wip

Signed-off-by: Fabrizio Sestito <[email protected]>

cmd/main.go

@@ -217,6 +217,21 @@ func setupManager(deploymentsNamespace string, metricsAddr string, probeAddr str
 			},
 		},
 	})
+
+	mgr.GetFieldIndexer().IndexField(context.TODO(), &policiesv1.ClusterAdmissionPolicy{}, "metadata.uid", func(rawObj client.Object) []string {
+		policy := rawObj.(*policiesv1.ClusterAdmissionPolicy)
+		return []string{string(policy.UID)}
+	})
+
+	mgr.GetFieldIndexer().IndexField(context.TODO(), &policiesv1.AdmissionPolicyGroup{}, "metadata.uid", func(rawObj client.Object) []string {
+		policy := rawObj.(*policiesv1.AdmissionPolicyGroup)
+		return []string{string(policy.UID)}
+	})
+
+	mgr.GetFieldIndexer().IndexField(context.TODO(), &policiesv1.ClusterAdmissionPolicyGroup{}, "metadata.uid", func(rawObj client.Object) []string {
+		policy := rawObj.(*policiesv1.ClusterAdmissionPolicyGroup)
+		return []string{string(policy.UID)}
+	})
 	return mgr, err
 }
 

go.mod

@@ -71,10 +71,13 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/k0kubun/pp v3.0.1+incompatible // indirect
 	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect

go.sum

@@ -116,6 +116,8 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/k0kubun/pp v3.0.1+incompatible h1:3tqvf7QgUnZ5tXO6pNAZlrvHgl6DvifjDrd9g2S9Z40=
+github.com/k0kubun/pp v3.0.1+incompatible/go.mod h1:GWse8YhT0p8pT4ir3ZgBbfZild3tgzSScAn6HmfYukg=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
@@ -130,6 +132,10 @@ github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0V
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
@@ -320,6 +326,7 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

internal/constants/constants.go

@@ -49,11 +49,7 @@ const (
 	OptelInjectAnnotation = "sidecar.opentelemetry.io/inject"
 
 	// Webhook Configurations.
-	WebhookConfigurationPolicyScopeLabelKey          = "kubewardenPolicyScope"
-	WebhookConfigurationPolicyNameAnnotationKey      = "kubewardenPolicyName"
-	WebhookConfigurationPolicyNamespaceAnnotationKey = "kubewardenPolicyNamespace"
-	WebhookConfigurationPolicyGroupAnnotationKey     = "kubewardenPolicyGroup"
-	True                                             = "true"
+	WebhookConfigurationPolicyUIDAnnotationKey = "kubewarden.io/policy-uid"
 
 	// Scope.
 	NamespacePolicyScope = "namespace"

internal/controller/admissionpolicy_controller.go

@@ -24,13 +24,15 @@ import (
 
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	policiesv1 "github.com/kubewarden/kubewarden-controller/api/policies/v1"
+	"github.com/kubewarden/kubewarden-controller/internal/constants"
 )
 
 // Warning: this controller is deployed by a helm chart which has its own
@@ -75,7 +77,17 @@ func (r *AdmissionPolicyReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		r.FeatureGateAdmissionWebhookMatchConditions,
 	}
 
-	err := ctrl.NewControllerManagedBy(mgr).
+	// Add a field indexer to index the UID of the AdmissionPolicy.
+	// This is needed to efficiently find a policy by UID in the webhook configuration watch handlers.
+	err := mgr.GetFieldIndexer().IndexField(context.Background(), &policiesv1.AdmissionPolicy{}, ".metadata.uid", func(rawObj client.Object) []string {
+		policy := rawObj.(*policiesv1.AdmissionPolicy)
+		return []string{string(policy.UID)}
+	})
+	if err != nil {
+		return errors.Join(errors.New("failed setting up field indexer"), err)
+	}
+
+	err = ctrl.NewControllerManagedBy(mgr).
 		For(&policiesv1.AdmissionPolicy{}).
 		Watches(
 			&corev1.Pod{},
@@ -101,6 +113,35 @@ func (r *AdmissionPolicyReconciler) findAdmissionPoliciesForPod(ctx context.Cont
 	return findPoliciesForPod(ctx, r.Client, object)
 }
 
-func (r *AdmissionPolicyReconciler) findAdmissionPolicyForWebhookConfiguration(_ context.Context, webhookConfiguration client.Object) []reconcile.Request {
-	return findPolicyForWebhookConfiguration(webhookConfiguration, false, r.Log)
+func (r *AdmissionPolicyReconciler) findAdmissionPolicyForWebhookConfiguration(ctx context.Context, webhookConfiguration client.Object) []reconcile.Request {
+	if !hasKubewardenLabel(webhookConfiguration.GetLabels()) {
+		return []reconcile.Request{}
+	}
+
+	policyUID, exists := webhookConfiguration.GetAnnotations()[constants.WebhookConfigurationPolicyUIDAnnotationKey]
+	if !exists {
+		return []reconcile.Request{}
+	}
+
+	var admissionPolicyList policiesv1.AdmissionPolicyList
+	options := &client.ListOptions{
+		FieldSelector: fields.OneTermEqualSelector(".metadata.uid", policyUID),
+	}
+	err := r.List(ctx, &admissionPolicyList, options)
+	if err != nil {
+		return []reconcile.Request{}
+	}
+	if len(admissionPolicyList.Items) == 0 {
+		return []reconcile.Request{}
+	}
+	admissionPolicy := admissionPolicyList.Items[0]
+
+	return []reconcile.Request{
+		{
+			NamespacedName: client.ObjectKey{
+				Name:      admissionPolicy.GetName(),
+				Namespace: admissionPolicy.GetNamespace(),
+			},
+		},
+	}
 }

internal/controller/admissionpolicy_controller_test.go

@@ -84,9 +84,7 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() {
 				}
 
 				Expect(validatingWebhookConfiguration.Labels[constants.PartOfLabelKey]).To(Equal(constants.PartOfLabelValue))
-				Expect(validatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey]).To(Equal(constants.NamespacePolicyScope))
-				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNameAnnotationKey]).To(Equal(policyName))
-				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey]).To(Equal(policyNamespace))
+				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyUIDAnnotationKey]).To(Equal(policy.GetUID()))
 				Expect(validatingWebhookConfiguration.Webhooks).To(HaveLen(1))
 				Expect(validatingWebhookConfiguration.Webhooks[0].ClientConfig.Service.Name).To(Equal("policy-server-" + policyServerName))
 				Expect(validatingWebhookConfiguration.Webhooks[0].MatchConditions).To(HaveLen(1))
@@ -114,9 +112,7 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() {
 
 			By("changing the ValidatingWebhookConfiguration")
 			delete(validatingWebhookConfiguration.Labels, constants.PartOfLabelKey)
-			validatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey] = newName("scope")
-			delete(validatingWebhookConfiguration.Annotations, constants.WebhookConfigurationPolicyNameAnnotationKey)
-			validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey] = newName("namespace")
+			delete(validatingWebhookConfiguration.Annotations, constants.WebhookConfigurationPolicyUIDAnnotationKey)
 			validatingWebhookConfiguration.Webhooks[0].ClientConfig.Service.Name = newName("service")
 			validatingWebhookConfiguration.Webhooks[0].ClientConfig.CABundle = []byte("invalid")
 			Expect(
@@ -210,9 +206,7 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() {
 				}
 
 				Expect(mutatingWebhookConfiguration.Labels[constants.PartOfLabelKey]).To(Equal(constants.PartOfLabelValue))
-				Expect(mutatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey]).To(Equal(constants.NamespacePolicyScope))
-				Expect(mutatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNameAnnotationKey]).To(Equal(policyName))
-				Expect(mutatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey]).To(Equal(policyNamespace))
+				Expect(mutatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyUIDAnnotationKey]).To(Equal(policyName))
 				Expect(mutatingWebhookConfiguration.Webhooks).To(HaveLen(1))
 				Expect(mutatingWebhookConfiguration.Webhooks[0].ClientConfig.Service.Name).To(Equal("policy-server-" + policyServerName))
 				Expect(mutatingWebhookConfiguration.Webhooks[0].MatchConditions).To(HaveLen(1))
@@ -240,9 +234,7 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() {
 
 			By("changing the MutatingWebhookConfiguration")
 			delete(mutatingWebhookConfiguration.Labels, constants.PartOfLabelKey)
-			mutatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey] = newName("scope")
-			delete(mutatingWebhookConfiguration.Annotations, constants.WebhookConfigurationPolicyNameAnnotationKey)
-			mutatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey] = newName("namespace")
+			delete(mutatingWebhookConfiguration.Annotations, constants.WebhookConfigurationPolicyUIDAnnotationKey)
 			mutatingWebhookConfiguration.Webhooks[0].ClientConfig.Service.Name = newName("service")
 			mutatingWebhookConfiguration.Webhooks[0].ClientConfig.CABundle = []byte("invalid")
 			Expect(

internal/controller/admissionpolicygroup_controller.go

@@ -24,13 +24,15 @@ import (
 
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	policiesv1 "github.com/kubewarden/kubewarden-controller/api/policies/v1"
+	"github.com/kubewarden/kubewarden-controller/internal/constants"
 )
 
 // Warning: this controller is deployed by a helm chart which has its own
@@ -75,7 +77,17 @@ func (r *AdmissionPolicyGroupReconciler) SetupWithManager(mgr ctrl.Manager) erro
 		r.FeatureGateAdmissionWebhookMatchConditions,
 	}
 
-	err := ctrl.NewControllerManagedBy(mgr).
+	// Add a field indexer to index the UID of the AdmissionPolicyGroup.
+	// This is needed to efficiently find a policy by UID in the webhook configuration watch handlers.
+	err := mgr.GetFieldIndexer().IndexField(context.Background(), &policiesv1.AdmissionPolicyGroup{}, ".metadata.uid", func(rawObj client.Object) []string {
+		policy := rawObj.(*policiesv1.AdmissionPolicyGroup)
+		return []string{string(policy.UID)}
+	})
+	if err != nil {
+		return errors.Join(errors.New("failed setting up field indexer"), err)
+	}
+
+	err = ctrl.NewControllerManagedBy(mgr).
 		For(&policiesv1.AdmissionPolicyGroup{}).
 		Watches(
 			&corev1.Pod{},
@@ -97,6 +109,35 @@ func (r *AdmissionPolicyGroupReconciler) findAdmissionPoliciesForPod(ctx context
 	return findPoliciesForPod(ctx, r.Client, object)
 }
 
-func (r *AdmissionPolicyGroupReconciler) findAdmissionPolicyForWebhookConfiguration(_ context.Context, webhookConfiguration client.Object) []reconcile.Request {
-	return findPolicyForWebhookConfiguration(webhookConfiguration, true, r.Log)
+func (r *AdmissionPolicyGroupReconciler) findAdmissionPolicyForWebhookConfiguration(ctx context.Context, webhookConfiguration client.Object) []reconcile.Request {
+	if !hasKubewardenLabel(webhookConfiguration.GetLabels()) {
+		return []reconcile.Request{}
+	}
+
+	policyUID, exists := webhookConfiguration.GetAnnotations()[constants.WebhookConfigurationPolicyUIDAnnotationKey]
+	if !exists {
+		return []reconcile.Request{}
+	}
+
+	var admissionPolicyGroupList policiesv1.AdmissionPolicyGroupList
+	options := &client.ListOptions{
+		FieldSelector: fields.OneTermEqualSelector(".metadata.uid", policyUID),
+	}
+	err := r.List(ctx, &admissionPolicyGroupList, options)
+	if err != nil {
+		return []reconcile.Request{}
+	}
+	if len(admissionPolicyGroupList.Items) == 0 {
+		return []reconcile.Request{}
+	}
+	admissionPolicyGroup := admissionPolicyGroupList.Items[0]
+
+	return []reconcile.Request{
+		{
+			NamespacedName: client.ObjectKey{
+				Name:      admissionPolicyGroup.GetName(),
+				Namespace: admissionPolicyGroup.GetNamespace(),
+			},
+		},
+	}
 }

internal/controller/admissionpolicygroup_controller_test.go

@@ -83,10 +83,7 @@ var _ = Describe("AdmissionPolicyGroup controller", Label("real-cluster"), func(
 				}
 
 				Expect(validatingWebhookConfiguration.Labels[constants.PartOfLabelKey]).To(Equal(constants.PartOfLabelValue))
-				Expect(validatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey]).To(Equal(constants.NamespacePolicyScope))
-				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyGroupAnnotationKey]).To(Equal(constants.True))
-				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNameAnnotationKey]).To(Equal(policyName))
-				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey]).To(Equal(policyNamespace))
+				Expect(validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyUIDAnnotationKey]).To(Equal(policyNamespace))
 				Expect(validatingWebhookConfiguration.Webhooks).To(HaveLen(1))
 				Expect(validatingWebhookConfiguration.Webhooks[0].ClientConfig.Service.Name).To(Equal("policy-server-" + policyServerName))
 				Expect(validatingWebhookConfiguration.Webhooks[0].MatchConditions).To(HaveLen(1))
@@ -114,10 +111,7 @@ var _ = Describe("AdmissionPolicyGroup controller", Label("real-cluster"), func(
 
 			By("changing the ValidatingWebhookConfiguration")
 			delete(validatingWebhookConfiguration.Labels, constants.PartOfLabelKey)
-			validatingWebhookConfiguration.Labels[constants.WebhookConfigurationPolicyScopeLabelKey] = newName("scope")
-			validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyGroupAnnotationKey] = "false"
-			delete(validatingWebhookConfiguration.Annotations, constants.WebhookConfigurationPolicyNameAnnotationKey)
-			validatingWebhookConfiguration.Annotations[constants.WebhookConfigurationPolicyNamespaceAnnotationKey] = newName("namespace")
+			delete(validatingWebhookConfiguration.Annotations, constants.WebhookConfigurationPolicyUIDAnnotationKey)
 			validatingWebhookConfiguration.Webhooks[0].ClientConfig.Service.Name = newName("service")
 			validatingWebhookConfiguration.Webhooks[0].ClientConfig.CABundle = []byte("invalid")
 			Expect(

internal/controller/clusteradmissionpolicy_controller.go

@@ -24,13 +24,15 @@ import (
 
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	policiesv1 "github.com/kubewarden/kubewarden-controller/api/policies/v1"
+	"github.com/kubewarden/kubewarden-controller/internal/constants"
 )
 
 // Warning: this controller is deployed by a helm chart which has its own
@@ -75,7 +77,17 @@ func (r *ClusterAdmissionPolicyReconciler) SetupWithManager(mgr ctrl.Manager) er
 		r.FeatureGateAdmissionWebhookMatchConditions,
 	}
 
-	err := ctrl.NewControllerManagedBy(mgr).
+	// Add a field indexer to index the UID of the ClusterAdmissionPolicy.
+	// This is needed to efficiently find a policy by UID in the webhook configuration watch handlers.
+	err := mgr.GetFieldIndexer().IndexField(context.Background(), &policiesv1.ClusterAdmissionPolicy{}, ".metadata.uid", func(rawObj client.Object) []string {
+		policy := rawObj.(*policiesv1.ClusterAdmissionPolicy)
+		return []string{string(policy.UID)}
+	})
+	if err != nil {
+		return errors.Join(errors.New("failed setting up field indexer"), err)
+	}
+
+	err = ctrl.NewControllerManagedBy(mgr).
 		For(&policiesv1.ClusterAdmissionPolicy{}).
 		Watches(
 			&corev1.Pod{},
@@ -100,6 +112,34 @@ func (r *ClusterAdmissionPolicyReconciler) findClusterAdmissionPoliciesForPod(ct
 	return findClusterPoliciesForPod(ctx, r.Client, object)
 }
 
-func (r *ClusterAdmissionPolicyReconciler) findClusterAdmissionPolicyForWebhookConfiguration(_ context.Context, webhookConfiguration client.Object) []reconcile.Request {
-	return findClusterPolicyForWebhookConfiguration(webhookConfiguration, false, r.Log)
+func (r *ClusterAdmissionPolicyReconciler) findClusterAdmissionPolicyForWebhookConfiguration(ctx context.Context, webhookConfiguration client.Object) []reconcile.Request {
+	if !hasKubewardenLabel(webhookConfiguration.GetLabels()) {
+		return []reconcile.Request{}
+	}
+
+	policyUID, exists := webhookConfiguration.GetAnnotations()[constants.WebhookConfigurationPolicyUIDAnnotationKey]
+	if !exists {
+		return []reconcile.Request{}
+	}
+
+	var clusterAdmissionPolicyList policiesv1.ClusterAdmissionPolicyList
+	options := &client.ListOptions{
+		FieldSelector: fields.OneTermEqualSelector(".metadata.uid", policyUID),
+	}
+	err := r.List(ctx, &clusterAdmissionPolicyList, options)
+	if err != nil {
+		return []reconcile.Request{}
+	}
+	if len(clusterAdmissionPolicyList.Items) == 0 {
+		return []reconcile.Request{}
+	}
+	clusterAdmissionPolicy := clusterAdmissionPolicyList.Items[0]
+
+	return []reconcile.Request{
+		{
+			NamespacedName: client.ObjectKey{
+				Name: clusterAdmissionPolicy.GetName(),
+			},
+		},
+	}
 }