Add configuration to permissions pre-flight check to use `SelfSubject…

…AccessReview` or `SelfSubjectRulesReview` (#931)
carvel-dev · May 9, 2024 · 2d0b7ed · 2d0b7ed
1 parent e61c869
commit 2d0b7ed
Show file tree

Hide file tree

Showing 113 changed files with 16,049 additions and 303 deletions.
diff --git a/go.mod b/go.mod
@@ -22,10 +22,12 @@ require (
 	golang.org/x/net v0.25.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.30.0
-	k8s.io/apiextensions-apiserver v0.29.3
+	k8s.io/apiextensions-apiserver v0.30.0
 	k8s.io/apimachinery v0.30.0
+	k8s.io/apiserver v0.30.0
 	k8s.io/client-go v0.30.0
 	k8s.io/component-helpers v0.29.3
+	k8s.io/kubernetes v1.30.0
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/yaml v1.4.0
 )

diff --git a/go.sum b/go.sum
@@ -22,9 +22,17 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/aws/aws-lambda-go v1.26.0/go.mod h1:jJmlefzPfGnckuHdXX7/80O3BvUUi12XOkbv4w9SGLU=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
+github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
+github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -205,6 +213,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
@@ -254,12 +264,20 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
+github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
+github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -512,18 +530,24 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
 k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
-k8s.io/apiextensions-apiserver v0.29.3 h1:9HF+EtZaVpFjStakF4yVufnXGPRppWFEQ87qnO91YeI=
-k8s.io/apiextensions-apiserver v0.29.3/go.mod h1:po0XiY5scnpJfFizNGo6puNU6Fq6D70UJY2Cb2KwAVc=
+k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs=
+k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y=
 k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=
 k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/apiserver v0.30.0 h1:QCec+U72tMQ+9tR6A0sMBB5Vh6ImCEkoKkTDRABWq6M=
+k8s.io/apiserver v0.30.0/go.mod h1:smOIBq8t0MbKZi7O7SyIpjPsiKJ8qa+llcFCluKyqiY=
 k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ=
 k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY=
+k8s.io/component-base v0.30.0 h1:cj6bp38g0ainlfYtaOQuRELh5KSYjhKxM+io7AUIk4o=
+k8s.io/component-base v0.30.0/go.mod h1:V9x/0ePFNaKeKYA3bOvIbrNoluTSG+fSJKjLdjOoeXQ=
 k8s.io/component-helpers v0.29.3 h1:1dqZswuZgT2ZMixYeORyCUOAApXxgsvjVSgfoUT+P4o=
 k8s.io/component-helpers v0.29.3/go.mod h1:yiDqbRQrnQY+sPju/bL7EkwDJb6LVOots53uZNMZBos=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
+k8s.io/kubernetes v1.30.0 h1:u3Yw8rNlo2NDSGaDpoxoHXLPQnEu1tfqHATKOJe94HY=
+k8s.io/kubernetes v1.30.0/go.mod h1:yPbIk3MhmhGigX62FLJm+CphNtjxqCvAIFQXup6RKS0=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

diff --git a/pkg/kapp/permissions/basic.go b/pkg/kapp/permissions/basic.go
@@ -9,24 +9,23 @@ import (
 	ctlres "carvel.dev/kapp/pkg/kapp/resources"
 	authv1 "k8s.io/api/authorization/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
-	authv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
 )
 
 // BasicValidator is a basic validator useful for
 // validating basic CRUD permissions for resources. It has no knowledge
 // of how to handle permission evaluation for specific
 // GroupVersionKinds
 type BasicValidator struct {
-	ssarClient authv1client.SelfSubjectAccessReviewInterface
-	mapper     meta.RESTMapper
+	permissionValidator PermissionValidator
+	mapper              meta.RESTMapper
 }
 
 var _ Validator = (*BasicValidator)(nil)
 
-func NewBasicValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface, mapper meta.RESTMapper) *BasicValidator {
+func NewBasicValidator(pv PermissionValidator, mapper meta.RESTMapper) *BasicValidator {
 	return &BasicValidator{
-		ssarClient: ssarClient,
-		mapper:     mapper,
+		permissionValidator: pv,
+		mapper:              mapper,
 	}
 }
 
@@ -36,7 +35,7 @@ func (bv *BasicValidator) Validate(ctx context.Context, res ctlres.Resource, ver
 		return err
 	}
 
-	return ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+	return bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 		Group:     mapping.Resource.Group,
 		Version:   mapping.Resource.Version,
 		Resource:  mapping.Resource.Resource,

diff --git a/pkg/kapp/permissions/binding.go b/pkg/kapp/permissions/binding.go
@@ -12,7 +12,6 @@ import (
 	authv1 "k8s.io/api/authorization/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
-	authv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
 	rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
 	"k8s.io/component-helpers/auth/rbac/validation"
 )
@@ -21,18 +20,18 @@ import (
 // for validating permissions required to CRUD
 // Kubernetes (Cluster)RoleBinding resources
 type BindingValidator struct {
-	ssarClient authv1client.SelfSubjectAccessReviewInterface
-	rbacClient rbacv1client.RbacV1Interface
-	mapper     meta.RESTMapper
+	permissionValidator PermissionValidator
+	rbacClient          rbacv1client.RbacV1Interface
+	mapper              meta.RESTMapper
 }
 
 var _ Validator = (*BindingValidator)(nil)
 
-func NewBindingValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface, rbacClient rbacv1client.RbacV1Interface, mapper meta.RESTMapper) *BindingValidator {
+func NewBindingValidator(pv PermissionValidator, rbacClient rbacv1client.RbacV1Interface, mapper meta.RESTMapper) *BindingValidator {
 	return &BindingValidator{
-		rbacClient: rbacClient,
-		ssarClient: ssarClient,
-		mapper:     mapper,
+		rbacClient:          rbacClient,
+		permissionValidator: pv,
+		mapper:              mapper,
 	}
 }
 
@@ -47,7 +46,7 @@ func (bv *BindingValidator) Validate(ctx context.Context, res ctlres.Resource, v
 		// do early validation on create / update to see if a user has
 		// the "bind" permissions which allows them to perform
 		// privilege escalation and create any (Cluster)Role
-		err := ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+		err := bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,
@@ -63,7 +62,7 @@ func (bv *BindingValidator) Validate(ctx context.Context, res ctlres.Resource, v
 		}
 
 		// Check if user has permissions to even create/update the resource
-		err = ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+		err = bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,
@@ -98,7 +97,7 @@ func (bv *BindingValidator) Validate(ctx context.Context, res ctlres.Resource, v
 				if len(subrule.ResourceNames) > 0 {
 					resourceName = subrule.ResourceNames[0]
 				}
-				err := ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+				err := bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 					Group:     subrule.APIGroups[0],
 					Resource:  subrule.Resources[0],
 					Namespace: res.Namespace(),
@@ -116,7 +115,7 @@ func (bv *BindingValidator) Validate(ctx context.Context, res ctlres.Resource, v
 			return errors.Join(append([]error{baseErr}, errorSet...)...)
 		}
 	default:
-		return ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+		return bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,

diff --git a/pkg/kapp/permissions/preflight.go b/pkg/kapp/permissions/preflight.go
@@ -5,7 +5,9 @@ package permissions
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
+	"fmt"
 
 	cmdcore "carvel.dev/kapp/pkg/kapp/cmd/core"
 	ctldgraph "carvel.dev/kapp/pkg/kapp/diffgraph"
@@ -20,12 +22,25 @@ import (
 type Preflight struct {
 	depsFactory cmdcore.DepsFactory
 	enabled     bool
+	config      *PreflightConfig
+}
+
+const (
+	PermissionValidatorTypeSelfSubjectAccessReview = "SelfSubjectAccessReview"
+	PermissionValidatorTypeSelfSubjectRulesReview  = "SelfSubjectRulesReview"
+)
+
+type PreflightConfig struct {
+	PermissionValidatorResource string `json:"permissionValidatorResource"`
 }
 
 func NewPreflight(depsFactory cmdcore.DepsFactory, enabled bool) preflight.Check {
 	return &Preflight{
 		depsFactory: depsFactory,
 		enabled:     enabled,
+		config: &PreflightConfig{
+			PermissionValidatorResource: PermissionValidatorTypeSelfSubjectAccessReview,
+		},
 	}
 }
 
@@ -37,7 +52,27 @@ func (p *Preflight) SetEnabled(enabled bool) {
 	p.enabled = enabled
 }
 
-func (p *Preflight) SetConfig(_ preflight.CheckConfig) error {
+func (p *Preflight) SetConfig(cfg preflight.CheckConfig) error {
+	pCfg := &PreflightConfig{}
+	cfgBytes, err := json.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("converting CheckConfig to bytes: %w", err)
+	}
+
+	err = json.Unmarshal(cfgBytes, pCfg)
+	if err != nil {
+		return fmt.Errorf("parsing permissions preflight config: %w", err)
+	}
+
+	switch pCfg.PermissionValidatorResource {
+	// Valid, do nothing
+	case PermissionValidatorTypeSelfSubjectAccessReview, PermissionValidatorTypeSelfSubjectRulesReview:
+	// Default to using SelfSubjectAccessReview
+	case "":
+		pCfg.PermissionValidatorResource = PermissionValidatorTypeSelfSubjectAccessReview
+	default:
+		return fmt.Errorf("unknown permissionValidatorType %q", pCfg.PermissionValidatorResource)
+	}
 	return nil
 }
 
@@ -52,9 +87,17 @@ func (p *Preflight) Run(ctx context.Context, changeGraph *ctldgraph.ChangeGraph)
 		return err
 	}
 
-	roleValidator := NewRoleValidator(client.AuthorizationV1().SelfSubjectAccessReviews(), mapper)
-	bindingValidator := NewBindingValidator(client.AuthorizationV1().SelfSubjectAccessReviews(), client.RbacV1(), mapper)
-	basicValidator := NewBasicValidator(client.AuthorizationV1().SelfSubjectAccessReviews(), mapper)
+	var permissionValidator PermissionValidator
+	switch p.config.PermissionValidatorResource {
+	case PermissionValidatorTypeSelfSubjectAccessReview:
+		permissionValidator = NewSelfSubjectAccessReviewValidator(client.AuthorizationV1().SelfSubjectAccessReviews())
+	case PermissionValidatorTypeSelfSubjectRulesReview:
+		permissionValidator = NewSelfSubjectRulesReviewValidator(client.AuthorizationV1().SelfSubjectRulesReviews())
+	}
+
+	roleValidator := NewRoleValidator(permissionValidator, mapper)
+	bindingValidator := NewBindingValidator(permissionValidator, client.RbacV1(), mapper)
+	basicValidator := NewBasicValidator(permissionValidator, mapper)
 
 	validator := NewCompositeValidator(basicValidator, map[schema.GroupVersionKind]Validator{
 		rbacv1.SchemeGroupVersion.WithKind("Role"):               roleValidator,

diff --git a/pkg/kapp/permissions/role.go b/pkg/kapp/permissions/role.go
@@ -12,24 +12,23 @@ import (
 	authv1 "k8s.io/api/authorization/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
-	authv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
 	"k8s.io/component-helpers/auth/rbac/validation"
 )
 
 // RoleValidator is a Validator implementation
 // for validating permissions required to CRUD
 // Kubernetes (Cluster)Role resources
 type RoleValidator struct {
-	ssarClient authv1client.SelfSubjectAccessReviewInterface
-	mapper     meta.RESTMapper
+	permissionValidator PermissionValidator
+	mapper              meta.RESTMapper
 }
 
 var _ Validator = (*RoleValidator)(nil)
 
-func NewRoleValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface, mapper meta.RESTMapper) *RoleValidator {
+func NewRoleValidator(pv PermissionValidator, mapper meta.RESTMapper) *RoleValidator {
 	return &RoleValidator{
-		ssarClient: ssarClient,
-		mapper:     mapper,
+		permissionValidator: pv,
+		mapper:              mapper,
 	}
 }
 
@@ -44,7 +43,7 @@ func (rv *RoleValidator) Validate(ctx context.Context, res ctlres.Resource, verb
 		// do early validation on create / update to see if a user has
 		// the "escalate" permissions which allows them to perform
 		// privilege escalation and create any (Cluster)Role
-		err := ValidatePermissions(ctx, rv.ssarClient, &authv1.ResourceAttributes{
+		err := rv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,
@@ -60,7 +59,7 @@ func (rv *RoleValidator) Validate(ctx context.Context, res ctlres.Resource, verb
 		}
 
 		// Check if user has permissions to even create/update the resource
-		err = ValidatePermissions(ctx, rv.ssarClient, &authv1.ResourceAttributes{
+		err = rv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,
@@ -92,7 +91,7 @@ func (rv *RoleValidator) Validate(ctx context.Context, res ctlres.Resource, verb
 				if len(subrule.ResourceNames) > 0 {
 					resourceName = subrule.ResourceNames[0]
 				}
-				err := ValidatePermissions(ctx, rv.ssarClient, &authv1.ResourceAttributes{
+				err := rv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 					Group:     subrule.APIGroups[0],
 					Resource:  subrule.Resources[0],
 					Namespace: res.Namespace(),
@@ -110,7 +109,7 @@ func (rv *RoleValidator) Validate(ctx context.Context, res ctlres.Resource, verb
 			return errors.Join(append([]error{baseErr}, errorSet...)...)
 		}
 	default:
-		return ValidatePermissions(ctx, rv.ssarClient, &authv1.ResourceAttributes{
+		return rv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,