feat: stop reusing admissionregistrationv1.ValidatingAdmissionPolicySpec (#12246)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

api/policies.kyverno.io/v1alpha1/validating_spec_types.go

@@ -6,7 +6,79 @@ import (
 
 // ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.
 type ValidatingPolicySpec struct {
-	admissionregistrationv1.ValidatingAdmissionPolicySpec `json:",inline"`
+	// MatchConstraints specifies what resources this policy is designed to validate.
+	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+	// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+	// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+	// Required.
+	MatchConstraints *admissionregistrationv1.MatchResources `json:"matchConstraints,omitempty"`
+
+	// Validations contain CEL expressions which is used to apply the validation.
+	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+	// required.
+	// +listType=atomic
+	// +optional
+	Validations []admissionregistrationv1.Validation `json:"validations,omitempty"`
+
+	// failurePolicy defines how to handle failures for the admission policy. Failures can
+	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
+	// or mis-configured policy definitions or bindings.
+	//
+	// A policy is invalid if spec.paramKind refers to a non-existent Kind.
+	// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+	//
+	// failurePolicy does not define how validations that evaluate to false are handled.
+	//
+	// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+	// define how failures are enforced.
+	//
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	// +optional
+	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+
+	// auditAnnotations contains CEL expressions which are used to produce audit
+	// annotations for the audit event of the API request.
+	// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+	// required.
+	// +listType=atomic
+	// +optional
+	AuditAnnotations []admissionregistrationv1.AuditAnnotation `json:"auditAnnotations,omitempty"`
+
+	// MatchConditions is a list of conditions that must be met for a request to be validated.
+	// Match conditions filter requests that have already been matched by the rules,
+	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// If a parameter object is provided, it can be accessed via the `params` handle in the same
+	// manner as validation expressions.
+	//
+	// The exact matching logic is (in order):
+	//   1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+	//   2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+	//   3. If any matchCondition evaluates to an error (but none are FALSE):
+	//      - If failurePolicy=Fail, reject the request
+	//      - If failurePolicy=Ignore, the policy is skipped
+	//
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
+
+	// Variables contain definitions of variables that can be used in composition of other expressions.
+	// Each variable is defined as a named CEL expression.
+	// The variables defined here will be available under `variables` in other expressions of the policy
+	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+	//
+	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
+	// Thus, Variables must be sorted by the order of first appearance and acyclic.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=name
+	// +optional
+	Variables []admissionregistrationv1.Variable `json:"variables,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
 
 	// ValidationAction specifies the action to be taken when the matched resource violates the policy.
 	// Required.

api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go

@@ -889,7 +889,38 @@ func (in *ValidatingPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
 	*out = *in
-	in.ValidatingAdmissionPolicySpec.DeepCopyInto(&out.ValidatingAdmissionPolicySpec)
+	if in.MatchConstraints != nil {
+		in, out := &in.MatchConstraints, &out.MatchConstraints
+		*out = new(v1.MatchResources)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Validations != nil {
+		in, out := &in.Validations, &out.Validations
+		*out = make([]v1.Validation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FailurePolicy != nil {
+		in, out := &in.FailurePolicy, &out.FailurePolicy
+		*out = new(v1.FailurePolicyType)
+		**out = **in
+	}
+	if in.AuditAnnotations != nil {
+		in, out := &in.AuditAnnotations, &out.AuditAnnotations
+		*out = make([]v1.AuditAnnotation, len(*in))
+		copy(*out, *in)
+	}
+	if in.MatchConditions != nil {
+		in, out := &in.MatchConditions, &out.MatchConditions
+		*out = make([]v1.MatchCondition, len(*in))
+		copy(*out, *in)
+	}
+	if in.Variables != nil {
+		in, out := &in.Variables, &out.Variables
+		*out = make([]v1.Variable, len(*in))
+		copy(*out, *in)
+	}
 	if in.ValidationAction != nil {
 		in, out := &in.ValidationAction, &out.ValidationAction
 		*out = make([]v1.ValidationAction, len(*in))

charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml

@@ -530,26 +530,6 @@ spec:
                     x-kubernetes-list-type: atomic
                 type: object
                 x-kubernetes-map-type: atomic
-              paramKind:
-                description: |-
-                  ParamKind specifies the kind of resources used to parameterize this policy.
-                  If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
-                  If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
-                  If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
-                properties:
-                  apiVersion:
-                    description: |-
-                      APIVersion is the API group version the resources belong to.
-                      In format of "group/version".
-                      Required.
-                    type: string
-                  kind:
-                    description: |-
-                      Kind is the API kind the resources belong to.
-                      Required.
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               validationActions:
                 description: |-
                   ValidationAction specifies the action to be taken when the matched resource violates the policy.

cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml

@@ -524,26 +524,6 @@ spec:
                     x-kubernetes-list-type: atomic
                 type: object
                 x-kubernetes-map-type: atomic
-              paramKind:
-                description: |-
-                  ParamKind specifies the kind of resources used to parameterize this policy.
-                  If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
-                  If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
-                  If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
-                properties:
-                  apiVersion:
-                    description: |-
-                      APIVersion is the API group version the resources belong to.
-                      In format of "group/version".
-                      Required.
-                    type: string
-                  kind:
-                    description: |-
-                      Kind is the API kind the resources belong to.
-                      Required.
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               validationActions:
                 description: |-
                   ValidationAction specifies the action to be taken when the matched resource violates the policy.

codecov.yml

@@ -1,2 +1,2 @@
 ignore:
-- api/**/zz_*.go'
+- api/**/zz_*.go

config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml

@@ -524,26 +524,6 @@ spec:
                     x-kubernetes-list-type: atomic
                 type: object
                 x-kubernetes-map-type: atomic
-              paramKind:
-                description: |-
-                  ParamKind specifies the kind of resources used to parameterize this policy.
-                  If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
-                  If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
-                  If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
-                properties:
-                  apiVersion:
-                    description: |-
-                      APIVersion is the API group version the resources belong to.
-                      In format of "group/version".
-                      Required.
-                    type: string
-                  kind:
-                    description: |-
-                      Kind is the API kind the resources belong to.
-                      Required.
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               validationActions:
                 description: |-
                   ValidationAction specifies the action to be taken when the matched resource violates the policy.

config/install-latest-testing.yaml

@@ -49072,26 +49072,6 @@ spec:
                     x-kubernetes-list-type: atomic
                 type: object
                 x-kubernetes-map-type: atomic
-              paramKind:
-                description: |-
-                  ParamKind specifies the kind of resources used to parameterize this policy.
-                  If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
-                  If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
-                  If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
-                properties:
-                  apiVersion:
-                    description: |-
-                      APIVersion is the API group version the resources belong to.
-                      In format of "group/version".
-                      Required.
-                    type: string
-                  kind:
-                    description: |-
-                      Kind is the API kind the resources belong to.
-                      Required.
-                    type: string
-                type: object
-                x-kubernetes-map-type: atomic
               validationActions:
                 description: |-
                   ValidationAction specifies the action to be taken when the matched resource violates the policy.

docs/user/crd/index.html

@@ -10696,17 +10696,118 @@ ValidatingPolicySpec
 <table class="table table-striped">
 <tr>
 <td>
-<code>ValidatingAdmissionPolicySpec</code><br/>
+<code>matchConstraints</code><br/>
 <em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validatingadmissionpolicyspec-v1-admissionregistration">
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchresources-v1-admissionregistration">
-Kubernetes admissionregistration/v1.ValidatingAdmissionPolicySpec
+Kubernetes admissionregistration/v1.MatchResources
 </a>
 </em>
 </td>
 <td>
-<p>
+<p>MatchConstraints specifies what resources this policy is designed to validate.
-(Members of <code>ValidatingAdmissionPolicySpec</code> are embedded into this type.)
+The AdmissionPolicy cares about a request if it matches <em>all</em> Constraints.
-</p>
+However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+Required.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>validations</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.Validation
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Validations contain CEL expressions which is used to apply the validation.
+Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+required.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>failurePolicy</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#failurepolicytype-v1-admissionregistration">
+Kubernetes admissionregistration/v1.FailurePolicyType
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>failurePolicy defines how to handle failures for the admission policy. Failures can
+occur from CEL expression parse errors, type check errors, runtime errors and invalid
+or mis-configured policy definitions or bindings.</p>
+<p>A policy is invalid if spec.paramKind refers to a non-existent Kind.
+A binding is invalid if spec.paramRef.name refers to a non-existent resource.</p>
+<p>failurePolicy does not define how validations that evaluate to false are handled.</p>
+<p>When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+define how failures are enforced.</p>
+<p>Allowed values are Ignore or Fail. Defaults to Fail.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>auditAnnotations</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.AuditAnnotation
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>auditAnnotations contains CEL expressions which are used to produce audit
+annotations for the audit event of the API request.
+validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+required.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>matchConditions</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.MatchCondition
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>MatchConditions is a list of conditions that must be met for a request to be validated.
+Match conditions filter requests that have already been matched by the rules,
+namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+There are a maximum of 64 match conditions allowed.</p>
+<p>If a parameter object is provided, it can be accessed via the <code>params</code> handle in the same
+manner as validation expressions.</p>
+<p>The exact matching logic is (in order):
+1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+3. If any matchCondition evaluates to an error (but none are FALSE):
+- If failurePolicy=Fail, reject the request
+- If failurePolicy=Ignore, the policy is skipped</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>variables</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.Variable
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Variables contain definitions of variables that can be used in composition of other expressions.
+Each variable is defined as a named CEL expression.
+The variables defined here will be available under <code>variables</code> in other expressions of the policy
+except MatchConditions because MatchConditions are evaluated before the rest of the policy.</p>
+<p>The expression of a variable can refer to other variables defined earlier in the list but not those after.
+Thus, Variables must be sorted by the order of first appearance and acyclic.</p>
 </td>
 </tr>
 <tr>
@@ -12362,17 +12463,118 @@ string
 <tbody>
 <tr>
 <td>
-<code>ValidatingAdmissionPolicySpec</code><br/>
+<code>matchConstraints</code><br/>
 <em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validatingadmissionpolicyspec-v1-admissionregistration">
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchresources-v1-admissionregistration">
-Kubernetes admissionregistration/v1.ValidatingAdmissionPolicySpec
+Kubernetes admissionregistration/v1.MatchResources
 </a>
 </em>
 </td>
 <td>
-<p>
+<p>MatchConstraints specifies what resources this policy is designed to validate.
-(Members of <code>ValidatingAdmissionPolicySpec</code> are embedded into this type.)
+The AdmissionPolicy cares about a request if it matches <em>all</em> Constraints.
-</p>
+However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+Required.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>validations</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.Validation
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Validations contain CEL expressions which is used to apply the validation.
+Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+required.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>failurePolicy</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#failurepolicytype-v1-admissionregistration">
+Kubernetes admissionregistration/v1.FailurePolicyType
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>failurePolicy defines how to handle failures for the admission policy. Failures can
+occur from CEL expression parse errors, type check errors, runtime errors and invalid
+or mis-configured policy definitions or bindings.</p>
+<p>A policy is invalid if spec.paramKind refers to a non-existent Kind.
+A binding is invalid if spec.paramRef.name refers to a non-existent resource.</p>
+<p>failurePolicy does not define how validations that evaluate to false are handled.</p>
+<p>When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+define how failures are enforced.</p>
+<p>Allowed values are Ignore or Fail. Defaults to Fail.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>auditAnnotations</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.AuditAnnotation
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>auditAnnotations contains CEL expressions which are used to produce audit
+annotations for the audit event of the API request.
+validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+required.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>matchConditions</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.MatchCondition
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>MatchConditions is a list of conditions that must be met for a request to be validated.
+Match conditions filter requests that have already been matched by the rules,
+namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+There are a maximum of 64 match conditions allowed.</p>
+<p>If a parameter object is provided, it can be accessed via the <code>params</code> handle in the same
+manner as validation expressions.</p>
+<p>The exact matching logic is (in order):
+1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+3. If any matchCondition evaluates to an error (but none are FALSE):
+- If failurePolicy=Fail, reject the request
+- If failurePolicy=Ignore, the policy is skipped</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>variables</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1-admissionregistration">
+[]Kubernetes admissionregistration/v1.Variable
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Variables contain definitions of variables that can be used in composition of other expressions.
+Each variable is defined as a named CEL expression.
+The variables defined here will be available under <code>variables</code> in other expressions of the policy
+except MatchConditions because MatchConditions are evaluated before the rest of the policy.</p>
+<p>The expression of a variable can refer to other variables defined earlier in the list but not those after.
+Thus, Variables must be sorted by the order of first appearance and acyclic.</p>
 </td>
 </tr>
 <tr>

pkg/admissionpolicy/builder.go

@@ -97,7 +97,6 @@ func BuildValidatingAdmissionPolicy(
 	} else if vpol := policy.AsValidatingPolicy(); vpol != nil {
 		matchResources = *vpol.Spec.MatchConstraints
 		matchConditions = vpol.Spec.MatchConditions
-		paramKind = vpol.Spec.ParamKind
 		validations = vpol.Spec.Validations
 		auditAnnotations = vpol.Spec.AuditAnnotations
 		variables = vpol.Spec.Variables

pkg/cel/policy/compiler_test.go

@@ -25,7 +25,6 @@ func Test_compiler_Compile(t *testing.T) {
 				Name: "foo",
 			},
 			Spec: policiesv1alpha1.ValidatingPolicySpec{
-				ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 				MatchConstraints: &admissionregistrationv1.MatchResources{
 					ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
 						{
@@ -52,7 +51,6 @@ func Test_compiler_Compile(t *testing.T) {
 				}},
 			},
 		},
-		},
 	}, {
 		name: "with configmap",
 		policy: &policiesv1alpha1.ValidatingPolicy{
@@ -64,7 +62,6 @@ func Test_compiler_Compile(t *testing.T) {
 				Name: "foo",
 			},
 			Spec: policiesv1alpha1.ValidatingPolicySpec{
-				ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 				MatchConstraints: &admissionregistrationv1.MatchResources{
 					ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
 						{
@@ -91,7 +88,6 @@ func Test_compiler_Compile(t *testing.T) {
 				}},
 			},
 		},
-		},
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/controllers/webhook/validatingpolicy_test.go

@@ -22,7 +22,6 @@ func TestBuildWebhookRules(t *testing.T) {
 			vpols: []*policiesv1alpha1.ValidatingPolicy{
 				{
 					Spec: policiesv1alpha1.ValidatingPolicySpec{
-						ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 						FailurePolicy: ptr.To(admissionregistrationv1.Ignore),
 						MatchConstraints: &admissionregistrationv1.MatchResources{
 							ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
@@ -42,7 +41,6 @@ func TestBuildWebhookRules(t *testing.T) {
 					},
 				},
 			},
-			},
 			expectedWebhooks: []admissionregistrationv1.ValidatingWebhook{
 				{
 					Name: config.ValidatingPolicyWebhookName + "-ignore",
@@ -66,7 +64,6 @@ func TestBuildWebhookRules(t *testing.T) {
 			vpols: []*policiesv1alpha1.ValidatingPolicy{
 				{
 					Spec: policiesv1alpha1.ValidatingPolicySpec{
-						ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 						FailurePolicy: ptr.To(admissionregistrationv1.Fail),
 						MatchConstraints: &admissionregistrationv1.MatchResources{
 							ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
@@ -86,7 +83,6 @@ func TestBuildWebhookRules(t *testing.T) {
 					},
 				},
 			},
-			},
 			expectedWebhooks: []admissionregistrationv1.ValidatingWebhook{
 				{
 					Name: config.ValidatingPolicyWebhookName + "-fail",
@@ -116,7 +112,6 @@ func TestBuildWebhookRules(t *testing.T) {
 						WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
 							TimeoutSeconds: ptr.To(int32(30)),
 						},
-						ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 						FailurePolicy: ptr.To(admissionregistrationv1.Ignore),
 						MatchConstraints: &admissionregistrationv1.MatchResources{
 							MatchPolicy: ptr.To(admissionregistrationv1.Exact),
@@ -137,7 +132,6 @@ func TestBuildWebhookRules(t *testing.T) {
 					},
 				},
 			},
-			},
 			expectedWebhooks: []admissionregistrationv1.ValidatingWebhook{
 				{
 					Name:         config.ValidatingPolicyWebhookName + "-ignore-finegrained-test-fine-grained-ignore",
@@ -170,7 +164,6 @@ func TestBuildWebhookRules(t *testing.T) {
 						WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
 							TimeoutSeconds: ptr.To(int32(20)),
 						},
-						ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
 						FailurePolicy: ptr.To(admissionregistrationv1.Fail),
 						MatchConstraints: &admissionregistrationv1.MatchResources{
 							MatchPolicy: ptr.To(admissionregistrationv1.Exact),
@@ -197,7 +190,6 @@ func TestBuildWebhookRules(t *testing.T) {
 					},
 				},
 			},
-			},
 			expectedWebhooks: []admissionregistrationv1.ValidatingWebhook{
 				{
 					Name:         config.ValidatingPolicyWebhookName + "-fail-finegrained-test-fine-grained-fail",