Remove resourceCache from engine (#3013)

* update log messages Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove resourceCache from the background controller when: - register resource scope - list resources per namespace Signed-off-by: ShutingZhao <shuting@nirmata.com> * - use client call for configmap lookup; - remove resourceCache from policy controller, webhook server and generate controller Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-03-05 15:37:19 +00:00 · 2022-01-18 20:59:35 +08:00 · 2022-01-18 20:59:35 +08:00 · b6447e0649
commit b6447e0649
parent 8ea7a62cad
17 changed files with 32 additions and 127 deletions
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -312,7 +312,6 @@ func main() {
 		prgen,
 		kubeInformer.Core().V1().Namespaces(),
 		log.Log.WithName("PolicyController"),
 		rCache,
 		policyControllerResyncPeriod,
 		promConfig,
 	)
@ -337,7 +336,6 @@ func main() {
 		kubedynamicInformer,
 		log.Log.WithName("GenerateController"),
 		configData,
 		rCache,
 	)
 	if err != nil {
 		setupLog.Error(err, "Failed to create generate controller")
@ -375,7 +373,6 @@ func main() {
 		kubeInformer.Core().V1().Namespaces(),
 		log.Log.WithName("ValidateAuditHandler"),
 		configData,
 		rCache,
 		client,
 		promConfig,
 	)
@ -471,7 +468,6 @@ func main() {
 		cleanUp,
 		log.Log.WithName("WebhookServer"),
 		openAPIController,
 		rCache,
 		grc,
 		promConfig,
 	)
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@ -70,7 +70,6 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR
 	oldResource := policyContext.OldResource
 	admissionInfo := policyContext.AdmissionInfo
 	ctx := policyContext.JSONContext
 	resCache := policyContext.ResourceCache
 	excludeGroupRole := policyContext.ExcludeGroupRole
 	namespaceLabels := policyContext.NamespaceLabels
@ -98,7 +97,7 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR
 	policyContext.JSONContext.Checkpoint()
 	defer policyContext.JSONContext.Restore()
-	if err = LoadContext(logger, rule.Context, resCache, policyContext, rule.Name); err != nil {
+	if err = LoadContext(logger, rule.Context, policyContext, rule.Name); err != nil {
 		logger.V(4).Info("cannot add external data to the context", "reason", err.Error())
 		return nil
 	}
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@ -60,7 +60,7 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe
 		policyContext.JSONContext.Restore()
-		if err := LoadContext(logger, rule.Context, policyContext.ResourceCache, policyContext, rule.Name); err != nil {
+		if err := LoadContext(logger, rule.Context, policyContext, rule.Name); err != nil {
 			appendError(resp, rule, fmt.Sprintf("failed to load context: %s", err.Error()), response.RuleStatusError)
 			continue
 		}
--- a/pkg/engine/jsonContext.go
+++ b/pkg/engine/jsonContext.go
@ -2,7 +2,6 @@ package engine
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"strings"
@ -11,17 +10,14 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
 	pkgcommon "github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/engine/context"
 	jmespath "github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	"github.com/kyverno/kyverno/pkg/kyverno/store"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	"github.com/kyverno/kyverno/pkg/resourcecache"
 	"k8s.io/client-go/dynamic/dynamiclister"
 )
 // LoadContext - Fetches and adds external data to the Context.
-func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, resCache resourcecache.ResourceCache, ctx *PolicyContext, ruleName string) error {
+func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, ctx *PolicyContext, ruleName string) error {
 	if len(contextEntries) == 0 {
 		return nil
 	}
@ -49,18 +45,9 @@ func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, resC
 			}
 		}
 	} else {
 		// get GVR Cache for "configmaps"
 		// can get cache for other resources if the informers are enabled in resource cache
 		gvrC, ok := resCache.GetGVRCache("ConfigMap")
 		if !ok {
 			return errors.New("configmaps GVR Cache not found")
 		}
 		lister := gvrC.Lister()
 		for _, entry := range contextEntries {
 			if entry.ConfigMap != nil {
-				if err := loadConfigMap(logger, entry, lister, ctx.JSONContext); err != nil {
+				if err := loadConfigMap(logger, entry, ctx); err != nil {
 					return err
 				}
 			} else if entry.APICall != nil {
@ -286,13 +273,13 @@ func loadResource(ctx *PolicyContext, p *APIPath) ([]byte, error) {
 	return r.MarshalJSON()
 }
-func loadConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynamiclister.Lister, ctx *context.Context) error {
+func loadConfigMap(logger logr.Logger, entry kyverno.ContextEntry, ctx *PolicyContext) error {
-	data, err := fetchConfigMap(logger, entry, lister, ctx)
+	data, err := fetchConfigMap(logger, entry, ctx)
 	if err != nil {
 		return fmt.Errorf("failed to retrieve config map for context entry %s: %v", entry.Name, err)
 	}
-	err = ctx.AddJSON(data)
+	err = ctx.JSONContext.AddJSON(data)
 	if err != nil {
 		return fmt.Errorf("failed to add config map for context entry %s: %v", entry.Name, err)
 	}
@ -300,15 +287,15 @@ func loadConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynami
 	return nil
 }
-func fetchConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynamiclister.Lister, jsonContext *context.Context) ([]byte, error) {
+func fetchConfigMap(logger logr.Logger, entry kyverno.ContextEntry, ctx *PolicyContext) ([]byte, error) {
 	contextData := make(map[string]interface{})
-	name, err := variables.SubstituteAll(logger, jsonContext, entry.ConfigMap.Name)
+	name, err := variables.SubstituteAll(logger, ctx.JSONContext, entry.ConfigMap.Name)
 	if err != nil {
 		return nil, fmt.Errorf("failed to substitute variables in context %s configMap.name %s: %v", entry.Name, entry.ConfigMap.Name, err)
 	}
-	namespace, err := variables.SubstituteAll(logger, jsonContext, entry.ConfigMap.Namespace)
+	namespace, err := variables.SubstituteAll(logger, ctx.JSONContext, entry.ConfigMap.Namespace)
 	if err != nil {
 		return nil, fmt.Errorf("failed to substitute variables in context %s configMap.namespace %s: %v", entry.Name, entry.ConfigMap.Namespace, err)
 	}
@ -317,10 +304,9 @@ func fetchConfigMap(logger logr.Logger, entry kyverno.ContextEntry, lister dynam
 		namespace = "default"
 	}
-	key := fmt.Sprintf("%s/%s", namespace, name)
+	obj, err := ctx.Client.GetResource("v1", "ConfigMap", namespace.(string), name.(string))
 	obj, err := lister.Get(key)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read configmap %s/%s from cache: %v", namespace, name, err)
+		return nil, fmt.Errorf("failed to get configmap %s/%s : %v", namespace, name, err)
 	}
 	unstructuredObj := obj.DeepCopy().Object
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -35,7 +35,6 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 	ctx := policyContext.JSONContext
 	var name []string
 	resCache := policyContext.ResourceCache
 	logger := log.Log.WithName("EngineMutate").WithValues("policy", policy.Name, "kind", patchedResource.GetKind(),
 		"namespace", patchedResource.GetNamespace(), "name", patchedResource.GetName())
@ -78,7 +77,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 			logger.Error(err, "failed to query resource object")
 		}
-		if err := LoadContext(logger, rule.Context, resCache, policyContext, rule.Name); err != nil {
+		if err := LoadContext(logger, rule.Context, policyContext, rule.Name); err != nil {
 			if _, ok := err.(gojmespath.NotFoundError); ok {
 				logger.V(3).Info("failed to load context", "reason", err.Error())
 			} else {
@ -144,7 +143,7 @@ func mutateForEach(rule *kyverno.Rule, ctx *PolicyContext, resource unstructured
 	allPatches := make([][]byte, 0)
 	for _, foreach := range foreachList {
-		if err := LoadContext(logger, rule.Context, ctx.ResourceCache, ctx, rule.Name); err != nil {
+		if err := LoadContext(logger, rule.Context, ctx, rule.Name); err != nil {
 			logger.Error(err, "failed to load context")
 			return ruleError(rule, utils.Mutation, "failed to load context", err), resource
 		}
@ -202,7 +201,7 @@ func mutateElements(name string, foreach *kyverno.ForEachMutation, ctx *PolicyCo
 			return mutateError(err, fmt.Sprintf("failed to add element to mutate.foreach[%d].context", i))
 		}
-		if err := LoadContext(logger, foreach.Context, ctx.ResourceCache, ctx, name); err != nil {
+		if err := LoadContext(logger, foreach.Context, ctx, name); err != nil {
 			return mutateError(err, fmt.Sprintf("failed to load to mutate.foreach[%d].context", i))
 		}
--- a/pkg/engine/policyContext.go
+++ b/pkg/engine/policyContext.go
@ -4,7 +4,6 @@ import (
 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
 	client "github.com/kyverno/kyverno/pkg/dclient"
 	"github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/resourcecache"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@ -34,9 +33,6 @@ type PolicyContext struct {
 	ExcludeResourceFunc func(kind, namespace, name string) bool
 	// ResourceCache provides listers to resources. Currently Supports Configmap
 	ResourceCache resourcecache.ResourceCache
 	// JSONContext is the variable context
 	JSONContext *context.Context
@ -53,7 +49,6 @@ func (pc *PolicyContext) Copy() *PolicyContext {
 		Client:              pc.Client,
 		ExcludeGroupRole:    pc.ExcludeGroupRole,
 		ExcludeResourceFunc: pc.ExcludeResourceFunc,
 		ResourceCache:       pc.ResourceCache,
 		JSONContext:         pc.JSONContext,
 		NamespaceLabels:     pc.NamespaceLabels,
 	}
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -307,7 +307,7 @@ func addElementToContext(ctx *PolicyContext, e interface{}, elementIndex int, el
 }
 func (v *validator) loadContext() error {
-	if err := LoadContext(v.log, v.contextEntries, v.ctx.ResourceCache, v.ctx, v.rule.Name); err != nil {
+	if err := LoadContext(v.log, v.contextEntries, v.ctx, v.rule.Name); err != nil {
 		if _, ok := err.(gojmespath.NotFoundError); ok {
 			v.log.V(3).Info("failed to load context", "reason", err.Error())
 		} else {
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@ -194,7 +194,6 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
 		AdmissionInfo:       gr.Spec.Context.UserRequestInfo,
 		ExcludeGroupRole:    c.Config.GetExcludeGroupRole(),
 		ExcludeResourceFunc: c.Config.ToFilter,
 		ResourceCache:       c.resCache,
 		JSONContext:         ctx,
 		NamespaceLabels:     namespaceLabels,
 		Client:              c.client,
@ -256,7 +255,6 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext *engine.
 	policy := policyContext.Policy
 	resource := policyContext.NewResource
 	resCache := policyContext.ResourceCache
 	jsonContext := policyContext.JSONContext
 	// To manage existing resources, we compare the creation time for the default resource to be generated and policy creation time
@ -284,7 +282,7 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext *engine.
 		}
 		// add configmap json data to context
-		if err := engine.LoadContext(log, rule.Context, resCache, policyContext, rule.Name); err != nil {
+		if err := engine.LoadContext(log, rule.Context, policyContext, rule.Name); err != nil {
 			log.Error(err, "cannot add configmaps to context")
 			return nil, processExisting, err
 		}
--- a/pkg/generate/generate_controller.go
+++ b/pkg/generate/generate_controller.go
@ -15,7 +15,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	dclient "github.com/kyverno/kyverno/pkg/dclient"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/resourcecache"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@ -68,8 +67,7 @@ type Controller struct {
 	nsInformer informers.GenericInformer
 	log        logr.Logger
-	Config   config.Interface
+	Config config.Interface
 	resCache resourcecache.ResourceCache
 }
 //NewController returns an instance of the Generate-Request Controller
@ -83,7 +81,6 @@ func NewController(
 	dynamicInformer dynamicinformer.DynamicSharedInformerFactory,
 	log logr.Logger,
 	dynamicConfig config.Interface,
 	resourceCache resourcecache.ResourceCache,
 ) (*Controller, error) {
 	c := Controller{
@ -95,7 +92,6 @@ func NewController(
 		dynamicInformer: dynamicInformer,
 		log:             log,
 		Config:          dynamicConfig,
 		resCache:        resourceCache,
 	}
 	c.statusControl = StatusControl{client: kyvernoClient}
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@ -14,14 +14,13 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/resourcecache"
 	"github.com/kyverno/kyverno/pkg/utils"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 // applyPolicy applies policy on a resource
 func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured,
-	logger logr.Logger, excludeGroupRole []string, resCache resourcecache.ResourceCache,
+	logger logr.Logger, excludeGroupRole []string,
 	client *client.Client, namespaceLabels map[string]string) (responses []*response.EngineResponse) {
 	startTime := time.Now()
@ -54,7 +53,7 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 		logger.Error(err, "unable to add image info to variables context")
 	}
-	engineResponseMutation, err = mutation(policy, resource, logger, resCache, ctx, namespaceLabels)
+	engineResponseMutation, err = mutation(policy, resource, logger, ctx, namespaceLabels)
 	if err != nil {
 		logger.Error(err, "failed to process mutation rule")
 	}
@ -63,7 +62,6 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 		Policy:           policy,
 		NewResource:      resource,
 		ExcludeGroupRole: excludeGroupRole,
 		ResourceCache:    resCache,
 		JSONContext:      ctx,
 		Client:           client,
 		NamespaceLabels:  namespaceLabels,
@ -75,12 +73,11 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	return engineResponses
 }
-func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, log logr.Logger, resCache resourcecache.ResourceCache, jsonContext *context.Context, namespaceLabels map[string]string) (*response.EngineResponse, error) {
+func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, log logr.Logger, jsonContext *context.Context, namespaceLabels map[string]string) (*response.EngineResponse, error) {
 	policyContext := &engine.PolicyContext{
 		Policy:          policy,
 		NewResource:     resource,
 		ResourceCache:   resCache,
 		JSONContext:     jsonContext,
 		NamespaceLabels: namespaceLabels,
 	}
--- a/pkg/policy/common.go
+++ b/pkg/policy/common.go
@ -144,32 +144,6 @@ func GetAllNamespaces(nslister listerv1.NamespaceLister, log logr.Logger) []stri
 }
 func (pc *PolicyController) getResourceList(kind, namespace string, labelSelector *metav1.LabelSelector, log logr.Logger) interface{} {
 	list, err := func() (list []*unstructured.Unstructured, err error) {
 		var selector labels.Selector
 		if labelSelector == nil {
 			selector = labels.Everything()
 		} else {
 			if selector, err = metav1.LabelSelectorAsSelector(labelSelector); err != nil {
 				return nil, err
 			}
 		}
 		genericCache, _ := pc.resCache.GetGVRCache(kind)
 		if namespace != "" {
 			list, err = genericCache.NamespacedLister(namespace).List(selector)
 		} else {
 			list, err = genericCache.Lister().List(selector)
 		}
 		return list, err
 	}()
 	if err != nil {
 		log.V(3).Info("failed to list resource using lister, try to query from the API server", "err", err.Error())
 	} else {
 		return list
 	}
 	resourceList, err := pc.client.ListResource("", kind, namespace, labelSelector)
 	if err != nil {
 		log.Error(err, "failed to list resources", "kind", kind, "namespace", namespace)
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@ -2,7 +2,6 @@ package policy
 import (
 	"errors"
 	"fmt"
 	"sync"
 	"time"
@ -34,17 +33,6 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli
 	}
 }
 func (pc *PolicyController) registerResource(gvk string) (err error) {
 	genericCache, ok := pc.resCache.GetGVRCache(gvk)
 	if !ok {
 		if genericCache, err = pc.resCache.CreateGVKInformer(gvk); err != nil {
 			return fmt.Errorf("failed to create informer for %s: %v", gvk, err)
 		}
 	}
 	pc.rm.RegisterScope(gvk, genericCache.IsNamespaced())
 	return nil
 }
 func (pc *PolicyController) applyAndReportPerNamespace(policy *kyverno.ClusterPolicy, kind string, ns string, rule kyverno.Rule, logger logr.Logger, metricAlreadyRegistered *bool) {
 	rMap := pc.getResourcesPerNamespace(kind, ns, rule, logger)
 	excludeAutoGenResources(*policy, rMap, logger)
@ -90,7 +78,7 @@ func (pc *PolicyController) applyPolicy(policy *kyverno.ClusterPolicy, resource
 	}
 	namespaceLabels := common.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger)
-	engineResponse := applyPolicy(*policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.resCache, pc.client, namespaceLabels)
+	engineResponse := applyPolicy(*policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, namespaceLabels)
 	engineResponses = append(engineResponses, engineResponse...)
 	// post-processing, register the resource as processed
@ -217,11 +205,13 @@ func (pc *PolicyController) processExistingKinds(kind []string, policy *kyverno.
 		logger = logger.WithValues("rule", rule.Name, "kind", k)
 		namespaced, err := pc.rm.GetScope(k)
 		if err != nil {
-			if err := pc.registerResource(k); err != nil {
+			resourceSchema, _, err := pc.client.DiscoveryClient.FindResource("", k)
 			if err != nil {
 				logger.Error(err, "failed to find resource", "kind", k)
 				continue
 			}
-			namespaced, _ = pc.rm.GetScope(k)
+			namespaced = resourceSchema.Namespaced
 			pc.rm.RegisterScope(k, namespaced)
 		}
 		// this tracker would help to ensure that even for multiple namespaces, duplicate metric are not generated
@ -231,6 +221,7 @@ func (pc *PolicyController) processExistingKinds(kind []string, policy *kyverno.
 			pc.applyAndReportPerNamespace(policy, k, "", rule, logger.WithValues("kind", k), &metricRegisteredTracker)
 			continue
 		}
 		namespaces := pc.getNamespacesForRule(&rule, logger.WithValues("kind", k))
 		for _, ns := range namespaces {
 			// for kind: Policy, consider only the namespace which the policy belongs to.
--- a/pkg/policy/generate/validate.go
+++ b/pkg/policy/generate/validate.go
@ -89,7 +89,7 @@ func (g *Generate) validateClone(c kyverno.CloneFrom, kind string) (string, erro
 			return "", err
 		}
 		if !ok {
-			return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+			return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace)
 		}
 	} else {
 		g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
@ -109,7 +109,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error {
 			return err
 		}
 		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+			return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace)
 		}
 		// UPDATE
 		ok, err = authCheck.CanIUpdate(kind, namespace)
@ -118,7 +118,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error {
 			return err
 		}
 		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+			return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace)
 		}
 		// GET
 		ok, err = authCheck.CanIGet(kind, namespace)
@ -127,7 +127,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error {
 			return err
 		}
 		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+			return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace)
 		}
 		// DELETE
@ -137,7 +137,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error {
 			return err
 		}
 		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+			return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace)
 		}
 	} else {
--- a/pkg/policy/policy_controller.go
+++ b/pkg/policy/policy_controller.go
@ -23,7 +23,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/metrics"
 	pm "github.com/kyverno/kyverno/pkg/policymutation"
 	"github.com/kyverno/kyverno/pkg/policyreport"
 	"github.com/kyverno/kyverno/pkg/resourcecache"
 	"github.com/kyverno/kyverno/pkg/utils"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@ -82,12 +81,6 @@ type PolicyController struct {
 	// npListerSynced returns true if the namespace policy store has been synced at least once
 	npListerSynced cache.InformerSynced
 	// pvListerSynced returns true if the cluster policy violation store has been synced at least once
 	cpvListerSynced cache.InformerSynced
 	// pvListerSynced returns true if the policy violation store has been synced at least once
 	nspvListerSynced cache.InformerSynced
 	// nsListerSynced returns true if the namespace store has been synced at least once
 	nsListerSynced cache.InformerSynced
@ -105,9 +98,6 @@ type PolicyController struct {
 	policyReportEraser policyreport.PolicyReportEraser
 	// resCache - controls creation and fetching of resource informer cache
 	resCache resourcecache.ResourceCache
 	reconcilePeriod time.Duration
 	log logr.Logger
@ -129,7 +119,6 @@ func NewPolicyController(
 	policyReportEraser policyreport.PolicyReportEraser,
 	namespaces informers.NamespaceInformer,
 	log logr.Logger,
 	resCache resourcecache.ResourceCache,
 	reconcilePeriod time.Duration,
 	promConfig *metrics.PromConfig) (*PolicyController, error) {
@ -153,7 +142,6 @@ func NewPolicyController(
 		configHandler:      configHandler,
 		prGenerator:        prGenerator,
 		policyReportEraser: policyReportEraser,
 		resCache:           resCache,
 		reconcilePeriod:    reconcilePeriod,
 		promConfig:         promConfig,
 		log:                log,
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@ -73,7 +73,6 @@ func (ws *WebhookServer) handleGenerate(
 			AdmissionInfo:       userRequestInfo,
 			ExcludeGroupRole:    dynamicConfig.GetExcludeGroupRole(),
 			ExcludeResourceFunc: ws.configHandler.ToFilter,
 			ResourceCache:       ws.resCache,
 			JSONContext:         ctx,
 			Client:              ws.client,
 		}
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -29,7 +29,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/openapi"
 	"github.com/kyverno/kyverno/pkg/policycache"
 	"github.com/kyverno/kyverno/pkg/policyreport"
 	"github.com/kyverno/kyverno/pkg/resourcecache"
 	tlsutils "github.com/kyverno/kyverno/pkg/tls"
 	"github.com/kyverno/kyverno/pkg/userinfo"
 	"github.com/kyverno/kyverno/pkg/utils"
@ -122,9 +121,6 @@ type WebhookServer struct {
 	openAPIController *openapi.Controller
 	// resCache - controls creation and fetching of resource informer cache
 	resCache resourcecache.ResourceCache
 	grController *generate.Controller
 	promConfig *metrics.PromConfig
@ -154,7 +150,6 @@ func NewWebhookServer(
 	cleanUp chan<- struct{},
 	log logr.Logger,
 	openAPIController *openapi.Controller,
 	resCache resourcecache.ResourceCache,
 	grc *generate.Controller,
 	promConfig *metrics.PromConfig,
 ) (*WebhookServer, error) {
@ -200,7 +195,6 @@ func NewWebhookServer(
 		auditHandler:      auditHandler,
 		log:               log,
 		openAPIController: openAPIController,
 		resCache:          resCache,
 		promConfig:        promConfig,
 	}
@ -385,7 +379,6 @@ func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, a
 		AdmissionInfo:       userRequestInfo,
 		ExcludeGroupRole:    ws.configHandler.GetExcludeGroupRole(),
 		ExcludeResourceFunc: ws.configHandler.ToFilter,
 		ResourceCache:       ws.resCache,
 		JSONContext:         ctx,
 		Client:              ws.client,
 	}
@ -551,7 +544,6 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		AdmissionInfo:       userRequestInfo,
 		ExcludeGroupRole:    ws.configHandler.GetExcludeGroupRole(),
 		ExcludeResourceFunc: ws.configHandler.ToFilter,
 		ResourceCache:       ws.resCache,
 		JSONContext:         ctx,
 		Client:              ws.client,
 	}
--- a/pkg/webhooks/validate_audit.go
+++ b/pkg/webhooks/validate_audit.go
@ -19,7 +19,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/policycache"
 	"github.com/kyverno/kyverno/pkg/policyreport"
 	"github.com/kyverno/kyverno/pkg/resourcecache"
 	"github.com/kyverno/kyverno/pkg/userinfo"
 	"k8s.io/api/admission/v1beta1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@ -62,7 +61,6 @@ type auditHandler struct {
 	log           logr.Logger
 	configHandler config.Interface
 	resCache      resourcecache.ResourceCache
 	promConfig    *metrics.PromConfig
 }
@ -75,7 +73,6 @@ func NewValidateAuditHandler(pCache policycache.Interface,
 	namespaces informers.NamespaceInformer,
 	log logr.Logger,
 	dynamicConfig config.Interface,
 	resCache resourcecache.ResourceCache,
 	client *client.Client,
 	promConfig *metrics.PromConfig) AuditHandler {
@ -92,7 +89,6 @@ func NewValidateAuditHandler(pCache policycache.Interface,
 		log:            log,
 		prGenerator:    prGenerator,
 		configHandler:  dynamicConfig,
 		resCache:       resCache,
 		client:         client,
 		promConfig:     promConfig,
 	}
@ -195,7 +191,6 @@ func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error {
 		AdmissionInfo:       userRequestInfo,
 		ExcludeGroupRole:    h.configHandler.GetExcludeGroupRole(),
 		ExcludeResourceFunc: h.configHandler.ToFilter,
 		ResourceCache:       h.resCache,
 		JSONContext:         ctx,
 		Client:              h.client,
 	}