bugfix: avoid NPE possibility by making composition environment global

2025-08-02 00:07:50 +00:00 · 2024-01-29 13:45:27 -08:00 · 2024-01-29 13:45:27 -08:00 · 3094395fa7
commit 3094395fa7
parent 18fbc48b01
2 changed files with 26 additions and 12 deletions
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/composition.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/composition.go
@ -54,13 +54,22 @@ func NewCompositedCompiler(envSet *environment.EnvSet) (*CompositedCompiler, err
 	if err != nil {
 		return nil, err
 	}
-	compiler := NewCompiler(compositionContext.EnvSet)
-	filterCompiler := NewFilterCompiler(compositionContext.EnvSet)
+	return NewCompositedCompilerFromTemplate(compositionContext), nil
+}
+
+func NewCompositedCompilerFromTemplate(context *CompositionEnv) *CompositedCompiler {
+	context = &CompositionEnv{
+		MapType:           context.MapType,
+		EnvSet:            context.EnvSet,
+		CompiledVariables: map[string]CompilationResult{},
+	}
+	compiler := NewCompiler(context.EnvSet)
+	filterCompiler := NewFilterCompiler(context.EnvSet)
 	return &CompositedCompiler{
 		Compiler:       compiler,
 		FilterCompiler: filterCompiler,
-		CompositionEnv: compositionContext,
-	}, nil
+		CompositionEnv: context,
+	}
 }

 func (c *CompositedCompiler) CompileAndStoreVariables(variables []NamedExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type) {
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go
@ -23,7 +23,6 @@ import (
 	v1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/api/meta"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/initializer"
 	"k8s.io/apiserver/pkg/admission/plugin/cel"
@ -44,6 +43,17 @@ const (
 	PluginName = "ValidatingAdmissionPolicy"
 )

+var (
+	compositionEnvTemplate *cel.CompositionEnv = func() *cel.CompositionEnv {
+		compositionEnvTemplate, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
+		if err != nil {
+			panic(err)
+		}
+
+		return compositionEnvTemplate
+	}()
+)
+
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(configFile io.Reader) (admission.Interface, error) {
@ -110,13 +120,8 @@ func compilePolicy(policy *Policy) Validator {
 	var matcher matchconditions.Matcher = nil
 	matchConditions := policy.Spec.MatchConditions

-	filterCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
-	if err == nil {
-		filterCompiler.CompileAndStoreVariables(convertv1beta1Variables(policy.Spec.Variables), optionalVars, environment.StoredExpressions)
-	} else {
-		//!TODO: return a validator that always fails with internal error?
-		utilruntime.HandleError(err)
-	}
+	filterCompiler := cel.NewCompositedCompilerFromTemplate(compositionEnvTemplate)
+	filterCompiler.CompileAndStoreVariables(convertv1beta1Variables(policy.Spec.Variables), optionalVars, environment.StoredExpressions)

 	if len(matchConditions) > 0 {
 		matchExpressionAccessors := make([]cel.ExpressionAccessor, len(matchConditions))