rebase: update kubernetes to latest

updating the kubernetes release to the
latest in main go.mod

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/internal/generic/controller.go

@@ -40,7 +40,7 @@ var _ Controller[runtime.Object] = &controller[runtime.Object]{}
 
 type controller[T runtime.Object] struct {
 	informer Informer[T]
-	queue    workqueue.RateLimitingInterface
+	queue    workqueue.TypedRateLimitingInterface[string]
 
 	// Returns an error if there was a transient error during reconciliation
 	// and the object should be tried again later.
@@ -99,7 +99,10 @@ func (c *controller[T]) Run(ctx context.Context) error {
 	klog.Infof("starting %s", c.options.Name)
 	defer klog.Infof("stopping %s", c.options.Name)
 
-	c.queue = workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), c.options.Name)
+	c.queue = workqueue.NewTypedRateLimitingQueueWithConfig(
+		workqueue.DefaultTypedControllerRateLimiter[string](),
+		workqueue.TypedRateLimitingQueueConfig[string]{Name: c.options.Name},
+	)
 
 	// Forcefully shutdown workqueue. Drop any enqueued items.
 	// Important to do this in a `defer` at the start of `Run`.
@@ -219,7 +222,7 @@ func (c *controller[T]) runWorker() {
 		}
 
 		// We wrap this block in a func so we can defer c.workqueue.Done.
-		err := func(obj interface{}) error {
+		err := func(obj string) error {
 			// We call Done here so the workqueue knows we have finished
 			// processing this item. We also must remember to call Forget if we
 			// do not want this work item being re-queued. For example, we do
@@ -227,19 +230,6 @@ func (c *controller[T]) runWorker() {
 			// put back on the workqueue and attempted again after a back-off
 			// period.
 			defer c.queue.Done(obj)
-			var key string
-			var ok bool
-			// We expect strings to come off the workqueue. These are of the
-			// form namespace/name. We do this as the delayed nature of the
-			// workqueue means the items in the informer cache may actually be
-			// more up to date that when the item was initially put onto the
-			// workqueue.
-			if key, ok = obj.(string); !ok {
-				// How did an incorrectly formatted key get in the workqueue?
-				// Done is sufficient. (Forget resets rate limiter for the key,
-				// but the key is invalid so there is no point in doing that)
-				return fmt.Errorf("expected string in workqueue but got %#v", obj)
-			}
 			defer c.hasProcessed.Finished(key)
 
 			if err := c.reconcile(key); err != nil {

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/caching_authorizer.go

@@ -22,6 +22,8 @@ import (
 	"sort"
 	"strings"
 
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 )
@@ -58,6 +60,8 @@ var _ authorizer.Attributes = (interface {
 	GetAPIVersion() string
 	IsResourceRequest() bool
 	GetPath() string
+	GetFieldSelector() (fields.Requirements, error)
+	GetLabelSelector() (labels.Requirements, error)
 })(nil)
 
 // The user info accessors known to cache key construction. If this fails to compile, the cache
@@ -72,16 +76,31 @@ var _ user.Info = (interface {
 // Authorize returns an authorization decision by delegating to another Authorizer. If an equivalent
 // check has already been performed, a cached result is returned. Not safe for concurrent use.
 func (ca *cachingAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
-	serializableAttributes := authorizer.AttributesRecord{
-		Verb:            a.GetVerb(),
-		Namespace:       a.GetNamespace(),
-		APIGroup:        a.GetAPIGroup(),
-		APIVersion:      a.GetAPIVersion(),
-		Resource:        a.GetResource(),
-		Subresource:     a.GetSubresource(),
-		Name:            a.GetName(),
-		ResourceRequest: a.IsResourceRequest(),
-		Path:            a.GetPath(),
+	type SerializableAttributes struct {
+		authorizer.AttributesRecord
+		LabelSelector string
+	}
+
+	serializableAttributes := SerializableAttributes{
+		AttributesRecord: authorizer.AttributesRecord{
+			Verb:            a.GetVerb(),
+			Namespace:       a.GetNamespace(),
+			APIGroup:        a.GetAPIGroup(),
+			APIVersion:      a.GetAPIVersion(),
+			Resource:        a.GetResource(),
+			Subresource:     a.GetSubresource(),
+			Name:            a.GetName(),
+			ResourceRequest: a.IsResourceRequest(),
+			Path:            a.GetPath(),
+		},
+	}
+	// in the error case, we won't honor this field selector, so the cache doesn't need it.
+	if fieldSelector, err := a.GetFieldSelector(); len(fieldSelector) > 0 {
+		serializableAttributes.FieldSelectorRequirements, serializableAttributes.FieldSelectorParsingErr = fieldSelector, err
+	}
+	if labelSelector, _ := a.GetLabelSelector(); len(labelSelector) > 0 {
+		// the labels requirements have private elements so those don't help us serialize to a unique key
+		serializableAttributes.LabelSelector = labelSelector.String()
 	}
 
 	if u := a.GetUser(); u != nil {

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/dispatcher.go

@@ -223,7 +223,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm
 					switch decision.Action {
 					case ActionAdmit:
 						if decision.Evaluation == EvalError {
-							celmetrics.Metrics.ObserveAdmissionWithError(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
+							celmetrics.Metrics.ObserveAdmission(ctx, decision.Elapsed, definition.Name, binding.Name, ErrorType(&decision))
 						}
 					case ActionDeny:
 						for _, action := range binding.Spec.ValidationActions {
@@ -234,13 +234,13 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm
 									Binding:        binding,
 									PolicyDecision: decision,
 								})
-								celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
+								celmetrics.Metrics.ObserveRejection(ctx, decision.Elapsed, definition.Name, binding.Name, ErrorType(&decision))
 							case admissionregistrationv1.Audit:
 								publishValidationFailureAnnotation(binding, i, decision, versionedAttr)
-								celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
+								celmetrics.Metrics.ObserveAudit(ctx, decision.Elapsed, definition.Name, binding.Name, ErrorType(&decision))
 							case admissionregistrationv1.Warn:
 								warning.AddWarning(ctx, "", fmt.Sprintf("Validation failed for ValidatingAdmissionPolicy '%s' with binding '%s': %s", definition.Name, binding.Name, decision.Message))
-								celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name, "active")
+								celmetrics.Metrics.ObserveWarn(ctx, decision.Elapsed, definition.Name, binding.Name, ErrorType(&decision))
 							}
 						}
 					default:
@@ -259,7 +259,7 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm
 						auditAnnotationCollector.add(auditAnnotation.Key, value)
 					case AuditAnnotationActionError:
 						// When failurePolicy=fail, audit annotation errors result in deny
-						deniedDecisions = append(deniedDecisions, policyDecisionWithMetadata{
+						d := policyDecisionWithMetadata{
 							Definition: definition,
 							Binding:    binding,
 							PolicyDecision: PolicyDecision{
@@ -268,8 +268,9 @@ func (c *dispatcher) Dispatch(ctx context.Context, a admission.Attributes, o adm
 								Message:    auditAnnotation.Error,
 								Elapsed:    auditAnnotation.Elapsed,
 							},
-						})
-						celmetrics.Metrics.ObserveRejection(ctx, auditAnnotation.Elapsed, definition.Name, binding.Name, "active")
+						}
+						deniedDecisions = append(deniedDecisions, d)
+						celmetrics.Metrics.ObserveRejection(ctx, auditAnnotation.Elapsed, definition.Name, binding.Name, ErrorType(&d.PolicyDecision))
 					case AuditAnnotationActionExclude: // skip it
 					default:
 						return fmt.Errorf("unsupported AuditAnnotation Action: %s", auditAnnotation.Action)

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/errors.go

@@ -0,0 +1,38 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validating
+
+import (
+	"strings"
+
+	celmetrics "k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics"
+)
+
+// ErrorType decodes the error to determine the error type
+// that the metrics understand.
+func ErrorType(decision *PolicyDecision) celmetrics.ValidationErrorType {
+	if decision.Evaluation == EvalAdmit {
+		return celmetrics.ValidationNoError
+	}
+	if strings.HasPrefix(decision.Message, "compilation") {
+		return celmetrics.ValidationCompileError
+	}
+	if strings.HasPrefix(decision.Message, "validation failed due to running out of cost budget") {
+		return celmetrics.ValidatingOutOfBudget
+	}
+	return celmetrics.ValidatingInvalidError
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/errors.go

@@ -0,0 +1,38 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cel
+
+import (
+	"errors"
+
+	apiservercel "k8s.io/apiserver/pkg/cel"
+)
+
+// ErrorType decodes the error to determine the error type
+// that the metrics understand.
+func ErrorType(err error) ValidationErrorType {
+	if err == nil {
+		return ValidationNoError
+	}
+	if errors.Is(err, apiservercel.ErrCompilation) {
+		return ValidationCompileError
+	}
+	if errors.Is(err, apiservercel.ErrOutOfBudget) {
+		return ValidatingOutOfBudget
+	}
+	return ValidatingInvalidError
+}

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/metrics/metrics.go

@@ -29,6 +29,22 @@ const (
 	metricsSubsystem = "validating_admission_policy"
 )
 
+// ValidationErrorType defines different error types that happen to a validation expression
+type ValidationErrorType string
+
+const (
+	// ValidationCompileError indicates that the expression fails to compile.
+	ValidationCompileError ValidationErrorType = "compile_error"
+	// ValidatingInvalidError indicates that the expression fails due to internal
+	// errors that are out of the control of the user.
+	ValidatingInvalidError ValidationErrorType = "invalid_error"
+	// ValidatingOutOfBudget indicates that the expression fails due to running
+	// out of cost budget, or the budget cannot be obtained.
+	ValidatingOutOfBudget ValidationErrorType = "out_of_budget"
+	// ValidationNoError indicates that the expression returns without an error.
+	ValidationNoError ValidationErrorType = "no_error"
+)
+
 var (
 	// Metrics provides access to validation admission metrics.
 	Metrics = newValidationAdmissionMetrics()
@@ -36,9 +52,8 @@ var (
 
 // ValidatingAdmissionPolicyMetrics aggregates Prometheus metrics related to validation admission control.
 type ValidatingAdmissionPolicyMetrics struct {
-	policyCheck      *metrics.CounterVec
-	policyDefinition *metrics.CounterVec
-	policyLatency    *metrics.HistogramVec
+	policyCheck   *metrics.CounterVec
+	policyLatency *metrics.HistogramVec
 }
 
 func newValidationAdmissionMetrics() *ValidatingAdmissionPolicyMetrics {
@@ -47,25 +62,16 @@ func newValidationAdmissionMetrics() *ValidatingAdmissionPolicyMetrics {
 			Namespace:      metricsNamespace,
 			Subsystem:      metricsSubsystem,
 			Name:           "check_total",
-			Help:           "Validation admission policy check total, labeled by policy and further identified by binding, enforcement action taken, and state.",
-			StabilityLevel: metrics.ALPHA,
+			Help:           "Validation admission policy check total, labeled by policy and further identified by binding and enforcement action taken.",
+			StabilityLevel: metrics.BETA,
 		},
-		[]string{"policy", "policy_binding", "enforcement_action", "state"},
-	)
-	definition := metrics.NewCounterVec(&metrics.CounterOpts{
-		Namespace:      metricsNamespace,
-		Subsystem:      metricsSubsystem,
-		Name:           "definition_total",
-		Help:           "Validation admission policy count total, labeled by state and enforcement action.",
-		StabilityLevel: metrics.ALPHA,
-	},
-		[]string{"state", "enforcement_action"},
+		[]string{"policy", "policy_binding", "error_type", "enforcement_action"},
 	)
 	latency := metrics.NewHistogramVec(&metrics.HistogramOpts{
 		Namespace: metricsNamespace,
 		Subsystem: metricsSubsystem,
 		Name:      "check_duration_seconds",
-		Help:      "Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding, state and enforcement action taken.",
+		Help:      "Validation admission latency for individual validation expressions in seconds, labeled by policy and further including binding and enforcement action taken.",
 		// the bucket distribution here is based oo the benchmark suite at
 		// github.com/DangerOnTheRanger/cel-benchmark performed on 16-core Intel Xeon
 		// the lowest bucket was based around the 180ns/op figure for BenchmarkAccess,
@@ -75,49 +81,42 @@ func newValidationAdmissionMetrics() *ValidatingAdmissionPolicyMetrics {
 		// around 760ms, so that bucket should only ever have the slowest CEL expressions
 		// in it
 		Buckets:        []float64{0.0000005, 0.001, 0.01, 0.1, 1.0},
-		StabilityLevel: metrics.ALPHA,
+		StabilityLevel: metrics.BETA,
 	},
-		[]string{"policy", "policy_binding", "enforcement_action", "state"},
+		[]string{"policy", "policy_binding", "error_type", "enforcement_action"},
 	)
 
 	legacyregistry.MustRegister(check)
-	legacyregistry.MustRegister(definition)
 	legacyregistry.MustRegister(latency)
-	return &ValidatingAdmissionPolicyMetrics{policyCheck: check, policyDefinition: definition, policyLatency: latency}
+	return &ValidatingAdmissionPolicyMetrics{policyCheck: check, policyLatency: latency}
 }
 
 // Reset resets all validation admission-related Prometheus metrics.
 func (m *ValidatingAdmissionPolicyMetrics) Reset() {
 	m.policyCheck.Reset()
-	m.policyDefinition.Reset()
 	m.policyLatency.Reset()
 }
 
-// ObserveDefinition observes a policy definition.
-func (m *ValidatingAdmissionPolicyMetrics) ObserveDefinition(ctx context.Context, state, enforcementAction string) {
-	m.policyDefinition.WithContext(ctx).WithLabelValues(state, enforcementAction).Inc()
-}
-
-// ObserveAdmissionWithError observes a policy validation error that was ignored due to failure policy.
-func (m *ValidatingAdmissionPolicyMetrics) ObserveAdmissionWithError(ctx context.Context, elapsed time.Duration, policy, binding, state string) {
-	m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "allow", state).Inc()
-	m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "allow", state).Observe(elapsed.Seconds())
+// ObserveAdmission observes a policy validation, with an optional error to indicate the error that may occur but ignored.
+func (m *ValidatingAdmissionPolicyMetrics) ObserveAdmission(ctx context.Context, elapsed time.Duration, policy, binding string, errorType ValidationErrorType) {
+	m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, string(errorType), "allow").Inc()
+	m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, string(errorType), "allow").Observe(elapsed.Seconds())
 }
 
 // ObserveRejection observes a policy validation error that was at least one of the reasons for a deny.
-func (m *ValidatingAdmissionPolicyMetrics) ObserveRejection(ctx context.Context, elapsed time.Duration, policy, binding, state string) {
-	m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "deny", state).Inc()
-	m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "deny", state).Observe(elapsed.Seconds())
+func (m *ValidatingAdmissionPolicyMetrics) ObserveRejection(ctx context.Context, elapsed time.Duration, policy, binding string, errorType ValidationErrorType) {
+	m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, string(errorType), "deny").Inc()
+	m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, string(errorType), "deny").Observe(elapsed.Seconds())
 }
 
 // ObserveAudit observes a policy validation audit annotation was published for a validation failure.
-func (m *ValidatingAdmissionPolicyMetrics) ObserveAudit(ctx context.Context, elapsed time.Duration, policy, binding, state string) {
-	m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "audit", state).Inc()
-	m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "audit", state).Observe(elapsed.Seconds())
+func (m *ValidatingAdmissionPolicyMetrics) ObserveAudit(ctx context.Context, elapsed time.Duration, policy, binding string, errorType ValidationErrorType) {
+	m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, string(errorType), "audit").Inc()
+	m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, string(errorType), "audit").Observe(elapsed.Seconds())
 }
 
 // ObserveWarn observes a policy validation warning was published for a validation failure.
-func (m *ValidatingAdmissionPolicyMetrics) ObserveWarn(ctx context.Context, elapsed time.Duration, policy, binding, state string) {
-	m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, "warn", state).Inc()
-	m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, "warn", state).Observe(elapsed.Seconds())
+func (m *ValidatingAdmissionPolicyMetrics) ObserveWarn(ctx context.Context, elapsed time.Duration, policy, binding string, errorType ValidationErrorType) {
+	m.policyCheck.WithContext(ctx).WithLabelValues(policy, binding, string(errorType), "warn").Inc()
+	m.policyLatency.WithContext(ctx).WithLabelValues(policy, binding, string(errorType), "warn").Observe(elapsed.Seconds())
 }

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/plugin.go

@@ -19,6 +19,7 @@ package validating
 import (
 	"context"
 	"io"
+	"sync"
 
 	v1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -44,24 +45,35 @@ const (
 )
 
 var (
-	compositionEnvTemplateWithStrictCost *cel.CompositionEnv = func() *cel.CompositionEnv {
-		compositionEnvTemplateWithStrictCost, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
-		if err != nil {
-			panic(err)
-		}
+	lazyCompositionEnvTemplateWithStrictCostInit sync.Once
+	lazyCompositionEnvTemplateWithStrictCost     *cel.CompositionEnv
 
-		return compositionEnvTemplateWithStrictCost
-	}()
-	compositionEnvTemplateWithoutStrictCost *cel.CompositionEnv = func() *cel.CompositionEnv {
-		compositionEnvTemplateWithoutStrictCost, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), false))
-		if err != nil {
-			panic(err)
-		}
-
-		return compositionEnvTemplateWithoutStrictCost
-	}()
+	lazyCompositionEnvTemplateWithoutStrictCostInit sync.Once
+	lazyCompositionEnvTemplateWithoutStrictCost     *cel.CompositionEnv
 )
 
+func getCompositionEnvTemplateWithStrictCost() *cel.CompositionEnv {
+	lazyCompositionEnvTemplateWithStrictCostInit.Do(func() {
+		env, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true))
+		if err != nil {
+			panic(err)
+		}
+		lazyCompositionEnvTemplateWithStrictCost = env
+	})
+	return lazyCompositionEnvTemplateWithStrictCost
+}
+
+func getCompositionEnvTemplateWithoutStrictCost() *cel.CompositionEnv {
+	lazyCompositionEnvTemplateWithoutStrictCostInit.Do(func() {
+		env, err := cel.NewCompositionEnv(cel.VariablesTypeName, environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), false))
+		if err != nil {
+			panic(err)
+		}
+		lazyCompositionEnvTemplateWithoutStrictCost = env
+	})
+	return lazyCompositionEnvTemplateWithoutStrictCost
+}
+
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(configFile io.Reader) (admission.Interface, error) {
@@ -131,9 +143,9 @@ func compilePolicy(policy *Policy) Validator {
 	matchConditions := policy.Spec.MatchConditions
 	var compositionEnvTemplate *cel.CompositionEnv
 	if strictCost {
-		compositionEnvTemplate = compositionEnvTemplateWithStrictCost
+		compositionEnvTemplate = getCompositionEnvTemplateWithStrictCost()
 	} else {
-		compositionEnvTemplate = compositionEnvTemplateWithoutStrictCost
+		compositionEnvTemplate = getCompositionEnvTemplateWithoutStrictCost()
 	}
 	filterCompiler := cel.NewCompositedCompilerFromTemplate(compositionEnvTemplate)
 	filterCompiler.CompileAndStoreVariables(convertv1beta1Variables(policy.Spec.Variables), optionalVars, environment.StoredExpressions)

vendor/k8s.io/apiserver/pkg/admission/plugin/policy/validating/validator.go

@@ -18,6 +18,7 @@ package validating
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 
@@ -132,19 +133,14 @@ func (v *validator) Validate(ctx context.Context, matchedResource schema.GroupVe
 		}
 
 		var messageResult *cel.EvaluationResult
-		var messageError *apiservercel.Error
 		if len(messageResults) > i {
 			messageResult = &messageResults[i]
 		}
-		messageError, _ = err.(*apiservercel.Error)
 		if evalResult.Error != nil {
 			decision.Action = policyDecisionActionForError(f)
 			decision.Evaluation = EvalError
 			decision.Message = evalResult.Error.Error()
-		} else if messageError != nil &&
-			(messageError.Type == apiservercel.ErrorTypeInternal ||
-				(messageError.Type == apiservercel.ErrorTypeInvalid &&
-					strings.HasPrefix(messageError.Detail, "validation failed due to running out of cost budget"))) {
+		} else if errors.Is(err, apiservercel.ErrInternal) || errors.Is(err, apiservercel.ErrOutOfBudget) {
 			decision.Action = policyDecisionActionForError(f)
 			decision.Evaluation = EvalError
 			decision.Message = fmt.Sprintf("failed messageExpression: %s", err)