refactor: support Audit and Enforce validation failure actions (#5152)

* feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-11-01 09:56:52 +00:00 · 2022-11-01 09:56:52 +00:00 · d2658a1bc8
commit d2658a1bc8
parent 9e89aa341b
20 changed files with 125 additions and 109 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,7 @@
 ### Note
 - Flag `autogenInternals` was removed, policy mutation has been removed.
 - Support upper case `Audit` and `Enforce` in `.spec.validationFailureAction` of the Kyverno policy, failure actions `audit` and `enforce` are deprecated and will be removed in `v1.11.0`.
 ## v1.8.1-rc3
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@ -13,12 +13,21 @@ type ValidationFailureAction string
 // Policy Reporting Modes
 const (
-	// Enforce blocks the request on failure
+	// enforceOld blocks the request on failure
-	Enforce ValidationFailureAction = "enforce"
+	// DEPRECATED: use enforce instead
-	// Audit indicates not to block the request on failure, but report failures as policy violations
+	enforceOld ValidationFailureAction = "enforce"
-	Audit ValidationFailureAction = "audit"
+	// enforce blocks the request on failure
 	enforce ValidationFailureAction = "Enforce"
 )
 func (a ValidationFailureAction) Enforce() bool {
 	return a == enforce || a == enforceOld
 }
 func (a ValidationFailureAction) Audit() bool {
 	return !a.Enforce()
 }
 type ValidationFailureActionOverride struct {
 	// +kubebuilder:validation:Enum=audit;enforce
 	Action     ValidationFailureAction `json:"action,omitempty" yaml:"action,omitempty"`
@ -50,7 +59,7 @@ type Spec struct {
 	// and report an error in a policy report. Optional.
 	// Allowed values are audit or enforce. The default value is "audit".
 	// +optional
-	// +kubebuilder:validation:Enum=audit;enforce
+	// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
 	// +kubebuilder:default=audit
 	ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
@ -207,15 +216,6 @@ func (s *Spec) GetFailurePolicy() FailurePolicyType {
 	return *s.FailurePolicy
 }
 // GetValidationFailureAction returns the validation failure action to be applied
 func (s *Spec) GetValidationFailureAction() ValidationFailureAction {
 	if s.ValidationFailureAction == "" {
 		return Audit
 	}
 	return s.ValidationFailureAction
 }
 // GetFailurePolicy returns the failure policy to be applied
 func (s *Spec) GetApplyRules() ApplyRulesType {
 	if s.ApplyRules == nil {
--- a/api/kyverno/v2beta1/spec_types.go
+++ b/api/kyverno/v2beta1/spec_types.go
@ -32,7 +32,7 @@ type Spec struct {
 	// and report an error in a policy report. Optional.
 	// Allowed values are audit or enforce. The default value is "audit".
 	// +optional
-	// +kubebuilder:validation:Enum=audit;enforce
+	// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
 	// +kubebuilder:default=audit
 	ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
@ -187,15 +187,6 @@ func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType {
 	return *s.FailurePolicy
 }
 // GetValidationFailureAction returns the validation failure action to be applied
 func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction {
 	if s.ValidationFailureAction == "" {
 		return kyvernov1.Audit
 	}
 	return s.ValidationFailureAction
 }
 // GetFailurePolicy returns the failure policy to be applied
 func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType {
 	if s.ApplyRules == nil {
--- a/charts/kyverno/templates/crds.yaml
+++ b/charts/kyverno/templates/crds.yaml
@ -2832,6 +2832,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
@ -6352,6 +6354,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
@ -10496,6 +10500,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
@ -14016,6 +14022,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
--- a/config/crds/kyverno.io_clusterpolicies.yaml
+++ b/config/crds/kyverno.io_clusterpolicies.yaml
@ -2892,6 +2892,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
@ -8511,6 +8513,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
--- a/config/crds/kyverno.io_policies.yaml
+++ b/config/crds/kyverno.io_policies.yaml
@ -2893,6 +2893,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
@ -8514,6 +8516,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
--- a/config/install.yaml
+++ b/config/install.yaml
@ -4214,6 +4214,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
@ -9833,6 +9835,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
@ -16309,6 +16313,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
@ -21930,6 +21936,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
@ -4208,6 +4208,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
@ -9827,6 +9829,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
@ -16300,6 +16304,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
@ -21921,6 +21927,8 @@ spec:
                enum:
                - audit
                - enforce
                - Audit
                - Enforce
                type: string
              validationFailureActionOverrides:
                description: ValidationFailureActionOverrides is a Cluster Policy
--- a/pkg/controllers/metrics/policy/metrics.go
+++ b/pkg/controllers/metrics/policy/metrics.go
@ -54,7 +54,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(logger logr.Logger
 		logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
 	}
 	// curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
-	if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction() != oldSpec.GetValidationFailureAction() {
+	if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() {
 		err = policyChangesMetric.RegisterPolicy(pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated)
 		if err != nil {
 			logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())
--- a/pkg/engine/imageVerifyValidate.go
+++ b/pkg/engine/imageVerifyValidate.go
@ -35,7 +35,7 @@ func processImageValidationRule(log logr.Logger, ctx *PolicyContext, rule *kyver
 	}
 	if !preconditionsPassed {
-		if ctx.Policy.GetSpec().ValidationFailureAction == kyvernov1.Audit {
+		if ctx.Policy.GetSpec().ValidationFailureAction.Audit() {
 			return nil
 		}
--- a/pkg/engine/response/response.go
+++ b/pkg/engine/response/response.go
@ -228,9 +228,6 @@ func (er EngineResponse) getRules(status RuleStatus) []string {
 func (er *EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction {
 	for _, v := range er.PolicyResponse.ValidationFailureActionOverrides {
 		if v.Action != kyvernov1.Enforce && v.Action != kyvernov1.Audit {
 			continue
 		}
 		for _, ns := range v.Namespaces {
 			if wildcard.Match(ns, er.PatchedResource.GetNamespace()) {
 				return v.Action
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -78,7 +78,7 @@ func buildResponse(ctx *PolicyContext, resp *response.EngineResponse, startTime
 	resp.PolicyResponse.Resource.Namespace = resp.PatchedResource.GetNamespace()
 	resp.PolicyResponse.Resource.Kind = resp.PatchedResource.GetKind()
 	resp.PolicyResponse.Resource.APIVersion = resp.PatchedResource.GetAPIVersion()
-	resp.PolicyResponse.ValidationFailureAction = ctx.Policy.GetSpec().GetValidationFailureAction()
+	resp.PolicyResponse.ValidationFailureAction = ctx.Policy.GetSpec().ValidationFailureAction
 	for _, v := range ctx.Policy.GetSpec().ValidationFailureActionOverrides {
 		resp.PolicyResponse.ValidationFailureActionOverrides = append(resp.PolicyResponse.ValidationFailureActionOverrides, response.ValidationFailureActionOverride{Action: v.Action, Namespaces: v.Namespaces})
--- a/pkg/metrics/parsers.go
+++ b/pkg/metrics/parsers.go
@ -9,14 +9,10 @@ import (
 )
 func ParsePolicyValidationMode(validationFailureAction kyvernov1.ValidationFailureAction) (PolicyValidationMode, error) {
-	switch validationFailureAction {
+	if validationFailureAction.Enforce() {
 	case kyvernov1.Enforce:
 		return Enforce, nil
 	case kyvernov1.Audit:
 		return Audit, nil
 	default:
 		return "", fmt.Errorf("wrong validation failure action found %s. Allowed: '%s', '%s'", validationFailureAction, "enforce", "audit")
 	}
 	return Audit, nil
 }
 func ParsePolicyBackgroundMode(policy kyvernov1.PolicyInterface) PolicyBackgroundMode {
@ -76,6 +72,6 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp
 		policyType = Namespaced
 	}
 	backgroundMode := ParsePolicyBackgroundMode(policy)
-	validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
+	validationMode, err := ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction)
 	return name, namespace, policyType, backgroundMode, validationMode, err
 }
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -1142,8 +1142,8 @@ func validateWildcardsWithNamespaces(enforce, audit, enforceW, auditW []string)
 func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
 	action := map[string]sets.String{
-		string(kyvernov1.Enforce): sets.NewString(),
+		"enforce":  sets.NewString(),
-		string(kyvernov1.Audit):   sets.NewString(),
+		"audit":    sets.NewString(),
 		"enforceW": sets.NewString(),
 		"auditW":   sets.NewString(),
 	}
@ -1151,23 +1151,22 @@ func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
 	for i, vfa := range s.ValidationFailureActionOverrides {
 		patternList, nsList := utils.SeperateWildcards(vfa.Namespaces)
-		if vfa.Action == kyvernov1.Audit {
+		if vfa.Action.Audit() {
-			if action[string(kyvernov1.Enforce)].HasAny(nsList...) {
+			if action["enforce"].HasAny(nsList...) {
 				return fmt.Errorf("conflicting namespaces found in path: %s: %s", path.Index(i).Child("namespaces").String(),
-					strings.Join(action[string(kyvernov1.Enforce)].Intersection(sets.NewString(nsList...)).List(), ", "))
+					strings.Join(action["enforce"].Intersection(sets.NewString(nsList...)).List(), ", "))
 			}
 			action["auditW"].Insert(patternList...)
-		} else if vfa.Action == kyvernov1.Enforce {
+		} else if vfa.Action.Enforce() {
-			if action[string(kyvernov1.Audit)].HasAny(nsList...) {
+			if action["audit"].HasAny(nsList...) {
 				return fmt.Errorf("conflicting namespaces found in path: %s: %s", path.Index(i).Child("namespaces").String(),
-					strings.Join(action[string(kyvernov1.Audit)].Intersection(sets.NewString(nsList...)).List(), ", "))
+					strings.Join(action["audit"].Intersection(sets.NewString(nsList...)).List(), ", "))
 			}
 			action["enforceW"].Insert(patternList...)
 		}
-		action[string(vfa.Action)].Insert(nsList...)
+		action[strings.ToLower(string(vfa.Action))].Insert(nsList...)
-		err := validateWildcardsWithNamespaces(action[string(kyvernov1.Enforce)].List(),
+		err := validateWildcardsWithNamespaces(action["enforce"].List(), action["audit"].List(), action["enforceW"].List(), action["auditW"].List())
 			action[string(kyvernov1.Audit)].List(), action["enforceW"].List(), action["auditW"].List())
 		if err != nil {
 			return fmt.Errorf("path: %s: %s", path.Index(i).Child("namespaces").String(), err.Error())
 		}
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@ -1640,17 +1640,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc1",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"default",
 						},
@ -1672,17 +1672,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc2",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"default",
 						},
@ -1703,17 +1703,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc3",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default*",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"default",
 						},
@ -1735,17 +1735,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc4",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"*",
 						},
@ -1767,17 +1767,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc5",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"?*",
 						},
@ -1799,17 +1799,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc6",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default?",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"default1",
 						},
@ -1831,17 +1831,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc7",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default*",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"?*",
 						},
@ -1863,16 +1863,16 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc8",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"*",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"?*",
 						},
@ -1894,17 +1894,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc9",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default*",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"default",
 							"test*",
@ -1927,17 +1927,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc10",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"*efault",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"default",
 						},
@ -1959,17 +1959,17 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc11",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default-*",
 							"test",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"default",
 						},
@ -1990,16 +1990,16 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc12",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default*?",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"default",
 							"test*",
@ -2021,16 +2021,16 @@ func Test_ValidateNamespace(t *testing.T) {
 		{
 			description: "tc13",
 			spec: &kyverno.Spec{
-				ValidationFailureAction: kyverno.Enforce,
+				ValidationFailureAction: "Enforce",
 				ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
 					{
-						Action: kyverno.Enforce,
+						Action: "Enforce",
 						Namespaces: []string{
 							"default?",
 						},
 					},
 					{
-						Action: kyverno.Audit,
+						Action: "Audit",
 						Namespaces: []string{
 							"default",
 						},
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@ -63,9 +63,9 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace,
 		keepPolicy := true
 		switch pkey {
 		case ValidateAudit:
-			keepPolicy = checkValidationFailureActionOverrides(kyvernov1.Audit, nspace, policy)
+			keepPolicy = checkValidationFailureActionOverrides(false, nspace, policy)
 		case ValidateEnforce:
-			keepPolicy = checkValidationFailureActionOverrides(kyvernov1.Enforce, nspace, policy)
+			keepPolicy = checkValidationFailureActionOverrides(true, nspace, policy)
 		}
 		if keepPolicy { // add policy to result
 			policies = append(policies, policy)
@ -74,14 +74,14 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace,
 	return policies
 }
-func checkValidationFailureActionOverrides(requestedAction kyvernov1.ValidationFailureAction, ns string, policy kyvernov1.PolicyInterface) bool {
+func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool {
 	validationFailureAction := policy.GetSpec().ValidationFailureAction
 	validationFailureActionOverrides := policy.GetSpec().ValidationFailureActionOverrides
-	if validationFailureAction != requestedAction && (ns == "" || len(validationFailureActionOverrides) == 0) {
+	if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) {
 		return false
 	}
 	for _, action := range validationFailureActionOverrides {
-		if action.Action != requestedAction && kyvernoutils.ContainsNamepace(action.Namespaces, ns) {
+		if action.Action.Enforce() != enforce && kyvernoutils.ContainsNamepace(action.Namespaces, ns) {
 			return false
 		}
 	}
--- a/pkg/policycache/store.go
+++ b/pkg/policycache/store.go
@ -74,11 +74,11 @@ func computeKind(gvk string) string {
 }
 func computeEnforcePolicy(spec *kyvernov1.Spec) bool {
-	if spec.GetValidationFailureAction() == kyvernov1.Enforce {
+	if spec.ValidationFailureAction.Enforce() {
 		return true
 	}
 	for _, k := range spec.ValidationFailureActionOverrides {
-		if k.Action == kyvernov1.Enforce {
+		if k.Action.Enforce() {
 			return true
 		}
 	}
--- a/pkg/utils/engine/response.go
+++ b/pkg/utils/engine/response.go
@ -19,7 +19,7 @@ func IsResponseSuccessful(engineReponses []*response.EngineResponse) bool {
 // 1. a policy fails (i.e. creates a violation) and validationFailureAction is set to 'enforce'
 // 2. a policy has a processing error and failurePolicy is set to 'Fail`
 func BlockRequest(er *response.EngineResponse, failurePolicy kyvernov1.FailurePolicyType) bool {
-	if er.IsFailed() && er.GetValidationFailureAction() == kyvernov1.Enforce {
+	if er.IsFailed() && er.GetValidationFailureAction().Enforce() {
 		return true
 	}
 	if er.IsError() && failurePolicy == kyvernov1.Fail {
--- a/pkg/webhooks/resource/handlers_test.go
+++ b/pkg/webhooks/resource/handlers_test.go
@ -290,7 +290,7 @@ func Test_AdmissionResponseValid(t *testing.T) {
 	assert.Equal(t, response.Allowed, true)
 	assert.Equal(t, len(response.Warnings), 0)
-	validPolicy.Spec.ValidationFailureAction = kyverno.Enforce
+	validPolicy.Spec.ValidationFailureAction = "Enforce"
 	policyCache.Set(key, &validPolicy)
 	response = handlers.Validate(logger, request, "", time.Now())
@ -323,7 +323,7 @@ func Test_AdmissionResponseInvalid(t *testing.T) {
 	}
 	keyInvalid := makeKey(&invalidPolicy)
-	invalidPolicy.Spec.ValidationFailureAction = kyverno.Enforce
+	invalidPolicy.Spec.ValidationFailureAction = "Enforce"
 	policyCache.Set(keyInvalid, &invalidPolicy)
 	response := handlers.Validate(logger, request, "", time.Now())
@ -364,7 +364,7 @@ func Test_ImageVerify(t *testing.T) {
 		},
 	}
-	policy.Spec.ValidationFailureAction = kyverno.Enforce
+	policy.Spec.ValidationFailureAction = "Enforce"
 	policyCache.Set(key, &policy)
 	response := handlers.Mutate(logger, request, "", time.Now())
--- a/pkg/webhooks/utils/block_test.go
+++ b/pkg/webhooks/utils/block_test.go
@ -59,7 +59,7 @@ func TestBlockRequest(t *testing.T) {
 			engineResponses: []*response.EngineResponse{
 				{
 					PolicyResponse: response.PolicyResponse{
-						ValidationFailureAction: kyvernov1.Enforce,
+						ValidationFailureAction: "Enforce",
 						Rules: []response.RuleResponse{
 							{
 								Name:    "rule-fail",
@ -80,7 +80,7 @@ func TestBlockRequest(t *testing.T) {
 			engineResponses: []*response.EngineResponse{
 				{
 					PolicyResponse: response.PolicyResponse{
-						ValidationFailureAction: kyvernov1.Audit,
+						ValidationFailureAction: "Audit",
 						Rules: []response.RuleResponse{
 							{
 								Name:    "rule-fail",
@ -101,7 +101,7 @@ func TestBlockRequest(t *testing.T) {
 			engineResponses: []*response.EngineResponse{
 				{
 					PolicyResponse: response.PolicyResponse{
-						ValidationFailureAction: kyvernov1.Audit,
+						ValidationFailureAction: "Audit",
 						Rules: []response.RuleResponse{
 							{
 								Name:    "rule-error",
@ -122,7 +122,7 @@ func TestBlockRequest(t *testing.T) {
 			engineResponses: []*response.EngineResponse{
 				{
 					PolicyResponse: response.PolicyResponse{
-						ValidationFailureAction: kyvernov1.Audit,
+						ValidationFailureAction: "Audit",
 						Rules: []response.RuleResponse{
 							{
 								Name:    "rule-error",
@ -143,7 +143,7 @@ func TestBlockRequest(t *testing.T) {
 			engineResponses: []*response.EngineResponse{
 				{
 					PolicyResponse: response.PolicyResponse{
-						ValidationFailureAction: kyvernov1.Audit,
+						ValidationFailureAction: "Audit",
 						Rules: []response.RuleResponse{
 							{
 								Name:    "rule-warning",
@ -164,7 +164,7 @@ func TestBlockRequest(t *testing.T) {
 			engineResponses: []*response.EngineResponse{
 				{
 					PolicyResponse: response.PolicyResponse{
-						ValidationFailureAction: kyvernov1.Audit,
+						ValidationFailureAction: "Audit",
 						Rules: []response.RuleResponse{
 							{
 								Name:    "rule-warning",
@ -205,7 +205,7 @@ func TestGetBlockedMessages(t *testing.T) {
 						Policy: response.PolicySpec{
 							Name: "test",
 						},
-						ValidationFailureAction: kyvernov1.Enforce,
+						ValidationFailureAction: "Enforce",
 						Rules: []response.RuleResponse{
 							{
 								Name:    "rule-fail",
@ -232,7 +232,7 @@ func TestGetBlockedMessages(t *testing.T) {
 						Policy: response.PolicySpec{
 							Name: "test",
 						},
-						ValidationFailureAction: kyvernov1.Enforce,
+						ValidationFailureAction: "Enforce",
 						Rules: []response.RuleResponse{
 							{
 								Name:    "rule-error",
@ -259,7 +259,7 @@ func TestGetBlockedMessages(t *testing.T) {
 						Policy: response.PolicySpec{
 							Name: "test",
 						},
-						ValidationFailureAction: kyvernov1.Enforce,
+						ValidationFailureAction: "Enforce",
 						Rules: []response.RuleResponse{
 							{
 								Name:    "rule-fail",