pepr 0.42.1 → 0.42.3

package/src/lib/controller/index.ts

@@ -5,13 +5,13 @@ import express, { NextFunction } from "express";
 import fs from "fs";
 import https from "https";
 
-import { Capability } from "../capability";
+import { Capability } from "../core/capability";
 import { MutateResponse, ValidateResponse } from "../k8s";
 import Log from "../telemetry/logger";
 import { metricsCollector, MetricsCollector } from "../telemetry/metrics";
-import { ModuleConfig, isWatchMode } from "../module";
-import { mutateProcessor } from "../mutate-processor";
-import { validateProcessor } from "../validate-processor";
+import { ModuleConfig, isWatchMode } from "../core/module";
+import { mutateProcessor } from "../processors/mutate-processor";
+import { validateProcessor } from "../processors/validate-processor";
 import { StoreController } from "./store";
 import { AdmissionRequest } from "../types";
 import { karForMutate, karForValidate, KubeAdmissionReview } from "./index.util";

package/src/lib/controller/store.ts

@@ -5,10 +5,10 @@ import { Operation } from "fast-json-patch";
 import { K8s } from "kubernetes-fluent-client";
 import { startsWith } from "ramda";
 
-import { Capability } from "../capability";
+import { Capability } from "../core/capability";
 import { Store } from "../k8s";
 import Log, { redactedPatch, redactedStore } from "../telemetry/logger";
-import { DataOp, DataSender, DataStore, Storage } from "../storage";
+import { DataOp, DataSender, DataStore, Storage } from "../core/storage";
 import { fillStoreCache, sendUpdatesAndFlushCache } from "./storeCache";
 
 const namespace = "pepr-system";

package/src/lib/controller/storeCache.ts

@@ -1,11 +1,15 @@
-import { DataOp } from "../storage";
+import { DataOp } from "../core/storage";
 import Log from "../telemetry/logger";
 import { K8s } from "kubernetes-fluent-client";
 import { Store } from "../k8s";
 import { StatusCodes } from "http-status-codes";
 import { Operation } from "fast-json-patch";
 
-export const sendUpdatesAndFlushCache = async (cache: Record<string, Operation>, namespace: string, name: string) => {
+export const sendUpdatesAndFlushCache = async (
+  cache: Record<string, Operation>,
+  namespace: string,
+  name: string,
+): Promise<Record<string, Operation>> => {
   const indexes = Object.keys(cache);
   const payload = Object.values(cache);
 

package/src/lib/{capability.ts → core/capability.ts}

@@ -3,11 +3,11 @@
 
 import { GenericClass, GroupVersionKind, modelToGroupVersionKind } from "kubernetes-fluent-client";
 import { pickBy } from "ramda";
-import Log from "./telemetry/logger";
+import Log from "../telemetry/logger";
 import { isBuildMode, isDevMode, isWatchMode } from "./module";
 import { PeprStore, Storage } from "./storage";
 import { OnSchedule, Schedule } from "./schedule";
-import { Event } from "./enums";
+import { Event } from "../enums";
 import {
   Binding,
   BindingFilter,
@@ -22,8 +22,8 @@ import {
   FinalizeAction,
   FinalizeActionChain,
   WhenSelector,
-} from "./types";
-import { addFinalizer } from "./finalizer";
+} from "../types";
+import { addFinalizer } from "../finalizer";
 
 const registerAdmission = isBuildMode() || !isWatchMode();
 const registerWatch = isBuildMode() || isWatchMode() || isDevMode();

package/src/lib/{module.ts → core/module.ts}

@@ -2,12 +2,12 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 import { clone } from "ramda";
 import { Capability } from "./capability";
-import { Controller } from "./controller";
-import { ValidateError } from "./errors";
-import { MutateResponse, ValidateResponse, WebhookIgnore } from "./k8s";
-import { CapabilityExport, AdmissionRequest } from "./types";
-import { setupWatch } from "./watch-processor";
-import { Log } from "../lib";
+import { Controller } from "../controller";
+import { ValidateError } from "../errors";
+import { MutateResponse, ValidateResponse, WebhookIgnore } from "../k8s";
+import { CapabilityExport, AdmissionRequest } from "../types";
+import { setupWatch } from "../processors/watch-processor";
+import { Log } from "../../lib";
 import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
 /** Custom Labels Type for package.json */
@@ -58,12 +58,12 @@ export type PeprModuleOptions = {
 };
 
 // Track if this is a watch mode controller
-export const isWatchMode = () => process.env.PEPR_WATCH_MODE === "true";
+export const isWatchMode = (): boolean => process.env.PEPR_WATCH_MODE === "true";
 
 // Track if Pepr is running in build mode
-export const isBuildMode = () => process.env.PEPR_MODE === "build";
+export const isBuildMode = (): boolean => process.env.PEPR_MODE === "build";
 
-export const isDevMode = () => process.env.PEPR_MODE === "dev";
+export const isDevMode = (): boolean => process.env.PEPR_MODE === "dev";
 
 export class PeprModule {
   #controller!: Controller;
@@ -135,7 +135,7 @@ export class PeprModule {
    *
    * @param port
    */
-  start = (port = 3000) => {
+  start = (port = 3000): void => {
     this.#controller.startServer(port);
   };
 }

package/src/lib/{queue.ts → core/queue.ts}

@@ -3,7 +3,7 @@
 import { KubernetesObject } from "@kubernetes/client-node";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
 import { randomBytes } from "node:crypto";
-import Log from "./telemetry/logger";
+import Log from "../telemetry/logger";
 
 type WatchCallback = (obj: KubernetesObject, phase: WatchPhase) => Promise<void>;
 

package/src/lib/deploymentChecks.ts

@@ -4,7 +4,7 @@ import { K8s, kind } from "kubernetes-fluent-client";
 import Log from "./telemetry/logger";
 
 // returns true if all deployments are ready, false otherwise
-export async function checkDeploymentStatus(namespace: string) {
+export async function checkDeploymentStatus(namespace: string): Promise<boolean> {
   const deployments = await K8s(kind.Deployment).InNamespace(namespace).Get();
   let status = false;
   let readyCount = 0;
@@ -29,7 +29,7 @@ export async function checkDeploymentStatus(namespace: string) {
 }
 
 // wait for all deployments in the pepr-system namespace to be ready
-export async function namespaceDeploymentsReady(namespace: string = "pepr-system") {
+export async function namespaceDeploymentsReady(namespace: string = "pepr-system"): Promise<true | undefined> {
   Log.info(`Checking ${namespace} deployments status...`);
   let ready = false;
   while (!ready) {

package/src/lib/errors.ts

@@ -1,19 +1,14 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-export const Errors = {
-  audit: "audit",
-  ignore: "ignore",
-  reject: "reject",
-};
-
-export const ErrorList = Object.values(Errors);
+import { OnError } from "../cli/init/enums";
 
+export const ErrorList = Object.values(OnError) as string[];
 /**
  * Validate the error or throw an error
  * @param error
  */
-export function ValidateError(error = "") {
+export function ValidateError(error: string = ""): void {
   if (!ErrorList.includes(error)) {
     throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
   }

package/src/lib/filesystemService.ts

@@ -3,7 +3,7 @@
 
 import { promises } from "fs";
 
-export async function createDirectoryIfNotExists(path: string) {
+export async function createDirectoryIfNotExists(path: string): Promise<void> {
   try {
     await promises.access(path);
   } catch (error) {

package/src/lib/filter/adjudicators/adjudicators.ts

@@ -2,7 +2,7 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { Event, Operation } from "../../enums";
-import { AdmissionRequest, Binding } from "../../types";
+import { AdmissionRequest, Binding, FinalizeAction, WatchLogAction, MutateAction, ValidateAction } from "../../types";
 import {
   __,
   allPass,
@@ -19,7 +19,7 @@ import {
   nthArg,
   pipe,
 } from "ramda";
-import { KubernetesObject } from "kubernetes-fluent-client";
+import { GenericClass, KubernetesObject } from "kubernetes-fluent-client";
 
 /*
   Naming scheme:
@@ -77,6 +77,7 @@ export const carriedNamespace = pipe(
   (kubernetesObject: KubernetesObject): string | undefined => kubernetesObject?.metadata?.namespace,
   defaultTo(""),
 );
+
 export const carriesNamespace = pipe(carriedNamespace, equals(""), not);
 
 export const carriedAnnotations = pipe(
@@ -144,7 +145,7 @@ export const definesVersion = pipe(definedVersion, equals(""), not);
 export const definedKind = pipe((binding): string => binding?.kind?.kind, defaultTo(""));
 export const definesKind = pipe(definedKind, equals(""), not);
 
-export const definedCategory = (binding: Partial<Binding>) => {
+export const definedCategory = (binding: Partial<Binding>): string => {
   // Ordering matters, finalize is a "watch"
   // prettier-ignore
   return binding.isFinalize ? "Finalize" :
@@ -153,8 +154,15 @@ export const definedCategory = (binding: Partial<Binding>) => {
     binding.isValidate ? "Validate" :
     "";
 };
-
-export const definedCallback = (binding: Partial<Binding>) => {
+export type DefinedCallbackReturnType =
+  | FinalizeAction<GenericClass, InstanceType<GenericClass>>
+  | WatchLogAction<GenericClass, InstanceType<GenericClass>>
+  | MutateAction<GenericClass, InstanceType<GenericClass>>
+  | ValidateAction<GenericClass, InstanceType<GenericClass>>
+  | null
+  | undefined;
+
+export const definedCallback = (binding: Partial<Binding>): DefinedCallbackReturnType => {
   // Ordering matters, finalize is a "watch"
   // prettier-ignore
   return binding.isFinalize ? binding.finalizeCallback :
@@ -241,10 +249,21 @@ export const mismatchedLabels = allPass([
   pipe((binding, kubernetesObject) => metasMismatch(definedLabels(binding), carriedLabels(kubernetesObject))),
 ]);
 
+/*
+ * If the object does not have a namespace, and it is not a namespace,
+ * then we must return false because it cannot be uncarryable
+ */
 export const uncarryableNamespace = allPass([
   pipe(nthArg(0), length, gt(__, 0)),
-  pipe(nthArg(1), carriesNamespace),
-  pipe((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject)), not),
+  pipe((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+    return true;
+  }, not),
 ]);
 
 export const missingCarriableNamespace = allPass([
@@ -256,10 +275,22 @@ export const missingCarriableNamespace = allPass([
   ),
 ]);
 
+/*
+ * If the object does not have a namespace, and it is not a namespace,
+ * then we must return false because it cannot be ignored
+ */
 export const carriesIgnoredNamespace = allPass([
   pipe(nthArg(0), length, gt(__, 0)),
-  pipe(nthArg(1), carriesNamespace),
-  pipe((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject))),
+  pipe((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+
+    return false;
+  }),
 ]);
 
 export const unbindableNamespaces = allPass([

package/src/lib/filter/filter.ts

@@ -3,48 +3,55 @@
 
 import { AdmissionRequest, Binding } from "../types";
 import { Operation } from "../enums";
+import { KubernetesObject } from "kubernetes-fluent-client";
 import {
-  carriesIgnoredNamespace,
+  carriedAnnotations,
+  carriedLabels,
   carriedName,
-  definedEvent,
-  declaredOperation,
-  definedName,
-  definedGroup,
+  carriedNamespace,
+  carriesIgnoredNamespace,
   declaredGroup,
-  definedVersion,
+  declaredKind,
+  declaredOperation,
   declaredVersion,
+  definedAnnotations,
+  definedEvent,
+  definedGroup,
   definedKind,
-  declaredKind,
-  definedNamespaces,
-  carriedNamespace,
   definedLabels,
-  carriedLabels,
-  definedAnnotations,
-  carriedAnnotations,
-  definedNamespaceRegexes,
+  definedName,
   definedNameRegex,
+  definedNamespaceRegexes,
+  definedNamespaces,
+  definedVersion,
   misboundDeleteWithDeletionTimestamp,
-  mismatchedDeletionTimestamp,
+  misboundNamespace,
   mismatchedAnnotations,
+  mismatchedDeletionTimestamp,
+  mismatchedEvent,
+  mismatchedGroup,
+  mismatchedKind,
   mismatchedLabels,
   mismatchedName,
   mismatchedNameRegex,
   mismatchedNamespace,
   mismatchedNamespaceRegex,
-  mismatchedEvent,
-  mismatchedGroup,
   mismatchedVersion,
-  mismatchedKind,
   missingCarriableNamespace,
   unbindableNamespaces,
   uncarryableNamespace,
 } from "./adjudicators/adjudicators";
 
+type AdjudicationResult = string | null;
+type Adjudicator = () => AdjudicationResult;
+
 /**
- * shouldSkipRequest determines if a request should be skipped based on the binding filters.
+ * shouldSkipRequest determines if an admission request should be skipped based on the binding filters.
  *
  * @param binding the action binding
  * @param req the incoming request
+ * @param capabilityNamespaces the namespaces allowed by capability
+ * @param ignoredNamespaces the namespaces ignored by module config
  * @returns
  */
 export function shouldSkipRequest(
@@ -53,99 +60,185 @@ export function shouldSkipRequest(
   capabilityNamespaces: string[],
   ignoredNamespaces?: string[],
 ): string {
-  const prefix = "Ignoring Admission Callback:";
   const obj = (req.operation === Operation.DELETE ? req.oldObject : req.object)!;
+  const prefix = "Ignoring Admission Callback:";
 
-  // prettier-ignore
-  return (
-    misboundDeleteWithDeletionTimestamp(binding) ?
-      `${prefix} Cannot use deletionTimestamp filter on a DELETE operation.` :
-
-    mismatchedDeletionTimestamp(binding, obj) ?
-      `${prefix} Binding defines deletionTimestamp but Object does not carry it.` :
-
-    mismatchedEvent(binding, req) ?
-      (
-        `${prefix} Binding defines event '${definedEvent(binding)}' but ` +
-        `Request declares '${declaredOperation(req)}'.`
-      ) :
-
-    mismatchedName(binding, obj) ?
-      `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` :
-
-    mismatchedGroup(binding, req) ?
-      (
-        `${prefix} Binding defines group '${definedGroup(binding)}' but ` +
-        `Request declares '${declaredGroup(req)}'.`
-      ) :
-
-    mismatchedVersion(binding, req) ?
-      (
-        `${prefix} Binding defines version '${definedVersion(binding)}' but ` +
-        `Request declares '${declaredVersion(req)}'.`
-      ) :
-
-    mismatchedKind(binding, req) ?
-      (
-        `${prefix} Binding defines kind '${definedKind(binding)}' but ` +
-        `Request declares '${declaredKind(req)}'.`
-      ) :
-
-    unbindableNamespaces(capabilityNamespaces, binding) ?
-      (
-        `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} ` +
-        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
-      ) :
-
-    uncarryableNamespace(capabilityNamespaces, obj) ?
-      (
-        `${prefix} Object carries namespace '${carriedNamespace(obj)}' ` +
-        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
-      ) :
-
-    mismatchedNamespace(binding, obj) ?
-      (
-        `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' ` +
-        `but Object carries '${carriedNamespace(obj)}'.`
-      ) :
-
-    mismatchedLabels(binding, obj) ?
-      (
-        `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' ` +
-        `but Object carries '${JSON.stringify(carriedLabels(obj))}'.`
-      ) :
-
-    mismatchedAnnotations(binding, obj) ?
-      (
-        `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' ` +
-        `but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.`
-      ) :
-
-    mismatchedNamespaceRegex(binding, obj) ?
-      (
-        `${prefix} Binding defines namespace regexes ` +
-        `'${JSON.stringify(definedNamespaceRegexes(binding))}' ` +
-        `but Object carries '${carriedNamespace(obj)}'.`
-      ) :
-
-    mismatchedNameRegex(binding, obj) ?
-      (
-        `${prefix} Binding defines name regex '${definedNameRegex(binding)}' ` +
-        `but Object carries '${carriedName(obj)}'.`
-      ) :
-
-    carriesIgnoredNamespace(ignoredNamespaces, obj) ?
-      (
-        `${prefix} Object carries namespace '${carriedNamespace(obj)}' ` +
-        `but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
-      ) :
-
-    missingCarriableNamespace(capabilityNamespaces, obj) ? 
-      (
-        `${prefix} Object does not carry a namespace ` +
-        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
-      ) :
-
-    ""
-  );
+  const adjudicators: Adjudicator[] = [
+    (): AdjudicationResult => adjudicateMisboundDeleteWithDeletionTimestamp(binding),
+    (): AdjudicationResult => adjudicateMismatchedDeletionTimestamp(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedEvent(binding, req),
+    (): AdjudicationResult => adjudicateMismatchedName(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedGroup(binding, req),
+    (): AdjudicationResult => adjudicateMismatchedVersion(binding, req),
+    (): AdjudicationResult => adjudicateMismatchedKind(binding, req),
+    (): AdjudicationResult => adjudicateUnbindableNamespaces(capabilityNamespaces, binding),
+    (): AdjudicationResult => adjudicateUncarryableNamespace(capabilityNamespaces, obj),
+    (): AdjudicationResult => adjudicateMismatchedNamespace(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedLabels(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedAnnotations(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedNamespaceRegex(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedNameRegex(binding, obj),
+    (): AdjudicationResult => adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj),
+    (): AdjudicationResult => adjudicateMissingCarriableNamespace(capabilityNamespaces, obj),
+  ];
+
+  for (const adjudicator of adjudicators) {
+    const result = adjudicator();
+    if (result) {
+      return `${prefix} ${result}`;
+    }
+  }
+
+  return "";
+}
+
+/**
+ * filterNoMatchReason determines whether a callback should be skipped after
+ *  receiving an update event from the API server, based on the binding filters.
+ *
+ * @param binding the action binding
+ * @param kubernetesObject the incoming kubernetes object
+ * @param capabilityNamespaces the namespaces allowed by capability
+ * @param ignoredNamespaces the namespaces ignored by module config
+ */
+export function filterNoMatchReason(
+  binding: Binding,
+  obj: Partial<KubernetesObject>,
+  capabilityNamespaces: string[],
+  ignoredNamespaces?: string[],
+): string {
+  const prefix = "Ignoring Watch Callback:";
+
+  const adjudicators: Adjudicator[] = [
+    (): AdjudicationResult => adjudicateMismatchedDeletionTimestamp(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedName(binding, obj),
+    (): AdjudicationResult => adjudicateMisboundNamespace(binding),
+    (): AdjudicationResult => adjudicateMismatchedLabels(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedAnnotations(binding, obj),
+    (): AdjudicationResult => adjudicateUncarryableNamespace(capabilityNamespaces, obj),
+    (): AdjudicationResult => adjudicateUnbindableNamespaces(capabilityNamespaces, binding),
+    (): AdjudicationResult => adjudicateMismatchedNamespace(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedNamespaceRegex(binding, obj),
+    (): AdjudicationResult => adjudicateMismatchedNameRegex(binding, obj),
+    (): AdjudicationResult => adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj),
+    (): AdjudicationResult => adjudicateMissingCarriableNamespace(capabilityNamespaces, obj),
+  ];
+
+  for (const adjudicator of adjudicators) {
+    const result = adjudicator();
+    if (result) {
+      return `${prefix} ${result}`;
+    }
+  }
+
+  return "";
+}
+
+export function adjudicateMisboundNamespace(binding: Binding): AdjudicationResult {
+  return misboundNamespace(binding) ? "Cannot use namespace filter on a namespace object." : null;
+}
+
+export function adjudicateMisboundDeleteWithDeletionTimestamp(binding: Binding): AdjudicationResult {
+  return misboundDeleteWithDeletionTimestamp(binding)
+    ? "Cannot use deletionTimestamp filter on a DELETE operation."
+    : null;
+}
+
+export function adjudicateMismatchedDeletionTimestamp(binding: Binding, obj: KubernetesObject): AdjudicationResult {
+  return mismatchedDeletionTimestamp(binding, obj)
+    ? "Binding defines deletionTimestamp but Object does not carry it."
+    : null;
+}
+
+export function adjudicateMismatchedEvent(binding: Binding, req: AdmissionRequest): AdjudicationResult {
+  return mismatchedEvent(binding, req)
+    ? `Binding defines event '${definedEvent(binding)}' but Request declares '${declaredOperation(req)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedName(binding: Binding, obj: KubernetesObject): AdjudicationResult {
+  return mismatchedName(binding, obj)
+    ? `Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedGroup(binding: Binding, req: AdmissionRequest): AdjudicationResult {
+  return mismatchedGroup(binding, req)
+    ? `Binding defines group '${definedGroup(binding)}' but Request declares '${declaredGroup(req)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedVersion(binding: Binding, req: AdmissionRequest): AdjudicationResult {
+  return mismatchedVersion(binding, req)
+    ? `Binding defines version '${definedVersion(binding)}' but Request declares '${declaredVersion(req)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedKind(binding: Binding, req: AdmissionRequest): AdjudicationResult {
+  return mismatchedKind(binding, req)
+    ? `Binding defines kind '${definedKind(binding)}' but Request declares '${declaredKind(req)}'.`
+    : null;
+}
+
+export function adjudicateUnbindableNamespaces(capabilityNamespaces: string[], binding: Binding): AdjudicationResult {
+  return unbindableNamespaces(capabilityNamespaces, binding)
+    ? `Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+    : null;
+}
+
+export function adjudicateUncarryableNamespace(
+  capabilityNamespaces: string[],
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return uncarryableNamespace(capabilityNamespaces, obj)
+    ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedNamespace(binding: Binding, obj: KubernetesObject): AdjudicationResult {
+  return mismatchedNamespace(binding, obj)
+    ? `Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedLabels(binding: Binding, obj: KubernetesObject): AdjudicationResult {
+  return mismatchedLabels(binding, obj)
+    ? `Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.`
+    : null;
+}
+
+export function adjudicateMismatchedAnnotations(binding: Binding, obj: KubernetesObject): AdjudicationResult {
+  return mismatchedAnnotations(binding, obj)
+    ? `Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.`
+    : null;
+}
+
+export function adjudicateMismatchedNamespaceRegex(binding: Binding, obj: KubernetesObject): AdjudicationResult {
+  return mismatchedNamespaceRegex(binding, obj)
+    ? `Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedNameRegex(binding: Binding, obj: KubernetesObject): AdjudicationResult {
+  return mismatchedNameRegex(binding, obj)
+    ? `Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.`
+    : null;
+}
+
+export function adjudicateCarriesIgnoredNamespace(
+  ignoredNamespaces: string[] | undefined,
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return carriesIgnoredNamespace(ignoredNamespaces, obj)
+    ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
+    : null;
+}
+
+export function adjudicateMissingCarriableNamespace(
+  capabilityNamespaces: string[],
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return missingCarriableNamespace(capabilityNamespaces, obj)
+    ? `Object does not carry a namespace but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+    : null;
 }

package/src/lib/finalizer.ts

@@ -7,7 +7,7 @@ import { Binding, DeepPartial } from "./types";
 import { Operation } from "./enums";
 import { PeprMutateRequest } from "./mutate-request";
 
-export function addFinalizer<K extends KubernetesObject>(request: PeprMutateRequest<K>) {
+export function addFinalizer<K extends KubernetesObject>(request: PeprMutateRequest<K>): void {
   // if a DELETE is being processed, don't add a finalizer
   if (request.Request.operation === Operation.DELETE) {
     return;
@@ -28,7 +28,7 @@ export function addFinalizer<K extends KubernetesObject>(request: PeprMutateRequ
   request.Merge({ metadata: { finalizers } } as DeepPartial<K>);
 }
 
-export async function removeFinalizer(binding: Binding, obj: KubernetesObject) {
+export async function removeFinalizer(binding: Binding, obj: KubernetesObject): Promise<void> {
   const peprFinal = "pepr.dev/finalizer";
   const meta = obj.metadata!;
   const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;