diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 2daadb08a9..54c3806713 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -94,7 +94,7 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 if rule.Validation.Deny != nil {
 denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
- if rule.Validation.Deny.AllRequests || !variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
+ if rule.Validation.Deny.AllRequests || variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
 ruleResp := response.RuleResponse{
 Name: rule.Name,
 Type: utils.Validation.String(),
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 04741669ea..dd8f336406 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -55,9 +55,9 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
 }
- if doesMatchAndExcludeConflict(rule) {
- return fmt.Errorf("path: spec.rules[%v]: rule is matching an empty set", rule.Name)
- }
+ //if doesMatchAndExcludeConflict(rule) {
+ // return fmt.Errorf("path: spec.rules[%v]: rule is matching an empty set", rule.Name)
+ //}
 // validate rule actions
 // - Mutate
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 0e3fd35847..af489ddd8c 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -262,11 +262,6 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 if err != nil {
 logger.Error(err, "failed to load incoming request in context")
 }
- // load incoming resource into the context
- err = ctx.AddResource(request.Object.Raw)
- if err != nil {
- logger.Error(err, "failed to load incoming resource in context")
- }
 err = ctx.AddUserInfo(userRequestInfo)
 if err != nil {
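Review bot: The flipped condition makes a deny rule fire only when `EvaluateConditions` returns true, so any path on which that function returns false because a condition could not be evaluated now admits the request instead of blocking it. Its body is not visible here, so this needs confirming; if it does return false on unresolved variables or malformed operands, the deny branch should treat that case as a failure rather than as a non-match. The inversion also reverses the meaning of every existing deny conditions block, which deserves a comment above the `if` such as `// deny when AllRequests is set or the deny conditions evaluate to true` and a migration note for policy authors. validateResource starts and ends outside the hunk.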
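Review bot: Commenting out the `doesMatchAndExcludeConflict` check means a rule whose match and exclude blocks cancel each other out is now accepted when the policy is validated and then never applies to any resource, which for a validate or deny rule looks like enforcement while providing none. The hunk gives no reason for disabling it, and commented-out code tends to stay that way. Either delete the three lines (and the helper, if nothing else calls it) or keep them under an explanatory comment such as `// TODO(<issue-id>): conflict check disabled because <reason>; rules matching an empty set are accepted until it is restored`. Validate starts and ends outside the hunk.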
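Review bot: After this removal the incoming object is no longer added to the evaluation context by `ctx.AddResource`, so conditions can see it only if the request-loading call just above the hunk exposes it, and that call's error is merely logged before evaluation goes on. Together with the changed deny check in pkg/engine/validation.go, a condition that cannot resolve its variables may (depending on how `EvaluateConditions` treats that case, which is not visible here) evaluate to false and let the request through. I would stop processing when the context cannot be populated rather than log and continue, and leave a comment in place of the deleted block, for example `// the incoming object is reachable through the admission request loaded above; it is not added as a separate resource`. The same removal in resourceValidation, in the next hunk, has the same exposure; both function bodies extend beyond their hunks.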
@@ -360,11 +355,6 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 if err != nil {
 logger.Error(err, "failed to load incoming request in context")
 }
- // load incoming resource into the context
- err = ctx.AddResource(request.Object.Raw)
- if err != nil {
- logger.Error(err, "failed to load incoming resource in context")
- }
 err = ctx.AddUserInfo(userRequestInfo)
 if err != nil {