remove RBACInfo check (#5015)

2025-03-31 03:45:17 +00:00 · 2022-10-17 20:17:06 +05:30 · 2022-10-17 20:17:06 +05:30 · f5748b1e70
commit f5748b1e70
parent cb0410dcf1
1 changed files with 4 additions and 64 deletions
--- a/pkg/webhooks/utils/policy_context_builder.go
+++ b/pkg/webhooks/utils/policy_context_builder.go
@ -1,12 +1,8 @@
 package utils

 import (
-	"encoding/json"
-	"strings"
-
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
-	"github.com/kyverno/kyverno/pkg/autogen"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
@ -22,60 +18,6 @@ type PolicyContextBuilder interface {
 	Build(*admissionv1.AdmissionRequest, ...kyvernov1.PolicyInterface) (*engine.PolicyContext, error)
 }

-func checkForRBACInfo(rule kyvernov1.Rule) bool {
-	if len(rule.MatchResources.Roles) > 0 || len(rule.MatchResources.ClusterRoles) > 0 || len(rule.ExcludeResources.Roles) > 0 || len(rule.ExcludeResources.ClusterRoles) > 0 {
-		return true
-	}
-	if len(rule.MatchResources.All) > 0 {
-		for _, rf := range rule.MatchResources.All {
-			if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
-				return true
-			}
-		}
-	}
-	if len(rule.MatchResources.Any) > 0 {
-		for _, rf := range rule.MatchResources.Any {
-			if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
-				return true
-			}
-		}
-	}
-	if len(rule.ExcludeResources.All) > 0 {
-		for _, rf := range rule.ExcludeResources.All {
-			if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
-				return true
-			}
-		}
-	}
-	if len(rule.ExcludeResources.Any) > 0 {
-		for _, rf := range rule.ExcludeResources.Any {
-			if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
-				return true
-			}
-		}
-	}
-
-	if bytes, err := json.Marshal(rule); err != nil {
-		return false
-	} else {
-		if strings.Contains(string(bytes), "request.roles") || strings.Contains(string(bytes), "request.clusterRoles") {
-			return true
-		}
-	}
-	return false
-}
-
-func containsRBACInfo(policies ...kyvernov1.PolicyInterface) bool {
-	for _, policy := range policies {
-		for _, rule := range autogen.ComputeRules(policy) {
-			if checkForRBACInfo(rule) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
 func newVariablesContext(request *admissionv1.AdmissionRequest, userRequestInfo *kyvernov1beta1.RequestInfo) (enginectx.Interface, error) {
 	ctx := enginectx.NewContext()
 	if err := ctx.AddRequest(request); err != nil {
@ -112,15 +54,13 @@ func NewPolicyContextBuilder(
 }

 func (b *policyContextBuilder) Build(request *admissionv1.AdmissionRequest, policies ...kyvernov1.PolicyInterface) (*engine.PolicyContext, error) {
+	var err error
 	userRequestInfo := kyvernov1beta1.RequestInfo{
 		AdmissionUserInfo: *request.UserInfo.DeepCopy(),
 	}
-	if containsRBACInfo(policies...) {
-		var err error
-		userRequestInfo.Roles, userRequestInfo.ClusterRoles, err = userinfo.GetRoleRef(b.rbLister, b.crbLister, request, b.configuration)
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to fetch RBAC information for request")
-		}
+	userRequestInfo.Roles, userRequestInfo.ClusterRoles, err = userinfo.GetRoleRef(b.rbLister, b.crbLister, request, b.configuration)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to fetch RBAC information for request")
 	}
 	ctx, err := newVariablesContext(request, &userRequestInfo)
 	if err != nil {