From 9c70729f69610d23ad33181e76bf880ccbc3224f Mon Sep 17 00:00:00 2001
From: David Grove
Date: Sat, 7 Feb 2026 11:56:39 -0500
Subject: [PATCH] Protect kindToResourceCache with RWMutex

Fixes #384
---
 internal/webhook/appwrapper_webhook.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/internal/webhook/appwrapper_webhook.go b/internal/webhook/appwrapper_webhook.go
index bd4fce7..39ae9db 100644
--- a/internal/webhook/appwrapper_webhook.go
+++ b/internal/webhook/appwrapper_webhook.go
@@ -20,6 +20,7 @@ import (
 "bytes"
 "context"
 "fmt"
+ "sync"

 authv1 "k8s.io/api/authorization/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -56,6 +57,7 @@ var (
 type rbacACSupport struct {
 discoveryClient *discovery.DiscoveryClient
 subjectAccessReviewer authClientv1.SubjectAccessReviewInterface
+ cacheMutex sync.RWMutex
 kindToResourceCache map[string]string
 }

@@ -281,16 +283,21 @@ func (w *appWrapperWebhook) validateAppWrapperUpdate(old *awv1beta2.AppWrapper,
 }

 func (w *appWrapperWebhook) lookupResource(gvk *schema.GroupVersionKind) string {
+ w.rbacACSupport.cacheMutex.RLock()
 if known, ok := w.rbacACSupport.kindToResourceCache[gvk.String()]; ok {
+ w.rbacACSupport.cacheMutex.RUnlock()
 return known
 }
+ w.rbacACSupport.cacheMutex.RUnlock()
 resources, err := w.rbacACSupport.discoveryClient.ServerResourcesForGroupVersion(gvk.GroupVersion().String())
 if err != nil {
 return "*"
 }
 for _, r := range resources.APIResources {
 if r.Kind == gvk.Kind {
+ w.rbacACSupport.cacheMutex.Lock()
 w.rbacACSupport.kindToResourceCache[gvk.String()] = r.Name
+ w.rbacACSupport.cacheMutex.Unlock()
 return r.Name
 }
 }
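Review bot: The new `cacheMutex` field in `rbacACSupport` is stored by value and carries no comment saying what it protects; I would add `// cacheMutex guards kindToResourceCache.` directly above it. A `sync.RWMutex` must not be copied after first use, so it is worth confirming that `rbacACSupport` is never assigned or passed by value once the webhook is serving requests; how `appWrapperWebhook` holds it is declared outside this hunk, so that cannot be checked from here. The `copylocks` analyzer in `go vet` will report such a copy if one exists.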
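Review bot: The read path of `lookupResource` releases the read lock by hand on two separate branches and evaluates `gvk.String()` while the lock is held. Computing `key := gvk.String()` before `RLock()`, reading with `known, ok := w.rbacACSupport.kindToResourceCache[key]`, and then calling `RUnlock()` once ahead of `if ok { return known }` leaves a single unlock site and only the map read under the lock, so a panic in that call (a nil `gvk`, for instance), if it is recovered further up, cannot leave the read lock held and stall every later writer. Two concurrent misses for the same kind can still both reach discovery between `RUnlock()` and `Lock()`; that looks benign because both store the same value, but a short comment such as `// duplicate lookups on a concurrent miss are harmless: both store the same name` would save the next reader the analysis. The function body continues past the end of the hunk.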