refactor: remove common package (#5750)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

pkg/background/common/resource.go

@@ -8,7 +8,7 @@ import (
 	logr "github.com/go-logr/logr"
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
-	"github.com/kyverno/kyverno/pkg/common"
+	retryutils "github.com/kyverno/kyverno/pkg/utils/retry"
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -41,12 +41,12 @@ func GetResource(client dclient.Interface, urSpec kyvernov1beta1.UpdateRequestSp
 
 	var resource *unstructured.Unstructured
 	var err error
-	retry := func() error {
+	retry := func(_ context.Context) error {
 		resource, err = get()
 		return err
 	}
 
-	f := common.RetryFunc(time.Second, 5*time.Second, retry, "failed to get resource", log.WithName("getResource"))
+	f := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, log.WithName("getResource"), "failed to get resource", retry)
 	if err := f(); err != nil {
 		return nil, err
 	}

pkg/background/generate/generate.go

@@ -19,7 +19,6 @@ import (
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
 	kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
-	pkgcommon "github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
@@ -30,6 +29,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kyvernoutils "github.com/kyverno/kyverno/pkg/utils"
+	engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	"golang.org/x/exp/slices"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -157,7 +157,7 @@ func (c *GenerateController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error {
 	}
 
 	// 2 - Apply the generate policy on the resource
-	namespaceLabels := pkgcommon.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), c.nsLister, logger)
+	namespaceLabels := engineutils.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), c.nsLister, logger)
 	genResources, precreatedResource, err = c.applyGenerate(*resource, *ur, namespaceLabels)
 
 	if err != nil {

pkg/background/update_request_controller.go

@@ -3,6 +3,7 @@ package background
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
@@ -16,12 +17,12 @@ import (
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
 	kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
-	pkgCommon "github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
+	"github.com/pkg/errors"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -349,7 +350,7 @@ func (c *controller) deletePolicy(obj interface{}) {
 		logger.V(4).Info("updating policy", "key", key)
 
 		// check if deleted policy is clone generate policy
-		generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(p, c.client, c.kyvernoClient, c.urLister, p.GetName(), logger)
+		generatePolicyWithClone := c.processDeletePolicyForCloneGenerateRule(p, p.GetName())
 
 		// get the generated resource name from update request
 		selector := labels.SelectorFromSet(labels.Set(map[string]string{
@@ -480,3 +481,67 @@ func (c *controller) getPolicy(key string) (kyvernov1.PolicyInterface, error) {
 	}
 	return c.polLister.Policies(namespace).Get(name)
 }
+
+func (c *controller) processDeletePolicyForCloneGenerateRule(policy kyvernov1.PolicyInterface, pName string) bool {
+	generatePolicyWithClone := false
+	for _, rule := range policy.GetSpec().Rules {
+		clone, sync := rule.GetCloneSyncForGenerate()
+		if !(clone && sync) {
+			continue
+		}
+		logger.V(4).Info("generate policy with clone, remove policy name from label of source resource")
+		generatePolicyWithClone = true
+		var retryCount int
+		for retryCount < 5 {
+			err := c.updateSourceResource(policy.GetName(), rule)
+			if err != nil {
+				logger.Error(err, "failed to update generate source resource labels")
+				if apierrors.IsConflict(err) {
+					retryCount++
+				} else {
+					break
+				}
+			}
+			break
+		}
+	}
+
+	return generatePolicyWithClone
+}
+
+func (c *controller) updateSourceResource(pName string, rule kyvernov1.Rule) error {
+	obj, err := c.client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
+	if err != nil {
+		return errors.Wrapf(err, "source resource %s/%s/%s not found", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
+	}
+
+	var update bool
+	labels := obj.GetLabels()
+	update, labels = removePolicyFromLabels(pName, labels)
+	if !update {
+		return nil
+	}
+
+	obj.SetLabels(labels)
+	_, err = c.client.UpdateResource(context.TODO(), obj.GetAPIVersion(), rule.Generation.Kind, rule.Generation.Clone.Namespace, obj, false)
+	return err
+}
+
+func removePolicyFromLabels(pName string, labels map[string]string) (bool, map[string]string) {
+	if len(labels) == 0 {
+		return false, labels
+	}
+	if labels["generate.kyverno.io/clone-policy-name"] != "" {
+		policyNames := labels["generate.kyverno.io/clone-policy-name"]
+		if strings.Contains(policyNames, pName) {
+			desiredLabels := make(map[string]string, len(labels)-1)
+			for k, v := range labels {
+				if k != "generate.kyverno.io/clone-policy-name" {
+					desiredLabels[k] = v
+				}
+			}
+			return true, desiredLabels
+		}
+	}
+	return false, labels
+}

pkg/common/common.go

@@ -1,150 +0,0 @@
-package common
-
-import (
-	"context"
-	"encoding/json"
-	"strings"
-	"time"
-
-	"github.com/go-logr/logr"
-	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
-	kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
-	"github.com/kyverno/kyverno/pkg/clients/dclient"
-	enginutils "github.com/kyverno/kyverno/pkg/engine/utils"
-	"github.com/kyverno/kyverno/pkg/logging"
-	"github.com/pkg/errors"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	corev1listers "k8s.io/client-go/listers/core/v1"
-)
-
-// Policy Reporting Types
-const (
-	PolicyViolation = "POLICYVIOLATION"
-	PolicyReport    = "POLICYREPORT"
-)
-
-// GetNamespaceSelectorsFromNamespaceLister - extract the namespacelabels when namespace lister is passed
-func GetNamespaceSelectorsFromNamespaceLister(kind, namespaceOfResource string, nsLister corev1listers.NamespaceLister, logger logr.Logger) map[string]string {
-	namespaceLabels := make(map[string]string)
-	if kind != "Namespace" && namespaceOfResource != "" {
-		namespaceObj, err := nsLister.Get(namespaceOfResource)
-		if err != nil {
-			logging.Error(err, "failed to get the namespace", "name", namespaceOfResource)
-			return namespaceLabels
-		}
-		return GetNamespaceLabels(namespaceObj, logger)
-	}
-	return namespaceLabels
-}
-
-// GetNamespaceLabels - from namespace obj
-func GetNamespaceLabels(namespaceObj *corev1.Namespace, logger logr.Logger) map[string]string {
-	namespaceObj.Kind = "Namespace"
-	namespaceRaw, err := json.Marshal(namespaceObj)
-	if err != nil {
-		logger.Error(err, "failed to marshal namespace")
-	}
-	namespaceUnstructured, err := enginutils.ConvertToUnstructured(namespaceRaw)
-	if err != nil {
-		logger.Error(err, "failed to convert object resource to unstructured format")
-	}
-	return namespaceUnstructured.GetLabels()
-}
-
-// RetryFunc allows retrying a function on error within a given timeout
-func RetryFunc(retryInterval, timeout time.Duration, run func() error, msg string, logger logr.Logger) func() error {
-	return func() error {
-		registerTimeout := time.After(timeout)
-		registerTicker := time.NewTicker(retryInterval)
-		defer registerTicker.Stop()
-		var err error
-
-	loop:
-		for {
-			select {
-			case <-registerTicker.C:
-				err = run()
-				if err != nil {
-					logger.V(3).Info(msg, "reason", err.Error())
-				} else {
-					break loop
-				}
-
-			case <-registerTimeout:
-				return errors.Wrap(err, "retry times out")
-			}
-		}
-		return nil
-	}
-}
-
-func ProcessDeletePolicyForCloneGenerateRule(policy kyvernov1.PolicyInterface, client dclient.Interface, kyvernoClient versioned.Interface, urlister kyvernov1beta1listers.UpdateRequestNamespaceLister, pName string, logger logr.Logger) bool {
-	generatePolicyWithClone := false
-	for _, rule := range policy.GetSpec().Rules {
-		clone, sync := rule.GetCloneSyncForGenerate()
-		if !(clone && sync) {
-			continue
-		}
-
-		logger.V(4).Info("generate policy with clone, remove policy name from label of source resource")
-		generatePolicyWithClone = true
-
-		var retryCount int
-		for retryCount < 5 {
-			err := updateSourceResource(policy.GetName(), rule, client, logger)
-			if err != nil {
-				logger.Error(err, "failed to update generate source resource labels")
-				if apierrors.IsConflict(err) {
-					retryCount++
-				} else {
-					break
-				}
-			}
-			break
-		}
-	}
-
-	return generatePolicyWithClone
-}
-
-func updateSourceResource(pName string, rule kyvernov1.Rule, client dclient.Interface, log logr.Logger) error {
-	obj, err := client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
-	if err != nil {
-		return errors.Wrapf(err, "source resource %s/%s/%s not found", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
-	}
-
-	var update bool
-	labels := obj.GetLabels()
-	update, labels = removePolicyFromLabels(pName, labels)
-	if !update {
-		return nil
-	}
-
-	obj.SetLabels(labels)
-	_, err = client.UpdateResource(context.TODO(), obj.GetAPIVersion(), rule.Generation.Kind, rule.Generation.Clone.Namespace, obj, false)
-	return err
-}
-
-func removePolicyFromLabels(pName string, labels map[string]string) (bool, map[string]string) {
-	if len(labels) == 0 {
-		return false, labels
-	}
-
-	if labels["generate.kyverno.io/clone-policy-name"] != "" {
-		policyNames := labels["generate.kyverno.io/clone-policy-name"]
-		if strings.Contains(policyNames, pName) {
-			desiredLabels := make(map[string]string, len(labels)-1)
-			for k, v := range labels {
-				if k != "generate.kyverno.io/clone-policy-name" {
-					desiredLabels[k] = v
-				}
-			}
-
-			return true, desiredLabels
-		}
-	}
-
-	return false, labels
-}

pkg/controllers/certmanager/controller.go

@@ -5,11 +5,11 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
-	"github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/controllers"
 	"github.com/kyverno/kyverno/pkg/tls"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
+	retryutils "github.com/kyverno/kyverno/pkg/utils/retry"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -102,10 +102,10 @@ func (c *controller) ticker(ctx context.Context, logger logr.Logger) {
 }
 
 func (c *controller) renewCertificates() error {
-	if err := common.RetryFunc(time.Second, 5*time.Second, c.renewer.RenewCA, "failed to renew CA", logger)(); err != nil {
+	if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew CA", c.renewer.RenewCA)(); err != nil {
 		return err
 	}
-	if err := common.RetryFunc(time.Second, 5*time.Second, c.renewer.RenewTLS, "failed to renew TLS", logger)(); err != nil {
+	if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew TLS", c.renewer.RenewTLS)(); err != nil {
 		return err
 	}
 	return nil

pkg/policy/existing.go

@@ -10,12 +10,12 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/autogen"
-	"github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	policyExecutionDuration "github.com/kyverno/kyverno/pkg/metrics/policyexecutionduration"
 	policyResults "github.com/kyverno/kyverno/pkg/metrics/policyresults"
+	engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -80,7 +80,7 @@ func (pc *PolicyController) applyPolicy(policy kyvernov1.PolicyInterface, resour
 		logger.V(4).Info("policy and resource already processed", "policyResourceVersion", policy.GetResourceVersion(), "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
 	}
 
-	namespaceLabels := common.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger)
+	namespaceLabels := engineutils.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger)
 	engineResponse := applyPolicy(policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, pc.rclient, pc.informerCacheResolvers, namespaceLabels)
 	engineResponses = append(engineResponses, engineResponse...)
 

pkg/tls/renewer.go

@@ -35,9 +35,9 @@ type CertValidator interface {
 
 type CertRenewer interface {
 	// RenewCA renews the CA certificate if needed
-	RenewCA() error
+	RenewCA(context.Context) error
 	// RenewTLS renews the TLS certificate if needed
-	RenewTLS() error
+	RenewTLS(context.Context) error
 }
 
 // certRenewer creates rootCA and pem pair to register
@@ -74,7 +74,7 @@ func NewCertRenewer(
 }
 
 // RenewCA renews the CA certificate if needed
-func (c *certRenewer) RenewCA() error {
+func (c *certRenewer) RenewCA(ctx context.Context) error {
 	secret, key, certs, err := c.decodeCASecret()
 	if err != nil && !apierrors.IsNotFound(err) {
 		logger.Error(err, "failed to read CA")
@@ -97,7 +97,7 @@ func (c *certRenewer) RenewCA() error {
 		return err
 	}
 	certs = append(certs, caCert)
-	if err := c.writeCASecret(caKey, certs...); err != nil {
+	if err := c.writeCASecret(ctx, caKey, certs...); err != nil {
 		logger.Error(err, "failed to write CA")
 		return err
 	}
@@ -106,7 +106,7 @@ func (c *certRenewer) RenewCA() error {
 }
 
 // RenewTLS renews the TLS certificate if needed
-func (c *certRenewer) RenewTLS() error {
+func (c *certRenewer) RenewTLS(ctx context.Context) error {
 	_, caKey, caCerts, err := c.decodeCASecret()
 	if err != nil {
 		logger.Error(err, "failed to read CA")
@@ -132,7 +132,7 @@ func (c *certRenewer) RenewTLS() error {
 		logger.Error(err, "failed to generate TLS")
 		return err
 	}
-	if err := c.writeTLSSecret(tlsKey, tlsCert); err != nil {
+	if err := c.writeTLSSecret(ctx, tlsKey, tlsCert); err != nil {
 		logger.Error(err, "failed to write TLS")
 		return err
 	}
@@ -203,7 +203,7 @@ func (c *certRenewer) decodeTLSSecret() (*corev1.Secret, *rsa.PrivateKey, *x509.
 	}
 }
 
-func (c *certRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
+func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
 	logger := logger.WithValues("name", name, "namespace", config.KyvernoNamespace())
 	secret, err := c.getSecret(name)
 	if err != nil && !apierrors.IsNotFound(err) {
@@ -228,14 +228,14 @@ func (c *certRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x5
 		corev1.TLSPrivateKeyKey: privateKeyToPem(key),
 	}
 	if secret.ResourceVersion == "" {
-		if _, err := c.client.Create(context.TODO(), secret, metav1.CreateOptions{}); err != nil {
+		if _, err := c.client.Create(ctx, secret, metav1.CreateOptions{}); err != nil {
 			logger.Error(err, "failed to update secret")
 			return err
 		} else {
 			logger.Info("secret created")
 		}
 	} else {
-		if _, err := c.client.Update(context.TODO(), secret, metav1.UpdateOptions{}); err != nil {
+		if _, err := c.client.Update(ctx, secret, metav1.UpdateOptions{}); err != nil {
 			logger.Error(err, "failed to update secret")
 			return err
 		} else {
@@ -246,11 +246,11 @@ func (c *certRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x5
 }
 
 // writeCASecret stores the CA cert in secret
-func (c *certRenewer) writeCASecret(key *rsa.PrivateKey, certs ...*x509.Certificate) error {
+func (c *certRenewer) writeCASecret(ctx context.Context, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
-	return c.writeSecret(GenerateRootCASecretName(), key, certs...)
+	return c.writeSecret(ctx, GenerateRootCASecretName(), key, certs...)
 }
 
 // writeTLSSecret Writes the pair of TLS certificate and key to the specified secret.
-func (c *certRenewer) writeTLSSecret(key *rsa.PrivateKey, cert *x509.Certificate) error {
+func (c *certRenewer) writeTLSSecret(ctx context.Context, key *rsa.PrivateKey, cert *x509.Certificate) error {
-	return c.writeSecret(GenerateTLSPairSecretName(), key, cert)
+	return c.writeSecret(ctx, GenerateTLSPairSecretName(), key, cert)
 }

pkg/utils/engine/labels.go

@@ -0,0 +1,21 @@
+package engine
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/kyverno/kyverno/pkg/logging"
+	corev1listers "k8s.io/client-go/listers/core/v1"
+)
+
+// GetNamespaceSelectorsFromNamespaceLister - extract the namespacelabels when namespace lister is passed
+func GetNamespaceSelectorsFromNamespaceLister(kind, namespaceOfResource string, nsLister corev1listers.NamespaceLister, logger logr.Logger) map[string]string {
+	namespaceLabels := make(map[string]string)
+	if kind != "Namespace" && namespaceOfResource != "" {
+		namespaceObj, err := nsLister.Get(namespaceOfResource)
+		if err != nil {
+			logging.Error(err, "failed to get the namespace", "name", namespaceOfResource)
+			return namespaceLabels
+		}
+		return namespaceObj.DeepCopy().GetLabels()
+	}
+	return namespaceLabels
+}

pkg/utils/retry/retry.go

@@ -0,0 +1,32 @@
+package retry
+
+import (
+	"context"
+	"time"
+
+	"github.com/go-logr/logr"
+	"github.com/pkg/errors"
+)
+
+// RetryFunc allows retrying a function on error within a given timeout
+func RetryFunc(ctx context.Context, retryInterval, timeout time.Duration, logger logr.Logger, msg string, run func(context.Context) error) func() error {
+	return func() error {
+		ctx, cancel := context.WithTimeout(ctx, timeout)
+		defer cancel()
+		registerTicker := time.NewTicker(retryInterval)
+		defer registerTicker.Stop()
+		var err error
+		for {
+			select {
+			case <-registerTicker.C:
+				if err = run(ctx); err != nil {
+					logger.V(3).Info(msg, "reason", err.Error())
+				} else {
+					return nil
+				}
+			case <-ctx.Done():
+				return errors.Wrap(err, "retry times out")
+			}
+		}
+	}
+}

pkg/webhooks/resource/generation/generation.go

@@ -14,7 +14,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
-	"github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/response"
@@ -22,6 +21,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/registryclient"
+	engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
 	webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
 	webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
 	admissionv1 "k8s.io/api/admission/v1"
@@ -91,7 +91,7 @@ func (h *generationHandler) Handle(
 			var rules []response.RuleResponse
 			policyContext := policyContext.WithPolicy(policy)
 			if request.Kind.Kind != "Namespace" && request.Namespace != "" {
-				policyContext = policyContext.WithNamespaceLabels(common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
+				policyContext = policyContext.WithNamespaceLabels(engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
 			}
 			engineResponse := engine.ApplyBackgroundChecks(h.rclient, policyContext)
 			for _, rule := range engineResponse.PolicyResponse.Rules {

pkg/webhooks/resource/handlers.go

@@ -12,7 +12,6 @@ import (
 	kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
 	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
-	"github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/config"
 	enginectx "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
@@ -23,6 +22,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/policycache"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
+	engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
 	jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
 	"github.com/kyverno/kyverno/pkg/webhooks"
 	"github.com/kyverno/kyverno/pkg/webhooks/resource/generation"
@@ -134,7 +134,7 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad
 
 	namespaceLabels := make(map[string]string)
 	if request.Kind.Kind != "Namespace" && request.Namespace != "" {
-		namespaceLabels = common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, logger)
+		namespaceLabels = engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, logger)
 	}
 
 	vh := validation.NewValidationHandler(logger, h.kyvernoClient, h.rclient, h.pCache, h.pcBuilder, h.eventGen, h.admissionReports, h.metricsConfig)

pkg/webhooks/resource/mutation/mutation.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	"github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/event"
@@ -156,7 +155,7 @@ func (v *mutationHandler) applyMutations(
 
 func (h *mutationHandler) applyMutation(ctx context.Context, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext) (*response.EngineResponse, [][]byte, error) {
 	if request.Kind.Kind != "Namespace" && request.Namespace != "" {
-		policyContext = policyContext.WithNamespaceLabels(common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
+		policyContext = policyContext.WithNamespaceLabels(engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
 	}
 
 	engineResponse := engine.Mutate(ctx, h.rclient, policyContext)