From 0c8e8c1212b65f4ae31d38b8768618b66c7884a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
 <charled.breteche@gmail.com>
Date: Fri, 18 Mar 2022 16:18:32 +0100
Subject: [PATCH] feat: move GetRules() at the policy level (#3420)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
---
 api/kyverno/v1/clusterpolicy_types.go         |  5 +++++
 api/kyverno/v1/policy_types.go                |  5 +++++
 api/kyverno/v1/rule_test.go                   |  4 ++--
 api/kyverno/v1/spec_types.go                  |  1 +
 pkg/autogen/autogen.go                        |  4 ++--
 pkg/autogen/autogen_test.go                   | 14 ++++++-------
 pkg/compatibility/add_labels.go               |  2 +-
 pkg/engine/forceMutate.go                     |  2 +-
 pkg/engine/generation.go                      |  2 +-
 pkg/engine/imageVerify.go                     |  2 +-
 .../mutate/patch/strategicMergePatch_test.go  |  2 +-
 pkg/engine/mutation.go                        |  2 +-
 pkg/engine/utils_test.go                      |  2 +-
 pkg/engine/validation.go                      |  2 +-
 pkg/generate/cleanup/controller.go            |  2 +-
 pkg/generate/generate.go                      |  2 +-
 pkg/generate/generate_controller.go           |  2 +-
 pkg/kyverno/common/common.go                  | 18 ++++++++---------
 pkg/kyverno/common/fetch.go                   |  4 ++--
 pkg/kyverno/test/test_command.go              |  2 +-
 pkg/metrics/policyruleinfo/policyRuleInfo.go  |  8 ++++----
 pkg/openapi/validation.go                     |  2 +-
 pkg/policy/background.go                      |  2 +-
 pkg/policy/existing.go                        |  2 +-
 pkg/policy/policy_controller.go               | 10 +++++-----
 pkg/policy/validate.go                        |  4 ++--
 pkg/policycache/cache.go                      |  4 ++--
 pkg/policycache/cache_test.go                 | 20 +++++++++----------
 pkg/policymutation/policymutation.go          |  2 +-
 pkg/utils/json.go                             |  2 +-
 pkg/webhookconfig/configmanager.go            |  6 +++---
 pkg/webhooks/common.go                        |  2 +-
 pkg/webhooks/generation.go                    |  2 +-
 33 files changed, 78 insertions(+), 67 deletions(-)

diff --git a/api/kyverno/v1/clusterpolicy_types.go b/api/kyverno/v1/clusterpolicy_types.go
index 5e14dbe1dc..bf39d676f4 100644
--- a/api/kyverno/v1/clusterpolicy_types.go
+++ b/api/kyverno/v1/clusterpolicy_types.go
@@ -30,6 +30,11 @@ type ClusterPolicy struct {
 	Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
 }
 
+// GetRules returns the policy rules
+func (p *ClusterPolicy) GetRules() []Rule {
+	return p.Spec.GetRules()
+}
+
 // HasAutoGenAnnotation checks if a policy has auto-gen annotation
 func (p *ClusterPolicy) HasAutoGenAnnotation() bool {
 	annotations := p.GetAnnotations()
diff --git a/api/kyverno/v1/policy_types.go b/api/kyverno/v1/policy_types.go
index e5a4e9c904..b8c5c814b0 100755
--- a/api/kyverno/v1/policy_types.go
+++ b/api/kyverno/v1/policy_types.go
@@ -31,6 +31,11 @@ type Policy struct {
 	Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
 }
 
+// GetRules returns the policy rules
+func (p *Policy) GetRules() []Rule {
+	return p.Spec.GetRules()
+}
+
 // HasAutoGenAnnotation checks if a policy has auto-gen annotation
 func (p *Policy) HasAutoGenAnnotation() bool {
 	annotations := p.GetAnnotations()
diff --git a/api/kyverno/v1/rule_test.go b/api/kyverno/v1/rule_test.go
index 691101aaff..920815eb40 100644
--- a/api/kyverno/v1/rule_test.go
+++ b/api/kyverno/v1/rule_test.go
@@ -88,7 +88,7 @@ func Test_Validate_RuleType_MultipleRule(t *testing.T) {
 	var policy *ClusterPolicy
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		path := field.NewPath("dummy")
 		errs := rule.Validate(path)
 		assert.Assert(t, len(errs) != 0)
@@ -143,7 +143,7 @@ func Test_Validate_RuleType_SingleRule(t *testing.T) {
 	var policy *ClusterPolicy
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		path := field.NewPath("dummy")
 		errs := rule.Validate(path)
 		assert.Assert(t, len(errs) == 0)
diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go
index 4a600fde87..6d75f097d1 100644
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@@ -48,6 +48,7 @@ type Spec struct {
 	WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
 }
 
+// GetRules returns the spec rules
 func (s *Spec) GetRules() []Rule {
 	return s.Rules
 }
diff --git a/pkg/autogen/autogen.go b/pkg/autogen/autogen.go
index 1b7995d94b..872709b8ea 100644
--- a/pkg/autogen/autogen.go
+++ b/pkg/autogen/autogen.go
@@ -30,7 +30,7 @@ const (
 // - otherwise it returns all pod controllers
 func CanAutoGen(spec *kyverno.Spec, log logr.Logger) (applyAutoGen bool, controllers string) {
 	var needAutogen bool
-	rules := spec.GetRules()
+	rules := spec.Rules
 	for _, rule := range rules {
 		match := rule.MatchResources
 		exclude := rule.ExcludeResources
@@ -166,7 +166,7 @@ func GetControllers(meta metav1.ObjectMeta, spec *kyverno.Spec, log logr.Logger)
 
 // GenerateRulePatches generates rule for podControllers based on scenario A and C
 func GenerateRulePatches(spec *kyverno.Spec, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) {
-	rules := spec.GetRules()
+	rules := spec.Rules
 	insertIdx := len(rules)
 
 	ruleMap := createRuleMap(rules)
diff --git a/pkg/autogen/autogen_test.go b/pkg/autogen/autogen_test.go
index b353126574..31c8c0ef62 100644
--- a/pkg/autogen/autogen_test.go
+++ b/pkg/autogen/autogen_test.go
@@ -260,7 +260,7 @@ func Test_Any(t *testing.T) {
 	}
 
 	policy := policies[0]
-	policy.Spec.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{
+	policy.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{
 		{
 			ResourceDescription: kyverno.ResourceDescription{
 				Kinds: []string{"Pod"},
@@ -298,7 +298,7 @@ func Test_All(t *testing.T) {
 	}
 
 	policy := policies[0]
-	policy.Spec.GetRules()[0].MatchResources.All = kyverno.ResourceFilters{
+	policy.GetRules()[0].MatchResources.All = kyverno.ResourceFilters{
 		{
 			ResourceDescription: kyverno.ResourceDescription{
 				Kinds: []string{"Pod"},
@@ -336,7 +336,7 @@ func Test_Exclude(t *testing.T) {
 	}
 
 	policy := policies[0]
-	policy.Spec.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
+	policy.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
 
 	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	if len(errs) != 0 {
@@ -400,7 +400,7 @@ func Test_ForEachPod(t *testing.T) {
 	}
 
 	policy := policies[0]
-	policy.Spec.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
+	policy.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
 
 	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	if len(errs) != 0 {
@@ -439,10 +439,10 @@ func Test_CronJob_hasExclude(t *testing.T) {
 		kyverno.PodControllersAnnotation: controllers,
 	})
 
-	rule := policy.Spec.GetRules()[0].DeepCopy()
+	rule := policy.GetRules()[0].DeepCopy()
 	rule.ExcludeResources.Kinds = []string{"Pod"}
 	rule.ExcludeResources.Namespaces = []string{"test"}
-	policy.Spec.GetRules()[0] = *rule
+	policy.GetRules()[0] = *rule
 
 	rulePatches, errs := GenerateRulePatches(&policy.Spec, controllers, log.Log)
 	if len(errs) != 0 {
@@ -529,7 +529,7 @@ func Test_Deny(t *testing.T) {
 	}
 
 	policy := policies[0]
-	policy.Spec.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{
+	policy.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{
 		{
 			ResourceDescription: kyverno.ResourceDescription{
 				Kinds: []string{"Pod"},
diff --git a/pkg/compatibility/add_labels.go b/pkg/compatibility/add_labels.go
index 7ecd377d89..ea913d86cf 100644
--- a/pkg/compatibility/add_labels.go
+++ b/pkg/compatibility/add_labels.go
@@ -94,7 +94,7 @@ func AddCloneLabel(client *dclient.Client, pInformer kyvernoinformer.ClusterPoli
 	}
 
 	for _, policy := range policies {
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			if rule.HasGenerate() {
 				clone := rule.Generation.Clone
 				if clone.Name != "" {
diff --git a/pkg/engine/forceMutate.go b/pkg/engine/forceMutate.go
index a7101db229..36eefda6db 100644
--- a/pkg/engine/forceMutate.go
+++ b/pkg/engine/forceMutate.go
@@ -19,7 +19,7 @@ func ForceMutate(ctx *context.Context, policy kyverno.ClusterPolicy, resource un
 		"namespace", resource.GetNamespace(), "name", resource.GetName())
 
 	patchedResource := resource
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if !rule.HasMutate() {
 			continue
 		}
diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go
index 7eca4f7310..b4a9f1d3bf 100644
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@@ -48,7 +48,7 @@ func filterRules(policyContext *PolicyContext, startTime time.Time) *response.En
 		return resp
 	}
 
-	for _, rule := range policyContext.Policy.Spec.GetRules() {
+	for _, rule := range policyContext.Policy.GetRules() {
 		if ruleResp := filterRule(rule, policyContext); ruleResp != nil {
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp)
 		}
diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go
index 7834652048..8d7964931b 100644
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@@ -48,7 +48,7 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe
 		}
 	}
 
-	rules := policyContext.Policy.Spec.GetRules()
+	rules := policyContext.Policy.GetRules()
 	for i := range rules {
 		rule := &rules[i]
 		if len(rule.VerifyImages) == 0 {
diff --git a/pkg/engine/mutate/patch/strategicMergePatch_test.go b/pkg/engine/mutate/patch/strategicMergePatch_test.go
index a8fc68687a..75ab141a92 100644
--- a/pkg/engine/mutate/patch/strategicMergePatch_test.go
+++ b/pkg/engine/mutate/patch/strategicMergePatch_test.go
@@ -242,7 +242,7 @@ func Test_PolicyDeserilize(t *testing.T) {
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	overlayPatches := policy.Spec.GetRules()[0].Mutation.GetPatchStrategicMerge()
+	overlayPatches := policy.GetRules()[0].Mutation.GetPatchStrategicMerge()
 	patchString, err := json.Marshal(overlayPatches)
 	assert.NilError(t, err)
 
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 188764e279..3b663405ae 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -39,7 +39,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 
 	var err error
 
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if !rule.HasMutate() {
 			continue
 		}
diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go
index 77b0ba824c..56e1a85dac 100644
--- a/pkg/engine/utils_test.go
+++ b/pkg/engine/utils_test.go
@@ -897,7 +897,7 @@ func TestMatchesResourceDescription(t *testing.T) {
 		}
 		resource, _ := utils.ConvertToUnstructured(tc.Resource)
 
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			err := MatchesResourceDescription(*resource, rule, tc.AdmissionInfo, []string{}, nil, "")
 			if err != nil {
 				if !tc.areErrorsExpected {
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index a7657a3a31..fbea84969b 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -87,7 +87,7 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
 	ctx.JSONContext.Checkpoint()
 	defer ctx.JSONContext.Restore()
 
-	rules := ctx.Policy.Spec.GetRules()
+	rules := ctx.Policy.GetRules()
 	for i := range rules {
 		rule := &rules[i]
 		if !rule.HasValidate() {
diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go
index aff7c83d69..28d01e243e 100644
--- a/pkg/generate/cleanup/controller.go
+++ b/pkg/generate/cleanup/controller.go
@@ -141,7 +141,7 @@ func (c *Controller) deletePolicy(obj interface{}) {
 	// clean up the GR
 	// Get the corresponding GR
 	// get the list of GR for the current Policy version
-	rules := p.Spec.GetRules()
+	rules := p.GetRules()
 
 	generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(rules, c.client, p.GetName(), logger)
 
diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go
index 1795e08cf3..79cadad5f7 100644
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@@ -259,7 +259,7 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext *engine.
 	// To manage existing resources, we compare the creation time for the default resource to be generated and policy creation time
 
 	ruleNameToProcessingTime := make(map[string]time.Duration)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		var err error
 		if !rule.HasGenerate() {
 			continue
diff --git a/pkg/generate/generate_controller.go b/pkg/generate/generate_controller.go
index acc2199106..cda96cf584 100644
--- a/pkg/generate/generate_controller.go
+++ b/pkg/generate/generate_controller.go
@@ -258,7 +258,7 @@ func (c *Controller) updatePolicy(old, cur interface{}) {
 	}
 
 	var policyHasGenerate bool
-	for _, rule := range curP.Spec.GetRules() {
+	for _, rule := range curP.GetRules() {
 		if rule.HasGenerate() {
 			policyHasGenerate = true
 		}
diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go
index f8ea06e062..dac4d534cb 100644
--- a/pkg/kyverno/common/common.go
+++ b/pkg/kyverno/common/common.go
@@ -471,7 +471,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
 
 	policyWithNamespaceSelector := false
 OuterLoop:
-	for _, p := range policy.Spec.GetRules() {
+	for _, p := range policy.GetRules() {
 		if p.MatchResources.ResourceDescription.NamespaceSelector != nil ||
 			p.ExcludeResources.ResourceDescription.NamespaceSelector != nil {
 			policyWithNamespaceSelector = true
@@ -573,7 +573,7 @@ OuterLoop:
 	}
 
 	var policyHasValidate bool
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.HasValidate() {
 			policyHasValidate = true
 		}
@@ -591,7 +591,7 @@ OuterLoop:
 	}
 
 	var policyHasGenerate bool
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.HasGenerate() {
 			policyHasGenerate = true
 		}
@@ -768,7 +768,7 @@ func GetResourceAccordingToResourcePath(fs billy.Filesystem, resourcePaths []str
 func ProcessValidateEngineResponse(policy *v1.ClusterPolicy, validateResponse *response.EngineResponse, resPath string, rc *ResultCounts, policyReport bool) policyreport.Info {
 	var violatedRules []v1.ViolatedRule
 	printCount := 0
-	for _, policyRule := range policy.Spec.GetRules() {
+	for _, policyRule := range policy.GetRules() {
 		ruleFoundInEngineResponse := false
 		if !policyRule.HasValidate() {
 			continue
@@ -849,7 +849,7 @@ func buildPVInfo(er *response.EngineResponse, violatedRules []v1.ViolatedRule) p
 
 func processGenerateEngineResponse(policy *v1.ClusterPolicy, generateResponse *response.EngineResponse, resPath string, rc *ResultCounts) {
 	printCount := 0
-	for _, policyRule := range policy.Spec.GetRules() {
+	for _, policyRule := range policy.GetRules() {
 		ruleFoundInEngineResponse := false
 		for i, genResponseRule := range generateResponse.PolicyResponse.Rules {
 			if policyRule.Name == genResponseRule.Name {
@@ -877,7 +877,7 @@ func SetInStoreContext(mutatedPolicies []*v1.ClusterPolicy, variables map[string
 	storePolicies := make([]store.Policy, 0)
 	for _, policy := range mutatedPolicies {
 		storeRules := make([]store.Rule, 0)
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			contextVal := make(map[string]string)
 			if len(rule.Context) != 0 {
 				for _, contextVar := range rule.Context {
@@ -909,7 +909,7 @@ func SetInStoreContext(mutatedPolicies []*v1.ClusterPolicy, variables map[string
 
 func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *response.EngineResponse, resPath string, rc *ResultCounts, mutateLogPath string, stdin bool, mutateLogPathIsDir bool, resourceName string, printPatchResource bool) error {
 	var policyHasMutate bool
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.HasMutate() {
 			policyHasMutate = true
 		}
@@ -920,7 +920,7 @@ func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *respo
 
 	printCount := 0
 	printMutatedRes := false
-	for _, policyRule := range policy.Spec.GetRules() {
+	for _, policyRule := range policy.GetRules() {
 		ruleFoundInEngineResponse := false
 		for i, mutateResponseRule := range mutateResponse.PolicyResponse.Rules {
 			if policyRule.Name == mutateResponseRule.Name {
@@ -1019,7 +1019,7 @@ func CheckVariableForPolicy(valuesMap map[string]map[string]Resource, globalValM
 
 func GetKindsFromPolicy(policy *v1.ClusterPolicy) map[string]struct{} {
 	var kindOnwhichPolicyIsApplied = make(map[string]struct{})
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
 			kindOnwhichPolicyIsApplied[kind] = struct{}{}
 		}
diff --git a/pkg/kyverno/common/fetch.go b/pkg/kyverno/common/fetch.go
index a400aa7bdb..e50b4df55f 100644
--- a/pkg/kyverno/common/fetch.go
+++ b/pkg/kyverno/common/fetch.go
@@ -31,7 +31,7 @@ func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
 	var resourceTypes []string
 
 	for _, policy := range policies {
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			resourceTypesInRule := GetKindsFromRule(rule)
 			for resourceKind := range resourceTypesInRule {
 				resourceTypesMap[resourceKind] = true
@@ -120,7 +120,7 @@ func GetResourcesWithTest(fs billy.Filesystem, policies []*v1.ClusterPolicy, res
 	var resourceTypesMap = make(map[string]bool)
 	var resourceTypes []string
 	for _, policy := range policies {
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			for _, kind := range rule.MatchResources.Kinds {
 				resourceTypesMap[kind] = true
 			}
diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go
index 0f8349cc7c..e0e041a0ba 100644
--- a/pkg/kyverno/test/test_command.go
+++ b/pkg/kyverno/test/test_command.go
@@ -789,7 +789,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, isGit bool,
 	for _, p := range filteredPolicies {
 		var filteredRules = []v1.Rule{}
 
-		for _, rule := range p.Spec.GetRules() {
+		for _, rule := range p.GetRules() {
 			for _, res := range values.Results {
 				if rule.Name == res.Rule {
 					filteredRules = append(filteredRules, rule)
diff --git a/pkg/metrics/policyruleinfo/policyRuleInfo.go b/pkg/metrics/policyruleinfo/policyRuleInfo.go
index a376faaa59..3f13b940d0 100644
--- a/pkg/metrics/policyruleinfo/policyRuleInfo.go
+++ b/pkg/metrics/policyruleinfo/policyRuleInfo.go
@@ -73,7 +73,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error {
 		policyName := inputPolicy.ObjectMeta.Name
 		ready := inputPolicy.Status.Ready
 		// registering the metrics on a per-rule basis
-		for _, rule := range inputPolicy.Spec.GetRules() {
+		for _, rule := range inputPolicy.GetRules() {
 			ruleName := rule.Name
 			ruleType := metrics.ParseRuleType(rule)
 
@@ -93,7 +93,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error {
 		policyName := inputPolicy.ObjectMeta.Name
 		ready := inputPolicy.Status.Ready
 		// registering the metrics on a per-rule basis
-		for _, rule := range inputPolicy.Spec.GetRules() {
+		for _, rule := range inputPolicy.GetRules() {
 			ruleName := rule.Name
 			ruleType := metrics.ParseRuleType(rule)
 
@@ -110,7 +110,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error {
 func (pc PromConfig) RemovePolicy(policy interface{}) error {
 	switch inputPolicy := policy.(type) {
 	case *kyverno.ClusterPolicy:
-		for _, rule := range inputPolicy.Spec.GetRules() {
+		for _, rule := range inputPolicy.GetRules() {
 			policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
 			if err != nil {
 				return err
@@ -129,7 +129,7 @@ func (pc PromConfig) RemovePolicy(policy interface{}) error {
 		}
 		return nil
 	case *kyverno.Policy:
-		for _, rule := range inputPolicy.Spec.GetRules() {
+		for _, rule := range inputPolicy.GetRules() {
 			policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
 			if err != nil {
 				return err
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index b3cedabd9c..e0e5d5b3f8 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -138,7 +138,7 @@ func (o *Controller) ValidateResource(patchedResource unstructured.Unstructured,
 // ValidatePolicyMutation ...
 func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 	var kindToRules = make(map[string][]v1.Rule)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.HasMutate() {
 			for _, kind := range rule.MatchResources.Kinds {
 				kindToRules[kind] = append(kindToRules[common.GetFormatedKind(kind)], rule)
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index 040511efb6..f3373d1573 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -19,7 +19,7 @@ func containsUserVariables(policy *kyverno.ClusterPolicy, vars [][]string) error
 			return fmt.Errorf("variable %s is not allowed", s[0])
 		}
 	}
-	rules := policy.Spec.GetRules()
+	rules := policy.GetRules()
 	for idx := range rules {
 		if err := hasUserMatchExclude(idx, &rules[idx]); err != nil {
 			return err
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index e41e4fc7cf..cc21121a95 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -23,7 +23,7 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli
 	// Parse through all the resources drops the cache after configured rebuild time
 	pc.rm.Drop()
 
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if !rule.HasValidate() && !rule.HasVerifyImages() {
 			continue
 		}
diff --git a/pkg/policy/policy_controller.go b/pkg/policy/policy_controller.go
index 2355641262..8cc9905069 100644
--- a/pkg/policy/policy_controller.go
+++ b/pkg/policy/policy_controller.go
@@ -274,7 +274,7 @@ func (pc *PolicyController) deletePolicy(obj interface{}) {
 	// we process policies that are not set of background processing
 	// as we need to clean up GRs when a policy is deleted
 	// skip generate policies with clone
-	rules := p.Spec.GetRules()
+	rules := p.GetRules()
 
 	generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(rules, pc.client, p.GetName(), logger)
 
@@ -380,11 +380,11 @@ func (pc *PolicyController) deleteNsPolicy(obj interface{}) {
 
 func (pc *PolicyController) enqueueRCRDeletedRule(old, cur *kyverno.ClusterPolicy) {
 	curRule := make(map[string]bool)
-	for _, rule := range cur.Spec.GetRules() {
+	for _, rule := range cur.GetRules() {
 		curRule[rule.Name] = true
 	}
 
-	for _, rule := range old.Spec.GetRules() {
+	for _, rule := range old.GetRules() {
 		if !curRule[rule.Name] {
 			pc.prGenerator.Add(policyreport.Info{
 				PolicyName: cur.GetName(),
@@ -569,7 +569,7 @@ func missingAutoGenRules(policy *kyverno.ClusterPolicy, log logr.Logger) bool {
 	var podRuleName []string
 	ruleCount := 1
 	if canApplyAutoGen, _ := autogen.CanAutoGen(&policy.Spec, log); canApplyAutoGen {
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			podRuleName = append(podRuleName, rule.Name)
 		}
 	}
@@ -596,7 +596,7 @@ func missingAutoGenRules(policy *kyverno.ClusterPolicy, log logr.Logger) bool {
 			}
 		}
 
-		if len(policy.Spec.GetRules()) != (ruleCount * len(podRuleName)) {
+		if len(policy.GetRules()) != (ruleCount * len(podRuleName)) {
 			return true
 		}
 	}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index eadcf66938..c8a4b7e9a3 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -127,7 +127,7 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 			clusterResources = append(clusterResources, k)
 		}
 	}
-	rules := policy.Spec.GetRules()
+	rules := policy.GetRules()
 	rulesPath := specPath.Child("rules")
 	for i, rule := range rules {
 		rulePath := rulesPath.Index(i)
@@ -385,7 +385,7 @@ func ValidateVariables(p *kyverno.ClusterPolicy, backgroundMode bool) error {
 
 // hasInvalidVariables - checks for unexpected variables in the policy
 func hasInvalidVariables(policy *kyverno.ClusterPolicy, background bool) error {
-	for _, r := range policy.Spec.GetRules() {
+	for _, r := range policy.GetRules() {
 		ruleCopy := r.DeepCopy()
 
 		if err := ruleForbiddenSectionsHaveVariables(ruleCopy); err != nil {
diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go
index 26df86e6ba..561bd51145 100644
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@@ -124,7 +124,7 @@ func (m *pMap) add(policy *kyverno.ClusterPolicy) {
 		pName = pSpace + "/" + pName
 	}
 
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 
 		if len(rule.MatchResources.Any) > 0 {
 			for _, rmr := range rule.MatchResources.Any {
@@ -230,7 +230,7 @@ func (m *pMap) remove(policy *kyverno.ClusterPolicy) {
 		pName = pSpace + "/" + pName
 	}
 
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if len(rule.MatchResources.Any) > 0 {
 			for _, rmr := range rule.MatchResources.Any {
 				removeCacheHelper(rmr, m, pName)
diff --git a/pkg/policycache/cache_test.go b/pkg/policycache/cache_test.go
index ccdcbd3606..36e6d03922 100644
--- a/pkg/policycache/cache_test.go
+++ b/pkg/policycache/cache_test.go
@@ -49,7 +49,7 @@ func Test_All(t *testing.T) {
 	policy := newPolicy(t)
 	//add
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 
 			// get
@@ -82,7 +82,7 @@ func Test_Add_Duplicate_Policy(t *testing.T) {
 	pCache.Add(policy)
 	pCache.Add(policy)
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 
 			mutate := pCache.get(Mutate, kind, "")
@@ -111,7 +111,7 @@ func Test_Add_Validate_Audit(t *testing.T) {
 	policy.Spec.ValidationFailureAction = "audit"
 	pCache.Add(policy)
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 
 			validateEnforce := pCache.get(ValidateEnforce, kind, "")
@@ -930,7 +930,7 @@ func Test_Ns_All(t *testing.T) {
 	//add
 	pCache.Add(policy)
 	nspace := policy.GetNamespace()
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 
 			// get
@@ -963,7 +963,7 @@ func Test_Ns_Add_Duplicate_Policy(t *testing.T) {
 	pCache.Add(policy)
 	pCache.Add(policy)
 	nspace := policy.GetNamespace()
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 
 			mutate := pCache.get(Mutate, kind, nspace)
@@ -992,7 +992,7 @@ func Test_Ns_Add_Validate_Audit(t *testing.T) {
 	policy.Spec.ValidationFailureAction = "audit"
 	pCache.Add(policy)
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 
 			validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
@@ -1031,7 +1031,7 @@ func Test_GVk_Cache(t *testing.T) {
 	policy := newGVKPolicy(t)
 	//add
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 
 			generate := pCache.get(Generate, kind, "")
@@ -1065,7 +1065,7 @@ func Test_Add_Validate_Enforce(t *testing.T) {
 	nspace := policy.GetNamespace()
 	//add
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
 			if len(validateEnforce) != 1 {
@@ -1100,7 +1100,7 @@ func Test_Mutate_Policy(t *testing.T) {
 	pCache.Add(policy)
 	pCache.Add(policy)
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 
 			// get
@@ -1117,7 +1117,7 @@ func Test_Generate_Policy(t *testing.T) {
 	policy := newgenratePolicy(t)
 	//add
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 
 			// get
diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go
index 005f90d5b7..17af444c17 100644
--- a/pkg/policymutation/policymutation.go
+++ b/pkg/policymutation/policymutation.go
@@ -65,7 +65,7 @@ func GenerateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, autogenIntern
 
 func checkForGVKFormatPatch(policy *kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) {
 	patches = make([][]byte, 0)
-	for i, rule := range policy.Spec.GetRules() {
+	for i, rule := range policy.GetRules() {
 		patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/match/resources/kinds", strconv.Itoa(i)), rule.MatchResources.Kinds, log)
 		if err == nil && patchByte != nil {
 			patches = append(patches, patchByte)
diff --git a/pkg/utils/json.go b/pkg/utils/json.go
index 81a97e66e4..d7eeaba328 100644
--- a/pkg/utils/json.go
+++ b/pkg/utils/json.go
@@ -31,7 +31,7 @@ func JoinPatches(patches [][]byte) []byte {
 // TODO This needs to be removed. A simpler way to encode and decode Policy is needed.
 func MarshalPolicy(policy v1.ClusterPolicy) []byte {
 	var rules []interface{}
-	policyRules := policy.Spec.GetRules()
+	policyRules := policy.GetRules()
 	rulesRaw, _ := json.Marshal(policyRules)
 	_ = json.Unmarshal(rulesRaw, &rules)
 	for i, r := range rules {
diff --git a/pkg/webhookconfig/configmanager.go b/pkg/webhookconfig/configmanager.go
index 90d1d50e88..13fd0ed9d3 100644
--- a/pkg/webhookconfig/configmanager.go
+++ b/pkg/webhookconfig/configmanager.go
@@ -700,7 +700,7 @@ func (m *webhookConfigManager) updateStatus(policy *kyverno.ClusterPolicy, statu
 // mergeWebhook merges the matching kinds of the policy to webhook.rule
 func (m *webhookConfigManager) mergeWebhook(dst *webhook, policy *kyverno.ClusterPolicy, updateValidate bool) {
 	matchedGVK := make([]string, 0)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		// matching kinds in generate policies need to be added to both webhook
 		if rule.HasGenerate() {
 			matchedGVK = append(matchedGVK, rule.MatchKinds()...)
@@ -811,7 +811,7 @@ func webhookKey(webhookKind, failurePolicy string) string {
 
 func hasWildcard(policy interface{}) bool {
 	if p, ok := policy.(*kyverno.ClusterPolicy); ok {
-		for _, rule := range p.Spec.GetRules() {
+		for _, rule := range p.GetRules() {
 			if kinds := rule.MatchKinds(); utils.ContainsString(kinds, "*") {
 				return true
 			}
@@ -819,7 +819,7 @@ func hasWildcard(policy interface{}) bool {
 	}
 
 	if p, ok := policy.(*kyverno.Policy); ok {
-		for _, rule := range p.Spec.GetRules() {
+		for _, rule := range p.GetRules() {
 			if kinds := rule.MatchKinds(); utils.ContainsString(kinds, "*") {
 				return true
 			}
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index 4d919e4cb3..2b7793d085 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -143,7 +143,7 @@ func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger)
 func containsRBACInfo(policies ...[]*kyverno.ClusterPolicy) bool {
 	for _, policySlice := range policies {
 		for _, policy := range policySlice {
-			for _, rule := range policy.Spec.GetRules() {
+			for _, rule := range policy.GetRules() {
 				if checkForRBACInfo(rule) {
 					return true
 				}
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 2b7a8039b3..82c2b08cef 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -234,7 +234,7 @@ func (ws *WebhookServer) handleUpdateGenerateTargetResource(request *v1beta1.Adm
 		return
 	}
 
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.Generation.Kind == targetSourceKind && rule.Generation.Name == targetSourceName {
 			updatedRule, err := getGeneratedByResource(newRes, resLabels, ws.client, rule, logger)
 			if err != nil {