Validators logic fix

This PR fixes the logic in the permitted group Validators. If a permitted groups is not found, the webhook will log it but will not raise and error and continue running on the rest of the groups

internal/common/validators.go

@@ -3,6 +3,7 @@ package common
 import (
 	"context"
 	"fmt"
+	"k8s.io/apimachinery/pkg/api/errors"
 	"net/http"
 	"os"
 	"slices"
@@ -24,7 +25,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
-const PERMITTEDGROUPLABEL = "PERMITTED_GROUPS"
+const PermittedGroups = "PERMITTED_GROUPS"
 
 // ValidateNamespaceExist validates that a namespace exists.
 func ValidateNamespaceExist(ns *objectcontext.ObjectContext) admission.Response {
@@ -209,16 +210,20 @@ func CheckGroup(ctx context.Context, user, groupName string, k8sClient client.Cl
 func ValidatePermittedGroups(ctx context.Context, user string, k8sClient client.Client) (bool, error) {
 	logger := log.FromContext(ctx)
 
-	permittedGroups, found := os.LookupEnv(PERMITTEDGROUPLABEL)
+	permittedGroups, found := os.LookupEnv(PermittedGroups)
 	if !found {
 		logger.Info("no permitted groups found")
 	} else {
 		permittedGroupsSlice := strings.Split(permittedGroups, ",")
 		for _, groupName := range permittedGroupsSlice {
 			inGroup, err := CheckGroup(ctx, user, groupName, k8sClient)
 			if err != nil {
-				logger.Info(fmt.Sprintf("group %s not found", groupName))
-				return false, nil
+				if errors.IsNotFound(err) {
+					logger.Info(fmt.Sprintf("group %s not found", groupName))
+				} else {
+					logger.Error(err, "failed checking if user in group")
+					return false, nil
+				}
 			}
 			if inGroup {
 				logger.Info(fmt.Sprintf("user %s found in group %s", user, groupName))