Merge pull request #371 from fabriziosestito/fix/get-policy-by-namespace

fix: correct logic for retrieving cluster admission policies targeting a specific namespace
kubewarden · Sep 17, 2024 · 06e3c5e · 06e3c5e
2 parents 0a5436b + 4710db8
commit 06e3c5e
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 102 deletions.
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
@@ -58,7 +58,7 @@ For each namespace, the code invokes the `ScanNamespace` method.
 
 > **Important:** this part of the code is parallelized. The number of parallel policies to be evaluated is configured with the `--parallel-namespaces` flag.
 
-The code uses the `GetPoliciesForANamespace` method
+The code uses the `GetPoliciesByNamespace` method
 to build a map with the Kubernetes resource as key, and the policies targeting that resource as value.
 This map is similar to the one created for the cluster-wide resources. However, in this case, the types of policies associated with a Kubernetes
 resource could be both `ClusterAdmissionPolicy` and `NamespaceAdmissionPolicy`.

diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.23.0
 
 require (
 	github.com/google/uuid v1.6.0
-	github.com/kubewarden/kubewarden-controller v1.17.0-rc2
+	github.com/kubewarden/kubewarden-controller v1.17.0-rc2.0.20240917061215-5c7cf92af031
 	github.com/rs/zerolog v1.33.0
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
@@ -60,23 +60,23 @@ require (
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/net v0.29.0 // indirect
 	golang.org/x/oauth2 v0.22.0 // indirect
-	golang.org/x/sys v0.24.0 // indirect
-	golang.org/x/term v0.23.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/term v0.24.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.31.0 // indirect
-	k8s.io/apiserver v0.31.0 // indirect
-	k8s.io/component-base v0.31.0 // indirect
+	k8s.io/apiserver v0.31.1 // indirect
+	k8s.io/component-base v0.31.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240620174524-b456828f718b // indirect
 	k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3 // indirect

diff --git a/go.sum b/go.sum
@@ -308,8 +308,8 @@ github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubewarden/kubewarden-controller v1.17.0-rc2 h1:283rnN6wI8w18fx2kJWMVFhBpgzEh9jF4NibU5a8pOU=
-github.com/kubewarden/kubewarden-controller v1.17.0-rc2/go.mod h1:RexOswos6WeLaQwoF8pdyDaL7kw4Ae2nFDmgBfJy85g=
+github.com/kubewarden/kubewarden-controller v1.17.0-rc2.0.20240917061215-5c7cf92af031 h1:mnHzr+IJMhTUdMGM/LpYRf1njOLHmjYUffWQ+O6+Bpc=
+github.com/kubewarden/kubewarden-controller v1.17.0-rc2.0.20240917061215-5c7cf92af031/go.mod h1:A5wSmXoDqKfvVgZ5haXzR+0RJTI1bMDPywOwPx2gPEE=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -533,8 +533,8 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
+golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -592,19 +592,19 @@ golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
-golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
+golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -694,10 +694,10 @@ google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo=
-google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd h1:6TEm2ZxXoQmFWFlt1vNxvVOa1Q0dXFQD1m/rYjXmS0E=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc=
+google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -755,32 +755,26 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI=
 k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
-k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo=
-k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE=
 k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU=
 k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI=
 k8s.io/apiextensions-apiserver v0.18.6/go.mod h1:lv89S7fUysXjLZO7ke783xOwVTm6lKizADfvUM/SS/M=
 k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk=
 k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk=
 k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
 k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
-k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc=
-k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U=
 k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/apiserver v0.18.6/go.mod h1:Zt2XvTHuaZjBz6EFYzpp+X4hTmgWGy8AthNVnTdm3Wg=
-k8s.io/apiserver v0.31.0 h1:p+2dgJjy+bk+B1Csz+mc2wl5gHwvNkC9QJV+w55LVrY=
-k8s.io/apiserver v0.31.0/go.mod h1:KI9ox5Yu902iBnnyMmy7ajonhKnkeZYJhTZ/YI+WEMk=
+k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c=
+k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM=
 k8s.io/client-go v0.18.6/go.mod h1:/fwtGLjYMS1MaM5oi+eXhKwG+1UHidUEXRh6cNsdO0Q=
 k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
-k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8=
-k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU=
 k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0=
 k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg=
 k8s.io/code-generator v0.18.6/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c=
 k8s.io/component-base v0.18.6/go.mod h1:knSVsibPR5K6EW2XOjEHik6sdU5nCvKMrzMt2D4In14=
-k8s.io/component-base v0.31.0 h1:/KIzGM5EvPNQcYgwq5NwoQBaOlVFrghoVGr8lG6vNRs=
-k8s.io/component-base v0.31.0/go.mod h1:TYVuzI1QmN4L5ItVdMSXKvH7/DtvIuas5/mm8YT3rTo=
+k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8=
+k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=

diff --git a/internal/policies/client.go b/internal/policies/client.go
@@ -13,6 +13,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -60,113 +61,97 @@ func NewClient(client client.Client, kubewardenNamespace string, policyServerURL
 	}, nil
 }
 
-// GetPoliciesForANamespace gets all the auditable policies for a given namespace.
-func (f *Client) GetPoliciesForANamespace(ctx context.Context, namespace string) (*Policies, error) {
-	namespacePolicies, err := f.findNamespacesForAllClusterAdmissionPolicies(ctx)
+// GetPoliciesByNamespace gets all the auditable policies for a given namespace.
+func (f *Client) GetPoliciesByNamespace(ctx context.Context, namespace string) (*Policies, error) {
+	var policies []policiesv1.Policy
+
+	clusterAdmissionPolicies, err := f.findClusterAdmissionPoliciesByNamespace(ctx, namespace)
 	if err != nil {
-		return nil, fmt.Errorf("can't get ClusterAdmissionPolicies: %w", err)
+		return nil, fmt.Errorf("cannot get ClusterAdmissionPolicies: %w", err)
+	}
+	for _, policy := range clusterAdmissionPolicies {
+		policies = append(policies, &policy)
 	}
-	admissionPolicies, err := f.getAdmissionPolicies(ctx, namespace)
+
+	admissionPolicies, err := f.listAdmissionPolicies(ctx, namespace)
 	if err != nil {
-		return nil, fmt.Errorf("can't get AdmissionPolicies: %w", err)
+		return nil, fmt.Errorf("cannot get AdmissionPolicies: %w", err)
 	}
 	for _, policy := range admissionPolicies {
-		namespacePolicies[namespace] = append(namespacePolicies[namespace], &policy)
+		policies = append(policies, &policy)
 	}
 
-	return f.groupPoliciesByGVR(ctx, namespacePolicies[namespace], true)
-}
-
-func (f *Client) getClusterAdmissionPolicies(ctx context.Context) ([]policiesv1.ClusterAdmissionPolicy, error) {
-	policies := &policiesv1.ClusterAdmissionPolicyList{}
-	err := f.client.List(ctx, policies)
-	if err != nil {
-		return []policiesv1.ClusterAdmissionPolicy{}, err
-	}
-	return policies.Items, nil
+	return f.groupPoliciesByGVR(ctx, policies, true)
 }
 
 // GetClusterWidePolicies returns all the auditable cluster-wide policies.
 func (f *Client) GetClusterWidePolicies(ctx context.Context) (*Policies, error) {
-	clusterAdmissionPolicies, err := f.getClusterAdmissionPolicies(ctx)
+	var policies []policiesv1.Policy
+
+	clusterAdmissionPolicies, err := f.listClusterAdmissionPolicies(ctx)
 	if err != nil {
 		return nil, err
 	}
-	policies := []policiesv1.Policy{}
 	for _, policy := range clusterAdmissionPolicies {
 		policies = append(policies, &policy)
 	}
 
 	return f.groupPoliciesByGVR(ctx, policies, false)
 }
 
-// initializes map with an entry for all namespaces with an empty policies array as value.
-func (f *Client) initNamespacePoliciesMap(ctx context.Context) (map[string][]policiesv1.Policy, error) {
-	namespacePolicies := make(map[string][]policiesv1.Policy)
-	namespaceList := &corev1.NamespaceList{}
-	err := f.client.List(ctx, namespaceList, &client.ListOptions{})
+// findNamespacesForAllClusterAdmissionPolicies returns all the ClusterAdmissionPolicies that evaluate resources in the given namespace.
+func (f *Client) findClusterAdmissionPoliciesByNamespace(ctx context.Context, namespace string) ([]policiesv1.ClusterAdmissionPolicy, error) {
+	var namespaceObj corev1.Namespace
+	err := f.client.Get(ctx, client.ObjectKey{Name: namespace}, &namespaceObj)
 	if err != nil {
-		return nil, fmt.Errorf("can't list namespaces: %w", err)
-	}
-	for _, namespace := range namespaceList.Items {
-		namespacePolicies[namespace.Name] = []policiesv1.Policy{}
+		return nil, fmt.Errorf("cannot get namespace %s: %w", namespace, err)
 	}
 
-	return namespacePolicies, nil
-}
-
-// returns a map with an entry per each namespace. Key is the namespace name, and value is an array of ClusterAdmissionPolicies
-// that will evaluate resources within this namespace.
-func (f *Client) findNamespacesForAllClusterAdmissionPolicies(ctx context.Context) (map[string][]policiesv1.Policy, error) {
-	namespacePolicies, err := f.initNamespacePoliciesMap(ctx)
+	clusterAdmissionPolicies, err := f.listClusterAdmissionPolicies(ctx)
 	if err != nil {
 		return nil, err
 	}
-	policies := &policiesv1.ClusterAdmissionPolicyList{}
-	err = f.client.List(ctx, policies, &client.ListOptions{})
-	if err != nil {
-		return nil, fmt.Errorf("can't list ClusterAdmissionPolicies: %w", err)
-	}
 
-	for _, policy := range policies.Items {
-		namespaces, err := f.findNamespacesForClusterAdmissionPolicy(ctx, policy)
-		if err != nil {
-			return nil, fmt.Errorf("can't find namespaces for ClusterAdmissionPolicy %s: %w", policy.Name, err)
-		}
-		for _, namespace := range namespaces {
-			namespacePolicies[namespace.Name] = append(namespacePolicies[namespace.Name], &policy)
+	var result []policiesv1.ClusterAdmissionPolicy
+
+	for _, policy := range clusterAdmissionPolicies {
+		if policy.GetNamespaceSelector() != nil {
+			labelSelector, err := metav1.LabelSelectorAsSelector(policy.GetNamespaceSelector())
+			if err != nil {
+				return nil, fmt.Errorf("cannot parse label selector, ClusterAdmissionPolicy %s: %w", policy.Name, err)
+			}
+			if labelSelector.Matches(labels.Set(namespaceObj.Labels)) {
+				result = append(result, policy)
+			}
+		} else {
+			result = append(result, policy)
 		}
 	}
 
-	return namespacePolicies, nil
+	return result, nil
 }
 
-// finds all namespaces where this ClusterAdmissionPolicy will evaluate resources. It uses the namespaceSelector field to filter the namespaces.
-func (f *Client) findNamespacesForClusterAdmissionPolicy(ctx context.Context, policy policiesv1.ClusterAdmissionPolicy) ([]corev1.Namespace, error) {
-	namespaceList := &corev1.NamespaceList{}
-	labelSelector, err := metav1.LabelSelectorAsSelector(policy.GetUpdatedNamespaceSelector(f.kubewardenNamespace))
-	if err != nil {
-		return nil, err
-	}
-	opts := client.ListOptions{
-		LabelSelector: labelSelector,
-	}
-	err = f.client.List(ctx, namespaceList, &opts)
+// listClusterAdmissionPolicies returns all the ClusterAdmissionPolicies in the cluster.
+func (f *Client) listClusterAdmissionPolicies(ctx context.Context) ([]policiesv1.ClusterAdmissionPolicy, error) {
+	var clusterAdmissionPolicyList policiesv1.ClusterAdmissionPolicyList
+
+	err := f.client.List(ctx, &clusterAdmissionPolicyList)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("cannot list ClusterAdmissionPolicies: %w", err)
 	}
 
-	return namespaceList.Items, nil
+	return clusterAdmissionPolicyList.Items, nil
 }
 
-func (f *Client) getAdmissionPolicies(ctx context.Context, namespace string) ([]policiesv1.AdmissionPolicy, error) {
-	policies := &policiesv1.AdmissionPolicyList{}
-	err := f.client.List(ctx, policies, &client.ListOptions{Namespace: namespace})
+// listAdmissionPolicies returns all the AdmissionPolicies in the given namespace.
+func (f *Client) listAdmissionPolicies(ctx context.Context, namespace string) ([]policiesv1.AdmissionPolicy, error) {
+	var admissionPolicyList policiesv1.AdmissionPolicyList
+	err := f.client.List(ctx, &admissionPolicyList, &client.ListOptions{Namespace: namespace})
 	if err != nil {
 		return nil, err
 	}
 
-	return policies.Items, nil
+	return admissionPolicyList.Items, nil
 }
 
 // groupPoliciesByGVRAndLabelSelectorg groups policies by GVR.

diff --git a/internal/policies/client_test.go b/internal/policies/client_test.go
@@ -15,7 +15,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-func TestGetPoliciesForANamespace(t *testing.T) {
+func TestGetPoliciesByNamespace(t *testing.T) {
 	namespace := &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test",
@@ -204,7 +204,7 @@ func TestGetPoliciesForANamespace(t *testing.T) {
 	policiesClient, err := NewClient(client, "kubewarden", "")
 	require.NoError(t, err)
 
-	policies, err := policiesClient.GetPoliciesForANamespace(context.Background(), "test")
+	policies, err := policiesClient.GetPoliciesByNamespace(context.Background(), "test")
 	require.NoError(t, err)
 
 	expectedPolicies := &Policies{

diff --git a/internal/scanner/scanner.go b/internal/scanner/scanner.go
@@ -138,7 +138,7 @@ func (s *Scanner) ScanNamespace(ctx context.Context, nsName, runUID string) erro
 	if err != nil {
 		return err
 	}
-	policies, err := s.policiesClient.GetPoliciesForANamespace(ctx, nsName)
+	policies, err := s.policiesClient.GetPoliciesByNamespace(ctx, nsName)
 	if err != nil {
 		log.Error().Err(err).Str("namespace", nsName).Msg("failed to obtain auditable policies")
 		return err