feat(controller): disable cache CLI flag

In previous commits a divergence between the kube-builder markers to
define permissions and final Helm chart RBAC files have been detected.
And tests in place did not detect this issue. The reason we hadn't
spotted this before is that  the missing get verb was being masked
because list/watch populates the controller-runtime client cache.
Therefore, Get() calls never reach the API server and RBAC is never
evaluated for that verb. Other verbs (create, update, delete, patch)
always hit the API server and would be caught. list/watch would crash
the controller since the informer cache can't start.

To allow e2e tests to spot this a new flag is added to the controller to
configure the Kubernetes client to disable cache. Therefore, all the
request goes directly to the control plane validationg the RBAC rules.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Assisted-by: Github Copilot

Author: jvanz

charts/kubewarden-controller/templates/deployment.yaml

@@ -55,6 +55,9 @@ spec:
         - --always-accept-admission-reviews-on-deployments-namespace
         {{- end }}
         - --zap-log-level={{ .Values.logLevel }}
+        {{- if .Values.disableClientCache }}
+        - --disable-client-cache
+        {{- end }}
        {{- if .Values.mTLS.enable }}
         - --client-ca-configmap-name={{ .Values.mTLS.configMapName }}
        {{- end }}

charts/kubewarden-controller/values.yaml

@@ -153,6 +153,11 @@ preDeleteHook:
 alwaysAcceptAdmissionReviewsOnDeploymentsNamespace: true
 # Verbosity of logging. Can be one of 'debug', 'info', 'error'.
 logLevel: info
+# Disable the controller-runtime client cache so that all calls go directly to
+# the API server. This is used on tests to ensures RBAC is fully evaluated for
+# every read operation, including the "get" verb which would otherwise be
+# silently served from cache. Should only be enabled in test environments.
+disableClientCache: false
 # open-telemetry options
 telemetry:
   # Kubewarden controller telemetry configuration allow two OpenTelemetry

cmd/controller/main.go

@@ -29,18 +29,15 @@ import (
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-	k8spoliciesv1 "k8s.io/api/policy/v1"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
-	"k8s.io/apimachinery/pkg/fields"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
@@ -74,6 +71,13 @@ type ManagerOptions struct {
 	EnableMutualTLS      bool
 	MetricsAddr          string
 	ProbeAddr            string
+	// DisableClientCache forces all calls to bypass the controller-runtime
+	// informer cache and go directly to the API server. This ensures RBAC is
+	// evaluated for every read operation, including the "get" verb which would
+	// otherwise be silently served from cache even if the permission is missing.
+	// Should only be enabled in test/debug environments as it increases API
+	// server load.
+	DisableClientCache bool
 }
 
 type Configuration struct {
@@ -135,6 +139,8 @@ func main() {
 		"image-pull-secrets",
 		"",
 		"Comma-separated list of Secret names to use as imagePullSecrets on every policy-server Deployment. The secrets must exist in the deployments namespace.")
+	flag.BoolVar(&mgrOpts.DisableClientCache, "disable-client-cache", false,
+		"Disable the controller-runtime client cache for all resource types. Should only be used in test environments.")
 
 	opts := zap.Options{}
 	opts.BindFlags(flag.CommandLine)
@@ -218,10 +224,6 @@ func main() {
 }
 
 func setupManager(mgrOpts ManagerOptions) (ctrl.Manager, error) {
-	namespaceSelector := cache.ByObject{
-		Field: fields.ParseSelectorOrDie("metadata.namespace=" + mgrOpts.DeploymentsNamespace),
-	}
-
 	clientCAName := ""
 	if mgrOpts.EnableMutualTLS {
 		// The WebhookServer shares the same CertDir for both the server
@@ -231,52 +233,32 @@ func setupManager(mgrOpts ManagerOptions) (ctrl.Manager, error) {
 		clientCAName = filepath.Join("client-ca", constants.ClientCACert)
 	}
 
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+	mgrOptions := ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
 			BindAddress: mgrOpts.MetricsAddr,
 		},
 		HealthProbeBindAddress: mgrOpts.ProbeAddr,
 		LeaderElection:         mgrOpts.EnableLeaderElection,
 		LeaderElectionID:       "a4ddbf36.kubewarden.io",
-		// Warning: the manager creates a client, which then uses Watches to monitor
-		// certain resources. By default, the client is not going to be namespaced,
-		// it will be able to watch resources across the entire cluster. This is of
-		// course constrained by the RBAC rules applied to the ServiceAccount that
-		// runs the controller.
-		// *However*, even when accessing a resource inside a specific Namespace,
-		// the default behavior of the cache is to create a Watch that is not namespaced;
-		// hence requires the privilege to access all the resources of that type inside
-		// of the cluster. That can cause runtime error if the ServiceAccount lacking
-		// this privilege.
-		// For example, when we access a secret inside the `kubewarden`
-		// namespace, the cache will create a Watch against Secrets, that will require
-		// privileged to access ALL the secrets of the cluster.
-		//
-		// To be able to have stricter RBAC rules, we need to instruct the cache to
-		// only watch objects inside of the namespace where the controller is running.
-		// That applies ONLY to the namespaced resources that we know the controller
-		// is going to own inside of a specific namespace.
-		// For example, Secret resources are going to be defined by the controller
-		// only inside of the `kubewarden` namespace; hence their watch can be namespaced.
-		// On the other hand, AdmissionPolicy resources are namespaced, but the controller
-		// requires to access them across all the namespaces of the cluster; hence the
-		// cache must not be namespaced.
-		Cache: cache.Options{
-			ByObject: map[client.Object]cache.ByObject{
-				&appsv1.ReplicaSet{}:                 namespaceSelector,
-				&corev1.Secret{}:                     namespaceSelector,
-				&corev1.Pod{}:                        namespaceSelector,
-				&corev1.Service{}:                    namespaceSelector,
-				&k8spoliciesv1.PodDisruptionBudget{}: namespaceSelector,
-				&corev1.ConfigMap{}:                  namespaceSelector,
-				&appsv1.Deployment{}:                 namespaceSelector,
-			},
-		},
+		Cache:                  controller.NamespacedCacheOptions(mgrOpts.DeploymentsNamespace),
 		WebhookServer: webhook.NewServer(webhook.Options{
 			ClientCAName: clientCAName,
 		}),
-	})
+	}
+
+	if mgrOpts.DisableClientCache {
+		// Override the client so that every call goes directly to the API
+		// server, bypassing the informer cache. This ensures RBAC is fully evaluated
+		// for all verbs including "get", which would otherwise be silently served from
+		// the cache even if the permission is missing in the production RBAC roles.
+		mgrOptions.NewClient = func(config *rest.Config, options client.Options) (client.Client, error) {
+			options.Cache = nil
+			return client.New(config, options)
+		}
+	}
+
+	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), mgrOptions)
 	if err != nil {
 		return mgr, fmt.Errorf("failed to setup manager: %w", err)
 	}

e2e/main_test.go

@@ -69,6 +69,7 @@ func TestMain(m *testing.M) {
 					"--set", "auditScanner.image.tag=dev",
 					"--set", "logLevel=debug",
 					"--set", "auditScanner.logLevel=debug",
+					"--set", "disableClientCache=true",
 				),
 			)
 			if err != nil {

internal/controller/manager_options.go

@@ -0,0 +1,52 @@
+/*
+Copyright 2026.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	k8spoliciesv1 "k8s.io/api/policy/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// NamespacedCacheOptions returns cache.Options that restrict LIST/WATCH for
+// namespace-scoped resources the controller manages exclusively within
+// deploymentsNamespace. Without this restriction, controller-runtime creates
+// cluster-wide watches, which require privileges the production ServiceAccount
+// does not have.
+//
+// Only resources the controller owns within a single namespace are listed here.
+// Resources like AdmissionPolicy that the controller accesses across all
+// namespaces must NOT be restricted, so they are intentionally omitted.
+func NamespacedCacheOptions(deploymentsNamespace string) cache.Options {
+	namespaceSelector := cache.ByObject{
+		Field: fields.ParseSelectorOrDie("metadata.namespace=" + deploymentsNamespace),
+	}
+	return cache.Options{
+		ByObject: map[client.Object]cache.ByObject{
+			&appsv1.ReplicaSet{}:                 namespaceSelector,
+			&corev1.Secret{}:                     namespaceSelector,
+			&corev1.Pod{}:                        namespaceSelector,
+			&corev1.Service{}:                    namespaceSelector,
+			&k8spoliciesv1.PodDisruptionBudget{}: namespaceSelector,
+			&corev1.ConfigMap{}:                  namespaceSelector,
+			&appsv1.Deployment{}:                 namespaceSelector,
+		},
+	}
+}

internal/controller/suite_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2021.
+Copyright 2026.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.