initialize configmap resolver in background components (#5705)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>

cmd/kyverno/main.go

@@ -117,6 +117,7 @@ func createNonLeaderControllers(
 	policyCache policycache.Cache,
 	eventGenerator event.Interface,
 	manager openapi.Manager,
+	informerCacheResolvers resolvers.ConfigmapResolver,
 ) ([]internal.Controller, func() error) {
 	policyCacheController := policycachecontroller.NewController(
 		dynamicClient,
@@ -143,6 +144,7 @@ func createNonLeaderControllers(
 		kubeKyvernoInformer.Core().V1().Pods(),
 		eventGenerator,
 		configuration,
+		informerCacheResolvers,
 	)
 	return []internal.Controller{
 			internal.NewController(policycachecontroller.ControllerName, policyCacheController, policycachecontroller.Workers),
@@ -166,6 +168,7 @@ func createReportControllers(
 	metadataFactory metadatainformers.SharedInformerFactory,
 	kubeInformer kubeinformers.SharedInformerFactory,
 	kyvernoInformer kyvernoinformer.SharedInformerFactory,
+	configMapResolver resolvers.ConfigmapResolver,
 ) ([]internal.Controller, func(context.Context) error) {
 	var ctrls []internal.Controller
 	var warmups []func(context.Context) error
@@ -219,6 +222,7 @@ func createReportControllers(
 					kyvernoV1.ClusterPolicies(),
 					kubeInformer.Core().V1().Namespaces(),
 					resourceReportController,
+					configMapResolver,
 				),
 				backgroundScanWorkers,
 			))
@@ -255,6 +259,7 @@ func createrLeaderControllers(
 	eventGenerator event.Interface,
 	certRenewer tls.CertRenewer,
 	runtime runtimeutils.Runtime,
+	configMapResolver resolvers.ConfigmapResolver,
 ) ([]internal.Controller, func(context.Context) error, error) {
 	policyCtrl, err := policy.NewPolicyController(
 		kyvernoClient,
@@ -266,6 +271,7 @@ func createrLeaderControllers(
 		configuration,
 		eventGenerator,
 		kubeInformer.Core().V1().Namespaces(),
+		configMapResolver,
 		logging.WithName("PolicyController"),
 		time.Hour,
 		metricsConfig,
@@ -329,6 +335,7 @@ func createrLeaderControllers(
 		metadataInformer,
 		kubeInformer,
 		kyvernoInformer,
+		configMapResolver,
 	)
 	return append(
 			[]internal.Controller{
@@ -504,6 +511,7 @@ func main() {
 		policyCache,
 		eventGenerator,
 		openApiManager,
+		configMapResolver,
 	)
 	// start informers and wait for cache sync
 	if !internal.StartInformersAndWaitForCacheSync(signalCtx, kyvernoInformer, kubeInformer, kubeKyvernoInformer, cacheInformer) {
@@ -561,6 +569,7 @@ func main() {
 				eventGenerator,
 				certRenewer,
 				runtime,
+				configMapResolver,
 			)
 			if err != nil {
 				logger.Error(err, "failed to create leader controllers")

pkg/background/common/context.go

@@ -11,6 +11,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	utils "github.com/kyverno/kyverno/pkg/utils"
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -20,6 +21,7 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
 	policy kyvernov1.PolicyInterface,
 	trigger *unstructured.Unstructured,
 	cfg config.Configuration,
+	informerCacheResolvers resolvers.ConfigmapResolver,
 	namespaceLabels map[string]string,
 	logger logr.Logger,
 ) (*engine.PolicyContext, bool, error) {
@@ -84,7 +86,8 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
 		WithAdmissionInfo(ur.Spec.Context.UserRequestInfo).
 		WithConfiguration(cfg).
 		WithNamespaceLabels(namespaceLabels).
-		WithClient(dclient)
+		WithClient(dclient).
+		WithInformerCacheResolver(informerCacheResolvers)
 
 	return policyContext, false, nil
 }

pkg/background/generate/generate.go

@@ -23,6 +23,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
@@ -53,6 +54,7 @@ type GenerateController struct {
 	npolicyLister kyvernov1listers.PolicyLister
 
 	configuration          config.Configuration
+	informerCacheResolvers resolvers.ConfigmapResolver
 	eventGen               event.Interface
 
 	log logr.Logger
@@ -69,6 +71,7 @@ func NewGenerateController(
 	urLister kyvernov1beta1listers.UpdateRequestNamespaceLister,
 	nsLister corev1listers.NamespaceLister,
 	dynamicConfig config.Configuration,
+	informerCacheResolvers resolvers.ConfigmapResolver,
 	eventGen event.Interface,
 	log logr.Logger,
 ) *GenerateController {
@@ -82,6 +85,7 @@ func NewGenerateController(
 		urLister:               urLister,
 		nsLister:               nsLister,
 		configuration:          dynamicConfig,
+		informerCacheResolvers: informerCacheResolvers,
 		eventGen:               eventGen,
 		log:                    log,
 	}
@@ -193,7 +197,7 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u
 		return nil, false, err
 	}
 
-	policyContext, precreatedResource, err := common.NewBackgroundContext(c.client, &ur, &policy, &resource, c.configuration, namespaceLabels, logger)
+	policyContext, precreatedResource, err := common.NewBackgroundContext(c.client, &ur, &policy, &resource, c.configuration, c.informerCacheResolvers, namespaceLabels, logger)
 	if err != nil {
 		return nil, precreatedResource, err
 	}

pkg/background/mutate/mutate.go

@@ -13,6 +13,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
+	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/registryclient"
@@ -36,6 +37,7 @@ type MutateExistingController struct {
 	npolicyLister kyvernov1listers.PolicyLister
 
 	configuration          config.Configuration
+	informerCacheResolvers resolvers.ConfigmapResolver
 	eventGen               event.Interface
 
 	log logr.Logger
@@ -49,6 +51,7 @@ func NewMutateExistingController(
 	policyLister kyvernov1listers.ClusterPolicyLister,
 	npolicyLister kyvernov1listers.PolicyLister,
 	dynamicConfig config.Configuration,
+	informerCacheResolvers resolvers.ConfigmapResolver,
 	eventGen event.Interface,
 	log logr.Logger,
 ) *MutateExistingController {
@@ -59,6 +62,7 @@ func NewMutateExistingController(
 		policyLister:           policyLister,
 		npolicyLister:          npolicyLister,
 		configuration:          dynamicConfig,
+		informerCacheResolvers: informerCacheResolvers,
 		eventGen:               eventGen,
 		log:                    log,
 	}
@@ -87,7 +91,7 @@ func (c *MutateExistingController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) e
 			continue
 		}
 
-		policyContext, _, err := common.NewBackgroundContext(c.client, ur, policy, trigger, c.configuration, nil, logger)
+		policyContext, _, err := common.NewBackgroundContext(c.client, ur, policy, trigger, c.configuration, c.informerCacheResolvers, nil, logger)
 		if err != nil {
 			logger.WithName(rule.Name).Error(err, "failed to build policy context")
 			errs = append(errs, err)

pkg/background/update_request_controller.go

@@ -18,6 +18,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	pkgCommon "github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/config"
+	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
@@ -63,6 +64,7 @@ type controller struct {
 
 	eventGen               event.Interface
 	configuration          config.Configuration
+	informerCacheResolvers resolvers.ConfigmapResolver
 }
 
 // NewController returns an instance of the Generate-Request Controller
@@ -77,6 +79,7 @@ func NewController(
 	podInformer corev1informers.PodInformer,
 	eventGen event.Interface,
 	dynamicConfig config.Configuration,
+	informerCacheResolvers resolvers.ConfigmapResolver,
 ) Controller {
 	urLister := urInformer.Lister().UpdateRequests(config.KyvernoNamespace())
 	c := controller{
@@ -91,6 +94,7 @@ func NewController(
 		queue:                  workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "update-request"),
 		eventGen:               eventGen,
 		configuration:          dynamicConfig,
+		informerCacheResolvers: informerCacheResolvers,
 	}
 	urInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc:    c.addUR,
@@ -409,10 +413,10 @@ func (c *controller) processUR(ur *kyvernov1beta1.UpdateRequest) error {
 	statusControl := common.NewStatusControl(c.kyvernoClient, c.urLister)
 	switch ur.Spec.Type {
 	case kyvernov1beta1.Mutate:
-		ctrl := mutate.NewMutateExistingController(c.client, statusControl, c.rclient, c.cpolLister, c.polLister, c.configuration, c.eventGen, logger)
+		ctrl := mutate.NewMutateExistingController(c.client, statusControl, c.rclient, c.cpolLister, c.polLister, c.configuration, c.informerCacheResolvers, c.eventGen, logger)
 		return ctrl.ProcessUR(ur)
 	case kyvernov1beta1.Generate:
-		ctrl := generate.NewGenerateController(c.client, c.kyvernoClient, statusControl, c.rclient, c.cpolLister, c.polLister, c.urLister, c.nsLister, c.configuration, c.eventGen, logger)
+		ctrl := generate.NewGenerateController(c.client, c.kyvernoClient, statusControl, c.rclient, c.cpolLister, c.polLister, c.urLister, c.nsLister, c.configuration, c.informerCacheResolvers, c.eventGen, logger)
 		return ctrl.ProcessUR(ur)
 	}
 	return nil

pkg/controllers/report/background/controller.go

@@ -15,6 +15,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/controllers"
 	"github.com/kyverno/kyverno/pkg/controllers/report/resource"
 	"github.com/kyverno/kyverno/pkg/controllers/report/utils"
+	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
@@ -58,6 +59,8 @@ type controller struct {
 
 	// cache
 	metadataCache resource.MetadataCache
+
+	informerCacheResolvers resolvers.ConfigmapResolver
 }
 
 func NewController(
@@ -69,6 +72,7 @@ func NewController(
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
 	nsInformer corev1informers.NamespaceInformer,
 	metadataCache resource.MetadataCache,
+	informerCacheResolvers resolvers.ConfigmapResolver,
 ) controllers.Controller {
 	bgscanr := metadataFactory.ForResource(kyvernov1alpha2.SchemeGroupVersion.WithResource("backgroundscanreports"))
 	cbgscanr := metadataFactory.ForResource(kyvernov1alpha2.SchemeGroupVersion.WithResource("clusterbackgroundscanreports"))
@@ -86,6 +90,7 @@ func NewController(
 		bgscanEnqueue:          controllerutils.AddDefaultEventHandlers(logger, bgscanr.Informer(), queue),
 		cbgscanEnqueue:         controllerutils.AddDefaultEventHandlers(logger, cbgscanr.Informer(), queue),
 		metadataCache:          metadataCache,
+		informerCacheResolvers: informerCacheResolvers,
 	}
 	controllerutils.AddEventHandlersT(polInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy)
 	controllerutils.AddEventHandlersT(cpolInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy)
@@ -218,7 +223,7 @@ func (c *controller) updateReport(ctx context.Context, meta metav1.Object, gvk s
 	}
 	//	if the resource changed, we need to rebuild the report
 	if !reportutils.CompareHash(meta, resource.Hash) {
-		scanner := utils.NewScanner(logger, c.client, c.rclient)
+		scanner := utils.NewScanner(logger, c.client, c.rclient, c.informerCacheResolvers)
 		before, err := c.getReport(ctx, meta.GetNamespace(), meta.GetName())
 		if err != nil {
 			return nil
@@ -307,7 +312,7 @@ func (c *controller) updateReport(ctx context.Context, meta metav1.Object, gvk s
 		}
 		// creations
 		if len(toCreate) > 0 {
-			scanner := utils.NewScanner(logger, c.client, c.rclient)
+			scanner := utils.NewScanner(logger, c.client, c.rclient, c.informerCacheResolvers)
 			resource, err := c.client.GetResource(ctx, gvk.GroupVersion().String(), gvk.Kind, resource.Namespace, resource.Name)
 			if err != nil {
 				return err

pkg/controllers/report/utils/scanner.go

@@ -8,6 +8,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/engine"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	"go.uber.org/multierr"
@@ -18,6 +19,7 @@ type scanner struct {
 	logger                 logr.Logger
 	client                 dclient.Interface
 	rclient                registryclient.Client
+	informerCacheResolvers resolvers.ConfigmapResolver
 	excludeGroupRole       []string
 }
 
@@ -30,11 +32,12 @@ type Scanner interface {
 	ScanResource(context.Context, unstructured.Unstructured, map[string]string, ...kyvernov1.PolicyInterface) map[kyvernov1.PolicyInterface]ScanResult
 }
 
-func NewScanner(logger logr.Logger, client dclient.Interface, rclient registryclient.Client, excludeGroupRole ...string) Scanner {
+func NewScanner(logger logr.Logger, client dclient.Interface, rclient registryclient.Client, informerCacheResolvers resolvers.ConfigmapResolver, excludeGroupRole ...string) Scanner {
 	return &scanner{
 		logger:                 logger,
 		client:                 client,
 		rclient:                rclient,
+		informerCacheResolvers: informerCacheResolvers,
 		excludeGroupRole:       excludeGroupRole,
 	}
 }
@@ -85,7 +88,8 @@ func (s *scanner) validateResource(ctx context.Context, resource unstructured.Un
 		WithPolicy(policy).
 		WithClient(s.client).
 		WithNamespaceLabels(nsLabels).
-		WithExcludeGroupRole(s.excludeGroupRole...)
+		WithExcludeGroupRole(s.excludeGroupRole...).
+		WithInformerCacheResolver(s.informerCacheResolvers)
 	return engine.Validate(ctx, s.rclient, policyCtx), nil
 }
 
@@ -108,7 +112,8 @@ func (s *scanner) validateImages(ctx context.Context, resource unstructured.Unst
 		WithPolicy(policy).
 		WithClient(s.client).
 		WithNamespaceLabels(nsLabels).
-		WithExcludeGroupRole(s.excludeGroupRole...)
+		WithExcludeGroupRole(s.excludeGroupRole...).
+		WithInformerCacheResolver(s.informerCacheResolvers)
 	response, _ := engine.VerifyAndPatchImages(ctx, s.rclient, policyCtx)
 	if len(response.PolicyResponse.Rules) > 0 {
 		s.logger.Info("validateImages", "policy", policy, "response", response)

pkg/policy/apply.go

@@ -13,6 +13,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/engine"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
@@ -27,6 +28,7 @@ func applyPolicy(
 	excludeGroupRole []string,
 	client dclient.Interface,
 	rclient registryclient.Client,
+	informerCacheResolvers resolvers.ConfigmapResolver,
 	namespaceLabels map[string]string,
 ) (responses []*response.EngineResponse) {
 	startTime := time.Now()
@@ -63,7 +65,7 @@ func applyPolicy(
 		logger.Error(err, "unable to set operation in context")
 	}
 
-	engineResponseMutation, err = mutation(policy, resource, logger, ctx, rclient, namespaceLabels)
+	engineResponseMutation, err = mutation(policy, resource, logger, ctx, rclient, informerCacheResolvers, namespaceLabels)
 	if err != nil {
 		logger.Error(err, "failed to process mutation rule")
 	}
@@ -73,7 +75,8 @@ func applyPolicy(
 		WithNewResource(resource).
 		WithNamespaceLabels(namespaceLabels).
 		WithClient(client).
-		WithExcludeGroupRole(excludeGroupRole...)
+		WithExcludeGroupRole(excludeGroupRole...).
+		WithInformerCacheResolver(informerCacheResolvers)
 
 	engineResponseValidation = engine.Validate(context.TODO(), rclient, policyCtx)
 	engineResponses = append(engineResponses, mergeRuleRespose(engineResponseMutation, engineResponseValidation))
@@ -87,12 +90,14 @@ func mutation(
 	log logr.Logger,
 	jsonContext enginecontext.Interface,
 	rclient registryclient.Client,
+	informerCacheResolvers resolvers.ConfigmapResolver,
 	namespaceLabels map[string]string,
 ) (*response.EngineResponse, error) {
 	policyContext := engine.NewPolicyContextWithJsonContext(jsonContext).
 		WithPolicy(policy).
 		WithNamespaceLabels(namespaceLabels).
-		WithNewResource(resource)
+		WithNewResource(resource).
+		WithInformerCacheResolver(informerCacheResolvers)
 
 	engineResponse := engine.Mutate(context.TODO(), rclient, policyContext)
 	if !engineResponse.IsSuccessful() {

pkg/policy/existing.go

@@ -81,7 +81,7 @@ func (pc *PolicyController) applyPolicy(policy kyvernov1.PolicyInterface, resour
 	}
 
 	namespaceLabels := common.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger)
-	engineResponse := applyPolicy(policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, pc.rclient, namespaceLabels)
+	engineResponse := applyPolicy(policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, pc.rclient, pc.informerCacheResolvers, namespaceLabels)
 	engineResponses = append(engineResponses, engineResponse...)
 
 	// post-processing, register the resource as processed

pkg/policy/policy_controller.go

@@ -22,6 +22,7 @@ import (
 	kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
+	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/registryclient"
@@ -77,6 +78,8 @@ type PolicyController struct {
 	// nsLister can list/get namespaces from the shared informer's store
 	nsLister corev1listers.NamespaceLister
 
+	informerCacheResolvers resolvers.ConfigmapResolver
+
 	informersSynced []cache.InformerSynced
 
 	// Resource manager, manages the mapping for already processed resource
@@ -103,6 +106,7 @@ func NewPolicyController(
 	configHandler config.Configuration,
 	eventGen event.Interface,
 	namespaces corev1informers.NamespaceInformer,
+	informerCacheResolvers resolvers.ConfigmapResolver,
 	log logr.Logger,
 	reconcilePeriod time.Duration,
 	metricsConfig metrics.MetricsConfigManager,

pkg/policy/updaterequest.go

@@ -100,7 +100,7 @@ func (pc *PolicyController) updateUR(policyKey string, policy kyvernov1.PolicyIn
 }
 
 func (pc *PolicyController) handleUpdateRequest(ur *kyvernov1beta1.UpdateRequest, triggerResource *unstructured.Unstructured, rule kyvernov1.Rule, policy kyvernov1.PolicyInterface) (skip bool, err error) {
-	policyContext, _, err := common.NewBackgroundContext(pc.client, ur, policy, triggerResource, pc.configHandler, nil, pc.log)
+	policyContext, _, err := common.NewBackgroundContext(pc.client, ur, policy, triggerResource, pc.configHandler, pc.informerCacheResolvers, nil, pc.log)
 	if err != nil {
 		return false, errors.Wrapf(err, "failed to build policy context for rule %s", rule.Name)
 	}