From 8bf704edc58e7f1405f2ff30481f93f53a348ac0 Mon Sep 17 00:00:00 2001
From: Khaled Emara <khaled.emara@nirmata.com>
Date: Thu, 10 Oct 2024 13:32:38 +0300
Subject: [PATCH] feat(cache): use shallow copy instead of deep copy (#11378)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
---
 pkg/policycache/cache.go | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go
index b9f4508739..117f721eac 100644
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@@ -3,7 +3,6 @@ package policycache
 import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/ext/wildcard"
-	"github.com/kyverno/kyverno/pkg/autogen"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -80,8 +79,12 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace
 }
 
 func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) (bool, kyvernov1.PolicyInterface) {
-	var filteredRules []kyvernov1.Rule
-	for _, rule := range autogen.ComputeRules(policy, "") {
+	filteredRules := make([]kyvernov1.Rule, 0, len(policy.GetSpec().Rules))
+
+	// Use pointer to avoid copying the rule in each iteration
+	for i := range policy.GetSpec().Rules {
+		rule := &policy.GetSpec().Rules[i]
+
 		if !rule.HasValidate() {
 			continue
 		}
@@ -89,7 +92,8 @@ func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyver
 		// if the field isn't set, use the higher level policy setting
 		validationFailureAction := rule.Validation.FailureAction
 		if validationFailureAction == nil {
-			validationFailureAction = &policy.GetSpec().ValidationFailureAction
+			policyAction := policy.GetSpec().ValidationFailureAction
+			validationFailureAction = &policyAction
 		}
 
 		validationFailureActionOverrides := rule.Validation.FailureActionOverrides
@@ -98,21 +102,29 @@ func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyver
 		}
 
 		if (ns == "" || len(validationFailureActionOverrides) == 0) && validationFailureAction.Enforce() == enforce {
-			filteredRules = append(filteredRules, rule)
+			filteredRules = append(filteredRules, *rule)
 			continue
 		}
+
 		for _, action := range validationFailureActionOverrides {
 			if action.Action.Enforce() == enforce && wildcard.CheckPatterns(action.Namespaces, ns) {
-				filteredRules = append(filteredRules, rule)
-				continue
+				filteredRules = append(filteredRules, *rule)
+				break // Changed continue to break since we found a match
 			}
 		}
 	}
+
 	if len(filteredRules) > 0 {
-		filteredPolicy := policy.CreateDeepCopy()
-		filteredPolicy.GetSpec().Rules = filteredRules
+		var filteredPolicy kyvernov1.PolicyInterface
+		if _, ok := policy.(*kyvernov1.Policy); ok {
+			shallowCopy := *policy.(*kyvernov1.Policy)
+			filteredPolicy = &shallowCopy
+		} else {
+			shallowCopy := *policy.(*kyvernov1.ClusterPolicy)
+			filteredPolicy = &shallowCopy
+		}
+		filteredPolicy.GetSpec().SetRules(filteredRules)
 		return true, filteredPolicy
 	}
-
 	return false, nil
 }