chore: use v2 clients for policy exceptions (#10530)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-06-24 23:36:55 +07:00 · 2024-06-24 23:36:55 +07:00 · 94d9bbe73f
commit 94d9bbe73f
parent e892a0531e
31 changed files with 105 additions and 102 deletions
--- a/api/kyverno/v2/policy_exception_types.go
+++ b/api/kyverno/v2/policy_exception_types.go
@ -101,6 +101,11 @@ func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList)
 	for i, e := range p.Exceptions {
 		errs = append(errs, e.Validate(exceptionsPath.Index(i))...)
 	}
 	podSecuityPath := path.Child("podSecurity")
 	for i, p := range p.PodSecurity {
 		errs = append(errs, p.Validate(podSecuityPath.Index(i))...)
 	}
 	return errs
 }
--- a/cmd/cli/kubectl-kyverno/commands/apply/command.go
+++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go
@ -13,7 +13,6 @@ import (
 	"github.com/go-git/go-billy/v5/memfs"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/deprecations"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/exception"
@ -167,7 +166,7 @@ func (c *ApplyCommandConfig) applyCommandHelper(out io.Writer) (*processor.Resul
 	if err != nil {
 		return rc, resources1, skipInvalidPolicies, responses1, err
 	}
-	var exceptions []*kyvernov2beta1.PolicyException
+	var exceptions []*kyvernov2.PolicyException
 	if c.inlineExceptions {
 		exceptions = exception.SelectFrom(resources)
 	} else {
@ -260,7 +259,7 @@ func (c *ApplyCommandConfig) applyPolicytoResource(
 	vars *variables.Variables,
 	policies []kyvernov1.PolicyInterface,
 	resources []*unstructured.Unstructured,
-	exceptions []*kyvernov2beta1.PolicyException,
+	exceptions []*kyvernov2.PolicyException,
 	skipInvalidPolicies *SkippedInvalidPolicies,
 	dClient dclient.Interface,
 	userInfo *kyvernov2.RequestInfo,
--- a/cmd/cli/kubectl-kyverno/exception/load.go
+++ b/cmd/cli/kubectl-kyverno/exception/load.go
@ -21,8 +21,8 @@ var (
 	exceptionV2      = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException")
 )
-func Load(paths ...string) ([]*kyvernov2beta1.PolicyException, error) {
+func Load(paths ...string) ([]*kyvernov2.PolicyException, error) {
-	var out []*kyvernov2beta1.PolicyException
+	var out []*kyvernov2.PolicyException
 	for _, path := range paths {
 		bytes, err := os.ReadFile(filepath.Clean(path))
 		if err != nil {
@ -37,12 +37,12 @@ func Load(paths ...string) ([]*kyvernov2beta1.PolicyException, error) {
 	return out, nil
 }
-func load(content []byte) ([]*kyvernov2beta1.PolicyException, error) {
+func load(content []byte) ([]*kyvernov2.PolicyException, error) {
 	documents, err := yamlutils.SplitDocuments(content)
 	if err != nil {
 		return nil, err
 	}
-	var exceptions []*kyvernov2beta1.PolicyException
+	var exceptions []*kyvernov2.PolicyException
 	crds, err := data.Crds()
 	if err != nil {
 		return nil, err
@ -60,7 +60,7 @@ func load(content []byte) ([]*kyvernov2beta1.PolicyException, error) {
 		}
 		switch gvk {
 		case exceptionV2beta1, exceptionV2:
-			exception, err := convert.To[kyvernov2beta1.PolicyException](untyped)
+			exception, err := convert.To[kyvernov2.PolicyException](untyped)
 			if err != nil {
 				return nil, err
 			}
@ -72,12 +72,12 @@ func load(content []byte) ([]*kyvernov2beta1.PolicyException, error) {
 	return exceptions, nil
 }
-func SelectFrom(resources []*unstructured.Unstructured) []*kyvernov2beta1.PolicyException {
+func SelectFrom(resources []*unstructured.Unstructured) []*kyvernov2.PolicyException {
-	var exceptions []*kyvernov2beta1.PolicyException
+	var exceptions []*kyvernov2.PolicyException
 	for _, resource := range resources {
 		switch resource.GroupVersionKind() {
 		case exceptionV2beta1, exceptionV2:
-			exception, err := convert.To[kyvernov2beta1.PolicyException](*resource)
+			exception, err := convert.To[kyvernov2.PolicyException](*resource)
 			if err == nil {
 				exceptions = append(exceptions, exception)
 			}
--- a/cmd/cli/kubectl-kyverno/processor/exceptions.go
+++ b/cmd/cli/kubectl-kyverno/processor/exceptions.go
@ -1,16 +1,16 @@
 package processor
 import (
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	"k8s.io/apimachinery/pkg/labels"
 )
 type policyExceptionLister struct {
-	exceptions []*kyvernov2beta1.PolicyException
+	exceptions []*kyvernov2.PolicyException
 }
-func (l *policyExceptionLister) List(selector labels.Selector) ([]*kyvernov2beta1.PolicyException, error) {
+func (l *policyExceptionLister) List(selector labels.Selector) ([]*kyvernov2.PolicyException, error) {
-	var out []*kyvernov2beta1.PolicyException
+	var out []*kyvernov2.PolicyException
 	for _, exception := range l.exceptions {
 		exceptionLabels := labels.Set(exception.GetLabels())
 		if selector.Matches(exceptionLabels) {
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@ -11,7 +11,6 @@ import (
 	json_patch "github.com/evanphx/json-patch/v5"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/log"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/store"
@ -40,7 +39,7 @@ type PolicyProcessor struct {
 	Store                     *store.Store
 	Policies                  []kyvernov1.PolicyInterface
 	Resource                  unstructured.Unstructured
-	PolicyExceptions          []*kyvernov2beta1.PolicyException
+	PolicyExceptions          []*kyvernov2.PolicyException
 	MutateLogPath             string
 	MutateLogPathIsDir        bool
 	Variables                 *variables.Variables
--- a/cmd/internal/engine.go
+++ b/cmd/internal/engine.go
@ -68,7 +68,7 @@ func NewExceptionSelector(
 	polexCache := exceptioncontroller.NewController(
 		kyvernoInformer.Kyverno().V1().ClusterPolicies(),
 		kyvernoInformer.Kyverno().V1().Policies(),
-		kyvernoInformer.Kyverno().V2beta1().PolicyExceptions(),
+		kyvernoInformer.Kyverno().V2().PolicyExceptions(),
 		exceptionNamespace,
 	)
 	polexController := NewController(
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -221,7 +221,7 @@ func createrLeaderControllers(
 			kyvernoClient,
 			dynamicClient.Discovery(),
 			kyvernoInformer.Kyverno().V1().ClusterPolicies(),
-			kyvernoInformer.Kyverno().V2beta1().PolicyExceptions(),
+			kyvernoInformer.Kyverno().V2().PolicyExceptions(),
 			kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(),
 			kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings(),
 			eventGenerator,
--- a/cmd/reports-controller/main.go
+++ b/cmd/reports-controller/main.go
@ -76,7 +76,7 @@ func createReportControllers(
 		vapBindingInformer = kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings()
 	}
 	kyvernoV1 := kyvernoInformer.Kyverno().V1()
-	kyvernoV2beta1 := kyvernoInformer.Kyverno().V2beta1()
+	kyvernoV2 := kyvernoInformer.Kyverno().V2()
 	if backgroundScan || admissionReports {
 		resourceReportController := resourcereportcontroller.NewController(
 			client,
@ -114,7 +114,7 @@ func createReportControllers(
 				metadataFactory,
 				kyvernoV1.Policies(),
 				kyvernoV1.ClusterPolicies(),
-				kyvernoV2beta1.PolicyExceptions(),
+				kyvernoV2.PolicyExceptions(),
 				vapInformer,
 				vapBindingInformer,
 				kubeInformer.Core().V1().Namespaces(),
--- a/pkg/controllers/exceptions/controller.go
+++ b/pkg/controllers/exceptions/controller.go
@ -9,12 +9,12 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
-	kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
+	kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
-	kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
+	kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
@ -22,7 +22,7 @@ import (
 	"k8s.io/client-go/util/workqueue"
 )
-type ruleIndex = map[string][]*kyvernov2beta1.PolicyException
+type ruleIndex = map[string][]*kyvernov2.PolicyException
 type policyIndex = map[string]ruleIndex
@ -30,7 +30,7 @@ type controller struct {
 	// listers
 	cpolLister  kyvernov1listers.ClusterPolicyLister
 	polLister   kyvernov1listers.PolicyLister
-	polexLister kyvernov2beta1listers.PolicyExceptionLister
+	polexLister kyvernov2listers.PolicyExceptionLister
 	// queue
 	queue workqueue.RateLimitingInterface
@ -50,7 +50,7 @@ const (
 func NewController(
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
 	polInformer kyvernov1informers.PolicyInformer,
-	polexInformer kyvernov2beta1informers.PolicyExceptionInformer,
+	polexInformer kyvernov2informers.PolicyExceptionInformer,
 	namespace string,
 ) *controller {
 	queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
@ -78,13 +78,13 @@ func (c *controller) Run(ctx context.Context, workers int) {
 	controllerutils.Run(ctx, logger.V(3), ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile)
 }
-func (c *controller) Find(policyName string, ruleName string) ([]*kyvernov2beta1.PolicyException, error) {
+func (c *controller) Find(policyName string, ruleName string) ([]*kyvernov2.PolicyException, error) {
 	c.lock.RLock()
 	defer c.lock.RUnlock()
 	return c.index[policyName][ruleName], nil
 }
-func (c *controller) addPolex(polex *kyvernov2beta1.PolicyException) {
+func (c *controller) addPolex(polex *kyvernov2.PolicyException) {
 	names := sets.New[string]()
 	for _, ex := range polex.Spec.Exceptions {
 		names.Insert(ex.PolicyName)
@ -94,7 +94,7 @@ func (c *controller) addPolex(polex *kyvernov2beta1.PolicyException) {
 	}
 }
-func (c *controller) updatePolex(old *kyvernov2beta1.PolicyException, new *kyvernov2beta1.PolicyException) {
+func (c *controller) updatePolex(old *kyvernov2.PolicyException, new *kyvernov2.PolicyException) {
 	names := sets.New[string]()
 	for _, ex := range old.Spec.Exceptions {
 		names.Insert(ex.PolicyName)
@ -107,7 +107,7 @@ func (c *controller) updatePolex(old *kyvernov2beta1.PolicyException, new *kyver
 	}
 }
-func (c *controller) deletePolex(polex *kyvernov2beta1.PolicyException) {
+func (c *controller) deletePolex(polex *kyvernov2.PolicyException) {
 	names := sets.New[string]()
 	for _, ex := range polex.Spec.Exceptions {
 		names.Insert(ex.PolicyName)
@ -133,7 +133,7 @@ func (c *controller) getPolicy(namespace, name string) (kyvernov1.PolicyInterfac
 	}
 }
-func (c *controller) listExceptions() ([]*kyvernov2beta1.PolicyException, error) {
+func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) {
 	if c.namespace == "" {
 		return c.polexLister.List(labels.Everything())
 	}
@ -145,7 +145,7 @@ func (c *controller) buildRuleIndex(key string, policy kyvernov1.PolicyInterface
 	if err != nil {
 		return nil, err
 	}
-	slices.SortFunc(polexList, func(a, b *kyvernov2beta1.PolicyException) int {
+	slices.SortFunc(polexList, func(a, b *kyvernov2.PolicyException) int {
 		if cmp := cmp.Compare(a.Namespace, b.Namespace); cmp != 0 {
 			return cmp
 		}
--- a/pkg/controllers/report/background/controller.go
+++ b/pkg/controllers/report/background/controller.go
@ -6,14 +6,14 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
-	kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
+	kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
-	kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
+	kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/controllers"
@ -57,7 +57,7 @@ type controller struct {
 	// listers
 	polLister        kyvernov1listers.PolicyLister
 	cpolLister       kyvernov1listers.ClusterPolicyLister
-	polexLister      kyvernov2beta1listers.PolicyExceptionLister
+	polexLister      kyvernov2listers.PolicyExceptionLister
 	vapLister        admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
 	vapBindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister
 	bgscanrLister    cache.GenericLister
@ -85,7 +85,7 @@ func NewController(
 	metadataFactory metadatainformers.SharedInformerFactory,
 	polInformer kyvernov1informers.PolicyInformer,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
-	polexInformer kyvernov2beta1informers.PolicyExceptionInformer,
+	polexInformer kyvernov2informers.PolicyExceptionInformer,
 	vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
 	vapBindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer,
 	nsInformer corev1informers.NamespaceInformer,
@ -171,17 +171,17 @@ func (c *controller) deletePolicy(obj kyvernov1.PolicyInterface) {
 	c.enqueueResources()
 }
-func (c *controller) addException(obj *kyvernov2beta1.PolicyException) {
+func (c *controller) addException(obj *kyvernov2.PolicyException) {
 	c.enqueueResources()
 }
-func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) {
+func (c *controller) updateException(old, obj *kyvernov2.PolicyException) {
 	if old.GetResourceVersion() != obj.GetResourceVersion() {
 		c.enqueueResources()
 	}
 }
-func (c *controller) deleteException(obj *kyvernov2beta1.PolicyException) {
+func (c *controller) deleteException(obj *kyvernov2.PolicyException) {
 	c.enqueueResources()
 }
@ -243,7 +243,7 @@ func (c *controller) getMeta(namespace, name string) (metav1.Object, error) {
 	}
 }
-func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2beta1.PolicyException, bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) {
+func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2.PolicyException, bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) {
 	// if the reportMetadata does not exist, we need a full reconcile
 	reportMetadata, err := c.getMeta(namespace, name)
 	if err != nil {
@ -302,7 +302,7 @@ func (c *controller) reconcileReport(
 	uid types.UID,
 	gvk schema.GroupVersionKind,
 	resource resource.Resource,
-	exceptions []kyvernov2beta1.PolicyException,
+	exceptions []kyvernov2.PolicyException,
 	bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding,
 	policies ...engineapi.GenericPolicy,
 ) error {
--- a/pkg/controllers/report/utils/utils.go
+++ b/pkg/controllers/report/utils/utils.go
@ -3,11 +3,11 @@ package utils
 import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
-	kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
+	kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
 	datautils "github.com/kyverno/kyverno/pkg/utils/data"
 	policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
 	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
@ -111,8 +111,8 @@ func FetchPolicies(polLister kyvernov1listers.PolicyLister, namespace string) ([
 	return policies, nil
 }
-func FetchPolicyExceptions(polexLister kyvernov2beta1listers.PolicyExceptionLister, namespace string) ([]kyvernov2beta1.PolicyException, error) {
+func FetchPolicyExceptions(polexLister kyvernov2listers.PolicyExceptionLister, namespace string) ([]kyvernov2.PolicyException, error) {
-	var exceptions []kyvernov2beta1.PolicyException
+	var exceptions []kyvernov2.PolicyException
 	if polexs, err := polexLister.PolicyExceptions(namespace).List(labels.Everything()); err != nil {
 		return nil, err
 	} else {
--- a/pkg/controllers/validatingadmissionpolicy-generate/controller.go
+++ b/pkg/controllers/validatingadmissionpolicy-generate/controller.go
@ -7,13 +7,13 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	"github.com/kyverno/kyverno/pkg/auth/checker"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
-	kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
+	kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
-	kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
+	kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/controllers"
 	"github.com/kyverno/kyverno/pkg/event"
@ -48,7 +48,7 @@ type controller struct {
 	// listers
 	cpolLister       kyvernov1listers.ClusterPolicyLister
-	polexLister      kyvernov2beta1listers.PolicyExceptionLister
+	polexLister      kyvernov2listers.PolicyExceptionLister
 	vapLister        admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
 	vapbindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister
@ -64,7 +64,7 @@ func NewController(
 	kyvernoClient versioned.Interface,
 	discoveryClient dclient.IDiscovery,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
-	polexInformer kyvernov2beta1informers.PolicyExceptionInformer,
+	polexInformer kyvernov2informers.PolicyExceptionInformer,
 	vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
 	vapbindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer,
 	eventGen event.Interface,
@ -148,12 +148,12 @@ func (c *controller) enqueuePolicy(obj kyvernov1.PolicyInterface) {
 	c.queue.Add(key)
 }
-func (c *controller) addException(obj *kyvernov2beta1.PolicyException) {
+func (c *controller) addException(obj *kyvernov2.PolicyException) {
 	logger.Info("policy exception created", "uid", obj.GetUID(), "kind", obj.GetKind(), "name", obj.GetName())
 	c.enqueueException(obj)
 }
-func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) {
+func (c *controller) updateException(old, obj *kyvernov2.PolicyException) {
 	if datautils.DeepEqual(old.Spec, obj.Spec) {
 		return
 	}
@ -161,14 +161,14 @@ func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) {
 	c.enqueueException(obj)
 }
-func (c *controller) deleteException(obj *kyvernov2beta1.PolicyException) {
+func (c *controller) deleteException(obj *kyvernov2.PolicyException) {
-	polex := kubeutils.GetObjectWithTombstone(obj).(*kyvernov2beta1.PolicyException)
+	polex := kubeutils.GetObjectWithTombstone(obj).(*kyvernov2.PolicyException)
 	logger.Info("policy exception deleted", "uid", polex.GetUID(), "kind", polex.GetKind(), "name", polex.GetName())
 	c.enqueueException(obj)
 }
-func (c *controller) enqueueException(obj *kyvernov2beta1.PolicyException) {
+func (c *controller) enqueueException(obj *kyvernov2.PolicyException) {
 	for _, exception := range obj.Spec.Exceptions {
 		// skip adding namespaced policies in the queue.
 		// skip adding policies with multiple rules in the queue.
--- a/pkg/engine/api/ruleresponse.go
+++ b/pkg/engine/api/ruleresponse.go
@ -3,7 +3,7 @@ package api
 import (
 	"fmt"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
 	"k8s.io/api/admissionregistration/v1alpha1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -44,7 +44,7 @@ type RuleResponse struct {
 	// podSecurityChecks contains pod security checks (only if this is a pod security rule)
 	podSecurityChecks *PodSecurityChecks
 	// exception is the exception applied (if any)
-	exception *kyvernov2beta1.PolicyException
+	exception *kyvernov2.PolicyException
 	// binding is the validatingadmissionpolicybinding (if any)
 	binding *v1alpha1.ValidatingAdmissionPolicyBinding
 	// emitWarning enable passing rule message as warning to api server warning header
@ -88,7 +88,7 @@ func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse {
 	return NewRuleResponse(name, ruleType, msg, RuleStatusFail)
 }
-func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse {
+func (r RuleResponse) WithException(exception *kyvernov2.PolicyException) *RuleResponse {
 	r.exception = exception
 	return &r
 }
@ -129,7 +129,7 @@ func (r *RuleResponse) Stats() ExecutionStats {
 	return r.stats
 }
-func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException {
+func (r *RuleResponse) Exception() *kyvernov2.PolicyException {
 	return r.exception
 }
--- a/pkg/engine/api/selector.go
+++ b/pkg/engine/api/selector.go
@ -1,12 +1,12 @@
 package api
 import (
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 )
 // PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions
 type PolicyExceptionSelector interface {
 	// Find returns policy exceptions matching a given policy name and rule name.
 	// Objects returned here must be treated as read-only.
-	Find(string, string) ([]*kyvernov2beta1.PolicyException, error)
+	Find(string, string) ([]*kyvernov2.PolicyException, error)
 }
--- a/pkg/engine/exceptions.go
+++ b/pkg/engine/exceptions.go
@ -2,7 +2,7 @@ package engine
 import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	"k8s.io/client-go/tools/cache"
 )
@ -10,7 +10,7 @@ import (
 func (e *engine) GetPolicyExceptions(
 	policy kyvernov1.PolicyInterface,
 	rule string,
-) ([]*kyvernov2beta1.PolicyException, error) {
+) ([]*kyvernov2.PolicyException, error) {
 	if e.exceptionSelector == nil {
 		return nil, nil
 	}
--- a/pkg/engine/handlers/handler.go
+++ b/pkg/engine/handlers/handler.go
@ -5,7 +5,7 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@ -18,7 +18,7 @@ type Handler interface {
 		unstructured.Unstructured,
 		kyvernov1.Rule,
 		engineapi.EngineContextLoader,
-		[]*kyvernov2beta1.PolicyException,
+		[]*kyvernov2.PolicyException,
 	) (unstructured.Unstructured, []engineapi.RuleResponse)
 }
--- a/pkg/engine/handlers/mutation/mutate_existing.go
+++ b/pkg/engine/handlers/mutation/mutate_existing.go
@ -5,7 +5,7 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/handlers"
 	"github.com/kyverno/kyverno/pkg/engine/internal"
@ -35,7 +35,7 @@ func (h mutateExistingHandler) Process(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	contextLoader engineapi.EngineContextLoader,
-	exceptions []*kyvernov2beta1.PolicyException,
+	exceptions []*kyvernov2.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
 	// check if there is a policy exception matches the incoming resource
 	exception := engineutils.MatchesException(exceptions, policyContext, logger)
--- a/pkg/engine/handlers/mutation/mutate_image.go
+++ b/pkg/engine/handlers/mutation/mutate_image.go
@ -6,7 +6,7 @@ import (
 	json_patch "github.com/evanphx/json-patch/v5"
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	"github.com/kyverno/kyverno/pkg/config"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
@ -66,7 +66,7 @@ func (h mutateImageHandler) Process(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	contextLoader engineapi.EngineContextLoader,
-	exceptions []*kyvernov2beta1.PolicyException,
+	exceptions []*kyvernov2.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
 	// check if there is a policy exception matches the incoming resource
 	exception := engineutils.MatchesException(exceptions, policyContext, logger)
--- a/pkg/engine/handlers/mutation/mutate_resource.go
+++ b/pkg/engine/handlers/mutation/mutate_resource.go
@ -5,7 +5,7 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/handlers"
 	"github.com/kyverno/kyverno/pkg/engine/mutate"
@ -28,7 +28,7 @@ func (h mutateResourceHandler) Process(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	contextLoader engineapi.EngineContextLoader,
-	exceptions []*kyvernov2beta1.PolicyException,
+	exceptions []*kyvernov2.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
 	// check if there is a policy exception matches the incoming resource
 	exception := engineutils.MatchesException(exceptions, policyContext, logger)
--- a/pkg/engine/handlers/validation/validate_cel.go
+++ b/pkg/engine/handlers/validation/validate_cel.go
@ -6,7 +6,7 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/handlers"
 	"github.com/kyverno/kyverno/pkg/engine/internal"
@ -45,7 +45,7 @@ func (h validateCELHandler) Process(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	_ engineapi.EngineContextLoader,
-	exceptions []*kyvernov2beta1.PolicyException,
+	exceptions []*kyvernov2.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
 	if engineutils.IsDeleteRequest(policyContext) {
 		logger.V(3).Info("skipping CEL validation on deleted resource")
--- a/pkg/engine/handlers/validation/validate_image.go
+++ b/pkg/engine/handlers/validation/validate_image.go
@ -7,7 +7,7 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	"github.com/kyverno/kyverno/pkg/config"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/handlers"
@ -45,7 +45,7 @@ func (h validateImageHandler) Process(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	_ engineapi.EngineContextLoader,
-	exceptions []*kyvernov2beta1.PolicyException,
+	exceptions []*kyvernov2.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
 	// check if there is a policy exception matches the incoming resource
 	exception := engineutils.MatchesException(exceptions, policyContext, logger)
--- a/pkg/engine/handlers/validation/validate_manifest.go
+++ b/pkg/engine/handlers/validation/validate_manifest.go
@ -15,7 +15,7 @@ import (
 	"github.com/ghodss/yaml"
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	"github.com/kyverno/kyverno/pkg/config"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/handlers"
@ -57,7 +57,7 @@ func (h validateManifestHandler) Process(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	_ engineapi.EngineContextLoader,
-	exceptions []*kyvernov2beta1.PolicyException,
+	exceptions []*kyvernov2.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
 	// check if there is a policy exception matches the incoming resource
 	exception := engineutils.MatchesException(exceptions, policyContext, logger)
--- a/pkg/engine/handlers/validation/validate_pss.go
+++ b/pkg/engine/handlers/validation/validate_pss.go
@ -9,7 +9,7 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/handlers"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
@ -37,7 +37,7 @@ func (h validatePssHandler) Process(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	_ engineapi.EngineContextLoader,
-	exceptions []*kyvernov2beta1.PolicyException,
+	exceptions []*kyvernov2.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
 	if engineutils.IsDeleteRequest(policyContext) {
 		logger.V(3).Info("skipping PSS validation on deleted resource")
--- a/pkg/engine/handlers/validation/validate_resource.go
+++ b/pkg/engine/handlers/validation/validate_resource.go
@ -9,7 +9,7 @@ import (
 	"github.com/go-logr/logr"
 	gojmespath "github.com/kyverno/go-jmespath"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/handlers"
 	"github.com/kyverno/kyverno/pkg/engine/internal"
@ -38,7 +38,7 @@ func (h validateResourceHandler) Process(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	contextLoader engineapi.EngineContextLoader,
-	exceptions []*kyvernov2beta1.PolicyException,
+	exceptions []*kyvernov2.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
 	// check if there is a policy exception matches the incoming resource
 	exception := engineutils.MatchesException(exceptions, policyContext, logger)
--- a/pkg/engine/utils/exceptions.go
+++ b/pkg/engine/utils/exceptions.go
@ -15,7 +15,7 @@ import (
 // MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource.
 // It returns the matched policy exception.
-func MatchesException(polexs []*kyvernov2beta1.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger) *kyvernov2beta1.PolicyException {
+func MatchesException(polexs []*kyvernov2.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger) *kyvernov2.PolicyException {
 	gvk, subresource := policyContext.ResourceKind()
 	resource := policyContext.NewResource()
 	if resource.Object == nil {
--- a/pkg/exceptions/selector.go
+++ b/pkg/exceptions/selector.go
@ -1,12 +1,12 @@
 package exceptions
 import (
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	"k8s.io/apimachinery/pkg/labels"
 )
 type Lister interface {
-	List(labels.Selector) ([]*kyvernov2beta1.PolicyException, error)
+	List(labels.Selector) ([]*kyvernov2.PolicyException, error)
 }
 type selector struct {
@ -19,12 +19,12 @@ func New(lister Lister) selector {
 	}
 }
-func (s selector) Find(policyName string, ruleName string) ([]*kyvernov2beta1.PolicyException, error) {
+func (s selector) Find(policyName string, ruleName string) ([]*kyvernov2.PolicyException, error) {
 	polexs, err := s.lister.List(labels.Everything())
 	if err != nil {
 		return nil, err
 	}
-	var results []*kyvernov2beta1.PolicyException
+	var results []*kyvernov2.PolicyException
 	for _, polex := range polexs {
 		if polex.Contains(policyName, ruleName) {
 			results = append(results, polex)
--- a/pkg/utils/admission/exception.go
+++ b/pkg/utils/admission/exception.go
@ -1,21 +1,21 @@
 package admission
 import (
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/util/json"
 )
-func UnmarshalPolicyException(raw []byte) (*kyvernov2beta1.PolicyException, error) {
+func UnmarshalPolicyException(raw []byte) (*kyvernov2.PolicyException, error) {
-	var exception *kyvernov2beta1.PolicyException
+	var exception *kyvernov2.PolicyException
 	if err := json.Unmarshal(raw, &exception); err != nil {
 		return nil, err
 	}
 	return exception, nil
 }
-func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2beta1.PolicyException, *kyvernov2beta1.PolicyException, error) {
+func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2.PolicyException, *kyvernov2.PolicyException, error) {
-	var empty *kyvernov2beta1.PolicyException
+	var empty *kyvernov2.PolicyException
 	exception, err := UnmarshalPolicyException(request.Object.Raw)
 	if err != nil {
 		return exception, empty, err
--- a/pkg/utils/admission/exception_test.go
+++ b/pkg/utils/admission/exception_test.go
@ -6,7 +6,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/json"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@ -56,7 +56,7 @@ func TestUnmarshalPolicyException(t *testing.T) {
 				if err != nil {
 					t.Errorf("Unexpected error: %v", err)
 				}
-				var exception *kyvernov2beta1.PolicyException
+				var exception *kyvernov2.PolicyException
 				json.Unmarshal(test.raw, &exception)
 				if !reflect.DeepEqual(result, exception) {
 					t.Errorf("Expected %+v, got %+v", exception, result)
@ -155,7 +155,7 @@ func TestGetPolicyExceptions(t *testing.T) {
 	for _, test := range testCases {
 		t.Run(test.name, func(t *testing.T) {
 			p1, p2, _ := GetPolicyExceptions(test.args.request)
-			var empty *kyvernov2beta1.PolicyException
+			var empty *kyvernov2.PolicyException
 			expectedP1, err := UnmarshalPolicyException(test.args.request.Object.Raw)
 			if err != nil {
 				expectedP2 := empty
--- a/pkg/utils/report/metadata.go
+++ b/pkg/utils/report/metadata.go
@ -9,7 +9,7 @@ import (
 	"github.com/kyverno/kyverno/api/kyverno"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
@ -85,7 +85,7 @@ func PolicyLabel(policy engineapi.GenericPolicy) string {
 	return PolicyLabelPrefix(policy) + policy.GetName()
 }
-func PolicyExceptionLabel(exception kyvernov2beta1.PolicyException) string {
+func PolicyExceptionLabel(exception kyvernov2.PolicyException) string {
 	return LabelPrefixPolicyException + exception.GetName()
 }
@ -164,7 +164,7 @@ func SetPolicyLabel(report reportsv1.ReportInterface, policy engineapi.GenericPo
 	controllerutils.SetLabel(report, PolicyLabel(policy), policy.GetResourceVersion())
 }
-func SetPolicyExceptionLabel(report reportsv1.ReportInterface, exception kyvernov2beta1.PolicyException) {
+func SetPolicyExceptionLabel(report reportsv1.ReportInterface, exception kyvernov2.PolicyException) {
 	controllerutils.SetLabel(report, PolicyExceptionLabel(exception), exception.GetResourceVersion())
 }
--- a/pkg/validation/exception/validate.go
+++ b/pkg/validation/exception/validate.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"github.com/go-logr/logr"
-	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 )
 const (
@ -18,7 +18,7 @@ type ValidationOptions struct {
 }
 // Validate checks policy exception is valid
-func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2beta1.PolicyException, opts ValidationOptions) ([]string, error) {
+func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyException, opts ValidationOptions) ([]string, error) {
 	var warnings []string
 	if !opts.Enabled {
 		warnings = append(warnings, disabledPolex)
--- a/pkg/webhooks/resource/fake.go
+++ b/pkg/webhooks/resource/fake.go
@ -40,7 +40,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) *resour
 	dclient := dclient.NewEmptyFakeClient()
 	configuration := config.NewDefaultConfiguration(false)
 	urLister := kyvernoInformers.Kyverno().V2().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
-	peLister := kyvernoInformers.Kyverno().V2beta1().PolicyExceptions().Lister()
+	peLister := kyvernoInformers.Kyverno().V2().PolicyExceptions().Lister()
 	jp := jmespath.New(configuration)
 	rclient := registryclient.NewOrDie()