ihcsim

// Evaluate runs a compiled CEL admission plugin expression using the provided activation and CEL
// runtime cost budget.
func (a *evaluationActivation) Evaluate(ctx context.Context, compositionCtx CompositionContext, compilationResult CompilationResult, remainingBudget int64) (EvaluationResult, int64, error) {
    	// ...
    	t1 := time.Now()
	evalResult, evalDetails, err := compilationResult.Program.ContextEval(ctx, a)
	// budget may be spent due to lazy evaluation of composited variables
	if compositionCtx != nil {
		compositionCost := compositionCtx.GetAndResetCost()
		if compositionCost > remainingBudget {

ihcsim

// ForInput evaluates the compiled CEL expressions converting them into CELEvaluations
// errors per evaluation are returned on the Evaluation object
// runtimeCELCostBudget was added for testing purpose only. Callers should always use const RuntimeCELCostBudget from k8s.io/apiserver/pkg/apis/cel/config.go as input.
func (c *condition) ForInput(ctx context.Context, versionedAttr *admission.VersionedAttributes, request *admissionv1.AdmissionRequest, inputs OptionalVariableBindings, namespace *v1.Namespace, runtimeCELCostBudget int64) ([]EvaluationResult, int64, error) {
    // ...
    	remainingBudget := runtimeCELCostBudget
	for i, compilationResult := range c.compilationResults {
		evaluations[i], remainingBudget, err = activation.Evaluate(ctx, compositionCtx, compilationResult, remainingBudget)
		if err != nil {
			return nil, -1, err

ihcsim

func (v *validator) Validate(ctx context.Context, matchedResource schema.GroupVersionResource, versionedAttr *admission.VersionedAttributes, versionedParams runtime.Object, namespace *corev1.Namespace, runtimeCELCostBudget int64, authz authorizer.Authorizer) ValidateResult {
    // ...    
    evalResults, remainingBudget, err := v.validationFilter.ForInput(ctx, versionedAttr, admissionRequest, optionalVars, ns, runtimeCELCostBudget)
    if err != nil {
        return ValidateResult{
            Decisions: []PolicyDecision{
                {
                    Action:     policyDecisionActionForError(f),
                    Evaluation: EvalError,
                    Message:    err.Error(),

ihcsim

// Dispatch implements generic.Dispatcher.
func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces, hooks []PolicyHook) error {
    // ...
    validationResults = append(validationResults,
        hook.Evaluator.Validate(
            ctx,
            matchResource,
            versionedAttr,
            p,
            namespace,

ihcsim

// Plugin is an implementation of admission.Interface.
type Policy = v1.ValidatingAdmissionPolicy
type PolicyBinding = v1.ValidatingAdmissionPolicyBinding
type PolicyEvaluator = Validator
type PolicyHook = generic.PolicyHook[*Policy, *PolicyBinding, PolicyEvaluator]

ihcsim

// Validate makes an admission decision based on the request attributes.
func (a *Plugin) Validate(ctx context.Context, attr admission.Attributes, o admission.ObjectInterfaces) error {
    return a.Plugin.Dispatch(ctx, attr, o)
}

ihcsim

func Register(plugins *admission.Plugins) {
    plugins.Register(PluginName, func(configFile io.Reader) (admission.Interface, error) {
        return NewPlugin(configFile), nil
    })
}

ihcsim

// Check preforms the type check against the given policy, and format the result
// as []ExpressionWarning that is ready to be set in policy.Status
// The result is nil if type checking returns no warning.
// The policy object is NOT mutated. The caller should update Status accordingly
func (c *TypeChecker) Check(policy *v1.ValidatingAdmissionPolicy) []v1.ExpressionWarning {
    // ...
    for i, v := range policy.Spec.Validations {
        results := c.CheckExpression(ctx, v.Expression)
        if len(results) != 0 {
            warnings = append(warnings, v1.ExpressionWarning{

ihcsim

func (c *Controller) reconcile(ctx context.Context, policy *v1.ValidatingAdmissionPolicy) error {
    if policy == nil {
        return nil
    }
    if policy.Generation <= policy.Status.ObservedGeneration {
        return nil
    }
    warnings := c.typeChecker.Check(policy)
    // ...
}

ihcsim

func startValidatingAdmissionPolicyStatusController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
    // ...
    c, err := validatingadmissionpolicystatus.NewController(
        controllerContext.InformerFactory.Admissionregistration().V1().ValidatingAdmissionPolicies(),
        controllerContext.ClientBuilder.ClientOrDie(names.ValidatingAdmissionPolicyStatusController).AdmissionregistrationV1().ValidatingAdmissionPolicies(),
        typeChecker,
    )

    go c.Run(ctx, int(controllerContext.ComponentConfig.ValidatingAdmissionPolicyStatusController.ConcurrentPolicySyncs))
    return nil, true, err