refactor: hide json context from caller (#7139)

* refactor: hide json context from caller

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* unit tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

cmd/cli/kubectl-kyverno/apply/apply_command.go

@@ -389,7 +389,6 @@ func (c *ApplyCommandConfig) applyCommandHelper() (rc *common.ResultCounts, reso
 	skipInvalidPolicies.skipped = make([]string, 0)
 	skipInvalidPolicies.invalid = make([]string, 0)
 
-	kyvernoPolicy := common.KyvernoPolicies{}
 	for _, policy := range policies {
 		_, err := policyvalidation.Validate(policy, nil, nil, true, openApiManager, config.KyvernoUserName(config.KyvernoServiceAccountName()))
 		if err != nil {
@@ -438,7 +437,7 @@ func (c *ApplyCommandConfig) applyCommandHelper() (rc *common.ResultCounts, reso
 				AuditWarn:            c.AuditWarn,
 				Subresources:         subresources,
 			}
-			ers, err := kyvernoPolicy.ApplyPolicyOnResource(applyPolicyConfig)
+			ers, err := common.ApplyPolicyOnResource(applyPolicyConfig)
 			if err != nil {
 				return rc, resources, skipInvalidPolicies, responses, sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.GetName(), resource.GetName()).Error(), err)
 			}

cmd/cli/kubectl-kyverno/test/test.go

@@ -194,7 +194,6 @@ func applyPoliciesFromPath(
 		fmt.Printf("applying %s to %s... \n", msgPolicies, msgResources)
 	}
 
-	kyvernoPolicy := common.KyvernoPolicies{}
 	for _, policy := range policies {
 		_, err := policyvalidation.Validate(policy, nil, nil, true, openApiManager, config.KyvernoUserName(config.KyvernoServiceAccountName()))
 		if err != nil {
@@ -234,7 +233,7 @@ func applyPoliciesFromPath(
 				Client:                    dClient,
 				Subresources:              subresources,
 			}
-			ers, err := kyvernoPolicy.ApplyPolicyOnResource(applyPolicyConfig)
+			ers, err := common.ApplyPolicyOnResource(applyPolicyConfig)
 			if err != nil {
 				return nil, nil, sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.GetName(), resource.GetName()).Error(), err)
 			}

cmd/cli/kubectl-kyverno/utils/common/common_test.go

@@ -96,7 +96,6 @@ func Test_NamespaceSelector(t *testing.T) {
 		},
 	}
 	rc := &ResultCounts{}
-	kyvernoPolicy := KyvernoPolicies{}
 	for _, tc := range testcases {
 		policyArray, _, _ := yamlutils.GetPolicy(tc.policy)
 		resourceArray, _ := GetResource(tc.resource)
@@ -108,7 +107,7 @@ func Test_NamespaceSelector(t *testing.T) {
 			NamespaceSelectorMap: tc.namespaceSelectorMap,
 			Rc:                   rc,
 		}
-		kyvernoPolicy.ApplyPolicyOnResource(applyPolicyConfig)
+		ApplyPolicyOnResource(applyPolicyConfig)
 		assert.Equal(t, int64(rc.Pass), int64(tc.result.Pass))
 		assert.Equal(t, int64(rc.Fail), int64(tc.result.Fail))
 		// TODO: autogen rules seem to not be present when autogen internals is disabled

cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go

@@ -12,24 +12,22 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
-	engineContext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-type KyvernoPolicies struct{}
-
-func (p *KyvernoPolicies) ApplyPolicyOnResource(c ApplyPolicyConfig) ([]engineapi.EngineResponse, error) {
+// ApplyPolicyOnResource - function to apply policy on resource
+func ApplyPolicyOnResource(c ApplyPolicyConfig) ([]engineapi.EngineResponse, error) {
 	jp := jmespath.New(config.NewDefaultConfiguration(false))
 
 	var engineResponses []engineapi.EngineResponse
 	namespaceLabels := make(map[string]string)
-	operationIsDelete := false
+	operation := kyvernov1.Create
 
 	if c.Variables["request.operation"] == "DELETE" {
-		operationIsDelete = true
+		operation = kyvernov1.Delete
 	}
 
 	policyWithNamespaceSelector := false
@@ -86,30 +84,12 @@ OuterLoop:
 	if err != nil {
 		log.Error(err, "unable to convert raw resource to unstructured")
 	}
-	ctx := engineContext.NewContext(jp)
-
-	if operationIsDelete {
-		err = engineContext.AddOldResource(ctx, resourceRaw)
-	} else {
-		err = engineContext.AddResource(ctx, resourceRaw)
-	}
 
 	if err != nil {
 		log.Error(err, "failed to load resource in context")
 	}
 
-	for key, value := range c.Variables {
-		err = ctx.AddVariable(key, value)
-		if err != nil {
-			log.Error(err, "failed to add variable to context")
-		}
-	}
-
 	cfg := config.NewDefaultConfiguration(false)
-	if err := ctx.AddImageInfos(c.Resource, cfg); err != nil {
-		log.Error(err, "failed to add image variables to context")
-	}
-
 	gvk, subresource := updatedResource.GroupVersionKind(), ""
 	// If --cluster flag is not set, then we need to find the top level resource GVK and subresource
 	if c.Client == nil {
@@ -139,13 +119,29 @@ OuterLoop:
 		store.ContextLoaderFactory(nil),
 		nil,
 	)
-	policyContext := engine.NewPolicyContextWithJsonContext(kyvernov1.Create, ctx).
+	policyContext, err := engine.NewPolicyContext(
+		jp,
+		*updatedResource,
+		operation,
+		&c.UserInfo,
+		cfg,
+	)
+	if err != nil {
+		log.Error(err, "failed to create policy context")
+	}
+
+	policyContext = policyContext.
 		WithPolicy(c.Policy).
-		WithNewResource(*updatedResource).
 		WithNamespaceLabels(namespaceLabels).
-		WithAdmissionInfo(c.UserInfo).
 		WithResourceKind(gvk, subresource)
 
+	for key, value := range c.Variables {
+		err = policyContext.JSONContext().AddVariable(key, value)
+		if err != nil {
+			log.Error(err, "failed to add variable to context")
+		}
+	}
+
 	mutateResponse := eng.Mutate(context.Background(), policyContext)
 	engineResponses = append(engineResponses, mutateResponse)
 

pkg/background/common/context.go

@@ -9,7 +9,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
-	"github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -25,20 +24,14 @@ func NewBackgroundContext(
 	jp jmespath.Interface,
 	namespaceLabels map[string]string,
 ) (*engine.PolicyContext, error) {
-	ctx := context.NewContext(jp)
 	var new, old unstructured.Unstructured
 	var err error
 
 	if ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest != nil {
-		if err := ctx.AddRequest(*ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest); err != nil {
-			return nil, fmt.Errorf("failed to load request in context: %w", err)
-		}
-
 		new, old, err = admissionutils.ExtractResources(nil, *ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest)
 		if err != nil {
 			return nil, fmt.Errorf("failed to load request in context: %w", err)
 		}
-
 		if new.Object != nil {
 			if !check(&new, trigger) {
 				err := fmt.Errorf("resources don't match")
@@ -46,46 +39,46 @@ func NewBackgroundContext(
 			}
 		}
 	}
-
 	if trigger == nil {
 		trigger = &old
 	}
-
 	if trigger == nil {
 		return nil, fmt.Errorf("trigger resource does not exist")
 	}
 
-	err = ctx.AddResource(trigger.Object)
+	var policyContext *engine.PolicyContext
+	if ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest == nil {
+		policyContext, err = engine.NewPolicyContext(
+			jp,
+			*trigger,
+			kyvernov1.AdmissionOperation(ur.Spec.Context.AdmissionRequestInfo.Operation),
+			&ur.Spec.Context.UserRequestInfo,
+			cfg,
+		)
+	} else {
+		policyContext, err = engine.NewPolicyContextFromAdmissionRequest(
+			jp,
+			*ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest,
+			ur.Spec.Context.UserRequestInfo,
+			trigger.GroupVersionKind(),
+			cfg,
+		)
+	}
 	if err != nil {
-		return nil, fmt.Errorf("failed to load resource in context: %w", err)
+		return nil, err
 	}
-
-	err = ctx.AddOldResource(old.Object)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load resource in context: %w", err)
-	}
-
-	err = ctx.AddUserInfo(ur.Spec.Context.UserRequestInfo)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load SA in context: %w", err)
-	}
-
-	err = ctx.AddServiceAccount(ur.Spec.Context.UserRequestInfo.AdmissionUserInfo.Username)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load UserInfo in context: %w", err)
-	}
-
-	if err := ctx.AddImageInfos(trigger, cfg); err != nil {
-		logger.Error(err, "unable to add image info to variables context")
-	}
-
-	policyContext := engine.NewPolicyContextWithJsonContext(kyvernov1.AdmissionOperation(ur.Spec.Context.AdmissionRequestInfo.Operation), ctx).
+	policyContext = policyContext.
 		WithPolicy(policy).
 		WithNewResource(*trigger).
 		WithOldResource(old).
-		WithAdmissionInfo(ur.Spec.Context.UserRequestInfo).
-		WithNamespaceLabels(namespaceLabels)
-
+		WithNamespaceLabels(namespaceLabels).
+		WithAdmissionOperation(false)
+	if err = policyContext.JSONContext().AddResource(trigger.Object); err != nil {
+		return nil, fmt.Errorf("failed to load resource in context: %w", err)
+	}
+	if err = policyContext.JSONContext().AddOldResource(old.Object); err != nil {
+		return nil, fmt.Errorf("failed to load resource in context: %w", err)
+	}
 	return policyContext, nil
 }
 

pkg/controllers/report/utils/scanner.go

@@ -8,7 +8,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
-	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"go.uber.org/multierr"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -72,20 +71,11 @@ func (s *scanner) ScanResource(ctx context.Context, resource unstructured.Unstru
 }
 
 func (s *scanner) validateResource(ctx context.Context, resource unstructured.Unstructured, nsLabels map[string]string, policy kyvernov1.PolicyInterface) (*engineapi.EngineResponse, error) {
-	enginectx := enginecontext.NewContext(s.jp)
-	if err := enginectx.AddResource(resource.Object); err != nil {
+	policyCtx, err := engine.NewPolicyContext(s.jp, resource, kyvernov1.Create, nil, s.config)
+	if err != nil {
 		return nil, err
 	}
-	if err := enginectx.AddNamespace(resource.GetNamespace()); err != nil {
-		return nil, err
-	}
-	if err := enginectx.AddImageInfos(&resource, s.config); err != nil {
-		return nil, err
-	}
-	if err := enginectx.AddOperation("CREATE"); err != nil {
-		return nil, err
-	}
-	policyCtx := engine.NewPolicyContextWithJsonContext(kyvernov1.Create, enginectx).
+	policyCtx = policyCtx.
 		WithNewResource(resource).
 		WithPolicy(policy).
 		WithNamespaceLabels(nsLabels)
@@ -94,20 +84,11 @@ func (s *scanner) validateResource(ctx context.Context, resource unstructured.Un
 }
 
 func (s *scanner) validateImages(ctx context.Context, resource unstructured.Unstructured, nsLabels map[string]string, policy kyvernov1.PolicyInterface) (*engineapi.EngineResponse, error) {
-	enginectx := enginecontext.NewContext(s.jp)
-	if err := enginectx.AddResource(resource.Object); err != nil {
+	policyCtx, err := engine.NewPolicyContext(s.jp, resource, kyvernov1.Create, nil, s.config)
+	if err != nil {
 		return nil, err
 	}
-	if err := enginectx.AddNamespace(resource.GetNamespace()); err != nil {
-		return nil, err
-	}
-	if err := enginectx.AddImageInfos(&resource, s.config); err != nil {
-		return nil, err
-	}
-	if err := enginectx.AddOperation("CREATE"); err != nil {
-		return nil, err
-	}
-	policyCtx := engine.NewPolicyContextWithJsonContext(kyvernov1.Create, enginectx).
+	policyCtx = policyCtx.
 		WithNewResource(resource).
 		WithPolicy(policy).
 		WithNamespaceLabels(nsLabels)

pkg/engine/handlers/validation/validate_manifest_test.go

@@ -788,11 +788,16 @@ func buildContext(t *testing.T, policy, resource string, oldResource string) eng
 	resourceUnstructured, err := kubeutils.BytesToUnstructured([]byte(resource))
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, []byte(resource))
+	policyContext, err := policycontext.NewPolicyContext(
+		jp,
+		*resourceUnstructured,
+		kyvernov1.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
 
-	policyContext := policycontext.NewPolicyContextWithJsonContext(kyvernov1.Create, ctx).
+	policyContext = policyContext.
 		WithPolicy(&cpol).
 		WithNewResource(*resourceUnstructured)
 
@@ -800,16 +805,11 @@ func buildContext(t *testing.T, policy, resource string, oldResource string) eng
 		oldResourceUnstructured, err := kubeutils.BytesToUnstructured([]byte(oldResource))
 		assert.NilError(t, err)
 
-		err = enginecontext.AddOldResource(ctx, []byte(oldResource))
+		err = enginecontext.AddOldResource(policyContext.JSONContext(), []byte(oldResource))
 		assert.NilError(t, err)
 
 		policyContext = policyContext.WithOldResource(*oldResourceUnstructured)
 	}
 
-	if err := ctx.AddImageInfos(resourceUnstructured, cfg); err != nil {
-		t.Errorf("unable to add image info to variables context: %v", err)
-		t.Fail()
-	}
-
 	return policyContext
 }

pkg/engine/image_verify_test.go

@@ -221,11 +221,16 @@ func buildContext(t *testing.T, policy, resource string, oldResource string) *Po
 	resourceUnstructured, err := kubeutils.BytesToUnstructured([]byte(resource))
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, []byte(resource))
+	policyContext, err := policycontext.NewPolicyContext(
+		jp,
+		*resourceUnstructured,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
 
-	policyContext := policycontext.NewPolicyContextWithJsonContext(kyverno.Create, ctx).
+	policyContext = policyContext.
 		WithPolicy(&cpol).
 		WithNewResource(*resourceUnstructured)
 
@@ -233,17 +238,12 @@ func buildContext(t *testing.T, policy, resource string, oldResource string) *Po
 		oldResourceUnstructured, err := kubeutils.BytesToUnstructured([]byte(oldResource))
 		assert.NilError(t, err)
 
-		err = enginecontext.AddOldResource(ctx, []byte(oldResource))
+		err = enginecontext.AddOldResource(policyContext.JSONContext(), []byte(oldResource))
 		assert.NilError(t, err)
 
 		policyContext = policyContext.WithOldResource(*oldResourceUnstructured)
 	}
 
-	if err := ctx.AddImageInfos(resourceUnstructured, cfg); err != nil {
-		t.Errorf("unable to add image info to variables context: %v", err)
-		t.Fail()
-	}
-
 	return policyContext
 }
 

pkg/engine/mutation_test.go

@@ -11,7 +11,6 @@ import (
 	client "github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
-	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	enginetest "github.com/kyverno/kyverno/pkg/engine/test"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
@@ -105,21 +104,16 @@ func Test_VariableSubstitutionPatchStrategicMerge(t *testing.T) {
 	}
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	if err != nil {
-		t.Error(err)
-	}
-	value, err := ctx.Query("request.object.metadata.name")
 
-	t.Log(value)
-	if err != nil {
-		t.Error(err)
-	}
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resourceUnstructured)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resourceUnstructured,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
+	assert.NilError(t, err)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
 	t.Log(string(expectedPatch))
@@ -186,13 +180,15 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resourceUnstructured,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resourceUnstructured)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
 	assert.Equal(t, len(er.PolicyResponse.Rules), 1)
@@ -263,13 +259,15 @@ func Test_variableSubstitutionCLI(t *testing.T) {
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resourceUnstructured,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resourceUnstructured)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(
 		context.TODO(),
@@ -383,16 +381,15 @@ func Test_chained_rules(t *testing.T) {
 	resource, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = ctx.AddResource(resource.Object)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resource)
-
-	err = ctx.AddImageInfos(resource, cfg)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resource,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
 	containers, _, err := unstructured.NestedSlice(er.PatchedResource.Object, "spec", "containers")
@@ -471,13 +468,15 @@ func Test_precondition(t *testing.T) {
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resourceUnstructured,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resourceUnstructured)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, enginetest.ContextLoaderFactory(nil, nil))
 	t.Log(string(expectedPatch))
@@ -565,13 +564,15 @@ func Test_nonZeroIndexNumberPatchesJson6902(t *testing.T) {
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resourceUnstructured,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resourceUnstructured)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, enginetest.ContextLoaderFactory(nil, nil))
 	t.Log(string(expectedPatch))
@@ -651,16 +652,15 @@ func Test_foreach(t *testing.T) {
 	resource, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = ctx.AddResource(resource.Object)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resource)
-
-	err = ctx.AddImageInfos(resource, cfg)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resource,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
 
@@ -753,16 +753,15 @@ func Test_foreach_element_mutation(t *testing.T) {
 	resource, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = ctx.AddResource(resource.Object)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resource)
-
-	err = ctx.AddImageInfos(resource, cfg)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resource,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
 
@@ -874,16 +873,15 @@ func Test_Container_InitContainer_foreach(t *testing.T) {
 	resource, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = ctx.AddResource(resource.Object)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resource)
-
-	err = ctx.AddImageInfos(resource, cfg)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resource,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
 
@@ -1019,16 +1017,15 @@ func testApplyPolicyToResource(t *testing.T, policyRaw, resourceRaw []byte) engi
 	resource, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = ctx.AddResource(resource.Object)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resource)
-
-	err = ctx.AddImageInfos(resource, cfg)
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resource,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
 	return er
@@ -1557,10 +1554,6 @@ func Test_mutate_existing_resources(t *testing.T) {
 			target, err := kubeutils.BytesToUnstructured(target)
 			assert.NilError(t, err)
 
-			ctx := enginecontext.NewContext(jp)
-			err = ctx.AddResource(trigger.Object)
-			assert.NilError(t, err)
-
 			gvrToListKind := map[schema.GroupVersionResource]string{
 				{Group: target.GroupVersionKind().Group, Version: target.GroupVersionKind().Version, Resource: target.GroupVersionKind().Kind}: test.targetList,
 			}
@@ -1574,9 +1567,15 @@ func Test_mutate_existing_resources(t *testing.T) {
 			_, err = dclient.GetResource(context.TODO(), target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName())
 			assert.NilError(t, err)
 
-			policyContext = NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-				WithPolicy(&policy).
-				WithNewResource(*trigger)
+			policyContext, err = NewPolicyContext(
+				jp,
+				*trigger,
+				kyverno.Create,
+				nil,
+				cfg,
+			)
+			assert.NilError(t, err)
+			policyContext = policyContext.WithPolicy(&policy)
 
 			er := testMutate(context.TODO(), dclient, registryclient.NewOrDie(), policyContext, nil)
 
@@ -1672,18 +1671,16 @@ func Test_RuleSelectorMutate(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	if err != nil {
-		t.Error(err)
-	}
 
-	_, err = ctx.Query("request.object.metadata.name")
+	policyContext, err := NewPolicyContext(
+		jp,
+		*resourceUnstructured,
+		kyverno.Create,
+		nil,
+		cfg,
+	)
 	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resourceUnstructured)
+	policyContext = policyContext.WithPolicy(&policy)
 
 	er := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil)
 	assert.Equal(t, len(er.PolicyResponse.Rules), 2)
@@ -2052,17 +2049,16 @@ func Test_SpecialCharacters(t *testing.T) {
 				t.Fatalf("ConvertToUnstructured() error = %v", err)
 			}
 
-			// Create JSON context and add the resource.
-			ctx := enginecontext.NewContext(jp)
-			err = ctx.AddResource(resource.Object)
-			if err != nil {
-				t.Fatalf("ctx.AddResource() error = %v", err)
-			}
-
 			// Create policy context.
-			policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-				WithPolicy(&policy).
-				WithNewResource(*resource)
+			policyContext, err := NewPolicyContext(
+				jp,
+				*resource,
+				kyverno.Create,
+				nil,
+				cfg,
+			)
+			assert.NilError(t, err)
+			policyContext = policyContext.WithPolicy(&policy)
 
 			// Mutate and make sure that we got the expected amount of rules.
 			patches := testMutate(context.TODO(), nil, registryclient.NewOrDie(), policyContext, nil).GetPatches()

pkg/engine/policy_context.go

@@ -8,7 +8,6 @@ import (
 type PolicyContext = policycontext.PolicyContext
 
 var (
-	NewPolicyContextWithJsonContext      = policycontext.NewPolicyContextWithJsonContext
 	NewPolicyContext                     = policycontext.NewPolicyContext
 	NewPolicyContextFromAdmissionRequest = policycontext.NewPolicyContextFromAdmissionRequest
 )

pkg/engine/policycontext/policy_context.go

@@ -166,7 +166,7 @@ func (c *PolicyContext) WithResources(newResource unstructured.Unstructured, old
 	return c.WithNewResource(newResource).WithOldResource(oldResource)
 }
 
-func (c *PolicyContext) withAdmissionOperation(admissionOperation bool) *PolicyContext {
+func (c *PolicyContext) WithAdmissionOperation(admissionOperation bool) *PolicyContext {
 	copy := c.copy()
 	copy.admissionOperation = admissionOperation
 	return copy
@@ -178,15 +178,51 @@ func (c PolicyContext) copy() *PolicyContext {
 
 // Constructors
 
-func NewPolicyContextWithJsonContext(operation kyvernov1.AdmissionOperation, jsonContext enginectx.Interface) *PolicyContext {
+func newPolicyContextWithJsonContext(operation kyvernov1.AdmissionOperation, jsonContext enginectx.Interface) *PolicyContext {
 	return &PolicyContext{
 		operation:   operation,
 		jsonContext: jsonContext,
 	}
 }
 
-func NewPolicyContext(jp jmespath.Interface, operation kyvernov1.AdmissionOperation) *PolicyContext {
-	return NewPolicyContextWithJsonContext(operation, enginectx.NewContext(jp))
+func NewPolicyContext(
+	jp jmespath.Interface,
+	resource unstructured.Unstructured,
+	operation kyvernov1.AdmissionOperation,
+	admissionInfo *kyvernov1beta1.RequestInfo,
+	configuration config.Configuration,
+) (*PolicyContext, error) {
+	enginectx := enginectx.NewContext(jp)
+	if err := enginectx.AddResource(resource.Object); err != nil {
+		return nil, err
+	}
+	if err := enginectx.AddNamespace(resource.GetNamespace()); err != nil {
+		return nil, err
+	}
+	if err := enginectx.AddImageInfos(&resource, configuration); err != nil {
+		return nil, err
+	}
+	if admissionInfo != nil {
+		if err := enginectx.AddUserInfo(*admissionInfo); err != nil {
+			return nil, err
+		}
+		if err := enginectx.AddServiceAccount(admissionInfo.AdmissionUserInfo.Username); err != nil {
+			return nil, err
+		}
+	}
+	if err := enginectx.AddOperation(string(operation)); err != nil {
+		return nil, err
+	}
+	policyContext := newPolicyContextWithJsonContext(operation, enginectx)
+	if operation != kyvernov1.Delete {
+		policyContext = policyContext.WithNewResource(resource)
+	} else {
+		policyContext = policyContext.WithOldResource(resource)
+	}
+	if admissionInfo != nil {
+		policyContext = policyContext.WithAdmissionInfo(*admissionInfo)
+	}
+	return policyContext, nil
 }
 
 func NewPolicyContextFromAdmissionRequest(
@@ -207,11 +243,11 @@ func NewPolicyContextFromAdmissionRequest(
 	if err := ctx.AddImageInfos(&newResource, configuration); err != nil {
 		return nil, fmt.Errorf("failed to add image information to the policy rule context: %w", err)
 	}
-	policyContext := NewPolicyContextWithJsonContext(kyvernov1.AdmissionOperation(request.Operation), ctx).
+	policyContext := newPolicyContextWithJsonContext(kyvernov1.AdmissionOperation(request.Operation), ctx).
 		WithNewResource(newResource).
 		WithOldResource(oldResource).
 		WithAdmissionInfo(admissionInfo).
-		withAdmissionOperation(true).
+		WithAdmissionOperation(true).
 		WithResourceKind(gvk, request.SubResource).
 		WithRequestResource(request.Resource)
 	return policyContext, nil

pkg/engine/validation_test.go

@@ -7,16 +7,18 @@ import (
 	"testing"
 
 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	urkyverno "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/config"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
-	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	enginetest "github.com/kyverno/kyverno/pkg/engine/test"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	"gotest.tools/assert"
 	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 func testValidate(
@@ -44,6 +46,18 @@ func testValidate(
 	)
 }
 
+func newPolicyContext(
+	t *testing.T,
+	resource unstructured.Unstructured,
+	operation kyvernov1.AdmissionOperation,
+	admissionInfo *kyvernov1beta1.RequestInfo,
+) *PolicyContext {
+	t.Helper()
+	p, err := NewPolicyContext(jp, resource, operation, admissionInfo, cfg)
+	assert.NilError(t, err)
+	return p
+}
+
 func TestValidate_image_tag_fail(t *testing.T) {
 	// If image tag is latest then imagepull policy needs to be checked
 	rawPolicy := []byte(`{
@@ -137,7 +151,7 @@ func TestValidate_image_tag_fail(t *testing.T) {
 		"validation error: imagePullPolicy 'Always' required with tag 'latest'. rule validate-latest failed at path /spec/containers/0/imagePullPolicy/",
 	}
 
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message(), msgs[index])
 	}
@@ -237,7 +251,7 @@ func TestValidate_image_tag_pass(t *testing.T) {
 		"validation rule 'validate-tag' passed.",
 		"validation rule 'validate-latest' passed.",
 	}
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message(), msgs[index])
 	}
@@ -311,7 +325,7 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	assert.Assert(t, !er.IsSuccessful())
 
 	msgs := []string{"validation error: A namespace is required. rule check-default-namespace[0] failed at path /metadata/namespace/ rule check-default-namespace[1] failed at path /metadata/namespace/"}
@@ -394,7 +408,7 @@ func TestValidate_host_network_port(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation error: Host network and port are not allowed. rule validate-host-network-port failed at path /spec/containers/0/ports/0/hostPort/"}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -484,7 +498,7 @@ func TestValidate_anchor_arraymap_pass(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation rule 'validate-host-path' passed."}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -572,7 +586,7 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) {
 	assert.NilError(t, err)
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation error: Host path '/var/lib/' is not allowed. rule validate-host-path failed at path /spec/volumes/0/hostPath/path/"}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -642,7 +656,7 @@ func TestValidate_anchor_map_notfound(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation rule 'pod rule 2' passed."}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -715,7 +729,7 @@ func TestValidate_anchor_map_found_valid(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation rule 'pod rule 2' passed."}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -789,7 +803,7 @@ func TestValidate_inequality_List_Processing(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation rule 'pod rule 2' passed."}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -869,7 +883,7 @@ func TestValidate_inequality_List_ProcessingBrackets(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation rule 'pod rule 2' passed."}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -943,7 +957,7 @@ func TestValidate_anchor_map_found_invalid(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation error: pod: validate run as non root user. rule pod rule 2 failed at path /spec/securityContext/runAsNonRoot/"}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -1018,7 +1032,7 @@ func TestValidate_AnchorList_pass(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation rule 'pod image rule' passed."}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -1093,7 +1107,7 @@ func TestValidate_AnchorList_fail(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	assert.Assert(t, !er.IsSuccessful())
 }
 
@@ -1163,7 +1177,7 @@ func TestValidate_existenceAnchor_fail(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	assert.Assert(t, !er.IsSuccessful())
 }
 
@@ -1233,7 +1247,7 @@ func TestValidate_existenceAnchor_pass(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation rule 'pod image rule' passed."}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -1321,7 +1335,7 @@ func TestValidate_negationAnchor_deny(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation error: Host path is not allowed. rule validate-host-path failed at path /spec/volumes/0/hostPath/"}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -1408,7 +1422,7 @@ func TestValidate_negationAnchor_pass(t *testing.T) {
 
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
 	assert.NilError(t, err)
-	er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 	msgs := []string{"validation rule 'validate-host-path' passed."}
 
 	for index, r := range er.PolicyResponse.Rules {
@@ -1476,11 +1490,7 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) {
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
+	policyContext := newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy)
 	er := testValidate(context.TODO(), registryclient.NewOrDie(), policyContext, cfg, nil)
 
 	assert.Equal(t, len(er.PolicyResponse.Rules), 1)
@@ -1566,11 +1576,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfiesButSu
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
+	policyContext := newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy)
 	er := testValidate(context.TODO(), registryclient.NewOrDie(), policyContext, cfg, nil)
 
 	assert.Equal(t, len(er.PolicyResponse.Rules), 1)
@@ -1624,11 +1630,7 @@ func Test_VariableSubstitution_NotOperatorWithStringVariable(t *testing.T) {
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
+	policyContext := newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy)
 	er := testValidate(context.TODO(), registryclient.NewOrDie(), policyContext, cfg, nil)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Status(), engineapi.RuleStatusFail)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Message(), "validation error: rule not-operator-with-variable-should-alway-fail-validation failed at path /spec/content/")
@@ -1712,11 +1714,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
+	policyContext := newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy)
 	er := testValidate(context.TODO(), registryclient.NewOrDie(), policyContext, cfg, nil)
 
 	assert.Equal(t, len(er.PolicyResponse.Rules), 1)
@@ -1802,11 +1800,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
+	policyContext := newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy)
 	er := testValidate(context.TODO(), registryclient.NewOrDie(), policyContext, cfg, nil)
 
 	assert.Equal(t, er.PolicyResponse.Rules[0].Status(), engineapi.RuleStatusFail)
@@ -1904,11 +1898,7 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing.
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
-
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
+	policyContext := newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy)
 	er := testValidate(context.TODO(), registryclient.NewOrDie(), policyContext, cfg, nil)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Status(), engineapi.RuleStatusFail)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Message(), "The animal cow is not in the allowed list of animals.")
@@ -1954,11 +1944,7 @@ func Test_Flux_Kustomization_PathNotPresent(t *testing.T) {
 		resourceUnstructured, err := kubeutils.BytesToUnstructured(test.resourceRaw)
 		assert.NilError(t, err)
 
-		ctx := enginecontext.NewContext(jp)
-		err = enginecontext.AddResource(ctx, test.resourceRaw)
-		assert.NilError(t, err)
-
-		policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
+		policyContext := newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy)
 		er := testValidate(context.TODO(), registryclient.NewOrDie(), policyContext, cfg, nil)
 
 		for i, rule := range er.PolicyResponse.Rules {
@@ -2096,32 +2082,14 @@ func executeTest(t *testing.T, test testCase) {
 		t.Fatal(err)
 	}
 
-	ctx := enginecontext.NewContext(jp)
-	err = ctx.AddRequest(request)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = ctx.AddUserInfo(userInfo)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = ctx.AddServiceAccount(userInfo.AdmissionUserInfo.Username)
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	newR, oldR, err := admissionutils.ExtractResources(nil, request)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	pc := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
+	pc := newPolicyContext(t, newR, kyvernov1.AdmissionOperation(request.Operation), &userInfo).
 		WithPolicy(&policy).
-		WithNewResource(newR).
-		WithOldResource(oldR).
-		WithAdmissionInfo(userInfo)
+		WithOldResource(oldR)
 
 	resp := testValidate(context.TODO(), registryclient.NewOrDie(), pc, cfg, nil)
 	if resp.IsSuccessful() && test.requestDenied {
@@ -2206,7 +2174,7 @@ func TestValidate_context_variable_substitution_CLI(t *testing.T) {
 	er := testValidate(
 		context.TODO(),
 		registryclient.NewOrDie(),
-		NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured),
+		newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy),
 		cfg,
 		enginetest.ContextLoaderFactory(
 			nil,
@@ -2304,17 +2272,12 @@ func Test_EmptyStringInDenyCondition(t *testing.T) {
 	err := json.Unmarshal(policyRaw, &policy)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
-
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
 	er := testValidate(context.TODO(), registryclient.NewOrDie(),
-		NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-			WithPolicy(&policy).
-			WithNewResource(*resourceUnstructured),
+		newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).
+			WithPolicy(&policy),
 		cfg, nil)
 	assert.Assert(t, !er.IsSuccessful())
 }
@@ -2397,17 +2360,12 @@ func Test_StringInDenyCondition(t *testing.T) {
 	err := json.Unmarshal(policyRaw, &policy)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
-
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
 	er := testValidate(context.TODO(), registryclient.NewOrDie(),
-		NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-			WithPolicy(&policy).
-			WithNewResource(*resourceUnstructured),
+		newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).
+			WithPolicy(&policy),
 		cfg, nil)
 	assert.Assert(t, er.IsSuccessful())
 }
@@ -3080,13 +3038,9 @@ func testForEach(t *testing.T, policyraw []byte, resourceRaw []byte, msg string,
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
+	policyContext := newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).
+		WithPolicy(&policy)
 
-	policyContext := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resourceUnstructured)
 	er := testValidate(context.TODO(), registryclient.NewOrDie(), policyContext, cfg, contextLoader)
 
 	assert.Equal(t, er.PolicyResponse.Rules[0].Status(), status)
@@ -3142,21 +3096,15 @@ func Test_delete_ignore_pattern(t *testing.T) {
 	resourceUnstructured, err := kubeutils.BytesToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
-	ctx := enginecontext.NewContext(jp)
-	err = enginecontext.AddResource(ctx, resourceRaw)
-	assert.NilError(t, err)
-
-	policyContextCreate := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithNewResource(*resourceUnstructured)
+	policyContextCreate := newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).
+		WithPolicy(&policy)
 
 	engineResponseCreate := testValidate(context.TODO(), registryclient.NewOrDie(), policyContextCreate, cfg, nil)
 	assert.Equal(t, len(engineResponseCreate.PolicyResponse.Rules), 1)
 	assert.Equal(t, engineResponseCreate.PolicyResponse.Rules[0].Status(), engineapi.RuleStatusFail)
 
-	policyContextDelete := NewPolicyContextWithJsonContext(kyverno.Create, ctx).
-		WithPolicy(&policy).
-		WithOldResource(*resourceUnstructured)
+	policyContextDelete := newPolicyContext(t, *resourceUnstructured, kyverno.Delete, nil).
+		WithPolicy(&policy)
 
 	engineResponseDelete := testValidate(context.TODO(), registryclient.NewOrDie(), policyContextDelete, cfg, nil)
 	assert.Equal(t, len(engineResponseDelete.PolicyResponse.Rules), 0)
@@ -3217,7 +3165,7 @@ func Test_ValidatePattern_anyPattern(t *testing.T) {
 			resourceUnstructured, err := kubeutils.BytesToUnstructured(tc.rawResource)
 			assert.NilError(t, err)
 
-			er := testValidate(context.TODO(), registryclient.NewOrDie(), NewPolicyContextWithJsonContext(kyverno.Create, enginecontext.NewContext(jp)).WithPolicy(&policy).WithNewResource(*resourceUnstructured), cfg, nil)
+			er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyverno.Create, nil).WithPolicy(&policy), cfg, nil)
 			if tc.expectedFailed {
 				assert.Assert(t, er.IsFailed())
 			} else if tc.expectedSkipped {

pkg/webhooks/resource/validation_test.go

@@ -1068,7 +1068,16 @@ func TestValidate_failure_action_overrides(t *testing.T) {
 			resourceUnstructured, err := kubeutils.BytesToUnstructured(tc.rawResource)
 			assert.NilError(t, err)
 
-			ctx := engine.NewPolicyContext(jp, kyvernov1.Create).WithPolicy(&policy).WithNewResource(*resourceUnstructured).WithNamespaceLabels(tc.rawResourceNamespaceLabels)
+			ctx, err := engine.NewPolicyContext(
+				jp,
+				*resourceUnstructured,
+				kyvernov1.Create,
+				nil,
+				cfg,
+			)
+			assert.NilError(t, err)
+
+			ctx = ctx.WithPolicy(&policy).WithNamespaceLabels(tc.rawResourceNamespaceLabels)
 			er := eng.Validate(
 				context.TODO(),
 				ctx,
@@ -1132,7 +1141,16 @@ func Test_RuleSelector(t *testing.T) {
 
 	cfg := config.NewDefaultConfiguration(false)
 	jp := jmespath.New(cfg)
-	ctx := engine.NewPolicyContext(jp, kyvernov1.Create).WithPolicy(&policy).WithNewResource(*resourceUnstructured)
+	ctx, err := engine.NewPolicyContext(
+		jp,
+		*resourceUnstructured,
+		kyvernov1.Create,
+		nil,
+		cfg,
+	)
+	assert.NilError(t, err)
+
+	ctx = ctx.WithPolicy(&policy)
 
 	eng := engine.NewEngine(
 		cfg,