PodSecurity: avoid double parsing policy from namespace labels

benchmark                                                           old ns/op     new ns/op     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          224           225           +0.40%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   237           234           -1.31%
BenchmarkVerifyPod/enforce-privileged_pod-12                        259           245           -5.26%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 261           254           -2.72%
BenchmarkVerifyPod/enforce-baseline_pod-12                          2967          2850          -3.94%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   252           255           +0.87%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3244          3125          -3.67%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 258           261           +0.97%
BenchmarkVerifyPod/warn-baseline_pod-12                             2956          2841          -3.89%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3034          2913          -3.99%
BenchmarkVerifyPod/warn-restricted_pod-12                           3276          3176          -3.05%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3302          3157          -4.39%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5159          5132          -0.52%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4208          4069          -3.30%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4336          4252          -1.94%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4436          4316          -2.71%

staging/src/k8s.io/pod-security-admission/admission/admission.go

@@ -319,8 +319,8 @@ func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissio
 		klog.ErrorS(err, "failed to fetch pod namespace", "namespace", attrs.GetNamespace())
 		return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", attrs.GetNamespace()))
 	}
-	nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
-	if nsPolicy.Enforce.Level == api.LevelPrivileged && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
+	nsPolicy, nsPolicyErr := a.PolicyToEvaluate(namespace.Labels)
+	if nsPolicyErr == nil && nsPolicy.Enforce.Level == api.LevelPrivileged && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
 		return sharedAllowedResponse()
 	}
 
@@ -350,7 +350,7 @@ func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissio
 			return sharedAllowedResponse()
 		}
 	}
-	return a.EvaluatePod(ctx, attrs.GetNamespace(), &pod.ObjectMeta, &pod.Spec, true)
+	return a.EvaluatePod(ctx, nsPolicy, nsPolicyErr, &pod.ObjectMeta, &pod.Spec, true)
 }
 
 // ValidatePodController evaluates a pod controller create or update request against the effective policy for the namespace.
@@ -371,8 +371,8 @@ func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes)
 		klog.ErrorS(err, "failed to fetch pod namespace", "namespace", attrs.GetNamespace())
 		return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", attrs.GetNamespace()))
 	}
-	nsPolicy, _ := a.PolicyToEvaluate(namespace.Labels)
-	if nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
+	nsPolicy, nsPolicyErr := a.PolicyToEvaluate(namespace.Labels)
+	if nsPolicyErr == nil && nsPolicy.Warn.Level == api.LevelPrivileged && nsPolicy.Audit.Level == api.LevelPrivileged {
 		return sharedAllowedResponse()
 	}
 
@@ -390,29 +390,22 @@ func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes)
 		// if a controller with an optional pod spec does not contain a pod spec, skip validation
 		return sharedAllowedResponse()
 	}
-	return a.EvaluatePod(ctx, attrs.GetNamespace(), podMetadata, podSpec, false)
+	return a.EvaluatePod(ctx, nsPolicy, nsPolicyErr, podMetadata, podSpec, false)
 }
 
-// EvaluatePod looks up the policy for the pods namespace, and checks it against the given pod(-like) object.
+// EvaluatePod evaluates the given policy against the given pod(-like) object.
 // The enforce policy is only checked if enforce=true.
 // The returned response may be shared between evaluations and must not be mutated.
-func (a *Admission) EvaluatePod(ctx context.Context, namespaceName string, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, enforce bool) *admissionv1.AdmissionResponse {
+func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, enforce bool) *admissionv1.AdmissionResponse {
 	// short-circuit on exempt runtimeclass
 	if a.exemptRuntimeClass(podSpec.RuntimeClassName) {
 		return sharedAllowedResponse()
 	}
 
-	namespace, err := a.NamespaceGetter.GetNamespace(ctx, namespaceName)
-	if err != nil {
-		klog.ErrorS(err, "failed to fetch pod namespace", "namespace", namespaceName)
-		return internalErrorResponse(fmt.Sprintf("failed to lookup namespace %s", namespaceName))
-	}
-
 	auditAnnotations := map[string]string{}
-	nsPolicy, err := a.PolicyToEvaluate(namespace.Labels)
-	if err != nil {
-		klog.V(2).InfoS("failed to parse PodSecurity namespace labels", "err", err)
-		auditAnnotations["error"] = fmt.Sprintf("Failed to parse policy: %v", err)
+	if nsPolicyErr != nil {
+		klog.V(2).InfoS("failed to parse PodSecurity namespace labels", "err", nsPolicyErr)
+		auditAnnotations["error"] = fmt.Sprintf("Failed to parse policy: %v", nsPolicyErr)
 	}
 	// TODO: log nsPolicy evaluation with context (op, resource, namespace, name) for the request.