refactor permissions package and preflight check

to allow configuring whether it uses SelfSubjectAccessReview or SelfSubjectRulesReview to determine if a user has the appropriate permissions. Defaults to SelfSubjectAccessReview for backwards compatibility Signed-off-by: everettraven <[email protected]>
carvel-dev · Apr 17, 2024 · cb68443 · cb68443
1 parent deefc9a
commit cb68443
Show file tree

Hide file tree

Showing 97 changed files with 14,506 additions and 45 deletions.
diff --git a/go.mod b/go.mod
@@ -22,8 +22,10 @@ require (
 	k8s.io/api v0.29.3
 	k8s.io/apiextensions-apiserver v0.29.3
 	k8s.io/apimachinery v0.29.3
+	k8s.io/apiserver v0.29.3
 	k8s.io/client-go v0.29.3
 	k8s.io/component-helpers v0.29.3
+	k8s.io/kubernetes v1.29.4
 	sigs.k8s.io/yaml v1.4.0
 )
 

diff --git a/go.sum b/go.sum
@@ -22,9 +22,17 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/aws/aws-lambda-go v1.26.0/go.mod h1:jJmlefzPfGnckuHdXX7/80O3BvUUi12XOkbv4w9SGLU=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
+github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
+github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -205,6 +213,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
@@ -254,12 +264,20 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
+github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
+github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
+github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -516,14 +534,20 @@ k8s.io/apiextensions-apiserver v0.29.3 h1:9HF+EtZaVpFjStakF4yVufnXGPRppWFEQ87qnO
 k8s.io/apiextensions-apiserver v0.29.3/go.mod h1:po0XiY5scnpJfFizNGo6puNU6Fq6D70UJY2Cb2KwAVc=
 k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU=
 k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU=
+k8s.io/apiserver v0.29.3 h1:xR7ELlJ/BZSr2n4CnD3lfA4gzFivh0wwfNfz9L0WZcE=
+k8s.io/apiserver v0.29.3/go.mod h1:hrvXlwfRulbMbBgmWRQlFru2b/JySDpmzvQwwk4GUOs=
 k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg=
 k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0=
+k8s.io/component-base v0.29.3 h1:Oq9/nddUxlnrCuuR2K/jp6aflVvc0uDvxMzAWxnGzAo=
+k8s.io/component-base v0.29.3/go.mod h1:Yuj33XXjuOk2BAaHsIGHhCKZQAgYKhqIxIjIr2UXYio=
 k8s.io/component-helpers v0.29.3 h1:1dqZswuZgT2ZMixYeORyCUOAApXxgsvjVSgfoUT+P4o=
 k8s.io/component-helpers v0.29.3/go.mod h1:yiDqbRQrnQY+sPju/bL7EkwDJb6LVOots53uZNMZBos=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
+k8s.io/kubernetes v1.29.4 h1:n4VCbX9cUhxHI+zw+m2iZlzT73/mrEJBHIMeauh9g4U=
+k8s.io/kubernetes v1.29.4/go.mod h1:28sDhcb87LX5z3GWAKYmLrhrifxi4W9bEWua4DRTIvk=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

diff --git a/pkg/kapp/permissions/basic.go b/pkg/kapp/permissions/basic.go
@@ -9,24 +9,23 @@ import (
 	ctlres "github.com/vmware-tanzu/carvel-kapp/pkg/kapp/resources"
 	authv1 "k8s.io/api/authorization/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
-	authv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
 )
 
 // BasicValidator is a basic validator useful for
 // validating basic CRUD permissions for resources. It has no knowledge
 // of how to handle permission evaluation for specific
 // GroupVersionKinds
 type BasicValidator struct {
-	ssarClient authv1client.SelfSubjectAccessReviewInterface
-	mapper     meta.RESTMapper
+	permissionValidator PermissionValidator
+	mapper              meta.RESTMapper
 }
 
 var _ Validator = (*BasicValidator)(nil)
 
-func NewBasicValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface, mapper meta.RESTMapper) *BasicValidator {
+func NewBasicValidator(pv PermissionValidator, mapper meta.RESTMapper) *BasicValidator {
 	return &BasicValidator{
-		ssarClient: ssarClient,
-		mapper:     mapper,
+		permissionValidator: pv,
+		mapper:              mapper,
 	}
 }
 
@@ -36,7 +35,7 @@ func (bv *BasicValidator) Validate(ctx context.Context, res ctlres.Resource, ver
 		return err
 	}
 
-	return ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+	return bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 		Group:     mapping.Resource.Group,
 		Version:   mapping.Resource.Version,
 		Resource:  mapping.Resource.Resource,

diff --git a/pkg/kapp/permissions/binding.go b/pkg/kapp/permissions/binding.go
@@ -12,7 +12,6 @@ import (
 	authv1 "k8s.io/api/authorization/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
-	authv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
 	rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
 	"k8s.io/component-helpers/auth/rbac/validation"
 )
@@ -21,18 +20,18 @@ import (
 // for validating permissions required to CRUD
 // Kubernetes (Cluster)RoleBinding resources
 type BindingValidator struct {
-	ssarClient authv1client.SelfSubjectAccessReviewInterface
-	rbacClient rbacv1client.RbacV1Interface
-	mapper     meta.RESTMapper
+	permissionValidator PermissionValidator
+	rbacClient          rbacv1client.RbacV1Interface
+	mapper              meta.RESTMapper
 }
 
 var _ Validator = (*BindingValidator)(nil)
 
-func NewBindingValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface, rbacClient rbacv1client.RbacV1Interface, mapper meta.RESTMapper) *BindingValidator {
+func NewBindingValidator(pv PermissionValidator, rbacClient rbacv1client.RbacV1Interface, mapper meta.RESTMapper) *BindingValidator {
 	return &BindingValidator{
-		rbacClient: rbacClient,
-		ssarClient: ssarClient,
-		mapper:     mapper,
+		rbacClient:          rbacClient,
+		permissionValidator: pv,
+		mapper:              mapper,
 	}
 }
 
@@ -47,7 +46,7 @@ func (bv *BindingValidator) Validate(ctx context.Context, res ctlres.Resource, v
 		// do early validation on create / update to see if a user has
 		// the "bind" permissions which allows them to perform
 		// privilege escalation and create any (Cluster)Role
-		err := ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+		err := bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,
@@ -63,7 +62,7 @@ func (bv *BindingValidator) Validate(ctx context.Context, res ctlres.Resource, v
 		}
 
 		// Check if user has permissions to even create/update the resource
-		err = ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+		err = bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,
@@ -98,7 +97,7 @@ func (bv *BindingValidator) Validate(ctx context.Context, res ctlres.Resource, v
 				if len(subrule.ResourceNames) > 0 {
 					resourceName = subrule.ResourceNames[0]
 				}
-				err := ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+				err := bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 					Group:     subrule.APIGroups[0],
 					Resource:  subrule.Resources[0],
 					Namespace: res.Namespace(),
@@ -116,7 +115,7 @@ func (bv *BindingValidator) Validate(ctx context.Context, res ctlres.Resource, v
 			return errors.Join(append([]error{baseErr}, errorSet...)...)
 		}
 	default:
-		return ValidatePermissions(ctx, bv.ssarClient, &authv1.ResourceAttributes{
+		return bv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,

diff --git a/pkg/kapp/permissions/preflight.go b/pkg/kapp/permissions/preflight.go
@@ -5,7 +5,9 @@ package permissions
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
+	"fmt"
 
 	cmdcore "github.com/vmware-tanzu/carvel-kapp/pkg/kapp/cmd/core"
 	ctldgraph "github.com/vmware-tanzu/carvel-kapp/pkg/kapp/diffgraph"
@@ -20,12 +22,25 @@ import (
 type Preflight struct {
 	depsFactory cmdcore.DepsFactory
 	enabled     bool
+	config      *PreflightConfig
+}
+
+const (
+	PermissionValidatorTypeSelfSubjectAccessReview = "SelfSubjectAccessReview"
+	PermissionValidatorTypeSelfSubjectRulesReview  = "SelfSubjectRulesReviews"
+)
+
+type PreflightConfig struct {
+	PermissionValidatorType string `json:"permissionValidatorResource"`
 }
 
 func NewPreflight(depsFactory cmdcore.DepsFactory, enabled bool) preflight.Check {
 	return &Preflight{
 		depsFactory: depsFactory,
 		enabled:     enabled,
+		config: &PreflightConfig{
+			PermissionValidatorType: PermissionValidatorTypeSelfSubjectAccessReview,
+		},
 	}
 }
 
@@ -37,7 +52,27 @@ func (p *Preflight) SetEnabled(enabled bool) {
 	p.enabled = enabled
 }
 
-func (p *Preflight) SetConfig(_ preflight.CheckConfig) error {
+func (p *Preflight) SetConfig(cfg preflight.CheckConfig) error {
+	pCfg := &PreflightConfig{}
+	cfgBytes, err := json.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("converting CheckConfig to bytes: %w", err)
+	}
+
+	err = json.Unmarshal(cfgBytes, pCfg)
+	if err != nil {
+		return fmt.Errorf("parsing permissions preflight config: %w", err)
+	}
+
+	switch pCfg.PermissionValidatorType {
+	case PermissionValidatorTypeSelfSubjectAccessReview:
+	case PermissionValidatorTypeSelfSubjectRulesReview:
+	// Default to using SelfSubjectAccessReview
+	case "":
+		pCfg.PermissionValidatorType = PermissionValidatorTypeSelfSubjectAccessReview
+	default:
+		return fmt.Errorf("unknown permissionValidatorType %q", pCfg.PermissionValidatorType)
+	}
 	return nil
 }
 
@@ -52,9 +87,17 @@ func (p *Preflight) Run(ctx context.Context, changeGraph *ctldgraph.ChangeGraph)
 		return err
 	}
 
-	roleValidator := NewRoleValidator(client.AuthorizationV1().SelfSubjectAccessReviews(), mapper)
-	bindingValidator := NewBindingValidator(client.AuthorizationV1().SelfSubjectAccessReviews(), client.RbacV1(), mapper)
-	basicValidator := NewBasicValidator(client.AuthorizationV1().SelfSubjectAccessReviews(), mapper)
+	var permissionValidator PermissionValidator
+	switch p.config.PermissionValidatorType {
+	case PermissionValidatorTypeSelfSubjectAccessReview:
+		permissionValidator = NewSelfSubjectAccessReviewValidator(client.AuthorizationV1().SelfSubjectAccessReviews())
+	case PermissionValidatorTypeSelfSubjectRulesReview:
+		permissionValidator = NewSelfSubjectRulesReviewValidator(client.AuthorizationV1().SelfSubjectRulesReviews())
+	}
+
+	roleValidator := NewRoleValidator(permissionValidator, mapper)
+	bindingValidator := NewBindingValidator(permissionValidator, client.RbacV1(), mapper)
+	basicValidator := NewBasicValidator(permissionValidator, mapper)
 
 	validator := NewCompositeValidator(basicValidator, map[schema.GroupVersionKind]Validator{
 		rbacv1.SchemeGroupVersion.WithKind("Role"):               roleValidator,

diff --git a/pkg/kapp/permissions/role.go b/pkg/kapp/permissions/role.go
@@ -12,24 +12,23 @@ import (
 	authv1 "k8s.io/api/authorization/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
-	authv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
 	"k8s.io/component-helpers/auth/rbac/validation"
 )
 
 // RoleValidator is a Validator implementation
 // for validating permissions required to CRUD
 // Kubernetes (Cluster)Role resources
 type RoleValidator struct {
-	ssarClient authv1client.SelfSubjectAccessReviewInterface
-	mapper     meta.RESTMapper
+	permissionValidator PermissionValidator
+	mapper              meta.RESTMapper
 }
 
 var _ Validator = (*RoleValidator)(nil)
 
-func NewRoleValidator(ssarClient authv1client.SelfSubjectAccessReviewInterface, mapper meta.RESTMapper) *RoleValidator {
+func NewRoleValidator(pv PermissionValidator, mapper meta.RESTMapper) *RoleValidator {
 	return &RoleValidator{
-		ssarClient: ssarClient,
-		mapper:     mapper,
+		permissionValidator: pv,
+		mapper:              mapper,
 	}
 }
 
@@ -44,7 +43,7 @@ func (rv *RoleValidator) Validate(ctx context.Context, res ctlres.Resource, verb
 		// do early validation on create / update to see if a user has
 		// the "escalate" permissions which allows them to perform
 		// privilege escalation and create any (Cluster)Role
-		err := ValidatePermissions(ctx, rv.ssarClient, &authv1.ResourceAttributes{
+		err := rv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,
@@ -60,7 +59,7 @@ func (rv *RoleValidator) Validate(ctx context.Context, res ctlres.Resource, verb
 		}
 
 		// Check if user has permissions to even create/update the resource
-		err = ValidatePermissions(ctx, rv.ssarClient, &authv1.ResourceAttributes{
+		err = rv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,
@@ -92,7 +91,7 @@ func (rv *RoleValidator) Validate(ctx context.Context, res ctlres.Resource, verb
 				if len(subrule.ResourceNames) > 0 {
 					resourceName = subrule.ResourceNames[0]
 				}
-				err := ValidatePermissions(ctx, rv.ssarClient, &authv1.ResourceAttributes{
+				err := rv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 					Group:     subrule.APIGroups[0],
 					Resource:  subrule.Resources[0],
 					Namespace: res.Namespace(),
@@ -110,7 +109,7 @@ func (rv *RoleValidator) Validate(ctx context.Context, res ctlres.Resource, verb
 			return errors.Join(append([]error{baseErr}, errorSet...)...)
 		}
 	default:
-		return ValidatePermissions(ctx, rv.ssarClient, &authv1.ResourceAttributes{
+		return rv.permissionValidator.ValidatePermissions(ctx, &authv1.ResourceAttributes{
 			Group:     mapping.Resource.Group,
 			Version:   mapping.Resource.Version,
 			Resource:  mapping.Resource.Resource,