From 70dca741cf6d499661b0dfeadf94021f98ffb843 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 14:27:29 +0000
Subject: [PATCH 1/2] Initial plan

From 766764e3a92f63c2e87358bbc2d5369c7378ada0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 14:30:41 +0000
Subject: [PATCH 2/2] evaluator: extract common namespace selector logic into shared helper

Co-authored-by: zemanlx <18702153+zemanlx@users.noreply.github.com>
---
 internal/evaluator/evaluator.go | 56 +++++++++++++--------------------
 1 file changed, 21 insertions(+), 35 deletions(-)

diff --git a/internal/evaluator/evaluator.go b/internal/evaluator/evaluator.go
index fc526de..aab347d 100644
--- a/internal/evaluator/evaluator.go
+++ b/internal/evaluator/evaluator.go
@@ -776,19 +776,18 @@ func (e *Evaluator) EvaluateValidating( //nolint:cyclop // Complexity is inheren
 	}, nil
 }
 
-// matchesNamespaceSelector checks if the namespace object's labels match the binding's namespace selector.
-// Returns true if the selector matches (policy should be evaluated), false otherwise.
-func (e *Evaluator) matchesNamespaceSelector(
-	binding *admissionregv1.ValidatingAdmissionPolicyBinding,
+// matchesNamespaceSelectorByLabelSelector checks if the namespace object's labels match the given label selector.
+// Returns true if the selector is nil, empty, or matches the namespace labels.
+func matchesNamespaceSelectorByLabelSelector(
+	labelSelector *metav1.LabelSelector,
 	namespaceObj *unstructured.Unstructured,
 ) (bool, error) {
-	// No binding or no matchResources means match all
-	if binding == nil || binding.Spec.MatchResources == nil || binding.Spec.MatchResources.NamespaceSelector == nil {
+	if labelSelector == nil {
 		return true, nil
 	}
 
 	// Convert LabelSelector to labels.Selector
-	selector, err := metav1.LabelSelectorAsSelector(binding.Spec.MatchResources.NamespaceSelector)
+	selector, err := metav1.LabelSelectorAsSelector(labelSelector)
 	if err != nil {
 		return false, fmt.Errorf("parse namespace selector: %w", err)
 	}
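Review bot: The new helper's doc comment on the second `+` line lists nil, empty and matching as the true cases but leaves out the nil-namespace case, which the unchanged lines between the hunks appear to keep (hunk 2 opens with the `return true, nil` that follows `if namespaceObj == nil {`, as the removed V1Beta1 copy shows). That branch means "the selector could not be evaluated, so the policy is still applied", and it is the case callers most need stated, since it decides whether an unresolved namespace fails open or closed at the policy level. Suggested: `// Returns true if the selector is nil or empty, if namespaceObj is nil (the selector cannot be evaluated, so the policy is still applied), or if the namespace labels match; a malformed selector is reported as an error.` The helper's body continues past the end of this hunk.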
@@ -803,45 +802,32 @@ func (e *Evaluator) matchesNamespaceSelector(
 		return true, nil
 	}
 
-	// Get labels from namespace object
-	nsLabels := labels.Set(namespaceObj.GetLabels())
 
-	// Check if namespace labels match the selector
-	return selector.Matches(nsLabels), nil
+	return selector.Matches(labels.Set(namespaceObj.GetLabels())), nil
 }
 
-// matchesNamespaceSelectorV1Beta1 checks if the namespace object's labels match the binding's namespace selector.
+// matchesNamespaceSelector checks if the namespace object's labels match the binding's namespace selector.
 // Returns true if the selector matches (policy should be evaluated), false otherwise.
-func (e *Evaluator) matchesNamespaceSelectorV1Beta1(
-	binding *admissionv1beta1.MutatingAdmissionPolicyBinding,
+func (e *Evaluator) matchesNamespaceSelector(
+	binding *admissionregv1.ValidatingAdmissionPolicyBinding,
 	namespaceObj *unstructured.Unstructured,
 ) (bool, error) {
-	// No binding or no matchResources means match all
-	if binding == nil || binding.Spec.MatchResources == nil || binding.Spec.MatchResources.NamespaceSelector == nil {
+	if binding == nil || binding.Spec.MatchResources == nil {
 		return true, nil
 	}
+	return matchesNamespaceSelectorByLabelSelector(binding.Spec.MatchResources.NamespaceSelector, namespaceObj)
+}
 
-	// Convert LabelSelector to labels.Selector
-	selector, err := metav1.LabelSelectorAsSelector(binding.Spec.MatchResources.NamespaceSelector)
-	if err != nil {
-		return false, fmt.Errorf("parse namespace selector: %w", err)
-	}
-
-	// Empty selector matches everything
-	if selector.Empty() {
-		return true, nil
-	}
-
-	// No namespace object provided - can't evaluate selector
-	if namespaceObj == nil {
+// matchesNamespaceSelectorV1Beta1 checks if the namespace object's labels match the binding's namespace selector.
+// Returns true if the selector matches (policy should be evaluated), false otherwise.
+func (e *Evaluator) matchesNamespaceSelectorV1Beta1(
+	binding *admissionv1beta1.MutatingAdmissionPolicyBinding,
+	namespaceObj *unstructured.Unstructured,
+) (bool, error) {
+	if binding == nil || binding.Spec.MatchResources == nil {
 		return true, nil
 	}
-
-	// Get labels from namespace object
-	nsLabels := labels.Set(namespaceObj.GetLabels())
-
-	// Check if namespace labels match the selector
-	return selector.Matches(nsLabels), nil
+	return matchesNamespaceSelectorByLabelSelector(binding.Spec.MatchResources.NamespaceSelector, namespaceObj)
 }
 
 // evaluateMatchConditions evaluates all match conditions and returns true if all match.
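Review bot: `matchesNamespaceSelector` and `matchesNamespaceSelectorV1Beta1` keep the `*Evaluator` receiver although neither body reads `e` — each only inspects `binding` and delegates to the package-level helper, which this commit already made receiver-less. Making them plain functions would keep the three consistent, but their call sites lie outside the hunk, so that change would ripple; if the receiver is kept deliberately, a one-line comment on each wrapper saying so would save the next reader the question. Separately, the hunk's line counts imply a blank context line survives between the removed `nsLabels` and `// Check` lines near the top, which would leave two consecutive blank lines in the first function on the new side — worth a gofmt pass if so.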