Fallback to live ns lookup on admission if lister cannot find namespace

liggitt · k8s-publishing-bot · commit 7b74a6d61290 · 2025-11-19T17:39:14.000-05:00
Kubernetes-commit: 2664ad0c8383585776ab69b4f3ca1b5dc63600a5
diff --git a/pkg/admission/plugin/policy/generic/policy_matcher.go b/pkg/admission/plugin/policy/generic/policy_matcher.go
@@ -17,6 +17,7 @@ limitations under the License.
 package generic
 
 import (
+	"context"
 	"fmt"
 
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -41,8 +42,8 @@ type PolicyMatcher interface {
 	BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding BindingAccessor) (bool, error)
 
 	// GetNamespace retrieves the Namespace resource by the given name. The name may be empty, in which case
-	// GetNamespace must return nil, nil
-	GetNamespace(name string) (*corev1.Namespace, error)
+	// GetNamespace must return nil, NotFound
+	GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error)
 }
 
 type matcher struct {
@@ -82,8 +83,8 @@ func (c *matcher) BindingMatches(a admission.Attributes, o admission.ObjectInter
 	return isMatch, err
 }
 
-func (c *matcher) GetNamespace(name string) (*corev1.Namespace, error) {
-	return c.Matcher.GetNamespace(name)
+func (c *matcher) GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) {
+	return c.Matcher.GetNamespace(ctx, name)
 }
 
 var _ matching.MatchCriteria = &matchCriteria{}
diff --git a/pkg/admission/plugin/policy/matching/matching.go b/pkg/admission/plugin/policy/matching/matching.go
@@ -17,6 +17,7 @@ limitations under the License.
 package matching
 
 import (
+	"context"
 	"fmt"
 
 	v1 "k8s.io/api/admissionregistration/v1"
@@ -44,8 +45,8 @@ type Matcher struct {
 	objectMatcher    *object.Matcher
 }
 
-func (m *Matcher) GetNamespace(name string) (*corev1.Namespace, error) {
-	return m.namespaceMatcher.GetNamespace(name)
+func (m *Matcher) GetNamespace(ctx context.Context, name string) (*corev1.Namespace, error) {
+	return m.namespaceMatcher.GetNamespace(ctx, name)
 }
 
 // NewMatcher initialize the matcher with dependencies requires
diff --git a/pkg/admission/plugin/policy/mutating/dispatcher.go b/pkg/admission/plugin/policy/mutating/dispatcher.go
@@ -122,8 +122,12 @@ func (d *dispatcher) dispatchInvocations(
 	// if it is cluster scoped, namespaceName will be empty
 	// Otherwise, get the Namespace resource.
 	if namespaceName != "" {
-		namespace, err = d.matcher.GetNamespace(namespaceName)
+		namespace, err = d.matcher.GetNamespace(ctx, namespaceName)
 		if err != nil {
+			var statusError *k8serrors.StatusError
+			if errors.As(err, &statusError) {
+				return nil, statusError
+			}
 			return nil, k8serrors.NewNotFound(schema.GroupResource{Group: "", Resource: "namespaces"}, namespaceName)
 		}
 	}
diff --git a/pkg/admission/plugin/policy/validating/admission_test.go b/pkg/admission/plugin/policy/validating/admission_test.go
@@ -269,7 +269,7 @@ func (f *fakeMatcher) ValidateInitialization() error {
 	return nil
 }
 
-func (f *fakeMatcher) GetNamespace(name string) (*v1.Namespace, error) {
+func (f *fakeMatcher) GetNamespace(ctx context.Context, name string) (*v1.Namespace, error) {
 	return nil, nil
 }
 
diff --git a/pkg/admission/plugin/policy/validating/dispatcher.go b/pkg/admission/plugin/policy/validating/dispatcher.go
@@ -189,7 +189,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm
 			// if it is cluster scoped, namespaceName will be empty
 			// Otherwise, get the Namespace resource.
 			if namespaceName != "" {
-				namespace, err = c.matcher.GetNamespace(namespaceName)
+				namespace, err = c.matcher.GetNamespace(ctx, namespaceName)
 				if err != nil {
 					return err
 				}
diff --git a/pkg/admission/plugin/webhook/predicates/namespace/matcher.go b/pkg/admission/plugin/webhook/predicates/namespace/matcher.go
@@ -44,8 +44,13 @@ type Matcher struct {
 	Client          clientset.Interface
 }
 
-func (m *Matcher) GetNamespace(name string) (*v1.Namespace, error) {
-	return m.NamespaceLister.Get(name)
+func (m *Matcher) GetNamespace(ctx context.Context, name string) (*v1.Namespace, error) {
+	ns, err := m.NamespaceLister.Get(name)
+	if apierrors.IsNotFound(err) && len(name) > 0 {
+		// in case of latency in our caches, make a call direct to storage to verify that it truly exists or not
+		ns, err = m.Client.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
+	}
+	return ns, err
 }
 
 // Validate checks if the Matcher has a NamespaceLister and Client.

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ limitations under the License.`
`17`	`17`	`package matching`
`18`	`18`
`19`	`19`	`import (`
	`20`	`+ "context"`
`20`	`21`	`"fmt"`
`21`	`22`
`22`	`23`	`v1 "k8s.io/api/admissionregistration/v1"`
`@@ -44,8 +45,8 @@ type Matcher struct {`
`44`	`45`	`objectMatcher *object.Matcher`
`45`	`46`	`}`
`46`	`47`
`47`		`-func (m Matcher) GetNamespace(name string) (corev1.Namespace, error) {`
`48`		`- return m.namespaceMatcher.GetNamespace(name)`
	`48`	`+func (m Matcher) GetNamespace(ctx context.Context, name string) (corev1.Namespace, error) {`
	`49`	`+ return m.namespaceMatcher.GetNamespace(ctx, name)`
`49`	`50`	`}`
`50`	`51`
`51`	`52`	`// NewMatcher initialize the matcher with dependencies requires`
Original file line number	Diff line number	Diff line change
`@@ -122,8 +122,12 @@ func (d *dispatcher) dispatchInvocations(`
`122`	`122`	`// if it is cluster scoped, namespaceName will be empty`
`123`	`123`	`// Otherwise, get the Namespace resource.`
`124`	`124`	`if namespaceName != "" {`
`125`		`- namespace, err = d.matcher.GetNamespace(namespaceName)`
	`125`	`+ namespace, err = d.matcher.GetNamespace(ctx, namespaceName)`
`126`	`126`	`if err != nil {`
	`127`	`+ var statusError *k8serrors.StatusError`
	`128`	`+ if errors.As(err, &statusError) {`
	`129`	`+ return nil, statusError`
	`130`	`+ }`
`127`	`131`	`return nil, k8serrors.NewNotFound(schema.GroupResource{Group: "", Resource: "namespaces"}, namespaceName)`
`128`	`132`	`}`
`129`	`133`	`}`
Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,7 @@ func (f *fakeMatcher) ValidateInitialization() error {`
`269`	`269`	`return nil`
`270`	`270`	`}`
`271`	`271`
`272`		`-func (f fakeMatcher) GetNamespace(name string) (v1.Namespace, error) {`
	`272`	`+func (f fakeMatcher) GetNamespace(ctx context.Context, name string) (v1.Namespace, error) {`
`273`	`273`	`return nil, nil`
`274`	`274`	`}`
`275`	`275`
Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm`
`189`	`189`	`// if it is cluster scoped, namespaceName will be empty`
`190`	`190`	`// Otherwise, get the Namespace resource.`
`191`	`191`	`if namespaceName != "" {`
`192`		`- namespace, err = c.matcher.GetNamespace(namespaceName)`
	`192`	`+ namespace, err = c.matcher.GetNamespace(ctx, namespaceName)`
`193`	`193`	`if err != nil {`
`194`	`194`	`return err`
`195`	`195`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,13 @@ type Matcher struct {`
`44`	`44`	`Client clientset.Interface`
`45`	`45`	`}`
`46`	`46`
`47`		`-func (m Matcher) GetNamespace(name string) (v1.Namespace, error) {`
`48`		`- return m.NamespaceLister.Get(name)`
	`47`	`+func (m Matcher) GetNamespace(ctx context.Context, name string) (v1.Namespace, error) {`
	`48`	`+ ns, err := m.NamespaceLister.Get(name)`
	`49`	`+ if apierrors.IsNotFound(err) && len(name) > 0 {`
	`50`	`+ // in case of latency in our caches, make a call direct to storage to verify that it truly exists or not`
	`51`	`+ ns, err = m.Client.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})`
	`52`	`+ }`
	`53`	`+ return ns, err`
`49`	`54`	`}`
`50`	`55`
`51`	`56`	`// Validate checks if the Matcher has a NamespaceLister and Client.`