(policy, resource, logger, ctx, rclient, informerCacheResolvers, namespaceLabels) if err != nil { logger.Error(err, "failed to process mutation rule") } @@ -73,7 +75,8 @@ func applyPolicy( WithNewResource(resource). WithNamespaceLabels(namespaceLabels). WithClient(client). - WithExcludeGroupRole(excludeGroupRole...) + WithExcludeGroupRole(excludeGroupRole...). + WithInformerCacheResolver(informerCacheResolvers) engineResponseValidation = engine.Validate(context.TODO(), rclient, policyCtx) engineResponses = append(engineResponses, mergeRuleRespose(engineResponseMutation, engineResponseValidation)) @@ -87,12 +90,14 @@ func mutation( log logr.Logger, jsonContext enginecontext.Interface, rclient registryclient.Client, + informerCacheResolvers resolvers.ConfigmapResolver, namespaceLabels map[string]string, ) (*response.EngineResponse, error) { policyContext := engine.NewPolicyContextWithJsonContext(jsonContext). WithPolicy(policy). WithNamespaceLabels(namespaceLabels). - WithNewResource(resource) + WithNewResource(resource). + WithInformerCacheResolver(informerCacheResolvers) engineResponse := engine.Mutate(context.TODO(), rclient, policyContext) if !engineResponse.IsSuccessful() { diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go index 23603e671a..6a9c4697ac 100644 --- a/pkg/policy/existing.go +++ b/pkg/policy/existing.go @@ -81,7 +81,7 @@ func (pc *PolicyController) applyPolicy(policy kyvernov1.PolicyInterface, resour } namespaceLabels := common.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger) - engineResponse := applyPolicy(policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, pc.rclient, namespaceLabels) + engineResponse := applyPolicy(policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, pc.rclient, pc.informerCacheResolvers, namespaceLabels) engineResponses = append(engineResponses, engineResponse...) // post-processing, register the resource as processed diff --git a/pkg/policy/policy_controller.go b/pkg/policy/policy_controller.go index ac8c886102..2df14f918a 100644 --- a/pkg/policy/policy_controller.go +++ b/pkg/policy/policy_controller.go @@ -22,6 +22,7 @@ import ( kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1" "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/config" + "github.com/kyverno/kyverno/pkg/engine/context/resolvers" "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/metrics" "github.com/kyverno/kyverno/pkg/registryclient" @@ -77,6 +78,8 @@ type PolicyController struct { // nsLister can list/get namespaces from the shared informer's store nsLister corev1listers.NamespaceLister + informerCacheResolvers resolvers.ConfigmapResolver + informersSynced []cache.InformerSynced // Resource manager, manages the mapping for already processed resource @@ -103,6 +106,7 @@ func NewPolicyController( configHandler config.Configuration, eventGen event.Interface, namespaces corev1informers.NamespaceInformer, + informerCacheResolvers resolvers.ConfigmapResolver, log logr.Logger, reconcilePeriod time.Duration, metricsConfig metrics.MetricsConfigManager, diff --git a/pkg/policy/updaterequest.go b/pkg/policy/updaterequest.go index ab44c6ed4e..6505c8a189 100644 --- a/pkg/policy/updaterequest.go +++ b/pkg/policy/updaterequest.go @@ -100,7 +100,7 @@ func (pc *PolicyController) updateUR(policyKey string, policy kyvernov1.PolicyIn } func (pc *PolicyController) handleUpdateRequest(ur *kyvernov1beta1.UpdateRequest, triggerResource *unstructured.Unstructured, rule kyvernov1.Rule, policy kyvernov1.PolicyInterface) (skip bool, err error) { - policyContext, _, err := common.NewBackgroundContext(pc.client, ur, policy, triggerResource, pc.configHandler, nil, pc.log) + policyContext, _, err := common.NewBackgroundContext(pc.client, ur, policy, triggerResource, pc.configHandler, pc.informerCacheResolvers, nil, pc.log) if err != nil { return false, errors.Wrapf(err, "failed to build policy context for rule %s", rule.Name) }