feat: generate VAPs from VPs (#12222)

* feat: generate VAPs from VPs

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix codegen

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

api/policies.kyverno.io/v1alpha1/policy_status.go

@@ -25,6 +25,14 @@ type PolicyStatus struct {
 
 	// +optional
 	Autogen AutogenStatus `json:"autogen"`
+
+	// Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not
+	// +optional
+	Generated bool `json:"generated"`
+
+	// Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+	// It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
+	Message string `json:"message"`
 }
 
 // AutogenStatus contains autogen status information.

api/policies.kyverno.io/v1alpha1/validating_policy.go

@@ -54,6 +54,10 @@ func (s *ValidatingPolicy) GetStatus() *PolicyStatus {
 	return &s.Status
 }
 
+func (s *ValidatingPolicy) GetKind() string {
+	return s.Kind
+}
+
 // +kubebuilder:object:root=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 

charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml

@@ -1314,11 +1314,22 @@ spec:
                   - type
                   type: object
                 type: array
+              generated:
+                description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  is generated from the policy or not
+                type: boolean
+              message:
+                description: |-
+                  Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
+                type: string
               ready:
                 description: |-
                   The ready of a policy is a high-level summary of where the policy is in its lifecycle.
                   The conditions array, the reason and message fields contain more detail about the policy's status.
                 type: boolean
+            required:
+            - message
             type: object
         required:
         - spec

cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml

@@ -1308,11 +1308,22 @@ spec:
                   - type
                   type: object
                 type: array
+              generated:
+                description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  is generated from the policy or not
+                type: boolean
+              message:
+                description: |-
+                  Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
+                type: string
               ready:
                 description: |-
                   The ready of a policy is a high-level summary of where the policy is in its lifecycle.
                   The conditions array, the reason and message fields contain more detail about the policy's status.
                 type: boolean
+            required:
+            - message
             type: object
         required:
         - spec

cmd/kyverno/main.go

@@ -289,6 +289,7 @@ func createrLeaderControllers(
 			kyvernoClient,
 			dynamicClient.Discovery(),
 			kyvernoInformer.Kyverno().V1().ClusterPolicies(),
+			kyvernoInformer.Policies().V1alpha1().ValidatingPolicies(),
 			kyvernoInformer.Kyverno().V2().PolicyExceptions(),
 			kubeInformer.Admissionregistration().V1().ValidatingAdmissionPolicies(),
 			kubeInformer.Admissionregistration().V1().ValidatingAdmissionPolicyBindings(),

config/crds/policies.kyverno.io/policies.kyverno.io_mutatingpolicies.yaml

@@ -1290,11 +1290,22 @@ spec:
                   - type
                   type: object
                 type: array
+              generated:
+                description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  is generated from the policy or not
+                type: boolean
+              message:
+                description: |-
+                  Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
+                type: string
               ready:
                 description: |-
                   The ready of a policy is a high-level summary of where the policy is in its lifecycle.
                   The conditions array, the reason and message fields contain more detail about the policy's status.
                 type: boolean
+            required:
+            - message
             type: object
         required:
         - spec

config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml

@@ -1308,11 +1308,22 @@ spec:
                   - type
                   type: object
                 type: array
+              generated:
+                description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  is generated from the policy or not
+                type: boolean
+              message:
+                description: |-
+                  Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
+                type: string
               ready:
                 description: |-
                   The ready of a policy is a high-level summary of where the policy is in its lifecycle.
                   The conditions array, the reason and message fields contain more detail about the policy's status.
                 type: boolean
+            required:
+            - message
             type: object
         required:
         - spec

config/install-latest-testing.yaml

@@ -49856,11 +49856,22 @@ spec:
                   - type
                   type: object
                 type: array
+              generated:
+                description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  is generated from the policy or not
+                type: boolean
+              message:
+                description: |-
+                  Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+                  It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
+                type: string
               ready:
                 description: |-
                   The ready of a policy is a high-level summary of where the policy is in its lifecycle.
                   The conditions array, the reason and message fields contain more detail about the policy's status.
                 type: boolean
+            required:
+            - message
             type: object
         required:
         - spec

docs/user/crd/index.html

@@ -12134,6 +12134,30 @@ AutogenStatus
 <em>(Optional)</em>
 </td>
 </tr>
+<tr>
+<td>
+<code>generated</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>message</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
+It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />

pkg/admissionpolicy/builder.go

@@ -7,6 +7,7 @@ import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
+	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -17,90 +18,109 @@ import (
 func BuildValidatingAdmissionPolicy(
 	discoveryClient dclient.IDiscovery,
 	vap *admissionregistrationv1.ValidatingAdmissionPolicy,
-	cpol kyvernov1.PolicyInterface,
+	policy engineapi.GenericPolicy,
 	exceptions []kyvernov2.PolicyException,
 ) error {
+	var matchResources admissionregistrationv1.MatchResources
+	var matchConditions []admissionregistrationv1.MatchCondition
+	var paramKind *admissionregistrationv1.ParamKind
+	var validations []admissionregistrationv1.Validation
+	var auditAnnotations []admissionregistrationv1.AuditAnnotation
+	var variables []admissionregistrationv1.Variable
+
+	if cpol := policy.AsKyvernoPolicy(); cpol != nil {
+		// construct the rules
+		var matchRules, excludeRules []admissionregistrationv1.NamedRuleWithOperations
+
+		rule := cpol.GetSpec().Rules[0]
+
+		// convert the match block
+		match := rule.MatchResources
+		if !match.ResourceDescription.IsEmpty() {
+			if err := translateResource(discoveryClient, &matchResources, &matchRules, match.ResourceDescription, true); err != nil {
+				return err
+			}
+		}
+
+		if match.Any != nil {
+			if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.Any, true); err != nil {
+				return err
+			}
+		}
+		if match.All != nil {
+			if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.All, true); err != nil {
+				return err
+			}
+		}
+
+		// convert the exclude block
+		if exclude := rule.ExcludeResources; exclude != nil {
+			if !exclude.ResourceDescription.IsEmpty() {
+				if err := translateResource(discoveryClient, &matchResources, &excludeRules, exclude.ResourceDescription, false); err != nil {
+					return err
+				}
+			}
+
+			if exclude.Any != nil {
+				if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.Any, false); err != nil {
+					return err
+				}
+			}
+			if exclude.All != nil {
+				if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.All, false); err != nil {
+					return err
+				}
+			}
+		}
+
+		// convert the exceptions if exist
+		for _, exception := range exceptions {
+			match := exception.Spec.Match
+			if match.Any != nil {
+				if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, match.Any, false); err != nil {
+					return err
+				}
+			}
+
+			if match.All != nil {
+				if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, match.All, false); err != nil {
+					return err
+				}
+			}
+		}
+
+		matchConditions = rule.CELPreconditions
+		paramKind = rule.Validation.CEL.ParamKind
+		validations = rule.Validation.CEL.Expressions
+		auditAnnotations = rule.Validation.CEL.AuditAnnotations
+		variables = rule.Validation.CEL.Variables
+	} else if vpol := policy.AsValidatingPolicy(); vpol != nil {
+		matchResources = *vpol.Spec.MatchConstraints
+		matchConditions = vpol.Spec.MatchConditions
+		paramKind = vpol.Spec.ParamKind
+		validations = vpol.Spec.Validations
+		auditAnnotations = vpol.Spec.AuditAnnotations
+		variables = vpol.Spec.Variables
+	}
+
 	// set owner reference
 	vap.OwnerReferences = []metav1.OwnerReference{
 		{
-			APIVersion: "kyverno.io/v1",
-			Kind:       cpol.GetKind(),
-			Name:       cpol.GetName(),
-			UID:        cpol.GetUID(),
+			APIVersion: policy.GetAPIVersion(),
+			Kind:       policy.GetKind(),
+			Name:       policy.GetName(),
+			UID:        policy.GetUID(),
 		},
 	}
-
-	// construct the rules
-	var matchResources admissionregistrationv1.MatchResources
-	var matchRules, excludeRules []admissionregistrationv1.NamedRuleWithOperations
-
-	rule := cpol.GetSpec().Rules[0]
-
-	// convert the match block
-	match := rule.MatchResources
-	if !match.ResourceDescription.IsEmpty() {
-		if err := translateResource(discoveryClient, &matchResources, &matchRules, match.ResourceDescription, true); err != nil {
-			return err
-		}
-	}
-
-	if match.Any != nil {
-		if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.Any, true); err != nil {
-			return err
-		}
-	}
-	if match.All != nil {
-		if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.All, true); err != nil {
-			return err
-		}
-	}
-
-	// convert the exclude block
-	if exclude := rule.ExcludeResources; exclude != nil {
-		if !exclude.ResourceDescription.IsEmpty() {
-			if err := translateResource(discoveryClient, &matchResources, &excludeRules, exclude.ResourceDescription, false); err != nil {
-				return err
-			}
-		}
-
-		if exclude.Any != nil {
-			if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.Any, false); err != nil {
-				return err
-			}
-		}
-		if exclude.All != nil {
-			if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.All, false); err != nil {
-				return err
-			}
-		}
-	}
-
-	// convert the exceptions if exist
-	for _, exception := range exceptions {
-		match := exception.Spec.Match
-		if match.Any != nil {
-			if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, match.Any, false); err != nil {
-				return err
-			}
-		}
-
-		if match.All != nil {
-			if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, match.All, false); err != nil {
-				return err
-			}
-		}
-	}
-
 	// set policy spec
 	vap.Spec = admissionregistrationv1.ValidatingAdmissionPolicySpec{
 		MatchConstraints: &matchResources,
-		ParamKind:        rule.Validation.CEL.ParamKind,
-		Variables:        rule.Validation.CEL.Variables,
-		Validations:      rule.Validation.CEL.Expressions,
-		AuditAnnotations: rule.Validation.CEL.AuditAnnotations,
-		MatchConditions:  rule.CELPreconditions,
+		ParamKind:        paramKind,
+		Variables:        variables,
+		Validations:      validations,
+		AuditAnnotations: auditAnnotations,
+		MatchConditions:  matchConditions,
 	}
-
 	// set labels
 	controllerutils.SetManagedByKyvernoLabel(vap)
 	return nil
@@ -109,46 +129,53 @@ func BuildValidatingAdmissionPolicy(
 // BuildValidatingAdmissionPolicyBinding is used to build a Kubernetes ValidatingAdmissionPolicyBinding from a Kyverno policy
 func BuildValidatingAdmissionPolicyBinding(
 	vapbinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding,
-	cpol kyvernov1.PolicyInterface,
+	policy engineapi.GenericPolicy,
 ) error {
+	var validationActions []admissionregistrationv1.ValidationAction
+	var paramRef *admissionregistrationv1.ParamRef
+	var policyName string
+
+	if cpol := policy.AsKyvernoPolicy(); cpol != nil {
+		rule := cpol.GetSpec().Rules[0]
+		validateAction := rule.Validation.FailureAction
+		if validateAction != nil {
+			if validateAction.Enforce() {
+				validationActions = append(validationActions, admissionregistrationv1.Deny)
+			} else if validateAction.Audit() {
+				validationActions = append(validationActions, admissionregistrationv1.Audit)
+				validationActions = append(validationActions, admissionregistrationv1.Warn)
+			}
+		} else {
+			validateAction := cpol.GetSpec().ValidationFailureAction
+			if validateAction.Enforce() {
+				validationActions = append(validationActions, admissionregistrationv1.Deny)
+			} else if validateAction.Audit() {
+				validationActions = append(validationActions, admissionregistrationv1.Audit)
+				validationActions = append(validationActions, admissionregistrationv1.Warn)
+			}
+		}
+		paramRef = rule.Validation.CEL.ParamRef
+		policyName = "cpol-" + cpol.GetName()
+	} else if vpol := policy.AsValidatingPolicy(); vpol != nil {
+		validationActions = vpol.Spec.ValidationAction
+		policyName = "vpol-" + vpol.GetName()
+	}
+
 	// set owner reference
 	vapbinding.OwnerReferences = []metav1.OwnerReference{
 		{
-			APIVersion: "kyverno.io/v1",
-			Kind:       cpol.GetKind(),
-			Name:       cpol.GetName(),
-			UID:        cpol.GetUID(),
+			APIVersion: policy.GetAPIVersion(),
+			Kind:       policy.GetKind(),
+			Name:       policy.GetName(),
+			UID:        policy.GetUID(),
 		},
 	}
-
-	// set validation action for vap binding
-	var validationActions []admissionregistrationv1.ValidationAction
-	validateAction := cpol.GetSpec().Rules[0].Validation.FailureAction
-	if validateAction != nil {
-		if validateAction.Enforce() {
-			validationActions = append(validationActions, admissionregistrationv1.Deny)
-		} else if validateAction.Audit() {
-			validationActions = append(validationActions, admissionregistrationv1.Audit)
-			validationActions = append(validationActions, admissionregistrationv1.Warn)
-		}
-	} else {
-		validateAction := cpol.GetSpec().ValidationFailureAction
-		if validateAction.Enforce() {
-			validationActions = append(validationActions, admissionregistrationv1.Deny)
-		} else if validateAction.Audit() {
-			validationActions = append(validationActions, admissionregistrationv1.Audit)
-			validationActions = append(validationActions, admissionregistrationv1.Warn)
-		}
-	}
-
-	// set validating admission policy binding spec
-	rule := cpol.GetSpec().Rules[0]
+	// set binding spec
 	vapbinding.Spec = admissionregistrationv1.ValidatingAdmissionPolicyBindingSpec{
-		PolicyName:        cpol.GetName(),
-		ParamRef:          rule.Validation.CEL.ParamRef,
+		PolicyName:        policyName,
+		ParamRef:          paramRef,
 		ValidationActions: validationActions,
 	}
-
 	// set labels
 	controllerutils.SetManagedByKyvernoLabel(vapbinding)
 	return nil

pkg/controllers/validatingadmissionpolicy-generate/controller.go

@@ -8,15 +8,19 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/pkg/admissionpolicy"
 	"github.com/kyverno/kyverno/pkg/auth/checker"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
+	policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
 	kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
+	policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/controllers"
+	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/logging"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
@@ -25,7 +29,6 @@ import (
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"
 	admissionregistrationv1informers "k8s.io/client-go/informers/admissionregistration/v1"
 	"k8s.io/client-go/kubernetes"
 	admissionregistrationv1listers "k8s.io/client-go/listers/admissionregistration/v1"
@@ -48,6 +51,7 @@ type controller struct {
 
 	// listers
 	cpolLister       kyvernov1listers.ClusterPolicyLister
+	vpolLister       policiesv1alpha1listers.ValidatingPolicyLister
 	polexLister      kyvernov2listers.PolicyExceptionLister
 	vapLister        admissionregistrationv1listers.ValidatingAdmissionPolicyLister
 	vapbindingLister admissionregistrationv1listers.ValidatingAdmissionPolicyBindingLister
@@ -64,6 +68,7 @@ func NewController(
 	kyvernoClient versioned.Interface,
 	discoveryClient dclient.IDiscovery,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
+	vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
 	polexInformer kyvernov2informers.PolicyExceptionInformer,
 	vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
 	vapbindingInformer admissionregistrationv1informers.ValidatingAdmissionPolicyBindingInformer,
@@ -79,6 +84,7 @@ func NewController(
 		kyvernoClient:    kyvernoClient,
 		discoveryClient:  discoveryClient,
 		cpolLister:       cpolInformer.Lister(),
+		vpolLister:       vpolInformer.Lister(),
 		polexLister:      polexInformer.Lister(),
 		vapLister:        vapInformer.Lister(),
 		vapbindingLister: vapbindingInformer.Lister(),
@@ -92,17 +98,22 @@ func NewController(
 		logger.Error(err, "failed to register event handlers")
 	}
 
+	// Set up an event handler for when validating policies change
+	if _, err := controllerutils.AddEventHandlersT(vpolInformer.Informer(), c.addVP, c.updateVP, c.deleteVP); err != nil {
+		logger.Error(err, "failed to register event handlers")
+	}
+
 	// Set up an event handler for when policy exceptions change
 	if _, err := controllerutils.AddEventHandlersT(polexInformer.Informer(), c.addException, c.updateException, c.deleteException); err != nil {
 		logger.Error(err, "failed to register event handlers")
 	}
 
-	// Set up an event handler for when validating admission policies change
+	// Set up an event handler for when ValidatingAdmissionPolicies change
 	if _, err := controllerutils.AddEventHandlersT(vapInformer.Informer(), c.addVAP, c.updateVAP, c.deleteVAP); err != nil {
 		logger.Error(err, "failed to register event handlers")
 	}
 
-	// Set up an event handler for when validating admission policy bindings change
+	// Set up an event handler for when ValidatingAdmissionPolicyBindings change
 	if _, err := controllerutils.AddEventHandlersT(vapbindingInformer.Informer(), c.addVAPbinding, c.updateVAPbinding, c.deleteVAPbinding); err != nil {
 		logger.Error(err, "failed to register event handlers")
 	}
@@ -114,6 +125,35 @@ func (c *controller) Run(ctx context.Context, workers int) {
 	controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile)
 }
 
+func (c *controller) addVP(obj *policiesv1alpha1.ValidatingPolicy) {
+	logger.V(2).Info("validating policy created", "uid", obj.GetUID(), "kind", obj.GetKind(), "name", obj.GetName())
+	c.enqueueVP(obj)
+}
+
+func (c *controller) updateVP(old, obj *policiesv1alpha1.ValidatingPolicy) {
+	if datautils.DeepEqual(old.GetSpec(), obj.GetSpec()) {
+		return
+	}
+	logger.V(2).Info("validating policy updated", "uid", obj.GetUID(), "kind", obj.GetKind(), "name", obj.GetName())
+	c.enqueueVP(obj)
+}
+
+func (c *controller) deleteVP(obj *policiesv1alpha1.ValidatingPolicy) {
+	vpol := kubeutils.GetObjectWithTombstone(obj).(*policiesv1alpha1.ValidatingPolicy)
+
+	logger.V(2).Info("validating policy deleted", "uid", vpol.GetUID(), "kind", vpol.GetKind(), "name", vpol.GetName())
+	c.enqueueVP(obj)
+}
+
+func (c *controller) enqueueVP(obj *policiesv1alpha1.ValidatingPolicy) {
+	key, err := cache.MetaNamespaceKeyFunc(obj)
+	if err != nil {
+		logger.Error(err, "failed to extract policy name")
+		return
+	}
+	c.queue.Add("ValidatingPolicy/" + key)
+}
+
 func (c *controller) addPolicy(obj kyvernov1.PolicyInterface) {
 	logger.V(2).Info("policy created", "uid", obj.GetUID(), "kind", obj.GetKind(), "name", obj.GetName())
 	c.enqueuePolicy(obj)
@@ -148,7 +188,7 @@ func (c *controller) enqueuePolicy(obj kyvernov1.PolicyInterface) {
 		logger.Error(err, "failed to extract policy name")
 		return
 	}
-	c.queue.Add(key)
+	c.queue.Add("ClusterPolicy/" + key)
 }
 
 func (c *controller) addException(obj *kyvernov2.PolicyException) {
@@ -214,6 +254,12 @@ func (c *controller) enqueueVAP(v *admissionregistrationv1.ValidatingAdmissionPo
 				return
 			}
 			c.enqueuePolicy(cpol)
+		} else if v.OwnerReferences[0].Kind == "ValidatingPolicy" {
+			vpol, err := c.vpolLister.Get(v.OwnerReferences[0].Name)
+			if err != nil {
+				return
+			}
+			c.enqueueVP(vpol)
 		}
 	}
 }
@@ -241,119 +287,104 @@ func (c *controller) enqueueVAPbinding(vb *admissionregistrationv1.ValidatingAdm
 				return
 			}
 			c.enqueuePolicy(cpol)
+		} else if vb.OwnerReferences[0].Kind == "ValidatingPolicy" {
+			vpol, err := c.vpolLister.Get(vb.OwnerReferences[0].Name)
+			if err != nil {
+				return
+			}
+			c.enqueueVP(vpol)
 		}
 	}
 }
 
-func (c *controller) getClusterPolicy(name string) (*kyvernov1.ClusterPolicy, error) {
-	cpolicy, err := c.cpolLister.Get(name)
-	if err != nil {
-		return nil, err
-	}
-	return cpolicy, nil
-}
-
-func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregistrationv1.ValidatingAdmissionPolicy, error) {
-	vap, err := c.vapLister.Get(name)
-	if err != nil {
-		return nil, err
-	}
-	return vap, nil
-}
-
-func (c *controller) getValidatingAdmissionPolicyBinding(name string) (*admissionregistrationv1.ValidatingAdmissionPolicyBinding, error) {
-	vapbinding, err := c.vapbindingLister.Get(name)
-	if err != nil {
-		return nil, err
-	}
-	return vapbinding, nil
-}
-
-// getExceptions get exceptions that match both the policy and the rule if exists.
-func (c *controller) getExceptions(policyName, rule string) ([]kyvernov2.PolicyException, error) {
-	var exceptions []kyvernov2.PolicyException
-	polexs, err := c.polexLister.List(labels.Everything())
-	if err != nil {
-		return nil, err
-	}
-	for _, polex := range polexs {
-		if polex.Contains(policyName, rule) {
-			exceptions = append(exceptions, *polex)
-		}
-	}
-	return exceptions, nil
-}
-
-func constructVapBindingName(vapName string) string {
-	return vapName + "-binding"
-}
-
 func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error {
-	policy, err := c.getClusterPolicy(name)
-	if err != nil {
-		if apierrors.IsNotFound(err) {
+	var policy engineapi.GenericPolicy
+	var exceptions []kyvernov2.PolicyException
+	var err error
+	var vapName string
+
+	polType := strings.Split(key, "/")[0]
+	if polType == "ClusterPolicy" {
+		cpol, err := c.getClusterPolicy(name)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				return nil
+			}
+			logger.Error(err, "unable to get the policy from policy informer")
+			return err
+		}
+		spec := cpol.GetSpec()
+		if !spec.HasValidate() {
 			return nil
 		}
-		logger.Error(err, "unable to get the policy from policy informer")
-		return err
+		policy = engineapi.NewKyvernoPolicy(cpol)
+		vapName = "cpol-" + policy.GetName()
+	} else {
+		vpol, err := c.getValidatingPolicy(name)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				return nil
+			}
+			logger.Error(err, "unable to get the policy from policy informer")
+			return err
+		}
+		policy = engineapi.NewValidatingPolicy(vpol)
+		vapName = "vpol-" + policy.GetName()
 	}
 
-	spec := policy.GetSpec()
-	if !spec.HasValidate() {
-		return nil
-	}
-
-	// check if the controller has the required permissions to generate validating admission policies.
+	// check if the controller has the required permissions to generate ValidatingAdmissionPolicies.
 	if !admissionpolicy.HasValidatingAdmissionPolicyPermission(c.checker) {
 		logger.V(2).Info("insufficient permissions to generate ValidatingAdmissionPolicies")
-		c.updateClusterPolicyStatus(ctx, *policy, false, "insufficient permissions to generate ValidatingAdmissionPolicies")
+		c.updatePolicyStatus(ctx, policy, false, "insufficient permissions to generate ValidatingAdmissionPolicies")
 		return nil
 	}
-
-	// check if the controller has the required permissions to generate validating admission policy bindings.
+	// check if the controller has the required permissions to generate ValidatingAdmissionPolicyBindings.
 	if !admissionpolicy.HasValidatingAdmissionPolicyBindingPermission(c.checker) {
 		logger.V(2).Info("insufficient permissions to generate ValidatingAdmissionPolicyBindings")
-		c.updateClusterPolicyStatus(ctx, *policy, false, "insufficient permissions to generate ValidatingAdmissionPolicyBindings")
+		c.updatePolicyStatus(ctx, policy, false, "insufficient permissions to generate ValidatingAdmissionPolicyBindings")
 		return nil
 	}
 
-	vapName := policy.GetName()
 	vapBindingName := constructVapBindingName(vapName)
-
+	// get the ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding if exists.
 	observedVAP, vapErr := c.getValidatingAdmissionPolicy(vapName)
 	observedVAPbinding, vapBindingErr := c.getValidatingAdmissionPolicyBinding(vapBindingName)
 
-	exceptions, err := c.getExceptions(name, spec.Rules[0].Name)
-	if err != nil {
-		return err
-	}
-
-	if ok, msg := admissionpolicy.CanGenerateVAP(spec, exceptions); !ok {
-		// delete the ValidatingAdmissionPolicy if exist
-		if vapErr == nil {
-			err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
-			if err != nil {
-				return err
-			}
-		}
-		// delete the ValidatingAdmissionPolicyBinding if exist
-		if vapBindingErr == nil {
-			err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{})
-			if err != nil {
-				return err
-			}
+	// in case of clusterpolicies, check if we can generate a VAP from it.
+	if polType == "ClusterPolicy" {
+		spec := policy.AsKyvernoPolicy().GetSpec()
+		exceptions, err = c.getExceptions(name, spec.Rules[0].Name)
+		if err != nil {
+			return err
 		}
 
-		if msg == "" {
-			msg = "skip generating ValidatingAdmissionPolicy: a policy exception is configured."
+		if ok, msg := admissionpolicy.CanGenerateVAP(spec, exceptions); !ok {
+			// delete the ValidatingAdmissionPolicy if exist
+			if vapErr == nil {
+				err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
+				if err != nil {
+					return err
+				}
+			}
+			// delete the ValidatingAdmissionPolicyBinding if exist
+			if vapBindingErr == nil {
+				err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{})
+				if err != nil {
+					return err
+				}
+			}
+
+			if msg == "" {
+				msg = "skip generating ValidatingAdmissionPolicy: a policy exception is configured."
+			}
+			c.updatePolicyStatus(ctx, policy, false, msg)
+			return nil
 		}
-		c.updateClusterPolicyStatus(ctx, *policy, false, msg)
-		return nil
 	}
 
 	if vapErr != nil {
 		if !apierrors.IsNotFound(vapErr) {
-			c.updateClusterPolicyStatus(ctx, *policy, false, vapErr.Error())
+			c.updatePolicyStatus(ctx, policy, false, vapErr.Error())
 			return vapErr
 		}
 		observedVAP = &admissionregistrationv1.ValidatingAdmissionPolicy{
@@ -362,10 +393,9 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 			},
 		}
 	}
-
 	if vapBindingErr != nil {
 		if !apierrors.IsNotFound(vapBindingErr) {
-			c.updateClusterPolicyStatus(ctx, *policy, false, vapBindingErr.Error())
+			c.updatePolicyStatus(ctx, policy, false, vapBindingErr.Error())
 			return vapBindingErr
 		}
 		observedVAPbinding = &admissionregistrationv1.ValidatingAdmissionPolicyBinding{
@@ -378,16 +408,16 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 	if observedVAP.ResourceVersion == "" {
 		err := admissionpolicy.BuildValidatingAdmissionPolicy(c.discoveryClient, observedVAP, policy, exceptions)
 		if err != nil {
-			c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
+			c.updatePolicyStatus(ctx, policy, false, err.Error())
 			return err
 		}
 		_, err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Create(ctx, observedVAP, metav1.CreateOptions{})
 		if err != nil {
-			c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
+			c.updatePolicyStatus(ctx, policy, false, err.Error())
 			return err
 		}
 	} else {
-		_, err = controllerutils.Update(
+		_, err := controllerutils.Update(
 			ctx,
 			observedVAP,
 			c.client.AdmissionregistrationV1().ValidatingAdmissionPolicies(),
@@ -395,7 +425,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 				return admissionpolicy.BuildValidatingAdmissionPolicy(c.discoveryClient, observed, policy, exceptions)
 			})
 		if err != nil {
-			c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
+			c.updatePolicyStatus(ctx, policy, false, err.Error())
 			return err
 		}
 	}
@@ -403,16 +433,16 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 	if observedVAPbinding.ResourceVersion == "" {
 		err := admissionpolicy.BuildValidatingAdmissionPolicyBinding(observedVAPbinding, policy)
 		if err != nil {
-			c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
+			c.updatePolicyStatus(ctx, policy, false, err.Error())
 			return err
 		}
 		_, err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Create(ctx, observedVAPbinding, metav1.CreateOptions{})
 		if err != nil {
-			c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
+			c.updatePolicyStatus(ctx, policy, false, err.Error())
 			return err
 		}
 	} else {
-		_, err = controllerutils.Update(
+		_, err := controllerutils.Update(
 			ctx,
 			observedVAPbinding,
 			c.client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings(),
@@ -420,23 +450,33 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 				return admissionpolicy.BuildValidatingAdmissionPolicyBinding(observed, policy)
 			})
 		if err != nil {
-			c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
+			c.updatePolicyStatus(ctx, policy, false, err.Error())
 			return err
 		}
 	}
 
-	c.updateClusterPolicyStatus(ctx, *policy, true, "")
+	c.updatePolicyStatus(ctx, policy, true, "")
 	// generate events
 	e := event.NewValidatingAdmissionPolicyEvent(policy, observedVAP.Name, observedVAPbinding.Name)
 	c.eventGen.Add(e...)
 	return nil
 }
 
-func (c *controller) updateClusterPolicyStatus(ctx context.Context, cpol kyvernov1.ClusterPolicy, generated bool, msg string) {
-	latest := cpol.DeepCopy()
-	latest.Status.ValidatingAdmissionPolicy.Generated = generated
-	latest.Status.ValidatingAdmissionPolicy.Message = msg
+func (c *controller) updatePolicyStatus(ctx context.Context, policy engineapi.GenericPolicy, generated bool, msg string) {
+	if pol := policy.AsKyvernoPolicy(); pol != nil {
+		cpol := pol.(*kyvernov1.ClusterPolicy)
+		latest := cpol.DeepCopy()
+		latest.Status.ValidatingAdmissionPolicy.Generated = generated
+		latest.Status.ValidatingAdmissionPolicy.Message = msg
 
-	new, _ := c.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{})
-	logging.V(3).Info("updated kyverno policy status", "name", cpol.GetName(), "status", new.Status)
+		new, _ := c.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{})
+		logging.V(3).Info("updated cluster policy status", "name", cpol.GetName(), "status", new.Status)
+	} else if vpol := policy.AsValidatingPolicy(); vpol != nil {
+		latest := vpol.DeepCopy()
+		latest.Status.Generated = generated
+		latest.Status.Message = msg
+
+		new, _ := c.kyvernoClient.PoliciesV1alpha1().ValidatingPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{})
+		logging.V(3).Info("updated validating policy status", "name", vpol.GetName(), "status", new.Status)
+	}
 }

pkg/controllers/validatingadmissionpolicy-generate/utils.go

@@ -0,0 +1,64 @@
+package validatingadmissionpolicygenerate
+
+import (
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+// getClusterPolicy gets the Kyverno ClusterPolicy
+func (c *controller) getClusterPolicy(name string) (*kyvernov1.ClusterPolicy, error) {
+	cpolicy, err := c.cpolLister.Get(name)
+	if err != nil {
+		return nil, err
+	}
+	return cpolicy, nil
+}
+
+// getClusterPolicy gets the Kyverno ValidatingPolicy
+func (c *controller) getValidatingPolicy(name string) (*policiesv1alpha1.ValidatingPolicy, error) {
+	vpol, err := c.vpolLister.Get(name)
+	if err != nil {
+		return nil, err
+	}
+	return vpol, nil
+}
+
+// getValidatingAdmissionPolicy gets the Kubernetes ValidatingAdmissionPolicy
+func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregistrationv1.ValidatingAdmissionPolicy, error) {
+	vap, err := c.vapLister.Get(name)
+	if err != nil {
+		return nil, err
+	}
+	return vap, nil
+}
+
+// getValidatingAdmissionPolicyBinding gets the Kubernetes ValidatingAdmissionPolicyBinding
+func (c *controller) getValidatingAdmissionPolicyBinding(name string) (*admissionregistrationv1.ValidatingAdmissionPolicyBinding, error) {
+	vapbinding, err := c.vapbindingLister.Get(name)
+	if err != nil {
+		return nil, err
+	}
+	return vapbinding, nil
+}
+
+// getExceptions get PolicyExceptions that match both the ClusterPolicy and the rule if exists.
+func (c *controller) getExceptions(policyName, rule string) ([]kyvernov2.PolicyException, error) {
+	var exceptions []kyvernov2.PolicyException
+	polexs, err := c.polexLister.List(labels.Everything())
+	if err != nil {
+		return nil, err
+	}
+	for _, polex := range polexs {
+		if polex.Contains(policyName, rule) {
+			exceptions = append(exceptions, *polex)
+		}
+	}
+	return exceptions, nil
+}
+
+func constructVapBindingName(vapName string) string {
+	return vapName + "-binding"
+}

pkg/event/events.go

@@ -335,10 +335,10 @@ func NewCleanupPolicyEvent(policy kyvernov2.CleanupPolicyInterface, resource uns
 	}
 }
 
-func NewValidatingAdmissionPolicyEvent(policy kyvernov1.PolicyInterface, vapName, vapBindingName string) []Info {
+func NewValidatingAdmissionPolicyEvent(policy engineapi.GenericPolicy, vapName, vapBindingName string) []Info {
 	regarding := corev1.ObjectReference{
 		// TODO: iirc it's not safe to assume api version is set
-		APIVersion: "kyverno.io/v1",
+		APIVersion: policy.GetAPIVersion(),
 		Kind:       policy.GetKind(),
 		Name:       policy.GetName(),
 		Namespace:  policy.GetNamespace(),

pkg/validation/policy/validate.go

@@ -20,6 +20,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/admissionpolicy"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
+	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	"github.com/kyverno/kyverno/pkg/engine/variables/operator"
@@ -473,7 +474,8 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 				Name: policy.GetName(),
 			},
 		}
-		err = admissionpolicy.BuildValidatingAdmissionPolicy(client.Discovery(), vap, policy, nil)
+		genericPolicy := engineapi.NewKyvernoPolicy(policy)
+		err = admissionpolicy.BuildValidatingAdmissionPolicy(client.Discovery(), vap, genericPolicy, nil)
 		if err != nil {
 			return nil, err
 		}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: block-ephemeral-containers
+  name: cpol-block-ephemeral-containers
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicybinding.yaml

@@ -3,12 +3,12 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: block-ephemeral-containers-binding
+  name: cpol-block-ephemeral-containers-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: block-ephemeral-containers
 spec:
-  policyName: block-ephemeral-containers
+  policyName: cpol-block-ephemeral-containers
   validationActions:
   - Deny

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml

@@ -44,4 +44,4 @@ spec:
           ($error != null): true
           # This check ensures the contents of stderr are exactly as shown.  
           (trim_space($stderr)): |-
-            The pods "my-pod" is invalid: : ValidatingAdmissionPolicy 'deny-exec-by-namespace-name' with binding 'deny-exec-by-namespace-name-binding' denied request: Pods in this namespace may not be exec'd into.
+            The pods "my-pod" is invalid: : ValidatingAdmissionPolicy 'cpol-deny-exec-by-namespace-name' with binding 'cpol-deny-exec-by-namespace-name-binding' denied request: Pods in this namespace may not be exec'd into.

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: deny-exec-by-namespace-name
+  name: cpol-deny-exec-by-namespace-name
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml

@@ -3,12 +3,12 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: deny-exec-by-namespace-name-binding
+  name: cpol-deny-exec-by-namespace-name-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: deny-exec-by-namespace-name
 spec:
-  policyName: deny-exec-by-namespace-name
+  policyName: cpol-deny-exec-by-namespace-name
   validationActions:
   - Deny

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t9
+  name: cpol-disallow-host-path-t9
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicybinding.yaml

@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t9-binding
+  name: cpol-disallow-host-path-t9-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path-t9
 spec:
-  policyName: disallow-host-path-t9
+  policyName: cpol-disallow-host-path-t9
   validationActions: [Audit, Warn]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t16
+  name: cpol-disallow-host-path-t16
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicybinding.yaml

@@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t16-binding
+  name: cpol-disallow-host-path-t16-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path-t16
 spec:
-  policyName: disallow-host-path-t16
+  policyName: cpol-disallow-host-path-t16
   validationActions:
   - Audit
   - Warn

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t14
+  name: cpol-disallow-host-path-t14
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicybinding.yaml

@@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t14-binding
+  name: cpol-disallow-host-path-t14-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path-t14
 spec:
-  policyName: disallow-host-path-t14
+  policyName: cpol-disallow-host-path-t14
   validationActions:
   - Audit
   - Warn

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t15
+  name: cpol-disallow-host-path-t15
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicybinding.yaml

@@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t15-binding
+  name: cpol-disallow-host-path-t15-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path-t15
 spec:
-  policyName: disallow-host-path-t15
+  policyName: cpol-disallow-host-path-t15
   validationActions:
   - Audit
   - Warn

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t13
+  name: cpol-disallow-host-path-t13
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicybinding.yaml

@@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t13-binding
+  name: cpol-disallow-host-path-t13-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path-t13
 spec:
-  policyName: disallow-host-path-t13
+  policyName: cpol-disallow-host-path-t13
   validationActions:
   - Audit
   - Warn

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t8
+  name: cpol-disallow-host-path-t8
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicybinding.yaml

@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t8-binding
+  name: cpol-disallow-host-path-t8-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path-t8
 spec:
-  policyName: disallow-host-path-t8
+  policyName: cpol-disallow-host-path-t8
   validationActions: [Audit, Warn]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t7
+  name: cpol-disallow-host-path-t7
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicybinding.yaml

@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t7-binding
+  name: cpol-disallow-host-path-t7-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path-t7
 spec:
-  policyName: disallow-host-path-t7
+  policyName: cpol-disallow-host-path-t7
   validationActions: [Audit, Warn]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app-4
+  name: cpol-check-label-app-4
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicybinding.yaml

@@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app-4-binding
+  name: cpol-check-label-app-4-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: check-label-app-4
 spec:
-  policyName: check-label-app-4
+  policyName: cpol-check-label-app-4
   validationActions:
   - Audit
   - Warn

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app5
+  name: cpol-check-label-app5
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicybinding.yaml

@@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app5-binding
+  name: cpol-check-label-app5-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: check-label-app5
 spec:
-  policyName: check-label-app5
+  policyName: cpol-check-label-app5
   validationActions:
   - Audit
   - Warn

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app4
+  name: cpol-check-label-app4
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicybinding.yaml

@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app4-binding
+  name: cpol-check-label-app4-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: check-label-app4
 spec:
-  policyName: check-label-app4
+  policyName: cpol-check-label-app4
   validationActions: [Audit, Warn]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t4
+  name: cpol-disallow-host-path-t4
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml

@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t4-binding
+  name: cpol-disallow-host-path-t4-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path-t4
 spec:
-  policyName: disallow-host-path-t4
+  policyName: cpol-disallow-host-path-t4
   validationActions: [Audit, Warn]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path
+  name: cpol-disallow-host-path
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicybinding.yaml

@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-binding
+  name: cpol-disallow-host-path-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path
 spec:
-  policyName: disallow-host-path
+  policyName: cpol-disallow-host-path
   validationActions: [Audit, Warn]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path
+  name: cpol-disallow-host-path
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicybinding.yaml

@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-binding
+  name: cpol-disallow-host-path-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path
 spec:
-  policyName: disallow-host-path
+  policyName: cpol-disallow-host-path
   validationActions: [Audit, Warn]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicy.yaml

@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path
+  name: cpol-disallow-host-path
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicybinding.yaml

@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-binding
+  name: cpol-disallow-host-path-binding
   ownerReferences:
   - apiVersion: kyverno.io/v1
     kind: ClusterPolicy
     name: disallow-host-path
 spec:
-  policyName: disallow-host-path
+  policyName: cpol-disallow-host-path
   validationActions: [Audit, Warn]

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t12
+  name: cpol-disallow-host-path-t12
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t12-binding
+  name: cpol-disallow-host-path-t12-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t13
+  name: cpol-disallow-host-path-t13
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t13-binding
+  name: cpol-disallow-host-path-t13-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app-3
+  name: cpol-check-label-app-3
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app-3-binding
+  name: cpol-check-label-app-3-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app-5
+  name: cpol-check-label-app-5
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app-5-binding
+  name: cpol-check-label-app-5-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t1
+  name: cpol-disallow-host-path-t1
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t1-binding
+  name: cpol-disallow-host-path-t1-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t2
+  name: cpol-disallow-host-path-t2
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t2-binding
+  name: cpol-disallow-host-path-t2-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t17
+  name: cpol-disallow-host-path-t17
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t17-binding
+  name: cpol-disallow-host-path-t17-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t10
+  name: cpol-disallow-host-path-t10
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t10-binding
+  name: cpol-disallow-host-path-t10-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app2
+  name: cpol-check-label-app2
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app2-binding
+  name: cpol-check-label-app2-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app1
+  name: cpol-check-label-app1
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app1-binding
+  name: cpol-check-label-app1-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t3
+  name: cpol-disallow-host-path-t3
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t3-binding
+  name: cpol-disallow-host-path-t3-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t5
+  name: cpol-disallow-host-path-t5
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t5-binding
+  name: cpol-disallow-host-path-t5-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t6
+  name: cpol-disallow-host-path-t6
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-t6-binding
+  name: cpol-disallow-host-path-t6-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-latest-tag
+  name: cpol-disallow-latest-tag
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-latest-tag-binding
+  name: cpol-disallow-latest-tag-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app
+  name: cpol-check-label-app
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app-binding
+  name: cpol-check-label-app-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: require-ns-purpose-label
+  name: cpol-require-ns-purpose-label
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: require-ns-purpose-label-binding
+  name: cpol-require-ns-purpose-label-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app1
+  name: cpol-check-label-app1
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: check-label-app1-binding
+  name: cpol-check-label-app1-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path
+  name: cpol-disallow-host-path
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-binding
+  name: cpol-disallow-host-path-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path
+  name: cpol-disallow-host-path
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-binding
+  name: cpol-disallow-host-path-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path
+  name: cpol-disallow-host-path
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-binding
+  name: cpol-disallow-host-path-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicy.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path
+  name: cpol-disallow-host-path
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicybinding.yaml

@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kyverno
-  name: disallow-host-path-binding
+  name: cpol-disallow-host-path-binding
 spec: {}

test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/chainsaw-test.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: check-deployment-labels
+spec:
+  steps:
+  - name: create policy
+    try:
+    - create:
+        file: policy.yaml
+    - sleep:
+        duration: 10s
+  - name: check validatingadmissionpolicy
+    try:
+    - assert:
+        file: validatingadmissionpolicy.yaml
+  - name: check validatingadmissionpolicybinding
+    try:
+    - assert:
+        file: validatingadmissionpolicy.yaml

test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-deployment-labels
+spec:
+  validationActions:
+    - Audit
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [apps]
+      apiVersions: [v1]
+      operations:  [CREATE, UPDATE]
+      resources:   [deployments]
+  variables:
+    - name: environment
+      expression: >-
+        has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'
+  validations:
+    - expression: >-
+        variables.environment == true
+      message: >-
+        Deployment labels must be env=prod

test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/validatingadmissionpolicy.yaml

@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: vpol-check-deployment-labels
+  ownerReferences:
+  - apiVersion: policies.kyverno.io/v1alpha1
+    kind: ValidatingPolicy
+    name: check-deployment-labels
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - apps
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - deployments
+  variables:
+  - expression: has(object.metadata.labels) && 'env' in object.metadata.labels &&
+      object.metadata.labels['env'] == 'prod'
+    name: environment
+  validations:
+  - expression: variables.environment == true
+    message: Deployment labels must be env=prod

test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/validatingadmissionpolicybinding.yaml

@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: vpol-check-deployment-labels-binding
+  ownerReferences:
+  - apiVersion: policies.kyverno.io/v1alpha1
+    kind: ValidatingPolicy
+    name: check-deployment-labels
+spec:
+  policyName: vpol-check-deployment-labels
+  validationActions:
+  - Audit