feat: move GetRules() at the policy level (#3420)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2022-03-18 16:18:32 +01:00 · 2022-03-18 16:18:32 +01:00 · 0c8e8c1212
commit 0c8e8c1212
parent 30261b5235
33 changed files with 78 additions and 67 deletions
--- a/api/kyverno/v1/clusterpolicy_types.go
+++ b/api/kyverno/v1/clusterpolicy_types.go
@ -30,6 +30,11 @@ type ClusterPolicy struct {
 	Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
 }
 // GetRules returns the policy rules
 func (p *ClusterPolicy) GetRules() []Rule {
 	return p.Spec.GetRules()
 }
 // HasAutoGenAnnotation checks if a policy has auto-gen annotation
 func (p *ClusterPolicy) HasAutoGenAnnotation() bool {
 	annotations := p.GetAnnotations()
--- a/api/kyverno/v1/policy_types.go
+++ b/api/kyverno/v1/policy_types.go
@ -31,6 +31,11 @@ type Policy struct {
 	Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
 }
 // GetRules returns the policy rules
 func (p *Policy) GetRules() []Rule {
 	return p.Spec.GetRules()
 }
 // HasAutoGenAnnotation checks if a policy has auto-gen annotation
 func (p *Policy) HasAutoGenAnnotation() bool {
 	annotations := p.GetAnnotations()
--- a/api/kyverno/v1/rule_test.go
+++ b/api/kyverno/v1/rule_test.go
@ -88,7 +88,7 @@ func Test_Validate_RuleType_MultipleRule(t *testing.T) {
 	var policy *ClusterPolicy
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		path := field.NewPath("dummy")
 		errs := rule.Validate(path)
 		assert.Assert(t, len(errs) != 0)
@ -143,7 +143,7 @@ func Test_Validate_RuleType_SingleRule(t *testing.T) {
 	var policy *ClusterPolicy
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		path := field.NewPath("dummy")
 		errs := rule.Validate(path)
 		assert.Assert(t, len(errs) == 0)
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@ -48,6 +48,7 @@ type Spec struct {
 	WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
 }
 // GetRules returns the spec rules
 func (s *Spec) GetRules() []Rule {
 	return s.Rules
 }
--- a/pkg/autogen/autogen.go
+++ b/pkg/autogen/autogen.go
@ -30,7 +30,7 @@ const (
 // - otherwise it returns all pod controllers
 func CanAutoGen(spec *kyverno.Spec, log logr.Logger) (applyAutoGen bool, controllers string) {
 	var needAutogen bool
-	rules := spec.GetRules()
+	rules := spec.Rules
 	for _, rule := range rules {
 		match := rule.MatchResources
 		exclude := rule.ExcludeResources
@ -166,7 +166,7 @@ func GetControllers(meta metav1.ObjectMeta, spec *kyverno.Spec, log logr.Logger)
 // GenerateRulePatches generates rule for podControllers based on scenario A and C
 func GenerateRulePatches(spec *kyverno.Spec, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) {
-	rules := spec.GetRules()
+	rules := spec.Rules
 	insertIdx := len(rules)
 	ruleMap := createRuleMap(rules)
--- a/pkg/autogen/autogen_test.go
+++ b/pkg/autogen/autogen_test.go
@ -260,7 +260,7 @@ func Test_Any(t *testing.T) {
 	}
 	policy := policies[0]
-	policy.Spec.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{
+	policy.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{
 		{
 			ResourceDescription: kyverno.ResourceDescription{
 				Kinds: []string{"Pod"},
@ -298,7 +298,7 @@ func Test_All(t *testing.T) {
 	}
 	policy := policies[0]
-	policy.Spec.GetRules()[0].MatchResources.All = kyverno.ResourceFilters{
+	policy.GetRules()[0].MatchResources.All = kyverno.ResourceFilters{
 		{
 			ResourceDescription: kyverno.ResourceDescription{
 				Kinds: []string{"Pod"},
@ -336,7 +336,7 @@ func Test_Exclude(t *testing.T) {
 	}
 	policy := policies[0]
-	policy.Spec.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
+	policy.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
 	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	if len(errs) != 0 {
@ -400,7 +400,7 @@ func Test_ForEachPod(t *testing.T) {
 	}
 	policy := policies[0]
-	policy.Spec.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
+	policy.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
 	rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log)
 	if len(errs) != 0 {
@ -439,10 +439,10 @@ func Test_CronJob_hasExclude(t *testing.T) {
 		kyverno.PodControllersAnnotation: controllers,
 	})
-	rule := policy.Spec.GetRules()[0].DeepCopy()
+	rule := policy.GetRules()[0].DeepCopy()
 	rule.ExcludeResources.Kinds = []string{"Pod"}
 	rule.ExcludeResources.Namespaces = []string{"test"}
-	policy.Spec.GetRules()[0] = *rule
+	policy.GetRules()[0] = *rule
 	rulePatches, errs := GenerateRulePatches(&policy.Spec, controllers, log.Log)
 	if len(errs) != 0 {
@ -529,7 +529,7 @@ func Test_Deny(t *testing.T) {
 	}
 	policy := policies[0]
-	policy.Spec.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{
+	policy.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{
 		{
 			ResourceDescription: kyverno.ResourceDescription{
 				Kinds: []string{"Pod"},
--- a/pkg/compatibility/add_labels.go
+++ b/pkg/compatibility/add_labels.go
@ -94,7 +94,7 @@ func AddCloneLabel(client *dclient.Client, pInformer kyvernoinformer.ClusterPoli
 	}
 	for _, policy := range policies {
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			if rule.HasGenerate() {
 				clone := rule.Generation.Clone
 				if clone.Name != "" {
--- a/pkg/engine/forceMutate.go
+++ b/pkg/engine/forceMutate.go
@ -19,7 +19,7 @@ func ForceMutate(ctx *context.Context, policy kyverno.ClusterPolicy, resource un
 		"namespace", resource.GetNamespace(), "name", resource.GetName())
 	patchedResource := resource
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if !rule.HasMutate() {
 			continue
 		}
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@ -48,7 +48,7 @@ func filterRules(policyContext *PolicyContext, startTime time.Time) *response.En
 		return resp
 	}
-	for _, rule := range policyContext.Policy.Spec.GetRules() {
+	for _, rule := range policyContext.Policy.GetRules() {
 		if ruleResp := filterRule(rule, policyContext); ruleResp != nil {
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp)
 		}
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@ -48,7 +48,7 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe
 		}
 	}
-	rules := policyContext.Policy.Spec.GetRules()
+	rules := policyContext.Policy.GetRules()
 	for i := range rules {
 		rule := &rules[i]
 		if len(rule.VerifyImages) == 0 {
--- a/pkg/engine/mutate/patch/strategicMergePatch_test.go
+++ b/pkg/engine/mutate/patch/strategicMergePatch_test.go
@ -242,7 +242,7 @@ func Test_PolicyDeserilize(t *testing.T) {
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
-	overlayPatches := policy.Spec.GetRules()[0].Mutation.GetPatchStrategicMerge()
+	overlayPatches := policy.GetRules()[0].Mutation.GetPatchStrategicMerge()
 	patchString, err := json.Marshal(overlayPatches)
 	assert.NilError(t, err)
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -39,7 +39,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 	var err error
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if !rule.HasMutate() {
 			continue
 		}
--- a/pkg/engine/utils_test.go
+++ b/pkg/engine/utils_test.go
@ -897,7 +897,7 @@ func TestMatchesResourceDescription(t *testing.T) {
 		}
 		resource, _ := utils.ConvertToUnstructured(tc.Resource)
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			err := MatchesResourceDescription(*resource, rule, tc.AdmissionInfo, []string{}, nil, "")
 			if err != nil {
 				if !tc.areErrorsExpected {
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -87,7 +87,7 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
 	ctx.JSONContext.Checkpoint()
 	defer ctx.JSONContext.Restore()
-	rules := ctx.Policy.Spec.GetRules()
+	rules := ctx.Policy.GetRules()
 	for i := range rules {
 		rule := &rules[i]
 		if !rule.HasValidate() {
--- a/pkg/generate/cleanup/controller.go
+++ b/pkg/generate/cleanup/controller.go
@ -141,7 +141,7 @@ func (c *Controller) deletePolicy(obj interface{}) {
 	// clean up the GR
 	// Get the corresponding GR
 	// get the list of GR for the current Policy version
-	rules := p.Spec.GetRules()
+	rules := p.GetRules()
 	generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(rules, c.client, p.GetName(), logger)
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@ -259,7 +259,7 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext *engine.
 	// To manage existing resources, we compare the creation time for the default resource to be generated and policy creation time
 	ruleNameToProcessingTime := make(map[string]time.Duration)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		var err error
 		if !rule.HasGenerate() {
 			continue
--- a/pkg/generate/generate_controller.go
+++ b/pkg/generate/generate_controller.go
@ -258,7 +258,7 @@ func (c *Controller) updatePolicy(old, cur interface{}) {
 	}
 	var policyHasGenerate bool
-	for _, rule := range curP.Spec.GetRules() {
+	for _, rule := range curP.GetRules() {
 		if rule.HasGenerate() {
 			policyHasGenerate = true
 		}
--- a/pkg/kyverno/common/common.go
+++ b/pkg/kyverno/common/common.go
@ -471,7 +471,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
 	policyWithNamespaceSelector := false
 OuterLoop:
-	for _, p := range policy.Spec.GetRules() {
+	for _, p := range policy.GetRules() {
 		if p.MatchResources.ResourceDescription.NamespaceSelector != nil ||
 			p.ExcludeResources.ResourceDescription.NamespaceSelector != nil {
 			policyWithNamespaceSelector = true
@ -573,7 +573,7 @@ OuterLoop:
 	}
 	var policyHasValidate bool
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.HasValidate() {
 			policyHasValidate = true
 		}
@ -591,7 +591,7 @@ OuterLoop:
 	}
 	var policyHasGenerate bool
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.HasGenerate() {
 			policyHasGenerate = true
 		}
@ -768,7 +768,7 @@ func GetResourceAccordingToResourcePath(fs billy.Filesystem, resourcePaths []str
 func ProcessValidateEngineResponse(policy *v1.ClusterPolicy, validateResponse *response.EngineResponse, resPath string, rc *ResultCounts, policyReport bool) policyreport.Info {
 	var violatedRules []v1.ViolatedRule
 	printCount := 0
-	for _, policyRule := range policy.Spec.GetRules() {
+	for _, policyRule := range policy.GetRules() {
 		ruleFoundInEngineResponse := false
 		if !policyRule.HasValidate() {
 			continue
@ -849,7 +849,7 @@ func buildPVInfo(er *response.EngineResponse, violatedRules []v1.ViolatedRule) p
 func processGenerateEngineResponse(policy *v1.ClusterPolicy, generateResponse *response.EngineResponse, resPath string, rc *ResultCounts) {
 	printCount := 0
-	for _, policyRule := range policy.Spec.GetRules() {
+	for _, policyRule := range policy.GetRules() {
 		ruleFoundInEngineResponse := false
 		for i, genResponseRule := range generateResponse.PolicyResponse.Rules {
 			if policyRule.Name == genResponseRule.Name {
@ -877,7 +877,7 @@ func SetInStoreContext(mutatedPolicies []*v1.ClusterPolicy, variables map[string
 	storePolicies := make([]store.Policy, 0)
 	for _, policy := range mutatedPolicies {
 		storeRules := make([]store.Rule, 0)
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			contextVal := make(map[string]string)
 			if len(rule.Context) != 0 {
 				for _, contextVar := range rule.Context {
@ -909,7 +909,7 @@ func SetInStoreContext(mutatedPolicies []*v1.ClusterPolicy, variables map[string
 func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *response.EngineResponse, resPath string, rc *ResultCounts, mutateLogPath string, stdin bool, mutateLogPathIsDir bool, resourceName string, printPatchResource bool) error {
 	var policyHasMutate bool
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.HasMutate() {
 			policyHasMutate = true
 		}
@ -920,7 +920,7 @@ func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *respo
 	printCount := 0
 	printMutatedRes := false
-	for _, policyRule := range policy.Spec.GetRules() {
+	for _, policyRule := range policy.GetRules() {
 		ruleFoundInEngineResponse := false
 		for i, mutateResponseRule := range mutateResponse.PolicyResponse.Rules {
 			if policyRule.Name == mutateResponseRule.Name {
@ -1019,7 +1019,7 @@ func CheckVariableForPolicy(valuesMap map[string]map[string]Resource, globalValM
 func GetKindsFromPolicy(policy *v1.ClusterPolicy) map[string]struct{} {
 	var kindOnwhichPolicyIsApplied = make(map[string]struct{})
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
 			kindOnwhichPolicyIsApplied[kind] = struct{}{}
 		}
--- a/pkg/kyverno/common/fetch.go
+++ b/pkg/kyverno/common/fetch.go
@ -31,7 +31,7 @@ func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
 	var resourceTypes []string
 	for _, policy := range policies {
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			resourceTypesInRule := GetKindsFromRule(rule)
 			for resourceKind := range resourceTypesInRule {
 				resourceTypesMap[resourceKind] = true
@ -120,7 +120,7 @@ func GetResourcesWithTest(fs billy.Filesystem, policies []*v1.ClusterPolicy, res
 	var resourceTypesMap = make(map[string]bool)
 	var resourceTypes []string
 	for _, policy := range policies {
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			for _, kind := range rule.MatchResources.Kinds {
 				resourceTypesMap[kind] = true
 			}
--- a/pkg/kyverno/test/test_command.go
+++ b/pkg/kyverno/test/test_command.go
@ -789,7 +789,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, isGit bool,
 	for _, p := range filteredPolicies {
 		var filteredRules = []v1.Rule{}
-		for _, rule := range p.Spec.GetRules() {
+		for _, rule := range p.GetRules() {
 			for _, res := range values.Results {
 				if rule.Name == res.Rule {
 					filteredRules = append(filteredRules, rule)
--- a/pkg/metrics/policyruleinfo/policyRuleInfo.go
+++ b/pkg/metrics/policyruleinfo/policyRuleInfo.go
@ -73,7 +73,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error {
 		policyName := inputPolicy.ObjectMeta.Name
 		ready := inputPolicy.Status.Ready
 		// registering the metrics on a per-rule basis
-		for _, rule := range inputPolicy.Spec.GetRules() {
+		for _, rule := range inputPolicy.GetRules() {
 			ruleName := rule.Name
 			ruleType := metrics.ParseRuleType(rule)
@ -93,7 +93,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error {
 		policyName := inputPolicy.ObjectMeta.Name
 		ready := inputPolicy.Status.Ready
 		// registering the metrics on a per-rule basis
-		for _, rule := range inputPolicy.Spec.GetRules() {
+		for _, rule := range inputPolicy.GetRules() {
 			ruleName := rule.Name
 			ruleType := metrics.ParseRuleType(rule)
@ -110,7 +110,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error {
 func (pc PromConfig) RemovePolicy(policy interface{}) error {
 	switch inputPolicy := policy.(type) {
 	case *kyverno.ClusterPolicy:
-		for _, rule := range inputPolicy.Spec.GetRules() {
+		for _, rule := range inputPolicy.GetRules() {
 			policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
 			if err != nil {
 				return err
@ -129,7 +129,7 @@ func (pc PromConfig) RemovePolicy(policy interface{}) error {
 		}
 		return nil
 	case *kyverno.Policy:
-		for _, rule := range inputPolicy.Spec.GetRules() {
+		for _, rule := range inputPolicy.GetRules() {
 			policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
 			if err != nil {
 				return err
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@ -138,7 +138,7 @@ func (o *Controller) ValidateResource(patchedResource unstructured.Unstructured,
 // ValidatePolicyMutation ...
 func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 	var kindToRules = make(map[string][]v1.Rule)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.HasMutate() {
 			for _, kind := range rule.MatchResources.Kinds {
 				kindToRules[kind] = append(kindToRules[common.GetFormatedKind(kind)], rule)
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@ -19,7 +19,7 @@ func containsUserVariables(policy *kyverno.ClusterPolicy, vars [][]string) error
 			return fmt.Errorf("variable %s is not allowed", s[0])
 		}
 	}
-	rules := policy.Spec.GetRules()
+	rules := policy.GetRules()
 	for idx := range rules {
 		if err := hasUserMatchExclude(idx, &rules[idx]); err != nil {
 			return err
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@ -23,7 +23,7 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli
 	// Parse through all the resources drops the cache after configured rebuild time
 	pc.rm.Drop()
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if !rule.HasValidate() && !rule.HasVerifyImages() {
 			continue
 		}
--- a/pkg/policy/policy_controller.go
+++ b/pkg/policy/policy_controller.go
@ -274,7 +274,7 @@ func (pc *PolicyController) deletePolicy(obj interface{}) {
 	// we process policies that are not set of background processing
 	// as we need to clean up GRs when a policy is deleted
 	// skip generate policies with clone
-	rules := p.Spec.GetRules()
+	rules := p.GetRules()
 	generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(rules, pc.client, p.GetName(), logger)
@ -380,11 +380,11 @@ func (pc *PolicyController) deleteNsPolicy(obj interface{}) {
 func (pc *PolicyController) enqueueRCRDeletedRule(old, cur *kyverno.ClusterPolicy) {
 	curRule := make(map[string]bool)
-	for _, rule := range cur.Spec.GetRules() {
+	for _, rule := range cur.GetRules() {
 		curRule[rule.Name] = true
 	}
-	for _, rule := range old.Spec.GetRules() {
+	for _, rule := range old.GetRules() {
 		if !curRule[rule.Name] {
 			pc.prGenerator.Add(policyreport.Info{
 				PolicyName: cur.GetName(),
@ -569,7 +569,7 @@ func missingAutoGenRules(policy *kyverno.ClusterPolicy, log logr.Logger) bool {
 	var podRuleName []string
 	ruleCount := 1
 	if canApplyAutoGen, _ := autogen.CanAutoGen(&policy.Spec, log); canApplyAutoGen {
-		for _, rule := range policy.Spec.GetRules() {
+		for _, rule := range policy.GetRules() {
 			podRuleName = append(podRuleName, rule.Name)
 		}
 	}
@ -596,7 +596,7 @@ func missingAutoGenRules(policy *kyverno.ClusterPolicy, log logr.Logger) bool {
 			}
 		}
-		if len(policy.Spec.GetRules()) != (ruleCount * len(podRuleName)) {
+		if len(policy.GetRules()) != (ruleCount * len(podRuleName)) {
 			return true
 		}
 	}
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -127,7 +127,7 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 			clusterResources = append(clusterResources, k)
 		}
 	}
-	rules := policy.Spec.GetRules()
+	rules := policy.GetRules()
 	rulesPath := specPath.Child("rules")
 	for i, rule := range rules {
 		rulePath := rulesPath.Index(i)
@ -385,7 +385,7 @@ func ValidateVariables(p *kyverno.ClusterPolicy, backgroundMode bool) error {
 // hasInvalidVariables - checks for unexpected variables in the policy
 func hasInvalidVariables(policy *kyverno.ClusterPolicy, background bool) error {
-	for _, r := range policy.Spec.GetRules() {
+	for _, r := range policy.GetRules() {
 		ruleCopy := r.DeepCopy()
 		if err := ruleForbiddenSectionsHaveVariables(ruleCopy); err != nil {
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@ -124,7 +124,7 @@ func (m *pMap) add(policy *kyverno.ClusterPolicy) {
 		pName = pSpace + "/" + pName
 	}
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if len(rule.MatchResources.Any) > 0 {
 			for _, rmr := range rule.MatchResources.Any {
@ -230,7 +230,7 @@ func (m *pMap) remove(policy *kyverno.ClusterPolicy) {
 		pName = pSpace + "/" + pName
 	}
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if len(rule.MatchResources.Any) > 0 {
 			for _, rmr := range rule.MatchResources.Any {
 				removeCacheHelper(rmr, m, pName)
--- a/pkg/policycache/cache_test.go
+++ b/pkg/policycache/cache_test.go
@ -49,7 +49,7 @@ func Test_All(t *testing.T) {
 	policy := newPolicy(t)
 	//add
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			// get
@ -82,7 +82,7 @@ func Test_Add_Duplicate_Policy(t *testing.T) {
 	pCache.Add(policy)
 	pCache.Add(policy)
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			mutate := pCache.get(Mutate, kind, "")
@ -111,7 +111,7 @@ func Test_Add_Validate_Audit(t *testing.T) {
 	policy.Spec.ValidationFailureAction = "audit"
 	pCache.Add(policy)
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			validateEnforce := pCache.get(ValidateEnforce, kind, "")
@ -930,7 +930,7 @@ func Test_Ns_All(t *testing.T) {
 	//add
 	pCache.Add(policy)
 	nspace := policy.GetNamespace()
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			// get
@ -963,7 +963,7 @@ func Test_Ns_Add_Duplicate_Policy(t *testing.T) {
 	pCache.Add(policy)
 	pCache.Add(policy)
 	nspace := policy.GetNamespace()
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			mutate := pCache.get(Mutate, kind, nspace)
@ -992,7 +992,7 @@ func Test_Ns_Add_Validate_Audit(t *testing.T) {
 	policy.Spec.ValidationFailureAction = "audit"
 	pCache.Add(policy)
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
@ -1031,7 +1031,7 @@ func Test_GVk_Cache(t *testing.T) {
 	policy := newGVKPolicy(t)
 	//add
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			generate := pCache.get(Generate, kind, "")
@ -1065,7 +1065,7 @@ func Test_Add_Validate_Enforce(t *testing.T) {
 	nspace := policy.GetNamespace()
 	//add
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
 			if len(validateEnforce) != 1 {
@ -1100,7 +1100,7 @@ func Test_Mutate_Policy(t *testing.T) {
 	pCache.Add(policy)
 	pCache.Add(policy)
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			// get
@ -1117,7 +1117,7 @@ func Test_Generate_Policy(t *testing.T) {
 	policy := newgenratePolicy(t)
 	//add
 	pCache.Add(policy)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		for _, kind := range rule.MatchResources.Kinds {
 			// get
--- a/pkg/policymutation/policymutation.go
+++ b/pkg/policymutation/policymutation.go
@ -65,7 +65,7 @@ func GenerateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, autogenIntern
 func checkForGVKFormatPatch(policy *kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) {
 	patches = make([][]byte, 0)
-	for i, rule := range policy.Spec.GetRules() {
+	for i, rule := range policy.GetRules() {
 		patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/match/resources/kinds", strconv.Itoa(i)), rule.MatchResources.Kinds, log)
 		if err == nil && patchByte != nil {
 			patches = append(patches, patchByte)
--- a/pkg/utils/json.go
+++ b/pkg/utils/json.go
@ -31,7 +31,7 @@ func JoinPatches(patches [][]byte) []byte {
 // TODO This needs to be removed. A simpler way to encode and decode Policy is needed.
 func MarshalPolicy(policy v1.ClusterPolicy) []byte {
 	var rules []interface{}
-	policyRules := policy.Spec.GetRules()
+	policyRules := policy.GetRules()
 	rulesRaw, _ := json.Marshal(policyRules)
 	_ = json.Unmarshal(rulesRaw, &rules)
 	for i, r := range rules {
--- a/pkg/webhookconfig/configmanager.go
+++ b/pkg/webhookconfig/configmanager.go
@ -700,7 +700,7 @@ func (m *webhookConfigManager) updateStatus(policy *kyverno.ClusterPolicy, statu
 // mergeWebhook merges the matching kinds of the policy to webhook.rule
 func (m *webhookConfigManager) mergeWebhook(dst *webhook, policy *kyverno.ClusterPolicy, updateValidate bool) {
 	matchedGVK := make([]string, 0)
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		// matching kinds in generate policies need to be added to both webhook
 		if rule.HasGenerate() {
 			matchedGVK = append(matchedGVK, rule.MatchKinds()...)
@ -811,7 +811,7 @@ func webhookKey(webhookKind, failurePolicy string) string {
 func hasWildcard(policy interface{}) bool {
 	if p, ok := policy.(*kyverno.ClusterPolicy); ok {
-		for _, rule := range p.Spec.GetRules() {
+		for _, rule := range p.GetRules() {
 			if kinds := rule.MatchKinds(); utils.ContainsString(kinds, "*") {
 				return true
 			}
@ -819,7 +819,7 @@ func hasWildcard(policy interface{}) bool {
 	}
 	if p, ok := policy.(*kyverno.Policy); ok {
-		for _, rule := range p.Spec.GetRules() {
+		for _, rule := range p.GetRules() {
 			if kinds := rule.MatchKinds(); utils.ContainsString(kinds, "*") {
 				return true
 			}
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@ -143,7 +143,7 @@ func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger)
 func containsRBACInfo(policies ...[]*kyverno.ClusterPolicy) bool {
 	for _, policySlice := range policies {
 		for _, policy := range policySlice {
-			for _, rule := range policy.Spec.GetRules() {
+			for _, rule := range policy.GetRules() {
 				if checkForRBACInfo(rule) {
 					return true
 				}
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@ -234,7 +234,7 @@ func (ws *WebhookServer) handleUpdateGenerateTargetResource(request *v1beta1.Adm
 		return
 	}
-	for _, rule := range policy.Spec.GetRules() {
+	for _, rule := range policy.GetRules() {
 		if rule.Generation.Kind == targetSourceKind && rule.Generation.Name == targetSourceName {
 			updatedRule, err := getGeneratedByResource(newRes, resLabels, ws.client, rule, logger)
 			if err != nil {