diff --git a/api/policies.kyverno.io/v1alpha1/validating_spec_types.go b/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
index f1c6918dd6..231c3874c5 100644
--- a/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
+++ b/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
@@ -6,7 +6,79 @@ import ( // ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy. type ValidatingPolicySpec struct { - admissionregistrationv1.ValidatingAdmissionPolicySpec `json:",inline"` + // MatchConstraints specifies what resources this policy is designed to validate. + // The AdmissionPolicy cares about a request if it matches _all_ Constraints. + // However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API + // ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. + // Required. + MatchConstraints *admissionregistrationv1.MatchResources `json:"matchConstraints,omitempty"` + + // Validations contain CEL expressions which is used to apply the validation. + // Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is + // required. + // +listType=atomic + // +optional + Validations []admissionregistrationv1.Validation `json:"validations,omitempty"` + + // failurePolicy defines how to handle failures for the admission policy. Failures can + // occur from CEL expression parse errors, type check errors, runtime errors and invalid + // or mis-configured policy definitions or bindings. + // + // A policy is invalid if spec.paramKind refers to a non-existent Kind. + // A binding is invalid if spec.paramRef.name refers to a non-existent resource. + // + // failurePolicy does not define how validations that evaluate to false are handled. + // + // When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions + // define how failures are enforced. + // + // Allowed values are Ignore or Fail. Defaults to Fail. + // +optional + FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"` + + // auditAnnotations contains CEL expressions which are used to produce audit + // annotations for the audit event of the API request. 
+ // validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is + // required. + // +listType=atomic + // +optional + AuditAnnotations []admissionregistrationv1.AuditAnnotation `json:"auditAnnotations,omitempty"` + + // MatchConditions is a list of conditions that must be met for a request to be validated. + // Match conditions filter requests that have already been matched by the rules, + // namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + // There are a maximum of 64 match conditions allowed. + // + // If a parameter object is provided, it can be accessed via the `params` handle in the same + // manner as validation expressions. + // + // The exact matching logic is (in order): + // 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. + // 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. + // 3. If any matchCondition evaluates to an error (but none are FALSE): + // - If failurePolicy=Fail, reject the request + // - If failurePolicy=Ignore, the policy is skipped + // + // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +optional + MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name"` + + // Variables contain definitions of variables that can be used in composition of other expressions. + // Each variable is defined as a named CEL expression. + // The variables defined here will be available under `variables` in other expressions of the policy + // except MatchConditions because MatchConditions are evaluated before the rest of the policy. + // + // The expression of a variable can refer to other variables defined earlier in the list but not those after. + // Thus, Variables must be sorted by the order of first appearance and acyclic. 
+ // +patchMergeKey=name + // +patchStrategy=merge + // +listType=map + // +listMapKey=name + // +optional + Variables []admissionregistrationv1.Variable `json:"variables,omitempty" patchStrategy:"merge" patchMergeKey:"name"` // ValidationAction specifies the action to be taken when the matched resource violates the policy. // Required. diff --git a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go index 1890a456dc..37031d3eb3 100644 --- a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go +++ b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go 
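Review bot: MatchConstraints at the top of this hunk is documented "Required." yet is declared as a nil-able pointer with `json:"matchConstraints,omitempty"` and no required marker, so the CRD schema generated from it will presumably not reject a policy that omits it (the CRD hunks in this commit only show the paramKind removal, so this is inferred), while `matchResources = *vpol.Spec.MatchConstraints` in the pkg/admissionpolicy/builder.go hunk dereferences it unconditionally. Adding `// +kubebuilder:validation:Required` above the field, and a nil check before that dereference in the builder, would keep an object the API server accepted from panicking the controller. The comments copied from the upstream type still refer to spec.paramKind, spec.paramRef and the `params` handle (failurePolicy and matchConditions blocks) although this commit removes ParamKind from the spec, and the auditAnnotations comment carries upstream's "a least one of" typo; drop the paramKind/paramRef sentences and write `// validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is`. The struct's remaining fields continue past the end of the hunk.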
@@ -889,7 +889,38 @@ func (in *ValidatingPolicyList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) { *out = *in - in.ValidatingAdmissionPolicySpec.DeepCopyInto(&out.ValidatingAdmissionPolicySpec) + if in.MatchConstraints != nil { + in, out := &in.MatchConstraints, &out.MatchConstraints + *out = new(v1.MatchResources) + (*in).DeepCopyInto(*out) + } + if in.Validations != nil { + in, out := &in.Validations, &out.Validations + *out = make([]v1.Validation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.FailurePolicy != nil { + in, out := &in.FailurePolicy, &out.FailurePolicy + *out = new(v1.FailurePolicyType) + **out = **in + } + if in.AuditAnnotations != nil { + in, out := &in.AuditAnnotations, &out.AuditAnnotations + *out = make([]v1.AuditAnnotation, len(*in)) + copy(*out, *in) + } + if in.MatchConditions != nil { + in, out := &in.MatchConditions, &out.MatchConditions + *out = make([]v1.MatchCondition, len(*in)) + copy(*out, *in) + } + if in.Variables != nil { + in, out := &in.Variables, &out.Variables + *out = make([]v1.Variable, len(*in)) + copy(*out, *in) + } if in.ValidationAction != nil { in, out := &in.ValidationAction, &out.ValidationAction *out = make([]v1.ValidationAction, len(*in)) diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index 4050260e70..3ad7969bcf 100644 --- a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml 
@@ -530,26 +530,6 @@ spec: x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic - paramKind: - description: |- - ParamKind specifies the kind of resources used to parameterize this policy. - If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. - If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. - If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic validationActions: description: |- ValidationAction specifies the action to be taken when the matched resource violates the policy. diff --git a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml index dccdce2b07..572badb4d6 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml 
@@ -524,26 +524,6 @@ spec: x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic - paramKind: - description: |- - ParamKind specifies the kind of resources used to parameterize this policy. - If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. - If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. - If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic validationActions: description: |- ValidationAction specifies the action to be taken when the matched resource violates the policy. diff --git a/codecov.yml b/codecov.yml index 3c9724f162..94ad4c2a02 100644 --- a/codecov.yml +++ b/codecov.yml @@ -1,2 +1,2 @@ ignore: -- api/**/zz_*.go' +- api/**/zz_*.go diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index dccdce2b07..572badb4d6 100644 --- a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml +++ b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml 
@@ -524,26 +524,6 @@ spec: x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic - paramKind: - description: |- - ParamKind specifies the kind of resources used to parameterize this policy. - If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. - If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. - If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic validationActions: description: |- ValidationAction specifies the action to be taken when the matched resource violates the policy. diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 2bced0afe7..3374d52ae7 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -49072,26 +49072,6 @@ spec: x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic - paramKind: - description: |- - ParamKind specifies the kind of resources used to parameterize this policy. - If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. - If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. - If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null. - properties: - apiVersion: - description: |- - APIVersion is the API group version the resources belong to. - In format of "group/version". - Required. - type: string - kind: - description: |- - Kind is the API kind the resources belong to. - Required. - type: string - type: object - x-kubernetes-map-type: atomic validationActions: description: |- ValidationAction specifies the action to be taken when the matched resource violates the policy. diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index c0c86e4f89..80e6674aa4 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -10696,17 +10696,118 @@ ValidatingPolicySpec + + + + + + + + + + + + + + + + + + + + @@ -12362,17 +12463,118 @@ string + + + + + + + + + + + + + + + + + + + + diff --git a/pkg/admissionpolicy/builder.go b/pkg/admissionpolicy/builder.go index 3ad6222192..bd77d52001 100644 --- a/pkg/admissionpolicy/builder.go +++ b/pkg/admissionpolicy/builder.go @@ -97,7 +97,6 @@ func BuildValidatingAdmissionPolicy( } else if vpol := policy.AsValidatingPolicy(); vpol != nil { matchResources = *vpol.Spec.MatchConstraints matchConditions = vpol.Spec.MatchConditions - paramKind = vpol.Spec.ParamKind validations = vpol.Spec.Validations auditAnnotations = vpol.Spec.AuditAnnotations variables = vpol.Spec.Variables 
diff --git a/pkg/cel/policy/compiler_test.go b/pkg/cel/policy/compiler_test.go index b07b2e60f3..11a22c03ac 100644 --- a/pkg/cel/policy/compiler_test.go +++ b/pkg/cel/policy/compiler_test.go @@ -25,32 +25,30 @@ func Test_compiler_Compile(t *testing.T) { Name: "foo", }, Spec: policiesv1alpha1.ValidatingPolicySpec{ - ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{ - MatchConstraints: &admissionregistrationv1.MatchResources{ - ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ - { - RuleWithOperations: admissionregistrationv1.RuleWithOperations{ - Operations: []admissionregistrationv1.OperationType{ - admissionregistrationv1.Create, - admissionregistrationv1.Update, - }, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{""}, - APIVersions: []string{"v1"}, - Resources: []string{"pods"}, - }, + MatchConstraints: &admissionregistrationv1.MatchResources{ + ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ + { + RuleWithOperations: admissionregistrationv1.RuleWithOperations{ + Operations: []admissionregistrationv1.OperationType{ + admissionregistrationv1.Create, + admissionregistrationv1.Update, + }, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"pods"}, }, }, }, }, - Variables: []admissionregistrationv1.Variable{{ - Name: "environment", - Expression: "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'", - }}, - Validations: []admissionregistrationv1.Validation{{ - Expression: "variables.environment == true", - }}, }, + Variables: []admissionregistrationv1.Variable{{ + Name: "environment", + Expression: "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'", + }}, + Validations: []admissionregistrationv1.Validation{{ + Expression: "variables.environment == true", + }}, }, }, }, { 
@@ -64,32 +62,30 @@ func Test_compiler_Compile(t *testing.T) { Name: "foo", }, Spec: policiesv1alpha1.ValidatingPolicySpec{ - ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{ - MatchConstraints: &admissionregistrationv1.MatchResources{ - ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ - { - RuleWithOperations: admissionregistrationv1.RuleWithOperations{ - Operations: []admissionregistrationv1.OperationType{ - admissionregistrationv1.Create, - admissionregistrationv1.Update, - }, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{""}, - APIVersions: []string{"v1"}, - Resources: []string{"pods"}, - }, + MatchConstraints: &admissionregistrationv1.MatchResources{ + ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ + { + RuleWithOperations: admissionregistrationv1.RuleWithOperations{ + Operations: []admissionregistrationv1.OperationType{ + admissionregistrationv1.Create, + admissionregistrationv1.Update, + }, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"pods"}, }, }, }, }, - Variables: []admissionregistrationv1.Variable{{ - Name: "cm", - Expression: "context.GetConfigMap('foo', 'bar')", - }}, - Validations: []admissionregistrationv1.Validation{{ - Expression: "variables.cm != null", - }}, }, + Variables: []admissionregistrationv1.Variable{{ + Name: "cm", + Expression: "context.GetConfigMap('foo', 'bar')", + }}, + Validations: []admissionregistrationv1.Validation{{ + Expression: "variables.cm != null", + }}, }, }, }} diff --git a/pkg/controllers/webhook/validatingpolicy_test.go b/pkg/controllers/webhook/validatingpolicy_test.go index f3c533850e..c63880ffbf 100644 --- a/pkg/controllers/webhook/validatingpolicy_test.go +++ b/pkg/controllers/webhook/validatingpolicy_test.go 
@@ -22,19 +22,17 @@ func TestBuildWebhookRules(t *testing.T) { vpols: []*policiesv1alpha1.ValidatingPolicy{ { Spec: policiesv1alpha1.ValidatingPolicySpec{ - ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{ - FailurePolicy: ptr.To(admissionregistrationv1.Ignore), - MatchConstraints: &admissionregistrationv1.MatchResources{ - ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ - { - RuleWithOperations: admissionregistrationv1.RuleWithOperations{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{"*"}, - Scope: ptr.To(admissionregistrationv1.ScopeType("*")), - }, + FailurePolicy: ptr.To(admissionregistrationv1.Ignore), + MatchConstraints: &admissionregistrationv1.MatchResources{ + ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ + { + RuleWithOperations: admissionregistrationv1.RuleWithOperations{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{"*"}, + Scope: ptr.To(admissionregistrationv1.ScopeType("*")), }, }, }, 
@@ -66,19 +64,17 @@ func TestBuildWebhookRules(t *testing.T) { vpols: []*policiesv1alpha1.ValidatingPolicy{ { Spec: policiesv1alpha1.ValidatingPolicySpec{ - ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{ - FailurePolicy: ptr.To(admissionregistrationv1.Fail), - MatchConstraints: &admissionregistrationv1.MatchResources{ - ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ - { - RuleWithOperations: admissionregistrationv1.RuleWithOperations{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{"*"}, - Scope: ptr.To(admissionregistrationv1.ScopeType("*")), - }, + FailurePolicy: ptr.To(admissionregistrationv1.Fail), + MatchConstraints: &admissionregistrationv1.MatchResources{ + ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ + { + RuleWithOperations: admissionregistrationv1.RuleWithOperations{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{"*"}, + Scope: ptr.To(admissionregistrationv1.ScopeType("*")), }, }, }, 
@@ -116,20 +112,18 @@ func TestBuildWebhookRules(t *testing.T) { WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{ TimeoutSeconds: ptr.To(int32(30)), }, - ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{ - FailurePolicy: ptr.To(admissionregistrationv1.Ignore), - MatchConstraints: &admissionregistrationv1.MatchResources{ - MatchPolicy: ptr.To(admissionregistrationv1.Exact), - ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ - { - RuleWithOperations: admissionregistrationv1.RuleWithOperations{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{"*"}, - Scope: ptr.To(admissionregistrationv1.ScopeType("*")), - }, + FailurePolicy: ptr.To(admissionregistrationv1.Ignore), + MatchConstraints: &admissionregistrationv1.MatchResources{ + MatchPolicy: ptr.To(admissionregistrationv1.Exact), + ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ + { + RuleWithOperations: admissionregistrationv1.RuleWithOperations{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{"*"}, + Scope: ptr.To(admissionregistrationv1.ScopeType("*")), }, }, }, 
@@ -170,29 +164,27 @@ func TestBuildWebhookRules(t *testing.T) { WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{ TimeoutSeconds: ptr.To(int32(20)), }, - ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{ - FailurePolicy: ptr.To(admissionregistrationv1.Fail), - MatchConstraints: &admissionregistrationv1.MatchResources{ - MatchPolicy: ptr.To(admissionregistrationv1.Exact), - ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ - { - RuleWithOperations: admissionregistrationv1.RuleWithOperations{ - Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"*"}, - APIVersions: []string{"*"}, - Resources: []string{"*"}, - Scope: ptr.To(admissionregistrationv1.ScopeType("*")), - }, + FailurePolicy: ptr.To(admissionregistrationv1.Fail), + MatchConstraints: &admissionregistrationv1.MatchResources{ + MatchPolicy: ptr.To(admissionregistrationv1.Exact), + ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{ + { + RuleWithOperations: admissionregistrationv1.RuleWithOperations{ + Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create}, + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{"*"}, + Scope: ptr.To(admissionregistrationv1.ScopeType("*")), }, }, }, }, - MatchConditions: []admissionregistrationv1.MatchCondition{ - { - Name: "exclude-leases", - Expression: "!(request.resource.group == 'coordination.k8s.io' && request.resource.resource == 'leases')", - }, + }, + MatchConditions: []admissionregistrationv1.MatchCondition{ + { + Name: "exclude-leases", + Expression: "!(request.resource.group == 'coordination.k8s.io' && request.resource.resource == 'leases')", }, }, },
-ValidatingAdmissionPolicySpec
+matchConstraints
- -Kubernetes admissionregistration/v1.ValidatingAdmissionPolicySpec + +Kubernetes admissionregistration/v1.MatchResources
-

-(Members of ValidatingAdmissionPolicySpec are embedded into this type.) -

+

MatchConstraints specifies what resources this policy is designed to validate. +The AdmissionPolicy cares about a request if it matches all Constraints. +However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API +ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. +Required.

+
+validations
+ + +[]Kubernetes admissionregistration/v1.Validation + + +
+(Optional) +

Validations contain CEL expressions which is used to apply the validation. +Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is +required.

+
+failurePolicy
+ + +Kubernetes admissionregistration/v1.FailurePolicyType + + +
+(Optional) +

failurePolicy defines how to handle failures for the admission policy. Failures can +occur from CEL expression parse errors, type check errors, runtime errors and invalid +or mis-configured policy definitions or bindings.

+

A policy is invalid if spec.paramKind refers to a non-existent Kind. +A binding is invalid if spec.paramRef.name refers to a non-existent resource.

+

failurePolicy does not define how validations that evaluate to false are handled.

+

When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions +define how failures are enforced.

+

Allowed values are Ignore or Fail. Defaults to Fail.

+
+auditAnnotations
+ + +[]Kubernetes admissionregistration/v1.AuditAnnotation + + +
+(Optional) +

auditAnnotations contains CEL expressions which are used to produce audit +annotations for the audit event of the API request. +validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is +required.

+
+matchConditions
+ + +[]Kubernetes admissionregistration/v1.MatchCondition + + +
+(Optional) +

MatchConditions is a list of conditions that must be met for a request to be validated. +Match conditions filter requests that have already been matched by the rules, +namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. +There are a maximum of 64 match conditions allowed.

+

If a parameter object is provided, it can be accessed via the params handle in the same +manner as validation expressions.

+

The exact matching logic is (in order): +1. If ANY matchCondition evaluates to FALSE, the policy is skipped. +2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. +3. If any matchCondition evaluates to an error (but none are FALSE): +- If failurePolicy=Fail, reject the request +- If failurePolicy=Ignore, the policy is skipped

+
+variables
+ + +[]Kubernetes admissionregistration/v1.Variable + + +
+(Optional) +

Variables contain definitions of variables that can be used in composition of other expressions. +Each variable is defined as a named CEL expression. +The variables defined here will be available under variables in other expressions of the policy +except MatchConditions because MatchConditions are evaluated before the rest of the policy.

+

The expression of a variable can refer to other variables defined earlier in the list but not those after. +Thus, Variables must be sorted by the order of first appearance and acyclic.

-ValidatingAdmissionPolicySpec
+matchConstraints
- -Kubernetes admissionregistration/v1.ValidatingAdmissionPolicySpec + +Kubernetes admissionregistration/v1.MatchResources
-

-(Members of ValidatingAdmissionPolicySpec are embedded into this type.) -

+

MatchConstraints specifies what resources this policy is designed to validate. +The AdmissionPolicy cares about a request if it matches all Constraints. +However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API +ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. +Required.

+
+validations
+ + +[]Kubernetes admissionregistration/v1.Validation + + +
+(Optional) +

Validations contain CEL expressions which is used to apply the validation. +Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is +required.

+
+failurePolicy
+ + +Kubernetes admissionregistration/v1.FailurePolicyType + + +
+(Optional) +

failurePolicy defines how to handle failures for the admission policy. Failures can +occur from CEL expression parse errors, type check errors, runtime errors and invalid +or mis-configured policy definitions or bindings.

+

A policy is invalid if spec.paramKind refers to a non-existent Kind. +A binding is invalid if spec.paramRef.name refers to a non-existent resource.

+

failurePolicy does not define how validations that evaluate to false are handled.

+

When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions +define how failures are enforced.

+

Allowed values are Ignore or Fail. Defaults to Fail.

+
+auditAnnotations
+ + +[]Kubernetes admissionregistration/v1.AuditAnnotation + + +
+(Optional) +

auditAnnotations contains CEL expressions which are used to produce audit +annotations for the audit event of the API request. +validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is +required.

+
+matchConditions
+ + +[]Kubernetes admissionregistration/v1.MatchCondition + + +
+(Optional) +

MatchConditions is a list of conditions that must be met for a request to be validated. +Match conditions filter requests that have already been matched by the rules, +namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. +There are a maximum of 64 match conditions allowed.

+

If a parameter object is provided, it can be accessed via the params handle in the same +manner as validation expressions.

+

The exact matching logic is (in order): +1. If ANY matchCondition evaluates to FALSE, the policy is skipped. +2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. +3. If any matchCondition evaluates to an error (but none are FALSE): +- If failurePolicy=Fail, reject the request +- If failurePolicy=Ignore, the policy is skipped

+
+variables
+ + +[]Kubernetes admissionregistration/v1.Variable + + +
+(Optional) +

Variables contain definitions of variables that can be used in composition of other expressions. +Each variable is defined as a named CEL expression. +The variables defined here will be available under variables in other expressions of the policy +except MatchConditions because MatchConditions are evaluated before the rest of the policy.

+

The expression of a variable can refer to other variables defined earlier in the list but not those after. +Thus, Variables must be sorted by the order of first appearance and acyclic.