fix(controller): fix e2e failures when running with --disable-client-cache

Two reconciler bugs were exposed when options.Cache is nil: List calls
for ReplicaSets and Pods in isPolicyUniquelyReachable had no explicit
namespace, becoming cluster-wide requests that the service account is
not allowed to make (403). In getPolicies, MatchingFields with a custom
field index key is forwarded to the API server as an unsupported CRD
field selector (400). Only error check silently swallowed the failure,
leaving policy lists empty and policies stuck in pending forever.

Fix isPolicyUniquelyReachable by adding client.InNamespace to both List
calls. Fix getPolicies by adding a CacheDisabled bool to
PolicyServerReconciler: when true, a new getPoliciesWithoutCache method
lists all objects and filters by Spec.PolicyServer in Go; when false, the
existing MatchingFields path is used unchanged (error check fixed to plain
if err != nil).

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Assisted-by: Github copilot

Author: jvanz

cmd/controller/main.go

@@ -195,6 +195,7 @@ func main() {
 		mgrOpts.DeploymentsNamespace,
 		config,
 		otelConfiguration,
+		mgrOpts.DisableClientCache,
 	); err != nil {
 		setupLog.Error(err, "unable to create controllers")
 		retcode = 1
@@ -252,6 +253,8 @@ func setupManager(mgrOpts ManagerOptions) (ctrl.Manager, error) {
 		// server, bypassing the informer cache. This ensures RBAC is fully evaluated
 		// for all verbs including "get", which would otherwise be silently served from
 		// the cache even if the permission is missing in the production RBAC roles.
+		// Should only be enabled in test/debug environments as it increases API
+		// server load.
 		mgrOptions.NewClient = func(config *rest.Config, options client.Options) (client.Client, error) {
 			options.Cache = nil
 			return client.New(config, options)
@@ -279,6 +282,7 @@ func setupReconcilers(mgr ctrl.Manager,
 	deploymentsNamespace string,
 	config Configuration,
 	otelConfiguration controller.TelemetryConfiguration,
+	disableClientCache bool,
 ) error {
 	if err := (&controller.PolicyServerReconciler{
 		Client:               mgr.GetClient(),
@@ -289,6 +293,7 @@ func setupReconcilers(mgr ctrl.Manager,
 		TelemetryConfiguration:                             otelConfiguration,
 		ClientCAConfigMapName:                              config.ClientCAConfigMapName,
 		ImagePullSecrets:                                   config.ImagePullSecrets,
+		CacheDisabled:                                      disableClientCache,
 	}).SetupWithManager(mgr); err != nil {
 		return errors.Join(errors.New("unable to create PolicyServer controller"), err)
 	}

internal/controller/policy_subreconciler.go

@@ -226,7 +226,9 @@ func (r *policySubReconciler) isPolicyUniquelyReachable(ctx context.Context, pol
 	}
 
 	replicaSets := appsv1.ReplicaSetList{}
-	if err = r.List(ctx, &replicaSets, client.MatchingLabels{constants.PolicyServerLabelKey: policyServerDeployment.Labels[constants.PolicyServerLabelKey]}); err != nil {
+	if err = r.List(ctx, &replicaSets,
+		client.InNamespace(policyServerDeployment.Namespace),
+		client.MatchingLabels{constants.PolicyServerLabelKey: policyServerDeployment.Labels[constants.PolicyServerLabelKey]}); err != nil {
 		return false
 	}
 	podTemplateHash := ""
@@ -240,7 +242,9 @@ func (r *policySubReconciler) isPolicyUniquelyReachable(ctx context.Context, pol
 		return false
 	}
 	pods := corev1.PodList{}
-	if err = r.List(ctx, &pods, client.MatchingLabels{constants.PolicyServerLabelKey: policyServerDeployment.Labels[constants.PolicyServerLabelKey]}); err != nil {
+	if err = r.List(ctx, &pods,
+		client.InNamespace(policyServerDeployment.Namespace),
+		client.MatchingLabels{constants.PolicyServerLabelKey: policyServerDeployment.Labels[constants.PolicyServerLabelKey]}); err != nil {
 		return false
 	}
 	if len(pods.Items) == 0 {

internal/controller/policyserver_controller.go

@@ -67,6 +67,11 @@ type PolicyServerReconciler struct {
 	// policy-server Deployment, sourced from the controller's own
 	// --image-pull-secrets flag.
 	ImagePullSecrets []corev1.LocalObjectReference
+	// CacheDisabled signals that the controller is running without the
+	// informer cache (--disable-client-cache). When true, getPolicies uses a
+	// plain list+filter instead of MatchingFields, which relies on in-memory
+	// field indexes that only work through the cache.
+	CacheDisabled bool
 }
 
 // TelemetryConfiguration is a struct that contains the configuration for the
@@ -311,35 +316,34 @@ func (r *PolicyServerReconciler) enqueueClusterAdmissionPolicyGroup(_ context.Co
 	}
 }
 
-// getPolicies returns all admission policies, cluster admission policy,
-// admission policies groups and cluster admission policy groups bound to the
+// getPolicies returns all admission policies, cluster admission policies,
+// admission policy groups and cluster admission policy groups bound to the
 // given policyServer.
+// When the informer cache is disabled it falls back to listing all objects and
+// filtering client-side, because MatchingFields relies on in-memory field
+// indexes that are only populated through the cache.
 func (r *PolicyServerReconciler) getPolicies(ctx context.Context, policyServer *policiesv1.PolicyServer) ([]policiesv1.Policy, error) {
+	if r.CacheDisabled {
+		return r.getPoliciesWithoutCache(ctx, policyServer)
+	}
+
 	var clusterAdmissionPolicies policiesv1.ClusterAdmissionPolicyList
-	err := r.Client.List(ctx, &clusterAdmissionPolicies, client.MatchingFields{constants.PolicyServerIndexKey: policyServer.Name})
-	if err != nil && apierrors.IsNotFound(err) {
-		err = fmt.Errorf("failed obtaining ClusterAdmissionPolicies: %w", err)
-		return nil, err
+	if err := r.Client.List(ctx, &clusterAdmissionPolicies, client.MatchingFields{constants.PolicyServerIndexKey: policyServer.Name}); err != nil {
+		return nil, fmt.Errorf("failed obtaining ClusterAdmissionPolicies: %w", err)
 	}
 	var admissionPolicies policiesv1.AdmissionPolicyList
-	err = r.Client.List(ctx, &admissionPolicies, client.MatchingFields{constants.PolicyServerIndexKey: policyServer.Name})
-	if err != nil && apierrors.IsNotFound(err) {
-		err = fmt.Errorf("failed obtaining AdmissionPolicies: %w", err)
-		return nil, err
+	if err := r.Client.List(ctx, &admissionPolicies, client.MatchingFields{constants.PolicyServerIndexKey: policyServer.Name}); err != nil {
+		return nil, fmt.Errorf("failed obtaining AdmissionPolicies: %w", err)
 	}
 
 	var admissionPolicyGroupList policiesv1.AdmissionPolicyGroupList
-	err = r.Client.List(ctx, &admissionPolicyGroupList, client.MatchingFields{constants.PolicyServerIndexKey: policyServer.Name})
-	if err != nil && apierrors.IsNotFound(err) {
-		err = fmt.Errorf("failed obtaining AdmissionPolicyGroups: %w", err)
-		return nil, err
+	if err := r.Client.List(ctx, &admissionPolicyGroupList, client.MatchingFields{constants.PolicyServerIndexKey: policyServer.Name}); err != nil {
+		return nil, fmt.Errorf("failed obtaining AdmissionPolicyGroups: %w", err)
 	}
 
 	var clusterAdmissionPolicyGroupList policiesv1.ClusterAdmissionPolicyGroupList
-	err = r.Client.List(ctx, &clusterAdmissionPolicyGroupList, client.MatchingFields{constants.PolicyServerIndexKey: policyServer.Name})
-	if err != nil && apierrors.IsNotFound(err) {
-		err = fmt.Errorf("failed obtaining ClusterAdmissionPolicyGroups: %w", err)
-		return nil, err
+	if err := r.Client.List(ctx, &clusterAdmissionPolicyGroupList, client.MatchingFields{constants.PolicyServerIndexKey: policyServer.Name}); err != nil {
+		return nil, fmt.Errorf("failed obtaining ClusterAdmissionPolicyGroups: %w", err)
 	}
 
 	policies := make([]policiesv1.Policy, 0)
@@ -358,6 +362,54 @@ func (r *PolicyServerReconciler) getPolicies(ctx context.Context, policyServer *
 	return policies, nil
 }
 
+// getPoliciesWithoutCache lists all policy objects and filters them client-side.
+// Used when the informer cache is disabled and MatchingFields would be forwarded
+// to the API server as an unsupported CRD field selector.
+func (r *PolicyServerReconciler) getPoliciesWithoutCache(ctx context.Context, policyServer *policiesv1.PolicyServer) ([]policiesv1.Policy, error) {
+	var clusterAdmissionPolicies policiesv1.ClusterAdmissionPolicyList
+	if err := r.Client.List(ctx, &clusterAdmissionPolicies); err != nil {
+		return nil, fmt.Errorf("failed obtaining ClusterAdmissionPolicies: %w", err)
+	}
+
+	var admissionPolicies policiesv1.AdmissionPolicyList
+	if err := r.Client.List(ctx, &admissionPolicies); err != nil {
+		return nil, fmt.Errorf("failed obtaining AdmissionPolicies: %w", err)
+	}
+
+	var admissionPolicyGroupList policiesv1.AdmissionPolicyGroupList
+	if err := r.Client.List(ctx, &admissionPolicyGroupList); err != nil {
+		return nil, fmt.Errorf("failed obtaining AdmissionPolicyGroups: %w", err)
+	}
+
+	var clusterAdmissionPolicyGroupList policiesv1.ClusterAdmissionPolicyGroupList
+	if err := r.Client.List(ctx, &clusterAdmissionPolicyGroupList); err != nil {
+		return nil, fmt.Errorf("failed obtaining ClusterAdmissionPolicyGroups: %w", err)
+	}
+
+	policies := make([]policiesv1.Policy, 0)
+	for _, policy := range clusterAdmissionPolicies.Items {
+		if policy.Spec.PolicyServer == policyServer.Name {
+			policies = append(policies, policy.DeepCopy())
+		}
+	}
+	for _, policy := range admissionPolicies.Items {
+		if policy.Spec.PolicyServer == policyServer.Name {
+			policies = append(policies, policy.DeepCopy())
+		}
+	}
+	for _, policy := range admissionPolicyGroupList.Items {
+		if policy.Spec.PolicyServer == policyServer.Name {
+			policies = append(policies, policy.DeepCopy())
+		}
+	}
+	for _, policy := range clusterAdmissionPolicyGroupList.Items {
+		if policy.Spec.PolicyServer == policyServer.Name {
+			policies = append(policies, policy.DeepCopy())
+		}
+	}
+	return policies, nil
+}
+
 func (r *PolicyServerReconciler) reconcileDeletion(ctx context.Context, policyServer *policiesv1.PolicyServer, policies []policiesv1.Policy) (ctrl.Result, error) {
 	if len(policies) != 0 {
 		// There are still policies scheduled on the PolicyServer, we have to