fix: cleanup controller context from #7597 (#7672)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

charts/kyverno/templates/cleanup-controller/clusterrole.yaml

@@ -45,6 +45,14 @@ rules:
     verbs:
       - list
       - watch
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - batch
     resources:

cmd/cleanup-controller/handlers/cleanup/handlers.go

@@ -5,6 +5,7 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
 	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
@@ -12,6 +13,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/metrics"
@@ -35,6 +37,7 @@ type handlers struct {
 	cpolLister kyvernov2alpha1listers.ClusterCleanupPolicyLister
 	polLister  kyvernov2alpha1listers.CleanupPolicyLister
 	nsLister   corev1listers.NamespaceLister
+	cmResolver engineapi.ConfigmapResolver
 	recorder   record.EventRecorder
 	jp         jmespath.Interface
 	metrics    cleanupMetrics
@@ -73,6 +76,7 @@ func New(
 	cpolLister kyvernov2alpha1listers.ClusterCleanupPolicyLister,
 	polLister kyvernov2alpha1listers.CleanupPolicyLister,
 	nsLister corev1listers.NamespaceLister,
+	cmResolver engineapi.ConfigmapResolver,
 	jp jmespath.Interface,
 ) *handlers {
 	return &handlers{
@@ -80,6 +84,7 @@ func New(
 		cpolLister: cpolLister,
 		polLister:  polLister,
 		nsLister:   nsLister,
+		cmResolver: cmResolver,
 		recorder:   event.NewRecorder(event.CleanupController, client.GetEventsInterface()),
 		metrics:    newCleanupMetrics(logger),
 		jp:         jp,
@@ -114,21 +119,11 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
 	debug := logger.V(4)
 	var errs []error
 	enginectx := enginecontext.NewContext(h.jp)
-
+	factory := factories.DefaultContextLoaderFactory(h.cmResolver)
-	if spec.Context != nil {
+	loader := factory(nil, kyvernov1.Rule{})
-		for _, entry := range spec.Context {
+	if err := loader.Load(ctx, h.jp, h.client, nil, spec.Context, enginectx); err != nil {
-			if entry.APICall != nil {
+		return err
-				if err := engineapi.LoadAPIData(ctx, h.jp, logger, entry, enginectx, h.client); err != nil {
-					return err
-				}
-			} else if entry.Variable != nil {
-				if err := engineapi.LoadVariable(logger, h.jp, entry, enginectx); err != nil {
-					return err
-				}
-			}
-		}
 	}
-
 	for kind := range kinds {
 		commonLabels := []attribute.KeyValue{
 			attribute.String("policy_type", policy.GetKind()),

cmd/cleanup-controller/main.go

@@ -66,6 +66,7 @@ func main() {
 		internal.WithLeaderElection(),
 		internal.WithKyvernoClient(),
 		internal.WithKyvernoDynamicClient(),
+		internal.WithConfigMapCaching(),
 		internal.WithFlagSets(flagset),
 	)
 	// parse flags
@@ -197,7 +198,16 @@ func main() {
 	}
 	// create handlers
 	admissionHandlers := admissionhandlers.New(setup.KyvernoDynamicClient)
-	cleanupHandlers := cleanuphandlers.New(setup.Logger.WithName("cleanup-handler"), setup.KyvernoDynamicClient, cpolLister, polLister, nsLister, setup.Jp)
+	cmResolver := internal.NewConfigMapResolver(ctx, setup.Logger, setup.KubeClient, resyncPeriod)
+	cleanupHandlers := cleanuphandlers.New(
+		setup.Logger.WithName("cleanup-handler"),
+		setup.KyvernoDynamicClient,
+		cpolLister,
+		polLister,
+		nsLister,
+		cmResolver,
+		setup.Jp,
+	)
 	// create server
 	server := NewServer(
 		func() ([]byte, []byte, error) {

config/install-latest-testing.yaml

@@ -37891,6 +37891,14 @@ rules:
     verbs:
       - list
       - watch
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - batch
     resources: