bugfix: avoid NPE possibility by making composition environment global

staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/composition.go

@@ -54,13 +54,22 @@ func NewCompositedCompiler(envSet *environment.EnvSet) (*CompositedCompiler, err
 	if err != nil {
 		return nil, err
 	}
-	compiler := NewCompiler(compositionContext.EnvSet)
+	return NewCompositedCompilerFromTemplate(compositionContext), nil
-	filterCompiler := NewFilterCompiler(compositionContext.EnvSet)
+}
+
+func NewCompositedCompilerFromTemplate(context *CompositionEnv) *CompositedCompiler {
+	context = &CompositionEnv{
+		MapType:           context.MapType,
+		EnvSet:            context.EnvSet,
+		CompiledVariables: map[string]CompilationResult{},
+	}
+	compiler := NewCompiler(context.EnvSet)
+	filterCompiler := NewFilterCompiler(context.EnvSet)
 	return &CompositedCompiler{
 		Compiler:       compiler,
 		FilterCompiler: filterCompiler,
-		CompositionEnv: compositionContext,
+		CompositionEnv: context,
-	}, nil
+	}
 }
 
 func (c *CompositedCompiler) CompileAndStoreVariables(variables []NamedExpressionAccessor, options OptionalVariableDeclarations, mode environment.Type) {

staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go

@@ -23,7 +23,6 @@ import (
 	v1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/api/meta"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/initializer"
 	"k8s.io/apiserver/pkg/admission/plugin/cel"
@@ -44,6 +43,17 @@ const (
 	PluginName = "ValidatingAdmissionPolicy"
 )
 
+var (
+	compositionEnvTemplate *cel.CompositionEnv = func() *cel.CompositionEnv {
+		compositionEnvTemplate, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
+		if err != nil {
+			panic(err)
+		}
+
+		return compositionEnvTemplate
+	}()
+)
+
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(configFile io.Reader) (admission.Interface, error) {
@@ -110,13 +120,8 @@ func compilePolicy(policy *Policy) Validator {
 	var matcher matchconditions.Matcher = nil
 	matchConditions := policy.Spec.MatchConditions
 
-	filterCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
+	filterCompiler := cel.NewCompositedCompilerFromTemplate(compositionEnvTemplate)
-	if err == nil {
+	filterCompiler.CompileAndStoreVariables(convertv1beta1Variables(policy.Spec.Variables), optionalVars, environment.StoredExpressions)
-		filterCompiler.CompileAndStoreVariables(convertv1beta1Variables(policy.Spec.Variables), optionalVars, environment.StoredExpressions)
-	} else {
-		//!TODO: return a validator that always fails with internal error?
-		utilruntime.HandleError(err)
-	}
 
 	if len(matchConditions) > 0 {
 		matchExpressionAccessors := make([]cel.ExpressionAccessor, len(matchConditions))