refactor: overridden to affected policy map

controllers/authpolicy_authconfig.go

@@ -67,14 +67,14 @@ func (r *AuthPolicyReconciler) desiredAuthConfig(ctx context.Context, ap *api.Au
 
 	switch obj := targetNetworkObject.(type) {
 	case *gatewayapiv1.HTTPRoute:
-		ok, err := routeGatewayHasAuthOverrides(ctx, obj, r.Client())
+		keys, err := routeGatewayHasAuthOverrides(ctx, obj, r.Client())
 		if err != nil {
 			return nil, err
 		}
-		if ok {
+		if len(keys) != 0 {
 			logger.V(1).Info("targeted gateway has authpolicy with atomic overrides, skipping authorino authconfig for the HTTPRoute authpolicy")
 			utils.TagObjectToDelete(authConfig)
-			r.OverriddenPolicyMap.SetOverriddenPolicy(ap, []client.ObjectKey{})
+			r.AffectedPolicyMap.SetAffectedPolicy(ap, keys)
 			return authConfig, nil
 		}
 		route = obj
@@ -105,7 +105,14 @@ func (r *AuthPolicyReconciler) desiredAuthConfig(ctx context.Context, ap *api.Au
 		if len(rules) == 0 {
 			logger.V(1).Info("no httproutes attached to the targeted gateway, skipping authorino authconfig for the gateway authpolicy")
 			utils.TagObjectToDelete(authConfig)
-			r.OverriddenPolicyMap.SetOverriddenPolicy(ap, []client.ObjectKey{})
+			obj := targetNetworkObject.(*gatewayapiv1.Gateway)
+			gatewayWrapper := kuadrant.GatewayWrapper{Gateway: obj, Referrer: ap}
+			refs := gatewayWrapper.PolicyRefs()
+			filteredRef := utils.Filter(refs, func(key client.ObjectKey) bool {
+				return key != client.ObjectKeyFromObject(ap)
+			})
+
+			r.AffectedPolicyMap.SetAffectedPolicy(ap, filteredRef)
 			return authConfig, nil
 		}
 		route = &gatewayapiv1.HTTPRoute{
@@ -116,8 +123,8 @@ func (r *AuthPolicyReconciler) desiredAuthConfig(ctx context.Context, ap *api.Au
 		}
 	}
 
-	// AuthPolicy is not overridden if we still need to create an AuthConfig for it
-	r.OverriddenPolicyMap.RemoveOverriddenPolicy(ap)
+	// AuthPolicy is not Affected if we still need to create an AuthConfig for it
+	r.AffectedPolicyMap.RemoveAffectedPolicy(ap)
 
 	// hosts
 	authConfig.Spec.Hosts = hosts
@@ -186,14 +193,15 @@ func (r *AuthPolicyReconciler) desiredAuthConfig(ctx context.Context, ap *api.Au
 }
 
 // routeGatewayHasAuthOverrides return true when the gateway which a route is attached to has an attached authPolicy that defines atomic overrides
-func routeGatewayHasAuthOverrides(ctx context.Context, route *gatewayapiv1.HTTPRoute, c client.Client) (bool, error) {
+func routeGatewayHasAuthOverrides(ctx context.Context, route *gatewayapiv1.HTTPRoute, c client.Client) ([]client.ObjectKey, error) {
+	var overridingPolicyKeys []client.ObjectKey
 	for idx := range route.Spec.ParentRefs {
 		parentRef := route.Spec.ParentRefs[idx]
 		gw := &gatewayapiv1.Gateway{}
 		namespace := ptr.Deref(parentRef.Namespace, gatewayapiv1.Namespace(route.GetNamespace()))
 		err := c.Get(ctx, client.ObjectKey{Name: string(parentRef.Name), Namespace: string(namespace)}, gw)
 		if err != nil {
-			return false, err
+			return nil, err
 		}
 
 		annotation, ok := gw.GetAnnotations()[common.AuthPolicyBackRefAnnotation]
@@ -203,14 +211,14 @@ func routeGatewayHasAuthOverrides(ctx context.Context, route *gatewayapiv1.HTTPR
 		otherAP := &api.AuthPolicy{}
 		err = c.Get(ctx, utils.NamespacedNameToObjectKey(annotation, gw.Namespace), otherAP)
 		if err != nil {
-			return false, err
+			return nil, err
 		}
 
 		if otherAP.IsAtomicOverride() {
-			return true, nil
+			overridingPolicyKeys = append(overridingPolicyKeys, client.ObjectKeyFromObject(otherAP))
 		}
 	}
-	return false, nil
+	return overridingPolicyKeys, nil
 }
 
 // authConfigName returns the name of Authorino AuthConfig CR.

controllers/authpolicy_controller.go

@@ -26,8 +26,8 @@ const authPolicyFinalizer = "authpolicy.kuadrant.io/finalizer"
 type AuthPolicyReconciler struct {
 	*reconcilers.BaseReconciler
 	TargetRefReconciler reconcilers.TargetRefReconciler
-	// OverriddenPolicyMap tracks the overridden policies to report their status.
-	OverriddenPolicyMap *kuadrant.OverriddenPolicyMap
+	// AffectedPolicyMap tracks the affected policies to report their status.
+	AffectedPolicyMap *kuadrant.AffectedPolicyMap
 }
 
 //+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies,verbs=get;list;watch;create;update;patch;delete
@@ -72,7 +72,7 @@ func (r *AuthPolicyReconciler) Reconcile(eventCtx context.Context, req ctrl.Requ
 				if delResErr == nil {
 					delResErr = err
 				}
-				return r.reconcileStatus(ctx, ap, targetNetworkObject, kuadrant.NewErrTargetNotFound(ap.Kind(), ap.GetTargetRef(), delResErr))
+				return r.reconcileStatus(ctx, ap, kuadrant.NewErrTargetNotFound(ap.Kind(), ap.GetTargetRef(), delResErr))
 			}
 			return ctrl.Result{}, err
 		}
@@ -108,7 +108,7 @@ func (r *AuthPolicyReconciler) Reconcile(eventCtx context.Context, req ctrl.Requ
 	specErr := r.reconcileResources(ctx, ap, targetNetworkObject)
 
 	// reconcile authpolicy status
-	statusResult, statusErr := r.reconcileStatus(ctx, ap, targetNetworkObject, specErr)
+	statusResult, statusErr := r.reconcileStatus(ctx, ap, specErr)
 
 	if specErr != nil {
 		return ctrl.Result{}, specErr

controllers/authpolicy_status.go

@@ -13,20 +13,18 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	api "github.com/kuadrant/kuadrant-operator/api/v1beta2"
 	"github.com/kuadrant/kuadrant-operator/pkg/library/kuadrant"
-	"github.com/kuadrant/kuadrant-operator/pkg/library/utils"
 )
 
 // reconcileStatus makes sure status block of AuthPolicy is up-to-date.
-func (r *AuthPolicyReconciler) reconcileStatus(ctx context.Context, ap *api.AuthPolicy, targetNetworkObject client.Object, specErr error) (ctrl.Result, error) {
+func (r *AuthPolicyReconciler) reconcileStatus(ctx context.Context, ap *api.AuthPolicy, specErr error) (ctrl.Result, error) {
 	logger, _ := logr.FromContext(ctx)
 	logger.V(1).Info("Reconciling AuthPolicy status", "spec error", specErr)
 
-	newStatus := r.calculateStatus(ctx, ap, targetNetworkObject, specErr)
+	newStatus := r.calculateStatus(ctx, ap, specErr)
 
 	equalStatus := ap.Status.Equals(newStatus, logger)
 	logger.V(1).Info("Status", "status is different", !equalStatus)
@@ -58,7 +56,7 @@ func (r *AuthPolicyReconciler) reconcileStatus(ctx context.Context, ap *api.Auth
 	return ctrl.Result{}, nil
 }
 
-func (r *AuthPolicyReconciler) calculateStatus(ctx context.Context, ap *api.AuthPolicy, targetNetworkObject client.Object, specErr error) *api.AuthPolicyStatus {
+func (r *AuthPolicyReconciler) calculateStatus(ctx context.Context, ap *api.AuthPolicy, specErr error) *api.AuthPolicyStatus {
 	newStatus := &api.AuthPolicyStatus{
 		Conditions:         slices.Clone(ap.Status.Conditions),
 		ObservedGeneration: ap.Status.ObservedGeneration,
@@ -72,7 +70,7 @@ func (r *AuthPolicyReconciler) calculateStatus(ctx context.Context, ap *api.Auth
 		return newStatus
 	}
 
-	enforcedCond := r.enforcedCondition(ctx, ap, targetNetworkObject)
+	enforcedCond := r.enforcedCondition(ctx, ap)
 	meta.SetStatusCondition(&newStatus.Conditions, *enforcedCond)
 
 	return newStatus
@@ -84,16 +82,16 @@ func (r *AuthPolicyReconciler) acceptedCondition(policy kuadrant.Policy, specErr
 
 // enforcedCondition checks if the provided AuthPolicy is enforced, ensuring it is properly configured and applied based
 // on the status of the associated AuthConfig and Gateway.
-func (r *AuthPolicyReconciler) enforcedCondition(ctx context.Context, policy *api.AuthPolicy, targetNetworkObject client.Object) *metav1.Condition {
+func (r *AuthPolicyReconciler) enforcedCondition(ctx context.Context, policy *api.AuthPolicy) *metav1.Condition {
 	logger, _ := logr.FromContext(ctx)
 
-	// Check if the policy is overridden
+	// Check if the policy is Affected
 	// Note: This logic assumes synchronous processing, where computing the desired AuthConfig, marking the AuthPolicy
-	// as overridden, and calculating the Enforced condition happen sequentially.
+	// as Affected, and calculating the Enforced condition happen sequentially.
 	// Introducing a goroutine in this flow could break this assumption and lead to unexpected behavior.
-	if r.OverriddenPolicyMap.IsPolicyOverridden(policy) {
-		logger.V(1).Info("Gateway Policy is overridden")
-		return r.handleGatewayPolicyOverride(policy, targetNetworkObject)
+	if r.AffectedPolicyMap.IsPolicyAffected(policy) {
+		logger.V(1).Info("Gateway Policy is Affected")
+		return r.handleGatewayPolicyOverride(policy)
 	}
 
 	// Check if the AuthConfig is ready
@@ -129,15 +127,12 @@ func (r *AuthPolicyReconciler) isAuthConfigReady(ctx context.Context, policy *ap
 	return authConfig.Status.Ready(), nil
 }
 
-// handleGatewayPolicyOverride handles the case where the Gateway Policy is overridden by filtering policy references
+// handleGatewayPolicyOverride handles the case where the Gateway Policy is Affected by filtering policy references
 // and creating a corresponding error condition.
-func (r *AuthPolicyReconciler) handleGatewayPolicyOverride(policy *api.AuthPolicy, targetNetworkObject client.Object) *metav1.Condition {
-	obj := targetNetworkObject.(*gatewayapiv1.Gateway)
-	gatewayWrapper := kuadrant.GatewayWrapper{Gateway: obj, Referrer: policy}
-	refs := gatewayWrapper.PolicyRefs()
-	filteredRef := utils.Filter(refs, func(key client.ObjectKey) bool {
-		return key != client.ObjectKeyFromObject(policy)
-	})
-
-	return kuadrant.EnforcedCondition(policy, kuadrant.NewErrOverridden(policy.Kind(), filteredRef), false)
+func (r *AuthPolicyReconciler) handleGatewayPolicyOverride(policy *api.AuthPolicy) *metav1.Condition {
+	if !r.AffectedPolicyMap.IsPolicyOverridden(policy) {
+		return kuadrant.EnforcedCondition(policy, kuadrant.NewErrUnknown(policy.Kind(), errors.New("no free routes to enforce policy")), false) // Maybe this should be a standard condition rather than an unknown condition
+	}
+
+	return kuadrant.EnforcedCondition(policy, kuadrant.NewErrOverridden(policy.Kind(), r.AffectedPolicyMap.PolicyAffectedBy(policy)), false)
 }

controllers/ratelimitpolicy_controller.go

@@ -42,8 +42,8 @@ const rateLimitPolicyFinalizer = "ratelimitpolicy.kuadrant.io/finalizer"
 type RateLimitPolicyReconciler struct {
 	*reconcilers.BaseReconciler
 	TargetRefReconciler reconcilers.TargetRefReconciler
-	// OverriddenPolicyMap tracks the overridden policies to report their status.
-	OverriddenPolicyMap *kuadrant.OverriddenPolicyMap
+	// AffectedPolicyMap tracks the affected policies to report their status.
+	AffectedPolicyMap *kuadrant.AffectedPolicyMap
 }
 
 //+kubebuilder:rbac:groups=kuadrant.io,resources=ratelimitpolicies,verbs=get;list;watch;create;update;patch;delete

controllers/ratelimitpolicy_limits.go

@@ -150,21 +150,19 @@ func (r *RateLimitPolicyReconciler) applyOverrides(ctx context.Context, rlp *kua
 	if kuadrantgatewayapi.IsTargetRefGateway(rlp.GetTargetRef()) {
 		r.applyGatewayOverrides(logger, rlp, numUnTargetedRoutes, affectedPolicies)
 	} else {
-		r.applyRouteOverrides(logger, rlp, affectedPolicies)
+		affectedPolicies = r.applyRouteOverrides(logger, rlp, affectedPolicies)
 	}
 
 	// Reconcile status for affected policies
 	for _, policy := range affectedPolicies {
-		if policy.GetUID() != rlp.GetUID() {
-			p := policy.(*kuadrantv1beta2.RateLimitPolicy)
-			// Override is set -> affected policy is overridden by rlp
-			if kuadrantgatewayapi.IsTargetRefGateway(rlp.GetTargetRef()) && rlp.Spec.Overrides != nil {
-				r.OverriddenPolicyMap.SetOverriddenPolicy(p, []client.ObjectKey{client.ObjectKeyFromObject(rlp)})
-			}
-			_, err := r.reconcileStatus(ctx, p, nil)
-			if err != nil {
-				return err
-			}
+		p := policy.(*kuadrantv1beta2.RateLimitPolicy)
+		// Override is set -> affected policy is Affected by rlp
+		if kuadrantgatewayapi.IsTargetRefGateway(rlp.GetTargetRef()) && rlp.Spec.Overrides != nil {
+			r.AffectedPolicyMap.SetAffectedPolicy(p, []client.ObjectKey{client.ObjectKeyFromObject(rlp)})
+		}
+		_, err := r.reconcileStatus(ctx, p, nil)
+		if err != nil {
+			return err
 		}
 	}
 
@@ -190,27 +188,24 @@ func (r *RateLimitPolicyReconciler) getAffectedPoliciesInfo(rlp *kuadrantv1beta2
 	return affectedPolicies, numUnTargetedRoutes
 }
 
-// applyGatewayOverrides a Gateway RLP can be "overridden" is sense where every underlying route has their own policy
-// and the Gateway RLP does not specify an overrides section
+// applyGatewayOverrides a Gateway RLP is not affected if there is untargetted routes or affects other policies
+// Otherwise, it
 func (r *RateLimitPolicyReconciler) applyGatewayOverrides(logger logr.Logger, rlp *kuadrantv1beta2.RateLimitPolicy, numUnTargetedRoutes int, affectedPolicies []kuadrantgatewayapi.Policy) {
 	if rlp.Spec.Overrides == nil && numUnTargetedRoutes == 0 {
-		r.OverriddenPolicyMap.SetOverriddenPolicy(rlp, utils.Map(affectedPolicies, func(p kuadrantgatewayapi.Policy) client.ObjectKey {
+		r.AffectedPolicyMap.SetAffectedPolicy(rlp, utils.Map(affectedPolicies, func(p kuadrantgatewayapi.Policy) client.ObjectKey {
 			return client.ObjectKeyFromObject(p)
 		}))
 		logger.V(1).Info("policy has no free routes to enforce default policy")
 	} else if rlp.Spec.Overrides != nil && len(affectedPolicies) == 0 && numUnTargetedRoutes == 0 {
-		r.OverriddenPolicyMap.SetOverriddenPolicy(rlp, []client.ObjectKey{})
+		r.AffectedPolicyMap.SetAffectedPolicy(rlp, []client.ObjectKey{})
 		logger.V(1).Info("policy has no free routes to enforce override policy")
 	} else {
-		r.OverriddenPolicyMap.RemoveOverriddenPolicy(rlp)
+		r.AffectedPolicyMap.RemoveAffectedPolicy(rlp)
 	}
 }
 
-func (r *RateLimitPolicyReconciler) applyRouteOverrides(logger logr.Logger, rlp *kuadrantv1beta2.RateLimitPolicy, affectedPolicies []kuadrantgatewayapi.Policy) {
+func (r *RateLimitPolicyReconciler) applyRouteOverrides(logger logr.Logger, rlp *kuadrantv1beta2.RateLimitPolicy, affectedPolicies []kuadrantgatewayapi.Policy) []kuadrantgatewayapi.Policy {
 	filteredPolicies := utils.Filter(affectedPolicies, func(policy kuadrantgatewayapi.Policy) bool {
-		if policy.GetUID() == rlp.GetUID() {
-			return false
-		}
 		return kuadrantgatewayapi.IsTargetRefGateway(policy.GetTargetRef())
 	})
 
@@ -221,10 +216,13 @@ func (r *RateLimitPolicyReconciler) applyRouteOverrides(logger logr.Logger, rlp
 		if p.Spec.Overrides != nil {
 			rlp.Spec.CommonSpec().Limits = p.Spec.Overrides.Limits
 			logger.V(1).Info("applying overrides from parent policy", "parentPolicy", client.ObjectKeyFromObject(p))
-			r.OverriddenPolicyMap.SetOverriddenPolicy(rlp, []client.ObjectKey{client.ObjectKeyFromObject(p)})
+			r.AffectedPolicyMap.SetAffectedPolicy(rlp, []client.ObjectKey{client.ObjectKeyFromObject(p)})
+			break
 		}
-		r.OverriddenPolicyMap.RemoveOverriddenPolicy(rlp)
+		r.AffectedPolicyMap.RemoveAffectedPolicy(rlp)
 	}
+
+	return filteredPolicies
 }
 
 func (r *RateLimitPolicyReconciler) generateTopology(ctx context.Context) (*kuadrantgatewayapi.Topology, error) {

controllers/ratelimitpolicy_status.go

@@ -89,11 +89,11 @@ func (r *RateLimitPolicyReconciler) enforcedCondition(ctx context.Context, polic
 		return kuadrant.EnforcedCondition(policy, kuadrant.NewErrUnknown(policy.Kind(), errors.New("limitador is not ready")), false)
 	}
 
-	if r.OverriddenPolicyMap.IsPolicyOverridden(policy) {
-		if len(r.OverriddenPolicyMap.PolicyOverriddenBy(policy)) == 0 {
+	if r.AffectedPolicyMap.IsPolicyAffected(policy) {
+		if !r.AffectedPolicyMap.IsPolicyOverridden(policy) {
 			return kuadrant.EnforcedCondition(policy, kuadrant.NewErrUnknown(policy.Kind(), errors.New("no free routes to enforce policy")), false) // Maybe this should be a standard condition rather than an unknown condition
 		}
-		return kuadrant.EnforcedCondition(policy, kuadrant.NewErrOverridden(policy.Kind(), r.OverriddenPolicyMap.PolicyOverriddenBy(policy)), false)
+		return kuadrant.EnforcedCondition(policy, kuadrant.NewErrOverridden(policy.Kind(), r.AffectedPolicyMap.PolicyAffectedBy(policy)), false)
 	}
 
 	logger.V(1).Info("RateLimitPolicy is enforced")

controllers/suite_test.go

@@ -147,7 +147,7 @@ var _ = BeforeSuite(func() {
 	err = (&AuthPolicyReconciler{
 		BaseReconciler:      authPolicyBaseReconciler,
 		TargetRefReconciler: reconcilers.TargetRefReconciler{Client: mgr.GetClient()},
-		OverriddenPolicyMap: kuadrant.NewOverriddenPolicyMap(),
+		AffectedPolicyMap:   kuadrant.NewAffectedPolicyMap(),
 	}).SetupWithManager(mgr)
 	Expect(err).NotTo(HaveOccurred())
 
@@ -160,7 +160,7 @@ var _ = BeforeSuite(func() {
 	err = (&RateLimitPolicyReconciler{
 		BaseReconciler:      rateLimitPolicyBaseReconciler,
 		TargetRefReconciler: reconcilers.TargetRefReconciler{Client: mgr.GetClient()},
-		OverriddenPolicyMap: kuadrant.NewOverriddenPolicyMap(),
+		AffectedPolicyMap:   kuadrant.NewAffectedPolicyMap(),
 	}).SetupWithManager(mgr)
 
 	Expect(err).NotTo(HaveOccurred())

main.go

@@ -154,7 +154,7 @@ func main() {
 	if err = (&controllers.RateLimitPolicyReconciler{
 		TargetRefReconciler: reconcilers.TargetRefReconciler{Client: mgr.GetClient()},
 		BaseReconciler:      rateLimitPolicyBaseReconciler,
-		OverriddenPolicyMap: kuadrant.NewOverriddenPolicyMap(),
+		AffectedPolicyMap:   kuadrant.NewAffectedPolicyMap(),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "RateLimitPolicy")
 		os.Exit(1)
@@ -169,7 +169,7 @@ func main() {
 	if err = (&controllers.AuthPolicyReconciler{
 		TargetRefReconciler: reconcilers.TargetRefReconciler{Client: mgr.GetClient()},
 		BaseReconciler:      authPolicyBaseReconciler,
-		OverriddenPolicyMap: kuadrant.NewOverriddenPolicyMap(),
+		AffectedPolicyMap:   kuadrant.NewAffectedPolicyMap(),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "AuthPolicy")
 		os.Exit(1)

pkg/library/kuadrant/apimachinery_status_conditions.go

@@ -22,19 +22,19 @@ const (
 	PolicyReasonUnknown    gatewayapiv1alpha2.PolicyConditionReason = "Unknown"
 )
 
-func NewOverriddenPolicyMap() *OverriddenPolicyMap {
-	return &OverriddenPolicyMap{
+func NewAffectedPolicyMap() *AffectedPolicyMap {
+	return &AffectedPolicyMap{
 		policies: make(map[types.UID][]client.ObjectKey),
 	}
 }
 
-type OverriddenPolicyMap struct {
+type AffectedPolicyMap struct {
 	policies map[types.UID][]client.ObjectKey
 	mu       sync.RWMutex
 }
 
-// SetOverriddenPolicy sets the provided Policy as overridden in the tracking map.
-func (o *OverriddenPolicyMap) SetOverriddenPolicy(p Policy, affectedBy []client.ObjectKey) {
+// SetAffectedPolicy sets the provided Policy as Affected in the tracking map.
+func (o *AffectedPolicyMap) SetAffectedPolicy(p Policy, affectedBy []client.ObjectKey) {
 	o.mu.Lock()
 	defer o.mu.Unlock()
 
@@ -44,21 +44,27 @@ func (o *OverriddenPolicyMap) SetOverriddenPolicy(p Policy, affectedBy []client.
 	o.policies[p.GetUID()] = affectedBy
 }
 
-// RemoveOverriddenPolicy removes the provided Policy from the tracking map of overridden policies.
-func (o *OverriddenPolicyMap) RemoveOverriddenPolicy(p Policy) {
+// RemoveAffectedPolicy removes the provided Policy from the tracking map of Affected policies.
+func (o *AffectedPolicyMap) RemoveAffectedPolicy(p Policy) {
 	o.mu.Lock()
 	defer o.mu.Unlock()
 
 	delete(o.policies, p.GetUID())
 }
 
-// IsPolicyOverridden checks if the provided Policy is overridden based on the tracking map maintained.
-func (o *OverriddenPolicyMap) IsPolicyOverridden(p Policy) bool {
+// IsPolicyAffected checks if the provided Policy is affected based on the tracking map maintained.
+func (o *AffectedPolicyMap) IsPolicyAffected(p Policy) bool {
 	return o.policies[p.GetUID()] != nil
 }
 
-// PolicyOverriddenBy returns the clients keys that a policy is overridden by
-func (o *OverriddenPolicyMap) PolicyOverriddenBy(p Policy) []client.ObjectKey {
+// IsPolicyOverridden checks if the provided Policy is affected based on the tracking map maintained.
+// It is overridden if there is policies affecting it
+func (o *AffectedPolicyMap) IsPolicyOverridden(p Policy) bool {
+	return o.IsPolicyAffected(p) && len(o.policies[p.GetUID()]) > 0
+}
+
+// PolicyAffectedBy returns the clients keys that a policy is Affected by
+func (o *AffectedPolicyMap) PolicyAffectedBy(p Policy) []client.ObjectKey {
 	return o.policies[p.GetUID()]
 }