rebase: bump k8s.io/kubernetes from 1.26.2 to 1.27.2

Bumps [k8s.io/kubernetes](https://github.com/kubernetes/kubernetes) from 1.26.2 to 1.27.2. - [Release notes](https://github.com/kubernetes/kubernetes/releases) - [Commits](https://github.com/kubernetes/kubernetes/compare/v1.26.2...v1.27.2) --- updated-dependencies: - dependency-name: k8s.io/kubernetes dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 10:33:35 +00:00 · 2023-05-29 21:03:29 +00:00
parent 0e79135419
commit 07b05616a0
1072 changed files with 208716 additions and 198880 deletions
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/OWNERS
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/OWNERS
@ -0,0 +1,10 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - jpbetz
+  - cici37
+  - alexzielenski
+reviewers:
+  - jpbetz
+  - cici37
+  - alexzielenski
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission.go
@ -0,0 +1,189 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingadmissionpolicy
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apiserver/pkg/features"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/component-base/featuregate"
+
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/admission/initializer"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+)
+
+////////////////////////////////////////////////////////////////////////////////
+// Plugin Definition
+////////////////////////////////////////////////////////////////////////////////
+
+// Definition for CEL admission plugin. This is the entry point into the
+// CEL admission control system.
+//
+// Each plugin is asked to validate every object update.
+
+const (
+	// PluginName indicates the name of admission plug-in
+	PluginName = "ValidatingAdmissionPolicy"
+)
+
+// Register registers a plugin
+func Register(plugins *admission.Plugins) {
+	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
+		return NewPlugin()
+	})
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// Plugin Initialization & Dependency Injection
+////////////////////////////////////////////////////////////////////////////////
+
+type celAdmissionPlugin struct {
+	*admission.Handler
+	evaluator CELPolicyEvaluator
+
+	inspectedFeatureGates bool
+	enabled               bool
+
+	// Injected Dependencies
+	informerFactory informers.SharedInformerFactory
+	client          kubernetes.Interface
+	restMapper      meta.RESTMapper
+	dynamicClient   dynamic.Interface
+	stopCh          <-chan struct{}
+}
+
+var _ initializer.WantsExternalKubeInformerFactory = &celAdmissionPlugin{}
+var _ initializer.WantsExternalKubeClientSet = &celAdmissionPlugin{}
+var _ initializer.WantsRESTMapper = &celAdmissionPlugin{}
+var _ initializer.WantsDynamicClient = &celAdmissionPlugin{}
+var _ initializer.WantsDrainedNotification = &celAdmissionPlugin{}
+
+var _ admission.InitializationValidator = &celAdmissionPlugin{}
+var _ admission.ValidationInterface = &celAdmissionPlugin{}
+
+func NewPlugin() (admission.Interface, error) {
+	return &celAdmissionPlugin{
+		Handler: admission.NewHandler(admission.Connect, admission.Create, admission.Delete, admission.Update),
+	}, nil
+}
+
+func (c *celAdmissionPlugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
+	c.informerFactory = f
+}
+
+func (c *celAdmissionPlugin) SetExternalKubeClientSet(client kubernetes.Interface) {
+	c.client = client
+}
+
+func (c *celAdmissionPlugin) SetRESTMapper(mapper meta.RESTMapper) {
+	c.restMapper = mapper
+}
+
+func (c *celAdmissionPlugin) SetDynamicClient(client dynamic.Interface) {
+	c.dynamicClient = client
+}
+
+func (c *celAdmissionPlugin) SetDrainedNotification(stopCh <-chan struct{}) {
+	c.stopCh = stopCh
+}
+
+func (c *celAdmissionPlugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
+	if featureGates.Enabled(features.ValidatingAdmissionPolicy) {
+		c.enabled = true
+	}
+	c.inspectedFeatureGates = true
+}
+
+// ValidateInitialization - once clientset and informer factory are provided, creates and starts the admission controller
+func (c *celAdmissionPlugin) ValidateInitialization() error {
+	if !c.inspectedFeatureGates {
+		return fmt.Errorf("%s did not see feature gates", PluginName)
+	}
+	if !c.enabled {
+		return nil
+	}
+	if c.informerFactory == nil {
+		return errors.New("missing informer factory")
+	}
+	if c.client == nil {
+		return errors.New("missing kubernetes client")
+	}
+	if c.restMapper == nil {
+		return errors.New("missing rest mapper")
+	}
+	if c.dynamicClient == nil {
+		return errors.New("missing dynamic client")
+	}
+	if c.stopCh == nil {
+		return errors.New("missing stop channel")
+	}
+	c.evaluator = NewAdmissionController(c.informerFactory, c.client, c.restMapper, c.dynamicClient)
+	if err := c.evaluator.ValidateInitialization(); err != nil {
+		return err
+	}
+
+	c.SetReadyFunc(c.evaluator.HasSynced)
+	go c.evaluator.Run(c.stopCh)
+	return nil
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// admission.ValidationInterface
+////////////////////////////////////////////////////////////////////////////////
+
+func (c *celAdmissionPlugin) Handles(operation admission.Operation) bool {
+	return true
+}
+
+func (c *celAdmissionPlugin) Validate(
+	ctx context.Context,
+	a admission.Attributes,
+	o admission.ObjectInterfaces,
+) (err error) {
+	if !c.enabled {
+		return nil
+	}
+
+	// isPolicyResource determines if an admission.Attributes object is describing
+	// the admission of a ValidatingAdmissionPolicy or a ValidatingAdmissionPolicyBinding
+	if isPolicyResource(a) {
+		return
+	}
+
+	if !c.WaitForReady() {
+		return admission.NewForbidden(a, fmt.Errorf("not yet ready to handle request"))
+	}
+
+	return c.evaluator.Validate(ctx, a, o)
+}
+
+func isPolicyResource(attr admission.Attributes) bool {
+	gvk := attr.GetResource()
+	if gvk.Group == "admissionregistration.k8s.io" {
+		if gvk.Resource == "validatingadmissionpolicies" || gvk.Resource == "validatingadmissionpolicybindings" {
+			return true
+		}
+	}
+	return false
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/compiler.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/compiler.go
@ -0,0 +1,231 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingadmissionpolicy
+
+import (
+	"sync"
+
+	"github.com/google/cel-go/cel"
+
+	apiservercel "k8s.io/apiserver/pkg/cel"
+	"k8s.io/apiserver/pkg/cel/library"
+)
+
+const (
+	ObjectVarName    = "object"
+	OldObjectVarName = "oldObject"
+	ParamsVarName    = "params"
+	RequestVarName   = "request"
+
+	checkFrequency = 100
+)
+
+type envs struct {
+	noParams   *cel.Env
+	withParams *cel.Env
+}
+
+var (
+	initEnvsOnce sync.Once
+	initEnvs     *envs
+	initEnvsErr  error
+)
+
+func getEnvs() (*envs, error) {
+	initEnvsOnce.Do(func() {
+		base, err := buildBaseEnv()
+		if err != nil {
+			initEnvsErr = err
+			return
+		}
+		noParams, err := buildNoParamsEnv(base)
+		if err != nil {
+			initEnvsErr = err
+			return
+		}
+		withParams, err := buildWithParamsEnv(noParams)
+		if err != nil {
+			initEnvsErr = err
+			return
+		}
+		initEnvs = &envs{noParams: noParams, withParams: withParams}
+	})
+	return initEnvs, initEnvsErr
+}
+
+// This is a similar code as in k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel/compilation.go
+// If any changes are made here, consider to make the same changes there as well.
+func buildBaseEnv() (*cel.Env, error) {
+	var opts []cel.EnvOption
+	opts = append(opts, cel.HomogeneousAggregateLiterals())
+	// Validate function declarations once during base env initialization,
+	// so they don't need to be evaluated each time a CEL rule is compiled.
+	// This is a relatively expensive operation.
+	opts = append(opts, cel.EagerlyValidateDeclarations(true), cel.DefaultUTCTimeZone(true))
+	opts = append(opts, library.ExtensionLibs...)
+
+	return cel.NewEnv(opts...)
+}
+
+func buildNoParamsEnv(baseEnv *cel.Env) (*cel.Env, error) {
+	var propDecls []cel.EnvOption
+	reg := apiservercel.NewRegistry(baseEnv)
+
+	requestType := buildRequestType()
+	rt, err := apiservercel.NewRuleTypes(requestType.TypeName(), requestType, reg)
+	if err != nil {
+		return nil, err
+	}
+	if rt == nil {
+		return nil, nil
+	}
+	opts, err := rt.EnvOptions(baseEnv.TypeProvider())
+	if err != nil {
+		return nil, err
+	}
+	propDecls = append(propDecls, cel.Variable(ObjectVarName, cel.DynType))
+	propDecls = append(propDecls, cel.Variable(OldObjectVarName, cel.DynType))
+	propDecls = append(propDecls, cel.Variable(RequestVarName, requestType.CelType()))
+
+	opts = append(opts, propDecls...)
+	env, err := baseEnv.Extend(opts...)
+	if err != nil {
+		return nil, err
+	}
+	return env, nil
+}
+
+func buildWithParamsEnv(noParams *cel.Env) (*cel.Env, error) {
+	return noParams.Extend(cel.Variable(ParamsVarName, cel.DynType))
+}
+
+// buildRequestType generates a DeclType for AdmissionRequest. This may be replaced with a utility that
+// converts the native type definition to apiservercel.DeclType once such a utility becomes available.
+// The 'uid' field is omitted since it is not needed for in-process admission review.
+// The 'object' and 'oldObject' fields are omitted since they are exposed as root level CEL variables.
+func buildRequestType() *apiservercel.DeclType {
+	field := func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField {
+		return apiservercel.NewDeclField(name, declType, required, nil, nil)
+	}
+	fields := func(fields ...*apiservercel.DeclField) map[string]*apiservercel.DeclField {
+		result := make(map[string]*apiservercel.DeclField, len(fields))
+		for _, f := range fields {
+			result[f.Name] = f
+		}
+		return result
+	}
+	gvkType := apiservercel.NewObjectType("kubernetes.GroupVersionKind", fields(
+		field("group", apiservercel.StringType, true),
+		field("version", apiservercel.StringType, true),
+		field("kind", apiservercel.StringType, true),
+	))
+	gvrType := apiservercel.NewObjectType("kubernetes.GroupVersionResource", fields(
+		field("group", apiservercel.StringType, true),
+		field("version", apiservercel.StringType, true),
+		field("resource", apiservercel.StringType, true),
+	))
+	userInfoType := apiservercel.NewObjectType("kubernetes.UserInfo", fields(
+		field("username", apiservercel.StringType, false),
+		field("uid", apiservercel.StringType, false),
+		field("groups", apiservercel.NewListType(apiservercel.StringType, -1), false),
+		field("extra", apiservercel.NewMapType(apiservercel.StringType, apiservercel.NewListType(apiservercel.StringType, -1), -1), false),
+	))
+	return apiservercel.NewObjectType("kubernetes.AdmissionRequest", fields(
+		field("kind", gvkType, true),
+		field("resource", gvrType, true),
+		field("subResource", apiservercel.StringType, false),
+		field("requestKind", gvkType, true),
+		field("requestResource", gvrType, true),
+		field("requestSubResource", apiservercel.StringType, false),
+		field("name", apiservercel.StringType, true),
+		field("namespace", apiservercel.StringType, false),
+		field("operation", apiservercel.StringType, true),
+		field("userInfo", userInfoType, true),
+		field("dryRun", apiservercel.BoolType, false),
+		field("options", apiservercel.DynType, false),
+	))
+}
+
+// CompilationResult represents a compiled ValidatingAdmissionPolicy validation expression.
+type CompilationResult struct {
+	Program cel.Program
+	Error   *apiservercel.Error
+}
+
+// CompileValidatingPolicyExpression returns a compiled vaalidating policy CEL expression.
+func CompileValidatingPolicyExpression(validationExpression string, hasParams bool) CompilationResult {
+	var env *cel.Env
+	envs, err := getEnvs()
+	if err != nil {
+		return CompilationResult{
+			Error: &apiservercel.Error{
+				Type:   apiservercel.ErrorTypeInternal,
+				Detail: "compiler initialization failed: " + err.Error(),
+			},
+		}
+	}
+	if hasParams {
+		env = envs.withParams
+	} else {
+		env = envs.noParams
+	}
+
+	ast, issues := env.Compile(validationExpression)
+	if issues != nil {
+		return CompilationResult{
+			Error: &apiservercel.Error{
+				Type:   apiservercel.ErrorTypeInvalid,
+				Detail: "compilation failed: " + issues.String(),
+			},
+		}
+	}
+	if ast.OutputType() != cel.BoolType {
+		return CompilationResult{
+			Error: &apiservercel.Error{
+				Type:   apiservercel.ErrorTypeInvalid,
+				Detail: "cel expression must evaluate to a bool",
+			},
+		}
+	}
+
+	_, err = cel.AstToCheckedExpr(ast)
+	if err != nil {
+		// should be impossible since env.Compile returned no issues
+		return CompilationResult{
+			Error: &apiservercel.Error{
+				Type:   apiservercel.ErrorTypeInternal,
+				Detail: "unexpected compilation error: " + err.Error(),
+			},
+		}
+	}
+	prog, err := env.Program(ast,
+		cel.EvalOptions(cel.OptOptimize),
+		cel.OptimizeRegex(library.ExtensionLibRegexOptimizations...),
+		cel.InterruptCheckFrequency(checkFrequency),
+	)
+	if err != nil {
+		return CompilationResult{
+			Error: &apiservercel.Error{
+				Type:   apiservercel.ErrorTypeInvalid,
+				Detail: "program instantiation failed: " + err.Error(),
+			},
+		}
+	}
+	return CompilationResult{
+		Program: prog,
+	}
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller.go
@ -0,0 +1,406 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingadmissionpolicy
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+	"sync/atomic"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching"
+
+	"k8s.io/api/admissionregistration/v1alpha1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/admission"
+	celmetrics "k8s.io/apiserver/pkg/admission/cel"
+	"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+)
+
+var _ CELPolicyEvaluator = &celAdmissionController{}
+
+// celAdmissionController is the top-level controller for admission control using CEL
+// it is responsible for watching policy definitions, bindings, and config param CRDs
+type celAdmissionController struct {
+	// Context under which the controller runs
+	runningContext context.Context
+
+	policyDefinitionsController generic.Controller[*v1alpha1.ValidatingAdmissionPolicy]
+	policyBindingController     generic.Controller[*v1alpha1.ValidatingAdmissionPolicyBinding]
+
+	// dynamicclient used to create informers to watch the param crd types
+	dynamicClient dynamic.Interface
+	restMapper    meta.RESTMapper
+
+	// Provided to the policy's Compile function as an injected dependency to
+	// assist with compiling its expressions to CEL
+	validatorCompiler ValidatorCompiler
+
+	// Lock which protects:
+	//	- definitionInfo
+	//  - bindingInfos
+	//  - paramCRDControllers
+	//  - definitionsToBindings
+	// All other fields should be assumed constant
+	mutex sync.RWMutex
+
+	// controller and metadata
+	paramsCRDControllers map[v1alpha1.ParamKind]*paramInfo
+
+	// Index for each definition namespace/name, contains all binding
+	// namespace/names known to exist for that definition
+	definitionInfo map[namespacedName]*definitionInfo
+
+	// Index for each bindings namespace/name. Contains compiled templates
+	// for the binding depending on the policy/param combination.
+	bindingInfos map[namespacedName]*bindingInfo
+
+	// Map from namespace/name of a definition to a set of namespace/name
+	// of bindings which depend on it.
+	// All keys must have at least one dependent binding
+	// All binding names MUST exist as a key bindingInfos
+	definitionsToBindings map[namespacedName]sets.Set[namespacedName]
+}
+
+// namespaceName is used as a key in definitionInfo and bindingInfos
+type namespacedName struct {
+	namespace, name string
+}
+
+type definitionInfo struct {
+	// Error about the state of the definition's configuration and the cluster
+	// preventing its enforcement or compilation.
+	// Reset every reconciliation
+	configurationError error
+
+	// Last value seen by this controller to be used in policy enforcement
+	// May not be nil
+	lastReconciledValue *v1alpha1.ValidatingAdmissionPolicy
+}
+
+type bindingInfo struct {
+	// Compiled CEL expression turned into an validator
+	validator atomic.Pointer[Validator]
+
+	// Last value seen by this controller to be used in policy enforcement
+	// May not be nil
+	lastReconciledValue *v1alpha1.ValidatingAdmissionPolicyBinding
+}
+
+type paramInfo struct {
+	// Controller which is watching this param CRD
+	controller generic.Controller[*unstructured.Unstructured]
+
+	// Function to call to stop the informer and clean up the controller
+	stop func()
+
+	// Policy Definitions which refer to this param CRD
+	dependentDefinitions sets.Set[namespacedName]
+}
+
+func NewAdmissionController(
+	// Injected Dependencies
+	informerFactory informers.SharedInformerFactory,
+	client kubernetes.Interface,
+	restMapper meta.RESTMapper,
+	dynamicClient dynamic.Interface,
+) CELPolicyEvaluator {
+	matcher := matching.NewMatcher(informerFactory.Core().V1().Namespaces().Lister(), client)
+	validatorCompiler := &CELValidatorCompiler{
+		Matcher: matcher,
+	}
+	c := &celAdmissionController{
+		definitionInfo:        make(map[namespacedName]*definitionInfo),
+		bindingInfos:          make(map[namespacedName]*bindingInfo),
+		paramsCRDControllers:  make(map[v1alpha1.ParamKind]*paramInfo),
+		definitionsToBindings: make(map[namespacedName]sets.Set[namespacedName]),
+		dynamicClient:         dynamicClient,
+		validatorCompiler:     validatorCompiler,
+		restMapper:            restMapper,
+	}
+
+	c.policyDefinitionsController = generic.NewController(
+		generic.NewInformer[*v1alpha1.ValidatingAdmissionPolicy](
+			informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies().Informer()),
+		c.reconcilePolicyDefinition,
+		generic.ControllerOptions{
+			Workers: 1,
+			Name:    "cel-policy-definitions",
+		},
+	)
+	c.policyBindingController = generic.NewController(
+		generic.NewInformer[*v1alpha1.ValidatingAdmissionPolicyBinding](
+			informerFactory.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings().Informer()),
+		c.reconcilePolicyBinding,
+		generic.ControllerOptions{
+			Workers: 1,
+			Name:    "cel-policy-bindings",
+		},
+	)
+	return c
+}
+
+func (c *celAdmissionController) Run(stopCh <-chan struct{}) {
+	if c.runningContext != nil {
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	c.runningContext = ctx
+	defer func() {
+		c.runningContext = nil
+	}()
+
+	wg := sync.WaitGroup{}
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		c.policyDefinitionsController.Run(ctx)
+	}()
+
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		c.policyBindingController.Run(ctx)
+	}()
+
+	<-stopCh
+	cancel()
+	wg.Wait()
+}
+
+func (c *celAdmissionController) Validate(
+	ctx context.Context,
+	a admission.Attributes,
+	o admission.ObjectInterfaces,
+) (err error) {
+	c.mutex.RLock()
+	defer c.mutex.RUnlock()
+
+	var deniedDecisions []policyDecisionWithMetadata
+
+	addConfigError := func(err error, definition *v1alpha1.ValidatingAdmissionPolicy, binding *v1alpha1.ValidatingAdmissionPolicyBinding) {
+		// we always default the FailurePolicy if it is unset and validate it in API level
+		var policy v1alpha1.FailurePolicyType
+		if definition.Spec.FailurePolicy == nil {
+			policy = v1alpha1.Fail
+		} else {
+			policy = *definition.Spec.FailurePolicy
+		}
+
+		// apply FailurePolicy specified in ValidatingAdmissionPolicy, the default would be Fail
+		switch policy {
+		case v1alpha1.Ignore:
+			// TODO: add metrics for ignored error here
+			return
+		case v1alpha1.Fail:
+			var message string
+			if binding == nil {
+				message = fmt.Errorf("failed to configure policy: %w", err).Error()
+			} else {
+				message = fmt.Errorf("failed to configure binding: %w", err).Error()
+			}
+			deniedDecisions = append(deniedDecisions, policyDecisionWithMetadata{
+				policyDecision: policyDecision{
+					action:  actionDeny,
+					message: message,
+				},
+				definition: definition,
+				binding:    binding,
+			})
+		default:
+			deniedDecisions = append(deniedDecisions, policyDecisionWithMetadata{
+				policyDecision: policyDecision{
+					action:  actionDeny,
+					message: fmt.Errorf("unrecognized failure policy: '%v'", policy).Error(),
+				},
+				definition: definition,
+				binding:    binding,
+			})
+		}
+	}
+	for definitionNamespacedName, definitionInfo := range c.definitionInfo {
+		definition := definitionInfo.lastReconciledValue
+		matches, matchKind, err := c.validatorCompiler.DefinitionMatches(a, o, definition)
+		if err != nil {
+			// Configuration error.
+			addConfigError(err, definition, nil)
+			continue
+		}
+		if !matches {
+			// Policy definition does not match request
+			continue
+		} else if definitionInfo.configurationError != nil {
+			// Configuration error.
+			addConfigError(definitionInfo.configurationError, definition, nil)
+			continue
+		}
+
+		dependentBindings := c.definitionsToBindings[definitionNamespacedName]
+		if len(dependentBindings) == 0 {
+			continue
+		}
+
+		for namespacedBindingName := range dependentBindings {
+			// If the key is inside dependentBindings, there is guaranteed to
+			// be a bindingInfo for it
+			bindingInfo := c.bindingInfos[namespacedBindingName]
+			binding := bindingInfo.lastReconciledValue
+			matches, err := c.validatorCompiler.BindingMatches(a, o, binding)
+			if err != nil {
+				// Configuration error.
+				addConfigError(err, definition, binding)
+				continue
+			}
+			if !matches {
+				continue
+			}
+
+			var param *unstructured.Unstructured
+
+			// If definition has paramKind, paramRef is required in binding.
+			// If definition has no paramKind, paramRef set in binding will be ignored.
+			paramKind := definition.Spec.ParamKind
+			paramRef := binding.Spec.ParamRef
+			if paramKind != nil && paramRef != nil {
+
+				// Find the params referred by the binding by looking its name up
+				// in our informer for its CRD
+				paramInfo, ok := c.paramsCRDControllers[*paramKind]
+				if !ok {
+					addConfigError(fmt.Errorf("paramKind kind `%v` not known",
+						paramKind.String()), definition, binding)
+					continue
+				}
+
+				// If the param informer for this admission policy has not yet
+				// had time to perform an initial listing, don't attempt to use
+				// it.
+				//!TOOD(alexzielenski): add a wait for a very short amount of
+				// time for the cache to sync
+				if !paramInfo.controller.HasSynced() {
+					addConfigError(fmt.Errorf("paramKind kind `%v` not yet synced to use for admission",
+						paramKind.String()), definition, binding)
+					continue
+				}
+
+				if len(paramRef.Namespace) == 0 {
+					param, err = paramInfo.controller.Informer().Get(paramRef.Name)
+				} else {
+					param, err = paramInfo.controller.Informer().Namespaced(paramRef.Namespace).Get(paramRef.Name)
+				}
+
+				if err != nil {
+					// Apply failure policy
+					addConfigError(err, definition, binding)
+
+					if k8serrors.IsInvalid(err) {
+						// Param mis-configured
+						// require to set paramRef.namespace for namespaced resource and unset paramRef.namespace for cluster scoped resource
+						continue
+					} else if k8serrors.IsNotFound(err) {
+						// Param not yet available. User may need to wait a bit
+						// before being able to use it for validation.
+						continue
+					}
+
+					// There was a bad internal error
+					utilruntime.HandleError(err)
+					continue
+				}
+			}
+
+			validator := bindingInfo.validator.Load()
+			if validator == nil {
+				// Compile policy definition using binding
+				newValidator := c.validatorCompiler.Compile(definition)
+				validator = &newValidator
+
+				bindingInfo.validator.Store(validator)
+			}
+
+			decisions, err := (*validator).Validate(a, o, param, matchKind)
+			if err != nil {
+				// runtime error. Apply failure policy
+				wrappedError := fmt.Errorf("failed to evaluate CEL expression: %w", err)
+				addConfigError(wrappedError, definition, binding)
+				continue
+			}
+
+			for _, decision := range decisions {
+				switch decision.action {
+				case actionAdmit:
+					if decision.evaluation == evalError {
+						celmetrics.Metrics.ObserveAdmissionWithError(ctx, decision.elapsed, definition.Name, binding.Name, "active")
+					}
+				case actionDeny:
+					deniedDecisions = append(deniedDecisions, policyDecisionWithMetadata{
+						definition:     definition,
+						binding:        binding,
+						policyDecision: decision,
+					})
+					celmetrics.Metrics.ObserveRejection(ctx, decision.elapsed, definition.Name, binding.Name, "active")
+				default:
+					return fmt.Errorf("unrecognized evaluation decision '%s' for ValidatingAdmissionPolicyBinding '%s' with ValidatingAdmissionPolicy '%s'",
+						decision.action, binding.Name, definition.Name)
+				}
+			}
+		}
+	}
+
+	if len(deniedDecisions) > 0 {
+		// TODO: refactor admission.NewForbidden so the name extraction is reusable but the code/reason is customizable
+		var message string
+		deniedDecision := deniedDecisions[0]
+		if deniedDecision.binding != nil {
+			message = fmt.Sprintf("ValidatingAdmissionPolicy '%s' with binding '%s' denied request: %s", deniedDecision.definition.Name, deniedDecision.binding.Name, deniedDecision.message)
+		} else {
+			message = fmt.Sprintf("ValidatingAdmissionPolicy '%s' denied request: %s", deniedDecision.definition.Name, deniedDecision.message)
+		}
+		err := admission.NewForbidden(a, errors.New(message)).(*k8serrors.StatusError)
+		reason := deniedDecision.reason
+		if len(reason) == 0 {
+			reason = metav1.StatusReasonInvalid
+		}
+		err.ErrStatus.Reason = reason
+		err.ErrStatus.Code = reasonToCode(reason)
+		err.ErrStatus.Details.Causes = append(err.ErrStatus.Details.Causes, metav1.StatusCause{Message: message})
+		return err
+	}
+	return nil
+}
+
+func (c *celAdmissionController) HasSynced() bool {
+	return c.policyBindingController.HasSynced() &&
+		c.policyDefinitionsController.HasSynced()
+}
+
+func (c *celAdmissionController) ValidateInitialization() error {
+	return c.validatorCompiler.ValidateInitialization()
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/controller_reconcile.go
@ -0,0 +1,233 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingadmissionpolicy
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"k8s.io/api/admissionregistration/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
+	celmetrics "k8s.io/apiserver/pkg/admission/cel"
+	"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic"
+	"k8s.io/client-go/dynamic/dynamicinformer"
+	"k8s.io/client-go/tools/cache"
+)
+
+func (c *celAdmissionController) reconcilePolicyDefinition(namespace, name string, definition *v1alpha1.ValidatingAdmissionPolicy) error {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	// Namespace for policydefinition is empty.
+	nn := getNamespaceName(namespace, name)
+	info, ok := c.definitionInfo[nn]
+	if !ok {
+		info = &definitionInfo{}
+		c.definitionInfo[nn] = info
+		// TODO(DangerOnTheRanger): add support for "warn" being a valid enforcementAction
+		celmetrics.Metrics.ObserveDefinition(context.TODO(), "active", "deny")
+	}
+
+	var paramSource *v1alpha1.ParamKind
+	if definition != nil {
+		paramSource = definition.Spec.ParamKind
+	}
+
+	// If param source has changed, remove definition as dependent of old params
+	// If there are no more dependents of old param, stop and clean up controller
+	if info.lastReconciledValue != nil && info.lastReconciledValue.Spec.ParamKind != nil {
+		oldParamSource := *info.lastReconciledValue.Spec.ParamKind
+
+		// If we are:
+		//	- switching from having a param to not having a param (includes deletion)
+		//	- or from having a param to a different one
+		// we remove dependency on the controller.
+		if paramSource == nil || *paramSource != oldParamSource {
+			if oldParamInfo, ok := c.paramsCRDControllers[oldParamSource]; ok {
+				oldParamInfo.dependentDefinitions.Delete(nn)
+				if len(oldParamInfo.dependentDefinitions) == 0 {
+					oldParamInfo.stop()
+					delete(c.paramsCRDControllers, oldParamSource)
+				}
+			}
+		}
+	}
+
+	// Reset all previously compiled evaluators in case something relevant in
+	// definition has changed.
+	for key := range c.definitionsToBindings[nn] {
+		bindingInfo := c.bindingInfos[key]
+		bindingInfo.validator.Store(nil)
+		c.bindingInfos[key] = bindingInfo
+	}
+
+	if definition == nil {
+		delete(c.definitionInfo, nn)
+		return nil
+	}
+
+	// Update definition info
+	info.lastReconciledValue = definition
+	info.configurationError = nil
+
+	if paramSource == nil {
+		// Skip setting up controller for empty param type
+		return nil
+	}
+
+	// find GVR for params
+	// Parse param source into a GVK
+
+	paramSourceGV, err := schema.ParseGroupVersion(paramSource.APIVersion)
+	if err != nil {
+		// Failed to resolve. Return error so we retry again (rate limited)
+		// Save a record of this definition with an evaluator that unconditionally
+		info.configurationError = fmt.Errorf("failed to parse apiVersion of paramKind '%v' with error: %w", paramSource.String(), err)
+
+		// Return nil, since this error cannot be resolved by waiting more time
+		return nil
+	}
+
+	paramsGVR, err := c.restMapper.RESTMapping(schema.GroupKind{
+		Group: paramSourceGV.Group,
+		Kind:  paramSource.Kind,
+	}, paramSourceGV.Version)
+
+	if err != nil {
+		// Failed to resolve. Return error so we retry again (rate limited)
+		// Save a record of this definition with an evaluator that unconditionally
+		//
+		info.configurationError = fmt.Errorf("failed to find resource referenced by paramKind: '%v'", paramSourceGV.WithKind(paramSource.Kind))
+		return info.configurationError
+	}
+
+	if info, ok := c.paramsCRDControllers[*paramSource]; ok {
+		// If a param controller is already active for this paramsource, make
+		// sure it is tracking this policy's dependency upon it
+		info.dependentDefinitions.Insert(nn)
+
+	} else {
+		instanceContext, instanceCancel := context.WithCancel(c.runningContext)
+
+		// Watch for new instances of this policy
+		informer := dynamicinformer.NewFilteredDynamicInformer(
+			c.dynamicClient,
+			paramsGVR.Resource,
+			corev1.NamespaceAll,
+			30*time.Second,
+			cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
+			nil,
+		)
+
+		controller := generic.NewController(
+			generic.NewInformer[*unstructured.Unstructured](informer.Informer()),
+			c.reconcileParams,
+			generic.ControllerOptions{
+				Workers: 1,
+				Name:    paramSource.String() + "-controller",
+			},
+		)
+
+		c.paramsCRDControllers[*paramSource] = &paramInfo{
+			controller:           controller,
+			stop:                 instanceCancel,
+			dependentDefinitions: sets.New(nn),
+		}
+
+		go informer.Informer().Run(instanceContext.Done())
+		go controller.Run(instanceContext)
+	}
+
+	return nil
+}
+
+func (c *celAdmissionController) reconcilePolicyBinding(namespace, name string, binding *v1alpha1.ValidatingAdmissionPolicyBinding) error {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	// Namespace for PolicyBinding is empty. In the future a namespaced binding
+	// may be added
+	// https://github.com/kubernetes/enhancements/blob/bf5c3c81ea2081d60c1dc7c832faa98479e06209/keps/sig-api-machinery/3488-cel-admission-control/README.md?plain=1#L1042
+	nn := getNamespaceName(namespace, name)
+	info, ok := c.bindingInfos[nn]
+	if !ok {
+		info = &bindingInfo{}
+		c.bindingInfos[nn] = info
+	}
+
+	var oldNamespacedDefinitionName namespacedName
+	if info.lastReconciledValue != nil {
+		// All validating policies are cluster-scoped so have empty namespace
+		oldNamespacedDefinitionName = getNamespaceName("", info.lastReconciledValue.Spec.PolicyName)
+	}
+
+	var namespacedDefinitionName namespacedName
+	if binding != nil {
+		// All validating policies are cluster-scoped so have empty namespace
+		namespacedDefinitionName = getNamespaceName("", binding.Spec.PolicyName)
+	}
+
+	// Remove record of binding from old definition if the referred policy
+	// has changed
+	if oldNamespacedDefinitionName != namespacedDefinitionName {
+		if dependentBindings, ok := c.definitionsToBindings[oldNamespacedDefinitionName]; ok {
+			dependentBindings.Delete(nn)
+
+			// if there are no more dependent bindings, remove knowledge of the
+			// definition altogether
+			if len(dependentBindings) == 0 {
+				delete(c.definitionsToBindings, oldNamespacedDefinitionName)
+			}
+		}
+	}
+
+	if binding == nil {
+		delete(c.bindingInfos, nn)
+		return nil
+	}
+
+	// Add record of binding to new definition
+	if dependentBindings, ok := c.definitionsToBindings[namespacedDefinitionName]; ok {
+		dependentBindings.Insert(nn)
+	} else {
+		c.definitionsToBindings[namespacedDefinitionName] = sets.New(nn)
+	}
+
+	// Remove compiled template for old binding
+	info.validator.Store(nil)
+	info.lastReconciledValue = binding
+	return nil
+}
+
+func (c *celAdmissionController) reconcileParams(namespace, name string, params *unstructured.Unstructured) error {
+	// Do nothing.
+	// When we add informational type checking we will need to compile in the
+	// reconcile loops instead of lazily so we can add compiler errors / type
+	// checker errors to the status of the resources.
+	return nil
+}
+
+func getNamespaceName(namespace, name string) namespacedName {
+	return namespacedName{
+		namespace: namespace,
+		name:      name,
+	}
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/initializer.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/initializer.go
@ -0,0 +1,30 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingadmissionpolicy
+
+import (
+	"context"
+	"k8s.io/apiserver/pkg/admission"
+)
+
+type CELPolicyEvaluator interface {
+	admission.InitializationValidator
+
+	Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error
+	HasSynced() bool
+	Run(stopCh <-chan struct{})
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/interface.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/interface.go
@ -0,0 +1,50 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingadmissionpolicy
+
+import (
+	"k8s.io/api/admissionregistration/v1alpha1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/admission"
+)
+
+// Validator defines the func used to validate the cel expressions
+// matchKind provides the GroupVersionKind that the object should be
+// validated by CEL expressions as.
+type Validator interface {
+	Validate(a admission.Attributes, o admission.ObjectInterfaces, versionedParams runtime.Object, matchKind schema.GroupVersionKind) ([]policyDecision, error)
+}
+
+// ValidatorCompiler is Dependency Injected into the PolicyDefinition's `Compile`
+// function to assist with converting types and values to/from CEL-typed values.
+type ValidatorCompiler interface {
+	admission.InitializationValidator
+
+	// Matches says whether this policy definition matches the provided admission
+	// resource request
+	DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error)
+
+	// Matches says whether this policy definition matches the provided admission
+	// resource request
+	BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error)
+
+	// Compile is used for the cel expression compilation
+	Compile(
+		policy *v1alpha1.ValidatingAdmissionPolicy,
+	) Validator
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/controller.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/controller.go
@ -0,0 +1,272 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog/v2"
+)
+
+var _ Controller[runtime.Object] = &controller[runtime.Object]{}
+
+type controller[T runtime.Object] struct {
+	informer Informer[T]
+	queue    workqueue.RateLimitingInterface
+
+	// Returns an error if there was a transient error during reconciliation
+	// and the object should be tried again later.
+	reconciler func(namespace, name string, newObj T) error
+
+	options ControllerOptions
+}
+
+type ControllerOptions struct {
+	Name    string
+	Workers uint
+}
+
+func (c *controller[T]) Informer() Informer[T] {
+	return c.informer
+}
+
+func NewController[T runtime.Object](
+	informer Informer[T],
+	reconciler func(namepace, name string, newObj T) error,
+	options ControllerOptions,
+) Controller[T] {
+	if options.Workers == 0 {
+		options.Workers = 2
+	}
+
+	if len(options.Name) == 0 {
+		options.Name = fmt.Sprintf("%T-controller", *new(T))
+	}
+
+	return &controller[T]{
+		options:    options,
+		informer:   informer,
+		reconciler: reconciler,
+		queue:      nil,
+	}
+}
+
+// Runs the controller and returns an error explaining why running was stopped.
+// Reconciliation ends as soon as the context completes. If there are events
+// waiting to be processed at that itme, they will be dropped.
+func (c *controller[T]) Run(ctx context.Context) error {
+	klog.Infof("starting %s", c.options.Name)
+	defer klog.Infof("stopping %s", c.options.Name)
+
+	c.queue = workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), c.options.Name)
+
+	// Forcefully shutdown workqueue. Drop any enqueued items.
+	// Important to do this in a `defer` at the start of `Run`.
+	// Otherwise, if there are any early returns without calling this, we
+	// would never shut down the workqueue
+	defer c.queue.ShutDown()
+
+	enqueue := func(obj interface{}) {
+		var key string
+		var err error
+		if key, err = cache.DeletionHandlingMetaNamespaceKeyFunc(obj); err != nil {
+			utilruntime.HandleError(err)
+			return
+		}
+		c.queue.Add(key)
+	}
+
+	registration, err := c.informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			enqueue(obj)
+		},
+		UpdateFunc: func(oldObj, newObj interface{}) {
+			oldMeta, err1 := meta.Accessor(oldObj)
+			newMeta, err2 := meta.Accessor(newObj)
+
+			if err1 != nil || err2 != nil {
+				if err1 != nil {
+					utilruntime.HandleError(err1)
+				}
+
+				if err2 != nil {
+					utilruntime.HandleError(err2)
+				}
+				return
+			} else if oldMeta.GetResourceVersion() == newMeta.GetResourceVersion() {
+				if len(oldMeta.GetResourceVersion()) == 0 {
+					klog.Warningf("%v throwing out update with empty RV. this is likely to happen if a test did not supply a resource version on an updated object", c.options.Name)
+				}
+				return
+			}
+
+			enqueue(newObj)
+		},
+		DeleteFunc: func(obj interface{}) {
+			// Enqueue
+			enqueue(obj)
+		},
+	})
+
+	// Error might be raised if informer was started and stopped already
+	if err != nil {
+		return err
+	}
+
+	// Make sure event handler is removed from informer in case return early from
+	// an error
+	defer func() {
+		// Remove event handler and Handle Error here. Error should only be raised
+		// for improper usage of event handler API.
+		if err := c.informer.RemoveEventHandler(registration); err != nil {
+			utilruntime.HandleError(err)
+		}
+	}()
+
+	// Wait for initial cache list to complete before beginning to reconcile
+	// objects.
+	if !cache.WaitForNamedCacheSync(c.options.Name, ctx.Done(), c.informer.HasSynced) {
+		// ctx cancelled during cache sync. return early
+		err := ctx.Err()
+		if err == nil {
+			// if context wasnt cancelled then the sync failed for another reason
+			err = errors.New("cache sync failed")
+		}
+		return err
+	}
+
+	waitGroup := sync.WaitGroup{}
+
+	for i := uint(0); i < c.options.Workers; i++ {
+		waitGroup.Add(1)
+		go func() {
+			wait.Until(c.runWorker, time.Second, ctx.Done())
+			waitGroup.Done()
+		}()
+	}
+
+	klog.Infof("Started %v workers for %v", c.options.Workers, c.options.Name)
+
+	// Wait for context cancel.
+	<-ctx.Done()
+
+	// Forcefully shutdown workqueue. Drop any enqueued items.
+	c.queue.ShutDown()
+
+	// Workqueue shutdown signals for workers to stop. Wait for all workers to
+	// clean up
+	waitGroup.Wait()
+
+	// Only way for workers to ever stop is for caller to cancel the context
+	return ctx.Err()
+}
+
+func (c *controller[T]) HasSynced() bool {
+	return c.informer.HasSynced()
+}
+
+func (c *controller[T]) runWorker() {
+	for {
+		key, shutdown := c.queue.Get()
+		if shutdown {
+			return
+		}
+
+		// We wrap this block in a func so we can defer c.workqueue.Done.
+		err := func(obj interface{}) error {
+			// We call Done here so the workqueue knows we have finished
+			// processing this item. We also must remember to call Forget if we
+			// do not want this work item being re-queued. For example, we do
+			// not call Forget if a transient error occurs, instead the item is
+			// put back on the workqueue and attempted again after a back-off
+			// period.
+			defer c.queue.Done(obj)
+			var key string
+			var ok bool
+			// We expect strings to come off the workqueue. These are of the
+			// form namespace/name. We do this as the delayed nature of the
+			// workqueue means the items in the informer cache may actually be
+			// more up to date that when the item was initially put onto the
+			// workqueue.
+			if key, ok = obj.(string); !ok {
+				// How did an incorrectly formatted key get in the workqueue?
+				// Done is sufficient. (Forget resets rate limiter for the key,
+				// but the key is invalid so there is no point in doing that)
+				return fmt.Errorf("expected string in workqueue but got %#v", obj)
+			}
+
+			if err := c.reconcile(key); err != nil {
+				// Put the item back on the workqueue to handle any transient errors.
+				c.queue.AddRateLimited(key)
+				return fmt.Errorf("error syncing '%s': %s, requeuing", key, err.Error())
+			}
+			// Finally, if no error occurs we Forget this item so it is allowed
+			// to be re-enqueued without a long rate limit
+			c.queue.Forget(obj)
+			klog.V(4).Infof("syncAdmissionPolicy(%q)", key)
+			return nil
+		}(key)
+
+		if err != nil {
+			utilruntime.HandleError(err)
+		}
+	}
+}
+
+func (c *controller[T]) reconcile(key string) error {
+	var newObj T
+	var err error
+	var namespace string
+	var name string
+	var lister NamespacedLister[T]
+
+	// Convert the namespace/name string into a distinct namespace and name
+	namespace, name, err = cache.SplitMetaNamespaceKey(key)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("invalid resource key: %s", key))
+		return nil
+	}
+
+	if len(namespace) > 0 {
+		lister = c.informer.Namespaced(namespace)
+	} else {
+		lister = c.informer
+	}
+
+	newObj, err = lister.Get(name)
+	if err != nil {
+		if !kerrors.IsNotFound(err) {
+			return err
+		}
+
+		// Deleted object. Inform reconciler with empty
+	}
+
+	return c.reconciler(namespace, name, newObj)
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/doc.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/doc.go
@ -0,0 +1,29 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package generic contains a typed wrapper over cache SharedIndexInformer
+// and Lister (maybe eventually should have a home there?)
+//
+// This interface is being experimented with as an easier way to write controllers
+// with a bit less boilerplate.
+//
+// Informer/Lister classes are thin wrappers providing a type-safe interface
+// over regular interface{}-based Informers/Listers
+//
+// Controller[T] provides a reusable way to reconcile objects out of an informer
+// using the tried and true controller design pattern found all over k8s
+// codebase based upon syncFunc/reconcile
+package generic
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/informer.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/informer.go
@ -0,0 +1,36 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/cache"
+)
+
+var _ Informer[runtime.Object] = informer[runtime.Object]{}
+
+type informer[T runtime.Object] struct {
+	cache.SharedIndexInformer
+	lister[T]
+}
+
+func NewInformer[T runtime.Object](informe cache.SharedIndexInformer) Informer[T] {
+	return informer[T]{
+		SharedIndexInformer: informe,
+		lister:              NewLister[T](informe.GetIndexer()),
+	}
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/interface.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/interface.go
@ -0,0 +1,62 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/cache"
+)
+
+type Controller[T runtime.Object] interface {
+	// Meant to be run inside a goroutine
+	// Waits for and reacts to changes in whatever type the controller
+	// is concerned with.
+	//
+	// Returns an error always non-nil explaining why the worker stopped
+	Run(ctx context.Context) error
+
+	// Retrieves the informer used to back this controller
+	Informer() Informer[T]
+
+	// Returns true if the informer cache has synced, and all the objects from
+	// the initial list have been reconciled at least once.
+	HasSynced() bool
+}
+
+type NamespacedLister[T any] interface {
+	// List lists all ValidationRuleSets in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []T, err error)
+	// Get retrieves the ValidationRuleSet from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (T, error)
+}
+
+type Informer[T any] interface {
+	cache.SharedIndexInformer
+	Lister[T]
+}
+
+// Lister[T] helps list Ts.
+// All objects returned here must be treated as read-only.
+type Lister[T any] interface {
+	NamespacedLister[T]
+	Namespaced(namespace string) NamespacedLister[T]
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/lister.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/internal/generic/lister.go
@ -0,0 +1,100 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generic
+
+import (
+	"fmt"
+	"net/http"
+
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/cache"
+)
+
+var _ Lister[runtime.Object] = lister[runtime.Object]{}
+
+type namespacedLister[T runtime.Object] struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+func (w namespacedLister[T]) List(selector labels.Selector) (ret []T, err error) {
+	err = cache.ListAllByNamespace(w.indexer, w.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(T))
+	})
+	return ret, err
+}
+
+func (w namespacedLister[T]) Get(name string) (T, error) {
+	var result T
+
+	obj, exists, err := w.indexer.GetByKey(w.namespace + "/" + name)
+	if err != nil {
+		return result, err
+	}
+	if !exists {
+		return result, &kerrors.StatusError{ErrStatus: metav1.Status{
+			Status:  metav1.StatusFailure,
+			Code:    http.StatusNotFound,
+			Reason:  metav1.StatusReasonNotFound,
+			Message: fmt.Sprintf("%s not found", name),
+		}}
+	}
+	result = obj.(T)
+	return result, nil
+}
+
+type lister[T runtime.Object] struct {
+	indexer cache.Indexer
+}
+
+func (w lister[T]) List(selector labels.Selector) (ret []T, err error) {
+	err = cache.ListAll(w.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(T))
+	})
+	return ret, err
+}
+
+func (w lister[T]) Get(name string) (T, error) {
+	var result T
+
+	obj, exists, err := w.indexer.GetByKey(name)
+	if err != nil {
+		return result, err
+	}
+	if !exists {
+		// kerrors.StatusNotFound requires a GroupResource we cannot provide
+		return result, &kerrors.StatusError{ErrStatus: metav1.Status{
+			Status:  metav1.StatusFailure,
+			Code:    http.StatusNotFound,
+			Reason:  metav1.StatusReasonNotFound,
+			Message: fmt.Sprintf("%s not found", name),
+		}}
+	}
+	result = obj.(T)
+	return result, nil
+}
+
+func (w lister[T]) Namespaced(namespace string) NamespacedLister[T] {
+	return namespacedLister[T]{namespace: namespace, indexer: w.indexer}
+}
+
+func NewLister[T runtime.Object](indexer cache.Indexer) lister[T] {
+	return lister[T]{indexer: indexer}
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching/matching.go
@ -0,0 +1,192 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package matching
+
+import (
+	"fmt"
+
+	v1 "k8s.io/api/admissionregistration/v1"
+	"k8s.io/api/admissionregistration/v1alpha1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/client-go/kubernetes"
+	listersv1 "k8s.io/client-go/listers/core/v1"
+
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/namespace"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/object"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/predicates/rules"
+)
+
+type MatchCriteria interface {
+	namespace.NamespaceSelectorProvider
+	object.ObjectSelectorProvider
+
+	GetMatchResources() v1alpha1.MatchResources
+}
+
+// Matcher decides if a request matches against matchCriteria
+type Matcher struct {
+	namespaceMatcher *namespace.Matcher
+	objectMatcher    *object.Matcher
+}
+
+// NewMatcher initialize the matcher with dependencies requires
+func NewMatcher(
+	namespaceLister listersv1.NamespaceLister,
+	client kubernetes.Interface,
+) *Matcher {
+	return &Matcher{
+		namespaceMatcher: &namespace.Matcher{
+			NamespaceLister: namespaceLister,
+			Client:          client,
+		},
+		objectMatcher: &object.Matcher{},
+	}
+}
+
+// ValidateInitialization verify if the matcher is ready before use
+func (m *Matcher) ValidateInitialization() error {
+	if err := m.namespaceMatcher.Validate(); err != nil {
+		return fmt.Errorf("namespaceMatcher is not properly setup: %v", err)
+	}
+	return nil
+}
+
+func (m *Matcher) Matches(attr admission.Attributes, o admission.ObjectInterfaces, criteria MatchCriteria) (bool, schema.GroupVersionKind, error) {
+	matches, matchNsErr := m.namespaceMatcher.MatchNamespaceSelector(criteria, attr)
+	// Should not return an error here for policy which do not apply to the request, even if err is an unexpected scenario.
+	if !matches && matchNsErr == nil {
+		return false, schema.GroupVersionKind{}, nil
+	}
+
+	matches, matchObjErr := m.objectMatcher.MatchObjectSelector(criteria, attr)
+	// Should not return an error here for policy which do not apply to the request, even if err is an unexpected scenario.
+	if !matches && matchObjErr == nil {
+		return false, schema.GroupVersionKind{}, nil
+	}
+
+	matchResources := criteria.GetMatchResources()
+	matchPolicy := matchResources.MatchPolicy
+	if isExcluded, _, err := matchesResourceRules(matchResources.ExcludeResourceRules, matchPolicy, attr, o); isExcluded || err != nil {
+		return false, schema.GroupVersionKind{}, err
+	}
+
+	var (
+		isMatch   bool
+		matchKind schema.GroupVersionKind
+		matchErr  error
+	)
+	if len(matchResources.ResourceRules) == 0 {
+		isMatch = true
+		matchKind = attr.GetKind()
+	} else {
+		isMatch, matchKind, matchErr = matchesResourceRules(matchResources.ResourceRules, matchPolicy, attr, o)
+	}
+	if matchErr != nil {
+		return false, schema.GroupVersionKind{}, matchErr
+	}
+	if !isMatch {
+		return false, schema.GroupVersionKind{}, nil
+	}
+
+	// now that we know this applies to this request otherwise, if there were selector errors, return them
+	if matchNsErr != nil {
+		return false, schema.GroupVersionKind{}, matchNsErr
+	}
+	if matchObjErr != nil {
+		return false, schema.GroupVersionKind{}, matchObjErr
+	}
+
+	return true, matchKind, nil
+}
+
+func matchesResourceRules(namedRules []v1alpha1.NamedRuleWithOperations, matchPolicy *v1alpha1.MatchPolicyType, attr admission.Attributes, o admission.ObjectInterfaces) (bool, schema.GroupVersionKind, error) {
+	matchKind := attr.GetKind()
+	for _, namedRule := range namedRules {
+		rule := v1.RuleWithOperations(namedRule.RuleWithOperations)
+		ruleMatcher := rules.Matcher{
+			Rule: rule,
+			Attr: attr,
+		}
+		if !ruleMatcher.Matches() {
+			continue
+		}
+		// an empty name list always matches
+		if len(namedRule.ResourceNames) == 0 {
+			return true, matchKind, nil
+		}
+		// TODO: GetName() can return an empty string if the user is relying on
+		// the API server to generate the name... figure out what to do for this edge case
+		name := attr.GetName()
+		for _, matchedName := range namedRule.ResourceNames {
+			if name == matchedName {
+				return true, matchKind, nil
+			}
+		}
+	}
+
+	// if match policy is undefined or exact, don't perform fuzzy matching
+	// note that defaulting to fuzzy matching is set by the API
+	if matchPolicy == nil || *matchPolicy == v1alpha1.Exact {
+		return false, schema.GroupVersionKind{}, nil
+	}
+
+	attrWithOverride := &attrWithResourceOverride{Attributes: attr}
+	equivalents := o.GetEquivalentResourceMapper().EquivalentResourcesFor(attr.GetResource(), attr.GetSubresource())
+	for _, namedRule := range namedRules {
+		for _, equivalent := range equivalents {
+			if equivalent == attr.GetResource() {
+				// we have already checked the original resource
+				continue
+			}
+			attrWithOverride.resource = equivalent
+			rule := v1.RuleWithOperations(namedRule.RuleWithOperations)
+			m := rules.Matcher{
+				Rule: rule,
+				Attr: attrWithOverride,
+			}
+			if !m.Matches() {
+				continue
+			}
+			matchKind = o.GetEquivalentResourceMapper().KindFor(equivalent, attr.GetSubresource())
+			if matchKind.Empty() {
+				return false, schema.GroupVersionKind{}, fmt.Errorf("unable to convert to %v: unknown kind", equivalent)
+			}
+			// an empty name list always matches
+			if len(namedRule.ResourceNames) == 0 {
+				return true, matchKind, nil
+			}
+
+			// TODO: GetName() can return an empty string if the user is relying on
+			// the API server to generate the name... figure out what to do for this edge case
+			name := attr.GetName()
+			for _, matchedName := range namedRule.ResourceNames {
+				if name == matchedName {
+					return true, matchKind, nil
+				}
+			}
+		}
+	}
+	return false, schema.GroupVersionKind{}, nil
+}
+
+type attrWithResourceOverride struct {
+	admission.Attributes
+	resource schema.GroupVersionResource
+}
+
+func (a *attrWithResourceOverride) GetResource() schema.GroupVersionResource { return a.resource }
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/policy_decision.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/policy_decision.go
@ -0,0 +1,70 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingadmissionpolicy
+
+import (
+	"net/http"
+	"time"
+
+	"k8s.io/api/admissionregistration/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type policyDecisionAction string
+
+const (
+	actionAdmit policyDecisionAction = "admit"
+	actionDeny  policyDecisionAction = "deny"
+)
+
+type policyDecisionEvaluation string
+
+const (
+	evalAdmit policyDecisionEvaluation = "admit"
+	evalError policyDecisionEvaluation = "error"
+	evalDeny  policyDecisionEvaluation = "deny"
+)
+
+type policyDecision struct {
+	action     policyDecisionAction
+	evaluation policyDecisionEvaluation
+	message    string
+	reason     metav1.StatusReason
+	elapsed    time.Duration
+}
+
+type policyDecisionWithMetadata struct {
+	policyDecision
+	definition *v1alpha1.ValidatingAdmissionPolicy
+	binding    *v1alpha1.ValidatingAdmissionPolicyBinding
+}
+
+func reasonToCode(r metav1.StatusReason) int32 {
+	switch r {
+	case metav1.StatusReasonForbidden:
+		return http.StatusForbidden
+	case metav1.StatusReasonUnauthorized:
+		return http.StatusUnauthorized
+	case metav1.StatusReasonRequestEntityTooLarge:
+		return http.StatusRequestEntityTooLarge
+	case metav1.StatusReasonInvalid:
+		return http.StatusUnprocessableEntity
+	default:
+		// It should not reach here since we only allow above reason to be set from API level
+		return http.StatusUnprocessableEntity
+	}
+}
--- a/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator.go
+++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator.go
@ -0,0 +1,318 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validatingadmissionpolicy
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"time"
+
+	celtypes "github.com/google/cel-go/common/types"
+	"github.com/google/cel-go/interpreter"
+
+	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/api/admissionregistration/v1alpha1"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/matching"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/generic"
+)
+
+var _ ValidatorCompiler = &CELValidatorCompiler{}
+var _ matching.MatchCriteria = &matchCriteria{}
+
+type matchCriteria struct {
+	constraints *v1alpha1.MatchResources
+}
+
+// GetParsedNamespaceSelector returns the converted LabelSelector which implements labels.Selector
+func (m *matchCriteria) GetParsedNamespaceSelector() (labels.Selector, error) {
+	return metav1.LabelSelectorAsSelector(m.constraints.NamespaceSelector)
+}
+
+// GetParsedObjectSelector returns the converted LabelSelector which implements labels.Selector
+func (m *matchCriteria) GetParsedObjectSelector() (labels.Selector, error) {
+	return metav1.LabelSelectorAsSelector(m.constraints.ObjectSelector)
+}
+
+// GetMatchResources returns the matchConstraints
+func (m *matchCriteria) GetMatchResources() v1alpha1.MatchResources {
+	return *m.constraints
+}
+
+// CELValidatorCompiler implement the interface ValidatorCompiler.
+type CELValidatorCompiler struct {
+	Matcher *matching.Matcher
+}
+
+// DefinitionMatches returns whether this ValidatingAdmissionPolicy matches the provided admission resource request
+func (c *CELValidatorCompiler) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition *v1alpha1.ValidatingAdmissionPolicy) (bool, schema.GroupVersionKind, error) {
+	criteria := matchCriteria{constraints: definition.Spec.MatchConstraints}
+	return c.Matcher.Matches(a, o, &criteria)
+}
+
+// BindingMatches returns whether this ValidatingAdmissionPolicyBinding matches the provided admission resource request
+func (c *CELValidatorCompiler) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding *v1alpha1.ValidatingAdmissionPolicyBinding) (bool, error) {
+	if binding.Spec.MatchResources == nil {
+		return true, nil
+	}
+	criteria := matchCriteria{constraints: binding.Spec.MatchResources}
+	isMatch, _, err := c.Matcher.Matches(a, o, &criteria)
+	return isMatch, err
+}
+
+// ValidateInitialization checks if Matcher is initialized.
+func (c *CELValidatorCompiler) ValidateInitialization() error {
+	return c.Matcher.ValidateInitialization()
+}
+
+type validationActivation struct {
+	object, oldObject, params, request interface{}
+}
+
+// ResolveName returns a value from the activation by qualified name, or false if the name
+// could not be found.
+func (a *validationActivation) ResolveName(name string) (interface{}, bool) {
+	switch name {
+	case ObjectVarName:
+		return a.object, true
+	case OldObjectVarName:
+		return a.oldObject, true
+	case ParamsVarName:
+		return a.params, true
+	case RequestVarName:
+		return a.request, true
+	default:
+		return nil, false
+	}
+}
+
+// Parent returns the parent of the current activation, may be nil.
+// If non-nil, the parent will be searched during resolve calls.
+func (a *validationActivation) Parent() interpreter.Activation {
+	return nil
+}
+
+// Compile compiles the cel expression defined in ValidatingAdmissionPolicy
+func (c *CELValidatorCompiler) Compile(p *v1alpha1.ValidatingAdmissionPolicy) Validator {
+	if len(p.Spec.Validations) == 0 {
+		return nil
+	}
+	hasParam := false
+	if p.Spec.ParamKind != nil {
+		hasParam = true
+	}
+	compilationResults := make([]CompilationResult, len(p.Spec.Validations))
+	for i, validation := range p.Spec.Validations {
+		compilationResults[i] = CompileValidatingPolicyExpression(validation.Expression, hasParam)
+	}
+	return &CELValidator{policy: p, compilationResults: compilationResults}
+}
+
+// CELValidator implements the Validator interface
+type CELValidator struct {
+	policy             *v1alpha1.ValidatingAdmissionPolicy
+	compilationResults []CompilationResult
+}
+
+func convertObjectToUnstructured(obj interface{}) (*unstructured.Unstructured, error) {
+	if obj == nil || reflect.ValueOf(obj).IsNil() {
+		return &unstructured.Unstructured{Object: nil}, nil
+	}
+	ret, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
+	if err != nil {
+		return nil, err
+	}
+	return &unstructured.Unstructured{Object: ret}, nil
+}
+
+func objectToResolveVal(r runtime.Object) (interface{}, error) {
+	if r == nil || reflect.ValueOf(r).IsNil() {
+		return nil, nil
+	}
+	v, err := convertObjectToUnstructured(r)
+	if err != nil {
+		return nil, err
+	}
+	return v.Object, nil
+}
+
+func policyDecisionActionForError(f v1alpha1.FailurePolicyType) policyDecisionAction {
+	if f == v1alpha1.Ignore {
+		return actionAdmit
+	}
+	return actionDeny
+}
+
+// Validate validates all cel expressions in Validator and returns a PolicyDecision for each CEL expression or returns an error.
+// An error will be returned if failed to convert the object/oldObject/params/request to unstructured.
+// Each PolicyDecision will have a decision and a message.
+// policyDecision.message will be empty if the decision is allowed and no error met.
+func (v *CELValidator) Validate(a admission.Attributes, o admission.ObjectInterfaces, versionedParams runtime.Object, matchKind schema.GroupVersionKind) ([]policyDecision, error) {
+	// TODO: replace unstructured with ref.Val for CEL variables when native type support is available
+
+	decisions := make([]policyDecision, len(v.compilationResults))
+	var err error
+	versionedAttr, err := generic.NewVersionedAttributes(a, matchKind, o)
+	if err != nil {
+		return nil, err
+	}
+	oldObjectVal, err := objectToResolveVal(versionedAttr.VersionedOldObject)
+	if err != nil {
+		return nil, err
+	}
+	objectVal, err := objectToResolveVal(versionedAttr.VersionedObject)
+	if err != nil {
+		return nil, err
+	}
+	paramsVal, err := objectToResolveVal(versionedParams)
+	if err != nil {
+		return nil, err
+	}
+	request := createAdmissionRequest(versionedAttr.Attributes)
+	requestVal, err := convertObjectToUnstructured(request)
+	if err != nil {
+		return nil, err
+	}
+	va := &validationActivation{
+		object:    objectVal,
+		oldObject: oldObjectVal,
+		params:    paramsVal,
+		request:   requestVal.Object,
+	}
+
+	var f v1alpha1.FailurePolicyType
+	if v.policy.Spec.FailurePolicy == nil {
+		f = v1alpha1.Fail
+	} else {
+		f = *v.policy.Spec.FailurePolicy
+	}
+
+	for i, compilationResult := range v.compilationResults {
+		validation := v.policy.Spec.Validations[i]
+
+		var policyDecision = &decisions[i]
+
+		if compilationResult.Error != nil {
+			policyDecision.action = policyDecisionActionForError(f)
+			policyDecision.evaluation = evalError
+			policyDecision.message = fmt.Sprintf("compilation error: %v", compilationResult.Error)
+			continue
+		}
+		if compilationResult.Program == nil {
+			policyDecision.action = policyDecisionActionForError(f)
+			policyDecision.evaluation = evalError
+			policyDecision.message = "unexpected internal error compiling expression"
+			continue
+		}
+		t1 := time.Now()
+		evalResult, _, err := compilationResult.Program.Eval(va)
+		elapsed := time.Since(t1)
+		policyDecision.elapsed = elapsed
+		if err != nil {
+			policyDecision.action = policyDecisionActionForError(f)
+			policyDecision.evaluation = evalError
+			policyDecision.message = fmt.Sprintf("expression '%v' resulted in error: %v", v.policy.Spec.Validations[i].Expression, err)
+		} else if evalResult != celtypes.True {
+			policyDecision.action = actionDeny
+			if validation.Reason == nil {
+				policyDecision.reason = metav1.StatusReasonInvalid
+			} else {
+				policyDecision.reason = *validation.Reason
+			}
+			if len(validation.Message) > 0 {
+				policyDecision.message = strings.TrimSpace(validation.Message)
+			} else {
+				policyDecision.message = fmt.Sprintf("failed expression: %v", strings.TrimSpace(validation.Expression))
+			}
+
+		} else {
+			policyDecision.action = actionAdmit
+			policyDecision.evaluation = evalAdmit
+		}
+	}
+
+	return decisions, nil
+}
+
+func createAdmissionRequest(attr admission.Attributes) *admissionv1.AdmissionRequest {
+	// FIXME: how to get resource GVK, GVR and subresource?
+	gvk := attr.GetKind()
+	gvr := attr.GetResource()
+	subresource := attr.GetSubresource()
+
+	requestGVK := attr.GetKind()
+	requestGVR := attr.GetResource()
+	requestSubResource := attr.GetSubresource()
+
+	aUserInfo := attr.GetUserInfo()
+	var userInfo authenticationv1.UserInfo
+	if aUserInfo != nil {
+		userInfo = authenticationv1.UserInfo{
+			Extra:    make(map[string]authenticationv1.ExtraValue),
+			Groups:   aUserInfo.GetGroups(),
+			UID:      aUserInfo.GetUID(),
+			Username: aUserInfo.GetName(),
+		}
+		// Convert the extra information in the user object
+		for key, val := range aUserInfo.GetExtra() {
+			userInfo.Extra[key] = authenticationv1.ExtraValue(val)
+		}
+	}
+
+	dryRun := attr.IsDryRun()
+
+	return &admissionv1.AdmissionRequest{
+		Kind: metav1.GroupVersionKind{
+			Group:   gvk.Group,
+			Kind:    gvk.Kind,
+			Version: gvk.Version,
+		},
+		Resource: metav1.GroupVersionResource{
+			Group:    gvr.Group,
+			Resource: gvr.Resource,
+			Version:  gvr.Version,
+		},
+		SubResource: subresource,
+		RequestKind: &metav1.GroupVersionKind{
+			Group:   requestGVK.Group,
+			Kind:    requestGVK.Kind,
+			Version: requestGVK.Version,
+		},
+		RequestResource: &metav1.GroupVersionResource{
+			Group:    requestGVR.Group,
+			Resource: requestGVR.Resource,
+			Version:  requestGVR.Version,
+		},
+		RequestSubResource: requestSubResource,
+		Name:               attr.GetName(),
+		Namespace:          attr.GetNamespace(),
+		Operation:          admissionv1.Operation(attr.GetOperation()),
+		UserInfo:           userInfo,
+		// Leave Object and OldObject unset since we don't provide access to them via request
+		DryRun: &dryRun,
+		Options: runtime.RawExtension{
+			Object: attr.GetOperationOptions(),
+		},
+	}
+}