From afdbc1ac572ae10fccaa7001a6b42fd8fb4ce9d6 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 6 Mar 2020 03:47:49 +0530
Subject: [PATCH 001/201] 725 validationfailureaction enforce now returns a
 more concise error

---
 pkg/webhooks/common.go | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index a6a2682476..af3fbbd851 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -40,11 +40,12 @@ func toBlockResource(engineReponses []response.EngineResponse) bool {
 func getEnforceFailureErrorMsg(engineReponses []response.EngineResponse) string {
 	var str []string
 	var resourceInfo string
-
+	var failedPolicies []string
 	for _, er := range engineReponses {
 		if !er.IsSuccesful() && er.PolicyResponse.ValidationFailureAction == Enforce {
+			failedPolicies = append(failedPolicies, er.PolicyResponse.Policy)
 			resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
-			str = append(str, fmt.Sprintf("failed policy %s:", er.PolicyResponse.Policy))
+			str = append(str, fmt.Sprintf("failed policy %s", er.PolicyResponse.Policy))
 			for _, rule := range er.PolicyResponse.Rules {
 				if !rule.Success {
 					str = append(str, rule.ToString())
@@ -52,7 +53,19 @@ func getEnforceFailureErrorMsg(engineReponses []response.EngineResponse) string
 			}
 		}
 	}
-	return fmt.Sprintf("Resource %s %s", resourceInfo, strings.Join(str, ";"))
+
+	var failureReason string
+	switch {
+	case len(failedPolicies) > 1:
+		failureReason = fmt.Sprintf("Resource %s blocked by policies %s, kindly refer to logs for further details", resourceInfo, strings.Join(failedPolicies, ", "))
+	case len(failedPolicies) == 1:
+		failureReason = fmt.Sprintf("Resource %s blocked by policy %s, kindly refer to logs for further details", resourceInfo, failedPolicies[0])
+	case len(failedPolicies) == 0:
+		failureReason = fmt.Sprintf("Resource %s has been blocked due to internal error, kindly refer to logs for further details", resourceInfo)
+	}
+
+	glog.V(4).Infof("Resource %s %s", resourceInfo, strings.Join(str, ";"))
+	return failureReason
 }
 
 // getErrorMsg gets all failed engine response message

From ffd3487ace1a7f4702215f995f0415f192b8c54f Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 6 Mar 2020 17:11:33 +0530
Subject: [PATCH 002/201] 725 changed returned error

---
 pkg/engine/validation.go |  3 ++-
 pkg/webhooks/common.go   | 30 +++++++++++-------------------
 2 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index de05323f87..10e86e084f 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -234,7 +234,8 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 				errorStr = append(errorStr, err.Error())
 			}
 			resp.Success = false
-			resp.Message = fmt.Sprintf("Validation rule '%s' failed. %s", rule.Name, errorStr)
+			glog.V(4).Infof("Validation rule '%s' failed. %s", rule.Name, errorStr)
+			resp.Message = fmt.Sprintf("Validation rule '%s' has failed", rule.Name)
 			return resp
 		}
 	}
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index af3fbbd851..34b1f2c968 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"strings"
 
+	yamlv2 "gopkg.in/yaml.v2"
+
 	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
@@ -38,34 +40,24 @@ func toBlockResource(engineReponses []response.EngineResponse) bool {
 
 // getEnforceFailureErrorMsg gets the error messages for failed enforce policy
 func getEnforceFailureErrorMsg(engineReponses []response.EngineResponse) string {
-	var str []string
-	var resourceInfo string
-	var failedPolicies []string
+	policyToRule := make(map[string]interface{})
+	var resourceName string
 	for _, er := range engineReponses {
 		if !er.IsSuccesful() && er.PolicyResponse.ValidationFailureAction == Enforce {
-			failedPolicies = append(failedPolicies, er.PolicyResponse.Policy)
-			resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
-			str = append(str, fmt.Sprintf("failed policy %s", er.PolicyResponse.Policy))
+			ruleToReason := make(map[string]string)
 			for _, rule := range er.PolicyResponse.Rules {
 				if !rule.Success {
-					str = append(str, rule.ToString())
+					ruleToReason[rule.Name] = rule.Message
 				}
 			}
+			resourceName = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
+
+			policyToRule[er.PolicyResponse.Policy] = ruleToReason
 		}
 	}
 
-	var failureReason string
-	switch {
-	case len(failedPolicies) > 1:
-		failureReason = fmt.Sprintf("Resource %s blocked by policies %s, kindly refer to logs for further details", resourceInfo, strings.Join(failedPolicies, ", "))
-	case len(failedPolicies) == 1:
-		failureReason = fmt.Sprintf("Resource %s blocked by policy %s, kindly refer to logs for further details", resourceInfo, failedPolicies[0])
-	case len(failedPolicies) == 0:
-		failureReason = fmt.Sprintf("Resource %s has been blocked due to internal error, kindly refer to logs for further details", resourceInfo)
-	}
-
-	glog.V(4).Infof("Resource %s %s", resourceInfo, strings.Join(str, ";"))
-	return failureReason
+	result, _ := yamlv2.Marshal(policyToRule)
+	return "\n\nresource " + resourceName + " was blocked due to the following policies\n\n" + string(result)
 }
 
 // getErrorMsg gets all failed engine response message

From 6f07aac36a0f5a8cd677eb2894d684c5194cc799 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 6 Mar 2020 17:19:41 +0530
Subject: [PATCH 003/201] 725 fixing tests

---
 pkg/engine/validation_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 2792723d09..a7a036bedc 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -294,7 +294,7 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
-	msgs := []string{"Validation rule 'check-default-namespace' failed. [anyPattern[0] failed; Validation rule failed at '/metadata/namespace/' to validate value '<nil>' with pattern '?*' anyPattern[1] failed; Validation rule failed at '/metadata/namespace/' to validate value '<nil>' with pattern '!default']"}
+	msgs := []string{"Validation rule 'check-default-namespace' has failed"}
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
 	}
@@ -1582,5 +1582,5 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter
 
 	// expectedMsg := "Validation error: ; Validation rule test-path-not-exist anyPattern[0] failed at path /spec/template/spec/containers/0/name/. Validation rule test-path-not-exist anyPattern[1] failed at path /spec/template/spec/containers/0/name/."
 	assert.Assert(t, !er.PolicyResponse.Rules[0].Success)
-	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation rule 'test-path-not-exist' failed. [anyPattern[0] failed; Validation rule failed at '/spec/template/spec/containers/0/name/' to validate value 'pod-test-pod' with pattern 'test*' anyPattern[1] failed; Validation rule failed at '/spec/template/spec/containers/0/name/' to validate value 'pod-test-pod' with pattern 'test*']")
+	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation rule 'test-path-not-exist' has failed")
 }

From b1063a95e125a0151b408f9446d45b410731f6ea Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Wed, 11 Mar 2020 18:14:23 -0700
Subject: [PATCH 004/201] refactor & validate operations for generate rules in
 PolicyValidation

---
 pkg/auth/auth.go                     | 108 +++++
 pkg/auth/auth_test.go                |  48 +++
 pkg/engine/variables/common.go       |  14 +
 pkg/policy/actions.go                |  50 +++
 pkg/policy/common/common.go          |  85 ++++
 pkg/policy/generate/auth.go          |  71 ++++
 pkg/policy/generate/fake.go          |  21 +
 pkg/policy/generate/fake/auth.go     |  31 ++
 pkg/policy/generate/validate.go      | 148 +++++++
 pkg/policy/generate/validate_test.go |  89 ++++
 pkg/policy/mutate/validate.go        |  63 +++
 pkg/policy/mutate/validate_test.go   | 151 +++++++
 pkg/policy/validate.go               | 220 +---------
 pkg/policy/validate/validate.go      |  61 +++
 pkg/policy/validate/validate_test.go | 381 ++++++++++++++++++
 pkg/policy/validate_test.go          | 582 +--------------------------
 pkg/webhooks/policyvalidation.go     |   2 +-
 17 files changed, 1332 insertions(+), 793 deletions(-)
 create mode 100644 pkg/auth/auth.go
 create mode 100644 pkg/auth/auth_test.go
 create mode 100644 pkg/engine/variables/common.go
 create mode 100644 pkg/policy/actions.go
 create mode 100644 pkg/policy/common/common.go
 create mode 100644 pkg/policy/generate/auth.go
 create mode 100644 pkg/policy/generate/fake.go
 create mode 100644 pkg/policy/generate/fake/auth.go
 create mode 100644 pkg/policy/generate/validate.go
 create mode 100644 pkg/policy/generate/validate_test.go
 create mode 100644 pkg/policy/mutate/validate.go
 create mode 100644 pkg/policy/mutate/validate_test.go
 create mode 100644 pkg/policy/validate/validate.go
 create mode 100644 pkg/policy/validate/validate_test.go

diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
new file mode 100644
index 0000000000..06d8ea22a2
--- /dev/null
+++ b/pkg/auth/auth.go
@@ -0,0 +1,108 @@
+package auth
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/golang/glog"
+	client "github.com/nirmata/kyverno/pkg/dclient"
+	authorizationv1 "k8s.io/api/authorization/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+//CanIOptions provides utility ti check if user has authorization for the given operation
+type CanIOptions struct {
+	namespace string
+	verb      string
+	kind      string
+	client    *client.Client
+}
+
+//NewCanI returns a new instance of operation access controler evaluator
+func NewCanI(client *client.Client, kind, namespace, verb string) *CanIOptions {
+	o := CanIOptions{
+		client: client,
+	}
+
+	o.namespace = namespace
+	o.kind = kind
+	o.verb = verb
+
+	return &o
+}
+
+//RunAccessCheck checks if the caller can perform the operation
+// - operation is a combination of namespace, kind, verb
+// - can only evaluate a single verb
+// - group version resource is determined from the kind using the discovery client REST mapper
+// - If disallowed, the reason and evaluationError is avialable in the logs
+// - each can generates a SelfSubjectAccessReview resource and response is evaluated for permissions
+func (o *CanIOptions) RunAccessCheck() (bool, error) {
+	// get GroupVersionResource from RESTMapper
+	// get GVR from kind
+	gvr := o.client.DiscoveryClient.GetGVRFromKind(o.kind)
+	if reflect.DeepEqual(gvr, schema.GroupVersionResource{}) {
+		// cannot find GVR
+		return false, fmt.Errorf("failed to get the Group Version Resource for kind %s", o.kind)
+	}
+
+	var sar *authorizationv1.SelfSubjectAccessReview
+
+	sar = &authorizationv1.SelfSubjectAccessReview{
+		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authorizationv1.ResourceAttributes{
+				Namespace: o.namespace,
+				Verb:      o.verb,
+				Group:     gvr.Group,
+				Resource:  gvr.Resource,
+			},
+		},
+	}
+	// Set self subject access review
+	// - namespace
+	// - verb
+	// - resource
+	// - subresource
+
+	// Create the Resource
+	resp, err := o.client.CreateResource("SelfSubjectAccessReview", "", sar, false)
+	if err != nil {
+		glog.Errorf("failed to create resource %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+		return false, err
+	}
+
+	// status.allowed
+	allowed, ok, err := unstructured.NestedBool(resp.Object, "status", "allowed")
+	if !ok {
+		if err != nil {
+			glog.Errorf("unexpected error when getting status.allowed for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+		}
+		glog.Errorf("status.allowed not found for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+	}
+
+	if !allowed {
+		// status.reason
+		reason, ok, err := unstructured.NestedString(resp.Object, "status", "reason")
+		if !ok {
+			if err != nil {
+				glog.Errorf("unexpected error when getting status.reason for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+			}
+			glog.Errorf("status.reason not found for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+		}
+		// status.evaluationError
+		evaluationError, ok, err := unstructured.NestedString(resp.Object, "status", "evaludationError")
+		if !ok {
+			if err != nil {
+				glog.Errorf("unexpected error when getting status.evaluationError for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+			}
+			glog.Errorf("status.evaluationError not found for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+		}
+
+		// Reporting ? (just logs)
+		glog.Errorf("reason to disallow operation: %s", reason)
+		glog.Errorf("evaluationError to disallow operation: %s", evaluationError)
+	}
+
+	return allowed, nil
+}
diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
new file mode 100644
index 0000000000..6dbc800285
--- /dev/null
+++ b/pkg/auth/auth_test.go
@@ -0,0 +1,48 @@
+package auth
+
+// import (
+// 	"testing"
+// 	"time"
+
+// 	"github.com/golang/glog"
+// 	"github.com/nirmata/kyverno/pkg/config"
+// 	dclient "github.com/nirmata/kyverno/pkg/dclient"
+// 	"github.com/nirmata/kyverno/pkg/signal"
+// )
+
+// func Test_Auth_pass(t *testing.T) {
+// 	// needs running cluster
+// 	var kubeconfig string
+// 	stopCh := signal.SetupSignalHandler()
+// 	kubeconfig = "/Users/shivd/.kube/config"
+// 	clientConfig, err := config.CreateClientConfig(kubeconfig)
+// 	if err != nil {
+// 		glog.Fatalf("Error building kubeconfig: %v\n", err)
+// 	}
+
+// 	// DYNAMIC CLIENT
+// 	// - client for all registered resources
+// 	// - invalidate local cache of registered resource every 10 seconds
+// 	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh)
+// 	if err != nil {
+// 		glog.Fatalf("Error creating client: %v\n", err)
+// 	}
+
+// 	// Can i authenticate
+
+// 	kind := "Deployment"
+// 	namespace := "default"
+// 	verb := "test"
+// 	canI := NewCanI(client, kind, namespace, verb)
+// 	ok, err := canI.RunAccessCheck()
+// 	if err != nil {
+// 		t.Error(err)
+// 	}
+// 	if ok {
+// 		t.Log("allowed")
+// 	} else {
+// 		t.Log("notallowed")
+// 	}
+// 	t.FailNow()
+
+// }
diff --git a/pkg/engine/variables/common.go b/pkg/engine/variables/common.go
new file mode 100644
index 0000000000..751040a03d
--- /dev/null
+++ b/pkg/engine/variables/common.go
@@ -0,0 +1,14 @@
+package variables
+
+import "regexp"
+
+//IsVariable returns true if the element contains a 'valid' variable {{}}
+func IsVariable(element string) bool {
+	validRegex := regexp.MustCompile(variableRegex)
+	groups := validRegex.FindAllStringSubmatch(element, -1)
+	if len(groups) == 0 {
+		// there was no match
+		return false
+	}
+	return true
+}
diff --git a/pkg/policy/actions.go b/pkg/policy/actions.go
new file mode 100644
index 0000000000..cdf37ed1a8
--- /dev/null
+++ b/pkg/policy/actions.go
@@ -0,0 +1,50 @@
+package policy
+
+import (
+	"fmt"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	dclient "github.com/nirmata/kyverno/pkg/dclient"
+	"github.com/nirmata/kyverno/pkg/policy/generate"
+	"github.com/nirmata/kyverno/pkg/policy/mutate"
+	"github.com/nirmata/kyverno/pkg/policy/validate"
+)
+
+//Validation provides methods to validate a rule
+type Validation interface {
+	Validate() (string, error)
+}
+
+//validateAction performs validation on the rule actions
+// - Mutate
+// - Validation
+// - Generate
+func validateActions(idx int, rule kyverno.Rule, client *dclient.Client) error {
+	var checker Validation
+
+	// Mutate
+	if rule.HasMutate() {
+		checker = mutate.NewMutateFactory(rule.Mutation)
+		if path, err := checker.Validate(); err != nil {
+			return fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", idx, path, err)
+		}
+	}
+
+	// Validate
+	if rule.HasValidate() {
+		checker = validate.NewValidateFactory(rule.Validation)
+		if path, err := checker.Validate(); err != nil {
+			return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", idx, path, err)
+		}
+	}
+
+	// Generate
+	if rule.HasGenerate() {
+		checker = generate.NewGenerateFactory(client, rule.Generation)
+		if path, err := checker.Validate(); err != nil {
+			return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
+		}
+	}
+
+	return nil
+}
diff --git a/pkg/policy/common/common.go b/pkg/policy/common/common.go
new file mode 100644
index 0000000000..35bc132007
--- /dev/null
+++ b/pkg/policy/common/common.go
@@ -0,0 +1,85 @@
+package common
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+
+	"github.com/nirmata/kyverno/pkg/engine/anchor"
+)
+
+//ValidatePattern validates the pattern
+func ValidatePattern(patternElement interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
+	switch typedPatternElement := patternElement.(type) {
+	case map[string]interface{}:
+		return validateMap(typedPatternElement, path, supportedAnchors)
+	case []interface{}:
+		return validateArray(typedPatternElement, path, supportedAnchors)
+	case string, float64, int, int64, bool, nil:
+		//TODO? check operator
+		return "", nil
+	default:
+		return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path)
+	}
+}
+func validateMap(patternMap map[string]interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
+	// check if anchors are defined
+	for key, value := range patternMap {
+		// if key is anchor
+		// check regex () -> this is anchor
+		// ()
+		// single char ()
+		re, err := regexp.Compile(`^.?\(.+\)$`)
+		if err != nil {
+			return path + "/" + key, fmt.Errorf("Unable to parse the field %s: %v", key, err)
+		}
+
+		matched := re.MatchString(key)
+		// check the type of anchor
+		if matched {
+			// some type of anchor
+			// check if valid anchor
+			if !checkAnchors(key, supportedAnchors) {
+				return path + "/" + key, fmt.Errorf("Unsupported anchor %s", key)
+			}
+
+			// addition check for existence anchor
+			// value must be of type list
+			if anchor.IsExistenceAnchor(key) {
+				typedValue, ok := value.([]interface{})
+				if !ok {
+					return path + "/" + key, fmt.Errorf("Existence anchor should have value of type list")
+				}
+				// validate there is only one entry in the list
+				if len(typedValue) == 0 || len(typedValue) > 1 {
+					return path + "/" + key, fmt.Errorf("Existence anchor: single value expected, multiple specified")
+				}
+			}
+		}
+		// lets validate the values now :)
+		if errPath, err := ValidatePattern(value, path+"/"+key, supportedAnchors); err != nil {
+			return errPath, err
+		}
+	}
+	return "", nil
+}
+
+func validateArray(patternArray []interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
+	for i, patternElement := range patternArray {
+		currentPath := path + strconv.Itoa(i) + "/"
+		// lets validate the values now :)
+		if errPath, err := ValidatePattern(patternElement, currentPath, supportedAnchors); err != nil {
+			return errPath, err
+		}
+	}
+	return "", nil
+}
+
+func checkAnchors(key string, supportedAnchors []anchor.IsAnchor) bool {
+	for _, f := range supportedAnchors {
+		if f(key) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/policy/generate/auth.go b/pkg/policy/generate/auth.go
new file mode 100644
index 0000000000..0bcd0cb0a1
--- /dev/null
+++ b/pkg/policy/generate/auth.go
@@ -0,0 +1,71 @@
+package generate
+
+import (
+	"github.com/nirmata/kyverno/pkg/auth"
+	dclient "github.com/nirmata/kyverno/pkg/dclient"
+)
+
+//Operations provides methods to performing operations on resource
+type Operations interface {
+	// CanICreate returns 'true' if self can 'create' resource
+	CanICreate(kind, namespace string) (bool, error)
+	// CanIUpdate returns 'true' if self can 'update' resource
+	CanIUpdate(kind, namespace string) (bool, error)
+	// CanIDelete returns 'true' if self can 'delete' resource
+	CanIDelete(kind, namespace string) (bool, error)
+	// CanIGet returns 'true' if self can 'get' resource
+	CanIGet(kind, namespace string) (bool, error)
+}
+
+//Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
+type Auth struct {
+	client *dclient.Client
+}
+
+//NewAuth returns a new instance of Auth for operations
+func NewAuth(client *dclient.Client) *Auth {
+	a := Auth{
+		client: client,
+	}
+	return &a
+}
+
+// CanICreate returns 'true' if self can 'create' resource
+func (a *Auth) CanICreate(kind, namespace string) (bool, error) {
+	canI := auth.NewCanI(a.client, kind, namespace, "create")
+	ok, err := canI.RunAccessCheck()
+	if err != nil {
+		return false, err
+	}
+	return ok, nil
+}
+
+// CanIUpdate returns 'true' if self can 'update' resource
+func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {
+	canI := auth.NewCanI(a.client, kind, namespace, "update")
+	ok, err := canI.RunAccessCheck()
+	if err != nil {
+		return false, err
+	}
+	return ok, nil
+}
+
+// CanIDelete returns 'true' if self can 'delete' resource
+func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {
+	canI := auth.NewCanI(a.client, kind, namespace, "delete")
+	ok, err := canI.RunAccessCheck()
+	if err != nil {
+		return false, err
+	}
+	return ok, nil
+}
+
+// CanIGet returns 'true' if self can 'get' resource
+func (a *Auth) CanIGet(kind, namespace string) (bool, error) {
+	canI := auth.NewCanI(a.client, kind, namespace, "get")
+	ok, err := canI.RunAccessCheck()
+	if err != nil {
+		return false, err
+	}
+	return ok, nil
+}
diff --git a/pkg/policy/generate/fake.go b/pkg/policy/generate/fake.go
new file mode 100644
index 0000000000..0d561c7a94
--- /dev/null
+++ b/pkg/policy/generate/fake.go
@@ -0,0 +1,21 @@
+package generate
+
+import (
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/policy/generate/fake"
+)
+
+//FakeGenerate provides implementation for generate rule processing
+// with mocks/fakes for cluster interactions
+type FakeGenerate struct {
+	Generate
+}
+
+//NewFakeGenerate returns a new instance of generatecheck that uses
+// fake/mock implementation for operation access(always returns true)
+func NewFakeGenerate(rule kyverno.Generation) *FakeGenerate {
+	g := FakeGenerate{}
+	g.rule = rule
+	g.authCheck = fake.NewFakeAuth()
+	return &g
+}
diff --git a/pkg/policy/generate/fake/auth.go b/pkg/policy/generate/fake/auth.go
new file mode 100644
index 0000000000..3e7467bf06
--- /dev/null
+++ b/pkg/policy/generate/fake/auth.go
@@ -0,0 +1,31 @@
+package fake
+
+//FakeAuth providers implementation for testing, retuning true for all operations
+type FakeAuth struct {
+}
+
+//NewFakeAuth returns a new instance of Fake Auth that returns true for each operation
+func NewFakeAuth() *FakeAuth {
+	a := FakeAuth{}
+	return &a
+}
+
+// CanICreate returns 'true'
+func (a *FakeAuth) CanICreate(kind, namespace string) (bool, error) {
+	return true, nil
+}
+
+// CanIUpdate returns 'true'
+func (a *FakeAuth) CanIUpdate(kind, namespace string) (bool, error) {
+	return true, nil
+}
+
+// CanIDelete returns 'true'
+func (a *FakeAuth) CanIDelete(kind, namespace string) (bool, error) {
+	return true, nil
+}
+
+// CanIGet returns 'true'
+func (a *FakeAuth) CanIGet(kind, namespace string) (bool, error) {
+	return true, nil
+}
diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go
new file mode 100644
index 0000000000..230891516b
--- /dev/null
+++ b/pkg/policy/generate/validate.go
@@ -0,0 +1,148 @@
+package generate
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/golang/glog"
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	dclient "github.com/nirmata/kyverno/pkg/dclient"
+	"github.com/nirmata/kyverno/pkg/engine/anchor"
+	"github.com/nirmata/kyverno/pkg/engine/variables"
+	"github.com/nirmata/kyverno/pkg/policy/common"
+)
+
+// Generate provides implementation to validate 'generate' rule
+type Generate struct {
+	// rule to hold 'generate' rule specifications
+	rule kyverno.Generation
+	// authCheck to check access for operations
+	authCheck Operations
+}
+
+//NewGenerateFactory returns a new instance of Generate validation checker
+func NewGenerateFactory(client *dclient.Client, rule kyverno.Generation) *Generate {
+	g := Generate{
+		rule:      rule,
+		authCheck: NewAuth(client),
+	}
+
+	return &g
+}
+
+//Validate validates the generate rule in validation
+func (g *Generate) Validate() (string, error) {
+	rule := g.rule
+	if rule.Data == nil && rule.Clone == (kyverno.CloneFrom{}) {
+		return "", fmt.Errorf("clone or data are required")
+	}
+	if rule.Data != nil && rule.Clone != (kyverno.CloneFrom{}) {
+		return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)")
+	}
+	kind, name, namespace := rule.Kind, rule.Name, rule.Namespace
+
+	if name == "" {
+		return "name", fmt.Errorf("name cannot be empty")
+	}
+	if kind == "" {
+		return "kind", fmt.Errorf("kind cannot be empty")
+	}
+	// Can I generate resource
+
+	if !reflect.DeepEqual(rule.Clone, kyverno.CloneFrom{}) {
+		if path, err := g.validateClone(rule.Clone, kind); err != nil {
+			return fmt.Sprintf("clone.%s", path), err
+		}
+	}
+	if rule.Data != nil {
+		//TODO: is this required ?? as anchors can only be on pattern and not resource
+		// we can add this check by not sure if its needed here
+		if path, err := common.ValidatePattern(rule.Data, "/", []anchor.IsAnchor{}); err != nil {
+			return fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err)
+		}
+	}
+
+	// Kyverno generate-controller create/update/deletes the resources specified in generate rule of policy
+	// kyverno uses SA 'kyverno-service-account' and has default ClusterRoles and ClusterRoleBindings
+	// instuctions to modify the RBAC for kyverno are mentioned at https://github.com/nirmata/kyverno/blob/master/documentation/installation.md
+	// - operations required: create/update/delete/get
+	// If kind and namespace contain variables, then we cannot resolve then so we skip the processing
+	if err := g.canIGenerate(kind, namespace); err != nil {
+		return "", err
+	}
+	return "", nil
+}
+
+func (g *Generate) validateClone(c kyverno.CloneFrom, kind string) (string, error) {
+	if c.Name == "" {
+		return "name", fmt.Errorf("name cannot be empty")
+	}
+	if c.Namespace == "" {
+		return "namespace", fmt.Errorf("namespace cannot be empty")
+	}
+	namespace := c.Namespace
+	// Skip if there is variable defined
+	if !variables.IsVariable(kind) && !variables.IsVariable(namespace) {
+		// GET
+		ok, err := g.authCheck.CanIGet(kind, namespace)
+		if err != nil {
+			return "", err
+		}
+		if !ok {
+			return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+	} else {
+		glog.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
+	}
+	return "", nil
+}
+
+//canIGenerate returns a error if kyverno cannot perform oprations
+func (g *Generate) canIGenerate(kind, namespace string) error {
+	// Skip if there is variable defined
+	authCheck := g.authCheck
+	if !variables.IsVariable(kind) && !variables.IsVariable(namespace) {
+		// CREATE
+		ok, err := authCheck.CanICreate(kind, namespace)
+		if err != nil {
+			// machinery error
+			return err
+		}
+		if !ok {
+			return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+		// UPDATE
+		ok, err = authCheck.CanIUpdate(kind, namespace)
+		if err != nil {
+			// machinery error
+			return err
+		}
+		if !ok {
+			return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+		// GET
+		ok, err = authCheck.CanIGet(kind, namespace)
+		if err != nil {
+			// machinery error
+			return err
+		}
+		if !ok {
+			return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+
+		// DELETE
+		ok, err = authCheck.CanIDelete(kind, namespace)
+		if err != nil {
+			// machinery error
+			return err
+		}
+		if !ok {
+			return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+
+	} else {
+		glog.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
+	}
+
+	return nil
+}
diff --git a/pkg/policy/generate/validate_test.go b/pkg/policy/generate/validate_test.go
new file mode 100644
index 0000000000..631aac6ed3
--- /dev/null
+++ b/pkg/policy/generate/validate_test.go
@@ -0,0 +1,89 @@
+package generate
+
+import (
+	"encoding/json"
+	"testing"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"gotest.tools/assert"
+)
+
+func Test_Validate_Generate(t *testing.T) {
+	rawGenerate := []byte(`
+	{
+		"kind": "NetworkPolicy",
+		"name": "defaultnetworkpolicy",
+		"data": {
+		   "spec": {
+			  "podSelector": {},
+			  "policyTypes": [
+				 "Ingress",
+				 "Egress"
+			  ],
+			  "ingress": [
+				 {}
+			  ],
+			  "egress": [
+				 {}
+			  ]
+		   }
+		}
+	 }`)
+
+	var genRule kyverno.Generation
+	err := json.Unmarshal(rawGenerate, &genRule)
+	assert.NilError(t, err)
+	checker := NewFakeGenerate(genRule)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Generate_HasAnchors(t *testing.T) {
+	var err error
+	rawGenerate := []byte(`
+	{
+		"kind": "NetworkPolicy",
+		"name": "defaultnetworkpolicy",
+		"data": {
+		   "spec": {
+			  "(podSelector)": {},
+			  "policyTypes": [
+				 "Ingress",
+				 "Egress"
+			  ],
+			  "ingress": [
+				 {}
+			  ],
+			  "egress": [
+				 {}
+			  ]
+		   }
+		}
+	 }`)
+
+	var genRule kyverno.Generation
+	err = json.Unmarshal(rawGenerate, &genRule)
+	assert.NilError(t, err)
+	checker := NewFakeGenerate(genRule)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	rawGenerate = []byte(`
+	{
+		"kind": "ConfigMap",
+		"name": "copied-cm",
+		"clone": {
+		   "^(namespace)": "default",
+		   "name": "game"
+		}
+	 }`)
+
+	err = json.Unmarshal(rawGenerate, &genRule)
+	assert.NilError(t, err)
+	checker = NewFakeGenerate(genRule)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go
new file mode 100644
index 0000000000..581645740e
--- /dev/null
+++ b/pkg/policy/mutate/validate.go
@@ -0,0 +1,63 @@
+package mutate
+
+import (
+	"errors"
+	"fmt"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/engine/anchor"
+	"github.com/nirmata/kyverno/pkg/policy/common"
+)
+
+// Mutate provides implementation to validate 'mutate' rule
+type Mutate struct {
+	// rule to hold 'mutate' rule specifications
+	rule kyverno.Mutation
+}
+
+//NewMutateFactory returns a new instance of Mutate validation checker
+func NewMutateFactory(rule kyverno.Mutation) *Mutate {
+	m := Mutate{
+		rule: rule,
+	}
+	return &m
+}
+
+//Validate validates the 'mutate' rul
+func (m *Mutate) Validate() (string, error) {
+	rule := m.rule
+	// JSON Patches
+	if len(rule.Patches) != 0 {
+		for i, patch := range rule.Patches {
+			if err := validatePatch(patch); err != nil {
+				return fmt.Sprintf("patch[%d]", i), err
+			}
+		}
+	}
+	// Overlay
+	if rule.Overlay != nil {
+		path, err := common.ValidatePattern(rule.Overlay, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsAddingAnchor})
+		if err != nil {
+			return path, err
+		}
+	}
+	return "", nil
+}
+
+// Validate if all mandatory PolicyPatch fields are set
+func validatePatch(pp kyverno.Patch) error {
+	if pp.Path == "" {
+		return errors.New("JSONPatch field 'path' is mandatory")
+	}
+	if pp.Operation == "add" || pp.Operation == "replace" {
+		if pp.Value == nil {
+			return fmt.Errorf("JSONPatch field 'value' is mandatory for operation '%s'", pp.Operation)
+		}
+
+		return nil
+	} else if pp.Operation == "remove" {
+		return nil
+	}
+
+	return fmt.Errorf("Unsupported JSONPatch operation '%s'", pp.Operation)
+}
diff --git a/pkg/policy/mutate/validate_test.go b/pkg/policy/mutate/validate_test.go
new file mode 100644
index 0000000000..84ff0e59b7
--- /dev/null
+++ b/pkg/policy/mutate/validate_test.go
@@ -0,0 +1,151 @@
+package mutate
+
+import (
+	"encoding/json"
+	"testing"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"gotest.tools/assert"
+)
+
+func Test_Validate_Mutate_ConditionAnchor(t *testing.T) {
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		  "spec": {
+			"(serviceAccountName)": "*",
+			"automountServiceAccountToken": false
+		  }
+		}
+	  }`)
+
+	var mutate kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+	checker := NewMutateFactory(mutate)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_Mutate_PlusAnchor(t *testing.T) {
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "+(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	var mutate kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+
+	checker := NewMutateFactory(mutate)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_Mutate_Mismatched(t *testing.T) {
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "^(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	var mutateExistence kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutateExistence)
+	assert.NilError(t, err)
+
+	checker := NewMutateFactory(mutateExistence)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	var mutateEqual kyverno.Mutation
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "=(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutateEqual)
+	assert.NilError(t, err)
+
+	checker = NewMutateFactory(mutateEqual)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	var mutateNegation kyverno.Mutation
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "X(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutateNegation)
+	assert.NilError(t, err)
+
+	checker = NewMutateFactory(mutateEqual)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Mutate_Unsupported(t *testing.T) {
+	var err error
+	var mutate kyverno.Mutation
+	// case 1
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "!(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+
+	checker := NewMutateFactory(mutate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	// case 2
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "~(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+
+	checker = NewMutateFactory(mutate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index bc44d7524f..f6ac936c90 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -4,12 +4,10 @@ import (
 	"errors"
 	"fmt"
 	"reflect"
-	"regexp"
-	"strconv"
 	"strings"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"github.com/nirmata/kyverno/pkg/engine/anchor"
+	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -17,7 +15,7 @@ import (
 // Validate does some initial check to verify some conditions
 // - One operation per rule
 // - ResourceDescription mandatory checks
-func Validate(p kyverno.ClusterPolicy) error {
+func Validate(p kyverno.ClusterPolicy, client *dclient.Client) error {
 	if path, err := validateUniqueRuleName(p); err != nil {
 		return fmt.Errorf("path: spec.%s: %v", path, err)
 	}
@@ -50,24 +48,12 @@ func Validate(p kyverno.ClusterPolicy) error {
 			// as there are more than 1 operation in rule, not need to evaluate it further
 			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
 		}
-		// Operation Validation
-		// Mutation
-		if rule.HasMutate() {
-			if path, err := validateMutation(rule.Mutation); err != nil {
-				return fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", i, path, err)
-			}
-		}
-		// Validation
-		if rule.HasValidate() {
-			if path, err := validateValidation(rule.Validation); err != nil {
-				return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", i, path, err)
-			}
-		}
-		// Generation
-		if rule.HasGenerate() {
-			if path, err := validateGeneration(rule.Generation); err != nil {
-				return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", i, path, err)
-			}
+		// validate rule actions
+		// - Mutate
+		// - Validate
+		// - Generate
+		if err := validateActions(i, rule, client); err != nil {
+			return err
 		}
 
 		// If a rules match block does not match any kind,
@@ -262,193 +248,3 @@ func validateResourceDescription(rd kyverno.ResourceDescription) error {
 	}
 	return nil
 }
-
-func validateMutation(m kyverno.Mutation) (string, error) {
-	// JSON Patches
-	if len(m.Patches) != 0 {
-		for i, patch := range m.Patches {
-			if err := validatePatch(patch); err != nil {
-				return fmt.Sprintf("patch[%d]", i), err
-			}
-		}
-	}
-	// Overlay
-	if m.Overlay != nil {
-		path, err := validatePattern(m.Overlay, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsAddingAnchor})
-		if err != nil {
-			return path, err
-		}
-	}
-	return "", nil
-}
-
-// Validate if all mandatory PolicyPatch fields are set
-func validatePatch(pp kyverno.Patch) error {
-	if pp.Path == "" {
-		return errors.New("JSONPatch field 'path' is mandatory")
-	}
-	if pp.Operation == "add" || pp.Operation == "replace" {
-		if pp.Value == nil {
-			return fmt.Errorf("JSONPatch field 'value' is mandatory for operation '%s'", pp.Operation)
-		}
-
-		return nil
-	} else if pp.Operation == "remove" {
-		return nil
-	}
-
-	return fmt.Errorf("Unsupported JSONPatch operation '%s'", pp.Operation)
-}
-
-func validateValidation(v kyverno.Validation) (string, error) {
-	if err := validateOverlayPattern(v); err != nil {
-		// no need to proceed ahead
-		return "", err
-	}
-
-	if v.Pattern != nil {
-		if path, err := validatePattern(v.Pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
-			return fmt.Sprintf("pattern.%s", path), err
-		}
-	}
-
-	if len(v.AnyPattern) != 0 {
-		for i, pattern := range v.AnyPattern {
-			if path, err := validatePattern(pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
-				return fmt.Sprintf("anyPattern[%d].%s", i, path), err
-			}
-		}
-	}
-	return "", nil
-}
-
-// validateOverlayPattern checks one of pattern/anyPattern must exist
-func validateOverlayPattern(v kyverno.Validation) error {
-	if v.Pattern == nil && len(v.AnyPattern) == 0 {
-		return fmt.Errorf("a pattern or anyPattern must be specified")
-	}
-
-	if v.Pattern != nil && len(v.AnyPattern) != 0 {
-		return fmt.Errorf("only one operation allowed per validation rule(pattern or anyPattern)")
-	}
-
-	return nil
-}
-
-// Validate returns error if generator is configured incompletely
-func validateGeneration(gen kyverno.Generation) (string, error) {
-
-	if gen.Data == nil && gen.Clone == (kyverno.CloneFrom{}) {
-		return "", fmt.Errorf("clone or data are required")
-	}
-	if gen.Data != nil && gen.Clone != (kyverno.CloneFrom{}) {
-		return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)")
-	}
-	// check kind is non empty
-	// check name is non empty
-	if gen.Name == "" {
-		return "name", fmt.Errorf("name cannot be empty")
-	}
-	if gen.Kind == "" {
-		return "kind", fmt.Errorf("kind cannot be empty")
-	}
-	if !reflect.DeepEqual(gen.Clone, kyverno.CloneFrom{}) {
-		if path, err := validateClone(gen.Clone); err != nil {
-			return fmt.Sprintf("clone.%s", path), err
-		}
-	}
-	if gen.Data != nil {
-		//TODO: is this required ?? as anchors can only be on pattern and not resource
-		// we can add this check by not sure if its needed here
-		if path, err := validatePattern(gen.Data, "/", []anchor.IsAnchor{}); err != nil {
-			return fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err)
-		}
-	}
-	return "", nil
-}
-
-func validateClone(c kyverno.CloneFrom) (string, error) {
-	if c.Name == "" {
-		return "name", fmt.Errorf("name cannot be empty")
-	}
-	if c.Namespace == "" {
-		return "namespace", fmt.Errorf("namespace cannot be empty")
-	}
-	return "", nil
-}
-
-func validatePattern(patternElement interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
-	switch typedPatternElement := patternElement.(type) {
-	case map[string]interface{}:
-		return validateMap(typedPatternElement, path, supportedAnchors)
-	case []interface{}:
-		return validateArray(typedPatternElement, path, supportedAnchors)
-	case string, float64, int, int64, bool, nil:
-		//TODO? check operator
-		return "", nil
-	default:
-		return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path)
-	}
-}
-
-func validateMap(patternMap map[string]interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
-	// check if anchors are defined
-	for key, value := range patternMap {
-		// if key is anchor
-		// check regex () -> this is anchor
-		// ()
-		// single char ()
-		re, err := regexp.Compile(`^.?\(.+\)$`)
-		if err != nil {
-			return path + "/" + key, fmt.Errorf("Unable to parse the field %s: %v", key, err)
-		}
-
-		matched := re.MatchString(key)
-		// check the type of anchor
-		if matched {
-			// some type of anchor
-			// check if valid anchor
-			if !checkAnchors(key, supportedAnchors) {
-				return path + "/" + key, fmt.Errorf("Unsupported anchor %s", key)
-			}
-
-			// addition check for existence anchor
-			// value must be of type list
-			if anchor.IsExistenceAnchor(key) {
-				typedValue, ok := value.([]interface{})
-				if !ok {
-					return path + "/" + key, fmt.Errorf("Existence anchor should have value of type list")
-				}
-				// validate there is only one entry in the list
-				if len(typedValue) == 0 || len(typedValue) > 1 {
-					return path + "/" + key, fmt.Errorf("Existence anchor: single value expected, multiple specified")
-				}
-			}
-		}
-		// lets validate the values now :)
-		if errPath, err := validatePattern(value, path+"/"+key, supportedAnchors); err != nil {
-			return errPath, err
-		}
-	}
-	return "", nil
-}
-
-func validateArray(patternArray []interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
-	for i, patternElement := range patternArray {
-		currentPath := path + strconv.Itoa(i) + "/"
-		// lets validate the values now :)
-		if errPath, err := validatePattern(patternElement, currentPath, supportedAnchors); err != nil {
-			return errPath, err
-		}
-	}
-	return "", nil
-}
-
-func checkAnchors(key string, supportedAnchors []anchor.IsAnchor) bool {
-	for _, f := range supportedAnchors {
-		if f(key) {
-			return true
-		}
-	}
-	return false
-}
diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go
new file mode 100644
index 0000000000..3889f9f163
--- /dev/null
+++ b/pkg/policy/validate/validate.go
@@ -0,0 +1,61 @@
+package validate
+
+import (
+	"fmt"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/engine/anchor"
+	"github.com/nirmata/kyverno/pkg/policy/common"
+)
+
+// Validate provides implementation to validate 'validate' rule
+type Validate struct {
+	// rule to hold 'validate' rule specifications
+	rule kyverno.Validation
+}
+
+//NewValidateFactory returns a new instance of Mutate validation checker
+func NewValidateFactory(rule kyverno.Validation) *Validate {
+	m := Validate{
+		rule: rule,
+	}
+	return &m
+}
+
+//Validate validates the 'validate' rule
+func (v *Validate) Validate() (string, error) {
+	rule := v.rule
+	if err := v.validateOverlayPattern(); err != nil {
+		// no need to proceed ahead
+		return "", err
+	}
+
+	if rule.Pattern != nil {
+		if path, err := common.ValidatePattern(rule.Pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
+			return fmt.Sprintf("pattern.%s", path), err
+		}
+	}
+
+	if len(rule.AnyPattern) != 0 {
+		for i, pattern := range rule.AnyPattern {
+			if path, err := common.ValidatePattern(pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
+				return fmt.Sprintf("anyPattern[%d].%s", i, path), err
+			}
+		}
+	}
+	return "", nil
+}
+
+// validateOverlayPattern checks one of pattern/anyPattern must exist
+func (v *Validate) validateOverlayPattern() error {
+	rule := v.rule
+	if rule.Pattern == nil && len(rule.AnyPattern) == 0 {
+		return fmt.Errorf("a pattern or anyPattern must be specified")
+	}
+
+	if rule.Pattern != nil && len(rule.AnyPattern) != 0 {
+		return fmt.Errorf("only one operation allowed per validation rule(pattern or anyPattern)")
+	}
+
+	return nil
+}
diff --git a/pkg/policy/validate/validate_test.go b/pkg/policy/validate/validate_test.go
new file mode 100644
index 0000000000..ee83204707
--- /dev/null
+++ b/pkg/policy/validate/validate_test.go
@@ -0,0 +1,381 @@
+package validate
+
+import (
+	"encoding/json"
+	"testing"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"gotest.tools/assert"
+)
+
+func Test_Validate_OverlayPattern_Empty(t *testing.T) {
+	rawValidation := []byte(`
+   {}`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) {
+	rawValidation := []byte(`
+ 	{ "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
+      }
+	`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) {
+	rawValidation := []byte(`
+	{
+		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
+		"anyPattern": [
+		  {
+			"spec": {
+			  "securityContext": {
+				"allowPrivilegeEscalation": false,
+				"privileged": false
+			  }
+			}
+		  }
+		],
+		"pattern": {
+		  "spec": {
+			"containers": [
+			  {
+				"name": "*",
+				"securityContext": {
+				  "allowPrivilegeEscalation": false,
+				  "privileged": false
+				}
+			  }
+			]
+		  }
+		}
+	  }`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+func Test_Validate_OverlayPattern_Valid(t *testing.T) {
+	rawValidation := []byte(`
+	{
+		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
+		"anyPattern": [
+		  {
+			"spec": {
+			  "securityContext": {
+				"allowPrivilegeEscalation": false,
+				"privileged": false
+			  }
+			}
+		  },
+		  {
+			"spec": {
+			  "containers": [
+				{
+				  "name": "*",
+				  "securityContext": {
+					"allowPrivilegeEscalation": false,
+					"privileged": false
+				  }
+				}
+			  ]
+			}
+		  }
+		]
+	  }
+`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) {
+	rawValidation := []byte(`
+	{
+		"message": "validate container security contexts",
+		"anyPattern": [
+		  {
+			"spec": {
+			  "template": {
+				"spec": {
+				  "containers": [
+					{
+					  "^(securityContext)": {
+						"runAsNonRoot": true
+					  }
+					}
+				  ]
+				}
+			  }
+			}
+		  }
+		]
+	  }
+`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) {
+	rawValidation := []byte(`{
+		"message": "validate container security contexts",
+		"pattern": {
+		  "spec": {
+			"template": {
+			  "spec": {
+				"containers": [
+				  {
+					"securityContext": {
+					  "allowPrivilegeEscalation": "^(false)"
+					}
+				  }
+				]
+			  }
+			}
+		  }
+		}
+	  }
+	  		  `)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_ExistingAnchor_Valid(t *testing.T) {
+	var err error
+	var validation kyverno.Validation
+	rawValidation := []byte(`
+	{
+		"message": "validate container security contexts",
+		"anyPattern": [
+		   {
+			  "spec": {
+				 "template": {
+					"spec": {
+					   "^(containers)": [
+						  {
+							 "securityContext": {
+								"runAsNonRoot": "true"
+							 }
+						  }
+					   ]
+					}
+				 }
+			  }
+		   }
+		]
+	 }`)
+
+	err = json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+	rawValidation = []byte(`
+	{
+		"message": "validate container security contexts",
+		"pattern": {
+		   "spec": {
+			  "template": {
+				 "spec": {
+					"^(containers)": [
+					   {
+						  "securityContext": {
+							 "allowPrivilegeEscalation": "false"
+						  }
+					   }
+					]
+				 }
+			  }
+		   }
+		}
+	 }	`)
+	err = json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker = NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+}
+
+func Test_Validate_Validate_ValidAnchor(t *testing.T) {
+	var err error
+	var validate kyverno.Validation
+	var rawValidate []byte
+	// case 1
+	rawValidate = []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"anyPattern": [
+		    {
+			  "spec": {
+				 "securityContext": {
+					"(runAsNonRoot)": true
+				 }
+			  }
+		   },
+		   {
+			  "spec": {
+				 "^(containers)": [
+					{
+					   "name": "*",
+					   "securityContext": {
+						  "runAsNonRoot": true
+					   }
+					}
+				 ]
+			  }
+		   }
+		]
+	 }`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+
+	checker := NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+
+	// case 2
+	validate = kyverno.Validation{}
+	rawValidate = []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "=(securityContext)": {
+				 "runAsNonRoot": "true"
+			  }
+		   }
+		}
+	}`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+
+	checker = NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_Validate_Mismatched(t *testing.T) {
+	rawValidate := []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "containers": [
+				 {
+					"name": "*",
+					"securityContext": {
+					   "+(runAsNonRoot)": true
+					}
+				 }
+			  ]
+		   }
+		}
+	 }`)
+
+	var validate kyverno.Validation
+	err := json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Validate_Unsupported(t *testing.T) {
+	var err error
+	var validate kyverno.Validation
+
+	// case 1
+	rawValidate := []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "containers": [
+				 {
+					"name": "*",
+					"securityContext": {
+					   "!(runAsNonRoot)": true
+					}
+				 }
+			  ]
+		   }
+		}
+	}`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	// case 2
+	rawValidate = []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "containers": [
+				 {
+					"name": "*",
+					"securityContext": {
+					   "~(runAsNonRoot)": true
+					}
+				 }
+			  ]
+		   }
+		}
+	}`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+
+	checker = NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+}
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 387c87707b..e020001627 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -287,369 +287,6 @@ func Test_Validate_ResourceDescription_InvalidSelector(t *testing.T) {
 	assert.Assert(t, err != nil)
 }
 
-func Test_Validate_OverlayPattern_Empty(t *testing.T) {
-	rawValidation := []byte(`
-   {}`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) {
-	rawValidation := []byte(`
- 	{ "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
-      }
-	`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) {
-	rawValidation := []byte(`
-	{
-		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
-		"anyPattern": [
-		  {
-			"spec": {
-			  "securityContext": {
-				"allowPrivilegeEscalation": false,
-				"privileged": false
-			  }
-			}
-		  }
-		],
-		"pattern": {
-		  "spec": {
-			"containers": [
-			  {
-				"name": "*",
-				"securityContext": {
-				  "allowPrivilegeEscalation": false,
-				  "privileged": false
-				}
-			  }
-			]
-		  }
-		}
-	  }`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_OverlayPattern_Valid(t *testing.T) {
-	rawValidation := []byte(`
-	{
-		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
-		"anyPattern": [
-		  {
-			"spec": {
-			  "securityContext": {
-				"allowPrivilegeEscalation": false,
-				"privileged": false
-			  }
-			}
-		  },
-		  {
-			"spec": {
-			  "containers": [
-				{
-				  "name": "*",
-				  "securityContext": {
-					"allowPrivilegeEscalation": false,
-					"privileged": false
-				  }
-				}
-			  ]
-			}
-		  }
-		]
-	  }
-`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.NilError(t, err)
-	}
-
-}
-
-func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) {
-	rawValidation := []byte(`
-	{
-		"message": "validate container security contexts",
-		"anyPattern": [
-		  {
-			"spec": {
-			  "template": {
-				"spec": {
-				  "containers": [
-					{
-					  "^(securityContext)": {
-						"runAsNonRoot": true
-					  }
-					}
-				  ]
-				}
-			  }
-			}
-		  }
-		]
-	  }
-`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-}
-
-func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) {
-	rawValidation := []byte(`{
-		"message": "validate container security contexts",
-		"pattern": {
-		  "spec": {
-			"template": {
-			  "spec": {
-				"containers": [
-				  {
-					"securityContext": {
-					  "allowPrivilegeEscalation": "^(false)"
-					}
-				  }
-				]
-			  }
-			}
-		  }
-		}
-	  }
-	  		  `)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_ExistingAnchor_Valid(t *testing.T) {
-	var err error
-	var validation kyverno.Validation
-	rawValidation := []byte(`
-	{
-		"message": "validate container security contexts",
-		"anyPattern": [
-		   {
-			  "spec": {
-				 "template": {
-					"spec": {
-					   "^(containers)": [
-						  {
-							 "securityContext": {
-								"runAsNonRoot": "true"
-							 }
-						  }
-					   ]
-					}
-				 }
-			  }
-		   }
-		]
-	 }`)
-
-	err = json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-	rawValidation = []byte(`
-	{
-		"message": "validate container security contexts",
-		"pattern": {
-		   "spec": {
-			  "template": {
-				 "spec": {
-					"^(containers)": [
-					   {
-						  "securityContext": {
-							 "allowPrivilegeEscalation": "false"
-						  }
-					   }
-					]
-				 }
-			  }
-		   }
-		}
-	 }	`)
-	err = json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-}
-
-func Test_Validate_Validate_ValidAnchor(t *testing.T) {
-	var err error
-	var validate kyverno.Validation
-	var rawValidate []byte
-	// case 1
-	rawValidate = []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"anyPattern": [
-		    {
-			  "spec": {
-				 "securityContext": {
-					"(runAsNonRoot)": true
-				 }
-			  }
-		   },
-		   {
-			  "spec": {
-				 "^(containers)": [
-					{
-					   "name": "*",
-					   "securityContext": {
-						  "runAsNonRoot": true
-					   }
-					}
-				 ]
-			  }
-		   }
-		]
-	 }`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-
-	if _, err := validateValidation(validate); err != nil {
-		assert.NilError(t, err)
-	}
-
-	// case 2
-	validate = kyverno.Validation{}
-	rawValidate = []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "=(securityContext)": {
-				 "runAsNonRoot": "true"
-			  }
-		   }
-		}
-	}`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-
-	if _, err := validateValidation(validate); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_Validate_Mismatched(t *testing.T) {
-	rawValidate := []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "containers": [
-				 {
-					"name": "*",
-					"securityContext": {
-					   "+(runAsNonRoot)": true
-					}
-				 }
-			  ]
-		   }
-		}
-	 }`)
-
-	var validate kyverno.Validation
-	err := json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Validate_Unsupported(t *testing.T) {
-	var err error
-	var validate kyverno.Validation
-
-	// case 1
-	rawValidate := []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "containers": [
-				 {
-					"name": "*",
-					"securityContext": {
-					   "!(runAsNonRoot)": true
-					}
-				 }
-			  ]
-		   }
-		}
-	}`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	// case 2
-	rawValidate = []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "containers": [
-				 {
-					"name": "*",
-					"securityContext": {
-					   "~(runAsNonRoot)": true
-					}
-				 }
-			  ]
-		   }
-		}
-	}`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-
-	if _, err := validateValidation(validate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-}
-
 func Test_Validate_Policy(t *testing.T) {
 	rawPolicy := []byte(`
 	{
@@ -736,225 +373,10 @@ func Test_Validate_Policy(t *testing.T) {
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = Validate(policy)
+	err = Validate(policy, nil)
 	assert.NilError(t, err)
 }
 
-func Test_Validate_Mutate_ConditionAnchor(t *testing.T) {
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		  "spec": {
-			"(serviceAccountName)": "*",
-			"automountServiceAccountToken": false
-		  }
-		}
-	  }`)
-
-	var mutate kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-	if _, err := validateMutation(mutate); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_Mutate_PlusAnchor(t *testing.T) {
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "+(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	var mutate kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutate); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_Mutate_Mismatched(t *testing.T) {
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "^(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	var mutateExistence kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutateExistence)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutateExistence); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	var mutateEqual kyverno.Mutation
-	rawMutate = []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "=(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutateEqual)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutateEqual); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	var mutateNegation kyverno.Mutation
-	rawMutate = []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "X(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutateNegation)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutateEqual); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Mutate_Unsupported(t *testing.T) {
-	var err error
-	var mutate kyverno.Mutation
-	// case 1
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "!(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	// case 2
-	rawMutate = []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "~(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Generate(t *testing.T) {
-	rawGenerate := []byte(`
-	{
-		"kind": "NetworkPolicy",
-		"name": "defaultnetworkpolicy",
-		"data": {
-		   "spec": {
-			  "podSelector": {},
-			  "policyTypes": [
-				 "Ingress",
-				 "Egress"
-			  ],
-			  "ingress": [
-				 {}
-			  ],
-			  "egress": [
-				 {}
-			  ]
-		   }
-		}
-	 }`)
-
-	var generate kyverno.Generation
-	err := json.Unmarshal(rawGenerate, &generate)
-	assert.NilError(t, err)
-
-	if _, err := validateGeneration(generate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Generate_HasAnchors(t *testing.T) {
-	var err error
-	var generate kyverno.Generation
-	rawGenerate := []byte(`
-	{
-		"kind": "NetworkPolicy",
-		"name": "defaultnetworkpolicy",
-		"data": {
-		   "spec": {
-			  "(podSelector)": {},
-			  "policyTypes": [
-				 "Ingress",
-				 "Egress"
-			  ],
-			  "ingress": [
-				 {}
-			  ],
-			  "egress": [
-				 {}
-			  ]
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawGenerate, &generate)
-	assert.NilError(t, err)
-	if _, err := validateGeneration(generate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	rawGenerate = []byte(`
-	{
-		"kind": "ConfigMap",
-		"name": "copied-cm",
-		"clone": {
-		   "^(namespace)": "default",
-		   "name": "game"
-		}
-	 }`)
-
-	errNew := json.Unmarshal(rawGenerate, &generate)
-	assert.NilError(t, errNew)
-	err = json.Unmarshal(rawGenerate, &generate)
-	assert.NilError(t, err)
-	if _, err := validateGeneration(generate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
 func Test_Validate_ErrorFormat(t *testing.T) {
 	rawPolicy := []byte(`
 	{
@@ -1097,7 +519,7 @@ func Test_Validate_ErrorFormat(t *testing.T) {
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = Validate(policy)
+	err = Validate(policy, nil)
 	assert.Assert(t, err != nil)
 }
 
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index ebe45e47cc..fcb79c7163 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -27,7 +27,7 @@ func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionReques
 				Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err),
 			}}
 	}
-	if err := policyvalidate.Validate(*policy); err != nil {
+	if err := policyvalidate.Validate(*policy, ws.client); err != nil {
 		admissionResp = &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{

From 5912eda1c07e841dbc2e95687f1048aaae897051 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Wed, 11 Mar 2020 18:14:42 -0700
Subject: [PATCH 005/201] fix comments

---
 pkg/policy/generate/validate.go | 2 +-
 pkg/policy/mutate/validate.go   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go
index 230891516b..427faa33e9 100644
--- a/pkg/policy/generate/validate.go
+++ b/pkg/policy/generate/validate.go
@@ -30,7 +30,7 @@ func NewGenerateFactory(client *dclient.Client, rule kyverno.Generation) *Genera
 	return &g
 }
 
-//Validate validates the generate rule in validation
+//Validate validates the 'generate' rule
 func (g *Generate) Validate() (string, error) {
 	rule := g.rule
 	if rule.Data == nil && rule.Clone == (kyverno.CloneFrom{}) {
diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go
index 581645740e..6a24c3d388 100644
--- a/pkg/policy/mutate/validate.go
+++ b/pkg/policy/mutate/validate.go
@@ -23,7 +23,7 @@ func NewMutateFactory(rule kyverno.Mutation) *Mutate {
 	return &m
 }
 
-//Validate validates the 'mutate' rul
+//Validate validates the 'mutate' rule
 func (m *Mutate) Validate() (string, error) {
 	rule := m.rule
 	// JSON Patches

From 8dda9cc4130a223cb867d83e9e222d6b51c39f12 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Mon, 16 Mar 2020 14:08:13 +0530
Subject: [PATCH 006/201] 725 error response now returns rule message if it
 exists

---
 pkg/engine/validation.go | 6 +++++-
 pkg/webhooks/common.go   | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 10e86e084f..fc4e89bf1c 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -235,7 +235,11 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 			}
 			resp.Success = false
 			glog.V(4).Infof("Validation rule '%s' failed. %s", rule.Name, errorStr)
-			resp.Message = fmt.Sprintf("Validation rule '%s' has failed", rule.Name)
+			if rule.Validation.Message == "" {
+				resp.Message = fmt.Sprintf("Validation rule '%s' has failed", rule.Name)
+			} else {
+				resp.Message = rule.Validation.Message
+			}
 			return resp
 		}
 	}
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index 34b1f2c968..2ca90049f8 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -39,10 +39,10 @@ func toBlockResource(engineReponses []response.EngineResponse) bool {
 }
 
 // getEnforceFailureErrorMsg gets the error messages for failed enforce policy
-func getEnforceFailureErrorMsg(engineReponses []response.EngineResponse) string {
+func getEnforceFailureErrorMsg(engineResponses []response.EngineResponse) string {
 	policyToRule := make(map[string]interface{})
 	var resourceName string
-	for _, er := range engineReponses {
+	for _, er := range engineResponses {
 		if !er.IsSuccesful() && er.PolicyResponse.ValidationFailureAction == Enforce {
 			ruleToReason := make(map[string]string)
 			for _, rule := range er.PolicyResponse.Rules {

From 46c3b785189e58cee9d45f346d26581715e1ccf8 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Mon, 16 Mar 2020 14:18:51 +0530
Subject: [PATCH 007/201] 725 fixing tests

---
 pkg/engine/validation_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index a7a036bedc..5a77d81b69 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -294,7 +294,7 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
-	msgs := []string{"Validation rule 'check-default-namespace' has failed"}
+	msgs := []string{"A namespace is required"}
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
 	}

From 1b1ab78f77998810e5e8dee114d09a2967ba4835 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Tue, 17 Mar 2020 11:05:20 -0700
Subject: [PATCH 008/201] logs & access

---
 cmd/initContainer/main.go                     |  64 +++++---
 cmd/kyverno/main.go                           |  84 ++++++----
 pkg/api/kyverno/v1/zz_generated.deepcopy.go   |   8 +-
 pkg/auth/auth.go                              |  24 +--
 pkg/checker/checker.go                        |  41 ++---
 pkg/checker/status.go                         |  26 ++--
 pkg/client/clientset/versioned/clientset.go   |   7 +
 .../versioned/fake/clientset_generated.go     |   7 +-
 .../typed/kyverno/v1/kyverno_client.go        |   3 +-
 pkg/config/config.go                          |  24 +--
 pkg/config/dynamicconfig.go                   |  39 ++---
 pkg/dclient/certificates.go                   |  37 +++--
 pkg/dclient/client.go                         |  31 ++--
 pkg/engine/anchor/anchor.go                   |  15 +-
 pkg/engine/context/context.go                 |  19 +--
 pkg/engine/context/evaluate.go                |   7 +-
 pkg/engine/generation.go                      |  17 +-
 pkg/engine/mutate/overlayCondition.go         |   3 +-
 pkg/engine/mutation.go                        |  35 ++---
 pkg/engine/policyContext.go                   |   3 +
 pkg/engine/utils.go                           |   5 +-
 pkg/engine/validate/pattern.go                |  76 ++++-----
 pkg/engine/validate/pattern_test.go           | 113 +++++++-------
 pkg/engine/validate/validate.go               |  52 +++----
 pkg/engine/validate/validate_test.go          |  43 ++---
 pkg/engine/validation.go                      |  53 ++++---
 pkg/engine/variables/evaluate.go              |  11 +-
 pkg/engine/variables/evaluate_test.go         |  61 ++++----
 pkg/engine/variables/operator/equal.go        |  40 ++---
 pkg/engine/variables/operator/notequal.go     |  39 ++---
 pkg/engine/variables/operator/operator.go     |  12 +-
 pkg/engine/variables/variables_test.go        |  19 +--
 pkg/engine/variables/vars.go                  |  34 ++--
 pkg/engine/variables/vars_test.go             |   7 +-
 pkg/event/controller.go                       |  52 ++++---
 pkg/generate/cleanup/controller.go            |  47 +++---
 pkg/generate/controller.go                    |  42 +++--
 pkg/generate/generate.go                      |  64 ++++----
 pkg/generate/labels.go                        |   6 +-
 pkg/generate/report.go                        |   5 +-
 pkg/log/deleg.go                              | 121 ++++++++++++++
 pkg/log/log.go                                |  15 ++
 pkg/log/null.go                               |  44 ++++++
 pkg/policy/actions.go                         |   3 +-
 pkg/policy/apply.go                           |  41 ++---
 pkg/policy/background.go                      |  11 +-
 pkg/policy/cleanup.go                         |  44 ++++--
 pkg/policy/controller.go                      |  53 ++++---
 pkg/policy/existing.go                        |  61 +++-----
 pkg/policy/generate/auth.go                   |  13 +-
 pkg/policy/generate/validate.go               |  13 +-
 pkg/policy/namespacedpv.go                    |   8 +-
 pkg/policy/report.go                          |  16 +-
 pkg/policystore/policystore.go                |  16 +-
 pkg/policyviolation/builder.go                |   7 +-
 pkg/policyviolation/builder_test.go           |   3 +-
 pkg/policyviolation/generator.go              |  37 +++--
 pkg/utils/util.go                             |  15 +-
 pkg/version/version.go                        |  10 +-
 pkg/webhookconfig/checker.go                  |   8 +-
 pkg/webhookconfig/common.go                   | 147 +++++++++++++++++-
 pkg/webhookconfig/policy.go                   |  16 +-
 pkg/webhookconfig/registration.go             |  25 ++-
 pkg/webhookconfig/resource.go                 |  37 +++--
 pkg/webhookconfig/rwebhookregister.go         |  35 +++--
 pkg/webhooks/admission_test.go                |   1 -
 pkg/webhooks/annotations.go                   |  22 ++-
 pkg/webhooks/annotations_test.go              |  13 +-
 pkg/webhooks/checker.go                       |   5 +-
 pkg/webhooks/common.go                        |  12 +-
 pkg/webhooks/generate/generate.go             |  30 ++--
 pkg/webhooks/generation.go                    |  13 +-
 pkg/webhooks/mutation.go                      |  37 ++---
 pkg/webhooks/policymutation.go                |  50 +++---
 pkg/webhooks/policymutation_test.go           |  15 +-
 pkg/webhooks/policyvalidation.go              |   4 +-
 pkg/webhooks/report.go                        |   7 +-
 pkg/webhooks/server.go                        |  57 +++----
 pkg/webhooks/validation.go                    |  33 ++--
 79 files changed, 1415 insertions(+), 958 deletions(-)
 create mode 100644 pkg/log/deleg.go
 create mode 100644 pkg/log/log.go
 create mode 100644 pkg/log/null.go
 delete mode 100644 pkg/webhooks/admission_test.go

diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index 9c5a9141ba..7a9de3557f 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -5,23 +5,26 @@ package main
 
 import (
 	"flag"
+	"fmt"
 	"os"
 	"regexp"
 	"strconv"
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
+	"github.com/nirmata/kyverno/pkg/log"
 	"github.com/nirmata/kyverno/pkg/signal"
 	"k8s.io/apimachinery/pkg/api/errors"
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 )
 
 var (
 	kubeconfig string
+	setupLog   = log.Log.WithName("setup")
 )
 
 const (
@@ -30,20 +33,21 @@ const (
 )
 
 func main() {
-	defer glog.Flush()
 	// os signal handler
 	stopCh := signal.SetupSignalHandler()
 	// create client config
 	clientConfig, err := createClientConfig(kubeconfig)
 	if err != nil {
-		glog.Fatalf("Error building kubeconfig: %v\n", err)
+		setupLog.Error(err, "Failed to build kubeconfig")
+		os.Exit(1)
 	}
 
 	// DYNAMIC CLIENT
 	// - client for all registered resources
-	client, err := client.NewClient(clientConfig, 10*time.Second, stopCh)
+	client, err := client.NewClient(clientConfig, 10*time.Second, stopCh, log.Log)
 	if err != nil {
-		glog.Fatalf("Error creating client: %v\n", err)
+		setupLog.Error(err, "Failed to create client")
+		os.Exit(1)
 	}
 
 	// Exit for unsupported version of kubernetes cluster
@@ -78,12 +82,12 @@ func main() {
 	for err := range merge(done, stopCh, p1, p2) {
 		if err != nil {
 			failure = true
-			glog.Errorf("failed to cleanup: %v", err)
+			log.Log.Error(err, "failed to cleanup resource")
 		}
 	}
 	// if there is any failure then we fail process
 	if failure {
-		glog.Errorf("failed to cleanup webhook configurations")
+		log.Log.Info("failed to cleanup webhook configurations")
 		os.Exit(1)
 	}
 }
@@ -95,36 +99,41 @@ func init() {
 	flag.Set("stderrthreshold", "WARNING")
 	flag.Set("v", "2")
 	flag.Parse()
+	log.SetLogger(zap.New(func(o *zap.Options) {
+		o.Development = true
+	}))
 }
 
 func removeWebhookIfExists(client *client.Client, kind string, name string) error {
+	logger := log.Log.WithName("removeExistingWebhook").WithValues("kind", kind, "name", name)
 	var err error
 	// Get resource
 	_, err = client.GetResource(kind, "", name)
 	if errors.IsNotFound(err) {
-		glog.V(4).Infof("%s(%s) not found", name, kind)
+		logger.V(4).Info("resource not found")
 		return nil
 	}
 	if err != nil {
-		glog.Errorf("failed to get resource %s(%s)", name, kind)
+		logger.Error(err, "failed to get resource")
 		return err
 	}
 	// Delete resource
 	err = client.DeleteResource(kind, "", name, false)
 	if err != nil {
-		glog.Errorf("failed to delete resource %s(%s)", name, kind)
+		logger.Error(err, "failed to delete resource")
 		return err
 	}
-	glog.Infof("cleaned up resource %s(%s)", name, kind)
+	logger.Info("removed the resource")
 	return nil
 }
 
 func createClientConfig(kubeconfig string) (*rest.Config, error) {
+	logger := log.Log
 	if kubeconfig == "" {
-		glog.Info("Using in-cluster configuration")
+		logger.Info("Using in-cluster configuration")
 		return rest.InClusterConfig()
 	}
-	glog.Infof("Using configuration from '%s'", kubeconfig)
+	logger.Info(fmt.Sprintf("Using configuration from '%s'", kubeconfig))
 	return clientcmd.BuildConfigFromFlags("", kubeconfig)
 }
 
@@ -163,6 +172,7 @@ func gen(done <-chan struct{}, stopCh <-chan struct{}, requests ...request) <-ch
 
 // processes the requests
 func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}, requests <-chan request) <-chan error {
+	logger := log.Log.WithName("process")
 	out := make(chan error)
 	go func() {
 		defer close(out)
@@ -170,10 +180,10 @@ func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}
 			select {
 			case out <- removeWebhookIfExists(client, req.kind, req.name):
 			case <-done:
-				println("done process")
+				logger.Info("done")
 				return
 			case <-stopCh:
-				println("shutting down process")
+				logger.Info("shutting down")
 				return
 			}
 		}
@@ -183,6 +193,7 @@ func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}
 
 // waits for all processes to be complete and merges result
 func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan error) <-chan error {
+	logger := log.Log.WithName("merge")
 	var wg sync.WaitGroup
 	out := make(chan error)
 	// gets the output from each process
@@ -192,10 +203,10 @@ func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan err
 			select {
 			case out <- err:
 			case <-done:
-				println("done merge")
+				logger.Info("done")
 				return
 			case <-stopCh:
-				println("shutting down merge")
+				logger.Info("shutting down")
 				return
 			}
 		}
@@ -215,30 +226,37 @@ func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan err
 }
 
 func isVersionSupported(client *client.Client) {
+	logger := log.Log
 	serverVersion, err := client.DiscoveryClient.GetServerVersion()
 	if err != nil {
-		glog.Fatalf("Failed to get kubernetes server version: %v\n", err)
+		logger.Error(err, "Failed to get kubernetes server version")
+		os.Exit(1)
 	}
 	exp := regexp.MustCompile(`v(\d*).(\d*).(\d*)`)
 	groups := exp.FindAllStringSubmatch(serverVersion.String(), -1)
 	if len(groups) != 1 || len(groups[0]) != 4 {
-		glog.Fatalf("Failed to extract kubernetes server version: %v.err %v\n", serverVersion, err)
+		logger.Error(err, "Failed to extract kubernetes server version", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 	// convert string to int
 	// assuming the version are always intergers
 	major, err := strconv.Atoi(groups[0][1])
 	if err != nil {
-		glog.Fatalf("Failed to extract kubernetes major server version: %v.err %v\n", serverVersion, err)
+		logger.Error(err, "Failed to extract kubernetes major server version", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 	minor, err := strconv.Atoi(groups[0][2])
 	if err != nil {
-		glog.Fatalf("Failed to extract kubernetes minor server version: %v.err %v\n", serverVersion, err)
+		logger.Error(err, "Failed to extract kubernetes minor server version", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 	sub, err := strconv.Atoi(groups[0][3])
 	if err != nil {
-		glog.Fatalf("Failed to extract kubernetes sub minor server version:%v. err %v\n", serverVersion, err)
+		logger.Error(err, "Failed to extract kubernetes sub minor server version", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 	if major <= 1 && minor <= 12 && sub < 7 {
-		glog.Fatalf("Unsupported kubernetes server version %s. Kyverno is supported from version v1.12.7+", serverVersion)
+		logger.Info("Unsupported kubernetes server version %s. Kyverno is supported from version v1.12.7+", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 }
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 62cefceeb9..8ecf67cefd 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -3,6 +3,8 @@ package main
 import (
 	"context"
 	"flag"
+	"fmt"
+	"os"
 	"time"
 
 	"github.com/golang/glog"
@@ -14,6 +16,7 @@ import (
 	event "github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/generate"
 	generatecleanup "github.com/nirmata/kyverno/pkg/generate/cleanup"
+	"github.com/nirmata/kyverno/pkg/log"
 	"github.com/nirmata/kyverno/pkg/policy"
 	"github.com/nirmata/kyverno/pkg/policystore"
 	"github.com/nirmata/kyverno/pkg/policyviolation"
@@ -24,6 +27,7 @@ import (
 	"github.com/nirmata/kyverno/pkg/webhooks"
 	webhookgenerate "github.com/nirmata/kyverno/pkg/webhooks/generate"
 	kubeinformers "k8s.io/client-go/informers"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 )
 
 var (
@@ -35,20 +39,23 @@ var (
 	// will be removed in future and the configuration will be set only via configmaps
 	filterK8Resources string
 	// User FQDN as CSR CN
-	fqdncn bool
+	fqdncn    bool
+	verbosity string
+	setupLog  = log.Log.WithName("setup")
 )
 
 func main() {
 	defer glog.Flush()
-	version.PrintVersionInfo()
+	version.PrintVersionInfo(log.Log)
 	// cleanUp Channel
 	cleanUp := make(chan struct{})
 	//  handle os signals
 	stopCh := signal.SetupSignalHandler()
 	// CLIENT CONFIG
-	clientConfig, err := config.CreateClientConfig(kubeconfig)
+	clientConfig, err := config.CreateClientConfig(kubeconfig, log.Log)
 	if err != nil {
-		glog.Fatalf("Error building kubeconfig: %v\n", err)
+		setupLog.Error(err, "Failed to build kubeconfig")
+		os.Exit(1)
 	}
 
 	// KYVENO CRD CLIENT
@@ -57,29 +64,33 @@ func main() {
 	//		- PolicyViolation
 	pclient, err := kyvernoclient.NewForConfig(clientConfig)
 	if err != nil {
-		glog.Fatalf("Error creating client: %v\n", err)
+		setupLog.Error(err, "Failed to create client")
+		os.Exit(1)
 	}
 
 	// DYNAMIC CLIENT
 	// - client for all registered resources
 	// - invalidate local cache of registered resource every 10 seconds
-	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh)
+	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh, log.Log)
 	if err != nil {
-		glog.Fatalf("Error creating client: %v\n", err)
+		setupLog.Error(err, "Failed to create client")
+		os.Exit(1)
 	}
 	// CRD CHECK
 	// - verify if the CRD for Policy & PolicyViolation are available
-	if !utils.CRDInstalled(client.DiscoveryClient) {
-		glog.Fatalf("Required CRDs unavailable")
+	if !utils.CRDInstalled(client.DiscoveryClient, log.Log) {
+		setupLog.Error(fmt.Errorf("pre-requisite CRDs not installed"), "Failed to create watch on kyverno CRDs")
+		os.Exit(1)
 	}
 	// KUBERNETES CLIENT
 	kubeClient, err := utils.NewKubeClient(clientConfig)
 	if err != nil {
-		glog.Fatalf("Error creating kubernetes client: %v\n", err)
+		setupLog.Error(err, "Failed to create kubernetes client")
+		os.Exit(1)
 	}
 
 	// TODO(shuting): To be removed for v1.2.0
-	utils.CleanupOldCrd(client)
+	utils.CleanupOldCrd(client, log.Log)
 
 	// KUBERNETES RESOURCES INFORMER
 	// watches namespace resource
@@ -96,16 +107,18 @@ func main() {
 		clientConfig,
 		client,
 		serverIP,
-		int32(webhookTimeout))
+		int32(webhookTimeout),
+		log.Log)
 
 	// Resource Mutating Webhook Watcher
-	lastReqTime := checker.NewLastReqTime()
+	lastReqTime := checker.NewLastReqTime(log.Log.WithName("LastReqTime"))
 	rWebhookWatcher := webhookconfig.NewResourceWebhookRegister(
 		lastReqTime,
 		kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations(),
 		kubeInformer.Admissionregistration().V1beta1().ValidatingWebhookConfigurations(),
 		webhookRegistrationClient,
 		runValidationInMutatingWebhook,
+		log.Log.WithName("ResourceWebhookRegister"),
 	)
 
 	// KYVERNO CRD INFORMER
@@ -124,23 +137,28 @@ func main() {
 	configData := config.NewConfigData(
 		kubeClient,
 		kubeInformer.Core().V1().ConfigMaps(),
-		filterK8Resources)
+		filterK8Resources,
+		log.Log.WithName("ConfigData"),
+	)
 
 	// Policy meta-data store
-	policyMetaStore := policystore.NewPolicyStore(pInformer.Kyverno().V1().ClusterPolicies())
+	policyMetaStore := policystore.NewPolicyStore(pInformer.Kyverno().V1().ClusterPolicies(), log.Log.WithName("PolicyStore"))
 
 	// EVENT GENERATOR
 	// - generate event with retry mechanism
 	egen := event.NewEventGenerator(
 		client,
-		pInformer.Kyverno().V1().ClusterPolicies())
+		pInformer.Kyverno().V1().ClusterPolicies(),
+		log.Log.WithName("EventGenerator"))
 
 	// POLICY VIOLATION GENERATOR
 	// -- generate policy violation
 	pvgen := policyviolation.NewPVGenerator(pclient,
 		client,
 		pInformer.Kyverno().V1().ClusterPolicyViolations(),
-		pInformer.Kyverno().V1().PolicyViolations())
+		pInformer.Kyverno().V1().PolicyViolations(),
+		log.Log.WithName("PolicyViolationGenerator"),
+	)
 
 	// POLICY CONTROLLER
 	// - reconciliation policy and policy violation
@@ -156,13 +174,16 @@ func main() {
 		egen,
 		pvgen,
 		policyMetaStore,
-		rWebhookWatcher)
+		rWebhookWatcher,
+		log.Log.WithName("PolicyController"),
+	)
 	if err != nil {
-		glog.Fatalf("error creating policy controller: %v\n", err)
+		setupLog.Error(err, "Failed to create policy controller")
+		os.Exit(1)
 	}
 
 	// GENERATE REQUEST GENERATOR
-	grgen := webhookgenerate.NewGenerator(pclient, stopCh)
+	grgen := webhookgenerate.NewGenerator(pclient, stopCh, log.Log.WithName("GenerateRequestGenerator"))
 
 	// GENERATE CONTROLLER
 	// - applies generate rules on resources based on generate requests created by webhook
@@ -174,6 +195,7 @@ func main() {
 		egen,
 		pvgen,
 		kubedynamicInformer,
+		log.Log.WithName("GenerateController"),
 	)
 	// GENERATE REQUEST CLEANUP
 	// -- cleans up the generate requests that have not been processed(i.e. state = [Pending, Failed]) for more than defined timeout
@@ -183,12 +205,14 @@ func main() {
 		pInformer.Kyverno().V1().ClusterPolicies(),
 		pInformer.Kyverno().V1().GenerateRequests(),
 		kubedynamicInformer,
+		log.Log.WithName("GenerateCleanUpController"),
 	)
 
 	// CONFIGURE CERTIFICATES
 	tlsPair, err := client.InitTLSPemPair(clientConfig, fqdncn)
 	if err != nil {
-		glog.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err)
+		setupLog.Error(err, "Failed to initialize TLS key/certificate pair")
+		os.Exit(1)
 	}
 
 	// WEBHOOK REGISTRATION
@@ -197,7 +221,8 @@ func main() {
 	// resource webhook confgiuration is generated dynamically in the webhook server and policy controller
 	// based on the policy resources created
 	if err = webhookRegistrationClient.Register(); err != nil {
-		glog.Fatalf("Failed registering Admission Webhooks: %v\n", err)
+		setupLog.Error(err, "Failed to register Admission webhooks")
+		os.Exit(1)
 	}
 
 	// WEBHOOOK
@@ -221,9 +246,12 @@ func main() {
 		pvgen,
 		grgen,
 		rWebhookWatcher,
-		cleanUp)
+		cleanUp,
+		log.Log.WithName("WebhookServer"),
+	)
 	if err != nil {
-		glog.Fatalf("Unable to create webhook server: %v\n", err)
+		setupLog.Error(err, "Failed to create webhook server")
+		os.Exit(1)
 	}
 	// Start the components
 	pInformer.Start(stopCh)
@@ -259,7 +287,7 @@ func main() {
 	// resource cleanup
 	// remove webhook configurations
 	<-cleanUp
-	glog.Info("successful shutdown of kyverno controller")
+	setupLog.Info("Kyverno shutdown successful")
 }
 
 func init() {
@@ -271,6 +299,10 @@ func init() {
 
 	// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
 	flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR")
-	config.LogDefaultFlags()
+	config.LogDefaultFlags(setupLog)
+	flag.StringVar(&verbosity, "verbosity", "", "set verbosity for logs")
 	flag.Parse()
+	log.SetLogger(zap.New(func(o *zap.Options) {
+		o.Development = true
+	}))
 }
diff --git a/pkg/api/kyverno/v1/zz_generated.deepcopy.go b/pkg/api/kyverno/v1/zz_generated.deepcopy.go
index d4d7cc6820..ff1a7c63e4 100644
--- a/pkg/api/kyverno/v1/zz_generated.deepcopy.go
+++ b/pkg/api/kyverno/v1/zz_generated.deepcopy.go
@@ -74,7 +74,7 @@ func (in *ClusterPolicy) DeepCopyObject() runtime.Object {
 func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	out.ListMeta = in.ListMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]ClusterPolicy, len(*in))
@@ -135,7 +135,7 @@ func (in *ClusterPolicyViolation) DeepCopyObject() runtime.Object {
 func (in *ClusterPolicyViolationList) DeepCopyInto(out *ClusterPolicyViolationList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	out.ListMeta = in.ListMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]ClusterPolicyViolation, len(*in))
@@ -241,7 +241,7 @@ func (in *GenerateRequestContext) DeepCopy() *GenerateRequestContext {
 func (in *GenerateRequestList) DeepCopyInto(out *GenerateRequestList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	out.ListMeta = in.ListMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]GenerateRequest, len(*in))
@@ -420,7 +420,7 @@ func (in *PolicyViolation) DeepCopyObject() runtime.Object {
 func (in *PolicyViolationList) DeepCopyInto(out *PolicyViolationList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	out.ListMeta = in.ListMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]PolicyViolation, len(*in))
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index 06d8ea22a2..d2ab06ffd1 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	authorizationv1 "k8s.io/api/authorization/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -17,12 +17,14 @@ type CanIOptions struct {
 	verb      string
 	kind      string
 	client    *client.Client
+	log       logr.Logger
 }
 
 //NewCanI returns a new instance of operation access controler evaluator
-func NewCanI(client *client.Client, kind, namespace, verb string) *CanIOptions {
+func NewCanI(client *client.Client, kind, namespace, verb string, log logr.Logger) *CanIOptions {
 	o := CanIOptions{
 		client: client,
+		log:    log,
 	}
 
 	o.namespace = namespace
@@ -64,11 +66,12 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
 	// - verb
 	// - resource
 	// - subresource
+	logger := o.log.WithValues("kind", sar.Kind, "namespace", sar.Namespace, "name", sar.Name)
 
 	// Create the Resource
 	resp, err := o.client.CreateResource("SelfSubjectAccessReview", "", sar, false)
 	if err != nil {
-		glog.Errorf("failed to create resource %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+		logger.Error(err, "failed to create resource")
 		return false, err
 	}
 
@@ -76,9 +79,9 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
 	allowed, ok, err := unstructured.NestedBool(resp.Object, "status", "allowed")
 	if !ok {
 		if err != nil {
-			glog.Errorf("unexpected error when getting status.allowed for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+			logger.Error(err, "failed to get the field", "field", "status.allowed")
 		}
-		glog.Errorf("status.allowed not found for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+		logger.Info("field not found", "field", "status.allowed")
 	}
 
 	if !allowed {
@@ -86,22 +89,21 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
 		reason, ok, err := unstructured.NestedString(resp.Object, "status", "reason")
 		if !ok {
 			if err != nil {
-				glog.Errorf("unexpected error when getting status.reason for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+				logger.Error(err, "failed to get the field", "field", "status.reason")
 			}
-			glog.Errorf("status.reason not found for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+			logger.Info("field not found", "field", "status.reason")
 		}
 		// status.evaluationError
 		evaluationError, ok, err := unstructured.NestedString(resp.Object, "status", "evaludationError")
 		if !ok {
 			if err != nil {
-				glog.Errorf("unexpected error when getting status.evaluationError for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+				logger.Error(err, "failed to get the field", "field", "status.evaluationError")
 			}
-			glog.Errorf("status.evaluationError not found for %s/%s/%s", sar.Kind, sar.Namespace, sar.Name)
+			logger.Info("field not found", "field", "status.evaluationError")
 		}
 
 		// Reporting ? (just logs)
-		glog.Errorf("reason to disallow operation: %s", reason)
-		glog.Errorf("evaluationError to disallow operation: %s", evaluationError)
+		logger.Info("disallowed operation", "reason", reason, "evaluationError", evaluationError)
 	}
 
 	return allowed, nil
diff --git a/pkg/checker/checker.go b/pkg/checker/checker.go
index 762776dffd..16b8276d40 100644
--- a/pkg/checker/checker.go
+++ b/pkg/checker/checker.go
@@ -4,7 +4,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
@@ -20,8 +20,9 @@ const (
 
 // LastReqTime stores the lastrequest times for incoming api-requests
 type LastReqTime struct {
-	t  time.Time
-	mu sync.RWMutex
+	t   time.Time
+	mu  sync.RWMutex
+	log logr.Logger
 }
 
 //Time returns the lastrequest time
@@ -39,16 +40,17 @@ func (t *LastReqTime) SetTime(tm time.Time) {
 }
 
 //NewLastReqTime returns a new instance of LastRequestTime store
-func NewLastReqTime() *LastReqTime {
+func NewLastReqTime(log logr.Logger) *LastReqTime {
 	return &LastReqTime{
-		t: time.Now(),
+		t:   time.Now(),
+		log: log,
 	}
 }
 
-func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolicyLister) bool {
+func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolicyLister, log logr.Logger) bool {
 	policies, err := pLister.ListResources(labels.NewSelector())
 	if err != nil {
-		glog.Error()
+		log.Error(err, "failed to list cluster policies")
 	}
 	for _, policy := range policies {
 		if policy.HasMutateOrValidateOrGenerate() {
@@ -62,15 +64,16 @@ func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolic
 
 //Run runs the checker and verify the resource update
 func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen event.Interface, client *dclient.Client, defaultResync time.Duration, deadline time.Duration, stopCh <-chan struct{}) {
-	glog.V(2).Infof("starting default resync for webhook checker with resync time %d nanoseconds", defaultResync)
+	logger := t.log
+	logger.V(2).Info("tarting default resync for webhook checker", "resyncTime", defaultResync)
 	maxDeadline := deadline * time.Duration(MaxRetryCount)
 	ticker := time.NewTicker(defaultResync)
 	/// interface to update and increment kyverno webhook status via annotations
-	statuscontrol := NewVerifyControl(client, eventGen)
+	statuscontrol := NewVerifyControl(client, eventGen, logger.WithName("StatusControl"))
 	// send the initial update status
-	if checkIfPolicyWithMutateAndGenerateExists(pLister) {
+	if checkIfPolicyWithMutateAndGenerateExists(pLister, logger) {
 		if err := statuscontrol.SuccessStatus(); err != nil {
-			glog.Error(err)
+			logger.Error(err, "failed to set 'success' status")
 		}
 	}
 
@@ -84,36 +87,36 @@ func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen ev
 		case <-ticker.C:
 			// if there are no policies then we dont have a webhook on resource.
 			// we indirectly check if the resource
-			if !checkIfPolicyWithMutateAndGenerateExists(pLister) {
+			if !checkIfPolicyWithMutateAndGenerateExists(pLister, logger) {
 				continue
 			}
 			// get current time
 			timeDiff := time.Since(t.Time())
 			if timeDiff > maxDeadline {
-				glog.Infof("failed to receive any request for more than %v ", maxDeadline)
-				glog.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
+				logger.Info("request exceeded max deadline", "deadline", maxDeadline)
+				logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
 				// set the status unavailable
 				if err := statuscontrol.FailedStatus(); err != nil {
-					glog.Error(err)
+					logger.Error(err, "failed to set 'failed' status")
 				}
 				continue
 			}
 			if timeDiff > deadline {
-				glog.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
+				logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
 				// send request to update the kyverno deployment
 				if err := statuscontrol.IncrementAnnotation(); err != nil {
-					glog.Error(err)
+					logger.Error(err, "failed to increment annotation")
 				}
 				continue
 			}
 			// if the status was false before then we update it to true
 			// send request to update the kyverno deployment
 			if err := statuscontrol.SuccessStatus(); err != nil {
-				glog.Error(err)
+				logger.Error(err, "failed to update success status")
 			}
 		case <-stopCh:
 			// handler termination signal
-			glog.V(2).Infof("stopping default resync for webhook checker")
+			logger.V(2).Info("stopping default resync for webhook checker")
 			return
 		}
 	}
diff --git a/pkg/checker/status.go b/pkg/checker/status.go
index 39b19189dd..110abf8eef 100644
--- a/pkg/checker/status.go
+++ b/pkg/checker/status.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
 )
@@ -29,6 +29,7 @@ type StatusInterface interface {
 type StatusControl struct {
 	client   *dclient.Client
 	eventGen event.Interface
+	log      logr.Logger
 }
 
 //SuccessStatus ...
@@ -42,20 +43,22 @@ func (vc StatusControl) FailedStatus() error {
 }
 
 // NewVerifyControl ...
-func NewVerifyControl(client *dclient.Client, eventGen event.Interface) *StatusControl {
+func NewVerifyControl(client *dclient.Client, eventGen event.Interface, log logr.Logger) *StatusControl {
 	return &StatusControl{
 		client:   client,
 		eventGen: eventGen,
+		log:      log,
 	}
 }
 
 func (vc StatusControl) setStatus(status string) error {
-	glog.Infof("setting deployment %s in ns %s annotation %s to %s", deployName, deployNamespace, annWebhookStats, status)
+	logger := vc.log
+	logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s to %s", deployName, deployNamespace, annWebhookStats, status))
 	var ann map[string]string
 	var err error
 	deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName)
 	if err != nil {
-		glog.V(4).Infof("failed to get deployment %s in namespace %s: %v", deployName, deployNamespace, err)
+		logger.Error(err, "failed to get deployment resource")
 		return err
 	}
 	ann = deploy.GetAnnotations()
@@ -67,7 +70,7 @@ func (vc StatusControl) setStatus(status string) error {
 	if ok {
 		// annotatiaion is present
 		if webhookAction == status {
-			glog.V(4).Infof("annotation %s already set to '%s'", annWebhookStats, status)
+			logger.V(4).Info(fmt.Sprintf("annotation %s already set to '%s'", annWebhookStats, status))
 			return nil
 		}
 	}
@@ -77,7 +80,7 @@ func (vc StatusControl) setStatus(status string) error {
 	// update counter
 	_, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false)
 	if err != nil {
-		glog.V(4).Infof("failed to update annotation %s for deployment %s in namespace %s: %v", annWebhookStats, deployName, deployNamespace, err)
+		logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annWebhookStats, deployName, deployNamespace))
 		return err
 	}
 	// create event on kyverno deployment
@@ -97,12 +100,13 @@ func createStatusUpdateEvent(status string, eventGen event.Interface) {
 
 //IncrementAnnotation ...
 func (vc StatusControl) IncrementAnnotation() error {
-	glog.Infof("setting deployment %s in ns %s annotation %s", deployName, deployNamespace, annCounter)
+	logger := vc.log
+	logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s", deployName, deployNamespace, annCounter))
 	var ann map[string]string
 	var err error
 	deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName)
 	if err != nil {
-		glog.V(4).Infof("failed to get deployment %s in namespace %s: %v", deployName, deployNamespace, err)
+		logger.Error(err, "failed to get deployment %s in namespace %s", deployName, deployNamespace)
 		return err
 	}
 	ann = deploy.GetAnnotations()
@@ -112,18 +116,18 @@ func (vc StatusControl) IncrementAnnotation() error {
 	}
 	counter, err := strconv.Atoi(ann[annCounter])
 	if err != nil {
-		glog.V(4).Infof("failed to parse string: %v", err)
+		logger.Error(err, "Failed to parse string")
 		return err
 	}
 	// increment counter
 	counter++
 	ann[annCounter] = strconv.Itoa(counter)
-	glog.Infof("incrementing annotation %s counter to %d", annCounter, counter)
+	logger.Info("incrementing annotation", "old", annCounter, "new", counter)
 	deploy.SetAnnotations(ann)
 	// update counter
 	_, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false)
 	if err != nil {
-		glog.V(4).Infof("failed to update annotation %s for deployment %s in namespace %s: %v", annCounter, deployName, deployNamespace, err)
+		logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annCounter, deployName, deployNamespace))
 		return err
 	}
 	return nil
diff --git a/pkg/client/clientset/versioned/clientset.go b/pkg/client/clientset/versioned/clientset.go
index 5fbce444ff..8aa7b0e529 100644
--- a/pkg/client/clientset/versioned/clientset.go
+++ b/pkg/client/clientset/versioned/clientset.go
@@ -19,6 +19,8 @@ limitations under the License.
 package versioned
 
 import (
+	"fmt"
+
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -51,9 +53,14 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 }
 
 // NewForConfig creates a new Clientset for the given config.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfig will generate a rate-limiter in configShallowCopy.
 func NewForConfig(c *rest.Config) (*Clientset, error) {
 	configShallowCopy := *c
 	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+		if configShallowCopy.Burst <= 0 {
+			return nil, fmt.Errorf("Burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
+		}
 		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
 	}
 	var cs Clientset
diff --git a/pkg/client/clientset/versioned/fake/clientset_generated.go b/pkg/client/clientset/versioned/fake/clientset_generated.go
index 215b1d997a..c3264dcb64 100644
--- a/pkg/client/clientset/versioned/fake/clientset_generated.go
+++ b/pkg/client/clientset/versioned/fake/clientset_generated.go
@@ -41,7 +41,7 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 		}
 	}
 
-	cs := &Clientset{}
+	cs := &Clientset{tracker: o}
 	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
@@ -63,12 +63,17 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 type Clientset struct {
 	testing.Fake
 	discovery *fakediscovery.FakeDiscovery
+	tracker   testing.ObjectTracker
 }
 
 func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 	return c.discovery
 }
 
+func (c *Clientset) Tracker() testing.ObjectTracker {
+	return c.tracker
+}
+
 var _ clientset.Interface = &Clientset{}
 
 // KyvernoV1 retrieves the KyvernoV1Client
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go b/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go
index 54d8944680..8c1b5a0ea8 100644
--- a/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go
+++ b/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go
@@ -21,7 +21,6 @@ package v1
 import (
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
-	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
 	rest "k8s.io/client-go/rest"
 )
 
@@ -86,7 +85,7 @@ func setConfigDefaults(config *rest.Config) error {
 	gv := v1.SchemeGroupVersion
 	config.GroupVersion = &gv
 	config.APIPath = "/apis"
-	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
 
 	if config.UserAgent == "" {
 		config.UserAgent = rest.DefaultKubernetesUserAgent()
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 241728a2c7..bb9dfae909 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -2,8 +2,9 @@ package config
 
 import (
 	"flag"
+	"os"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
 )
@@ -74,29 +75,34 @@ var (
 	VerifyMutatingWebhookServicePath = "/verifymutate"
 )
 
-//LogDefaultFlags sets default glog flags
-func LogDefaultFlags() {
+//LogDefaultFlags sets default flags
+func LogDefaultFlags(log logr.Logger) {
+	logger := log.WithName("LogDefaultFlags")
 	var err error
 	err = flag.Set("logtostderr", "true")
 	if err != nil {
-		glog.Fatalf("failed to set flag 'logtostderr' to 'true':%v", err)
+		logger.Error(err, "failed to set flag", "flag", "logtostderr", "value", "true")
+		os.Exit(1)
 	}
 	err = flag.Set("stderrthreshold", "WARNING")
 	if err != nil {
-		glog.Fatalf("failed to set flag 'stderrthreshold' to 'WARNING':%v", err)
+		logger.Error(err, "failed to set flag", "flag", "stderrthreshold", "value", "WARNING")
+		os.Exit(1)
 	}
 	flag.Set("v", "2")
 	if err != nil {
-		glog.Fatalf("failed to set flag 'v' to '2':%v", err)
+		logger.Error(err, "failed to set flag", "flag", "v", "value", "2")
+		os.Exit(1)
 	}
 }
 
 //CreateClientConfig creates client config
-func CreateClientConfig(kubeconfig string) (*rest.Config, error) {
+func CreateClientConfig(kubeconfig string, log logr.Logger) (*rest.Config, error) {
+	logger := log.WithName("CreateClientConfig")
 	if kubeconfig == "" {
-		glog.Info("Using in-cluster configuration")
+		logger.Info("Using in-cluster configuration")
 		return rest.InClusterConfig()
 	}
-	glog.V(4).Infof("Using configuration from '%s'", kubeconfig)
+	logger.V(4).Info("Using specified kubeconfig", "kubeconfig", kubeconfig)
 	return clientcmd.BuildConfigFromFlags("", kubeconfig)
 }
diff --git a/pkg/config/dynamicconfig.go b/pkg/config/dynamicconfig.go
index 6bf624e7bb..1787f67bd9 100644
--- a/pkg/config/dynamicconfig.go
+++ b/pkg/config/dynamicconfig.go
@@ -1,14 +1,13 @@
 package config
 
 import (
-	"fmt"
 	"os"
 	"reflect"
 	"regexp"
 	"strings"
 	"sync"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	v1 "k8s.io/api/core/v1"
 	informers "k8s.io/client-go/informers/core/v1"
@@ -31,6 +30,7 @@ type ConfigData struct {
 	filters []k8Resource
 	// hasynced
 	cmSycned cache.InformerSynced
+	log      logr.Logger
 }
 
 // ToFilter checks if the given resource is set to be filtered in the configuration
@@ -51,20 +51,21 @@ type Interface interface {
 }
 
 // NewConfigData ...
-func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8Resources string) *ConfigData {
+func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8Resources string, log logr.Logger) *ConfigData {
 	// environment var is read at start only
 	if cmNameEnv == "" {
-		glog.Info("ConfigMap name not defined in env:INIT_CONFIG: loading no default configuration")
+		log.Info("ConfigMap name not defined in env:INIT_CONFIG: loading no default configuration")
 	}
 	cd := ConfigData{
 		client:   rclient,
 		cmName:   os.Getenv(cmNameEnv),
 		cmSycned: cmInformer.Informer().HasSynced,
+		log:      log,
 	}
 	//TODO: this has been added to backward support command line arguments
 	// will be removed in future and the configuration will be set only via configmaps
 	if filterK8Resources != "" {
-		glog.Info("Init configuration from commandline arguments")
+		cd.log.Info("init configuration from commandline arguments")
 		cd.initFilters(filterK8Resources)
 	}
 
@@ -78,9 +79,10 @@ func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapI
 
 //Run checks syncing
 func (cd *ConfigData) Run(stopCh <-chan struct{}) {
+	logger := cd.log
 	// wait for cache to populate first time
 	if !cache.WaitForCacheSync(stopCh, cd.cmSycned) {
-		glog.Error("configuration: failed to sync informer cache")
+		logger.Info("configuration: failed to sync informer cache")
 	}
 }
 
@@ -103,16 +105,17 @@ func (cd *ConfigData) updateCM(old, cur interface{}) {
 }
 
 func (cd *ConfigData) deleteCM(obj interface{}) {
+	logger := cd.log
 	cm, ok := obj.(*v1.ConfigMap)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("failed to get object from tombstone")
 			return
 		}
 		_, ok = tombstone.Obj.(*v1.ConfigMap)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a ConfigMap %#v", obj))
+			logger.Info("Tombstone contained object that is not a ConfigMap", "object", obj)
 			return
 		}
 	}
@@ -125,19 +128,20 @@ func (cd *ConfigData) deleteCM(obj interface{}) {
 }
 
 func (cd *ConfigData) load(cm v1.ConfigMap) {
+	logger := cd.log.WithValues("name", cm.Name, "namespace", cm.Namespace)
 	if cm.Data == nil {
-		glog.V(4).Infof("Configuration: No data defined in ConfigMap %s", cm.Name)
+		logger.V(4).Info("configuration: No data defined in ConfigMap")
 		return
 	}
 	// get resource filters
 	filters, ok := cm.Data["resourceFilters"]
 	if !ok {
-		glog.V(4).Infof("Configuration: No resourceFilters defined in ConfigMap %s", cm.Name)
+		logger.V(4).Info("configuration: No resourceFilters defined in ConfigMap")
 		return
 	}
 	// filters is a string
 	if filters == "" {
-		glog.V(4).Infof("Configuration: resourceFilters is empty in ConfigMap %s", cm.Name)
+		logger.V(4).Info("configuration: resourceFilters is empty in ConfigMap")
 		return
 	}
 	// parse and load the configuration
@@ -146,11 +150,10 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 
 	newFilters := parseKinds(filters)
 	if reflect.DeepEqual(newFilters, cd.filters) {
-		glog.V(4).Infof("Configuration: resourceFilters did not change in ConfigMap %s", cm.Name)
+		logger.V(4).Info("resourceFilters did not change")
 		return
 	}
-	glog.V(4).Infof("Configuration: Old resource filters %v", cd.filters)
-	glog.Infof("Configuration: New resource filters to %v", newFilters)
+	logger.V(4).Info(" Updated resource filters", "oldFilters", cd.filters, "newFilters", newFilters)
 	// update filters
 	cd.filters = newFilters
 }
@@ -158,20 +161,20 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 //TODO: this has been added to backward support command line arguments
 // will be removed in future and the configuration will be set only via configmaps
 func (cd *ConfigData) initFilters(filters string) {
+	logger := cd.log
 	// parse and load the configuration
 	cd.mux.Lock()
 	defer cd.mux.Unlock()
 
 	newFilters := parseKinds(filters)
-	glog.Infof("Configuration: Init resource filters to %v", newFilters)
+	logger.Info("Init resource filters", "filters", newFilters)
 	// update filters
 	cd.filters = newFilters
 }
 
 func (cd *ConfigData) unload(cm v1.ConfigMap) {
-	// TODO pick one msg
-	glog.Infof("Configuration: ConfigMap %s deleted, removing configuration filters", cm.Name)
-	glog.Infof("Configuration: Removing all resource filters as ConfigMap %s deleted", cm.Name)
+	logger := cd.log
+	logger.Info("ConfigMap deleted, removing configuration filters", "name", cm.Name, "namespace", cm.Namespace)
 	cd.mux.Lock()
 	defer cd.mux.Unlock()
 	cd.filters = []k8Resource{}
diff --git a/pkg/dclient/certificates.go b/pkg/dclient/certificates.go
index 76b3cda819..125dc7cec3 100644
--- a/pkg/dclient/certificates.go
+++ b/pkg/dclient/certificates.go
@@ -6,7 +6,6 @@ import (
 	"net/url"
 	"time"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	tls "github.com/nirmata/kyverno/pkg/tls"
 	certificates "k8s.io/api/certificates/v1beta1"
@@ -19,13 +18,14 @@ import (
 // Created pair is stored in cluster's secret.
 // Returns struct with key/certificate pair.
 func (c *Client) InitTLSPemPair(configuration *rest.Config, fqdncn bool) (*tls.TlsPemPair, error) {
+	logger := c.log
 	certProps, err := c.GetTLSCertProps(configuration)
 	if err != nil {
 		return nil, err
 	}
 	tlsPair := c.ReadTlsPair(certProps)
 	if tls.IsTLSPairShouldBeUpdated(tlsPair) {
-		glog.Info("Generating new key/certificate pair for TLS")
+		logger.Info("Generating new key/certificate pair for TLS")
 		tlsPair, err = c.generateTLSPemPair(certProps, fqdncn)
 		if err != nil {
 			return nil, err
@@ -35,8 +35,7 @@ func (c *Client) InitTLSPemPair(configuration *rest.Config, fqdncn bool) (*tls.T
 		}
 		return tlsPair, nil
 	}
-
-	glog.Infoln("Using existing TLS key/certificate pair")
+	logger.Info("Using existing TLS key/certificate pair")
 	return tlsPair, nil
 }
 
@@ -71,6 +70,7 @@ func (c *Client) generateTLSPemPair(props tls.TlsCertificateProps, fqdncn bool)
 
 // Submits and approves certificate request, returns request which need to be fetched
 func (c *Client) submitAndApproveCertificateRequest(req *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) {
+	logger := c.log.WithName("submitAndApproveCertificateRequest")
 	certClient, err := c.GetCSRInterface()
 	if err != nil {
 		return nil, err
@@ -86,7 +86,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
 			if err != nil {
 				return nil, fmt.Errorf("Unable to delete existing certificate request: %v", err)
 			}
-			glog.Info("Old certificate request is deleted")
+			logger.Info("Old certificate request is deleted")
 			break
 		}
 	}
@@ -95,7 +95,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
 	if err != nil {
 		return nil, err
 	}
-	glog.Infof("Certificate request %s is created", unstrRes.GetName())
+	logger.Info("Certificate request created", "name", unstrRes.GetName())
 
 	res, err := convertToCSR(unstrRes)
 	if err != nil {
@@ -110,7 +110,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
 	if err != nil {
 		return nil, fmt.Errorf("Unable to approve certificate request: %v", err)
 	}
-	glog.Infof("Certificate request %s is approved", res.ObjectMeta.Name)
+	logger.Info("Certificate request is approved", "name", res.ObjectMeta.Name)
 
 	return res, nil
 }
@@ -144,9 +144,10 @@ func (c *Client) fetchCertificateFromRequest(req *certificates.CertificateSignin
 
 //ReadRootCASecret returns the RootCA from the pre-defined secret
 func (c *Client) ReadRootCASecret() (result []byte) {
+	logger := c.log.WithName("ReadRootCASecret")
 	certProps, err := c.GetTLSCertProps(c.clientConfig)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to get TLS Cert Properties")
 		return result
 	}
 	sname := generateRootCASecretName(certProps)
@@ -156,16 +157,16 @@ func (c *Client) ReadRootCASecret() (result []byte) {
 	}
 	tlsca, err := convertToSecret(stlsca)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to convert secret", "name", sname, "namespace", certProps.Namespace)
 		return result
 	}
 
 	result = tlsca.Data[rootCAKey]
 	if len(result) == 0 {
-		glog.Warningf("root CA certificate not found in secret %s/%s", certProps.Namespace, tlsca.Name)
+		logger.Info("root CA certificate not found in secret", "name", tlsca.Name, "namespace", certProps.Namespace)
 		return result
 	}
-	glog.V(4).Infof("using CA bundle defined in secret %s/%s to validate the webhook's server certificate", certProps.Namespace, tlsca.Name)
+	logger.V(4).Info("using CA bundle defined in secret to validate the webhook's server certificate", "name", tlsca.Name, "namespace", certProps.Namespace)
 	return result
 }
 
@@ -174,10 +175,11 @@ const rootCAKey string = "rootCA.crt"
 
 //ReadTlsPair Reads the pair of TLS certificate and key from the specified secret.
 func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
+	logger := c.log.WithName("ReadTlsPair")
 	sname := generateTLSPairSecretName(props)
 	unstrSecret, err := c.GetResource(Secrets, props.Namespace, sname)
 	if err != nil {
-		glog.Warningf("Unable to get secret %s/%s: %s", props.Namespace, sname, err)
+		logger.Error(err, "Failed to get secret", "name", sname, "namespace", props.Namespace)
 		return nil
 	}
 
@@ -188,7 +190,7 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
 		sname := generateRootCASecretName(props)
 		_, err := c.GetResource(Secrets, props.Namespace, sname)
 		if err != nil {
-			glog.Errorf("Root CA secret %s/%s is required while using self-signed certificates TLS pair, defaulting to generating new TLS pair", props.Namespace, sname)
+			logger.Error(err, "Root CA secret is required while using self-signed certificates TLS pair, defaulting to generating new TLS pair", "name", sname, "namespace", props.Namespace)
 			return nil
 		}
 	}
@@ -201,11 +203,11 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
 		PrivateKey:  secret.Data[v1.TLSPrivateKeyKey],
 	}
 	if len(pemPair.Certificate) == 0 {
-		glog.Warningf("TLS Certificate not found in secret %s/%s", props.Namespace, sname)
+		logger.Info("TLS Certificate not found in secret", "name", sname, "namespace", props.Namespace)
 		return nil
 	}
 	if len(pemPair.PrivateKey) == 0 {
-		glog.Warningf("TLS PrivateKey not found in secret %s/%s", props.Namespace, sname)
+		logger.Info("TLS PrivateKey not found in secret", "name", sname, "namespace", props.Namespace)
 		return nil
 	}
 	return &pemPair
@@ -214,6 +216,7 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
 //WriteTlsPair Writes the pair of TLS certificate and key to the specified secret.
 // Updates existing secret or creates new one.
 func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPemPair) error {
+	logger := c.log.WithName("WriteTlsPair")
 	name := generateTLSPairSecretName(props)
 	_, err := c.GetResource(Secrets, props.Namespace, name)
 	if err != nil {
@@ -235,7 +238,7 @@ func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPem
 
 		_, err := c.CreateResource(Secrets, props.Namespace, secret, false)
 		if err == nil {
-			glog.Infof("Secret %s is created", name)
+			logger.Info("secret created", "name", name, "namespace", props.Namespace)
 		}
 		return err
 	}
@@ -251,7 +254,7 @@ func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPem
 	if err != nil {
 		return err
 	}
-	glog.Infof("Secret %s is updated", name)
+	logger.Info("secret updated", "name", name, "namespace", props.Namespace)
 	return nil
 }
 
diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go
index 9bb212369e..9fbfe0a0b0 100644
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@@ -5,7 +5,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/config"
 	apps "k8s.io/api/apps/v1"
 	certificates "k8s.io/api/certificates/v1beta1"
@@ -30,13 +30,15 @@ import (
 //Client enables interaction with k8 resource
 type Client struct {
 	client          dynamic.Interface
+	log             logr.Logger
 	clientConfig    *rest.Config
 	kclient         kubernetes.Interface
 	DiscoveryClient IDiscovery
 }
 
 //NewClient creates new instance of client
-func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}) (*Client, error) {
+func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}, log logr.Logger) (*Client, error) {
+
 	dclient, err := dynamic.NewForConfig(config)
 	if err != nil {
 		return nil, err
@@ -49,9 +51,10 @@ func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}
 		client:       dclient,
 		clientConfig: config,
 		kclient:      kclient,
+		log:          log.WithName("Client"),
 	}
 	// Set discovery client
-	discoveryClient := ServerPreferredResources{memory.NewMemCacheClient(kclient.Discovery())}
+	discoveryClient := ServerPreferredResources{cachedClient: memory.NewMemCacheClient(kclient.Discovery()), log: client.log}
 	// client will invalidate registered resources cache every x seconds,
 	// As there is no way to identify if the registered resource is available or not
 	// we will be invalidating the local cache, so the next request get a fresh cache
@@ -187,7 +190,6 @@ func (c *Client) UpdateStatusResource(kind string, namespace string, obj interfa
 func convertToUnstructured(obj interface{}) *unstructured.Unstructured {
 	unstructuredObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&obj)
 	if err != nil {
-		glog.Errorf("Unable to convert : %v", err)
 		return nil
 	}
 	return &unstructured.Unstructured{Object: unstructuredObj}
@@ -225,22 +227,24 @@ func (c *Client) SetDiscovery(discoveryClient IDiscovery) {
 //ServerPreferredResources stores the cachedClient instance for discovery client
 type ServerPreferredResources struct {
 	cachedClient discovery.CachedDiscoveryInterface
+	log          logr.Logger
 }
 
 //Poll will keep invalidate the local cache
 func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struct{}) {
+	logger := c.log.WithName("Poll")
 	// start a ticker
 	ticker := time.NewTicker(resync)
 	defer func() { ticker.Stop() }()
-	glog.Infof("Starting registered resources sync: every %d seconds", resync)
+	logger.Info("starting registered resources sync", "period", resync)
 	for {
 		select {
 		case <-stopCh:
-			glog.Info("Stopping registered resources sync")
+			logger.Info("stopping registered resources sync")
 			return
 		case <-ticker.C:
 			// set cache as stale
-			glog.V(6).Info("invalidating local client cache for registered resources")
+			logger.V(6).Info("invalidating local client cache for registered resources")
 			c.cachedClient.Invalidate()
 		}
 	}
@@ -254,12 +258,12 @@ func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struc
 func (c ServerPreferredResources) GetGVRFromKind(kind string) schema.GroupVersionResource {
 	var gvr schema.GroupVersionResource
 	var err error
-	gvr, err = loadServerResources(kind, c.cachedClient)
+	gvr, err = loadServerResources(kind, c.cachedClient, c.log)
 	if err != nil && !c.cachedClient.Fresh() {
 
 		// invalidate cahce & re-try once more
 		c.cachedClient.Invalidate()
-		gvr, err = loadServerResources(kind, c.cachedClient)
+		gvr, err = loadServerResources(kind, c.cachedClient, c.log)
 		if err == nil {
 			return gvr
 		}
@@ -272,11 +276,12 @@ func (c ServerPreferredResources) GetServerVersion() (*version.Info, error) {
 	return c.cachedClient.ServerVersion()
 }
 
-func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface) (schema.GroupVersionResource, error) {
-	serverresources, err := cdi.ServerPreferredResources()
+func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface, log logr.Logger) (schema.GroupVersionResource, error) {
+	logger := log.WithName("loadServerResources")
 	emptyGVR := schema.GroupVersionResource{}
+	serverresources, err := cdi.ServerPreferredResources()
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to get registered preferred resources")
 		return emptyGVR, err
 	}
 	for _, serverresource := range serverresources {
@@ -286,7 +291,7 @@ func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface) (sche
 			if resource.Kind == k && !strings.Contains(resource.Name, "/") {
 				gv, err := schema.ParseGroupVersion(serverresource.GroupVersion)
 				if err != nil {
-					glog.Error(err)
+					logger.Error(err, "failed to parse groupVersion from schema", "groupVersion", serverresource.GroupVersion)
 					return emptyGVR, err
 				}
 				return gv.WithResource(resource.Name), nil
diff --git a/pkg/engine/anchor/anchor.go b/pkg/engine/anchor/anchor.go
index 2d81a068ec..a8e7a1184a 100644
--- a/pkg/engine/anchor/anchor.go
+++ b/pkg/engine/anchor/anchor.go
@@ -4,7 +4,8 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
+	"github.com/nirmata/kyverno/pkg/log"
 )
 
 //ValidationHandler for element processes
@@ -12,7 +13,7 @@ type ValidationHandler interface {
 	Handle(handler resourceElementHandler, resourceMap map[string]interface{}, originPattern interface{}) (string, error)
 }
 
-type resourceElementHandler = func(resourceElement, patternElement, originPattern interface{}, path string) (string, error)
+type resourceElementHandler = func(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string) (string, error)
 
 //CreateElementHandler factory to process elements
 func CreateElementHandler(element string, pattern interface{}, path string) ValidationHandler {
@@ -82,7 +83,7 @@ func (eh EqualityHandler) Handle(handler resourceElementHandler, resourceMap map
 	// check if anchor is present in resource
 	if value, ok := resourceMap[anchorKey]; ok {
 		// validate the values of the pattern
-		returnPath, err := handler(value, eh.pattern, originPattern, currentPath)
+		returnPath, err := handler(log.Log, value, eh.pattern, originPattern, currentPath)
 		if err != nil {
 			return returnPath, err
 		}
@@ -115,7 +116,7 @@ func (dh DefaultHandler) Handle(handler resourceElementHandler, resourceMap map[
 	} else if dh.pattern == "*" && resourceMap[dh.element] == nil {
 		return dh.path, fmt.Errorf("Validation rule failed at %s, Field %s is not present", dh.path, dh.element)
 	} else {
-		path, err := handler(resourceMap[dh.element], dh.pattern, originPattern, currentPath)
+		path, err := handler(log.Log, resourceMap[dh.element], dh.pattern, originPattern, currentPath)
 		if err != nil {
 			return path, err
 		}
@@ -146,7 +147,7 @@ func (ch ConditionAnchorHandler) Handle(handler resourceElementHandler, resource
 	// check if anchor is present in resource
 	if value, ok := resourceMap[anchorKey]; ok {
 		// validate the values of the pattern
-		returnPath, err := handler(value, ch.pattern, originPattern, currentPath)
+		returnPath, err := handler(log.Log, value, ch.pattern, originPattern, currentPath)
 		if err != nil {
 			return returnPath, err
 		}
@@ -194,7 +195,6 @@ func (eh ExistenceHandler) Handle(handler resourceElementHandler, resourceMap ma
 			}
 			return validateExistenceListResource(handler, typedResource, typedPatternMap, originPattern, currentPath)
 		default:
-			glog.Error("Invalid type: Existence ^ () anchor can be used only on list/array type resource")
 			return currentPath, fmt.Errorf("Invalid resource type %T: Existence ^ () anchor can be used only on list/array type resource", value)
 		}
 	}
@@ -206,10 +206,9 @@ func validateExistenceListResource(handler resourceElementHandler, resourceList
 	// if non satisfy then throw an error
 	for i, resourceElement := range resourceList {
 		currentPath := path + strconv.Itoa(i) + "/"
-		_, err := handler(resourceElement, patternMap, originPattern, currentPath)
+		_, err := handler(log.Log, resourceElement, patternMap, originPattern, currentPath)
 		if err == nil {
 			// condition is satisfied, dont check further
-			glog.V(4).Infof("Existence check satisfied at path %s, for pattern %v", currentPath, patternMap)
 			return "", nil
 		}
 	}
diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index 05805a0a91..21e1fed7fc 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -6,8 +6,9 @@ import (
 	"sync"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/log"
 )
 
 //Interface to manage context operations
@@ -33,6 +34,7 @@ type Context struct {
 	mu            sync.RWMutex
 	jsonRaw       []byte
 	whiteListVars []string
+	log           logr.Logger
 }
 
 //NewContext returns a new context
@@ -42,6 +44,7 @@ func NewContext(whiteListVars ...string) *Context {
 		// data:    map[string]interface{}{},
 		jsonRaw:       []byte(`{}`), // empty json struct
 		whiteListVars: whiteListVars,
+		log:           log.Log.WithName("context"),
 	}
 	return &ctx
 }
@@ -54,7 +57,7 @@ func (ctx *Context) AddJSON(dataRaw []byte) error {
 	// merge json
 	ctx.jsonRaw, err = jsonpatch.MergePatch(ctx.jsonRaw, dataRaw)
 	if err != nil {
-		glog.V(4).Infof("failed to merge JSON data: %v", err)
+		ctx.log.Error(err, "failed to merge JSON data")
 		return err
 	}
 	return nil
@@ -66,7 +69,7 @@ func (ctx *Context) AddResource(dataRaw []byte) error {
 	// unmarshall the resource struct
 	var data interface{}
 	if err := json.Unmarshal(dataRaw, &data); err != nil {
-		glog.V(4).Infof("failed to unmarshall the context data: %v", err)
+		ctx.log.Error(err, "failed to unmarshall the resource")
 		return err
 	}
 
@@ -82,7 +85,7 @@ func (ctx *Context) AddResource(dataRaw []byte) error {
 
 	objRaw, err := json.Marshal(modifiedResource)
 	if err != nil {
-		glog.V(4).Infof("failed to marshall the updated context data")
+		ctx.log.Error(err, "failed to marshal the resource")
 		return err
 	}
 	return ctx.AddJSON(objRaw)
@@ -98,7 +101,7 @@ func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error {
 
 	objRaw, err := json.Marshal(modifiedResource)
 	if err != nil {
-		glog.V(4).Infof("failed to marshall the updated context data")
+		ctx.log.Error(err, "failed to marshal the UserInfo")
 		return err
 	}
 	return ctx.AddJSON(objRaw)
@@ -118,8 +121,6 @@ func (ctx *Context) AddSA(userName string) error {
 	// filter namespace
 	groups := strings.Split(sa, ":")
 	if len(groups) >= 2 {
-		glog.V(4).Infof("serviceAccount namespace: %s", groups[0])
-		glog.V(4).Infof("serviceAccount name: %s", groups[1])
 		saName = groups[1]
 		saNamespace = groups[0]
 	}
@@ -131,7 +132,7 @@ func (ctx *Context) AddSA(userName string) error {
 	}
 	saNameRaw, err := json.Marshal(saNameObj)
 	if err != nil {
-		glog.V(4).Infof("failed to marshall the updated context data")
+		ctx.log.Error(err, "failed to marshal the SA")
 		return err
 	}
 	if err := ctx.AddJSON(saNameRaw); err != nil {
@@ -145,7 +146,7 @@ func (ctx *Context) AddSA(userName string) error {
 	}
 	saNsRaw, err := json.Marshal(saNsObj)
 	if err != nil {
-		glog.V(4).Infof("failed to marshall the updated context data")
+		ctx.log.Error(err, "failed to marshal the SA namespace")
 		return err
 	}
 	if err := ctx.AddJSON(saNsRaw); err != nil {
diff --git a/pkg/engine/context/evaluate.go b/pkg/engine/context/evaluate.go
index 78f9643497..f15a8a1e17 100644
--- a/pkg/engine/context/evaluate.go
+++ b/pkg/engine/context/evaluate.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/golang/glog"
 	jmespath "github.com/jmespath/go-jmespath"
 )
 
@@ -19,7 +18,7 @@ func (ctx *Context) Query(query string) (interface{}, error) {
 	// compile the query
 	queryPath, err := jmespath.Compile(query)
 	if err != nil {
-		glog.V(4).Infof("incorrect query %s: %v", query, err)
+		ctx.log.Error(err, "incorrect query", "query", query)
 		return emptyResult, fmt.Errorf("incorrect query %s: %v", query, err)
 	}
 	// search
@@ -28,13 +27,13 @@ func (ctx *Context) Query(query string) (interface{}, error) {
 
 	var data interface{}
 	if err := json.Unmarshal(ctx.jsonRaw, &data); err != nil {
-		glog.V(4).Infof("failed to unmarshall context: %v", err)
+		ctx.log.Error(err, "failed to unmarshal context")
 		return emptyResult, fmt.Errorf("failed to unmarshall context: %v", err)
 	}
 
 	result, err := queryPath.Search(data)
 	if err != nil {
-		glog.V(4).Infof("failed to search query %s: %v", query, err)
+		ctx.log.Error(err, "failed to search query", "query", query)
 		return emptyResult, fmt.Errorf("failed to search query %s: %v", query, err)
 	}
 	return result, nil
diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go
index 25c7204851..94cb3d95df 100644
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@@ -1,11 +1,12 @@
 package engine
 
 import (
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
+	"github.com/nirmata/kyverno/pkg/log"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -18,23 +19,23 @@ func Generate(policyContext PolicyContext) (resp response.EngineResponse) {
 	resource := policyContext.NewResource
 	admissionInfo := policyContext.AdmissionInfo
 	ctx := policyContext.Context
-	return filterRules(policy, resource, admissionInfo, ctx)
+	logger := log.Log.WithName("Generate").WithValues("policy", policy.Name, "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
+	return filterRules(policy, resource, admissionInfo, ctx, logger)
 }
 
-func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) *response.RuleResponse {
+func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger) *response.RuleResponse {
 	if !rule.HasGenerate() {
 		return nil
 	}
 	if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
-		glog.V(4).Infof(err.Error())
 		return nil
 	}
 	// operate on the copy of the conditions, as we perform variable substitution
 	copyConditions := copyConditions(rule.Conditions)
 
 	// evaluate pre-conditions
-	if !variables.EvaluateConditions(ctx, copyConditions) {
-		glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
+	if !variables.EvaluateConditions(log, ctx, copyConditions) {
+		log.V(4).Info("preconditions not satisfied, skipping rule", "rule", rule.Name)
 		return nil
 	}
 	// build rule Response
@@ -44,7 +45,7 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission
 	}
 }
 
-func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) response.EngineResponse {
+func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger) response.EngineResponse {
 	resp := response.EngineResponse{
 		PolicyResponse: response.PolicyResponse{
 			Policy: policy.Name,
@@ -57,7 +58,7 @@ func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	}
 
 	for _, rule := range policy.Spec.Rules {
-		if ruleResp := filterRule(rule, resource, admissionInfo, ctx); ruleResp != nil {
+		if ruleResp := filterRule(rule, resource, admissionInfo, ctx, log); ruleResp != nil {
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp)
 		}
 	}
diff --git a/pkg/engine/mutate/overlayCondition.go b/pkg/engine/mutate/overlayCondition.go
index 134cc23cc0..62232d99da 100755
--- a/pkg/engine/mutate/overlayCondition.go
+++ b/pkg/engine/mutate/overlayCondition.go
@@ -8,6 +8,7 @@ import (
 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/validate"
+	"github.com/nirmata/kyverno/pkg/log"
 )
 
 func meetConditions(resource, overlay interface{}) (string, overlayError) {
@@ -139,7 +140,7 @@ func compareOverlay(resource, overlay interface{}, path string) (string, overlay
 			}
 		}
 	case string, float64, int, int64, bool, nil:
-		if !validate.ValidateValueWithPattern(resource, overlay) {
+		if !validate.ValidateValueWithPattern(log.Log, resource, overlay) {
 			glog.V(4).Infof("Mutate rule: failed validating value %v with overlay %v", resource, overlay)
 			return path, newOverlayError(conditionFailure, fmt.Sprintf("Failed validating value %v with overlay %v", resource, overlay))
 		}
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index d1fab46211..52a356dcb1 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -5,11 +5,12 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/mutate"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
+	"github.com/nirmata/kyverno/pkg/log"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -28,26 +29,25 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 	policy := policyContext.Policy
 	resource := policyContext.NewResource
 	ctx := policyContext.Context
-
+	logger := log.Log.WithName("Mutate").WithValues("policy", policy.Name, "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
+	logger.V(4).Info("start processing", "startTime", startTime)
 	startMutateResultResponse(&resp, policy, resource)
-	glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)
-	defer endMutateResultResponse(&resp, startTime)
+	defer endMutateResultResponse(logger, &resp, startTime)
 
 	patchedResource := policyContext.NewResource
 	for _, rule := range policy.Spec.Rules {
 		var ruleResponse response.RuleResponse
+		logger := logger.WithValues("rule", rule.Name)
 		//TODO: to be checked before calling the resources as well
 		if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) {
 			continue
 		}
-		startTime := time.Now()
-		glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))
 
 		// check if the resource satisfies the filter conditions defined in the rule
 		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
 		// dont statisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo); err != nil {
-			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error())
+			logger.V(4).Info("resource fails the match description")
 			continue
 		}
 
@@ -55,8 +55,8 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		copyConditions := copyConditions(rule.Conditions)
 		// evaluate pre-conditions
 		// - handle variable subsitutions
-		if !variables.EvaluateConditions(ctx, copyConditions) {
-			glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
+		if !variables.EvaluateConditions(logger, ctx, copyConditions) {
+			logger.V(4).Info("resource fails the preconditions")
 			continue
 		}
 
@@ -66,7 +66,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 			overlay := mutation.Overlay
 			// subsiitue the variables
 			var err error
-			if overlay, err = variables.SubstituteVars(ctx, overlay); err != nil {
+			if overlay, err = variables.SubstituteVars(logger, ctx, overlay); err != nil {
 				// variable subsitution failed
 				ruleResponse.Success = false
 				ruleResponse.Message = err.Error()
@@ -78,11 +78,9 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 			if ruleResponse.Success {
 				// - overlay pattern does not match the resource conditions
 				if ruleResponse.Patches == nil {
-					glog.V(4).Infof(ruleResponse.Message)
 					continue
 				}
-
-				glog.V(4).Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+				logger.V(4).Info("overlay applied succesfully")
 			}
 
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
@@ -93,7 +91,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		if rule.Mutation.Patches != nil {
 			var ruleResponse response.RuleResponse
 			ruleResponse, patchedResource = mutate.ProcessPatches(rule, patchedResource)
-			glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+			logger.V(4).Info("patches applied successfully")
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount(&resp)
 		}
@@ -108,12 +106,12 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 			var ruleResponse response.RuleResponse
 			ruleResponse, patchedResource = mutate.ProcessOverlay(rule.Name, podTemplateRule, patchedResource)
 			if !ruleResponse.Success {
-				glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
+				logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
 				continue
 			}
 
 			if ruleResponse.Success && ruleResponse.Patches != nil {
-				glog.V(2).Infof("Inserted annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
+				logger.V(2).Info("inserted annotation for podTemplate")
 				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 			}
 		}
@@ -137,10 +135,9 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
 	// TODO(shuting): set response with mutationFailureAction
 }
 
-func endMutateResultResponse(resp *response.EngineResponse, startTime time.Time) {
+func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse, startTime time.Time) {
 	resp.PolicyResponse.ProcessingTime = time.Since(startTime)
-	glog.V(4).Infof("finished applying mutation rules policy %v (%v)", resp.PolicyResponse.Policy, resp.PolicyResponse.ProcessingTime)
-	glog.V(4).Infof("Mutation Rules appplied count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, resp.PolicyResponse.Policy)
+	logger.V(4).Info("finshed processing", "processingTime", resp.PolicyResponse.ProcessingTime, "mutationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
 }
 
 // podTemplateRule mutate pod template with annotation
diff --git a/pkg/engine/policyContext.go b/pkg/engine/policyContext.go
index 20dd04c52c..3e1f7d22aa 100644
--- a/pkg/engine/policyContext.go
+++ b/pkg/engine/policyContext.go
@@ -1,6 +1,7 @@
 package engine
 
 import (
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -20,4 +21,6 @@ type PolicyContext struct {
 	Client *client.Client
 	// Contexts to store resources
 	Context context.EvalInterface
+	// log
+	log logr.Logger
 }
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index c97b2eccb8..a6c9b39734 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -6,12 +6,11 @@ import (
 	"reflect"
 	"time"
 
+	"github.com/nirmata/kyverno/pkg/log"
 	"github.com/nirmata/kyverno/pkg/utils"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 
-	"github.com/golang/glog"
-
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -53,7 +52,7 @@ func checkNameSpace(namespaces []string, resourceNameSpace string) bool {
 func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[string]string) (bool, error) {
 	selector, err := metav1.LabelSelectorAsSelector(labelSelector)
 	if err != nil {
-		glog.Error(err)
+		log.Log.Error(err, "failed to build label selector")
 		return false, err
 	}
 
diff --git a/pkg/engine/validate/pattern.go b/pkg/engine/validate/pattern.go
index e7b37283bd..7779f9b6ca 100644
--- a/pkg/engine/validate/pattern.go
+++ b/pkg/engine/validate/pattern.go
@@ -1,12 +1,13 @@
 package validate
 
 import (
+	"fmt"
 	"math"
 	"regexp"
 	"strconv"
 	"strings"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	"github.com/nirmata/kyverno/pkg/engine/operator"
 	apiresource "k8s.io/apimachinery/pkg/api/resource"
@@ -21,52 +22,52 @@ const (
 )
 
 // ValidateValueWithPattern validates value with operators and wildcards
-func ValidateValueWithPattern(value, pattern interface{}) bool {
+func ValidateValueWithPattern(log logr.Logger, value, pattern interface{}) bool {
 	switch typedPattern := pattern.(type) {
 	case bool:
 		typedValue, ok := value.(bool)
 		if !ok {
-			glog.V(4).Infof("Expected bool, found %T", value)
+			log.V(4).Info("Expected type bool", "type", fmt.Sprintf("%T", value), "value", value)
 			return false
 		}
 		return typedPattern == typedValue
 	case int:
-		return validateValueWithIntPattern(value, int64(typedPattern))
+		return validateValueWithIntPattern(log, value, int64(typedPattern))
 	case int64:
-		return validateValueWithIntPattern(value, typedPattern)
+		return validateValueWithIntPattern(log, value, typedPattern)
 	case float64:
-		return validateValueWithFloatPattern(value, typedPattern)
+		return validateValueWithFloatPattern(log, value, typedPattern)
 	case string:
-		return validateValueWithStringPatterns(value, typedPattern)
+		return validateValueWithStringPatterns(log, value, typedPattern)
 	case nil:
-		return validateValueWithNilPattern(value)
+		return validateValueWithNilPattern(log, value)
 	case map[string]interface{}:
 		// TODO: check if this is ever called?
-		return validateValueWithMapPattern(value, typedPattern)
+		return validateValueWithMapPattern(log, value, typedPattern)
 	case []interface{}:
 		// TODO: check if this is ever called?
-		glog.Warning("Arrays as patterns are not supported")
+		log.Info("arrays as patterns is not supported")
 		return false
 	default:
-		glog.Warningf("Unknown type as pattern: %v", typedPattern)
+		log.Info("Unkown type", "type", fmt.Sprintf("%T", typedPattern), "value", typedPattern)
 		return false
 	}
 }
 
-func validateValueWithMapPattern(value interface{}, typedPattern map[string]interface{}) bool {
+func validateValueWithMapPattern(log logr.Logger, value interface{}, typedPattern map[string]interface{}) bool {
 	// verify the type of the resource value is map[string]interface,
 	// we only check for existence of object, not the equality of content and value
 	//TODO: check if adding
 	_, ok := value.(map[string]interface{})
 	if !ok {
-		glog.Warningf("Expected map[string]interface{}, found %T\n", value)
+		log.Info("Expected type map[string]interface{}", "type", fmt.Sprintf("%T", value), "value", value)
 		return false
 	}
 	return true
 }
 
 // Handler for int values during validation process
-func validateValueWithIntPattern(value interface{}, pattern int64) bool {
+func validateValueWithIntPattern(log logr.Logger, value interface{}, pattern int64) bool {
 	switch typedValue := value.(type) {
 	case int:
 		return int64(typedValue) == pattern
@@ -78,38 +79,38 @@ func validateValueWithIntPattern(value interface{}, pattern int64) bool {
 			return int64(typedValue) == pattern
 		}
 
-		glog.Warningf("Expected int, found float: %f\n", typedValue)
+		log.Info("Expected type int", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
 		return false
 	case string:
 		// extract int64 from string
 		int64Num, err := strconv.ParseInt(typedValue, 10, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse int64 from string: %v", err)
+			log.Error(err, "Failed to parse int64 from string")
 			return false
 		}
 		return int64Num == pattern
 	default:
-		glog.Warningf("Expected int, found: %T\n", value)
+		log.Info("Expected type int", "type", fmt.Sprintf("%T", value), "value", value)
 		return false
 	}
 }
 
 // Handler for float values during validation process
-func validateValueWithFloatPattern(value interface{}, pattern float64) bool {
+func validateValueWithFloatPattern(log logr.Logger, value interface{}, pattern float64) bool {
 	switch typedValue := value.(type) {
 	case int:
 		// check that float has no fraction
 		if pattern == math.Trunc(pattern) {
 			return int(pattern) == value
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		log.Info("Expected type float", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
 		return false
 	case int64:
 		// check that float has no fraction
 		if pattern == math.Trunc(pattern) {
 			return int64(pattern) == value
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		log.Info("Expected type float", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
 		return false
 	case float64:
 		return typedValue == pattern
@@ -117,18 +118,18 @@ func validateValueWithFloatPattern(value interface{}, pattern float64) bool {
 		// extract float64 from string
 		float64Num, err := strconv.ParseFloat(typedValue, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse float64 from string: %v", err)
+			log.Error(err, "Failed to parse float64 from string")
 			return false
 		}
 		return float64Num == pattern
 	default:
-		glog.Warningf("Expected float, found: %T\n", value)
+		log.Info("Expected type float", "type", fmt.Sprintf("%T", value), "value", value)
 		return false
 	}
 }
 
 // Handler for nil values during validation process
-func validateValueWithNilPattern(value interface{}) bool {
+func validateValueWithNilPattern(log logr.Logger, value interface{}) bool {
 	switch typed := value.(type) {
 	case float64:
 		return typed == 0.0
@@ -143,20 +144,20 @@ func validateValueWithNilPattern(value interface{}) bool {
 	case nil:
 		return true
 	case map[string]interface{}, []interface{}:
-		glog.Warningf("Maps and arrays could not be checked with nil pattern")
+		log.Info("Maps and arrays could not be checked with nil pattern")
 		return false
 	default:
-		glog.Warningf("Unknown type as value when checking for nil pattern: %T\n", value)
+		log.Info("Unknown type as value when checking for nil pattern", "type", fmt.Sprintf("%T", value), "value", value)
 		return false
 	}
 }
 
 // Handler for pattern values during validation process
-func validateValueWithStringPatterns(value interface{}, pattern string) bool {
+func validateValueWithStringPatterns(log logr.Logger, value interface{}, pattern string) bool {
 	statements := strings.Split(pattern, "|")
 	for _, statement := range statements {
 		statement = strings.Trim(statement, " ")
-		if validateValueWithStringPattern(value, statement) {
+		if validateValueWithStringPattern(log, value, statement) {
 			return true
 		}
 	}
@@ -166,24 +167,24 @@ func validateValueWithStringPatterns(value interface{}, pattern string) bool {
 
 // Handler for single pattern value during validation process
 // Detects if pattern has a number
-func validateValueWithStringPattern(value interface{}, pattern string) bool {
+func validateValueWithStringPattern(log logr.Logger, value interface{}, pattern string) bool {
 	operator := operator.GetOperatorFromStringPattern(pattern)
 	pattern = pattern[len(operator):]
 	number, str := getNumberAndStringPartsFromPattern(pattern)
 
 	if "" == number {
-		return validateString(value, str, operator)
+		return validateString(log, value, str, operator)
 	}
 
-	return validateNumberWithStr(value, pattern, operator)
+	return validateNumberWithStr(log, value, pattern, operator)
 }
 
 // Handler for string values
-func validateString(value interface{}, pattern string, operatorVariable operator.Operator) bool {
+func validateString(log logr.Logger, value interface{}, pattern string, operatorVariable operator.Operator) bool {
 	if operator.NotEqual == operatorVariable || operator.Equal == operatorVariable {
 		strValue, ok := value.(string)
 		if !ok {
-			glog.Warningf("Expected string, found %T\n", value)
+			log.Info("Expected type string", "type", fmt.Sprintf("%T", value), "value", value)
 			return false
 		}
 
@@ -195,17 +196,16 @@ func validateString(value interface{}, pattern string, operatorVariable operator
 
 		return wildcardResult
 	}
-
-	glog.Warningf("Operators >, >=, <, <= are not applicable to strings")
+	log.Info("Operators >, >=, <, <= are not applicable to strings")
 	return false
 }
 
 // validateNumberWithStr compares quantity if pattern type is quantity
 //  or a wildcard match to pattern string
-func validateNumberWithStr(value interface{}, pattern string, operator operator.Operator) bool {
+func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, operator operator.Operator) bool {
 	typedValue, err := convertToString(value)
 	if err != nil {
-		glog.Warning(err)
+		log.Error(err, "failed to convert to string")
 		return false
 	}
 
@@ -214,7 +214,7 @@ func validateNumberWithStr(value interface{}, pattern string, operator operator.
 	if err == nil {
 		valueQuan, err := apiresource.ParseQuantity(typedValue)
 		if err != nil {
-			glog.Warningf("Invalid quantity in resource %s, err: %v\n", typedValue, err)
+			log.Error(err, "invalid quantity in resource", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
 			return false
 		}
 
@@ -223,7 +223,7 @@ func validateNumberWithStr(value interface{}, pattern string, operator operator.
 
 	// 2. wildcard match
 	if !wildcard.Match(pattern, typedValue) {
-		glog.Warningf("Value '%s' has not passed wildcard check: %s", typedValue, pattern)
+		log.Info("value failed wildcard check", "type", fmt.Sprintf("%T", typedValue), "value", typedValue, "check", pattern)
 		return false
 	}
 	return true
diff --git a/pkg/engine/validate/pattern_test.go b/pkg/engine/validate/pattern_test.go
index 8ee4e34881..6783376aeb 100644
--- a/pkg/engine/validate/pattern_test.go
+++ b/pkg/engine/validate/pattern_test.go
@@ -5,14 +5,15 @@ import (
 	"testing"
 
 	"github.com/nirmata/kyverno/pkg/engine/operator"
+	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
 )
 
 func TestValidateValueWithPattern_Bool(t *testing.T) {
-	assert.Assert(t, ValidateValueWithPattern(true, true))
-	assert.Assert(t, !ValidateValueWithPattern(true, false))
-	assert.Assert(t, !ValidateValueWithPattern(false, true))
-	assert.Assert(t, ValidateValueWithPattern(false, false))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, true, true))
+	assert.Assert(t, !ValidateValueWithPattern(log.Log, true, false))
+	assert.Assert(t, !ValidateValueWithPattern(log.Log, false, true))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, false, false))
 }
 
 func TestValidateString_AsteriskTest(t *testing.T) {
@@ -20,8 +21,8 @@ func TestValidateString_AsteriskTest(t *testing.T) {
 	value := "anything"
 	empty := ""
 
-	assert.Assert(t, validateString(value, pattern, operator.Equal))
-	assert.Assert(t, validateString(empty, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, empty, pattern, operator.Equal))
 }
 
 func TestValidateString_LeftAsteriskTest(t *testing.T) {
@@ -29,32 +30,32 @@ func TestValidateString_LeftAsteriskTest(t *testing.T) {
 	value := "leftright"
 	right := "right"
 
-	assert.Assert(t, validateString(value, pattern, operator.Equal))
-	assert.Assert(t, validateString(right, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, right, pattern, operator.Equal))
 
 	value = "leftmiddle"
 	middle := "middle"
 
-	assert.Assert(t, !validateString(value, pattern, operator.Equal))
-	assert.Assert(t, !validateString(middle, pattern, operator.Equal))
+	assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, !validateString(log.Log, middle, pattern, operator.Equal))
 }
 
 func TestValidateString_MiddleAsteriskTest(t *testing.T) {
 	pattern := "ab*ba"
 	value := "abbeba"
-	assert.Assert(t, validateString(value, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
 
 	value = "abbca"
-	assert.Assert(t, !validateString(value, pattern, operator.Equal))
+	assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal))
 }
 
 func TestValidateString_QuestionMark(t *testing.T) {
 	pattern := "ab?ba"
 	value := "abbba"
-	assert.Assert(t, validateString(value, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
 
 	value = "abbbba"
-	assert.Assert(t, !validateString(value, pattern, operator.Equal))
+	assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal))
 }
 
 func TestValidateValueWithPattern_BoolInJson(t *testing.T) {
@@ -76,7 +77,7 @@ func TestValidateValueWithPattern_BoolInJson(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternStringValue(t *testing.T) {
@@ -98,7 +99,7 @@ func TestValidateValueWithPattern_NullPatternStringValue(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, !ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, !ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultString(t *testing.T) {
@@ -120,7 +121,7 @@ func TestValidateValueWithPattern_NullPatternDefaultString(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultFloat(t *testing.T) {
@@ -142,7 +143,7 @@ func TestValidateValueWithPattern_NullPatternDefaultFloat(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultInt(t *testing.T) {
@@ -164,7 +165,7 @@ func TestValidateValueWithPattern_NullPatternDefaultInt(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultBool(t *testing.T) {
@@ -186,77 +187,77 @@ func TestValidateValueWithPattern_NullPatternDefaultBool(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_StringsLogicalOr(t *testing.T) {
 	pattern := "192.168.88.1 | 10.100.11.*"
 	value := "10.100.11.54"
-	assert.Assert(t, ValidateValueWithPattern(value, pattern))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value, pattern))
 }
 
 func TestValidateValueWithPattern_EqualTwoFloats(t *testing.T) {
-	assert.Assert(t, ValidateValueWithPattern(7.0, 7.000))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, 7.0, 7.000))
 }
 
 func TestValidateValueWithNilPattern_NullPatternStringValue(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern("value"))
+	assert.Assert(t, !validateValueWithNilPattern(log.Log, "value"))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultString(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(""))
+	assert.Assert(t, validateValueWithNilPattern(log.Log, ""))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultFloat(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(0.0))
+	assert.Assert(t, validateValueWithNilPattern(log.Log, 0.0))
 }
 
 func TestValidateValueWithNilPattern_NullPatternFloat(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(0.1))
+	assert.Assert(t, !validateValueWithNilPattern(log.Log, 0.1))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultInt(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(0))
+	assert.Assert(t, validateValueWithNilPattern(log.Log, 0))
 }
 
 func TestValidateValueWithNilPattern_NullPatternInt(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(1))
+	assert.Assert(t, !validateValueWithNilPattern(log.Log, 1))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultBool(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(false))
+	assert.Assert(t, validateValueWithNilPattern(log.Log, false))
 }
 
 func TestValidateValueWithNilPattern_NullPatternTrueBool(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(true))
+	assert.Assert(t, !validateValueWithNilPattern(log.Log, true))
 }
 
 func TestValidateValueWithFloatPattern_FloatValue(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(7.9914, 7.9914))
+	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.9914, 7.9914))
 }
 
 func TestValidateValueWithFloatPattern_FloatValueNotPass(t *testing.T) {
-	assert.Assert(t, !validateValueWithFloatPattern(7.9914, 7.99141))
+	assert.Assert(t, !validateValueWithFloatPattern(log.Log, 7.9914, 7.99141))
 }
 
 func TestValidateValueWithFloatPattern_FloatPatternWithoutFractionIntValue(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(7, 7.000000))
+	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7, 7.000000))
 }
 
 func TestValidateValueWithFloatPattern_FloatPatternWithoutFraction(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(7.000000, 7.000000))
+	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.000000, 7.000000))
 }
 
 func TestValidateValueWithIntPattern_FloatValueWithoutFraction(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(7.000000, 7))
+	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.000000, 7))
 }
 
 func TestValidateValueWithIntPattern_FloatValueWitFraction(t *testing.T) {
-	assert.Assert(t, !validateValueWithFloatPattern(7.000001, 7))
+	assert.Assert(t, !validateValueWithFloatPattern(log.Log, 7.000001, 7))
 }
 
 func TestValidateValueWithIntPattern_NotPass(t *testing.T) {
-	assert.Assert(t, !validateValueWithFloatPattern(8, 7))
+	assert.Assert(t, !validateValueWithFloatPattern(log.Log, 8, 7))
 }
 
 func TestGetNumberAndStringPartsFromPattern_NumberAndString(t *testing.T) {
@@ -290,35 +291,35 @@ func TestGetNumberAndStringPartsFromPattern_Empty(t *testing.T) {
 }
 
 func TestValidateNumberWithStr_LessFloatAndInt(t *testing.T) {
-	assert.Assert(t, validateNumberWithStr(7.00001, "7.000001", operator.More))
-	assert.Assert(t, validateNumberWithStr(7.00001, "7", operator.NotEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, 7.00001, "7.000001", operator.More))
+	assert.Assert(t, validateNumberWithStr(log.Log, 7.00001, "7", operator.NotEqual))
 
-	assert.Assert(t, validateNumberWithStr(7.0000, "7", operator.Equal))
-	assert.Assert(t, !validateNumberWithStr(6.000000001, "6", operator.Less))
+	assert.Assert(t, validateNumberWithStr(log.Log, 7.0000, "7", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(log.Log, 6.000000001, "6", operator.Less))
 }
 
 func TestValidateQuantity_InvalidQuantity(t *testing.T) {
-	assert.Assert(t, !validateNumberWithStr("1024Gi", "", operator.Equal))
-	assert.Assert(t, !validateNumberWithStr("gii", "1024Gi", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(log.Log, "1024Gi", "", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(log.Log, "gii", "1024Gi", operator.Equal))
 }
 
 func TestValidateQuantity_Equal(t *testing.T) {
-	assert.Assert(t, validateNumberWithStr("1024Gi", "1024Gi", operator.Equal))
-	assert.Assert(t, validateNumberWithStr("1024Mi", "1Gi", operator.Equal))
-	assert.Assert(t, validateNumberWithStr("0.2", "200m", operator.Equal))
-	assert.Assert(t, validateNumberWithStr("500", "500", operator.Equal))
-	assert.Assert(t, !validateNumberWithStr("2048", "1024", operator.Equal))
-	assert.Assert(t, validateNumberWithStr(1024, "1024", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1024Gi", "1024Gi", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1024Mi", "1Gi", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, "0.2", "200m", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, "500", "500", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(log.Log, "2048", "1024", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, 1024, "1024", operator.Equal))
 }
 
 func TestValidateQuantity_Operation(t *testing.T) {
-	assert.Assert(t, validateNumberWithStr("1Gi", "1000Mi", operator.More))
-	assert.Assert(t, validateNumberWithStr("1G", "1Gi", operator.Less))
-	assert.Assert(t, validateNumberWithStr("500m", "0.5", operator.MoreEqual))
-	assert.Assert(t, validateNumberWithStr("1", "500m", operator.MoreEqual))
-	assert.Assert(t, validateNumberWithStr("0.5", ".5", operator.LessEqual))
-	assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.LessEqual))
-	assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.NotEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1Gi", "1000Mi", operator.More))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1G", "1Gi", operator.Less))
+	assert.Assert(t, validateNumberWithStr(log.Log, "500m", "0.5", operator.MoreEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1", "500m", operator.MoreEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "0.5", ".5", operator.LessEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "0.2", ".5", operator.LessEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "0.2", ".5", operator.NotEqual))
 }
 
 func TestGetOperatorFromStringPattern_OneChar(t *testing.T) {
diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go
index 9d94f07789..a3764cce22 100644
--- a/pkg/engine/validate/validate.go
+++ b/pkg/engine/validate/validate.go
@@ -8,15 +8,15 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/operator"
 )
 
 // ValidateResourceWithPattern is a start of element-by-element validation process
 // It assumes that validation is started from root, so "/" is passed
-func ValidateResourceWithPattern(resource, pattern interface{}) (string, error) {
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+func ValidateResourceWithPattern(log logr.Logger, resource, pattern interface{}) (string, error) {
+	path, err := validateResourceElement(log, resource, pattern, pattern, "/")
 	if err != nil {
 		return path, err
 	}
@@ -27,44 +27,44 @@ func ValidateResourceWithPattern(resource, pattern interface{}) (string, error)
 // validateResourceElement detects the element type (map, array, nil, string, int, bool, float)
 // and calls corresponding handler
 // Pattern tree and resource tree can have different structure. In this case validation fails
-func validateResourceElement(resourceElement, patternElement, originPattern interface{}, path string) (string, error) {
+func validateResourceElement(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string) (string, error) {
 	var err error
 	switch typedPatternElement := patternElement.(type) {
 	// map
 	case map[string]interface{}:
 		typedResourceElement, ok := resourceElement.(map[string]interface{})
 		if !ok {
-			glog.V(4).Infof("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement)
+			log.V(4).Info("Pattern and resource have different structures.", "path", path, "expected", fmt.Sprintf("%T", patternElement), "current", fmt.Sprintf("%T", resourceElement))
 			return path, fmt.Errorf("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement)
 		}
 
-		return validateMap(typedResourceElement, typedPatternElement, originPattern, path)
+		return validateMap(log, typedResourceElement, typedPatternElement, originPattern, path)
 	// array
 	case []interface{}:
 		typedResourceElement, ok := resourceElement.([]interface{})
 		if !ok {
-			glog.V(4).Infof("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement)
+			log.V(4).Info("Pattern and resource have different structures.", "path", path, "expected", fmt.Sprintf("%T", patternElement), "current", fmt.Sprintf("%T", resourceElement))
 			return path, fmt.Errorf("Validation rule Failed at path %s, resource does not satisfy the expected overlay pattern", path)
 		}
 
-		return validateArray(typedResourceElement, typedPatternElement, originPattern, path)
+		return validateArray(log, typedResourceElement, typedPatternElement, originPattern, path)
 	// elementary values
 	case string, float64, int, int64, bool, nil:
 		/*Analyze pattern */
 		if checkedPattern := reflect.ValueOf(patternElement); checkedPattern.Kind() == reflect.String {
 			if isStringIsReference(checkedPattern.String()) { //check for $ anchor
-				patternElement, err = actualizePattern(originPattern, checkedPattern.String(), path)
+				patternElement, err = actualizePattern(log, originPattern, checkedPattern.String(), path)
 				if err != nil {
 					return path, err
 				}
 			}
 		}
-		if !ValidateValueWithPattern(resourceElement, patternElement) {
+		if !ValidateValueWithPattern(log, resourceElement, patternElement) {
 			return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement)
 		}
 
 	default:
-		glog.V(4).Infof("Pattern contains unknown type %T. Path: %s", patternElement, path)
+		log.V(4).Info("Pattern contains unknown type", "path", path, "current", fmt.Sprintf("%T", patternElement))
 		return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path)
 	}
 	return "", nil
@@ -72,7 +72,7 @@ func validateResourceElement(resourceElement, patternElement, originPattern inte
 
 // If validateResourceElement detects map element inside resource and pattern trees, it goes to validateMap
 // For each element of the map we must detect the type again, so we pass these elements to validateResourceElement
-func validateMap(resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string) (string, error) {
+func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string) (string, error) {
 	// check if there is anchor in pattern
 	// Phase 1 : Evaluate all the anchors
 	// Phase 2 : Evaluate non-anchors
@@ -91,7 +91,7 @@ func validateMap(resourceMap, patternMap map[string]interface{}, origPattern int
 		if err != nil {
 			// If Conditional anchor fails then we dont process the resources
 			if anchor.IsConditionAnchor(key) {
-				glog.V(4).Infof("condition anchor did not satisfy, wont process the resources: %s", err)
+				log.Error(err, "condition anchor did not satisfy, wont process the resource")
 				return "", nil
 			}
 			return handlerPath, err
@@ -109,7 +109,7 @@ func validateMap(resourceMap, patternMap map[string]interface{}, origPattern int
 	return "", nil
 }
 
-func validateArray(resourceArray, patternArray []interface{}, originPattern interface{}, path string) (string, error) {
+func validateArray(log logr.Logger, resourceArray, patternArray []interface{}, originPattern interface{}, path string) (string, error) {
 
 	if 0 == len(patternArray) {
 		return path, fmt.Errorf("Pattern Array empty")
@@ -119,7 +119,7 @@ func validateArray(resourceArray, patternArray []interface{}, originPattern inte
 	case map[string]interface{}:
 		// This is special case, because maps in arrays can have anchors that must be
 		// processed with the special way affecting the entire array
-		path, err := validateArrayOfMaps(resourceArray, typedPatternElement, originPattern, path)
+		path, err := validateArrayOfMaps(log, resourceArray, typedPatternElement, originPattern, path)
 		if err != nil {
 			return path, err
 		}
@@ -127,7 +127,7 @@ func validateArray(resourceArray, patternArray []interface{}, originPattern inte
 		// In all other cases - detect type and handle each array element with validateResourceElement
 		for i, patternElement := range patternArray {
 			currentPath := path + strconv.Itoa(i) + "/"
-			path, err := validateResourceElement(resourceArray[i], patternElement, originPattern, currentPath)
+			path, err := validateResourceElement(log, resourceArray[i], patternElement, originPattern, currentPath)
 			if err != nil {
 				return path, err
 			}
@@ -137,7 +137,7 @@ func validateArray(resourceArray, patternArray []interface{}, originPattern inte
 	return "", nil
 }
 
-func actualizePattern(origPattern interface{}, referencePattern, absolutePath string) (interface{}, error) {
+func actualizePattern(log logr.Logger, origPattern interface{}, referencePattern, absolutePath string) (interface{}, error) {
 	var foundValue interface{}
 
 	referencePattern = strings.Trim(referencePattern, "$()")
@@ -155,7 +155,7 @@ func actualizePattern(origPattern interface{}, referencePattern, absolutePath st
 	// value :=
 	actualPath := formAbsolutePath(referencePattern, absolutePath)
 
-	valFromReference, err := getValueFromReference(origPattern, actualPath)
+	valFromReference, err := getValueFromReference(log, origPattern, actualPath)
 	if err != nil {
 		return err, nil
 	}
@@ -196,15 +196,15 @@ func formAbsolutePath(referencePath, absolutePath string) string {
 }
 
 //Prepares original pattern, path to value, and call traverse function
-func getValueFromReference(origPattern interface{}, reference string) (interface{}, error) {
+func getValueFromReference(log logr.Logger, origPattern interface{}, reference string) (interface{}, error) {
 	originalPatternMap := origPattern.(map[string]interface{})
 	reference = reference[1:]
 	statements := strings.Split(reference, "/")
 
-	return getValueFromPattern(originalPatternMap, statements, 0)
+	return getValueFromPattern(log, originalPatternMap, statements, 0)
 }
 
-func getValueFromPattern(patternMap map[string]interface{}, keys []string, currentKeyIndex int) (interface{}, error) {
+func getValueFromPattern(log logr.Logger, patternMap map[string]interface{}, keys []string, currentKeyIndex int) (interface{}, error) {
 
 	for key, pattern := range patternMap {
 		rawKey := getRawKeyIfWrappedWithAttributes(key)
@@ -221,11 +221,11 @@ func getValueFromPattern(patternMap map[string]interface{}, keys []string, curre
 				for i, value := range typedPattern {
 					resourceMap, ok := value.(map[string]interface{})
 					if !ok {
-						glog.V(4).Infof("Pattern and resource have different structures. Expected %T, found %T", pattern, value)
+						log.V(4).Info("Pattern and resource have different structures.", "expected", fmt.Sprintf("%T", pattern), "current", fmt.Sprintf("%T", value))
 						return nil, fmt.Errorf("Validation rule failed, resource does not have expected pattern %v", patternMap)
 					}
 					if keys[currentKeyIndex+1] == strconv.Itoa(i) {
-						return getValueFromPattern(resourceMap, keys, currentKeyIndex+2)
+						return getValueFromPattern(log, resourceMap, keys, currentKeyIndex+2)
 					}
 					return nil, errors.New("Reference to non-existent place in the document")
 				}
@@ -233,7 +233,7 @@ func getValueFromPattern(patternMap map[string]interface{}, keys []string, curre
 			return nil, errors.New("Reference to non-existent place in the document")
 		case map[string]interface{}:
 			if keys[currentKeyIndex] == rawKey {
-				return getValueFromPattern(typedPattern, keys, currentKeyIndex+1)
+				return getValueFromPattern(log, typedPattern, keys, currentKeyIndex+1)
 			}
 			return nil, errors.New("Reference to non-existent place in the document")
 		case string, float64, int, int64, bool, nil:
@@ -251,12 +251,12 @@ func getValueFromPattern(patternMap map[string]interface{}, keys []string, curre
 
 // validateArrayOfMaps gets anchors from pattern array map element, applies anchors logic
 // and then validates each map due to the pattern
-func validateArrayOfMaps(resourceMapArray []interface{}, patternMap map[string]interface{}, originPattern interface{}, path string) (string, error) {
+func validateArrayOfMaps(log logr.Logger, resourceMapArray []interface{}, patternMap map[string]interface{}, originPattern interface{}, path string) (string, error) {
 	for i, resourceElement := range resourceMapArray {
 		// check the types of resource element
 		// expect it to be map, but can be anything ?:(
 		currentPath := path + strconv.Itoa(i) + "/"
-		returnpath, err := validateResourceElement(resourceElement, patternMap, originPattern, currentPath)
+		returnpath, err := validateResourceElement(log, resourceElement, patternMap, originPattern, currentPath)
 		if err != nil {
 			return returnpath, err
 		}
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index acabd87ac1..bf18787324 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"testing"
 
+	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
 )
 
@@ -100,7 +101,7 @@ func TestValidateMap(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -196,7 +197,7 @@ func TestValidateMap_AsteriskForInt(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	t.Log(path)
 	assert.NilError(t, err)
 }
@@ -289,7 +290,7 @@ func TestValidateMap_AsteriskForMap(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -377,7 +378,7 @@ func TestValidateMap_AsteriskForArray(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -468,7 +469,7 @@ func TestValidateMap_AsteriskFieldIsMissing(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/template/spec/containers/0/")
 	assert.Assert(t, err != nil)
 }
@@ -559,7 +560,7 @@ func TestValidateMap_livenessProbeIsNull(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	json.Unmarshal(rawMap, &resource)
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -649,7 +650,7 @@ func TestValidateMap_livenessProbeIsMissing(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -695,7 +696,7 @@ func TestValidateMapElement_TwoElementsInArrayOnePass(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	// assert.Equal(t, path, "/1/object/0/key2/")
 	// assert.NilError(t, err)
@@ -730,7 +731,7 @@ func TestValidateMapElement_OneElementInArrayPass(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -784,7 +785,7 @@ func TestValidateMap_CorrectRelativePathInConfig(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -838,7 +839,7 @@ func TestValidateMap_RelativePathDoesNotExists(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -892,7 +893,7 @@ func TestValidateMap_OnlyAnchorsInPath(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -946,7 +947,7 @@ func TestValidateMap_MalformedReferenceOnlyDolarMark(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -1000,7 +1001,7 @@ func TestValidateMap_RelativePathWithParentheses(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -1054,7 +1055,7 @@ func TestValidateMap_MalformedPath(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -1108,7 +1109,7 @@ func TestValidateMap_AbosolutePathExists(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.Assert(t, err == nil)
 }
@@ -1149,7 +1150,7 @@ func TestValidateMap_AbsolutePathToMetadata(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.Assert(t, err == nil)
 }
@@ -1191,7 +1192,7 @@ func TestValidateMap_AbsolutePathToMetadata_fail(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/image/")
 	assert.Assert(t, err != nil)
 }
@@ -1245,7 +1246,7 @@ func TestValidateMap_AbosolutePathDoesNotExists(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -1276,7 +1277,7 @@ func TestActualizePattern_GivenRelativePathThatExists(t *testing.T) {
 
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 
-	pattern, err := actualizePattern(pattern, referencePath, absolutePath)
+	pattern, err := actualizePattern(log.Log, pattern, referencePath, absolutePath)
 
 	assert.Assert(t, err == nil)
 }
@@ -1347,7 +1348,7 @@ func TestValidateMapElement_OneElementInArrayNotPass(t *testing.T) {
 	json.Unmarshal(rawPattern, &pattern)
 	json.Unmarshal(rawMap, &resource)
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/0/object/0/key2/")
 	assert.Assert(t, err != nil)
 }
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index de05323f87..eb94649361 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -5,13 +5,14 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"github.com/nirmata/kyverno/pkg/engine/validate"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
+	"github.com/nirmata/kyverno/pkg/log"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -23,17 +24,18 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 	oldR := policyContext.OldResource
 	ctx := policyContext.Context
 	admissionInfo := policyContext.AdmissionInfo
+	logger := log.Log.WithName("Validate").WithValues("policy", policy.Name, "kind", newR.GetKind(), "namespace", newR.GetNamespace(), "name", newR.GetName())
 
 	// policy information
-	glog.V(4).Infof("started applying validation rules of policy %q (%v)", policy.Name, startTime)
+	logger.V(4).Info("start processing", "startTime", startTime)
 
 	// Process new & old resource
 	if reflect.DeepEqual(oldR, unstructured.Unstructured{}) {
 		// Create Mode
 		// Operate on New Resource only
-		resp := validateResource(ctx, policy, newR, admissionInfo)
+		resp := validateResource(logger, ctx, policy, newR, admissionInfo)
 		startResultResponse(resp, policy, newR)
-		defer endResultResponse(resp, startTime)
+		defer endResultResponse(logger, resp, startTime)
 		// set PatchedResource with origin resource if empty
 		// in order to create policy violation
 		if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
@@ -44,14 +46,14 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 	// Update Mode
 	// Operate on New and Old Resource only
 	// New resource
-	oldResponse := validateResource(ctx, policy, oldR, admissionInfo)
-	newResponse := validateResource(ctx, policy, newR, admissionInfo)
+	oldResponse := validateResource(logger, ctx, policy, oldR, admissionInfo)
+	newResponse := validateResource(logger, ctx, policy, newR, admissionInfo)
 
 	// if the old and new response is same then return empty response
 	if !isSameResponse(oldResponse, newResponse) {
 		// there are changes send response
 		startResultResponse(newResponse, policy, newR)
-		defer endResultResponse(newResponse, startTime)
+		defer endResultResponse(logger, newResponse, startTime)
 		if reflect.DeepEqual(newResponse.PatchedResource, unstructured.Unstructured{}) {
 			newResponse.PatchedResource = newR
 		}
@@ -73,10 +75,9 @@ func startResultResponse(resp *response.EngineResponse, policy kyverno.ClusterPo
 	resp.PolicyResponse.ValidationFailureAction = policy.Spec.ValidationFailureAction
 }
 
-func endResultResponse(resp *response.EngineResponse, startTime time.Time) {
+func endResultResponse(log logr.Logger, resp *response.EngineResponse, startTime time.Time) {
 	resp.PolicyResponse.ProcessingTime = time.Since(startTime)
-	glog.V(4).Infof("Finished applying validation rules policy %v (%v)", resp.PolicyResponse.Policy, resp.PolicyResponse.ProcessingTime)
-	glog.V(4).Infof("Validation Rules appplied successfully count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, resp.PolicyResponse.Policy)
+	log.V(4).Info("finshed processing", "processingTime", resp.PolicyResponse.ProcessingTime, "validationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
 }
 
 func incrementAppliedCount(resp *response.EngineResponse) {
@@ -84,20 +85,18 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 	resp.PolicyResponse.RulesAppliedCount++
 }
 
-func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
+func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
 	resp := &response.EngineResponse{}
 	for _, rule := range policy.Spec.Rules {
 		if !rule.HasValidate() {
 			continue
 		}
-		startTime := time.Now()
-		glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime))
 
 		// check if the resource satisfies the filter conditions defined in the rule
 		// TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
 		// dont statisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
-			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error())
+			log.V(4).Info("resource fails the match description")
 			continue
 		}
 
@@ -105,13 +104,13 @@ func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, r
 		copyConditions := copyConditions(rule.Conditions)
 		// evaluate pre-conditions
 		// - handle variable subsitutions
-		if !variables.EvaluateConditions(ctx, copyConditions) {
-			glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
+		if !variables.EvaluateConditions(log, ctx, copyConditions) {
+			log.V(4).Info("resource fails the preconditions")
 			continue
 		}
 
 		if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
-			ruleResponse := validatePatterns(ctx, resource, rule)
+			ruleResponse := validatePatterns(log, ctx, resource, rule)
 			incrementAppliedCount(resp)
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 		}
@@ -159,14 +158,15 @@ func isSameRules(oldRules []response.RuleResponse, newRules []response.RuleRespo
 }
 
 // validatePatterns validate pattern and anyPattern
-func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) {
+func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) {
 	startTime := time.Now()
-	glog.V(4).Infof("started applying validation rule %q (%v)", rule.Name, startTime)
+	logger := log.WithValues("rule", rule.Name)
+	logger.V(4).Info("start processing rule", "startTime", startTime)
 	resp.Name = rule.Name
 	resp.Type = utils.Validation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		glog.V(4).Infof("finished applying validation rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
+		logger.V(4).Info("finshed processing", "processingTime", resp.RuleStats.ProcessingTime)
 	}()
 	// work on a copy of validation rule
 	validationRule := rule.Validation.DeepCopy()
@@ -176,7 +176,7 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 		// substitute variables in the pattern
 		pattern := validationRule.Pattern
 		var err error
-		if pattern, err = variables.SubstituteVars(ctx, pattern); err != nil {
+		if pattern, err = variables.SubstituteVars(logger, ctx, pattern); err != nil {
 			// variable subsitution failed
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Validation error: %s; Validation rule '%s' failed. '%s'",
@@ -184,7 +184,7 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 			return resp
 		}
 
-		if path, err := validate.ValidateResourceWithPattern(resource.Object, pattern); err != nil {
+		if path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern); err != nil {
 			// validation failed
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Validation error: %s; Validation rule '%s' failed at path '%s'",
@@ -192,7 +192,7 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 			return resp
 		}
 		// rule application successful
-		glog.V(4).Infof("rule %s pattern validated successfully on resource %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+		logger.V(4).Info("successfully processed rule")
 		resp.Success = true
 		resp.Message = fmt.Sprintf("Validation rule '%s' succeeded.", rule.Name)
 		return resp
@@ -203,19 +203,18 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 		var failedAnyPatternsErrors []error
 		var err error
 		for idx, pattern := range validationRule.AnyPattern {
-			if pattern, err = variables.SubstituteVars(ctx, pattern); err != nil {
+			if pattern, err = variables.SubstituteVars(logger, ctx, pattern); err != nil {
 				// variable subsitution failed
 				failedSubstitutionsErrors = append(failedSubstitutionsErrors, err)
 				continue
 			}
-			_, err := validate.ValidateResourceWithPattern(resource.Object, pattern)
+			_, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern)
 			if err == nil {
 				resp.Success = true
 				resp.Message = fmt.Sprintf("Validation rule '%s' anyPattern[%d] succeeded.", rule.Name, idx)
 				return resp
 			}
-			glog.V(4).Infof("Validation error: %s; Validation rule %s anyPattern[%d] for %s/%s/%s",
-				rule.Validation.Message, rule.Name, idx, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+			logger.V(4).Info(fmt.Sprintf("validation rule failed for anyPattern[%d]", idx), "message", rule.Validation.Message)
 			patternErr := fmt.Errorf("anyPattern[%d] failed; %s", idx, err)
 			failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr)
 		}
diff --git a/pkg/engine/variables/evaluate.go b/pkg/engine/variables/evaluate.go
index 519a909d01..d0ebf7ed74 100644
--- a/pkg/engine/variables/evaluate.go
+++ b/pkg/engine/variables/evaluate.go
@@ -1,16 +1,16 @@
 package variables
 
 import (
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/variables/operator"
 )
 
 //Evaluate evaluates the condition
-func Evaluate(ctx context.EvalInterface, condition kyverno.Condition) bool {
+func Evaluate(log logr.Logger, ctx context.EvalInterface, condition kyverno.Condition) bool {
 	// get handler for the operator
-	handle := operator.CreateOperatorHandler(ctx, condition.Operator, SubstituteVars)
+	handle := operator.CreateOperatorHandler(log, ctx, condition.Operator, SubstituteVars)
 	if handle == nil {
 		return false
 	}
@@ -18,11 +18,10 @@ func Evaluate(ctx context.EvalInterface, condition kyverno.Condition) bool {
 }
 
 //EvaluateConditions evaluates multiple conditions
-func EvaluateConditions(ctx context.EvalInterface, conditions []kyverno.Condition) bool {
+func EvaluateConditions(log logr.Logger, ctx context.EvalInterface, conditions []kyverno.Condition) bool {
 	// AND the conditions
 	for _, condition := range conditions {
-		if !Evaluate(ctx, condition) {
-			glog.V(4).Infof("condition %v failed", condition)
+		if !Evaluate(log, ctx, condition) {
 			return false
 		}
 	}
diff --git a/pkg/engine/variables/evaluate_test.go b/pkg/engine/variables/evaluate_test.go
index 33b3a4f2b7..78bc599672 100644
--- a/pkg/engine/variables/evaluate_test.go
+++ b/pkg/engine/variables/evaluate_test.go
@@ -6,6 +6,7 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
+	"github.com/nirmata/kyverno/pkg/log"
 )
 
 // STRINGS
@@ -18,7 +19,7 @@ func Test_Eval_Equal_Const_String_Pass(t *testing.T) {
 		Value:    "name",
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -32,7 +33,7 @@ func Test_Eval_Equal_Const_String_Fail(t *testing.T) {
 		Value:    "name1",
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -46,7 +47,7 @@ func Test_Eval_NoEqual_Const_String_Pass(t *testing.T) {
 		Value:    "name1",
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -60,7 +61,7 @@ func Test_Eval_NoEqual_Const_String_Fail(t *testing.T) {
 		Value:    "name",
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -76,7 +77,7 @@ func Test_Eval_Equal_Const_Bool_Pass(t *testing.T) {
 		Value:    true,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -90,7 +91,7 @@ func Test_Eval_Equal_Const_Bool_Fail(t *testing.T) {
 		Value:    false,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -104,7 +105,7 @@ func Test_Eval_NoEqual_Const_Bool_Pass(t *testing.T) {
 		Value:    false,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -118,7 +119,7 @@ func Test_Eval_NoEqual_Const_Bool_Fail(t *testing.T) {
 		Value:    true,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -133,7 +134,7 @@ func Test_Eval_Equal_Const_int_Pass(t *testing.T) {
 		Value:    1,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -147,7 +148,7 @@ func Test_Eval_Equal_Const_int_Fail(t *testing.T) {
 		Value:    2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -161,7 +162,7 @@ func Test_Eval_NoEqual_Const_int_Pass(t *testing.T) {
 		Value:    2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -175,7 +176,7 @@ func Test_Eval_NoEqual_Const_int_Fail(t *testing.T) {
 		Value:    1,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -190,7 +191,7 @@ func Test_Eval_Equal_Const_int64_Pass(t *testing.T) {
 		Value:    int64(1),
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -204,7 +205,7 @@ func Test_Eval_Equal_Const_int64_Fail(t *testing.T) {
 		Value:    int64(2),
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -218,7 +219,7 @@ func Test_Eval_NoEqual_Const_int64_Pass(t *testing.T) {
 		Value:    int64(2),
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -232,7 +233,7 @@ func Test_Eval_NoEqual_Const_int64_Fail(t *testing.T) {
 		Value:    int64(1),
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -248,7 +249,7 @@ func Test_Eval_Equal_Const_float64_Pass(t *testing.T) {
 		Value:    1.5,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -262,7 +263,7 @@ func Test_Eval_Equal_Const_float64_Fail(t *testing.T) {
 		Value:    1.6,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -276,7 +277,7 @@ func Test_Eval_NoEqual_Const_float64_Pass(t *testing.T) {
 		Value:    1.6,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -290,7 +291,7 @@ func Test_Eval_NoEqual_Const_float64_Fail(t *testing.T) {
 		Value:    1.5,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -320,7 +321,7 @@ func Test_Eval_Equal_Const_object_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -348,7 +349,7 @@ func Test_Eval_Equal_Const_object_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -376,7 +377,7 @@ func Test_Eval_NotEqual_Const_object_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -404,7 +405,7 @@ func Test_Eval_NotEqual_Const_object_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -434,7 +435,7 @@ func Test_Eval_Equal_Const_list_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -460,7 +461,7 @@ func Test_Eval_Equal_Const_list_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -486,7 +487,7 @@ func Test_Eval_NotEqual_Const_list_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -512,7 +513,7 @@ func Test_Eval_NotEqual_Const_list_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -545,7 +546,7 @@ func Test_Eval_Equal_Var_Pass(t *testing.T) {
 		Value:    "temp",
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -576,7 +577,7 @@ func Test_Eval_Equal_Var_Fail(t *testing.T) {
 		Value:    "temp1",
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
diff --git a/pkg/engine/variables/operator/equal.go b/pkg/engine/variables/operator/equal.go
index 81ea80c621..1bc181f0f8 100644
--- a/pkg/engine/variables/operator/equal.go
+++ b/pkg/engine/variables/operator/equal.go
@@ -1,19 +1,21 @@
 package operator
 
 import (
+	"fmt"
 	"math"
 	"reflect"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
 
 //NewEqualHandler returns handler to manage Equal operations
-func NewEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
+func NewEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
 	return EqualHandler{
 		ctx:        ctx,
 		subHandler: subHandler,
+		log:        log,
 	}
 }
 
@@ -21,6 +23,7 @@ func NewEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionH
 type EqualHandler struct {
 	ctx        context.EvalInterface
 	subHandler VariableSubstitutionHandler
+	log        logr.Logger
 }
 
 //Evaluate evaluates expression with Equal Operator
@@ -28,14 +31,14 @@ func (eh EqualHandler) Evaluate(key, value interface{}) bool {
 	var err error
 	//TODO: decouple variables from evaluation
 	// substitute the variables
-	if key, err = eh.subHandler(eh.ctx, key); err != nil {
+	if key, err = eh.subHandler(eh.log, eh.ctx, key); err != nil {
 		// Failed to resolve the variable
-		glog.Infof("Failed to resolve variables in key: %s: %v", key, err)
+		eh.log.Error(err, "Failed to resolve variable", "variable", key)
 		return false
 	}
-	if value, err = eh.subHandler(eh.ctx, value); err != nil {
+	if value, err = eh.subHandler(eh.log, eh.ctx, value); err != nil {
 		// Failed to resolve the variable
-		glog.Infof("Failed to resolve variables in value: %s: %v", value, err)
+		eh.log.Error(err, "Failed to resolve variable", "variable", value)
 		return false
 	}
 
@@ -56,7 +59,7 @@ func (eh EqualHandler) Evaluate(key, value interface{}) bool {
 	case []interface{}:
 		return eh.validateValueWithSlicePattern(typedKey, value)
 	default:
-		glog.Errorf("Unsupported type %v", typedKey)
+		eh.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey))
 		return false
 	}
 }
@@ -65,7 +68,7 @@ func (eh EqualHandler) validateValueWithSlicePattern(key []interface{}, value in
 	if val, ok := value.([]interface{}); ok {
 		return reflect.DeepEqual(key, val)
 	}
-	glog.Warningf("Expected []interface{}, %v is of type %T", value, value)
+	eh.log.Info("Expected type []interface{}", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -73,7 +76,7 @@ func (eh EqualHandler) validateValueWithMapPattern(key map[string]interface{}, v
 	if val, ok := value.(map[string]interface{}); ok {
 		return reflect.DeepEqual(key, val)
 	}
-	glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value)
+	eh.log.Info("Expected type map[string]interface{}", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -81,7 +84,8 @@ func (eh EqualHandler) validateValuewithStringPattern(key string, value interfac
 	if val, ok := value.(string); ok {
 		return key == val
 	}
-	glog.Warningf("Expected string, %v is of type %T", value, value)
+
+	eh.log.Info("Expected type string", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -92,25 +96,25 @@ func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interfac
 		if key == math.Trunc(key) {
 			return int(key) == typedValue
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		eh.log.Info("Expected type float, found int", "typedValue", typedValue)
 	case int64:
 		// check that float has not fraction
 		if key == math.Trunc(key) {
 			return int64(key) == typedValue
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		eh.log.Info("Expected type float, found int", "typedValue", typedValue)
 	case float64:
 		return typedValue == key
 	case string:
 		// extract float from string
 		float64Num, err := strconv.ParseFloat(typedValue, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse float64 from string: %v", err)
+			eh.log.Error(err, "Failed to parse float64 from string")
 			return false
 		}
 		return float64Num == key
 	default:
-		glog.Warningf("Expected float, found: %T\n", value)
+		eh.log.Info("Expected type float", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 	return false
@@ -119,7 +123,7 @@ func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interfac
 func (eh EqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool {
 	typedValue, ok := value.(bool)
 	if !ok {
-		glog.Error("Expected bool, found %V", value)
+		eh.log.Info("Expected type bool", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 	return key == typedValue
@@ -136,18 +140,18 @@ func (eh EqualHandler) validateValuewithIntPattern(key int64, value interface{})
 		if typedValue == math.Trunc(typedValue) {
 			return int64(typedValue) == key
 		}
-		glog.Warningf("Expected int, found float: %f", typedValue)
+		eh.log.Info("Expected type int, found float", "value", typedValue, "type", fmt.Sprintf("%T", typedValue))
 		return false
 	case string:
 		// extract in64 from string
 		int64Num, err := strconv.ParseInt(typedValue, 10, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse int64 from string: %v", err)
+			eh.log.Error(err, "Failed to parse int64 from string")
 			return false
 		}
 		return int64Num == key
 	default:
-		glog.Warningf("Expected int, %v is of type %T", value, value)
+		eh.log.Info("Expected type int", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 }
diff --git a/pkg/engine/variables/operator/notequal.go b/pkg/engine/variables/operator/notequal.go
index 9af9e891f3..ce9b4e87f8 100644
--- a/pkg/engine/variables/operator/notequal.go
+++ b/pkg/engine/variables/operator/notequal.go
@@ -1,19 +1,21 @@
 package operator
 
 import (
+	"fmt"
 	"math"
 	"reflect"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
 
 //NewNotEqualHandler returns handler to manage NotEqual operations
-func NewNotEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
+func NewNotEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
 	return NotEqualHandler{
 		ctx:        ctx,
 		subHandler: subHandler,
+		log:        log,
 	}
 }
 
@@ -21,6 +23,7 @@ func NewNotEqualHandler(ctx context.EvalInterface, subHandler VariableSubstituti
 type NotEqualHandler struct {
 	ctx        context.EvalInterface
 	subHandler VariableSubstitutionHandler
+	log        logr.Logger
 }
 
 //Evaluate evaluates expression with NotEqual Operator
@@ -28,14 +31,14 @@ func (neh NotEqualHandler) Evaluate(key, value interface{}) bool {
 	var err error
 	//TODO: decouple variables from evaluation
 	// substitute the variables
-	if key, err = neh.subHandler(neh.ctx, key); err != nil {
+	if key, err = neh.subHandler(neh.log, neh.ctx, key); err != nil {
 		// Failed to resolve the variable
-		glog.Infof("Failed to resolve variables in key: %s: %v", key, err)
+		neh.log.Error(err, "Failed to resolve variable", "variable", key)
 		return false
 	}
-	if value, err = neh.subHandler(neh.ctx, value); err != nil {
+	if value, err = neh.subHandler(neh.log, neh.ctx, value); err != nil {
 		// Failed to resolve the variable
-		glog.Infof("Failed to resolve variables in value: %s: %v", value, err)
+		neh.log.Error(err, "Failed to resolve variable", "variable", value)
 		return false
 	}
 	// key and value need to be of same type
@@ -55,7 +58,7 @@ func (neh NotEqualHandler) Evaluate(key, value interface{}) bool {
 	case []interface{}:
 		return neh.validateValueWithSlicePattern(typedKey, value)
 	default:
-		glog.Error("Unsupported type %V", typedKey)
+		neh.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey))
 		return false
 	}
 }
@@ -64,7 +67,7 @@ func (neh NotEqualHandler) validateValueWithSlicePattern(key []interface{}, valu
 	if val, ok := value.([]interface{}); ok {
 		return !reflect.DeepEqual(key, val)
 	}
-	glog.Warningf("Expected []interface{}, %v is of type %T", value, value)
+	neh.log.Info("Expected type []interface{}", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -72,7 +75,7 @@ func (neh NotEqualHandler) validateValueWithMapPattern(key map[string]interface{
 	if val, ok := value.(map[string]interface{}); ok {
 		return !reflect.DeepEqual(key, val)
 	}
-	glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value)
+	neh.log.Info("Expected type map[string]interface{}", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -80,7 +83,7 @@ func (neh NotEqualHandler) validateValuewithStringPattern(key string, value inte
 	if val, ok := value.(string); ok {
 		return key != val
 	}
-	glog.Warningf("Expected string, %v is of type %T", value, value)
+	neh.log.Info("Expected type string", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -91,25 +94,25 @@ func (neh NotEqualHandler) validateValuewithFloatPattern(key float64, value inte
 		if key == math.Trunc(key) {
 			return int(key) != typedValue
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		neh.log.Info("Expected type float, found int", "typedValue", typedValue)
 	case int64:
 		// check that float has not fraction
 		if key == math.Trunc(key) {
 			return int64(key) != typedValue
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		neh.log.Info("Expected type float, found int", "typedValue", typedValue)
 	case float64:
 		return typedValue != key
 	case string:
 		// extract float from string
 		float64Num, err := strconv.ParseFloat(typedValue, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse float64 from string: %v", err)
+			neh.log.Error(err, "Failed to parse float64 from string")
 			return false
 		}
 		return float64Num != key
 	default:
-		glog.Warningf("Expected float, found: %T\n", value)
+		neh.log.Info("Expected type float", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 	return false
@@ -118,7 +121,7 @@ func (neh NotEqualHandler) validateValuewithFloatPattern(key float64, value inte
 func (neh NotEqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool {
 	typedValue, ok := value.(bool)
 	if !ok {
-		glog.Error("Expected bool, found %V", value)
+		neh.log.Info("Expected type bool", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 	return key != typedValue
@@ -135,18 +138,18 @@ func (neh NotEqualHandler) validateValuewithIntPattern(key int64, value interfac
 		if typedValue == math.Trunc(typedValue) {
 			return int64(typedValue) != key
 		}
-		glog.Warningf("Expected int, found float: %f\n", typedValue)
+		neh.log.Info("Expected type int, found float", "value", typedValue, "type", fmt.Sprintf("%T", typedValue))
 		return false
 	case string:
 		// extract in64 from string
 		int64Num, err := strconv.ParseInt(typedValue, 10, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse int64 from string: %v", err)
+			neh.log.Error(err, "Failed to parse int64 from string")
 			return false
 		}
 		return int64Num != key
 	default:
-		glog.Warningf("Expected int, %v is of type %T", value, value)
+		neh.log.Info("Expected type int", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 }
diff --git a/pkg/engine/variables/operator/operator.go b/pkg/engine/variables/operator/operator.go
index 2b3f9ce7a1..adafe69982 100644
--- a/pkg/engine/variables/operator/operator.go
+++ b/pkg/engine/variables/operator/operator.go
@@ -1,7 +1,7 @@
 package operator
 
 import (
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
@@ -17,17 +17,17 @@ type OperatorHandler interface {
 }
 
 //VariableSubstitutionHandler defines the handler function for variable substitution
-type VariableSubstitutionHandler = func(ctx context.EvalInterface, pattern interface{}) (interface{}, error)
+type VariableSubstitutionHandler = func(log logr.Logger, ctx context.EvalInterface, pattern interface{}) (interface{}, error)
 
 //CreateOperatorHandler returns the operator handler based on the operator used in condition
-func CreateOperatorHandler(ctx context.EvalInterface, op kyverno.ConditionOperator, subHandler VariableSubstitutionHandler) OperatorHandler {
+func CreateOperatorHandler(log logr.Logger, ctx context.EvalInterface, op kyverno.ConditionOperator, subHandler VariableSubstitutionHandler) OperatorHandler {
 	switch op {
 	case kyverno.Equal:
-		return NewEqualHandler(ctx, subHandler)
+		return NewEqualHandler(log, ctx, subHandler)
 	case kyverno.NotEqual:
-		return NewNotEqualHandler(ctx, subHandler)
+		return NewNotEqualHandler(log, ctx, subHandler)
 	default:
-		glog.Errorf("unsupported operator: %s", string(op))
+		log.Info("operator not supported", "operator", string(op))
 	}
 	return nil
 }
diff --git a/pkg/engine/variables/variables_test.go b/pkg/engine/variables/variables_test.go
index 6d2eb7c60c..45b0ac58f8 100644
--- a/pkg/engine/variables/variables_test.go
+++ b/pkg/engine/variables/variables_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/log"
 	authenticationv1 "k8s.io/api/authentication/v1"
 
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -84,7 +85,7 @@ func Test_variablesub1(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -174,7 +175,7 @@ func Test_variablesub_multiple(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -261,7 +262,7 @@ func Test_variablesubstitution(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -322,7 +323,7 @@ func Test_variableSubstitutionValue(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -380,7 +381,7 @@ func Test_variableSubstitutionValueOperatorNotEqual(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -439,7 +440,7 @@ func Test_variableSubstitutionValueFail(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err == nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err == nil {
 		t.Log("expected to fails")
 		t.Fail()
 	}
@@ -497,7 +498,7 @@ func Test_variableSubstitutionObject(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -561,7 +562,7 @@ func Test_variableSubstitutionObjectOperatorNotEqualFail(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err == nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err == nil {
 		t.Error(err)
 	}
 
@@ -620,7 +621,7 @@ func Test_variableSubstitutionMultipleObject(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go
index 4c336f2ede..59fd8f7fd5 100644
--- a/pkg/engine/variables/vars.go
+++ b/pkg/engine/variables/vars.go
@@ -6,7 +6,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
 
@@ -17,9 +17,9 @@ const (
 
 //SubstituteVars replaces the variables with the values defined in the context
 // - if any variable is invaid or has nil value, it is considered as a failed varable substitution
-func SubstituteVars(ctx context.EvalInterface, pattern interface{}) (interface{}, error) {
+func SubstituteVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}) (interface{}, error) {
 	errs := []error{}
-	pattern = subVars(ctx, pattern, "", &errs)
+	pattern = subVars(log, ctx, pattern, "", &errs)
 	if len(errs) == 0 {
 		// no error while parsing the pattern
 		return pattern, nil
@@ -27,40 +27,40 @@ func SubstituteVars(ctx context.EvalInterface, pattern interface{}) (interface{}
 	return pattern, fmt.Errorf("%v", errs)
 }
 
-func subVars(ctx context.EvalInterface, pattern interface{}, path string, errs *[]error) interface{} {
+func subVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}, path string, errs *[]error) interface{} {
 	switch typedPattern := pattern.(type) {
 	case map[string]interface{}:
-		return subMap(ctx, typedPattern, path, errs)
+		return subMap(log, ctx, typedPattern, path, errs)
 	case []interface{}:
-		return subArray(ctx, typedPattern, path, errs)
+		return subArray(log, ctx, typedPattern, path, errs)
 	case string:
-		return subValR(ctx, typedPattern, path, errs)
+		return subValR(log, ctx, typedPattern, path, errs)
 	default:
 		return pattern
 	}
 }
 
-func subMap(ctx context.EvalInterface, patternMap map[string]interface{}, path string, errs *[]error) map[string]interface{} {
+func subMap(log logr.Logger, ctx context.EvalInterface, patternMap map[string]interface{}, path string, errs *[]error) map[string]interface{} {
 	for key, patternElement := range patternMap {
 		curPath := path + "/" + key
-		value := subVars(ctx, patternElement, curPath, errs)
+		value := subVars(log, ctx, patternElement, curPath, errs)
 		patternMap[key] = value
 
 	}
 	return patternMap
 }
 
-func subArray(ctx context.EvalInterface, patternList []interface{}, path string, errs *[]error) []interface{} {
+func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interface{}, path string, errs *[]error) []interface{} {
 	for idx, patternElement := range patternList {
 		curPath := path + "/" + strconv.Itoa(idx)
-		value := subVars(ctx, patternElement, curPath, errs)
+		value := subVars(log, ctx, patternElement, curPath, errs)
 		patternList[idx] = value
 	}
 	return patternList
 }
 
 // subValR resolves the variables if defined
-func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
+func subValR(log logr.Logger, ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
 
 	// variable values can be scalar values(string,int, float) or they can be obects(map,slice)
 	// - {{variable}}
@@ -73,7 +73,7 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 	// since this might be a potential place for error, required better error reporting and handling
 
 	// object values are only suported for single variable substitution
-	if ok, retVal := processIfSingleVariable(ctx, valuePattern, path, errs); ok {
+	if ok, retVal := processIfSingleVariable(log, ctx, valuePattern, path, errs); ok {
 		return retVal
 	}
 	// var emptyInterface interface{}
@@ -82,7 +82,7 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 	for {
 		valueStr := valuePattern
 		if len(failedVars) != 0 {
-			glog.Info("some failed variables short-circuiting")
+			log.Info("failed to resolve variablesl short-circuiting")
 			break
 		}
 		// get variables at this level
@@ -123,7 +123,7 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 				continue
 			}
 			// if type is not scalar then consider this as a failed variable
-			glog.Infof("variable %s resolves to non-scalar value %v. Non-Scalar values are not supported for nested variables", k, v)
+			log.Info("variable resolves to non-scalar value. Non-Scalar values are not supported for nested variables", "variable", k, "value", v)
 			failedVars = append(failedVars, k)
 		}
 		valuePattern = newVal
@@ -143,10 +143,10 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 // if the value can be evaluted return the value
 // -> return value can be scalar or object type
 // -> if the variable is not present in the context then add an error and dont process further
-func processIfSingleVariable(ctx context.EvalInterface, valuePattern interface{}, path string, errs *[]error) (bool, interface{}) {
+func processIfSingleVariable(log logr.Logger, ctx context.EvalInterface, valuePattern interface{}, path string, errs *[]error) (bool, interface{}) {
 	valueStr, ok := valuePattern.(string)
 	if !ok {
-		glog.Infof("failed to convert %v to string", valuePattern)
+		log.Info("failed to convert to string", "pattern", valuePattern)
 		return false, nil
 	}
 	// get variables at this level
diff --git a/pkg/engine/variables/vars_test.go b/pkg/engine/variables/vars_test.go
index 171c62ace4..33745ea81f 100644
--- a/pkg/engine/variables/vars_test.go
+++ b/pkg/engine/variables/vars_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/nirmata/kyverno/pkg/engine/context"
+	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
 )
 
@@ -64,7 +65,7 @@ func Test_subVars_success(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, pattern); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, pattern); err != nil {
 		t.Error(err)
 	}
 }
@@ -125,7 +126,7 @@ func Test_subVars_failed(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, pattern); err == nil {
+	if _, err := SubstituteVars(log.Log, ctx, pattern); err == nil {
 		t.Error("error is expected")
 	}
 }
@@ -152,5 +153,5 @@ func Test_SubvarRecursive(t *testing.T) {
 	ctx := context.NewContext()
 	assert.Assert(t, ctx.AddResource(resourceRaw))
 	errs := []error{}
-	subValR(ctx, string(patternRaw), "/", &errs)
+	subValR(log.Log, ctx, string(patternRaw), "/", &errs)
 }
diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index aa98d09e42..0125397c8d 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -3,7 +3,7 @@ package event
 import (
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -34,6 +34,7 @@ type Generator struct {
 	admissionCtrRecorder record.EventRecorder
 	// events generated at namespaced policy controller to process 'generate' rule
 	genPolicyRecorder record.EventRecorder
+	log               logr.Logger
 }
 
 //Interface to generate event
@@ -42,32 +43,33 @@ type Interface interface {
 }
 
 //NewEventGenerator to generate a new event controller
-func NewEventGenerator(client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer) *Generator {
+func NewEventGenerator(client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer, log logr.Logger) *Generator {
 
 	gen := Generator{
 		client:               client,
 		pLister:              pInformer.Lister(),
 		queue:                workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), eventWorkQueueName),
 		pSynced:              pInformer.Informer().HasSynced,
-		policyCtrRecorder:    initRecorder(client, PolicyController),
-		admissionCtrRecorder: initRecorder(client, AdmissionController),
-		genPolicyRecorder:    initRecorder(client, GeneratePolicyController),
+		policyCtrRecorder:    initRecorder(client, PolicyController, log),
+		admissionCtrRecorder: initRecorder(client, AdmissionController, log),
+		genPolicyRecorder:    initRecorder(client, GeneratePolicyController, log),
+		log:                  log,
 	}
 	return &gen
 }
 
-func initRecorder(client *client.Client, eventSource Source) record.EventRecorder {
+func initRecorder(client *client.Client, eventSource Source, log logr.Logger) record.EventRecorder {
 	// Initliaze Event Broadcaster
 	err := scheme.AddToScheme(scheme.Scheme)
 	if err != nil {
-		glog.Error(err)
+		log.Error(err, "failed to add to scheme")
 		return nil
 	}
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(glog.V(4).Infof)
+	eventBroadcaster.StartLogging(log.Info)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
-		glog.Error(err) // TODO: add more specific error
+		log.Error(err, "failed to get event interface for logging")
 		return nil
 	}
 	eventBroadcaster.StartRecordingToSink(
@@ -81,11 +83,12 @@ func initRecorder(client *client.Client, eventSource Source) record.EventRecorde
 
 //Add queues an event for generation
 func (gen *Generator) Add(infos ...Info) {
+	logger := gen.log
 	for _, info := range infos {
 		if info.Name == "" {
 			// dont create event for resources with generateName
 			// as the name is not generated yet
-			glog.V(4).Infof("received info %v, not creating an event as the resource has not been assigned a name yet", info)
+			logger.V(4).Info("not creating an event as the resource has not been assigned a name yet", "kind", info.Kind, "name", info.Name, "namespace", info.Namespace)
 			continue
 		}
 		gen.queue.Add(info)
@@ -94,12 +97,14 @@ func (gen *Generator) Add(infos ...Info) {
 
 // Run begins generator
 func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
+	logger := gen.log
 	defer utilruntime.HandleCrash()
-	glog.Info("Starting event generator")
-	defer glog.Info("Shutting down event generator")
+
+	logger.Info("start")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, gen.pSynced) {
-		glog.Error("event generator: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 	}
 
 	for i := 0; i < workers; i++ {
@@ -114,24 +119,25 @@ func (gen *Generator) runWorker() {
 }
 
 func (gen *Generator) handleErr(err error, key interface{}) {
+	logger := gen.log
 	if err == nil {
 		gen.queue.Forget(key)
 		return
 	}
 	// This controller retries if something goes wrong. After that, it stops trying.
 	if gen.queue.NumRequeues(key) < workQueueRetryLimit {
-		glog.Warningf("Error syncing events %v(re-queuing request, the resource might not have been created yet): %v", key, err)
+		logger.Error(err, "Error syncing events;re-queuing request,the resource might not have been created yet", "key", key)
 		// Re-enqueue the key rate limited. Based on the rate limiter on the
 		// queue and the re-enqueue history, the key will be processed later again.
 		gen.queue.AddRateLimited(key)
 		return
 	}
 	gen.queue.Forget(key)
-	glog.Error(err)
-	glog.Warningf("Dropping the key out of the queue: %v", err)
+	logger.Error(err, "dropping the key out of queue", "key", key)
 }
 
 func (gen *Generator) processNextWorkItem() bool {
+	logger := gen.log
 	obj, shutdown := gen.queue.Get()
 	if shutdown {
 		return false
@@ -144,7 +150,7 @@ func (gen *Generator) processNextWorkItem() bool {
 
 		if key, ok = obj.(Info); !ok {
 			gen.queue.Forget(obj)
-			glog.Warningf("Expecting type info by got %v\n", obj)
+			logger.Info("Incorrect type; expected type 'info'", "obj", obj)
 			return nil
 		}
 		err := gen.syncHandler(key)
@@ -152,13 +158,14 @@ func (gen *Generator) processNextWorkItem() bool {
 		return nil
 	}(obj)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to process next work item")
 		return true
 	}
 	return true
 }
 
 func (gen *Generator) syncHandler(key Info) error {
+	logger := gen.log
 	var robj runtime.Object
 	var err error
 	switch key.Kind {
@@ -166,13 +173,13 @@ func (gen *Generator) syncHandler(key Info) error {
 		//TODO: policy is clustered resource so wont need namespace
 		robj, err = gen.pLister.Get(key.Name)
 		if err != nil {
-			glog.V(4).Infof("Error creating event: unable to get policy %s, will retry ", key.Name)
+			logger.Error(err, "failed to get policy", "name", key.Name)
 			return err
 		}
 	default:
 		robj, err = gen.client.GetResource(key.Kind, key.Namespace, key.Name)
 		if err != nil {
-			glog.V(4).Infof("Error creating event: unable to get resource %s/%s/%s, will retry ", key.Kind, key.Namespace, key.Name)
+			logger.Error(err, "failed to get resource", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace)
 			return err
 		}
 	}
@@ -192,13 +199,14 @@ func (gen *Generator) syncHandler(key Info) error {
 	case GeneratePolicyController:
 		gen.genPolicyRecorder.Event(robj, eventType, key.Reason, key.Message)
 	default:
-		glog.Info("info.source not defined for the event generator request")
+		logger.Info("info.source not defined for the request")
 	}
 	return nil
 }
 
 //NewEvent builds a event creation request
 func NewEvent(
+	log logr.Logger,
 	rkind,
 	rapiVersion,
 	rnamespace,
@@ -209,7 +217,7 @@ func NewEvent(
 	args ...interface{}) Info {
 	msgText, err := getEventMsg(message, args...)
 	if err != nil {
-		glog.Error(err)
+		log.Error(err, "failed to get event message")
 	}
 	return Info{
 		Kind:      rkind,
diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go
index 396058a346..b7cc7a2d46 100644
--- a/pkg/generate/cleanup/controller.go
+++ b/pkg/generate/cleanup/controller.go
@@ -1,11 +1,11 @@
 package cleanup
 
 import (
-	"fmt"
 	"time"
 
 	"github.com/golang/glog"
 
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -53,6 +53,7 @@ type Controller struct {
 	//TODO: list of generic informers
 	// only support Namespaces for deletion of resource
 	nsInformer informers.GenericInformer
+	log        logr.Logger
 }
 
 //NewController returns a new controller instance to manage generate-requests
@@ -62,6 +63,7 @@ func NewController(
 	pInformer kyvernoinformer.ClusterPolicyInformer,
 	grInformer kyvernoinformer.GenerateRequestInformer,
 	dynamicInformer dynamicinformer.DynamicSharedInformerFactory,
+	log logr.Logger,
 ) *Controller {
 	c := Controller{
 		kyvernoClient: kyvernoclient,
@@ -70,6 +72,7 @@ func NewController(
 		// as we dont want a deleted GR to be re-queue
 		queue:           workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request-cleanup"),
 		dynamicInformer: dynamicInformer,
+		log:             log,
 	}
 	c.control = Control{client: kyvernoclient}
 	c.enqueueGR = c.enqueue
@@ -102,10 +105,11 @@ func NewController(
 }
 
 func (c *Controller) deleteGenericResource(obj interface{}) {
+	logger := c.log
 	r := obj.(*unstructured.Unstructured)
 	grs, err := c.grLister.GetGenerateRequestsForResource(r.GetKind(), r.GetNamespace(), r.GetName())
 	if err != nil {
-		glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", r.GetKind(), r.GetNamespace(), r.GetName(), err)
+		logger.Error(err, "failed to get generate request CR for resource", "kind", r.GetKind(), "namespace", r.GetNamespace(), "name", r.GetName())
 		return
 	}
 	// re-evaluate the GR as the resource was deleted
@@ -115,26 +119,27 @@ func (c *Controller) deleteGenericResource(obj interface{}) {
 }
 
 func (c *Controller) deletePolicy(obj interface{}) {
+	logger := c.log
 	p, ok := obj.(*kyverno.ClusterPolicy)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("ouldn't get object from tombstone", "obj", obj)
 			return
 		}
 		_, ok = tombstone.Obj.(*kyverno.ClusterPolicy)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj))
+			logger.Info("Tombstone contained object that is not a Generate Request", "obj", obj)
 			return
 		}
 	}
-	glog.V(4).Infof("Deleting Policy %s", p.Name)
+	logger.V(4).Info("deleting policy", "name", p.Name)
 	// clean up the GR
 	// Get the corresponding GR
 	// get the list of GR for the current Policy version
 	grs, err := c.grLister.GetGenerateRequestsForClusterPolicy(p.Name)
 	if err != nil {
-		glog.Errorf("failed to Generate Requests for policy %s: %v", p.Name, err)
+		logger.Error(err, "failed to generate request CR for the policy", "name", p.Name)
 		return
 	}
 	for _, gr := range grs {
@@ -153,44 +158,46 @@ func (c *Controller) updateGR(old, cur interface{}) {
 }
 
 func (c *Controller) deleteGR(obj interface{}) {
+	logger := c.log
 	gr, ok := obj.(*kyverno.GenerateRequest)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		_, ok = tombstone.Obj.(*kyverno.GenerateRequest)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj))
+			logger.Info("ombstone contained object that is not a Generate Request", "obj", obj)
 			return
 		}
 	}
-	glog.V(4).Infof("Deleting GR %s", gr.Name)
+	logger.V(4).Info("deleting Generate Request CR", "name", gr.Name)
 	// sync Handler will remove it from the queue
 	c.enqueueGR(gr)
 }
 
 func (c *Controller) enqueue(gr *kyverno.GenerateRequest) {
+	logger := c.log
 	key, err := cache.MetaNamespaceKeyFunc(gr)
 	if err != nil {
 		glog.Error(err)
 		return
 	}
-	glog.V(4).Infof("cleanup enqueu: %v", gr.Name)
+	logger.V(4).Info("eneque generate request", "name", gr.Name)
 	c.queue.Add(key)
 }
 
 //Run starts the generate-request re-conciliation loop
 func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
+	logger := c.log
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
-
-	glog.Info("Starting generate-policy-cleanup controller")
-	defer glog.Info("Shutting down generate-policy-cleanup controller")
+	logger.Info("starting")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, c.pSynced, c.grSynced) {
-		glog.Error("generate-policy-cleanup controller: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 		return
 	}
 	for i := 0; i < workers; i++ {
@@ -219,31 +226,33 @@ func (c *Controller) processNextWorkItem() bool {
 }
 
 func (c *Controller) handleErr(err error, key interface{}) {
+	logger := c.log
 	if err == nil {
 		c.queue.Forget(key)
 		return
 	}
 
 	if c.queue.NumRequeues(key) < maxRetries {
-		glog.Errorf("Error syncing Generate Request %v: %v", key, err)
+		logger.Error(err, "failed to sync generate request", "key", key)
 		c.queue.AddRateLimited(key)
 		return
 	}
 	utilruntime.HandleError(err)
-	glog.Infof("Dropping generate request %q out of the queue: %v", key, err)
+	logger.Error(err, "dropping generate request out of the queue", "key", key)
 	c.queue.Forget(key)
 }
 
 func (c *Controller) syncGenerateRequest(key string) error {
+	logger := c.log.WithValues("key", key)
 	var err error
 	startTime := time.Now()
-	glog.V(4).Infof("Started syncing GR %q (%v)", key, startTime)
+	logger.Info("started syncing generate request", "startTime", startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing GR %q (%v)", key, time.Since(startTime))
+		logger.V(4).Info("finished syncying generate request", "processingTIme", time.Since(startTime))
 	}()
 	_, grName, err := cache.SplitMetaNamespaceKey(key)
 	if errors.IsNotFound(err) {
-		glog.Infof("Generate Request %s has been deleted", key)
+		logger.Info("generate request has been deleted")
 		return nil
 	}
 	if err != nil {
diff --git a/pkg/generate/controller.go b/pkg/generate/controller.go
index 944b8b49cb..8560043996 100644
--- a/pkg/generate/controller.go
+++ b/pkg/generate/controller.go
@@ -1,10 +1,9 @@
 package generate
 
 import (
-	"fmt"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -57,6 +56,7 @@ type Controller struct {
 	//TODO: list of generic informers
 	// only support Namespaces for re-evalutation on resource updates
 	nsInformer informers.GenericInformer
+	log        logr.Logger
 }
 
 //NewController returns an instance of the Generate-Request Controller
@@ -68,6 +68,7 @@ func NewController(
 	eventGen event.Interface,
 	pvGenerator policyviolation.GeneratorInterface,
 	dynamicInformer dynamicinformer.DynamicSharedInformerFactory,
+	log logr.Logger,
 ) *Controller {
 	c := Controller{
 		client:        client,
@@ -78,6 +79,7 @@ func NewController(
 		// as we dont want a deleted GR to be re-queue
 		queue:           workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request"),
 		dynamicInformer: dynamicInformer,
+		log:             log,
 	}
 	c.statusControl = StatusControl{client: kyvernoclient}
 
@@ -112,11 +114,12 @@ func NewController(
 }
 
 func (c *Controller) updateGenericResource(old, cur interface{}) {
+	logger := c.log
 	curR := cur.(*unstructured.Unstructured)
 
 	grs, err := c.grLister.GetGenerateRequestsForResource(curR.GetKind(), curR.GetNamespace(), curR.GetName())
 	if err != nil {
-		glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", curR.GetKind(), curR.GetNamespace(), curR.GetName(), err)
+		logger.Error(err, "failed to get generate request CR for the resoource", "kind", curR.GetKind(), "name", curR.GetName(), "namespace", curR.GetNamespace())
 		return
 	}
 	// re-evaluate the GR as the resource was updated
@@ -129,13 +132,14 @@ func (c *Controller) updateGenericResource(old, cur interface{}) {
 func (c *Controller) enqueue(gr *kyverno.GenerateRequest) {
 	key, err := cache.MetaNamespaceKeyFunc(gr)
 	if err != nil {
-		glog.Error(err)
+		c.log.Error(err, "failed to extract name")
 		return
 	}
 	c.queue.Add(key)
 }
 
 func (c *Controller) updatePolicy(old, cur interface{}) {
+	logger := c.log
 	oldP := old.(*kyverno.ClusterPolicy)
 	curP := cur.(*kyverno.ClusterPolicy)
 	if oldP.ResourceVersion == curP.ResourceVersion {
@@ -143,11 +147,11 @@ func (c *Controller) updatePolicy(old, cur interface{}) {
 		// Two different versions of the same replica set will always have different RVs.
 		return
 	}
-	glog.V(4).Infof("Updating Policy %s", oldP.Name)
+	logger.V(4).Info("updating policy", "name", oldP.Name)
 	// get the list of GR for the current Policy version
 	grs, err := c.grLister.GetGenerateRequestsForClusterPolicy(curP.Name)
 	if err != nil {
-		glog.Errorf("failed to Generate Requests for policy %s: %v", curP.Name, err)
+		logger.Error(err, "failed to generate request for policy", "name", curP.Name)
 		return
 	}
 	// re-evaluate the GR as the policy was updated
@@ -178,34 +182,36 @@ func (c *Controller) updateGR(old, cur interface{}) {
 }
 
 func (c *Controller) deleteGR(obj interface{}) {
+	logger := c.log
 	gr, ok := obj.(*kyverno.GenerateRequest)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		_, ok = tombstone.Obj.(*kyverno.GenerateRequest)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj))
+			logger.Info("tombstone contained object that is not a Generate Request CR", "obj", obj)
 			return
 		}
 	}
-	glog.V(4).Infof("Deleting GR %s", gr.Name)
+	logger.Info("deleting generate request", "name", gr.Name)
 	// sync Handler will remove it from the queue
 	c.enqueueGR(gr)
 }
 
 //Run ...
 func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
+	logger := c.log
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
-	glog.Info("Starting generate-policy controller")
-	defer glog.Info("Shutting down generate-policy controller")
+	logger.Info("starting")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, c.pSynced, c.grSynced) {
-		glog.Error("generate-policy controller: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 		return
 	}
 	for i := 0; i < workers; i++ {
@@ -234,27 +240,29 @@ func (c *Controller) processNextWorkItem() bool {
 }
 
 func (c *Controller) handleErr(err error, key interface{}) {
+	logger := c.log
 	if err == nil {
 		c.queue.Forget(key)
 		return
 	}
 
 	if c.queue.NumRequeues(key) < maxRetries {
-		glog.Errorf("Error syncing Generate Request %v: %v", key, err)
+		logger.Error(err, "failed to sync generate request", "key", key)
 		c.queue.AddRateLimited(key)
 		return
 	}
 	utilruntime.HandleError(err)
-	glog.Infof("Dropping generate request %q out of the queue: %v", key, err)
+	logger.Error(err, "Dropping generate request from the queue", "key", key)
 	c.queue.Forget(key)
 }
 
 func (c *Controller) syncGenerateRequest(key string) error {
+	logger := c.log
 	var err error
 	startTime := time.Now()
-	glog.V(4).Infof("Started syncing GR %q (%v)", key, startTime)
+	logger.Info("started sync", "key", key, "startTime", startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing GR %q (%v)", key, time.Since(startTime))
+		logger.V(4).Info("finished sync", "key", key, "processingTime", time.Since(startTime))
 	}()
 	_, grName, err := cache.SplitMetaNamespaceKey(key)
 	if err != nil {
@@ -263,7 +271,7 @@ func (c *Controller) syncGenerateRequest(key string) error {
 
 	gr, err := c.grLister.Get(grName)
 	if err != nil {
-		glog.V(4).Info(err)
+		logger.Error(err, "failed to list generate requests")
 		return err
 	}
 	return c.processGR(gr)
diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go
index cd9ab1b2fd..6adbb5b75b 100644
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -16,6 +16,7 @@ import (
 )
 
 func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
+	logger := c.log.WithValues("name", gr.Name, "policy", gr.Spec.Policy, "kind", gr.Spec.Resource.Kind, "namespace", gr.Spec.Resource.Namespace, "name", gr.Spec.Resource.Name)
 	var err error
 	var resource *unstructured.Unstructured
 	var genResources []kyverno.ResourceSpec
@@ -23,45 +24,46 @@ func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
 	resource, err = getResource(c.client, gr.Spec.Resource)
 	if err != nil {
 		// Dont update status
-		glog.V(4).Infof("resource does not exist or is yet to be created, requeuing: %v", err)
+		logger.Error(err, "resource does not exist or is yet to be created, requeueing")
 		return err
 	}
 	// 2 - Apply the generate policy on the resource
 	genResources, err = c.applyGenerate(*resource, *gr)
 	// 3 - Report Events
-	reportEvents(err, c.eventGen, *gr, *resource)
+	reportEvents(logger, err, c.eventGen, *gr, *resource)
 	// 4 - Update Status
 	return updateStatus(c.statusControl, *gr, err, genResources)
 }
 
 func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) {
+	logger := c.log.WithValues("name", gr.Name, "policy", gr.Spec.Policy, "kind", gr.Spec.Resource.Kind, "namespace", gr.Spec.Resource.Namespace, "name", gr.Spec.Resource.Name)
 	// Get the list of rules to be applied
 	// get policy
 	policy, err := c.pLister.Get(gr.Spec.Policy)
 	if err != nil {
-		glog.V(4).Infof("policy %s not found: %v", gr.Spec.Policy, err)
+		logger.Error(err, "policy not found")
 		return nil, nil
 	}
 	// build context
 	ctx := context.NewContext()
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
-		glog.V(4).Infof("failed to marshal resource: %v", err)
+		logger.Error(err, "failed to marshal resource")
 		return nil, err
 	}
 	err = ctx.AddResource(resourceRaw)
 	if err != nil {
-		glog.Infof("Failed to load resource in context: %v", err)
+		logger.Error(err, "failed to load resource in context")
 		return nil, err
 	}
 	err = ctx.AddUserInfo(gr.Spec.Context.UserRequestInfo)
 	if err != nil {
-		glog.Infof("Failed to load userInfo in context: %v", err)
+		logger.Error(err, "failed to load SA in context")
 		return nil, err
 	}
 	err = ctx.AddSA(gr.Spec.Context.UserRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		glog.Infof("Failed to load serviceAccount in context: %v", err)
+		logger.Error(err, "failed to load UserInfo in context")
 		return nil, err
 	}
 
@@ -75,12 +77,12 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
 	// check if the policy still applies to the resource
 	engineResponse := engine.Generate(policyContext)
 	if len(engineResponse.PolicyResponse.Rules) == 0 {
-		glog.V(4).Infof("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource)
+		logger.V(4).Info("policy does not apply to resource")
 		return nil, fmt.Errorf("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource)
 	}
 
 	// Apply the generate rule on resource
-	return applyGeneratePolicy(c.client, policyContext)
+	return applyGeneratePolicy(logger, c.client, policyContext)
 }
 
 func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateRequest, err error, genResources []kyverno.ResourceSpec) error {
@@ -92,7 +94,7 @@ func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateReque
 	return statusControl.Success(gr, genResources)
 }
 
-func applyGeneratePolicy(client *dclient.Client, policyContext engine.PolicyContext) ([]kyverno.ResourceSpec, error) {
+func applyGeneratePolicy(log logr.Logger, client *dclient.Client, policyContext engine.PolicyContext) ([]kyverno.ResourceSpec, error) {
 	// List of generatedResources
 	var genResources []kyverno.ResourceSpec
 	// Get the response as the actions to be performed on the resource
@@ -111,7 +113,7 @@ func applyGeneratePolicy(client *dclient.Client, policyContext engine.PolicyCont
 		if !rule.HasGenerate() {
 			continue
 		}
-		genResource, err := applyRule(client, rule, resource, ctx, processExisting)
+		genResource, err := applyRule(log, client, rule, resource, ctx, processExisting)
 		if err != nil {
 			return nil, err
 		}
@@ -121,7 +123,7 @@ func applyGeneratePolicy(client *dclient.Client, policyContext engine.PolicyCont
 	return genResources, nil
 }
 
-func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool) (kyverno.ResourceSpec, error) {
+func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool) (kyverno.ResourceSpec, error) {
 	var rdata map[string]interface{}
 	var err error
 	var mode ResourceMode
@@ -136,7 +138,7 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.
 	// format : {{<variable_name}}
 	// - if there is variables that are not defined the context -> results in error and rule is not applied
 	// - valid variables are replaced with the values
-	if _, err := variables.SubstituteVars(ctx, genUnst.Object); err != nil {
+	if _, err := variables.SubstituteVars(log, ctx, genUnst.Object); err != nil {
 		return noGenResource, err
 	}
 	genKind, _, err := unstructured.NestedString(genUnst.Object, "kind")
@@ -168,9 +170,9 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.
 	}
 
 	if genData != nil {
-		rdata, mode, err = manageData(genKind, genNamespace, genName, genData, client, resource)
+		rdata, mode, err = manageData(log, genKind, genNamespace, genName, genData, client, resource)
 	} else {
-		rdata, mode, err = manageClone(genKind, genNamespace, genName, genCopy, client, resource)
+		rdata, mode, err = manageClone(log, genKind, genNamespace, genName, genCopy, client, resource)
 	}
 	if err != nil {
 		return noGenResource, err
@@ -197,38 +199,38 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.
 	// - app.kubernetes.io/managed-by: kyverno
 	// - kyverno.io/generated-by: kind/namespace/name (trigger resource)
 	manageLabels(newResource, resource)
-
+	logger := log.WithValues("genKind", genKind, "genNamespace", genNamespace, "genName", genName)
 	if mode == Create {
 		// Reset resource version
 		newResource.SetResourceVersion("")
 		// Create the resource
-		glog.V(4).Infof("Creating new resource %s/%s/%s", genKind, genNamespace, genName)
+		logger.V(4).Info("creating new resource")
 		_, err = client.CreateResource(genKind, genNamespace, newResource, false)
 		if err != nil {
 			// Failed to create resource
 			return noGenResource, err
 		}
-		glog.V(4).Infof("Created new resource %s/%s/%s", genKind, genNamespace, genName)
+		logger.V(4).Info("created new resource")
 
 	} else if mode == Update {
-		glog.V(4).Infof("Updating existing resource %s/%s/%s", genKind, genNamespace, genName)
+		logger.V(4).Info("updating existing resource")
 		// Update the resource
 		_, err := client.UpdateResource(genKind, genNamespace, newResource, false)
 		if err != nil {
 			// Failed to update resource
 			return noGenResource, err
 		}
-		glog.V(4).Infof("Updated existing resource %s/%s/%s", genKind, genNamespace, genName)
+		logger.V(4).Info("updated new resource")
 	}
 
 	return newGenResource, nil
 }
 
-func manageData(kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
+func manageData(log logr.Logger, kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
 	// check if resource to be generated exists
 	obj, err := client.GetResource(kind, namespace, name)
 	if apierrors.IsNotFound(err) {
-		glog.V(4).Infof("Resource %s/%s/%s does not exists, will try to create", kind, namespace, name)
+		log.Error(err, "resource does not exist, will try to create", "genKind", kind, "genNamespace", namespace, "genName", name)
 		return data, Create, nil
 	}
 	if err != nil {
@@ -237,18 +239,17 @@ func manageData(kind, namespace, name string, data map[string]interface{}, clien
 		return nil, Skip, err
 	}
 	// Resource exists; verfiy the content of the resource
-	err = checkResource(data, obj)
+	err = checkResource(log, data, obj)
 	if err == nil {
 		// Existing resource does contain the mentioned configuration in spec, skip processing the resource as it is already in expected state
 		return nil, Skip, nil
 	}
-
-	glog.V(4).Infof("Resource %s/%s/%s exists but missing required configuration, will try to update", kind, namespace, name)
+	log.Info("to be generated resoruce already exists, but is missing the specifeid configurations, will try to update", "genKind", kind, "genNamespace", namespace, "genName", name)
 	return data, Update, nil
 
 }
 
-func manageClone(kind, namespace, name string, clone map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
+func manageClone(log logr.Logger, kind, namespace, name string, clone map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
 	// check if resource to be generated exists
 	_, err := client.GetResource(kind, namespace, name)
 	if err == nil {
@@ -257,6 +258,7 @@ func manageClone(kind, namespace, name string, clone map[string]interface{}, cli
 	}
 	//TODO: check this
 	if !apierrors.IsNotFound(err) {
+		log.Error(err, "reference/clone resource is not found", "genKind", kind, "genNamespace", namespace, "genName", name)
 		//something wrong while fetching resource
 		return nil, Skip, err
 	}
@@ -274,8 +276,6 @@ func manageClone(kind, namespace, name string, clone map[string]interface{}, cli
 		// attempting to clone it self, this will fail -> short-ciruit it
 		return nil, Skip, nil
 	}
-
-	glog.V(4).Infof("check if resource %s/%s/%s exists", kind, newRNs, newRName)
 	// check if the resource as reference in clone exists?
 	obj, err := client.GetResource(kind, newRNs, newRName)
 	if err != nil {
@@ -298,10 +298,10 @@ const (
 	Update = "UPDATE"
 )
 
-func checkResource(newResourceSpec interface{}, resource *unstructured.Unstructured) error {
+func checkResource(log logr.Logger, newResourceSpec interface{}, resource *unstructured.Unstructured) error {
 	// check if the resource spec if a subset of the resource
-	if path, err := validate.ValidateResourceWithPattern(resource.Object, newResourceSpec); err != nil {
-		glog.V(4).Infof("Failed to match the resource at path %s: err %v", path, err)
+	if path, err := validate.ValidateResourceWithPattern(log, resource.Object, newResourceSpec); err != nil {
+		log.Error(err, "Failed to match the resource ", "path", path)
 		return err
 	}
 	return nil
diff --git a/pkg/generate/labels.go b/pkg/generate/labels.go
index 282caf55fa..312d49c1e7 100644
--- a/pkg/generate/labels.go
+++ b/pkg/generate/labels.go
@@ -3,7 +3,7 @@ package generate
 import (
 	"fmt"
 
-	"github.com/golang/glog"
+	"github.com/nirmata/kyverno/pkg/log"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -30,7 +30,7 @@ func managedBy(labels map[string]string) {
 	val, ok := labels[key]
 	if ok {
 		if val != value {
-			glog.Infof("resource managed by %s, kyverno wont over-ride the label", val)
+			log.Log.Info(fmt.Sprintf("resource managed by %s, kyverno wont over-ride the label", val))
 			return
 		}
 	}
@@ -46,7 +46,7 @@ func generatedBy(labels map[string]string, triggerResource unstructured.Unstruct
 	val, ok := labels[key]
 	if ok {
 		if val != value {
-			glog.Infof("resource generated by %s, kyverno wont over-ride the label", val)
+			log.Log.Info(fmt.Sprintf("resource generated by %s, kyverno wont over-ride the label", val))
 			return
 		}
 	}
diff --git a/pkg/generate/report.go b/pkg/generate/report.go
index eaa5939e41..f9d24fcc10 100644
--- a/pkg/generate/report.go
+++ b/pkg/generate/report.go
@@ -3,13 +3,13 @@ package generate
 import (
 	"fmt"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/event"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
-func reportEvents(err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) {
+func reportEvents(log logr.Logger, err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) {
 	if err == nil {
 		// Success Events
 		// - resource -> policy rule applied successfully
@@ -18,7 +18,6 @@ func reportEvents(err error, eventGen event.Interface, gr kyverno.GenerateReques
 		eventGen.Add(events...)
 		return
 	}
-	glog.V(4).Infof("reporing events for %v", err)
 	events := failedEvents(err, gr, resource)
 	eventGen.Add(events...)
 }
diff --git a/pkg/log/deleg.go b/pkg/log/deleg.go
new file mode 100644
index 0000000000..4bfee0b69b
--- /dev/null
+++ b/pkg/log/deleg.go
@@ -0,0 +1,121 @@
+package log
+
+import (
+	"sync"
+
+	"github.com/go-logr/logr"
+)
+
+// loggerPromise knows how to populate a concrete logr.Logger
+// with options, given an actual base logger later on down the line.
+type loggerPromise struct {
+	logger        *DelegatingLogger
+	childPromises []*loggerPromise
+	promisesLock  sync.Mutex
+
+	name *string
+	tags []interface{}
+}
+
+// WithName provides a new Logger with the name appended
+func (p *loggerPromise) WithName(l *DelegatingLogger, name string) *loggerPromise {
+	res := &loggerPromise{
+		logger:       l,
+		name:         &name,
+		promisesLock: sync.Mutex{},
+	}
+
+	p.promisesLock.Lock()
+	defer p.promisesLock.Unlock()
+	p.childPromises = append(p.childPromises, res)
+	return res
+}
+
+// WithValues provides a new Logger with the tags appended
+func (p *loggerPromise) WithValues(l *DelegatingLogger, tags ...interface{}) *loggerPromise {
+	res := &loggerPromise{
+		logger:       l,
+		tags:         tags,
+		promisesLock: sync.Mutex{},
+	}
+
+	p.promisesLock.Lock()
+	defer p.promisesLock.Unlock()
+	p.childPromises = append(p.childPromises, res)
+	return res
+}
+
+// Fulfill instantiates the Logger with the provided logger
+func (p *loggerPromise) Fulfill(parentLogger logr.Logger) {
+	var logger = parentLogger
+	if p.name != nil {
+		logger = logger.WithName(*p.name)
+	}
+
+	if p.tags != nil {
+		logger = logger.WithValues(p.tags...)
+	}
+
+	p.logger.Logger = logger
+	p.logger.promise = nil
+
+	for _, childPromise := range p.childPromises {
+		childPromise.Fulfill(logger)
+	}
+}
+
+// DelegatingLogger is a logr.Logger that delegates to another logr.Logger.
+// If the underlying promise is not nil, it registers calls to sub-loggers with
+// the logging factory to be populated later, and returns a new delegating
+// logger.  It expects to have *some* logr.Logger set at all times (generally
+// a no-op logger before the promises are fulfilled).
+type DelegatingLogger struct {
+	logr.Logger
+	promise *loggerPromise
+}
+
+// WithName provides a new Logger with the name appended
+func (l *DelegatingLogger) WithName(name string) logr.Logger {
+	if l.promise == nil {
+		return l.Logger.WithName(name)
+	}
+
+	res := &DelegatingLogger{Logger: l.Logger}
+	promise := l.promise.WithName(res, name)
+	res.promise = promise
+
+	return res
+}
+
+// WithValues provides a new Logger with the tags appended
+func (l *DelegatingLogger) WithValues(tags ...interface{}) logr.Logger {
+	if l.promise == nil {
+		return l.Logger.WithValues(tags...)
+	}
+
+	res := &DelegatingLogger{Logger: l.Logger}
+	promise := l.promise.WithValues(res, tags...)
+	res.promise = promise
+
+	return res
+}
+
+// Fulfill switches the logger over to use the actual logger
+// provided, instead of the temporary initial one, if this method
+// has not been previously called.
+func (l *DelegatingLogger) Fulfill(actual logr.Logger) {
+	if l.promise != nil {
+		l.promise.Fulfill(actual)
+	}
+}
+
+// NewDelegatingLogger constructs a new DelegatingLogger which uses
+// the given logger before it's promise is fulfilled.
+func NewDelegatingLogger(initial logr.Logger) *DelegatingLogger {
+	l := &DelegatingLogger{
+		Logger:  initial,
+		promise: &loggerPromise{promisesLock: sync.Mutex{}},
+	}
+	l.promise.logger = l
+	return l
+}
diff --git a/pkg/log/log.go b/pkg/log/log.go
new file mode 100644
index 0000000000..d8ec75b46c
--- /dev/null
+++ b/pkg/log/log.go
@@ -0,0 +1,15 @@
+package log
+
+import (
+	"github.com/go-logr/logr"
+)
+
+// SetLogger sets a concrete logging implementation for all deferred Loggers.
+func SetLogger(l logr.Logger) {
+	Log.Fulfill(l)
+}
+
+// Log is the base logger used by kubebuilder.  It delegates
+// to another logr.Logger.  You *must* call SetLogger to
+// get any actual logging.
+var Log = NewDelegatingLogger(NullLogger{})
diff --git a/pkg/log/null.go b/pkg/log/null.go
new file mode 100644
index 0000000000..7e806e032c
--- /dev/null
+++ b/pkg/log/null.go
@@ -0,0 +1,44 @@
+package log
+
+import (
+	"github.com/go-logr/logr"
+)
+
+// NB: this is the same as the null logger logr/testing,
+// but avoids accidentally adding the testing flags to
+// all binaries.
+
+// NullLogger is a logr.Logger that does nothing.
+type NullLogger struct{}
+
+var _ logr.Logger = NullLogger{}
+
+// Info implements logr.InfoLogger
+func (NullLogger) Info(_ string, _ ...interface{}) {
+	// Do nothing.
+}
+
+// Enabled implements logr.InfoLogger
+func (NullLogger) Enabled() bool {
+	return false
+}
+
+// Error implements logr.Logger
+func (NullLogger) Error(_ error, _ string, _ ...interface{}) {
+	// Do nothing.
+}
+
+// V implements logr.Logger
+func (log NullLogger) V(_ int) logr.InfoLogger {
+	return log
+}
+
+// WithName implements logr.Logger
+func (log NullLogger) WithName(_ string) logr.Logger {
+	return log
+}
+
+// WithValues implements logr.Logger
+func (log NullLogger) WithValues(_ ...interface{}) logr.Logger {
+	return log
+}
diff --git a/pkg/policy/actions.go b/pkg/policy/actions.go
index cdf37ed1a8..6042177ecf 100644
--- a/pkg/policy/actions.go
+++ b/pkg/policy/actions.go
@@ -5,6 +5,7 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
+	"github.com/nirmata/kyverno/pkg/log"
 	"github.com/nirmata/kyverno/pkg/policy/generate"
 	"github.com/nirmata/kyverno/pkg/policy/mutate"
 	"github.com/nirmata/kyverno/pkg/policy/validate"
@@ -40,7 +41,7 @@ func validateActions(idx int, rule kyverno.Rule, client *dclient.Client) error {
 
 	// Generate
 	if rule.HasGenerate() {
-		checker = generate.NewGenerateFactory(client, rule.Generation)
+		checker = generate.NewGenerateFactory(client, rule.Generation, log.Log)
 		if path, err := checker.Validate(); err != nil {
 			return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
 		}
diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index ed4b72ac65..f777e21ab1 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -8,7 +8,7 @@ import (
 	"time"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -19,12 +19,13 @@ import (
 
 // applyPolicy applies policy on a resource
 //TODO: generation rules
-func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, policyStatus PolicyStatusInterface) (responses []response.EngineResponse) {
+func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, policyStatus PolicyStatusInterface, log logr.Logger) (responses []response.EngineResponse) {
+	logger := log.WithValues("kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
 	startTime := time.Now()
 	var policyStats []PolicyStat
-	glog.V(4).Infof("Started apply policy %s on resource %s/%s/%s (%v)", policy.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), startTime)
+	logger.Info("start applying policy", "startTime", startTime)
 	defer func() {
-		glog.V(4).Infof("Finished applying %s on resource %s/%s/%s (%v)", policy.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), time.Since(startTime))
+		logger.Info("finisnhed applying policy", "processingTime", time.Since(startTime))
 	}()
 
 	// gather stats from the engine response
@@ -66,10 +67,10 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	ctx.AddResource(transformResource(resource))
 
 	//MUTATION
-	engineResponse, err = mutation(policy, resource, policyStatus, ctx)
+	engineResponse, err = mutation(policy, resource, policyStatus, ctx, logger)
 	engineResponses = append(engineResponses, engineResponse)
 	if err != nil {
-		glog.Errorf("unable to process mutation rules: %v", err)
+		logger.Error(err, "failed to process mutation rule")
 	}
 	gatherStat(policy.Name, engineResponse.PolicyResponse)
 	//send stats
@@ -86,52 +87,52 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	//TODO: GENERATION
 	return engineResponses
 }
-func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, policyStatus PolicyStatusInterface, ctx context.EvalInterface) (response.EngineResponse, error) {
+func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, policyStatus PolicyStatusInterface, ctx context.EvalInterface, log logr.Logger) (response.EngineResponse, error) {
 
 	engineResponse := engine.Mutate(engine.PolicyContext{Policy: policy, NewResource: resource, Context: ctx})
 	if !engineResponse.IsSuccesful() {
-		glog.V(4).Infof("mutation had errors reporting them")
+		log.V(4).Info("failed to apply mutation rules; reporting them")
 		return engineResponse, nil
 	}
 	// Verify if the JSON pathes returned by the Mutate are already applied to the resource
 	if reflect.DeepEqual(resource, engineResponse.PatchedResource) {
 		// resources matches
-		glog.V(4).Infof("resource %s/%s/%s satisfies policy %s", engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name, engineResponse.PolicyResponse.Policy)
+		log.V(4).Info("resource already satisfys the policy")
 		return engineResponse, nil
 	}
-	return getFailedOverallRuleInfo(resource, engineResponse)
+	return getFailedOverallRuleInfo(resource, engineResponse, log)
 }
 
 // getFailedOverallRuleInfo gets detailed info for over-all mutation failure
-func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse response.EngineResponse) (response.EngineResponse, error) {
+func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse response.EngineResponse, log logr.Logger) (response.EngineResponse, error) {
 	rawResource, err := resource.MarshalJSON()
 	if err != nil {
-		glog.V(4).Infof("unable to marshal resource: %v\n", err)
+		log.Error(err, "faield to marshall resource")
 		return response.EngineResponse{}, err
 	}
 
 	// resource does not match so there was a mutation rule violated
 	for index, rule := range engineResponse.PolicyResponse.Rules {
-		glog.V(4).Infof("veriying if policy %s rule %s was applied before to resource %s/%s/%s", engineResponse.PolicyResponse.Policy, rule.Name, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
+		log.V(4).Info("veriying if policy rule was applied before", "rule", rule.Name)
 		if len(rule.Patches) == 0 {
 			continue
 		}
 		patch, err := jsonpatch.DecodePatch(utils.JoinPatches(rule.Patches))
 		if err != nil {
-			glog.V(4).Infof("unable to decode patch %s: %v", rule.Patches, err)
+			log.Error(err, "failed to decode JSON patch", "patches", rule.Patches)
 			return response.EngineResponse{}, err
 		}
 
 		// apply the patches returned by mutate to the original resource
 		patchedResource, err := patch.Apply(rawResource)
 		if err != nil {
-			glog.V(4).Infof("unable to apply patch %s: %v", rule.Patches, err)
+			log.Error(err, "failed to apply JSON patch", "patches", rule.Patches)
 			return response.EngineResponse{}, err
 		}
 		if !jsonpatch.Equal(patchedResource, rawResource) {
-			glog.V(4).Infof("policy %s rule %s condition not satisfied by existing resource", engineResponse.PolicyResponse.Policy, rule.Name)
+			log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name)
 			engineResponse.PolicyResponse.Rules[index].Success = false
-			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(rule.Patches))
+			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(rule.Patches, log))
 		}
 	}
 	return engineResponse, nil
@@ -143,14 +144,14 @@ type jsonPatch struct {
 	Value interface{} `json:"value"`
 }
 
-func extractPatchPath(patches [][]byte) string {
+func extractPatchPath(patches [][]byte, log logr.Logger) string {
 	var resultPath []string
 	// extract the patch path and value
 	for _, patch := range patches {
-		glog.V(4).Infof("expected json patch not found in resource: %s", string(patch))
+		log.V(4).Info("expected json patch not found in resource", "patch", string(patch))
 		var data jsonPatch
 		if err := json.Unmarshal(patch, &data); err != nil {
-			glog.V(4).Infof("Failed to decode the generated patch %v: Error %v", string(patch), err)
+			log.Error(err, "failed to decode the generate patch", "patch", string(patch))
 			continue
 		}
 		resultPath = append(resultPath, data.Path)
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index 423fc51c4d..cec13c74d7 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -6,6 +6,7 @@ import (
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
+	"github.com/nirmata/kyverno/pkg/log"
 )
 
 //ContainsUserInfo returns error is userInfo is defined
@@ -35,23 +36,23 @@ func ContainsUserInfo(policy kyverno.ClusterPolicy) error {
 		filterVars := []string{"request.userInfo*", "serviceAccountName", "serviceAccountNamespace"}
 		ctx := context.NewContext(filterVars...)
 		for condIdx, condition := range rule.Conditions {
-			if condition.Key, err = variables.SubstituteVars(ctx, condition.Key); err != nil {
+			if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); err != nil {
 				return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/key", idx, condIdx)
 			}
 
-			if condition.Value, err = variables.SubstituteVars(ctx, condition.Value); err != nil {
+			if condition.Value, err = variables.SubstituteVars(log.Log, ctx, condition.Value); err != nil {
 				return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/value", idx, condIdx)
 			}
 		}
 
-		if rule.Mutation.Overlay, err = variables.SubstituteVars(ctx, rule.Mutation.Overlay); err != nil {
+		if rule.Mutation.Overlay, err = variables.SubstituteVars(log.Log, ctx, rule.Mutation.Overlay); err != nil {
 			return fmt.Errorf("userInfo variable used at spec/rules[%d]/mutate/overlay", idx)
 		}
-		if rule.Validation.Pattern, err = variables.SubstituteVars(ctx, rule.Validation.Pattern); err != nil {
+		if rule.Validation.Pattern, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Pattern); err != nil {
 			return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/pattern", idx)
 		}
 		for idx2, pattern := range rule.Validation.AnyPattern {
-			if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(ctx, pattern); err != nil {
+			if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(log.Log, ctx, pattern); err != nil {
 				return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/anyPattern[%d]", idx, idx2)
 			}
 		}
diff --git a/pkg/policy/cleanup.go b/pkg/policy/cleanup.go
index 6a41c579ba..40394c2785 100644
--- a/pkg/policy/cleanup.go
+++ b/pkg/policy/cleanup.go
@@ -4,57 +4,71 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"k8s.io/apimachinery/pkg/labels"
 )
 
+func (pc *PolicyController) cleanUp(ers []response.EngineResponse) {
+	for _, er := range ers {
+		if !er.IsSuccesful() {
+			continue
+		}
+		if len(er.PolicyResponse.Rules) == 0 {
+			continue
+		}
+		// clean up after the policy has been corrected
+		pc.cleanUpPolicyViolation(er.PolicyResponse)
+	}
+}
+
 func (pc *PolicyController) cleanUpPolicyViolation(pResponse response.PolicyResponse) {
+	logger := pc.log
 	// - check if there is violation on resource (label:Selector)
 	if pResponse.Resource.Namespace == "" {
-		pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name)
+		pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name, logger)
 		if err != nil {
-			glog.Errorf("failed to cleanUp violations: %v", err)
+			logger.Error(err, "failed to get cluster policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "name", pResponse.Resource.Name)
 			return
 		}
 
 		if reflect.DeepEqual(pv, kyverno.ClusterPolicyViolation{}) {
 			return
 		}
-
-		glog.V(4).Infof("cleanup cluster violation %s on %s", pv.Name, pv.Spec.ResourceSpec.ToKey())
 		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
-			glog.Errorf("failed to delete cluster policy violation %s on %s: %v", pv.Name, pv.Spec.ResourceSpec.ToKey(), err)
+			logger.Error(err, "failed to delete cluster policy violation", "name", pv.Name)
+		} else {
+			logger.Info("deleted cluster policy violation", "name", pv.Name)
 		}
-
 		return
 	}
 
 	// namespace policy violation
-	nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name)
+	nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name, logger)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to get namespaced policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "namespace", pResponse.Resource.Namespace, "name", pResponse.Resource.Name)
 		return
 	}
 
 	if reflect.DeepEqual(nspv, kyverno.PolicyViolation{}) {
 		return
 	}
-	glog.V(4).Infof("cleanup namespaced violation %s on %s.%s", nspv.Name, pResponse.Resource.Namespace, nspv.Spec.ResourceSpec.ToKey())
 	if err := pc.pvControl.DeleteNamespacedPolicyViolation(nspv.Namespace, nspv.Name); err != nil {
-		glog.Errorf("failed to delete namespaced policy violation %s on %s: %v", nspv.Name, nspv.Spec.ResourceSpec.ToKey(), err)
+		logger.Error(err, "failed to delete cluster policy violation", "name", nspv.Name, "namespace", nspv.Namespace)
+	} else {
+		logger.Info("deleted namespaced policy violation", "name", nspv.Name, "namespace", nspv.Namespace)
 	}
 }
 
 // Wont do the claiming of objects, just lookup based on selectors
-func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string) (kyverno.ClusterPolicyViolation, error) {
+func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string, log logr.Logger) (kyverno.ClusterPolicyViolation, error) {
 	var err error
 	// Check Violation on resource
 	pvs, err := pvLister.List(labels.Everything())
 	if err != nil {
-		glog.V(2).Infof("unable to list policy violations : %v", err)
+		log.Error(err, "failed to list cluster policy violations")
 		return kyverno.ClusterPolicyViolation{}, fmt.Errorf("failed to list cluster pv: %v", err)
 	}
 
@@ -69,10 +83,10 @@ func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyNam
 	return kyverno.ClusterPolicyViolation{}, nil
 }
 
-func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string) (kyverno.PolicyViolation, error) {
+func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string, log logr.Logger) (kyverno.PolicyViolation, error) {
 	nspvs, err := nspvLister.PolicyViolations(rnamespace).List(labels.Everything())
 	if err != nil {
-		glog.V(2).Infof("failed to list namespaced pv: %v", err)
+		log.Error(err, "failed to list namespaced policy violation")
 		return kyverno.PolicyViolation{}, fmt.Errorf("failed to list namespaced pv: %v", err)
 	}
 
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index 04200cd5a5..822f11621e 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -1,11 +1,10 @@
 package policy
 
 import (
-	"fmt"
 	"reflect"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
@@ -75,6 +74,7 @@ type PolicyController struct {
 	pvGenerator policyviolation.GeneratorInterface
 	// resourceWebhookWatcher queues the webhook creation request, creates the webhook
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
+	log                    logr.Logger
 }
 
 // NewPolicyController create a new PolicyController
@@ -87,10 +87,11 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 	eventGen event.Interface,
 	pvGenerator policyviolation.GeneratorInterface,
 	pMetaStore policystore.UpdateInterface,
-	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister) (*PolicyController, error) {
+	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
+	log logr.Logger) (*PolicyController, error) {
 	// Event broad caster
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(glog.Infof)
+	eventBroadcaster.StartLogging(log.Info)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
 		return nil, err
@@ -107,6 +108,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 		pMetaStore:             pMetaStore,
 		pvGenerator:            pvGenerator,
 		resourceWebhookWatcher: resourceWebhookWatcher,
+		log:                    log,
 	}
 
 	pc.pvControl = RealPVControl{Client: kyvernoClient, Recorder: pc.eventRecorder}
@@ -152,6 +154,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 }
 
 func (pc *PolicyController) addPolicy(obj interface{}) {
+	logger := pc.log
 	p := obj.(*kyverno.ClusterPolicy)
 	// Only process policies that are enabled for "background" execution
 	// policy.spec.background -> "True"
@@ -175,19 +178,19 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
 			return
 		}
 	}
-
-	glog.V(4).Infof("Adding Policy %s", p.Name)
+	logger.V(4).Info("adding policy", "name", p.Name)
 	pc.enqueuePolicy(p)
 }
 
 func (pc *PolicyController) updatePolicy(old, cur interface{}) {
+	logger := pc.log
 	oldP := old.(*kyverno.ClusterPolicy)
 	curP := cur.(*kyverno.ClusterPolicy)
 	// TODO: optimize this : policy meta-store
 	// Update policy-> (remove,add)
 	err := pc.pMetaStore.UnRegister(*oldP)
 	if err != nil {
-		glog.Infof("Failed to unregister policy %s", oldP.Name)
+		logger.Error(err, "failed to unregister policy", "name", oldP.Name)
 	}
 	pc.pMetaStore.Register(*curP)
 
@@ -210,28 +213,29 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 			return
 		}
 	}
-	glog.V(4).Infof("Updating Policy %s", oldP.Name)
+	logger.V(4).Info("updating policy", "name", oldP.Name)
 	pc.enqueuePolicy(curP)
 }
 
 func (pc *PolicyController) deletePolicy(obj interface{}) {
+	logger := pc.log
 	p, ok := obj.(*kyverno.ClusterPolicy)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("couldnt get object from tomstone", "obj", obj)
 			return
 		}
 		p, ok = tombstone.Obj.(*kyverno.ClusterPolicy)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a Policy %#v", obj))
+			logger.Info("tombstone container object that is not a policy", "obj", obj)
 			return
 		}
 	}
-	glog.V(4).Infof("Deleting Policy %s", p.Name)
+	logger.V(4).Info("deleting policy", "name", p.Name)
 	// Unregister from policy meta-store
 	if err := pc.pMetaStore.UnRegister(*p); err != nil {
-		glog.Infof("failed to unregister policy %s", p.Name)
+		logger.Error(err, "failed to unregister policy", "name", p.Name)
 	}
 	// we process policies that are not set of background processing as we need to perform policy violation
 	// cleanup when a policy is deleted.
@@ -239,9 +243,10 @@ func (pc *PolicyController) deletePolicy(obj interface{}) {
 }
 
 func (pc *PolicyController) enqueue(policy *kyverno.ClusterPolicy) {
+	logger := pc.log
 	key, err := cache.MetaNamespaceKeyFunc(policy)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to enqueu policy")
 		return
 	}
 	pc.queue.Add(key)
@@ -249,15 +254,16 @@ func (pc *PolicyController) enqueue(policy *kyverno.ClusterPolicy) {
 
 // Run begins watching and syncing.
 func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) {
+	logger := pc.log
 
 	defer utilruntime.HandleCrash()
 	defer pc.queue.ShutDown()
 
-	glog.Info("Starting policy controller")
-	defer glog.Info("Shutting down policy controller")
+	logger.Info("starting")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, pc.pListerSynced, pc.cpvListerSynced, pc.nspvListerSynced) {
-		glog.Error("failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 		return
 	}
 
@@ -295,31 +301,33 @@ func (pc *PolicyController) processNextWorkItem() bool {
 }
 
 func (pc *PolicyController) handleErr(err error, key interface{}) {
+	logger := pc.log
 	if err == nil {
 		pc.queue.Forget(key)
 		return
 	}
 
 	if pc.queue.NumRequeues(key) < maxRetries {
-		glog.V(2).Infof("Error syncing Policy %v: %v", key, err)
+		logger.Error(err, "failed to sync policy", "key", key)
 		pc.queue.AddRateLimited(key)
 		return
 	}
 
 	utilruntime.HandleError(err)
-	glog.V(2).Infof("Dropping policy %q out of the queue: %v", key, err)
+	logger.V(2).Info("dropping policy out of queue", "key", key)
 	pc.queue.Forget(key)
 }
 
 func (pc *PolicyController) syncPolicy(key string) error {
+	logger := pc.log
 	startTime := time.Now()
-	glog.V(4).Infof("Started syncing policy %q (%v)", key, startTime)
+	logger.V(4).Info("started syncing policy", "key", key, "startTime", startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing policy %q (%v)", key, time.Since(startTime))
+		logger.V(4).Info("finished syncing policy", "key", key, "processingTime", time.Since(startTime))
 	}()
 	policy, err := pc.pLister.Get(key)
 	if errors.IsNotFound(err) {
-		glog.V(2).Infof("Policy %v has been deleted", key)
+		logger.V(2).Info("policy deleted", "key", key)
 		// delete cluster policy violation
 		if err := pc.deleteClusterPolicyViolations(key); err != nil {
 			return err
@@ -334,8 +342,7 @@ func (pc *PolicyController) syncPolicy(key string) error {
 		// remove webhook configurations if there are no policies
 		if err := pc.removeResourceWebhookConfiguration(); err != nil {
 			// do not fail, if unable to delete resource webhook config
-			glog.V(4).Infof("failed to remove resource webhook configuration: %v", err)
-			glog.Errorln(err)
+			logger.Error(err, "failed to remove resource webhook configurations")
 		}
 		return nil
 	}
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index 9165978ca4..d0e2bc1fd0 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -5,7 +5,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/config"
@@ -19,27 +19,28 @@ import (
 )
 
 func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolicy) []response.EngineResponse {
+	logger := pc.log.WithValues("policy", policy.Name)
 	// Parse through all the resources
 	// drops the cache after configured rebuild time
 	pc.rm.Drop()
 	var engineResponses []response.EngineResponse
 	// get resource that are satisfy the resource description defined in the rules
-	resourceMap := listResources(pc.client, policy, pc.configHandler)
+	resourceMap := listResources(pc.client, policy, pc.configHandler, logger)
 	for _, resource := range resourceMap {
 		// pre-processing, check if the policy and resource version has been processed before
 		if !pc.rm.ProcessResource(policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion()) {
-			glog.V(4).Infof("policy %s with resource version %s already processed on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion())
+			logger.V(4).Info("policy and resource already processed", "policyResourceVersion", policy.ResourceVersion, "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
 			continue
 		}
 
 		// skip reporting violation on pod which has annotation pod-policies.kyverno.io/autogen-applied
-		if skipPodApplication(resource) {
+		if skipPodApplication(resource, logger) {
 			continue
 		}
 
 		// apply the policy on each
-		glog.V(4).Infof("apply policy %s with resource version %s on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion())
-		engineResponse := applyPolicy(policy, resource, pc.statusAggregator)
+		logger.V(4).Info("apply policy on resource", "policyResourceVersion", policy.ResourceVersion, "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
+		engineResponse := applyPolicy(policy, resource, pc.statusAggregator, logger)
 		// get engine response for mutation & validation independently
 		engineResponses = append(engineResponses, engineResponse...)
 		// post-processing, register the resource as processed
@@ -48,36 +49,26 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic
 	return engineResponses
 }
 
-func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHandler config.Interface) map[string]unstructured.Unstructured {
+func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHandler config.Interface, log logr.Logger) map[string]unstructured.Unstructured {
 	// key uid
 	resourceMap := map[string]unstructured.Unstructured{}
 
 	for _, rule := range policy.Spec.Rules {
 		// resources that match
 		for _, k := range rule.MatchResources.Kinds {
-			// if kindIsExcluded(k, rule.ExcludeResources.Kinds) {
-			// 	glog.V(4).Infof("processing policy %s rule %s: kind %s is exluded", policy.Name, rule.Name, k)
-			// 	continue
-			// }
 			var namespaces []string
-			if k == "Namespace" {
-				// TODO
-				// this is handled by generator controller
-				glog.V(4).Infof("skipping processing policy %s rule %s for kind Namespace", policy.Name, rule.Name)
-				continue
-			}
 			if len(rule.MatchResources.Namespaces) > 0 {
 				namespaces = append(namespaces, rule.MatchResources.Namespaces...)
-				glog.V(4).Infof("namespaces specified for inclusion: %v", rule.MatchResources.Namespaces)
+				log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces)
 			} else {
-				glog.V(4).Infof("processing policy %s rule %s, namespace not defined, getting all namespaces ", policy.Name, rule.Name)
+				log.V(4).Info("processing all namespaces", "rule", rule.Name)
 				// get all namespaces
-				namespaces = getAllNamespaces(client)
+				namespaces = getAllNamespaces(client, log)
 			}
 
 			// get resources in the namespaces
 			for _, ns := range namespaces {
-				rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler)
+				rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log)
 				mergeresources(resourceMap, rMap)
 			}
 
@@ -86,16 +77,16 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHa
 	return resourceMap
 }
 
-func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, configHandler config.Interface) map[string]unstructured.Unstructured {
+func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, configHandler config.Interface, log logr.Logger) map[string]unstructured.Unstructured {
 	resourceMap := map[string]unstructured.Unstructured{}
 	// merge include and exclude label selector values
 	ls := rule.MatchResources.Selector
 	//	ls := mergeLabelSectors(rule.MatchResources.Selector, rule.ExcludeResources.Selector)
 	// list resources
-	glog.V(4).Infof("get resources for kind %s, namespace %s, selector %v", kind, namespace, rule.MatchResources.Selector)
+	log.V(4).Info("list resources to be processed")
 	list, err := client.ListResource(kind, namespace, ls)
 	if err != nil {
-		glog.Infof("unable to get resources: err %v", err)
+		log.Error(err, "failed to list resources", "kind", kind)
 		return nil
 	}
 	// filter based on name
@@ -103,7 +94,6 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 		// match name
 		if rule.MatchResources.Name != "" {
 			if !wildcard.Match(rule.MatchResources.Name, r.GetName()) {
-				glog.V(4).Infof("skipping resource %s/%s due to include condition name=%s mistatch", r.GetNamespace(), r.GetName(), rule.MatchResources.Name)
 				continue
 			}
 		}
@@ -118,12 +108,11 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 
 	// exclude the resources
 	// skip resources to be filtered
-	excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, configHandler)
-	//	glog.V(4).Infof("resource map: %v", resourceMap)
+	excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, configHandler, log)
 	return resourceMap
 }
 
-func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription, configHandler config.Interface) {
+func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription, configHandler config.Interface, log logr.Logger) {
 	if reflect.DeepEqual(exclude, (kyverno.ResourceDescription{})) {
 		return
 	}
@@ -154,7 +143,7 @@ func excludeResources(included map[string]unstructured.Unstructured, exclude kyv
 		selector, err := metav1.LabelSelectorAsSelector(exclude.Selector)
 		// if the label selector is incorrect, should be fail or
 		if err != nil {
-			glog.Error(err)
+			log.Error(err, "failed to build label selector")
 			return Skip
 		}
 		if selector.Matches(labels.Set(labelsMap)) {
@@ -205,8 +194,6 @@ func excludeResources(included map[string]unstructured.Unstructured, exclude kyv
 		}
 		// exclude the filtered resources
 		if configHandler.ToFilter(resource.GetKind(), resource.GetNamespace(), resource.GetName()) {
-			//TODO: improve the text
-			glog.V(4).Infof("excluding resource %s/%s/%s as its satisfies the filtered resources", resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			delete(included, uid)
 			continue
 		}
@@ -244,12 +231,13 @@ func mergeresources(a, b map[string]unstructured.Unstructured) {
 	}
 }
 
-func getAllNamespaces(client *client.Client) []string {
+func getAllNamespaces(client *client.Client, log logr.Logger) []string {
+
 	var namespaces []string
 	// get all namespaces
 	nsList, err := client.ListResource("Namespace", "", nil)
 	if err != nil {
-		glog.Error(err)
+		log.Error(err, "failed to list namespaces")
 		return namespaces
 	}
 	for _, ns := range nsList.Items {
@@ -291,14 +279,11 @@ type resourceManager interface {
 //TODO: or drop based on the size
 func (rm *ResourceManager) Drop() {
 	timeSince := time.Since(rm.time)
-	glog.V(4).Infof("time since last cache reset time %v is %v", rm.time, timeSince)
-	glog.V(4).Infof("cache rebuild time %v", time.Duration(rm.rebuildTime)*time.Second)
 	if timeSince > time.Duration(rm.rebuildTime)*time.Second {
 		rm.mux.Lock()
 		defer rm.mux.Unlock()
 		rm.data = map[string]interface{}{}
 		rm.time = time.Now()
-		glog.V(4).Infof("dropping cache at time %v", rm.time)
 	}
 }
 
@@ -327,14 +312,14 @@ func buildKey(policy, pv, kind, ns, name, rv string) string {
 	return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv
 }
 
-func skipPodApplication(resource unstructured.Unstructured) bool {
+func skipPodApplication(resource unstructured.Unstructured, log logr.Logger) bool {
 	if resource.GetKind() != "Pod" {
 		return false
 	}
 
 	annotation := resource.GetAnnotations()
 	if _, ok := annotation[engine.PodTemplateAnnotation]; ok {
-		glog.V(4).Infof("Policies already processed on pod controllers, skip processing policy on Pod/%s/%s", resource.GetNamespace(), resource.GetName())
+		log.V(4).Info("Policies already processed on pod controllers, skip processing policy on Pod", "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
 		return true
 	}
 
diff --git a/pkg/policy/generate/auth.go b/pkg/policy/generate/auth.go
index 0bcd0cb0a1..3da64a4289 100644
--- a/pkg/policy/generate/auth.go
+++ b/pkg/policy/generate/auth.go
@@ -1,6 +1,7 @@
 package generate
 
 import (
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/auth"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 )
@@ -20,19 +21,21 @@ type Operations interface {
 //Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
 type Auth struct {
 	client *dclient.Client
+	log    logr.Logger
 }
 
 //NewAuth returns a new instance of Auth for operations
-func NewAuth(client *dclient.Client) *Auth {
+func NewAuth(client *dclient.Client, log logr.Logger) *Auth {
 	a := Auth{
 		client: client,
+		log:    log,
 	}
 	return &a
 }
 
 // CanICreate returns 'true' if self can 'create' resource
 func (a *Auth) CanICreate(kind, namespace string) (bool, error) {
-	canI := auth.NewCanI(a.client, kind, namespace, "create")
+	canI := auth.NewCanI(a.client, kind, namespace, "create", a.log)
 	ok, err := canI.RunAccessCheck()
 	if err != nil {
 		return false, err
@@ -42,7 +45,7 @@ func (a *Auth) CanICreate(kind, namespace string) (bool, error) {
 
 // CanIUpdate returns 'true' if self can 'update' resource
 func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {
-	canI := auth.NewCanI(a.client, kind, namespace, "update")
+	canI := auth.NewCanI(a.client, kind, namespace, "update", a.log)
 	ok, err := canI.RunAccessCheck()
 	if err != nil {
 		return false, err
@@ -52,7 +55,7 @@ func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {
 
 // CanIDelete returns 'true' if self can 'delete' resource
 func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {
-	canI := auth.NewCanI(a.client, kind, namespace, "delete")
+	canI := auth.NewCanI(a.client, kind, namespace, "delete", a.log)
 	ok, err := canI.RunAccessCheck()
 	if err != nil {
 		return false, err
@@ -62,7 +65,7 @@ func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {
 
 // CanIGet returns 'true' if self can 'get' resource
 func (a *Auth) CanIGet(kind, namespace string) (bool, error) {
-	canI := auth.NewCanI(a.client, kind, namespace, "get")
+	canI := auth.NewCanI(a.client, kind, namespace, "get", a.log)
 	ok, err := canI.RunAccessCheck()
 	if err != nil {
 		return false, err
diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go
index 427faa33e9..460842ea98 100644
--- a/pkg/policy/generate/validate.go
+++ b/pkg/policy/generate/validate.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
@@ -18,13 +18,16 @@ type Generate struct {
 	rule kyverno.Generation
 	// authCheck to check access for operations
 	authCheck Operations
+	//logger
+	log logr.Logger
 }
 
 //NewGenerateFactory returns a new instance of Generate validation checker
-func NewGenerateFactory(client *dclient.Client, rule kyverno.Generation) *Generate {
+func NewGenerateFactory(client *dclient.Client, rule kyverno.Generation, log logr.Logger) *Generate {
 	g := Generate{
 		rule:      rule,
-		authCheck: NewAuth(client),
+		authCheck: NewAuth(client, log),
+		log:       log,
 	}
 
 	return &g
@@ -92,7 +95,7 @@ func (g *Generate) validateClone(c kyverno.CloneFrom, kind string) (string, erro
 			return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
 		}
 	} else {
-		glog.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
+		g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
 	}
 	return "", nil
 }
@@ -141,7 +144,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error {
 		}
 
 	} else {
-		glog.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
+		g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
 	}
 
 	return nil
diff --git a/pkg/policy/namespacedpv.go b/pkg/policy/namespacedpv.go
index 654343d7df..828ae7806f 100644
--- a/pkg/policy/namespacedpv.go
+++ b/pkg/policy/namespacedpv.go
@@ -7,6 +7,7 @@ import (
 )
 
 func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
+	logger := pc.log
 	pv := obj.(*kyverno.PolicyViolation)
 
 	if pv.DeletionTimestamp != nil {
@@ -20,14 +21,15 @@ func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
 	ps := pc.getPolicyForNamespacedPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("PolicyViolation %s does not belong to an active policy, will be cleanedup", pv.Name)
+		logger.V(4).Info("namepaced policy violation does not belong to any active policy, will be cleanedup", "namespacePolicyViolation", pv.Name)
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil {
-			glog.Errorf("Failed to deleted policy violation %s: %v", pv.Name, err)
+			logger.Error(err, "failed to delete namespaced policy violation", "namespacedPolicyViolation", pv.Name)
 			return
 		}
-		glog.V(4).Infof("PolicyViolation %s deleted", pv.Name)
+		logger.V(4).Info("resource delete", "namespacePOlicyViolation", pv.Name)
 		return
 	}
+
 	glog.V(4).Infof("Orphan Policy Violation %s added.", pv.Name)
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
diff --git a/pkg/policy/report.go b/pkg/policy/report.go
index 206a6ebd61..3eb7502125 100644
--- a/pkg/policy/report.go
+++ b/pkg/policy/report.go
@@ -13,11 +13,12 @@ import (
 // - has violation -> report
 // - no violation -> cleanup policy violations
 func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineResponse) {
+	logger := pc.log
 	// generate Events
 	eventInfos := generateEvents(engineResponses)
 	pc.eventGen.Add(eventInfos...)
 	// create policy violation
-	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
+	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
 	pc.pvGenerator.Add(pvInfos...)
 	// cleanup existing violations if any
 	// if there is any error in clean up, we dont re-queue the resource
@@ -25,19 +26,6 @@ func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineRe
 	pc.cleanUp(engineResponses)
 }
 
-func (pc *PolicyController) cleanUp(ers []response.EngineResponse) {
-	for _, er := range ers {
-		if !er.IsSuccesful() {
-			continue
-		}
-		if len(er.PolicyResponse.Rules) == 0 {
-			continue
-		}
-		// clean up after the policy has been corrected
-		pc.cleanUpPolicyViolation(er.PolicyResponse)
-	}
-}
-
 func generateEvents(ers []response.EngineResponse) []event.Info {
 	var eventInfos []event.Info
 	for _, er := range ers {
diff --git a/pkg/policystore/policystore.go b/pkg/policystore/policystore.go
index 3d23b106e4..633007d5ca 100644
--- a/pkg/policystore/policystore.go
+++ b/pkg/policystore/policystore.go
@@ -3,12 +3,11 @@ package policystore
 import (
 	"sync"
 
-	"k8s.io/apimachinery/pkg/labels"
-
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 
@@ -24,6 +23,7 @@ type PolicyStore struct {
 	pLister kyvernolister.ClusterPolicyLister
 	// returns true if the cluster policy store has been synced at least once
 	pSynched cache.InformerSynced
+	log      logr.Logger
 }
 
 //UpdateInterface provides api to update policies
@@ -40,25 +40,29 @@ type LookupInterface interface {
 }
 
 // NewPolicyStore returns a new policy store
-func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer) *PolicyStore {
+func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer,
+	log logr.Logger) *PolicyStore {
 	ps := PolicyStore{
 		data:     make(kindMap),
 		pLister:  pInformer.Lister(),
 		pSynched: pInformer.Informer().HasSynced,
+		log:      log,
 	}
 	return &ps
 }
 
 //Run checks syncing
 func (ps *PolicyStore) Run(stopCh <-chan struct{}) {
+	logger := ps.log
 	if !cache.WaitForCacheSync(stopCh, ps.pSynched) {
-		glog.Error("policy meta store: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 	}
 }
 
 //Register a new policy
 func (ps *PolicyStore) Register(policy kyverno.ClusterPolicy) {
-	glog.V(4).Infof("adding resources %s", policy.Name)
+	logger := ps.log
+	logger.V(4).Info("adding policy", "name", policy.Name)
 	ps.mu.Lock()
 	defer ps.mu.Unlock()
 	var pmap policyMap
diff --git a/pkg/policyviolation/builder.go b/pkg/policyviolation/builder.go
index 1de366eb66..da556697be 100644
--- a/pkg/policyviolation/builder.go
+++ b/pkg/policyviolation/builder.go
@@ -3,24 +3,23 @@ package policyviolation
 import (
 	"fmt"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 )
 
 //GeneratePVsFromEngineResponse generate Violations from engine responses
-func GeneratePVsFromEngineResponse(ers []response.EngineResponse) (pvInfos []Info) {
+func GeneratePVsFromEngineResponse(ers []response.EngineResponse, log logr.Logger) (pvInfos []Info) {
 	for _, er := range ers {
 		// ignore creation of PV for resources that are yet to be assigned a name
 		if er.PolicyResponse.Resource.Name == "" {
-			glog.V(4).Infof("resource %v, has not been assigned a name, not creating a policy violation for it", er.PolicyResponse.Resource)
+			log.V(4).Info("resource does no have a name assigned yet, not creating a policy violation", "resource", er.PolicyResponse.Resource)
 			continue
 		}
 		// skip when response succeed
 		if er.IsSuccesful() {
 			continue
 		}
-		glog.V(4).Infof("Building policy violation for engine response %v", er)
 		// build policy violation info
 		pvInfos = append(pvInfos, buildPVInfo(er))
 	}
diff --git a/pkg/policyviolation/builder_test.go b/pkg/policyviolation/builder_test.go
index bd3f8c97f0..2498b7b5f2 100644
--- a/pkg/policyviolation/builder_test.go
+++ b/pkg/policyviolation/builder_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/nirmata/kyverno/pkg/engine/response"
+	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
 )
 
@@ -52,6 +53,6 @@ func Test_GeneratePVsFromEngineResponse_PathNotExist(t *testing.T) {
 		},
 	}
 
-	pvInfos := GeneratePVsFromEngineResponse(ers)
+	pvInfos := GeneratePVsFromEngineResponse(ers, log.Log)
 	assert.Assert(t, len(pvInfos) == 1)
 }
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index 7d820f980b..94099fefaf 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -8,7 +8,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
@@ -40,6 +40,7 @@ type Generator struct {
 	nspvSynced cache.InformerSynced
 	queue      workqueue.RateLimitingInterface
 	dataStore  *dataStore
+	log        logr.Logger
 }
 
 //NewDataStore returns an instance of data store
@@ -103,7 +104,8 @@ type GeneratorInterface interface {
 func NewPVGenerator(client *kyvernoclient.Clientset,
 	dclient *dclient.Client,
 	pvInformer kyvernoinformer.ClusterPolicyViolationInformer,
-	nspvInformer kyvernoinformer.PolicyViolationInformer) *Generator {
+	nspvInformer kyvernoinformer.PolicyViolationInformer,
+	log logr.Logger) *Generator {
 	gen := Generator{
 		kyvernoInterface: client.KyvernoV1(),
 		dclient:          dclient,
@@ -113,6 +115,7 @@ func NewPVGenerator(client *kyvernoclient.Clientset,
 		nspvSynced:       nspvInformer.Informer().HasSynced,
 		queue:            workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), workQueueName),
 		dataStore:        newDataStore(),
+		log:              log,
 	}
 	return &gen
 }
@@ -130,18 +133,18 @@ func (gen *Generator) enqueue(info Info) {
 func (gen *Generator) Add(infos ...Info) {
 	for _, info := range infos {
 		gen.enqueue(info)
-		glog.V(3).Infof("Added policy violation: %s", info.toKey())
 	}
 }
 
 // Run starts the workers
 func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
+	logger := gen.log
 	defer utilruntime.HandleCrash()
-	glog.Info("Start policy violation generator")
-	defer glog.Info("Shutting down policy violation generator")
+	logger.Info("start")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, gen.pvSynced, gen.nspvSynced) {
-		glog.Error("policy violation generator: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 	}
 
 	for i := 0; i < workers; i++ {
@@ -156,6 +159,7 @@ func (gen *Generator) runWorker() {
 }
 
 func (gen *Generator) handleErr(err error, key interface{}) {
+	logger := gen.log
 	if err == nil {
 		gen.queue.Forget(key)
 		return
@@ -163,23 +167,22 @@ func (gen *Generator) handleErr(err error, key interface{}) {
 
 	// retires requests if there is error
 	if gen.queue.NumRequeues(key) < workQueueRetryLimit {
-		glog.V(4).Infof("Error syncing policy violation %v: %v", key, err)
+		logger.Error(err, "failed to sync policy violation", "key", key)
 		// Re-enqueue the key rate limited. Based on the rate limiter on the
 		// queue and the re-enqueue history, the key will be processed later again.
 		gen.queue.AddRateLimited(key)
 		return
 	}
 	gen.queue.Forget(key)
-	glog.Error(err)
 	// remove from data store
 	if keyHash, ok := key.(string); ok {
 		gen.dataStore.delete(keyHash)
 	}
-
-	glog.Warningf("Dropping the key out of the queue: %v", err)
+	logger.Error(err, "dropping key out of the queue", "key", key)
 }
 
 func (gen *Generator) processNextWorkitem() bool {
+	logger := gen.log
 	obj, shutdown := gen.queue.Get()
 	if shutdown {
 		return false
@@ -191,7 +194,7 @@ func (gen *Generator) processNextWorkitem() bool {
 		var ok bool
 		if keyHash, ok = obj.(string); !ok {
 			gen.queue.Forget(obj)
-			glog.Warningf("Expecting type string but got %v\n", obj)
+			logger.Info("incorrect type; expecting type 'string'", "obj", obj)
 			return nil
 		}
 		// lookup data store
@@ -199,7 +202,7 @@ func (gen *Generator) processNextWorkitem() bool {
 		if reflect.DeepEqual(info, Info{}) {
 			// empty key
 			gen.queue.Forget(obj)
-			glog.Warningf("Got empty key %v\n", obj)
+			logger.Info("empty key")
 			return nil
 		}
 		err := gen.syncHandler(info)
@@ -207,14 +210,14 @@ func (gen *Generator) processNextWorkitem() bool {
 		return nil
 	}(obj)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to process item")
 		return true
 	}
 	return true
 }
 
 func (gen *Generator) syncHandler(info Info) error {
-	glog.V(4).Infof("received info:%v", info)
+	logger := gen.log
 	var handler pvGenerator
 	builder := newPvBuilder()
 	if info.Resource.GetNamespace() == "" {
@@ -229,12 +232,12 @@ func (gen *Generator) syncHandler(info Info) error {
 	pv := builder.generate(info)
 
 	// Create Policy Violations
-	glog.V(3).Infof("Creating policy violation: %s", info.toKey())
+	logger.V(4).Info("creating policy violation", "key", info.toKey())
 	if err := handler.create(pv); err != nil {
 		failure = true
-		glog.V(3).Infof("Failed to create policy violation: %v", err)
+		logger.Error(err, "failed to create policy violation")
 	} else {
-		glog.V(3).Infof("Policy violation created: %s", info.toKey())
+		logger.Info("created policy violation", "key", info.toKey())
 	}
 
 	if failure {
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
index c6c41f4be0..5fe0602e71 100644
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@@ -3,8 +3,7 @@ package utils
 import (
 	"reflect"
 
-	"github.com/golang/glog"
-
+	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
@@ -59,14 +58,15 @@ func Btoi(b bool) int {
 }
 
 //CRDInstalled to check if the CRD is installed or not
-func CRDInstalled(discovery client.IDiscovery) bool {
+func CRDInstalled(discovery client.IDiscovery, log logr.Logger) bool {
+	logger := log.WithName("CRDInstalled")
 	check := func(kind string) bool {
 		gvr := discovery.GetGVRFromKind(kind)
 		if reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) {
-			glog.Errorf("%s CRD not installed", kind)
+			logger.Info("CRD not installed", "kind", kind)
 			return false
 		}
-		glog.Infof("CRD %s found ", kind)
+		logger.Info("CRD found", "kind", kind)
 		return true
 	}
 	if !check("ClusterPolicy") || !check("ClusterPolicyViolation") || !check("PolicyViolation") {
@@ -77,11 +77,12 @@ func CRDInstalled(discovery client.IDiscovery) bool {
 
 //CleanupOldCrd deletes any existing NamespacedPolicyViolation resources in cluster
 // If resource violates policy, new Violations will be generated
-func CleanupOldCrd(client *dclient.Client) {
+func CleanupOldCrd(client *dclient.Client, log logr.Logger) {
+	logger := log.WithName("CleanupOldCrd")
 	gvr := client.DiscoveryClient.GetGVRFromKind("NamespacedPolicyViolation")
 	if !reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) {
 		if err := client.DeleteResource("CustomResourceDefinition", "", "namespacedpolicyviolations.kyverno.io", false); err != nil {
-			glog.Infof("Failed to remove previous CRD namespacedpolicyviolations: %v", err)
+			logger.Error(err, "Failed to remove prevous CRD", "kind", "namespacedpolicyviolation")
 		}
 	}
 }
diff --git a/pkg/version/version.go b/pkg/version/version.go
index ef768a35bf..8d9303d204 100644
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -1,7 +1,7 @@
 package version
 
 import (
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 )
 
 // These fields are set during an official build
@@ -13,8 +13,8 @@ var (
 )
 
 //PrintVersionInfo displays the kyverno version - git version
-func PrintVersionInfo() {
-	glog.Infof("Kyverno version: %s\n", BuildVersion)
-	glog.Infof("Kyverno BuildHash: %s\n", BuildHash)
-	glog.Infof("Kyverno BuildTime: %s\n", BuildTime)
+func PrintVersionInfo(log logr.Logger) {
+	log.Info("Kyverno", "Version", BuildVersion)
+	log.Info("Kyverno", "BuildHash", BuildHash)
+	log.Info("Kyverno", "BuildTime", BuildTime)
 }
diff --git a/pkg/webhookconfig/checker.go b/pkg/webhookconfig/checker.go
index ee85f36c35..e1923a507c 100644
--- a/pkg/webhookconfig/checker.go
+++ b/pkg/webhookconfig/checker.go
@@ -19,8 +19,8 @@ func (wrc *WebhookRegistrationClient) constructVerifyMutatingWebhookConfig(caDat
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateMutatingWebhook(
 				config.VerifyMutatingWebhookName,
 				config.VerifyMutatingWebhookServicePath,
 				caData,
@@ -42,8 +42,8 @@ func (wrc *WebhookRegistrationClient) constructDebugVerifyMutatingWebhookConfig(
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.VerifyMutatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateDebugMutatingWebhook(
 				config.VerifyMutatingWebhookName,
 				url,
 				caData,
diff --git a/pkg/webhookconfig/common.go b/pkg/webhookconfig/common.go
index d73fcafb13..69ccaca885 100644
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
@@ -61,10 +61,43 @@ func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
 	}
 }
 
-func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+// func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+// 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
+// 	failurePolicy := admregapi.Ignore
+// 	return admregapi.Webhook{
+// 		Name: name,
+// 		ClientConfig: admregapi.WebhookClientConfig{
+// 			URL:      &url,
+// 			CABundle: caData,
+// 		},
+// 		SideEffects: &sideEffect,
+// 		Rules: []admregapi.RuleWithOperations{
+// 			admregapi.RuleWithOperations{
+// 				Operations: operationTypes,
+// 				Rule: admregapi.Rule{
+// 					APIGroups: []string{
+// 						apiGroups,
+// 					},
+// 					APIVersions: []string{
+// 						apiVersions,
+// 					},
+// 					Resources: []string{
+// 						resource,
+// 					},
+// 				},
+// 			},
+// 		},
+// 		AdmissionReviewVersions: []string{"v1beta1"},
+// 		TimeoutSeconds:          &timeoutSeconds,
+// 		FailurePolicy:           &failurePolicy,
+// 	}
+// }
+
+// debug mutating webhook
+func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook {
 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
 	failurePolicy := admregapi.Ignore
-	return admregapi.Webhook{
+	return admregapi.MutatingWebhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
 			URL:      &url,
@@ -93,10 +126,116 @@ func generateDebugWebhook(name, url string, caData []byte, validate bool, timeou
 	}
 }
 
-func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+func generateDebugValidatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook {
 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
 	failurePolicy := admregapi.Ignore
-	return admregapi.Webhook{
+	return admregapi.ValidatingWebhook{
+		Name: name,
+		ClientConfig: admregapi.WebhookClientConfig{
+			URL:      &url,
+			CABundle: caData,
+		},
+		SideEffects: &sideEffect,
+		Rules: []admregapi.RuleWithOperations{
+			admregapi.RuleWithOperations{
+				Operations: operationTypes,
+				Rule: admregapi.Rule{
+					APIGroups: []string{
+						apiGroups,
+					},
+					APIVersions: []string{
+						apiVersions,
+					},
+					Resources: []string{
+						resource,
+					},
+				},
+			},
+		},
+		AdmissionReviewVersions: []string{"v1beta1"},
+		TimeoutSeconds:          &timeoutSeconds,
+		FailurePolicy:           &failurePolicy,
+	}
+}
+
+// func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+// 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
+// 	failurePolicy := admregapi.Ignore
+// 	return admregapi.Webhook{
+// 		Name: name,
+// 		ClientConfig: admregapi.WebhookClientConfig{
+// 			Service: &admregapi.ServiceReference{
+// 				Namespace: config.KubePolicyNamespace,
+// 				Name:      config.WebhookServiceName,
+// 				Path:      &servicePath,
+// 			},
+// 			CABundle: caData,
+// 		},
+// 		SideEffects: &sideEffect,
+// 		Rules: []admregapi.RuleWithOperations{
+// 			admregapi.RuleWithOperations{
+// 				Operations: operationTypes,
+// 				Rule: admregapi.Rule{
+// 					APIGroups: []string{
+// 						apiGroups,
+// 					},
+// 					APIVersions: []string{
+// 						apiVersions,
+// 					},
+// 					Resources: []string{
+// 						resource,
+// 					},
+// 				},
+// 			},
+// 		},
+// 		AdmissionReviewVersions: []string{"v1beta1"},
+// 		TimeoutSeconds:          &timeoutSeconds,
+// 		FailurePolicy:           &failurePolicy,
+// 	}
+// }
+
+// mutating webhook
+func generateMutatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook {
+	sideEffect := admregapi.SideEffectClassNoneOnDryRun
+	failurePolicy := admregapi.Ignore
+	return admregapi.MutatingWebhook{
+		Name: name,
+		ClientConfig: admregapi.WebhookClientConfig{
+			Service: &admregapi.ServiceReference{
+				Namespace: config.KubePolicyNamespace,
+				Name:      config.WebhookServiceName,
+				Path:      &servicePath,
+			},
+			CABundle: caData,
+		},
+		SideEffects: &sideEffect,
+		Rules: []admregapi.RuleWithOperations{
+			admregapi.RuleWithOperations{
+				Operations: operationTypes,
+				Rule: admregapi.Rule{
+					APIGroups: []string{
+						apiGroups,
+					},
+					APIVersions: []string{
+						apiVersions,
+					},
+					Resources: []string{
+						resource,
+					},
+				},
+			},
+		},
+		AdmissionReviewVersions: []string{"v1beta1"},
+		TimeoutSeconds:          &timeoutSeconds,
+		FailurePolicy:           &failurePolicy,
+	}
+}
+
+// validating webhook
+func generateValidatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook {
+	sideEffect := admregapi.SideEffectClassNoneOnDryRun
+	failurePolicy := admregapi.Ignore
+	return admregapi.ValidatingWebhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
 			Service: &admregapi.ServiceReference{
diff --git a/pkg/webhookconfig/policy.go b/pkg/webhookconfig/policy.go
index d1798a54e5..1a518596a7 100644
--- a/pkg/webhookconfig/policy.go
+++ b/pkg/webhookconfig/policy.go
@@ -18,8 +18,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig(caDa
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.ValidatingWebhook{
+			generateValidatingWebhook(
 				config.PolicyValidatingWebhookName,
 				config.PolicyValidatingWebhookServicePath,
 				caData,
@@ -42,8 +42,8 @@ func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.PolicyValidatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.ValidatingWebhook{
+			generateDebugValidatingWebhook(
 				config.PolicyValidatingWebhookName,
 				url,
 				caData,
@@ -66,8 +66,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyMutatingWebhookConfig(caData
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateMutatingWebhook(
 				config.PolicyMutatingWebhookName,
 				config.PolicyMutatingWebhookServicePath,
 				caData,
@@ -89,8 +89,8 @@ func (wrc *WebhookRegistrationClient) contructDebugPolicyMutatingWebhookConfig(c
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.PolicyMutatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateDebugMutatingWebhook(
 				config.PolicyMutatingWebhookName,
 				url,
 				caData,
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index 8db0cba73c..9edf71d1e0 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -2,9 +2,11 @@ package webhookconfig
 
 import (
 	"errors"
+	"fmt"
 	"sync"
 	"time"
 
+	"github.com/go-logr/logr"
 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
@@ -27,6 +29,7 @@ type WebhookRegistrationClient struct {
 	// serverIP should be used if running Kyverno out of clutser
 	serverIP       string
 	timeoutSeconds int32
+	log            logr.Logger
 }
 
 // NewWebhookRegistrationClient creates new WebhookRegistrationClient instance
@@ -34,19 +37,22 @@ func NewWebhookRegistrationClient(
 	clientConfig *rest.Config,
 	client *client.Client,
 	serverIP string,
-	webhookTimeout int32) *WebhookRegistrationClient {
+	webhookTimeout int32,
+	log logr.Logger) *WebhookRegistrationClient {
 	return &WebhookRegistrationClient{
 		clientConfig:   clientConfig,
 		client:         client,
 		serverIP:       serverIP,
 		timeoutSeconds: webhookTimeout,
+		log:            log.WithName("WebhookRegistrationClient"),
 	}
 }
 
 // Register creates admission webhooks configs on cluster
 func (wrc *WebhookRegistrationClient) Register() error {
+	logger := wrc.log.WithName("Register")
 	if wrc.serverIP != "" {
-		glog.Infof("Registering webhook with url https://%s\n", wrc.serverIP)
+		logger.Info("Registering webhook", "url", fmt.Sprintf("https://%s", wrc.serverIP))
 	}
 
 	// For the case if cluster already has this configs
@@ -88,6 +94,7 @@ func (wrc *WebhookRegistrationClient) RemoveWebhookConfigurations(cleanUp chan<-
 // used to forward request to kyverno webhooks to apply policeis
 // Mutationg webhook is be used for Mutating purpose
 func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration() error {
+	logger := wrc.log
 	var caData []byte
 	var config *admregapi.MutatingWebhookConfiguration
 
@@ -108,16 +115,17 @@ func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration
 	}
 	_, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
-		glog.V(4).Infof("resource mutating webhook configuration %s, already exists. not creating one", config.Name)
+		logger.V(4).Info("resource mutating webhook configuration already exists. not creating one", "name", config.Name)
 		return nil
 	}
 	if err != nil {
-		glog.V(4).Infof("failed to create resource mutating webhook configuration %s: %v", config.Name, err)
+		logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name)
 		return err
 	}
 	return nil
 }
 
+//CreateResourceValidatingWebhookConfiguration ...
 func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfiguration() error {
 	var caData []byte
 	var config *admregapi.ValidatingWebhookConfiguration
@@ -134,14 +142,15 @@ func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfigurati
 		// clientConfig - service
 		config = wrc.constructValidatingWebhookConfig(caData)
 	}
+	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", config.Name)
 
 	_, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
-		glog.V(4).Infof("resource validating webhook configuration %s, already exists. not creating one", config.Name)
+		logger.V(4).Info("resource already exists. not create one")
 		return nil
 	}
 	if err != nil {
-		glog.V(4).Infof("failed to create resource validating webhook configuration %s: %v", config.Name, err)
+		logger.Error(err, "failed to create resource")
 		return err
 	}
 	return nil
@@ -168,13 +177,13 @@ func (wrc *WebhookRegistrationClient) createPolicyValidatingWebhookConfiguration
 		// clientConfig - service
 		config = wrc.contructPolicyValidatingWebhookConfig(caData)
 	}
+	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", config.Name)
 
 	// create validating webhook configuration resource
 	if _, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false); err != nil {
 		return err
 	}
-
-	glog.V(4).Infof("created Validating Webhook Configuration %s ", config.Name)
+	logger.V(4).Info("created resource")
 	return nil
 }
 
diff --git a/pkg/webhookconfig/resource.go b/pkg/webhookconfig/resource.go
index 090c33636a..050517da0a 100644
--- a/pkg/webhookconfig/resource.go
+++ b/pkg/webhookconfig/resource.go
@@ -3,7 +3,6 @@ package webhookconfig
 import (
 	"fmt"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -11,15 +10,15 @@ import (
 )
 
 func (wrc *WebhookRegistrationClient) constructDebugMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.MutatingWebhookServicePath)
-	glog.V(4).Infof("Debug MutatingWebhookConfig is registered with url %s\n", url)
-
+	logger.V(4).Info("Debug MutatingWebhookConfig registed", "url", url)
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.MutatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateDebugMutatingWebhook(
 				config.MutatingWebhookName,
 				url,
 				caData,
@@ -42,8 +41,8 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(caData []by
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateMutatingWebhook(
 				config.MutatingWebhookName,
 				config.MutatingWebhookServicePath,
 				caData,
@@ -68,32 +67,31 @@ func (wrc *WebhookRegistrationClient) GetResourceMutatingWebhookConfigName() str
 
 //RemoveResourceMutatingWebhookConfiguration removes mutating webhook configuration for all resources
 func (wrc *WebhookRegistrationClient) RemoveResourceMutatingWebhookConfiguration() error {
-
 	configName := wrc.GetResourceMutatingWebhookConfigName()
+	logger := wrc.log.WithValues("kind", MutatingWebhookConfigurationKind, "name", configName)
 	// delete webhook configuration
 	err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", configName, false)
 	if errors.IsNotFound(err) {
-		glog.V(4).Infof("resource webhook configuration %s does not exits, so not deleting", configName)
+		logger.Error(err, "resource does not exit")
 		return nil
 	}
 	if err != nil {
-		glog.V(4).Infof("failed to delete resource webhook configuration %s: %v", configName, err)
+		logger.V(4).Info("failed to delete resource")
 		return err
 	}
-	glog.V(4).Infof("deleted resource webhook configuration %s", configName)
+	logger.V(4).Info("deleted resource")
 	return nil
 }
 
 func (wrc *WebhookRegistrationClient) constructDebugValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.ValidatingWebhookServicePath)
-	glog.V(4).Infof("Debug ValidatingWebhookConfig is registered with url %s\n", url)
 
 	return &admregapi.ValidatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.ValidatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.ValidatingWebhook{
+			generateDebugValidatingWebhook(
 				config.ValidatingWebhookName,
 				url,
 				caData,
@@ -116,8 +114,8 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(caData []
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.ValidatingWebhook{
+			generateValidatingWebhook(
 				config.ValidatingWebhookName,
 				config.ValidatingWebhookServicePath,
 				caData,
@@ -141,15 +139,16 @@ func (wrc *WebhookRegistrationClient) GetResourceValidatingWebhookConfigName() s
 
 func (wrc *WebhookRegistrationClient) RemoveResourceValidatingWebhookConfiguration() error {
 	configName := wrc.GetResourceValidatingWebhookConfigName()
+	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", configName)
 	err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", configName, false)
 	if errors.IsNotFound(err) {
-		glog.V(4).Infof("resource webhook configuration %s does not exits, so not deleting", configName)
+		logger.Error(err, "resource does not exist; deleted already")
 		return nil
 	}
 	if err != nil {
-		glog.V(4).Infof("failed to delete resource webhook configuration %s: %v", configName, err)
+		logger.Error(err, "failed to delete the resource")
 		return err
 	}
-	glog.V(4).Infof("deleted resource webhook configuration %s", configName)
+	logger.Info("resource deleted")
 	return nil
 }
diff --git a/pkg/webhookconfig/rwebhookregister.go b/pkg/webhookconfig/rwebhookregister.go
index aacdc72b9f..a312e07277 100644
--- a/pkg/webhookconfig/rwebhookregister.go
+++ b/pkg/webhookconfig/rwebhookregister.go
@@ -3,7 +3,7 @@ package webhookconfig
 import (
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	checker "github.com/nirmata/kyverno/pkg/checker"
 	"github.com/tevino/abool"
 	mconfiginformer "k8s.io/client-go/informers/admissionregistration/v1beta1"
@@ -23,6 +23,7 @@ type ResourceWebhookRegister struct {
 	vWebhookConfigLister           mconfiglister.ValidatingWebhookConfigurationLister
 	webhookRegistrationClient      *WebhookRegistrationClient
 	RunValidationInMutatingWebhook string
+	log                            logr.Logger
 }
 
 // NewResourceWebhookRegister returns a new instance of ResourceWebhookRegister manager
@@ -32,6 +33,7 @@ func NewResourceWebhookRegister(
 	vconfigwebhookinformer mconfiginformer.ValidatingWebhookConfigurationInformer,
 	webhookRegistrationClient *WebhookRegistrationClient,
 	runValidationInMutatingWebhook string,
+	log logr.Logger,
 ) *ResourceWebhookRegister {
 	return &ResourceWebhookRegister{
 		pendingCreation:                abool.New(),
@@ -42,52 +44,54 @@ func NewResourceWebhookRegister(
 		vWebhookConfigLister:           vconfigwebhookinformer.Lister(),
 		webhookRegistrationClient:      webhookRegistrationClient,
 		RunValidationInMutatingWebhook: runValidationInMutatingWebhook,
+		log:                            log,
 	}
 }
 
 //RegisterResourceWebhook registers a resource webhook
 func (rww *ResourceWebhookRegister) RegisterResourceWebhook() {
+	logger := rww.log
 	// drop the request if creation is in processing
 	if rww.pendingCreation.IsSet() {
-		glog.V(3).Info("resource webhook configuration is in pending creation, skip the request")
+		logger.V(3).Info("resource webhook configuration is in pending creation, skip the request")
 		return
 	}
 
 	timeDiff := time.Since(rww.LastReqTime.Time())
 	if timeDiff < checker.DefaultDeadline {
-		glog.V(3).Info("Verified webhook status, creating webhook configuration")
+		logger.V(3).Info("verified webhook status, creating webhook configuration")
 		go func() {
 			mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
 			mutatingConfig, _ := rww.mWebhookConfigLister.Get(mutatingConfigName)
 			if mutatingConfig != nil {
-				glog.V(4).Info("mutating webhoook configuration already exists")
+				logger.V(4).Info("mutating webhoook configuration already exists")
 			} else {
 				rww.pendingCreation.Set()
 				err1 := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration()
 				rww.pendingCreation.UnSet()
 				if err1 != nil {
-					glog.Errorf("failed to create resource mutating webhook configuration: %v, re-queue creation request", err1)
+					logger.Error(err1, "failed to create resource mutating webhook configuration, re-queue creation request")
 					rww.RegisterResourceWebhook()
 					return
 				}
-				glog.V(3).Info("Successfully created mutating webhook configuration for resources")
+				logger.V(3).Info("successfully created mutating webhook configuration for resources")
 			}
 
 			if rww.RunValidationInMutatingWebhook != "true" {
 				validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName()
 				validatingConfig, _ := rww.vWebhookConfigLister.Get(validatingConfigName)
 				if validatingConfig != nil {
-					glog.V(4).Info("validating webhoook configuration already exists")
+					logger.V(4).Info("validating webhoook configuration already exists")
 				} else {
 					rww.pendingCreation.Set()
 					err2 := rww.webhookRegistrationClient.CreateResourceValidatingWebhookConfiguration()
 					rww.pendingCreation.UnSet()
 					if err2 != nil {
-						glog.Errorf("failed to create resource validating webhook configuration: %v, re-queue creation request", err2)
+						logger.Error(err2, "failed to create resource validating webhook configuration; re-queue creation request")
 						rww.RegisterResourceWebhook()
 						return
 					}
-					glog.V(3).Info("Successfully created validating webhook configuration for resources")
+					logger.V(3).Info("successfully created validating webhook configuration for resources")
 				}
 			}
 		}()
@@ -96,19 +100,20 @@ func (rww *ResourceWebhookRegister) RegisterResourceWebhook() {
 
 //Run starts the ResourceWebhookRegister manager
 func (rww *ResourceWebhookRegister) Run(stopCh <-chan struct{}) {
+	logger := rww.log
 	// wait for cache to populate first time
 	if !cache.WaitForCacheSync(stopCh, rww.mwebhookconfigSynced, rww.vwebhookconfigSynced) {
-		glog.Error("configuration: failed to sync webhook informer cache")
+		logger.Info("configuration: failed to sync webhook informer cache")
 	}
-
 }
 
 // RemoveResourceWebhookConfiguration removes the resource webhook configurations
 func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
+	logger := rww.log
 	mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
 	mutatingConfig, err := rww.mWebhookConfigLister.Get(mutatingConfigName)
 	if err != nil {
-		glog.V(4).Infof("failed to list mutating webhook config: %v", err)
+		logger.Error(err, "failed to list mutating webhook config")
 		return err
 	}
 	if mutatingConfig != nil {
@@ -116,14 +121,14 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
 		if err != nil {
 			return err
 		}
-		glog.V(3).Info("removed mutating resource webhook configuration")
+		logger.V(3).Info("emoved mutating resource webhook configuration")
 	}
 
 	if rww.RunValidationInMutatingWebhook != "true" {
 		validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName()
 		validatingConfig, err := rww.vWebhookConfigLister.Get(validatingConfigName)
 		if err != nil {
-			glog.V(4).Infof("failed to list validating webhook config: %v", err)
+			logger.Error(err, "failed to list validating webhook config")
 			return err
 		}
 		if validatingConfig != nil {
@@ -131,7 +136,7 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
 			if err != nil {
 				return err
 			}
-			glog.V(3).Info("removed validating resource webhook configuration")
+			logger.V(3).Info("removed validating resource webhook configuration")
 		}
 	}
 	return nil
diff --git a/pkg/webhooks/admission_test.go b/pkg/webhooks/admission_test.go
deleted file mode 100644
index d753352a72..0000000000
--- a/pkg/webhooks/admission_test.go
+++ /dev/null
@@ -1 +0,0 @@
-package webhooks_test
diff --git a/pkg/webhooks/annotations.go b/pkg/webhooks/annotations.go
index 34d3e10468..eddded1cde 100644
--- a/pkg/webhooks/annotations.go
+++ b/pkg/webhooks/annotations.go
@@ -7,7 +7,7 @@ import (
 	yamlv2 "gopkg.in/yaml.v2"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -38,7 +38,7 @@ var operationToPastTense = map[string]string{
 	"test":    "tested",
 }
 
-func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte {
+func generateAnnotationPatches(engineResponses []response.EngineResponse, log logr.Logger) []byte {
 	var annotations map[string]string
 
 	for _, er := range engineResponses {
@@ -53,7 +53,7 @@ func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte
 	}
 
 	var patchResponse annresponse
-	value := annotationFromEngineResponses(engineResponses)
+	value := annotationFromEngineResponses(engineResponses, log)
 	if value == nil {
 		// no patches or error while processing patches
 		return nil
@@ -90,21 +90,21 @@ func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte
 	// check the patch
 	_, err := jsonpatch.DecodePatch([]byte("[" + string(patchByte) + "]"))
 	if err != nil {
-		glog.Errorf("Failed to make patch from annotation'%s', err: %v\n ", string(patchByte), err)
+		log.Error(err, "failed o build JSON patch for annotation", "patch", string(patchByte))
 	}
 
 	return patchByte
 }
 
-func annotationFromEngineResponses(engineResponses []response.EngineResponse) []byte {
+func annotationFromEngineResponses(engineResponses []response.EngineResponse, log logr.Logger) []byte {
 	var annotationContent = make(map[string]string)
 	for _, engineResponse := range engineResponses {
 		if !engineResponse.IsSuccesful() {
-			glog.V(3).Infof("Policy %s failed, skip preparing annotation\n", engineResponse.PolicyResponse.Policy)
+			log.V(3).Info("skip building annotation; policy failed to apply", "policy", engineResponse.PolicyResponse.Policy)
 			continue
 		}
 
-		rulePatches := annotationFromPolicyResponse(engineResponse.PolicyResponse)
+		rulePatches := annotationFromPolicyResponse(engineResponse.PolicyResponse, log)
 		if rulePatches == nil {
 			continue
 		}
@@ -126,13 +126,13 @@ func annotationFromEngineResponses(engineResponses []response.EngineResponse) []
 	return result
 }
 
-func annotationFromPolicyResponse(policyResponse response.PolicyResponse) []rulePatch {
+func annotationFromPolicyResponse(policyResponse response.PolicyResponse, log logr.Logger) []rulePatch {
 	var rulePatches []rulePatch
 	for _, ruleInfo := range policyResponse.Rules {
 		for _, patch := range ruleInfo.Patches {
 			var patchmap map[string]interface{}
 			if err := json.Unmarshal(patch, &patchmap); err != nil {
-				glog.Errorf("Failed to parse patch bytes, err: %v\n", err)
+				log.Error(err, "Failed to parse JSON patch bytes")
 				continue
 			}
 
@@ -142,14 +142,12 @@ func annotationFromPolicyResponse(policyResponse response.PolicyResponse) []rule
 				Path:     patchmap["path"].(string)}
 
 			rulePatches = append(rulePatches, rp)
-			glog.V(4).Infof("Annotation value prepared: %v\n", rulePatches)
+			log.V(4).Info("annotation value prepared", "patches", rulePatches)
 		}
 	}
-
 	if len(rulePatches) == 0 {
 		return nil
 	}
-
 	return rulePatches
 }
 
diff --git a/pkg/webhooks/annotations_test.go b/pkg/webhooks/annotations_test.go
index 320e347ea3..dc4c6e6c95 100644
--- a/pkg/webhooks/annotations_test.go
+++ b/pkg/webhooks/annotations_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/nirmata/kyverno/pkg/engine/response"
+	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -42,7 +43,7 @@ func Test_empty_annotation(t *testing.T) {
 	patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }`
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, nil)
 
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 	expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}`
 	assert.Assert(t, string(annPatches) == expectedPatches)
 }
@@ -54,7 +55,7 @@ func Test_exist_annotation(t *testing.T) {
 
 	patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }`
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 
 	expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}`
 	assert.Assert(t, string(annPatches) == expectedPatches)
@@ -67,7 +68,7 @@ func Test_exist_kyverno_annotation(t *testing.T) {
 
 	patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }`
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 
 	expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}`
 	assert.Assert(t, string(annPatches) == expectedPatches)
@@ -79,11 +80,11 @@ func Test_annotation_nil_patch(t *testing.T) {
 	}
 
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, true, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 	assert.Assert(t, annPatches == nil)
 
 	engineResponseNew := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{""}, true, annotation)
-	annPatchesNew := generateAnnotationPatches([]response.EngineResponse{engineResponseNew})
+	annPatchesNew := generateAnnotationPatches([]response.EngineResponse{engineResponseNew}, log.Log)
 	assert.Assert(t, annPatchesNew == nil)
 }
 
@@ -93,7 +94,7 @@ func Test_annotation_failed_Patch(t *testing.T) {
 	}
 
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, false, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 
 	assert.Assert(t, annPatches == nil)
 }
diff --git a/pkg/webhooks/checker.go b/pkg/webhooks/checker.go
index e6ccfc41c9..4a52fa7649 100644
--- a/pkg/webhooks/checker.go
+++ b/pkg/webhooks/checker.go
@@ -1,13 +1,12 @@
 package webhooks
 
 import (
-	"github.com/golang/glog"
 	"k8s.io/api/admission/v1beta1"
 )
 
 func (ws *WebhookServer) handleVerifyRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	glog.V(4).Infof("Receive request in mutating webhook '/verify': Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
+	logger := ws.log.WithValues("action", "verify", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger.V(4).Info("incoming request")
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index a6a2682476..f9c4ab2ccc 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	engineutils "github.com/nirmata/kyverno/pkg/engine/utils"
@@ -25,14 +25,14 @@ func isResponseSuccesful(engineReponses []response.EngineResponse) bool {
 
 // returns true -> if there is even one policy that blocks resource request
 // returns false -> if all the policies are meant to report only, we dont block resource request
-func toBlockResource(engineReponses []response.EngineResponse) bool {
+func toBlockResource(engineReponses []response.EngineResponse, log logr.Logger) bool {
 	for _, er := range engineReponses {
 		if !er.IsSuccesful() && er.PolicyResponse.ValidationFailureAction == Enforce {
-			glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource request ", er.PolicyResponse.Policy)
+			log.Info("spec.ValidationFailureAction set to enforcel blocking resource request", "policy", er.PolicyResponse.Policy)
 			return true
 		}
 	}
-	glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource request, reporting with policy violation")
+	log.V(4).Info("sepc.ValidationFailureAction set to auit for all applicable policies;allowing resource reques; reporting with policy violation ")
 	return false
 }
 
@@ -98,14 +98,14 @@ const (
 	Audit   = "audit"   // dont block the request on failure, but report failiures as policy violations
 )
 
-func processResourceWithPatches(patch []byte, resource []byte) []byte {
+func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) []byte {
 	if patch == nil {
 		return resource
 	}
 
 	resource, err := engineutils.ApplyPatchNew(resource, patch)
 	if err != nil {
-		glog.Errorf("failed to patch resource: %v", err)
+		log.Error(err, "failed to patch resource:")
 		return nil
 	}
 	return resource
diff --git a/pkg/webhooks/generate/generate.go b/pkg/webhooks/generate/generate.go
index f120c9fb5d..3631845541 100644
--- a/pkg/webhooks/generate/generate.go
+++ b/pkg/webhooks/generate/generate.go
@@ -5,7 +5,7 @@ import (
 	"time"
 
 	backoff "github.com/cenkalti/backoff"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -23,37 +23,41 @@ type Generator struct {
 	ch     chan kyverno.GenerateRequestSpec
 	client *kyvernoclient.Clientset
 	stopCh <-chan struct{}
+	log    logr.Logger
 }
 
 //NewGenerator returns a new instance of Generate-Request resource generator
-func NewGenerator(client *kyvernoclient.Clientset, stopCh <-chan struct{}) *Generator {
+func NewGenerator(client *kyvernoclient.Clientset, stopCh <-chan struct{}, log logr.Logger) *Generator {
 	gen := &Generator{
 		ch:     make(chan kyverno.GenerateRequestSpec, 1000),
 		client: client,
 		stopCh: stopCh,
+		log:    log,
 	}
 	return gen
 }
 
 //Create to create generate request resoruce (blocking call if channel is full)
 func (g *Generator) Create(gr kyverno.GenerateRequestSpec) error {
-	glog.V(4).Infof("create GR %v", gr)
+	logger := g.log
+	logger.V(4).Info("creating Generate Request", "request", gr)
 	// Send to channel
 	select {
 	case g.ch <- gr:
 		return nil
 	case <-g.stopCh:
-		glog.Info("shutting down channel")
+		logger.Info("shutting down channel")
 		return fmt.Errorf("shutting down gr create channel")
 	}
 }
 
 // Run starts the generate request spec
 func (g *Generator) Run(workers int) {
+	logger := g.log
 	defer utilruntime.HandleCrash()
-	glog.V(4).Info("Started generate request")
+	logger.V(4).Info("starting")
 	defer func() {
-		glog.V(4).Info("Shutting down generate request")
+		logger.V(4).Info("shutting down")
 	}()
 	for i := 0; i < workers; i++ {
 		go wait.Until(g.process, time.Second, g.stopCh)
@@ -62,17 +66,18 @@ func (g *Generator) Run(workers int) {
 }
 
 func (g *Generator) process() {
+	logger := g.log
 	for r := range g.ch {
-		glog.V(4).Infof("received generate request %v", r)
+		logger.V(4).Info("recieved generate request", "request", r)
 		if err := g.generate(r); err != nil {
-			glog.Errorf("Failed to create Generate Request CR: %v", err)
+			logger.Error(err, "failed to generate request CR")
 		}
 	}
 }
 
 func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec) error {
 	// create a generate request
-	if err := retryCreateResource(g.client, grSpec); err != nil {
+	if err := retryCreateResource(g.client, grSpec, g.log); err != nil {
 		return err
 	}
 	return nil
@@ -81,7 +86,10 @@ func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec) error {
 // -> receiving channel to take requests to create request
 // use worker pattern to read and create the CR resource
 
-func retryCreateResource(client *kyvernoclient.Clientset, grSpec kyverno.GenerateRequestSpec) error {
+func retryCreateResource(client *kyvernoclient.Clientset,
+	grSpec kyverno.GenerateRequestSpec,
+	log logr.Logger,
+) error {
 	var i int
 	var err error
 	createResource := func() error {
@@ -95,7 +103,7 @@ func retryCreateResource(client *kyvernoclient.Clientset, grSpec kyverno.Generat
 		// gr.Status.State = kyverno.Pending
 		// generate requests created in kyverno namespace
 		_, err = client.KyvernoV1().GenerateRequests("kyverno").Create(&gr)
-		glog.V(4).Infof("retry %v create generate request", i)
+		log.V(4).Info("retrying create generate request CR", "retryCount", i, "name", gr.GetGenerateName(), "namespace", gr.GetNamespace())
 		i++
 		return err
 	}
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 2dddf71e1c..6f005a504e 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -1,7 +1,6 @@
 package webhooks
 
 import (
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -13,19 +12,19 @@ import (
 
 //HandleGenerate handles admission-requests for policies with generate rules
 func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
+	logger := ws.log.WithValues("action", "generation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger.V(4).Info("incoming request")
 	var engineResponses []response.EngineResponse
 
 	// convert RAW to unstructured
 	resource, err := utils.ConvertToUnstructured(request.Object.Raw)
 	if err != nil {
 		//TODO: skip applying the admission control ?
-		glog.Errorf("unable to convert raw resource to unstructured: %v", err)
+		logger.Error(err, "failed to convert RAR resource to unstructured format")
 		return true, ""
 	}
 
 	// CREATE resources, do not have name, assigned in admission-request
-	glog.V(4).Infof("Handle Generate: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-		resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)
 
 	userRequestInfo := kyverno.RequestInfo{
 		Roles:             roles,
@@ -36,16 +35,16 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
-		glog.Infof("Failed to load resource in context:%v", err)
+		logger.Error(err, "failed to load incoming resource in context")
 	}
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
-		glog.Infof("Failed to load userInfo in context:%v", err)
+		logger.Error(err, "failed to load userInfo in context")
 	}
 	// load service account in context
 	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		glog.Infof("Failed to load service account in context:%v", err)
+		logger.Error(err, "failed to load service account in context")
 	}
 
 	policyContext := engine.PolicyContext{
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 650fce8374..b7028bfcb2 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -1,9 +1,6 @@
 package webhooks
 
 import (
-	"time"
-
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -19,8 +16,8 @@ import (
 // HandleMutation handles mutating webhook admission request
 // return value: generated patches
 func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte {
-	glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
+	logger := ws.log.WithValues("action", "mutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger.V(4).Info("incoming request")
 
 	var patches [][]byte
 	var policyStats []policyctr.PolicyStat
@@ -70,16 +67,16 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
-		glog.Infof("Failed to load resource in context:%v", err)
+		logger.Error(err, "failed to load incoming resource in context")
 	}
 
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
-		glog.Infof("Failed to load userInfo in context:%v", err)
+		logger.Error(err, "failed to load userInfo in context")
 	}
 	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		glog.Infof("Failed to load service account in context:%v", err)
+		logger.Error(err, "failed to load service account in context")
 	}
 
 	policyContext := engine.PolicyContext{
@@ -89,8 +86,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	}
 
 	for _, policy := range policies {
-		glog.V(2).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-			resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)
+		logger.V(2).Info("evaluating policy", "policy", policy.Name)
 
 		policyContext.Policy = policy
 		engineResponse := engine.Mutate(policyContext)
@@ -98,27 +94,24 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 		// Gather policy application statistics
 		gatherStat(policy.Name, engineResponse.PolicyResponse)
 		if !engineResponse.IsSuccesful() {
-			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
+			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
 			continue
 		}
 		// gather patches
 		patches = append(patches, engineResponse.GetPatches()...)
-		glog.V(4).Infof("Mutation from policy %s has applied successfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())
+		logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name)
 
 		policyContext.NewResource = engineResponse.PatchedResource
 	}
 
 	// generate annotations
-	if annPatches := generateAnnotationPatches(engineResponses); annPatches != nil {
+	if annPatches := generateAnnotationPatches(engineResponses, logger); annPatches != nil {
 		patches = append(patches, annPatches)
 	}
 
-	// report time
-	reportTime := time.Now()
-
 	// AUDIT
 	// generate violation when response fails
-	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
+	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
 	ws.pvGenerator.Add(pvInfos...)
 	// REPORTING EVENTS
 	// Scenario 1:
@@ -128,7 +121,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	//   all policies were applied succesfully.
 	//   create an event on the resource
 	// ADD EVENTS
-	events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update))
+	events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update), logger)
 	ws.eventGen.Add(events...)
 
 	sendStat(false)
@@ -136,19 +129,15 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	// debug info
 	func() {
 		if len(patches) != 0 {
-			glog.V(4).Infof("Patches generated for %s/%s/%s, operation=%v:\n %v",
-				resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.Operation, string(engineutils.JoinPatches(patches)))
+			logger.V(4).Info("JSON patches generated")
 		}
 
 		// if any of the policies fails, print out the error
 		if !isResponseSuccesful(engineResponses) {
-			glog.Errorf("Failed to mutate the resource, report as violation: %s\n", getErrorMsg(engineResponses))
+			logger.Info("failed to apply mutation rules on the resource, reporting policy violation", "errors", getErrorMsg(engineResponses))
 		}
 	}()
 
-	// report time end
-	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), resource.GetKind(), resource.GetNamespace(), resource.GetName())
-
 	// patches holds all the successful patches, if no patch is created, it returns nil
 	return engineutils.JoinPatches(patches)
 }
diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index 8081528edd..dea2f87fff 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -8,7 +8,7 @@ import (
 	"strings"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/utils"
@@ -17,12 +17,13 @@ import (
 )
 
 func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	logger := ws.log.WithValues("action", "policymutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	var policy *kyverno.ClusterPolicy
 	raw := request.Object.Raw
 
 	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
 	if err := json.Unmarshal(raw, &policy); err != nil {
-		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
+		logger.Error(err, "faield to unmarshall policy admission request")
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
 			Result: &metav1.Status{
@@ -31,10 +32,9 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest)
 		}
 	}
 	// Generate JSON Patches for defaults
-	patches, updateMsgs := generateJSONPatchesForDefaults(policy)
+	patches, updateMsgs := generateJSONPatchesForDefaults(policy, logger)
 	if patches != nil {
 		patchType := v1beta1.PatchTypeJSONPatch
-		glog.V(4).Infof("defaulted values %v policy %s", updateMsgs, policy.Name)
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
 			Result: &metav1.Status{
@@ -44,35 +44,34 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest)
 			PatchType: &patchType,
 		}
 	}
-	glog.V(4).Infof("nothing to default for policy %s", policy.Name)
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}
 }
 
-func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []string) {
+func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, []string) {
 	var patches [][]byte
 	var updateMsgs []string
 
 	// default 'ValidationFailureAction'
-	if patch, updateMsg := defaultvalidationFailureAction(policy); patch != nil {
+	if patch, updateMsg := defaultvalidationFailureAction(policy, log); patch != nil {
 		patches = append(patches, patch)
 		updateMsgs = append(updateMsgs, updateMsg)
 	}
 
 	// default 'Background'
-	if patch, updateMsg := defaultBackgroundFlag(policy); patch != nil {
+	if patch, updateMsg := defaultBackgroundFlag(policy, log); patch != nil {
 		patches = append(patches, patch)
 		updateMsgs = append(updateMsgs, updateMsg)
 	}
 
-	patch, errs := generatePodControllerRule(*policy)
+	patch, errs := generatePodControllerRule(*policy, log)
 	if len(errs) > 0 {
 		var errMsgs []string
 		for _, err := range errs {
 			errMsgs = append(errMsgs, err.Error())
+			log.Error(err, "failed to generate pod controller rule")
 		}
-		glog.Errorf("failed auto generating rule for pod controllers: %s", errMsgs)
 		updateMsgs = append(updateMsgs, strings.Join(errMsgs, ";"))
 	}
 
@@ -81,11 +80,11 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []st
 	return utils.JoinPatches(patches), updateMsgs
 }
 
-func defaultBackgroundFlag(policy *kyverno.ClusterPolicy) ([]byte, string) {
+func defaultBackgroundFlag(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) {
 	// default 'Background' flag to 'true' if not specified
 	defaultVal := true
 	if policy.Spec.Background == nil {
-		glog.V(4).Infof("default policy %s 'Background' to '%s'", policy.Name, strconv.FormatBool(true))
+		log.V(4).Info("setting default value", "spec.background", true)
 		jsonPatch := struct {
 			Path  string `json:"path"`
 			Op    string `json:"op"`
@@ -97,19 +96,19 @@ func defaultBackgroundFlag(policy *kyverno.ClusterPolicy) ([]byte, string) {
 		}
 		patchByte, err := json.Marshal(jsonPatch)
 		if err != nil {
-			glog.Errorf("failed to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name)
+			log.Error(err, "failed to set default value", "spec.background", true)
 			return nil, ""
 		}
-		glog.V(4).Infof("generate JSON Patch to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name)
+		log.Info("generated JSON Patch to set default", "spec.background", true)
 		return patchByte, fmt.Sprintf("default 'Background' to '%s'", strconv.FormatBool(true))
 	}
 	return nil, ""
 }
 
-func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, string) {
+func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) {
 	// default ValidationFailureAction to "audit" if not specified
 	if policy.Spec.ValidationFailureAction == "" {
-		glog.V(4).Infof("defaulting policy %s 'ValidationFailureAction' to '%s'", policy.Name, Audit)
+		log.V(4).Info("setting defautl value", "spec.validationFailureAction", Audit)
 		jsonPatch := struct {
 			Path  string `json:"path"`
 			Op    string `json:"op"`
@@ -121,10 +120,10 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri
 		}
 		patchByte, err := json.Marshal(jsonPatch)
 		if err != nil {
-			glog.Errorf("failed to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
+			log.Error(err, "failed to default value", "spec.validationFailureAction", Audit)
 			return nil, ""
 		}
-		glog.V(4).Infof("generate JSON Patch to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
+		log.Info("generated JSON Patch to set default", "spec.validationFailureAction", Audit)
 		return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", Audit)
 	}
 	return nil, ""
@@ -140,7 +139,7 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri
 //             make sure all fields are applicable to pod cotrollers
 
 // generatePodControllerRule returns two patches: rulePatches and annotation patch(if necessary)
-func generatePodControllerRule(policy kyverno.ClusterPolicy) (patches [][]byte, errs []error) {
+func generatePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) {
 	ann := policy.GetAnnotations()
 	controllers, ok := ann[engine.PodControllersAnnotation]
 
@@ -159,10 +158,9 @@ func generatePodControllerRule(policy kyverno.ClusterPolicy) (patches [][]byte,
 	if controllers == "none" {
 		return nil, nil
 	}
+	log.V(3).Info("auto generating rule for pod controllers", "controlers", controllers)
 
-	glog.V(3).Infof("Auto generating rule for pod controller: %s", controllers)
-
-	p, err := generateRulePatches(policy, controllers)
+	p, err := generateRulePatches(policy, controllers, log)
 	patches = append(patches, p...)
 	errs = append(errs, err...)
 	return
@@ -197,7 +195,7 @@ func createRuleMap(rules []kyverno.Rule) map[string]kyvernoRule {
 }
 
 // generateRulePatches generates rule for podControllers based on scenario A and C
-func generateRulePatches(policy kyverno.ClusterPolicy, controllers string) (rulePatches [][]byte, errs []error) {
+func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) {
 	var genRule kyvernoRule
 	insertIdx := len(policy.Spec.Rules)
 
@@ -210,7 +208,7 @@ func generateRulePatches(policy kyverno.ClusterPolicy, controllers string) (rule
 	for _, rule := range policy.Spec.Rules {
 		patchPostion := insertIdx
 
-		genRule = generateRuleForControllers(rule, controllers)
+		genRule = generateRuleForControllers(rule, controllers, log)
 		if reflect.DeepEqual(genRule, kyvernoRule{}) {
 			continue
 		}
@@ -272,7 +270,7 @@ type kyvernoRule struct {
 	Validation       *kyverno.Validation       `json:"validate,omitempty"`
 }
 
-func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRule {
+func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.Logger) kyvernoRule {
 	if strings.HasPrefix(rule.Name, "autogen-") {
 		return kyvernoRule{}
 	}
@@ -292,7 +290,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRu
 	if controllers == "all" {
 		if match.ResourceDescription.Name != "" || match.ResourceDescription.Selector != nil ||
 			exclude.ResourceDescription.Name != "" || exclude.ResourceDescription.Selector != nil {
-			glog.Warningf("Rule '%s' skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", rule.Name)
+			log.Info("skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", "rule", rule.Name)
 			return kyvernoRule{}
 		}
 		controllers = engine.PodControllers
diff --git a/pkg/webhooks/policymutation_test.go b/pkg/webhooks/policymutation_test.go
index 0b5af63c59..f600ff8220 100644
--- a/pkg/webhooks/policymutation_test.go
+++ b/pkg/webhooks/policymutation_test.go
@@ -7,6 +7,7 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
+	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
 )
 
@@ -28,7 +29,7 @@ func TestGeneratePodControllerRule_NilAnnotation(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -61,7 +62,7 @@ func TestGeneratePodControllerRule_PredefinedAnnotation(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 	assert.Assert(t, len(patches) == 0)
 }
@@ -112,7 +113,7 @@ func TestGeneratePodControllerRule_DisableFeature(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 	assert.Assert(t, len(patches) == 0)
 }
@@ -163,7 +164,7 @@ func TestGeneratePodControllerRule_Mutate(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -261,7 +262,7 @@ func TestGeneratePodControllerRule_ExistOtherAnnotation(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -333,7 +334,7 @@ func TestGeneratePodControllerRule_ValidateAnyPattern(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -471,7 +472,7 @@ func TestGeneratePodControllerRule_ValidatePattern(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index fcb79c7163..917e541bbc 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	policyvalidate "github.com/nirmata/kyverno/pkg/policy"
 	v1beta1 "k8s.io/api/admission/v1beta1"
@@ -13,6 +12,7 @@ import (
 
 //HandlePolicyValidation performs the validation check on policy resource
 func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	logger := ws.log.WithValues("action", "policyvalidation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	var policy *kyverno.ClusterPolicy
 	admissionResp := &v1beta1.AdmissionResponse{
 		Allowed: true,
@@ -21,7 +21,7 @@ func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionReques
 	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
 	raw := request.Object.Raw
 	if err := json.Unmarshal(raw, &policy); err != nil {
-		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
+		logger.Error(err, "failed to unmarshal incoming resource to policy type")
 		return &v1beta1.AdmissionResponse{Allowed: false,
 			Result: &metav1.Status{
 				Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err),
diff --git a/pkg/webhooks/report.go b/pkg/webhooks/report.go
index 035a60688e..83e67c5753 100644
--- a/pkg/webhooks/report.go
+++ b/pkg/webhooks/report.go
@@ -3,6 +3,7 @@ package webhooks
 import (
 	"strings"
 
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 
@@ -10,7 +11,7 @@ import (
 )
 
 //generateEvents generates event info for the engine responses
-func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool) []event.Info {
+func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info {
 	var events []event.Info
 	// Scenario 1
 	// - Admission-Response is SUCCESS && CREATE
@@ -26,6 +27,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 			successRulesStr := strings.Join(successRules, ";")
 			// event on resource
 			e := event.NewEvent(
+				log,
 				er.PolicyResponse.Resource.Kind,
 				er.PolicyResponse.Resource.APIVersion,
 				er.PolicyResponse.Resource.Namespace,
@@ -59,6 +61,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 			filedRulesStr := strings.Join(failedRules, ";")
 			// Event on Policy
 			e := event.NewEvent(
+				log,
 				"ClusterPolicy",
 				kyverno.SchemeGroupVersion.String(),
 				"",
@@ -90,6 +93,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 		filedRulesStr := strings.Join(failedRules, ";")
 		// Event on the policy
 		e := event.NewEvent(
+			log,
 			"ClusterPolicy",
 			kyverno.SchemeGroupVersion.String(),
 			"",
@@ -104,6 +108,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 		// Event on the resource
 		// event on resource
 		e = event.NewEvent(
+			log,
 			er.PolicyResponse.Resource.Kind,
 			er.PolicyResponse.Resource.APIVersion,
 			er.PolicyResponse.Resource.Namespace,
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index d401cdc449..3d3fbcd857 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -69,6 +69,7 @@ type WebhookServer struct {
 	// generate request generator
 	grGenerator            *generate.Generator
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
+	log                    logr.Logger
 }
 
 // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
@@ -88,7 +89,9 @@ func NewWebhookServer(
 	pvGenerator policyviolation.GeneratorInterface,
 	grGenerator *generate.Generator,
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
-	cleanUp chan<- struct{}) (*WebhookServer, error) {
+	cleanUp chan<- struct{},
+	log logr.Logger,
+) (*WebhookServer, error) {
 
 	if tlsPair == nil {
 		return nil, errors.New("NewWebhookServer is not initialized properly")
@@ -120,6 +123,7 @@ func NewWebhookServer(
 		pMetaStore:                pMetaStore,
 		grGenerator:               grGenerator,
 		resourceWebhookWatcher:    resourceWebhookWatcher,
+		log:                       log,
 	}
 	mux := http.NewServeMux()
 	mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
@@ -148,8 +152,9 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 	if admissionReview == nil {
 		return
 	}
+	logger := ws.log.WithValues("kind", admissionReview.Request.Kind, "namespace", admissionReview.Request.Namespace, "name", admissionReview.Request.Name)
 	defer func() {
-		glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
+		logger.V(4).Info("request processed", "processingTime", time.Since(startTime))
 	}()
 
 	admissionReview.Response = &v1beta1.AdmissionResponse{
@@ -195,31 +200,29 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 }
 
 func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
-		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
+		logger.Error(err, "failed to list policies. Policies are NOT being applied")
 		return &v1beta1.AdmissionResponse{Allowed: true}
 	}
 
 	var roles, clusterRoles []string
 
 	// getRoleRef only if policy has roles/clusterroles defined
-	startTime := time.Now()
 	if containRBACinfo(policies) {
 		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
-			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
-				request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err)
+			logger.Error(err, "failed to get RBAC infromation for request")
 		}
 	}
-	glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime))
 
 	// convert RAW to unstructured
 	resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
 	if err != nil {
-		glog.Errorf(err.Error())
+		logger.Error(err, "failed to convert RAW resource to unstructured format")
 
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
@@ -245,13 +248,13 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
 
 	// patch the resource with patches before handling validation rules
-	patchedResource := processResourceWithPatches(patches, request.Object.Raw)
+	patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
 
 	if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
 		// VALIDATION
 		ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
 		if !ok {
-			glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
+			logger.Info("admission request denied")
 			return &v1beta1.AdmissionResponse{
 				Allowed: false,
 				Result: &metav1.Status{
@@ -269,7 +272,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	if request.Operation == v1beta1.Create {
 		ok, msg := ws.HandleGenerate(request, policies, patchedResource, roles, clusterRoles)
 		if !ok {
-			glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
+			logger.Info("admission request denied")
 			return &v1beta1.AdmissionResponse{
 				Allowed: false,
 				Result: &metav1.Status{
@@ -292,31 +295,29 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 }
 
 func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
-		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
+		logger.Error(err, "failed to list policies. Policies are NOT being applied")
 		return &v1beta1.AdmissionResponse{Allowed: true}
 	}
 
 	var roles, clusterRoles []string
 
 	// getRoleRef only if policy has roles/clusterroles defined
-	startTime := time.Now()
 	if containRBACinfo(policies) {
 		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
-			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
-				request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err)
+			logger.Error(err, "failed to get RBAC infromation for request")
 		}
 	}
-	glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime))
 
 	// VALIDATION
 	ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles)
 	if !ok {
-		glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
+		logger.Info("admission request denied")
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{
@@ -336,27 +337,28 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 
 // RunAsync TLS server in separate thread and returns control immediately
 func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
+	logger := ws.log
 	if !cache.WaitForCacheSync(stopCh, ws.pSynced, ws.rbSynced, ws.crbSynced) {
-		glog.Error("webhook: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 	}
 
 	go func(ws *WebhookServer) {
-		glog.V(3).Infof("serving on %s\n", ws.server.Addr)
+		logger.V(3).Info("started serving requests", "addr", ws.server.Addr)
 		if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
-			glog.Infof("HTTP server error: %v", err)
+			logger.Error(err, "failed to listen to requests")
 		}
 	}(ws)
-	glog.Info("Started Webhook Server")
+	logger.Info("starting")
 	// verifys if the admission control is enabled and active
 	// resync: 60 seconds
 	// deadline: 60 seconds (send request)
 	// max deadline: deadline*3 (set the deployment annotation as false)
 	go ws.lastReqTime.Run(ws.pLister, ws.eventGen, ws.client, checker.DefaultResync, checker.DefaultDeadline, stopCh)
-
 }
 
 // Stop TLS server and returns control after the server is shut down
 func (ws *WebhookServer) Stop(ctx context.Context) {
+	logger := ws.log
 	// cleanUp
 	// remove the static webhookconfigurations
 	go ws.webhookRegistrationClient.RemoveWebhookConfigurations(ws.cleanUp)
@@ -364,7 +366,7 @@ func (ws *WebhookServer) Stop(ctx context.Context) {
 	err := ws.server.Shutdown(ctx)
 	if err != nil {
 		// Error from closing listeners, or context timeout:
-		glog.Info("Server Shutdown error: ", err)
+		logger.Error(err, "shutting down server")
 		ws.server.Close()
 	}
 }
@@ -372,6 +374,7 @@ func (ws *WebhookServer) Stop(ctx context.Context) {
 // bodyToAdmissionReview creates AdmissionReview object from request body
 // Answers to the http.ResponseWriter if request is not valid
 func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview {
+	logger := ws.log
 	var body []byte
 	if request.Body != nil {
 		if data, err := ioutil.ReadAll(request.Body); err == nil {
@@ -379,21 +382,21 @@ func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer htt
 		}
 	}
 	if len(body) == 0 {
-		glog.Error("Error: empty body")
+		logger.Info("empty body")
 		http.Error(writer, "empty body", http.StatusBadRequest)
 		return nil
 	}
 
 	contentType := request.Header.Get("Content-Type")
 	if contentType != "application/json" {
-		glog.Error("Error: invalid Content-Type: ", contentType)
+		logger.Info("invalid Content-Type", "contextType", contentType)
 		http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
 		return nil
 	}
 
 	admissionReview := &v1beta1.AdmissionReview{}
 	if err := json.Unmarshal(body, &admissionReview); err != nil {
-		glog.Errorf("Error: Can't decode body as AdmissionReview: %v", err)
+		logger.Error(err, "failed to decode request body to type 'AdmissionReview")
 		http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
 		return nil
 	}
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index cf30c61f17..6457b10a2c 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -2,9 +2,7 @@ package webhooks
 
 import (
 	"reflect"
-	"time"
 
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -19,11 +17,10 @@ import (
 // If there are no errors in validating rule we apply generation rules
 // patchedResource is the (resource + patches) after applying mutation rules
 func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
-	glog.V(4).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
+	logger := ws.log.WithValues("action", "validation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger.V(4).Info("incoming request")
 
 	var policyStats []policyctr.PolicyStat
-	evalTime := time.Now()
 	// gather stats from the engine response
 	gatherStat := func(policyName string, policyResponse response.PolicyResponse) {
 		ps := policyctr.PolicyStat{}
@@ -57,7 +54,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	newR, oldR, err := extractResources(patchedResource, request)
 	if err != nil {
 		// as resource cannot be parsed, we skip processing
-		glog.Error(err)
+		logger.Error(err, "failed to extract resource")
 		return true, ""
 	}
 	userRequestInfo := kyverno.RequestInfo{
@@ -69,17 +66,17 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
-		glog.Infof("Failed to load resource in context:%v", err)
+		logger.Error(err, "failed to load incoming resource in context")
 	}
 
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
-		glog.Infof("Failed to load userInfo in context:%v", err)
+		logger.Error(err, "failed to load userInfo in context")
 	}
 
 	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		glog.Infof("Failed to load service account in context:%v", err)
+		logger.Error(err, "failed to load service account in context")
 	}
 
 	policyContext := engine.PolicyContext{
@@ -90,8 +87,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	}
 	var engineResponses []response.EngineResponse
 	for _, policy := range policies {
-		glog.V(2).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-			newR.GetKind(), newR.GetNamespace(), newR.GetName(), request.UID, request.Operation)
+		logger.V(2).Info("evaluating policy", "policy", policy.Name)
 		policyContext.Policy = policy
 		engineResponse := engine.Validate(policyContext)
 		if reflect.DeepEqual(engineResponse, response.EngineResponse{}) {
@@ -103,17 +99,13 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 		// Gather policy application statistics
 		gatherStat(policy.Name, engineResponse.PolicyResponse)
 		if !engineResponse.IsSuccesful() {
-			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, newR.GetNamespace(), newR.GetName())
+			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
 			continue
 		}
 	}
-	glog.V(4).Infof("eval: %v %s/%s/%s ", time.Since(evalTime), request.Kind, request.Namespace, request.Name)
-	// report time
-	reportTime := time.Now()
-
 	// If Validation fails then reject the request
 	// no violations will be created on "enforce"
-	blocked := toBlockResource(engineResponses)
+	blocked := toBlockResource(engineResponses, logger)
 
 	// REPORTING EVENTS
 	// Scenario 1:
@@ -125,10 +117,10 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	// Scenario 3:
 	//   all policies were applied succesfully.
 	//   create an event on the resource
-	events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update))
+	events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update), logger)
 	ws.eventGen.Add(events...)
 	if blocked {
-		glog.V(4).Infof("resource %s/%s/%s is blocked\n", newR.GetKind(), newR.GetNamespace(), newR.GetName())
+		logger.V(4).Info("resource blocked")
 		sendStat(true)
 		// EVENTS
 		// - event on the Policy
@@ -137,10 +129,9 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 
 	// ADD POLICY VIOLATIONS
 	// violations are created with resource on "audit"
-	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
+	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
 	ws.pvGenerator.Add(pvInfos...)
 	sendStat(false)
 	// report time end
-	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), request.Kind, request.Namespace, request.Name)
 	return true, ""
 }

From d327309d725aa05b710a2d94c213e5229a659a6b Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Tue, 17 Mar 2020 16:25:34 -0700
Subject: [PATCH 009/201] refactor logging

---
 cmd/initContainer/main.go                  |  26 ++---
 cmd/kyverno/main.go                        |  47 ++++----
 pkg/config/config.go                       |  43 ++++----
 pkg/engine/anchor/anchor.go                |   2 +-
 pkg/engine/context/context.go              |   2 +-
 pkg/engine/generation.go                   |   2 +-
 pkg/engine/mutate/overlay.go               |  36 +++---
 pkg/engine/mutate/overlayCondition.go      |  26 ++---
 pkg/engine/mutate/overlayCondition_test.go |  31 +++---
 pkg/engine/mutate/overlay_test.go          |  27 ++---
 pkg/engine/mutate/patches.go               |  17 +--
 pkg/engine/mutate/patches_test.go          |  19 ++--
 pkg/engine/mutation.go                     |   8 +-
 pkg/engine/utils.go                        |   2 +-
 pkg/engine/validate/pattern_test.go        |   2 +-
 pkg/engine/validate/validate_test.go       |   2 +-
 pkg/engine/validation.go                   |   2 +-
 pkg/engine/variables/evaluate_test.go      |   2 +-
 pkg/engine/variables/variables_test.go     |   2 +-
 pkg/engine/variables/vars_test.go          |   2 +-
 pkg/generate/cleanup/cleanup.go            |  15 +--
 pkg/generate/cleanup/controller.go         |   4 +-
 pkg/generate/labels.go                     |   2 +-
 pkg/generate/status.go                     |  10 +-
 pkg/log/deleg.go                           | 121 ---------------------
 pkg/log/log.go                             |  15 ---
 pkg/log/null.go                            |  44 --------
 pkg/policy/actions.go                      |   2 +-
 pkg/policy/background.go                   |   2 +-
 pkg/policy/clusterpv.go                    |  39 +++----
 pkg/policy/common.go                       |   4 +-
 pkg/policy/controller.go                   |   2 +-
 pkg/policy/namespacedpv.go                 |  38 ++++---
 pkg/policy/report.go                       |  17 +--
 pkg/policy/status.go                       |  47 ++++----
 pkg/policy/webhookregistration.go          |   8 +-
 pkg/policyviolation/builder_test.go        |   2 +-
 pkg/policyviolation/clusterpv.go           |  22 ++--
 pkg/policyviolation/common.go              |   4 +-
 pkg/policyviolation/generator.go           |   4 +-
 pkg/policyviolation/namespacedpv.go        |  23 ++--
 pkg/testrunner/scenario.go                 |   8 +-
 pkg/testrunner/utils.go                    |   4 +-
 pkg/userinfo/roleRef.go                    |   6 +-
 pkg/userinfo/roleRef_test.go               |   7 +-
 pkg/webhookconfig/checker.go               |  13 ++-
 pkg/webhookconfig/common.go                |  45 ++------
 pkg/webhookconfig/policy.go                |   7 +-
 pkg/webhookconfig/registration.go          |  34 +++---
 pkg/webhooks/annotations_test.go           |   2 +-
 pkg/webhooks/policymutation_test.go        |   2 +-
 51 files changed, 330 insertions(+), 523 deletions(-)
 delete mode 100644 pkg/log/deleg.go
 delete mode 100644 pkg/log/log.go
 delete mode 100644 pkg/log/null.go

diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index 7a9de3557f..e9e377cb7f 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -14,12 +14,13 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
-	"github.com/nirmata/kyverno/pkg/log"
 	"github.com/nirmata/kyverno/pkg/signal"
 	"k8s.io/apimachinery/pkg/api/errors"
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"k8s.io/klog"
+	"k8s.io/klog/klogr"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 var (
@@ -33,6 +34,15 @@ const (
 )
 
 func main() {
+	klog.InitFlags(nil)
+	log.SetLogger(klogr.New())
+	// arguments
+	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
+	if err := flag.Set("v", "2"); err != nil {
+		klog.Fatalf("failed to set log level: %v", err)
+	}
+	flag.Parse()
+
 	// os signal handler
 	stopCh := signal.SetupSignalHandler()
 	// create client config
@@ -92,18 +102,6 @@ func main() {
 	}
 }
 
-func init() {
-	// arguments
-	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
-	flag.Set("logtostderr", "true")
-	flag.Set("stderrthreshold", "WARNING")
-	flag.Set("v", "2")
-	flag.Parse()
-	log.SetLogger(zap.New(func(o *zap.Options) {
-		o.Development = true
-	}))
-}
-
 func removeWebhookIfExists(client *client.Client, kind string, name string) error {
 	logger := log.Log.WithName("removeExistingWebhook").WithValues("kind", kind, "name", name)
 	var err error
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 8ecf67cefd..fe0ede9abe 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -7,7 +7,6 @@ import (
 	"os"
 	"time"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions"
@@ -16,7 +15,6 @@ import (
 	event "github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/generate"
 	generatecleanup "github.com/nirmata/kyverno/pkg/generate/cleanup"
-	"github.com/nirmata/kyverno/pkg/log"
 	"github.com/nirmata/kyverno/pkg/policy"
 	"github.com/nirmata/kyverno/pkg/policystore"
 	"github.com/nirmata/kyverno/pkg/policyviolation"
@@ -27,7 +25,9 @@ import (
 	"github.com/nirmata/kyverno/pkg/webhooks"
 	webhookgenerate "github.com/nirmata/kyverno/pkg/webhooks/generate"
 	kubeinformers "k8s.io/client-go/informers"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"k8s.io/klog"
+	"k8s.io/klog/klogr"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 var (
@@ -39,13 +39,29 @@ var (
 	// will be removed in future and the configuration will be set only via configmaps
 	filterK8Resources string
 	// User FQDN as CSR CN
-	fqdncn    bool
-	verbosity string
-	setupLog  = log.Log.WithName("setup")
+	fqdncn   bool
+	setupLog = log.Log.WithName("setup")
 )
 
 func main() {
-	defer glog.Flush()
+	klog.InitFlags(nil)
+	log.SetLogger(klogr.New())
+	flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"")
+	flag.IntVar(&webhookTimeout, "webhooktimeout", 3, "timeout for webhook configurations")
+	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
+	flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
+	flag.StringVar(&runValidationInMutatingWebhook, "runValidationInMutatingWebhook", "", "Validation will also be done using the mutation webhook, set to 'true' to enable. Older kubernetes versions do not work properly when a validation webhook is registered.")
+	if err := flag.Set("v", "2"); err != nil {
+		setupLog.Error(err, "failed to set log level")
+		os.Exit(1)
+		// klog.Fatalf("failed to set log level: %v", err)
+	}
+
+	// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
+	flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR")
+
+	flag.Parse()
+
 	version.PrintVersionInfo(log.Log)
 	// cleanUp Channel
 	cleanUp := make(chan struct{})
@@ -289,20 +305,3 @@ func main() {
 	<-cleanUp
 	setupLog.Info("Kyverno shutdown successful")
 }
-
-func init() {
-	flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"")
-	flag.IntVar(&webhookTimeout, "webhooktimeout", 3, "timeout for webhook configurations")
-	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
-	flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
-	flag.StringVar(&runValidationInMutatingWebhook, "runValidationInMutatingWebhook", "", "Validation will also be done using the mutation webhook, set to 'true' to enable. Older kubernetes versions do not work properly when a validation webhook is registered.")
-
-	// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
-	flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR")
-	config.LogDefaultFlags(setupLog)
-	flag.StringVar(&verbosity, "verbosity", "", "set verbosity for logs")
-	flag.Parse()
-	log.SetLogger(zap.New(func(o *zap.Options) {
-		o.Development = true
-	}))
-}
diff --git a/pkg/config/config.go b/pkg/config/config.go
index bb9dfae909..cfbbc35f62 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -1,9 +1,6 @@
 package config
 
 import (
-	"flag"
-	"os"
-
 	"github.com/go-logr/logr"
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
@@ -75,26 +72,26 @@ var (
 	VerifyMutatingWebhookServicePath = "/verifymutate"
 )
 
-//LogDefaultFlags sets default flags
-func LogDefaultFlags(log logr.Logger) {
-	logger := log.WithName("LogDefaultFlags")
-	var err error
-	err = flag.Set("logtostderr", "true")
-	if err != nil {
-		logger.Error(err, "failed to set flag", "flag", "logtostderr", "value", "true")
-		os.Exit(1)
-	}
-	err = flag.Set("stderrthreshold", "WARNING")
-	if err != nil {
-		logger.Error(err, "failed to set flag", "flag", "stderrthreshold", "value", "WARNING")
-		os.Exit(1)
-	}
-	flag.Set("v", "2")
-	if err != nil {
-		logger.Error(err, "failed to set flag", "flag", "v", "value", "2")
-		os.Exit(1)
-	}
-}
+// //LogDefaultFlags sets default flags
+// func LogDefaultFlags(log logr.Logger) {
+// 	logger := log.WithName("LogDefaultFlags")
+// 	var err error
+// 	err = flag.Set("logtostderr", "true")
+// 	if err != nil {
+// 		logger.Error(err, "failed to set flag", "flag", "logtostderr", "value", "true")
+// 		os.Exit(1)
+// 	}
+// 	err = flag.Set("stderrthreshold", "WARNING")
+// 	if err != nil {
+// 		logger.Error(err, "failed to set flag", "flag", "stderrthreshold", "value", "WARNING")
+// 		os.Exit(1)
+// 	}
+// 	flag.Set("v", "2")
+// 	if err != nil {
+// 		logger.Error(err, "failed to set flag", "flag", "v", "value", "2")
+// 		os.Exit(1)
+// 	}
+// }
 
 //CreateClientConfig creates client config
 func CreateClientConfig(kubeconfig string, log logr.Logger) (*rest.Config, error) {
diff --git a/pkg/engine/anchor/anchor.go b/pkg/engine/anchor/anchor.go
index a8e7a1184a..9dccab3577 100644
--- a/pkg/engine/anchor/anchor.go
+++ b/pkg/engine/anchor/anchor.go
@@ -5,7 +5,7 @@ import (
 	"strconv"
 
 	"github.com/go-logr/logr"
-	"github.com/nirmata/kyverno/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //ValidationHandler for element processes
diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index 21e1fed7fc..163e81fef0 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -8,7 +8,7 @@ import (
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"github.com/nirmata/kyverno/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //Interface to manage context operations
diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go
index 94cb3d95df..4ec3d05de8 100644
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@@ -6,8 +6,8 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
-	"github.com/nirmata/kyverno/pkg/log"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // Generate checks for validity of generate rule on the resource
diff --git a/pkg/engine/mutate/overlay.go b/pkg/engine/mutate/overlay.go
index 21e5e7b77e..a0d4dfb655 100644
--- a/pkg/engine/mutate/overlay.go
+++ b/pkg/engine/mutate/overlay.go
@@ -10,51 +10,53 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	jsonpatch "github.com/evanphx/json-patch"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 )
 
 // ProcessOverlay processes mutation overlay on the resource
-func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
+func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
 	startTime := time.Now()
-	glog.V(4).Infof("started applying overlay rule %q (%v)", ruleName, startTime)
+	logger := log.WithValues("rule", ruleName)
+	logger.V(4).Info("started applying overlay rule ", "startTime", startTime)
 	resp.Name = ruleName
 	resp.Type = utils.Mutation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		glog.V(4).Infof("finished applying overlay rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
+		logger.V(4).Info("finished applying overlay rule", "processingTime", resp.RuleStats.ProcessingTime)
 	}()
 
-	patches, overlayerr := processOverlayPatches(resource.UnstructuredContent(), overlay)
+	patches, overlayerr := processOverlayPatches(logger, resource.UnstructuredContent(), overlay)
 	// resource does not satisfy the overlay pattern, we don't apply this rule
 	if !reflect.DeepEqual(overlayerr, overlayError{}) {
 		switch overlayerr.statusCode {
 		// condition key is not present in the resource, don't apply this rule
 		// consider as success
 		case conditionNotPresent:
-			glog.V(3).Infof("Skip applying rule '%s' on resource '%s/%s/%s': %s", ruleName, resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg())
+			logger.V(3).Info("skip applying rule")
 			resp.Success = true
 			return resp, resource
 		// conditions are not met, don't apply this rule
 		case conditionFailure:
-			glog.V(3).Infof("Skip applying rule '%s' on resource '%s/%s/%s': %s", ruleName, resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg())
+			logger.V(3).Info("skip applying rule")
 			//TODO: send zero response and not consider this as applied?
 			resp.Success = true
 			resp.Message = overlayerr.ErrorMsg()
 			return resp, resource
 		// rule application failed
 		case overlayFailure:
-			glog.Errorf("Resource %s/%s/%s: failed to process overlay: %v in the rule %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg(), ruleName)
+			logger.Info("failed to process overlay")
 			resp.Success = false
 			resp.Message = fmt.Sprintf("failed to process overlay: %v", overlayerr.ErrorMsg())
 			return resp, resource
 		default:
-			glog.Errorf("Resource %s/%s/%s: Unknown type of error: %v", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.Error())
+			logger.Info("failed to process overlay")
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Unknown type of error: %v", overlayerr.Error())
 			return resp, resource
@@ -70,7 +72,7 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
 		resp.Success = false
-		glog.Infof("unable to marshall resource: %v", err)
+		logger.Error(err, "failed to marshal resource")
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
 	}
@@ -79,7 +81,7 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.
 	patchResource, err = utils.ApplyPatches(resourceRaw, patches)
 	if err != nil {
 		msg := fmt.Sprintf("failed to apply JSON patches: %v", err)
-		glog.V(2).Infof("%s, patches=%s", msg, string(utils.JoinPatches(patches)))
+		logger.V(2).Info("applying patches", "patches", string(utils.JoinPatches(patches)))
 		resp.Success = false
 		resp.Message = msg
 		return resp, resource
@@ -87,7 +89,7 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.
 
 	err = patchedResource.UnmarshalJSON(patchResource)
 	if err != nil {
-		glog.Infof("failed to unmarshall resource to undstructured: %v", err)
+		logger.Error(err, "failed to unmarshal resource")
 		resp.Success = false
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
@@ -101,17 +103,17 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.
 	return resp, patchedResource
 }
 
-func processOverlayPatches(resource, overlay interface{}) ([][]byte, overlayError) {
-	if path, overlayerr := meetConditions(resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) {
+func processOverlayPatches(log logr.Logger, resource, overlay interface{}) ([][]byte, overlayError) {
+	if path, overlayerr := meetConditions(log, resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) {
 		switch overlayerr.statusCode {
 		// anchor key does not exist in the resource, skip applying policy
 		case conditionNotPresent:
-			glog.V(4).Infof("Mutate rule: skip applying policy: %v at %s", overlayerr, path)
+			log.V(4).Info("skip applying policy", "path", path, "error", overlayerr)
 			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Policy not applied, condition tag not present: %v at %s", overlayerr.ErrorMsg(), path))
 		// anchor key is not satisfied in the resource, skip applying policy
 		case conditionFailure:
 			// anchor key is not satisfied in the resource, skip applying policy
-			glog.V(4).Infof("Mutate rule: failed to validate condition at %s, err: %v", path, overlayerr)
+			log.V(4).Info("failed to validate condition", "path", path, "error", overlayerr)
 			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Policy not applied, conditions are not met at %s, %v", path, overlayerr))
 		}
 	}
@@ -383,7 +385,7 @@ func prepareJSONValue(overlay interface{}) string {
 	overlayWithoutAnchors := removeAnchorFromSubTree(overlay)
 	jsonOverlay, err := json.Marshal(overlayWithoutAnchors)
 	if err != nil || hasOnlyAnchors(overlay) {
-		glog.V(3).Info(err)
+		log.Log.Error(err, "failed to marshall withoutanchors or has only anchors")
 		return ""
 	}
 
diff --git a/pkg/engine/mutate/overlayCondition.go b/pkg/engine/mutate/overlayCondition.go
index 62232d99da..56b19de4e9 100755
--- a/pkg/engine/mutate/overlayCondition.go
+++ b/pkg/engine/mutate/overlayCondition.go
@@ -5,18 +5,18 @@ import (
 	"reflect"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/validate"
-	"github.com/nirmata/kyverno/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-func meetConditions(resource, overlay interface{}) (string, overlayError) {
-	return checkConditions(resource, overlay, "/")
+func meetConditions(log logr.Logger, resource, overlay interface{}) (string, overlayError) {
+	return checkConditions(log, resource, overlay, "/")
 }
 
 // resource and overlay should be the same type
-func checkConditions(resource, overlay interface{}, path string) (string, overlayError) {
+func checkConditions(log logr.Logger, resource, overlay interface{}, path string) (string, overlayError) {
 	// overlay has no anchor, return true
 	if !hasNestedAnchors(overlay) {
 		return "", overlayError{}
@@ -27,7 +27,7 @@ func checkConditions(resource, overlay interface{}, path string) (string, overla
 	// condition never be true in this case
 	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
 		if hasNestedAnchors(overlay) {
-			glog.V(4).Infof("Found anchor on different types of element at path %s: overlay %T, resource %T", path, overlay, resource)
+			log.V(4).Info(fmt.Sprintf("Found anchor on different types of element at path %s: overlay %T, resource %T", path, overlay, resource))
 			return path, newOverlayError(conditionFailure,
 				fmt.Sprintf("Found anchor on different types of element at path %s: overlay %T %v, resource %T %v", path, overlay, overlay, resource, resource))
 
@@ -45,7 +45,7 @@ func checkConditions(resource, overlay interface{}, path string) (string, overla
 	default:
 		// anchor on non map/array is invalid:
 		// - anchor defined on values
-		glog.Warningln("Found invalid conditional anchor: anchor defined on values")
+		log.Info("Found invalid conditional anchor: anchor defined on values")
 		return "", overlayError{}
 	}
 }
@@ -69,12 +69,12 @@ func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}, path st
 
 func checkConditionOnArray(resource, overlay []interface{}, path string) (string, overlayError) {
 	if 0 == len(overlay) {
-		glog.Infof("Mutate overlay pattern is empty, path %s", path)
+		log.Log.V(4).Info("Mutate overlay pattern is empty", "path", path)
 		return "", overlayError{}
 	}
 
 	if reflect.TypeOf(resource[0]) != reflect.TypeOf(overlay[0]) {
-		glog.V(4).Infof("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0])
+		log.Log.V(4).Info(fmt.Sprintf("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0]))
 		return path, newOverlayError(conditionFailure,
 			fmt.Sprintf("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0]))
 	}
@@ -112,7 +112,7 @@ func validateConditionAnchorMap(resourceMap, anchors map[string]interface{}, pat
 // resource - A: B2
 func compareOverlay(resource, overlay interface{}, path string) (string, overlayError) {
 	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
-		glog.V(4).Infof("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)
+		log.Log.V(4).Info("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)
 		return path, newOverlayError(conditionFailure, fmt.Sprintf("Found anchor on different types of element: overlay %T, resource %T", overlay, resource))
 	}
 
@@ -141,7 +141,7 @@ func compareOverlay(resource, overlay interface{}, path string) (string, overlay
 		}
 	case string, float64, int, int64, bool, nil:
 		if !validate.ValidateValueWithPattern(log.Log, resource, overlay) {
-			glog.V(4).Infof("Mutate rule: failed validating value %v with overlay %v", resource, overlay)
+			log.Log.V(4).Info(fmt.Sprintf("Mutate rule: failed validating value %v with overlay %v", resource, overlay))
 			return path, newOverlayError(conditionFailure, fmt.Sprintf("Failed validating value %v with overlay %v", resource, overlay))
 		}
 	default:
@@ -166,7 +166,7 @@ func validateNonAnchorOverlayMap(resourceMap, overlayWithoutAnchor map[string]in
 				continue
 			}
 		}
-		if newPath, err := checkConditions(resourceValue, overlayValue, curPath); !reflect.DeepEqual(err, overlayError{}) {
+		if newPath, err := checkConditions(log.Log, resourceValue, overlayValue, curPath); !reflect.DeepEqual(err, overlayError{}) {
 			return newPath, err
 		}
 	}
@@ -180,7 +180,7 @@ func checkConditionsOnArrayOfSameTypes(resource, overlay []interface{}, path str
 	default:
 		for i, overlayElement := range overlay {
 			curPath := path + strconv.Itoa(i) + "/"
-			path, err := checkConditions(resource[i], overlayElement, curPath)
+			path, err := checkConditions(log.Log, resource[i], overlayElement, curPath)
 			if !reflect.DeepEqual(err, overlayError{}) {
 				return path, err
 			}
diff --git a/pkg/engine/mutate/overlayCondition_test.go b/pkg/engine/mutate/overlayCondition_test.go
index b898acfbcd..e157a126b3 100644
--- a/pkg/engine/mutate/overlayCondition_test.go
+++ b/pkg/engine/mutate/overlayCondition_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestMeetConditions_NoAnchor(t *testing.T) {
@@ -28,7 +29,7 @@ func TestMeetConditions_NoAnchor(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err := meetConditions(nil, overlay)
+	_, err := meetConditions(log.Log, nil, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -81,7 +82,7 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err := meetConditions(resource, overlay)
+	_, err := meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, !reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`
@@ -101,7 +102,7 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, overlayerr := meetConditions(resource, overlay)
+	_, overlayerr := meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 }
 
@@ -140,7 +141,7 @@ func TestMeetConditions_DifferentTypes(t *testing.T) {
 	json.Unmarshal(overlayRaw, &overlay)
 
 	// anchor exist
-	_, err := meetConditions(resource, overlay)
+	_, err := meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, strings.Contains(err.Error(), "Found anchor on different types of element at path /subsets/"))
 }
 
@@ -193,7 +194,7 @@ func TestMeetConditions_anchosInSameObject(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err := meetConditions(resource, overlay)
+	_, err := meetConditions(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value 443 with overlay 444")
 }
 
@@ -251,7 +252,7 @@ func TestMeetConditions_anchorOnPeer(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err := meetConditions(resource, overlay)
+	_, err := meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -328,7 +329,7 @@ func TestMeetConditions_anchorsOnMetaAndSpec(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err := meetConditions(resource, overlay)
+	_, err := meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -409,7 +410,7 @@ func TestMeetConditions_anchorsOnPeer_single(t *testing.T) {
 	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err := meetConditions(resource, overlay)
+	_, err := meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -443,7 +444,7 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err := meetConditions(resource, overlay)
+	_, err := meetConditions(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value true with overlay false")
 
 	overlayRaw = []byte(`{
@@ -472,7 +473,7 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -501,7 +502,7 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -535,7 +536,7 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err := meetConditions(resource, overlay)
+	_, err := meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -564,7 +565,7 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -593,7 +594,7 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value ENV_VALUE with overlay ENV_VALUE1")
 }
 
@@ -652,7 +653,7 @@ func TestMeetConditions_AtleastOneExist(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	path, err := meetConditions(resource, overlay)
+	path, err := meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(path) == 0)
 }
diff --git a/pkg/engine/mutate/overlay_test.go b/pkg/engine/mutate/overlay_test.go
index 8c062fe58d..5c7135b6b7 100644
--- a/pkg/engine/mutate/overlay_test.go
+++ b/pkg/engine/mutate/overlay_test.go
@@ -8,6 +8,7 @@ import (
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func compareJSONAsMap(t *testing.T, expected, actual []byte) {
@@ -66,7 +67,7 @@ func TestProcessOverlayPatches_NestedListWithAnchor(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, patches != nil)
 
@@ -166,7 +167,7 @@ func TestProcessOverlayPatches_InsertIntoArray(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, patches != nil)
 
@@ -287,7 +288,7 @@ func TestProcessOverlayPatches_TestInsertToArray(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, patches != nil)
 
@@ -370,7 +371,7 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -458,7 +459,7 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, err = processOverlayPatches(resource, overlay)
+	patches, err = processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -494,7 +495,7 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, err = processOverlayPatches(resource, overlay)
+	patches, err = processOverlayPatches(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /spec/template/metadata/labels/app/, [overlayError:0] Failed validating value nginx with overlay nginx1")
 	assert.Assert(t, len(patches) == 0)
 }
@@ -523,7 +524,7 @@ func TestProcessOverlayPatches_AddingAnchor(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -608,7 +609,7 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -686,7 +687,7 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, err = processOverlayPatches(resource, overlay)
+	patches, err = processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -750,7 +751,7 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -807,7 +808,7 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) {
 
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, err = processOverlayPatches(resource, overlay)
+	patches, err = processOverlayPatches(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /subsets/0/ports/0/port/, [overlayError:0] Failed validating value 443 with overlay 444")
 	assert.Assert(t, len(patches) == 0)
 }
@@ -889,7 +890,7 @@ func TestProcessOverlayPatches_insertWithCondition(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -1000,7 +1001,7 @@ func TestProcessOverlayPatches_InsertIfNotPresentWithConditions(t *testing.T) {
 	json.Unmarshal(resourceRaw, &resource)
 	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
diff --git a/pkg/engine/mutate/patches.go b/pkg/engine/mutate/patches.go
index 61fc93ecea..7b294bbca9 100644
--- a/pkg/engine/mutate/patches.go
+++ b/pkg/engine/mutate/patches.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
@@ -20,21 +20,22 @@ func applyPatch(resource []byte, patchRaw []byte) ([]byte, error) {
 }
 
 //ProcessPatches applies the patches on the resource and returns the patched resource
-func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
+func ProcessPatches(log logr.Logger, rule kyverno.Rule, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
+	logger := log.WithValues("rule", rule.Name)
 	startTime := time.Now()
-	glog.V(4).Infof("started JSON patch rule %q (%v)", rule.Name, startTime)
+	logger.V(4).Info("started JSON patch", "startTime", startTime)
 	resp.Name = rule.Name
 	resp.Type = utils.Mutation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		glog.V(4).Infof("finished JSON patch rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
+		logger.V(4).Info("finished JSON patch", "processingTime", resp.RuleStats.ProcessingTime)
 	}()
 
 	// convert to RAW
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
 		resp.Success = false
-		glog.Infof("unable to marshall resource: %v", err)
+		logger.Error(err, "failed to marshal resource")
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
 	}
@@ -45,14 +46,14 @@ func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 		// JSON patch
 		patchRaw, err := json.Marshal(patch)
 		if err != nil {
-			glog.V(4).Infof("failed to marshall JSON patch %v: %v", patch, err)
+			logger.Error(err, "failed to marshal JSON patch")
 			errs = append(errs, err)
 			continue
 		}
 		patchResource, err := applyPatch(resourceRaw, patchRaw)
 		// TODO: continue on error if one of the patches fails, will add the failure event in such case
 		if err != nil && patch.Operation == "remove" {
-			glog.Info(err)
+			log.Error(err, "failed to process JSON path or patch is a 'remove' operation")
 			continue
 		}
 		if err != nil {
@@ -77,7 +78,7 @@ func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 	}
 	err = patchedResource.UnmarshalJSON(resourceRaw)
 	if err != nil {
-		glog.Infof("failed to unmarshall resource to undstructured: %v", err)
+		logger.Error(err, "failed to unmmarshal resource")
 		resp.Success = false
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
diff --git a/pkg/engine/mutate/patches_test.go b/pkg/engine/mutate/patches_test.go
index f38b68d2c4..1b617d5517 100644
--- a/pkg/engine/mutate/patches_test.go
+++ b/pkg/engine/mutate/patches_test.go
@@ -5,6 +5,7 @@ import (
 
 	"gotest.tools/assert"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	types "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
@@ -41,7 +42,7 @@ func TestProcessPatches_EmptyPatches(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(emptyRule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, emptyRule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -70,14 +71,14 @@ func makeRuleWithPatches(patches []types.Patch) types.Rule {
 
 func TestProcessPatches_EmptyDocument(t *testing.T) {
 	rule := makeRuleWithPatch(makeAddIsMutatedLabelPatch())
-	rr, _ := ProcessPatches(rule, unstructured.Unstructured{})
+	rr, _ := ProcessPatches(log.Log, rule, unstructured.Unstructured{})
 	assert.Assert(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
 
 func TestProcessPatches_AllEmpty(t *testing.T) {
 	emptyRule := types.Rule{}
-	rr, _ := ProcessPatches(emptyRule, unstructured.Unstructured{})
+	rr, _ := ProcessPatches(log.Log, emptyRule, unstructured.Unstructured{})
 	assert.Check(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -90,7 +91,7 @@ func TestProcessPatches_AddPathDoesntExist(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -102,7 +103,7 @@ func TestProcessPatches_RemovePathDoesntExist(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -115,7 +116,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_EmptyResult(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -129,7 +130,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_ContinueOnError_NotEmptyResul
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) != 0)
 	assertEqStringAndData(t, `{"path":"/metadata/labels/label3","op":"add","value":"label3Value"}`, rr.Patches[0])
@@ -142,7 +143,7 @@ func TestProcessPatches_RemovePathDoesntExist_EmptyResult(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -155,7 +156,7 @@ func TestProcessPatches_RemovePathDoesntExist_NotEmptyResult(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 1)
 	assertEqStringAndData(t, `{"path":"/metadata/labels/label2","op":"add","value":"label2Value"}`, rr.Patches[0])
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 52a356dcb1..b147f5b490 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -10,8 +10,8 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/mutate"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
-	"github.com/nirmata/kyverno/pkg/log"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -74,7 +74,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 				continue
 			}
 
-			ruleResponse, patchedResource = mutate.ProcessOverlay(rule.Name, overlay, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, rule.Name, overlay, patchedResource)
 			if ruleResponse.Success {
 				// - overlay pattern does not match the resource conditions
 				if ruleResponse.Patches == nil {
@@ -90,7 +90,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		// Process Patches
 		if rule.Mutation.Patches != nil {
 			var ruleResponse response.RuleResponse
-			ruleResponse, patchedResource = mutate.ProcessPatches(rule, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessPatches(logger, rule, patchedResource)
 			logger.V(4).Info("patches applied successfully")
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount(&resp)
@@ -104,7 +104,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 
 		if strings.Contains(PodControllers, resource.GetKind()) {
 			var ruleResponse response.RuleResponse
-			ruleResponse, patchedResource = mutate.ProcessOverlay(rule.Name, podTemplateRule, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, rule.Name, podTemplateRule, patchedResource)
 			if !ruleResponse.Success {
 				logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
 				continue
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index a6c9b39734..1ee8449d23 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -6,10 +6,10 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/nirmata/kyverno/pkg/log"
 	"github.com/nirmata/kyverno/pkg/utils"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
diff --git a/pkg/engine/validate/pattern_test.go b/pkg/engine/validate/pattern_test.go
index 6783376aeb..8d8d437d2b 100644
--- a/pkg/engine/validate/pattern_test.go
+++ b/pkg/engine/validate/pattern_test.go
@@ -5,8 +5,8 @@ import (
 	"testing"
 
 	"github.com/nirmata/kyverno/pkg/engine/operator"
-	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestValidateValueWithPattern_Bool(t *testing.T) {
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index bf18787324..49854cb842 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@@ -4,8 +4,8 @@ import (
 	"encoding/json"
 	"testing"
 
-	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestValidateMap(t *testing.T) {
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index eb94649361..5c38dd47b3 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -12,8 +12,8 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"github.com/nirmata/kyverno/pkg/engine/validate"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
-	"github.com/nirmata/kyverno/pkg/log"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //Validate applies validation rules from policy on the resource
diff --git a/pkg/engine/variables/evaluate_test.go b/pkg/engine/variables/evaluate_test.go
index 78bc599672..d7d409b8f5 100644
--- a/pkg/engine/variables/evaluate_test.go
+++ b/pkg/engine/variables/evaluate_test.go
@@ -6,7 +6,7 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
-	"github.com/nirmata/kyverno/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // STRINGS
diff --git a/pkg/engine/variables/variables_test.go b/pkg/engine/variables/variables_test.go
index 45b0ac58f8..e01bf4f820 100644
--- a/pkg/engine/variables/variables_test.go
+++ b/pkg/engine/variables/variables_test.go
@@ -6,8 +6,8 @@ import (
 	"testing"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"github.com/nirmata/kyverno/pkg/log"
 	authenticationv1 "k8s.io/api/authentication/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
diff --git a/pkg/engine/variables/vars_test.go b/pkg/engine/variables/vars_test.go
index 33745ea81f..aae517a082 100644
--- a/pkg/engine/variables/vars_test.go
+++ b/pkg/engine/variables/vars_test.go
@@ -5,8 +5,8 @@ import (
 	"testing"
 
 	"github.com/nirmata/kyverno/pkg/engine/context"
-	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Test_subVars_success(t *testing.T) {
diff --git a/pkg/generate/cleanup/cleanup.go b/pkg/generate/cleanup/cleanup.go
index d25fddd44e..de1758aeba 100644
--- a/pkg/generate/cleanup/cleanup.go
+++ b/pkg/generate/cleanup/cleanup.go
@@ -1,19 +1,20 @@
 package cleanup
 
 import (
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
 func (c *Controller) processGR(gr kyverno.GenerateRequest) error {
+	logger := c.log.WithValues("kind", gr.Kind, "namespace", gr.Namespace, "name", gr.Name)
 	// 1- Corresponding policy has been deleted
 	// then we dont delete the generated resources
 
 	// 2- The trigger resource is deleted, then delete the generated resources
-	if !ownerResourceExists(c.client, gr) {
-		if err := deleteGeneratedResources(c.client, gr); err != nil {
+	if !ownerResourceExists(logger, c.client, gr) {
+		if err := deleteGeneratedResources(logger, c.client, gr); err != nil {
 			return err
 		}
 		// - trigger-resource is deleted
@@ -24,25 +25,25 @@ func (c *Controller) processGR(gr kyverno.GenerateRequest) error {
 	return nil
 }
 
-func ownerResourceExists(client *dclient.Client, gr kyverno.GenerateRequest) bool {
+func ownerResourceExists(log logr.Logger, client *dclient.Client, gr kyverno.GenerateRequest) bool {
 	_, err := client.GetResource(gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name)
 	// trigger resources has been deleted
 	if apierrors.IsNotFound(err) {
 		return false
 	}
 	if err != nil {
-		glog.V(4).Infof("Failed to get resource %s/%s/%s: error : %s", gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name, err)
+		log.Error(err, "failed to get resource", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name)
 	}
 	// if there was an error while querying the resources we dont delete the generated resources
 	// but expect the deletion in next reconciliation loop
 	return true
 }
 
-func deleteGeneratedResources(client *dclient.Client, gr kyverno.GenerateRequest) error {
+func deleteGeneratedResources(log logr.Logger, client *dclient.Client, gr kyverno.GenerateRequest) error {
 	for _, genResource := range gr.Status.GeneratedResources {
 		err := client.DeleteResource(genResource.Kind, genResource.Namespace, genResource.Name, false)
 		if apierrors.IsNotFound(err) {
-			glog.V(4).Infof("resource %s/%s/%s not found, will no delete", genResource.Kind, genResource.Namespace, genResource.Name)
+			log.Error(err, "resource not foundl will not delete", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name)
 			continue
 		}
 		if err != nil {
diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go
index b7cc7a2d46..2c31254219 100644
--- a/pkg/generate/cleanup/controller.go
+++ b/pkg/generate/cleanup/controller.go
@@ -3,8 +3,6 @@ package cleanup
 import (
 	"time"
 
-	"github.com/golang/glog"
-
 	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
@@ -181,7 +179,7 @@ func (c *Controller) enqueue(gr *kyverno.GenerateRequest) {
 	logger := c.log
 	key, err := cache.MetaNamespaceKeyFunc(gr)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to extract key")
 		return
 	}
 	logger.V(4).Info("eneque generate request", "name", gr.Name)
diff --git a/pkg/generate/labels.go b/pkg/generate/labels.go
index 312d49c1e7..c7d67b5a55 100644
--- a/pkg/generate/labels.go
+++ b/pkg/generate/labels.go
@@ -3,8 +3,8 @@ package generate
 import (
 	"fmt"
 
-	"github.com/nirmata/kyverno/pkg/log"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func manageLabels(unstr *unstructured.Unstructured, triggerResource unstructured.Unstructured) {
diff --git a/pkg/generate/status.go b/pkg/generate/status.go
index 70d9539053..db0182f89a 100644
--- a/pkg/generate/status.go
+++ b/pkg/generate/status.go
@@ -1,9 +1,9 @@
 package generate
 
 import (
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //StatusControlInterface provides interface to update status subresource
@@ -25,10 +25,10 @@ func (sc StatusControl) Failed(gr kyverno.GenerateRequest, message string, genRe
 	gr.Status.GeneratedResources = genResources
 	_, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr)
 	if err != nil {
-		glog.V(4).Infof("FAILED: updated gr %s status to %s", gr.Name, string(kyverno.Failed))
+		log.Log.Error(err, "failed to update generate request status", "name", gr.Name)
 		return err
 	}
-	glog.V(4).Infof("updated gr %s status to %s", gr.Name, string(kyverno.Failed))
+	log.Log.Info("updated generate request status", "name", gr.Name, "status", string(kyverno.Failed))
 	return nil
 }
 
@@ -41,9 +41,9 @@ func (sc StatusControl) Success(gr kyverno.GenerateRequest, genResources []kyver
 
 	_, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr)
 	if err != nil {
-		glog.V(4).Infof("FAILED: updated gr %s status to %s", gr.Name, string(kyverno.Completed))
+		log.Log.Error(err, "failed to update generate request status", "name", gr.Name)
 		return err
 	}
-	glog.V(4).Infof("updated gr %s status to %s", gr.Name, string(kyverno.Completed))
+	log.Log.Info("updated generate request status", "name", gr.Name, "status", string(kyverno.Completed))
 	return nil
 }
diff --git a/pkg/log/deleg.go b/pkg/log/deleg.go
deleted file mode 100644
index 4bfee0b69b..0000000000
--- a/pkg/log/deleg.go
+++ /dev/null
@@ -1,121 +0,0 @@
-package log
-
-import (
-	"sync"
-
-	"github.com/go-logr/logr"
-)
-
-// loggerPromise knows how to populate a concrete logr.Logger
-// with options, given an actual base logger later on down the line.
-type loggerPromise struct {
-	logger        *DelegatingLogger
-	childPromises []*loggerPromise
-	promisesLock  sync.Mutex
-
-	name *string
-	tags []interface{}
-}
-
-// WithName provides a new Logger with the name appended
-func (p *loggerPromise) WithName(l *DelegatingLogger, name string) *loggerPromise {
-	res := &loggerPromise{
-		logger:       l,
-		name:         &name,
-		promisesLock: sync.Mutex{},
-	}
-
-	p.promisesLock.Lock()
-	defer p.promisesLock.Unlock()
-	p.childPromises = append(p.childPromises, res)
-	return res
-}
-
-// WithValues provides a new Logger with the tags appended
-func (p *loggerPromise) WithValues(l *DelegatingLogger, tags ...interface{}) *loggerPromise {
-	res := &loggerPromise{
-		logger:       l,
-		tags:         tags,
-		promisesLock: sync.Mutex{},
-	}
-
-	p.promisesLock.Lock()
-	defer p.promisesLock.Unlock()
-	p.childPromises = append(p.childPromises, res)
-	return res
-}
-
-// Fulfill instantiates the Logger with the provided logger
-func (p *loggerPromise) Fulfill(parentLogger logr.Logger) {
-	var logger = parentLogger
-	if p.name != nil {
-		logger = logger.WithName(*p.name)
-	}
-
-	if p.tags != nil {
-		logger = logger.WithValues(p.tags...)
-	}
-
-	p.logger.Logger = logger
-	p.logger.promise = nil
-
-	for _, childPromise := range p.childPromises {
-		childPromise.Fulfill(logger)
-	}
-}
-
-// DelegatingLogger is a logr.Logger that delegates to another logr.Logger.
-// If the underlying promise is not nil, it registers calls to sub-loggers with
-// the logging factory to be populated later, and returns a new delegating
-// logger.  It expects to have *some* logr.Logger set at all times (generally
-// a no-op logger before the promises are fulfilled).
-type DelegatingLogger struct {
-	logr.Logger
-	promise *loggerPromise
-}
-
-// WithName provides a new Logger with the name appended
-func (l *DelegatingLogger) WithName(name string) logr.Logger {
-	if l.promise == nil {
-		return l.Logger.WithName(name)
-	}
-
-	res := &DelegatingLogger{Logger: l.Logger}
-	promise := l.promise.WithName(res, name)
-	res.promise = promise
-
-	return res
-}
-
-// WithValues provides a new Logger with the tags appended
-func (l *DelegatingLogger) WithValues(tags ...interface{}) logr.Logger {
-	if l.promise == nil {
-		return l.Logger.WithValues(tags...)
-	}
-
-	res := &DelegatingLogger{Logger: l.Logger}
-	promise := l.promise.WithValues(res, tags...)
-	res.promise = promise
-
-	return res
-}
-
-// Fulfill switches the logger over to use the actual logger
-// provided, instead of the temporary initial one, if this method
-// has not been previously called.
-func (l *DelegatingLogger) Fulfill(actual logr.Logger) {
-	if l.promise != nil {
-		l.promise.Fulfill(actual)
-	}
-}
-
-// NewDelegatingLogger constructs a new DelegatingLogger which uses
-// the given logger before it's promise is fulfilled.
-func NewDelegatingLogger(initial logr.Logger) *DelegatingLogger {
-	l := &DelegatingLogger{
-		Logger:  initial,
-		promise: &loggerPromise{promisesLock: sync.Mutex{}},
-	}
-	l.promise.logger = l
-	return l
-}
diff --git a/pkg/log/log.go b/pkg/log/log.go
deleted file mode 100644
index d8ec75b46c..0000000000
--- a/pkg/log/log.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package log
-
-import (
-	"github.com/go-logr/logr"
-)
-
-// SetLogger sets a concrete logging implementation for all deferred Loggers.
-func SetLogger(l logr.Logger) {
-	Log.Fulfill(l)
-}
-
-// Log is the base logger used by kubebuilder.  It delegates
-// to another logr.Logger.  You *must* call SetLogger to
-// get any actual logging.
-var Log = NewDelegatingLogger(NullLogger{})
diff --git a/pkg/log/null.go b/pkg/log/null.go
deleted file mode 100644
index 7e806e032c..0000000000
--- a/pkg/log/null.go
+++ /dev/null
@@ -1,44 +0,0 @@
-package log
-
-import (
-	"github.com/go-logr/logr"
-)
-
-// NB: this is the same as the null logger logr/testing,
-// but avoids accidentally adding the testing flags to
-// all binaries.
-
-// NullLogger is a logr.Logger that does nothing.
-type NullLogger struct{}
-
-var _ logr.Logger = NullLogger{}
-
-// Info implements logr.InfoLogger
-func (NullLogger) Info(_ string, _ ...interface{}) {
-	// Do nothing.
-}
-
-// Enabled implements logr.InfoLogger
-func (NullLogger) Enabled() bool {
-	return false
-}
-
-// Error implements logr.Logger
-func (NullLogger) Error(_ error, _ string, _ ...interface{}) {
-	// Do nothing.
-}
-
-// V implements logr.Logger
-func (log NullLogger) V(_ int) logr.InfoLogger {
-	return log
-}
-
-// WithName implements logr.Logger
-func (log NullLogger) WithName(_ string) logr.Logger {
-	return log
-}
-
-// WithValues implements logr.Logger
-func (log NullLogger) WithValues(_ ...interface{}) logr.Logger {
-	return log
-}
diff --git a/pkg/policy/actions.go b/pkg/policy/actions.go
index 6042177ecf..5c81181cf8 100644
--- a/pkg/policy/actions.go
+++ b/pkg/policy/actions.go
@@ -5,10 +5,10 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
-	"github.com/nirmata/kyverno/pkg/log"
 	"github.com/nirmata/kyverno/pkg/policy/generate"
 	"github.com/nirmata/kyverno/pkg/policy/mutate"
 	"github.com/nirmata/kyverno/pkg/policy/validate"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //Validation provides methods to validate a rule
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index cec13c74d7..2331359534 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -6,7 +6,7 @@ import (
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
-	"github.com/nirmata/kyverno/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //ContainsUserInfo returns error is userInfo is defined
diff --git a/pkg/policy/clusterpv.go b/pkg/policy/clusterpv.go
index 0f9f2564ae..35704f72d8 100644
--- a/pkg/policy/clusterpv.go
+++ b/pkg/policy/clusterpv.go
@@ -1,15 +1,13 @@
 package policy
 
 import (
-	"fmt"
-
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"k8s.io/client-go/tools/cache"
 )
 
 func (pc *PolicyController) addClusterPolicyViolation(obj interface{}) {
 	pv := obj.(*kyverno.ClusterPolicyViolation)
+	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 
 	if pv.DeletionTimestamp != nil {
 		// On a restart of the controller manager, it's possible for an object to
@@ -22,15 +20,15 @@ func (pc *PolicyController) addClusterPolicyViolation(obj interface{}) {
 	ps := pc.getPolicyForClusterPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name)
+		logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
-			glog.Errorf("Failed to deleted cluster policy violation %s: %v", pv.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("Cluster Policy Violation %s deleted", pv.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Cluster Policy Violation %s added.", pv.Name)
+	logger.V(4).Info("resource added")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -44,19 +42,20 @@ func (pc *PolicyController) updateClusterPolicyViolation(old, cur interface{}) {
 		// Two different versions of the same replica set will always have different RVs.
 		return
 	}
+	logger := pc.log.WithValues("kind", curPV.Kind, "namespace", curPV.Namespace, "name", curPV.Name)
 
 	ps := pc.getPolicyForClusterPolicyViolation(curPV)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", curPV.Name)
+		logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteClusterPolicyViolation(curPV.Name); err != nil {
-			glog.Errorf("Failed to deleted cluster policy violation %s: %v", curPV.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("PolicyViolation %s deleted", curPV.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Cluster PolicyViolation %s updated", curPV.Name)
+	logger.V(4).Info("resource updated")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -67,6 +66,7 @@ func (pc *PolicyController) updateClusterPolicyViolation(old, cur interface{}) {
 // a DeletionFinalStateUnknown marker item.
 
 func (pc *PolicyController) deleteClusterPolicyViolation(obj interface{}) {
+	logger := pc.log
 	pv, ok := obj.(*kyverno.ClusterPolicyViolation)
 	// When a delete is dropped, the relist will notice a PolicyViolation in the store not
 	// in the list, leading to the insertion of a tombstone object which contains
@@ -75,33 +75,35 @@ func (pc *PolicyController) deleteClusterPolicyViolation(obj interface{}) {
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		pv, ok = tombstone.Obj.(*kyverno.ClusterPolicyViolation)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 	}
+	logger = logger.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	ps := pc.getPolicyForClusterPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name)
+		logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
-			glog.Errorf("Failed to deleted cluster policy violation %s: %v", pv.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("Cluster Policy Violation %s deleted", pv.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Cluster PolicyViolation %s updated", pv.Name)
+	logger.V(4).Info("resource updated")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
 }
 
 func (pc *PolicyController) getPolicyForClusterPolicyViolation(pv *kyverno.ClusterPolicyViolation) []*kyverno.ClusterPolicy {
+	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	policies, err := pc.pLister.GetPolicyForPolicyViolation(pv)
 	if err != nil || len(policies) == 0 {
 		return nil
@@ -113,8 +115,7 @@ func (pc *PolicyController) getPolicyForClusterPolicyViolation(pv *kyverno.Clust
 	if len(policies) > 1 {
 		// ControllerRef will ensure we don't do anything crazy, but more than one
 		// item in this list nevertheless constitutes user error.
-		glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s",
-			pv.Name, pv.Labels, policies[0].Name)
+		logger.V(4).Info("user error! more than one policy is selecting policy violation", "labels", pv.Labels, "policy", policies[0].Name)
 	}
 	return policies
 }
diff --git a/pkg/policy/common.go b/pkg/policy/common.go
index b4d6155abc..cb99b9dd2f 100644
--- a/pkg/policy/common.go
+++ b/pkg/policy/common.go
@@ -3,10 +3,10 @@ package policy
 import (
 	"fmt"
 
-	"github.com/golang/glog"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func buildPolicyLabel(policyName string) (labels.Selector, error) {
@@ -27,7 +27,7 @@ func buildPolicyLabel(policyName string) (labels.Selector, error) {
 func transformResource(resource unstructured.Unstructured) []byte {
 	data, err := resource.MarshalJSON()
 	if err != nil {
-		glog.Errorf("failed to marshall resource %v: %v", resource, err)
+		log.Log.Error(err, "failed to marshal resource")
 		return nil
 	}
 	return data
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index 822f11621e..9c6887c0a8 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -148,7 +148,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 
 	// aggregator
 	// pc.statusAggregator = NewPolicyStatAggregator(kyvernoClient, pInformer)
-	pc.statusAggregator = NewPolicyStatAggregator(kyvernoClient)
+	pc.statusAggregator = NewPolicyStatAggregator(pc.log, kyvernoClient)
 
 	return &pc, nil
 }
diff --git a/pkg/policy/namespacedpv.go b/pkg/policy/namespacedpv.go
index 828ae7806f..8dd83d1f12 100644
--- a/pkg/policy/namespacedpv.go
+++ b/pkg/policy/namespacedpv.go
@@ -1,14 +1,13 @@
 package policy
 
 import (
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	cache "k8s.io/client-go/tools/cache"
 )
 
 func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
-	logger := pc.log
 	pv := obj.(*kyverno.PolicyViolation)
+	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 
 	if pv.DeletionTimestamp != nil {
 		// On a restart of the controller manager, it's possible for an object to
@@ -21,16 +20,16 @@ func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
 	ps := pc.getPolicyForNamespacedPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		logger.V(4).Info("namepaced policy violation does not belong to any active policy, will be cleanedup", "namespacePolicyViolation", pv.Name)
+		logger.V(4).Info("namepaced policy violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil {
-			logger.Error(err, "failed to delete namespaced policy violation", "namespacedPolicyViolation", pv.Name)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		logger.V(4).Info("resource delete", "namespacePOlicyViolation", pv.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
 
-	glog.V(4).Infof("Orphan Policy Violation %s added.", pv.Name)
+	logger.V(4).Info("resource added")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -44,19 +43,20 @@ func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}
 		// Two different versions of the same replica set will always have different RVs.
 		return
 	}
+	logger := pc.log.WithValues("kind", curPV.Kind, "namespace", curPV.Namespace, "name", curPV.Name)
 
 	ps := pc.getPolicyForNamespacedPolicyViolation(curPV)
 	if len(ps) == 0 {
 		// there is no namespaced policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Namespaced Policy Violation %s does not belong to an active policy, will be cleanedup", curPV.Name)
+		logger.V(4).Info("nameapced policy violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(curPV.Namespace, curPV.Name); err != nil {
-			glog.Errorf("Failed to deleted namespaced policy violation %s: %v", curPV.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("Namespaced Policy Violation %s deleted", curPV.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Namespaced Policy sViolation %s updated", curPV.Name)
+	logger.V(4).Info("resource updated")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -64,6 +64,7 @@ func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}
 }
 
 func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
+	logger := pc.log
 	pv, ok := obj.(*kyverno.PolicyViolation)
 	// When a delete is dropped, the relist will notice a PolicyViolation in the store not
 	// in the list, leading to the insertion of a tombstone object which contains
@@ -72,34 +73,36 @@ func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Infof("Couldn't get object from tombstone %#v", obj)
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		pv, ok = tombstone.Obj.(*kyverno.PolicyViolation)
 		if !ok {
-			glog.Infof("Couldn't get object from tombstone %#v", obj)
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 	}
 
+	logger = logger.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	ps := pc.getPolicyForNamespacedPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Namespaced Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name)
+		logger.V(4).Info("nameapced policy violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil {
-			glog.Errorf("Failed to deleted namespaced policy violation %s: %v", pv.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("Namespaced Policy Violation %s deleted", pv.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Namespaced PolicyViolation %s updated", pv.Name)
+	logger.V(4).Info("resource updated")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
 }
 
 func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.PolicyViolation) []*kyverno.ClusterPolicy {
+	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	policies, err := pc.pLister.GetPolicyForNamespacedPolicyViolation(pv)
 	if err != nil || len(policies) == 0 {
 		return nil
@@ -111,8 +114,7 @@ func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.Po
 	if len(policies) > 1 {
 		// ControllerRef will ensure we don't do anything crazy, but more than one
 		// item in this list nevertheless constitutes user error.
-		glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s",
-			pv.Name, pv.Labels, policies[0].Name)
+		logger.V(4).Info("user error! more than one policy is selecting policy violation", "labels", pv.Labels, "policy", policies[0].Name)
 	}
 	return policies
 }
diff --git a/pkg/policy/report.go b/pkg/policy/report.go
index 3eb7502125..a10b93ab09 100644
--- a/pkg/policy/report.go
+++ b/pkg/policy/report.go
@@ -3,7 +3,7 @@ package policy
 import (
 	"fmt"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/policyviolation"
@@ -15,7 +15,7 @@ import (
 func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineResponse) {
 	logger := pc.log
 	// generate Events
-	eventInfos := generateEvents(engineResponses)
+	eventInfos := generateEvents(pc.log, engineResponses)
 	pc.eventGen.Add(eventInfos...)
 	// create policy violation
 	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
@@ -26,26 +26,27 @@ func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineRe
 	pc.cleanUp(engineResponses)
 }
 
-func generateEvents(ers []response.EngineResponse) []event.Info {
+func generateEvents(log logr.Logger, ers []response.EngineResponse) []event.Info {
 	var eventInfos []event.Info
 	for _, er := range ers {
 		if er.IsSuccesful() {
 			continue
 		}
-		eventInfos = append(eventInfos, generateEventsPerEr(er)...)
+		eventInfos = append(eventInfos, generateEventsPerEr(log, er)...)
 	}
 	return eventInfos
 }
 
-func generateEventsPerEr(er response.EngineResponse) []event.Info {
+func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.Info {
+	logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
 	var eventInfos []event.Info
-	glog.V(4).Infof("reporting results for policy '%s' application on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
+	logger.V(4).Info("reporting results for policy")
 	for _, rule := range er.PolicyResponse.Rules {
 		if rule.Success {
 			continue
 		}
 		// generate event on resource for each failed rule
-		glog.V(4).Infof("generation event on resource '%s/%s/%s' for policy '%s'", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name, er.PolicyResponse.Policy)
+		logger.V(4).Info("generating event on resource")
 		e := event.Info{}
 		e.Kind = er.PolicyResponse.Resource.Kind
 		e.Namespace = er.PolicyResponse.Resource.Namespace
@@ -60,7 +61,7 @@ func generateEventsPerEr(er response.EngineResponse) []event.Info {
 	}
 
 	// generate a event on policy for all failed rules
-	glog.V(4).Infof("generation event on policy '%s'", er.PolicyResponse.Policy)
+	logger.V(4).Info("generating event on policy")
 	e := event.Info{}
 	e.Kind = "ClusterPolicy"
 	e.Namespace = ""
diff --git a/pkg/policy/status.go b/pkg/policy/status.go
index 8d4beb4f02..2a10eccecf 100644
--- a/pkg/policy/status.go
+++ b/pkg/policy/status.go
@@ -4,7 +4,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -21,24 +21,28 @@ type PolicyStatusAggregator struct {
 	mux sync.RWMutex
 	// stores aggregated stats for policy
 	policyData map[string]PolicyStatInfo
+	// logging implementation
+	log logr.Logger
 }
 
 //NewPolicyStatAggregator returns a new policy status
-func NewPolicyStatAggregator(client *kyvernoclient.Clientset) *PolicyStatusAggregator {
+func NewPolicyStatAggregator(log logr.Logger, client *kyvernoclient.Clientset) *PolicyStatusAggregator {
 	psa := PolicyStatusAggregator{
 		startTime:  time.Now(),
 		ch:         make(chan PolicyStat),
 		policyData: map[string]PolicyStatInfo{},
+		log:        log,
 	}
 	return &psa
 }
 
 //Run begins aggregator
 func (psa *PolicyStatusAggregator) Run(workers int, stopCh <-chan struct{}) {
+	logger := psa.log
 	defer utilruntime.HandleCrash()
-	glog.V(4).Info("Started aggregator for policy status stats")
+	logger.Info("Started aggregator for policy status stats")
 	defer func() {
-		glog.V(4).Info("Shutting down aggregator for policy status stats")
+		logger.Info("Shutting down aggregator for policy status stats")
 	}()
 	for i := 0; i < workers; i++ {
 		go wait.Until(psa.process, time.Second, stopCh)
@@ -53,30 +57,31 @@ func (psa *PolicyStatusAggregator) process() {
 	// so we dont combine the results, but instead compute the execution time for
 	// mutation & validation rules separately
 	for r := range psa.ch {
-		glog.V(4).Infof("received policy stats %v", r)
+		psa.log.V(4).Info("received policy stats", "stats", r)
 		psa.aggregate(r)
 	}
 }
 
 func (psa *PolicyStatusAggregator) aggregate(ps PolicyStat) {
+	logger := psa.log.WithValues("policy", ps.PolicyName)
 	func() {
-		glog.V(4).Infof("write lock update policy %s", ps.PolicyName)
+		logger.V(4).Info("write lock update policy")
 		psa.mux.Lock()
 	}()
 	defer func() {
-		glog.V(4).Infof("write Unlock update policy %s", ps.PolicyName)
+		logger.V(4).Info("write unlock update policy")
 		psa.mux.Unlock()
 	}()
 
 	if len(ps.Stats.Rules) == 0 {
-		glog.V(4).Infof("ignoring stats, as no rule was applied")
+		logger.V(4).Info("ignoring stats, as no rule was applied")
 		return
 	}
 
 	info, ok := psa.policyData[ps.PolicyName]
 	if !ok {
 		psa.policyData[ps.PolicyName] = ps.Stats
-		glog.V(4).Infof("added stats for policy %s", ps.PolicyName)
+		logger.V(4).Info("added stats for policy")
 		return
 	}
 	// aggregate policy information
@@ -87,19 +92,19 @@ func (psa *PolicyStatusAggregator) aggregate(ps PolicyStat) {
 	var zeroDuration time.Duration
 	if info.MutationExecutionTime != zeroDuration {
 		info.MutationExecutionTime = (info.MutationExecutionTime + ps.Stats.MutationExecutionTime) / 2
-		glog.V(4).Infof("updated avg mutation time %v", info.MutationExecutionTime)
+		logger.V(4).Info("updated avg mutation time", "updatedTime", info.MutationExecutionTime)
 	} else {
 		info.MutationExecutionTime = ps.Stats.MutationExecutionTime
 	}
 	if info.ValidationExecutionTime != zeroDuration {
 		info.ValidationExecutionTime = (info.ValidationExecutionTime + ps.Stats.ValidationExecutionTime) / 2
-		glog.V(4).Infof("updated avg validation time %v", info.ValidationExecutionTime)
+		logger.V(4).Info("updated avg validation time", "updatedTime", info.ValidationExecutionTime)
 	} else {
 		info.ValidationExecutionTime = ps.Stats.ValidationExecutionTime
 	}
 	if info.GenerationExecutionTime != zeroDuration {
 		info.GenerationExecutionTime = (info.GenerationExecutionTime + ps.Stats.GenerationExecutionTime) / 2
-		glog.V(4).Infof("updated avg generation time %v", info.GenerationExecutionTime)
+		logger.V(4).Info("updated avg generation time", "updatedTime", info.GenerationExecutionTime)
 	} else {
 		info.GenerationExecutionTime = ps.Stats.GenerationExecutionTime
 	}
@@ -107,7 +112,7 @@ func (psa *PolicyStatusAggregator) aggregate(ps PolicyStat) {
 	info.Rules = aggregateRules(info.Rules, ps.Stats.Rules)
 	// update
 	psa.policyData[ps.PolicyName] = info
-	glog.V(4).Infof("updated stats for policy %s", ps.PolicyName)
+	logger.V(4).Info("updated stats for policy")
 }
 
 func aggregateRules(old []RuleStatinfo, update []RuleStatinfo) []RuleStatinfo {
@@ -140,29 +145,31 @@ func aggregateRules(old []RuleStatinfo, update []RuleStatinfo) []RuleStatinfo {
 
 //GetPolicyStats returns the policy stats
 func (psa *PolicyStatusAggregator) GetPolicyStats(policyName string) PolicyStatInfo {
+	logger := psa.log.WithValues("policy", policyName)
 	func() {
-		glog.V(4).Infof("read lock update policy %s", policyName)
+		logger.V(4).Info("read lock update policy")
 		psa.mux.RLock()
 	}()
 	defer func() {
-		glog.V(4).Infof("read Unlock update policy %s", policyName)
+		logger.V(4).Info("read unlock update policy")
 		psa.mux.RUnlock()
 	}()
-	glog.V(4).Infof("read stats for policy %s", policyName)
+	logger.V(4).Info("read stats for policy")
 	return psa.policyData[policyName]
 }
 
 //RemovePolicyStats rmves policy stats records
 func (psa *PolicyStatusAggregator) RemovePolicyStats(policyName string) {
+	logger := psa.log.WithValues("policy", policyName)
 	func() {
-		glog.V(4).Infof("write lock update policy %s", policyName)
+		logger.V(4).Info("write lock update policy")
 		psa.mux.Lock()
 	}()
 	defer func() {
-		glog.V(4).Infof("write Unlock update policy %s", policyName)
+		logger.V(4).Info("write unlock update policy")
 		psa.mux.Unlock()
 	}()
-	glog.V(4).Infof("removing stats for policy %s", policyName)
+	logger.V(4).Info("removing stats for policy")
 	delete(psa.policyData, policyName)
 }
 
@@ -199,7 +206,7 @@ type RuleStatinfo struct {
 
 //SendStat sends the stat information for aggregation
 func (psa *PolicyStatusAggregator) SendStat(stat PolicyStat) {
-	glog.V(4).Infof("sending policy stats: %v", stat)
+	psa.log.V(4).Info("sending policy stats", "stat", stat)
 	// Send over channel
 	psa.ch <- stat
 }
diff --git a/pkg/policy/webhookregistration.go b/pkg/policy/webhookregistration.go
index f4b2188b2a..5c8fc0aa69 100644
--- a/pkg/policy/webhookregistration.go
+++ b/pkg/policy/webhookregistration.go
@@ -1,25 +1,25 @@
 package policy
 
 import (
-	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/labels"
 )
 
 func (pc *PolicyController) removeResourceWebhookConfiguration() error {
+	logger := pc.log
 	var err error
 	// get all existing policies
 	policies, err := pc.pLister.List(labels.NewSelector())
 	if err != nil {
-		glog.V(4).Infof("failed to list policies: %v", err)
+		logger.Error(err, "failed to list policies")
 		return err
 	}
 
 	if len(policies) == 0 {
-		glog.V(4).Info("no policies loaded, removing resource webhook configuration if one exists")
+		logger.V(4).Info("no policies loaded, removing resource webhook configuration if one exists")
 		return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration()
 	}
 
-	glog.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists")
+	logger.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists")
 
 	return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration()
 }
diff --git a/pkg/policyviolation/builder_test.go b/pkg/policyviolation/builder_test.go
index 2498b7b5f2..a44314f9f2 100644
--- a/pkg/policyviolation/builder_test.go
+++ b/pkg/policyviolation/builder_test.go
@@ -4,8 +4,8 @@ import (
 	"testing"
 
 	"github.com/nirmata/kyverno/pkg/engine/response"
-	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Test_GeneratePVsFromEngineResponse_PathNotExist(t *testing.T) {
diff --git a/pkg/policyviolation/clusterpv.go b/pkg/policyviolation/clusterpv.go
index 8b974594ae..5c31fe553a 100644
--- a/pkg/policyviolation/clusterpv.go
+++ b/pkg/policyviolation/clusterpv.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
@@ -20,9 +20,11 @@ type clusterPV struct {
 	cpvLister kyvernolister.ClusterPolicyViolationLister
 	// policy violation interface
 	kyvernoInterface kyvernov1.KyvernoV1Interface
+	// logger
+	log logr.Logger
 }
 
-func newClusterPV(dclient *client.Client,
+func newClusterPV(log logr.Logger, dclient *client.Client,
 	cpvLister kyvernolister.ClusterPolicyViolationLister,
 	kyvernoInterface kyvernov1.KyvernoV1Interface,
 ) *clusterPV {
@@ -30,6 +32,7 @@ func newClusterPV(dclient *client.Client,
 		dclient:          dclient,
 		cpvLister:        cpvLister,
 		kyvernoInterface: kyvernoInterface,
+		log:              log,
 	}
 	return &cpv
 }
@@ -51,6 +54,7 @@ func (cpv *clusterPV) create(pv kyverno.PolicyViolationTemplate) error {
 }
 
 func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyverno.ClusterPolicyViolation, error) {
+	logger := cpv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name)
 	var err error
 	// use labels
 	policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
@@ -61,7 +65,7 @@ func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyvern
 
 	pvs, err := cpv.cpvLister.List(ls)
 	if err != nil {
-		glog.Errorf("unable to list cluster policy violations : %v", err)
+		logger.Error(err, "failed to list cluster policy violations")
 		return nil, err
 	}
 
@@ -78,7 +82,8 @@ func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyvern
 
 func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 	var err error
-	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Name)
+	logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
+	logger.V(4).Info("creating new policy violation")
 	obj, err := retryGetResource(cpv.dclient, newPv.Spec.ResourceSpec)
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
@@ -90,18 +95,19 @@ func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 	// create resource
 	_, err = cpv.kyvernoInterface.ClusterPolicyViolations().Create(newPv)
 	if err != nil {
-		glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err)
+		logger.Error(err, "failed to create cluster policy violation")
 		return err
 	}
-	glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec)
+	logger.Info("cluster policy violation created")
 	return nil
 }
 
 func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) error {
+	logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
 	var err error
 	// check if there is any update
 	if reflect.DeepEqual(newPv.Spec, oldPv.Spec) {
-		glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec)
+		logger.V(4).Info("policy violation spec did not change, not upadating the resource")
 		return nil
 	}
 	// set name
@@ -113,7 +119,7 @@ func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) err
 	if err != nil {
 		return fmt.Errorf("failed to update cluster policy violation: %v", err)
 	}
-	glog.Infof("cluster policy violation updated for resource %v", newPv.Spec.ResourceSpec)
+	logger.Info("cluster policy violation created")
 
 	return nil
 }
diff --git a/pkg/policyviolation/common.go b/pkg/policyviolation/common.go
index dfb4a704ac..b288163689 100644
--- a/pkg/policyviolation/common.go
+++ b/pkg/policyviolation/common.go
@@ -5,12 +5,12 @@ import (
 	"time"
 
 	backoff "github.com/cenkalti/backoff"
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerReference {
@@ -33,7 +33,7 @@ func retryGetResource(client *client.Client, rspec kyverno.ResourceSpec) (*unstr
 	var err error
 	getResource := func() error {
 		obj, err = client.GetResource(rspec.Kind, rspec.Namespace, rspec.Name)
-		glog.V(4).Infof("retry %v getting %s/%s/%s", i, rspec.Kind, rspec.Namespace, rspec.Name)
+		log.Log.V(4).Info(fmt.Sprintf("retry %v getting %s/%s/%s", i, rspec.Kind, rspec.Namespace, rspec.Name))
 		i++
 		return err
 	}
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index 94099fefaf..40f16484b8 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -222,10 +222,10 @@ func (gen *Generator) syncHandler(info Info) error {
 	builder := newPvBuilder()
 	if info.Resource.GetNamespace() == "" {
 		// cluster scope resource generate a clusterpolicy violation
-		handler = newClusterPV(gen.dclient, gen.cpvLister, gen.kyvernoInterface)
+		handler = newClusterPV(gen.log.WithName("ClusterPV"), gen.dclient, gen.cpvLister, gen.kyvernoInterface)
 	} else {
 		// namespaced resources generated a namespaced policy violation in the namespace of the resource
-		handler = newNamespacedPV(gen.dclient, gen.nspvLister, gen.kyvernoInterface)
+		handler = newNamespacedPV(gen.log.WithName("NamespacedPV"), gen.dclient, gen.nspvLister, gen.kyvernoInterface)
 	}
 
 	failure := false
diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index 1967a0ba3f..10fa15e6d4 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
@@ -20,9 +20,11 @@ type namespacedPV struct {
 	nspvLister kyvernolister.PolicyViolationLister
 	// policy violation interface
 	kyvernoInterface kyvernov1.KyvernoV1Interface
+	// logger
+	log logr.Logger
 }
 
-func newNamespacedPV(dclient *client.Client,
+func newNamespacedPV(log logr.Logger, dclient *client.Client,
 	nspvLister kyvernolister.PolicyViolationLister,
 	kyvernoInterface kyvernov1.KyvernoV1Interface,
 ) *namespacedPV {
@@ -30,6 +32,7 @@ func newNamespacedPV(dclient *client.Client,
 		dclient:          dclient,
 		nspvLister:       nspvLister,
 		kyvernoInterface: kyvernoInterface,
+		log:              log,
 	}
 	return &nspv
 }
@@ -51,6 +54,7 @@ func (nspv *namespacedPV) create(pv kyverno.PolicyViolationTemplate) error {
 }
 
 func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.PolicyViolation, error) {
+	logger := nspv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name)
 	var err error
 	// use labels
 	policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
@@ -60,7 +64,7 @@ func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.P
 	}
 	pvs, err := nspv.nspvLister.PolicyViolations(newPv.GetNamespace()).List(ls)
 	if err != nil {
-		glog.Errorf("unable to list namespaced policy violations : %v", err)
+		logger.Error(err, "failed to list namespaced policy violations")
 		return nil, err
 	}
 
@@ -77,7 +81,8 @@ func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.P
 
 func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 	var err error
-	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Namespace, newPv.Spec.ResourceSpec.Name)
+	logger := nspv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
+	logger.V(4).Info("creating new policy violation")
 	obj, err := retryGetResource(nspv.dclient, newPv.Spec.ResourceSpec)
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
@@ -89,18 +94,19 @@ func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 	// create resource
 	_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Create(newPv)
 	if err != nil {
-		glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err)
+		logger.Error(err, "failed to create namespaced policy violation")
 		return err
 	}
-	glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec)
+	logger.Info("namespaced policy violation created")
 	return nil
 }
 
 func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error {
+	logger := nspv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
 	var err error
 	// check if there is any update
 	if reflect.DeepEqual(newPv.Spec, oldPv.Spec) {
-		glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec)
+		logger.V(4).Info("policy violation spec did not change, not upadating the resource")
 		return nil
 	}
 	// set name
@@ -111,7 +117,6 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
 	if err != nil {
 		return fmt.Errorf("failed to update namespaced policy violation: %v", err)
 	}
-
-	glog.Infof("namespaced policy violation updated for resource %v", newPv.Spec.ResourceSpec)
+	logger.Info("namespaced policy violation created")
 	return nil
 }
diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go
index 39eaeb7257..9d8d2fb272 100644
--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@@ -3,7 +3,6 @@ package testrunner
 import (
 	"bytes"
 	"encoding/json"
-	"flag"
 	"io/ioutil"
 	"os"
 	ospath "path"
@@ -19,7 +18,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes/scheme"
 
-	"github.com/golang/glog"
 	"gopkg.in/yaml.v2"
 	apiyaml "k8s.io/apimachinery/pkg/util/yaml"
 )
@@ -308,7 +306,7 @@ func loadPolicyResource(t *testing.T, file string) *unstructured.Unstructured {
 func getClient(t *testing.T, files []string) *client.Client {
 	var objects []runtime.Object
 	if files != nil {
-		glog.V(4).Infof("loading resources: %v", files)
+
 		for _, file := range files {
 			objects = loadObjects(t, file)
 		}
@@ -404,7 +402,7 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 		policy := kyverno.ClusterPolicy{}
 		pBytes, err := apiyaml.ToJSON(p)
 		if err != nil {
-			glog.Error(err)
+			t.Error(err)
 			continue
 		}
 
@@ -427,7 +425,7 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 }
 
 func testScenario(t *testing.T, path string) {
-	flag.Set("logtostderr", "true")
+	// flag.Set("logtostderr", "true")
 	// flag.Set("v", "8")
 
 	scenario, err := loadScenario(t, path)
diff --git a/pkg/testrunner/utils.go b/pkg/testrunner/utils.go
index d888cdcdc6..6fdfb91c78 100644
--- a/pkg/testrunner/utils.go
+++ b/pkg/testrunner/utils.go
@@ -4,8 +4,8 @@ import (
 	"io/ioutil"
 	"os"
 
-	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -42,7 +42,7 @@ func ConvertToUnstructured(data []byte) (*unstructured.Unstructured, error) {
 	resource := &unstructured.Unstructured{}
 	err := resource.UnmarshalJSON(data)
 	if err != nil {
-		glog.V(4).Infof("failed to unmarshall resource: %v", err)
+		log.Log.Error(err, "failed to unmarshal resource")
 		return nil, err
 	}
 	return resource, nil
diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go
index ac089bc041..d813f07f4e 100644
--- a/pkg/userinfo/roleRef.go
+++ b/pkg/userinfo/roleRef.go
@@ -4,12 +4,12 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/golang/glog"
 	v1beta1 "k8s.io/api/admission/v1beta1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	rbaclister "k8s.io/client-go/listers/rbac/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -101,7 +101,7 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
 	subjectServiceAccount := subject.Namespace + ":" + subject.Name
 	if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {
-		glog.V(3).Infof("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):])
+		log.Log.V(3).Info(fmt.Sprintf("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]))
 		return false
 	}
 
@@ -117,6 +117,6 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 		}
 	}
 
-	glog.V(3).Infof("user/group '%v' info not found in request userInfo: %v", subject.Name, keys)
+	log.Log.V(3).Info(fmt.Sprintf("user/group '%v' info not found in request userInfo: %v", subject.Name, keys))
 	return false
 }
diff --git a/pkg/userinfo/roleRef_test.go b/pkg/userinfo/roleRef_test.go
index 3929c38577..16b94625ac 100644
--- a/pkg/userinfo/roleRef_test.go
+++ b/pkg/userinfo/roleRef_test.go
@@ -1,7 +1,6 @@
 package userinfo
 
 import (
-	"flag"
 	"reflect"
 	"testing"
 
@@ -153,9 +152,9 @@ func newRoleBinding(name, ns string, subjects []rbacv1.Subject, roles rbacv1.Rol
 }
 
 func Test_getRoleRefByRoleBindings(t *testing.T) {
-	flag.Parse()
-	flag.Set("logtostderr", "true")
-	flag.Set("v", "3")
+	// flag.Parse()
+	// flag.Set("logtostderr", "true")
+	// flag.Set("v", "3")
 
 	list := make([]*rbacv1.RoleBinding, 2)
 
diff --git a/pkg/webhookconfig/checker.go b/pkg/webhookconfig/checker.go
index e1923a507c..db1e765629 100644
--- a/pkg/webhookconfig/checker.go
+++ b/pkg/webhookconfig/checker.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	errorsapi "k8s.io/apimachinery/pkg/api/errors"
@@ -36,8 +35,9 @@ func (wrc *WebhookRegistrationClient) constructVerifyMutatingWebhookConfig(caDat
 }
 
 func (wrc *WebhookRegistrationClient) constructDebugVerifyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.VerifyMutatingWebhookServicePath)
-	glog.V(4).Infof("Debug VerifyMutatingWebhookConfig is registered with url %s\n", url)
+	logger.V(4).Info("Debug VerifyMutatingWebhookConfig is registered with url", "url", url)
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.VerifyMutatingWebhookConfigurationDebugName,
@@ -68,13 +68,14 @@ func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(w
 	} else {
 		mutatingConfig = config.VerifyMutatingWebhookConfigurationName
 	}
-	glog.V(4).Infof("removing webhook configuration %s", mutatingConfig)
+	logger := wrc.log.WithValues("name", mutatingConfig)
+	logger.V(4).Info("removing webhook configuration")
 	err = wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		glog.V(4).Infof("verify webhook configuration %s, does not exits. not deleting", mutatingConfig)
+		logger.Error(err, "verify webhook configuration, does not exits. not deleting")
 	} else if err != nil {
-		glog.Errorf("failed to delete verify webhook configuration %s: %v", mutatingConfig, err)
+		logger.Error(err, "failed to delete verify wwebhook configuration")
 	} else {
-		glog.V(4).Infof("successfully deleted verify webhook configuration %s", mutatingConfig)
+		logger.V(4).Info("successfully deleted verify webhook configuration")
 	}
 }
diff --git a/pkg/webhookconfig/common.go b/pkg/webhookconfig/common.go
index 69ccaca885..2b1c17f6e0 100644
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
@@ -3,7 +3,6 @@ package webhookconfig
 import (
 	"io/ioutil"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -11,20 +10,21 @@ import (
 )
 
 func (wrc *WebhookRegistrationClient) readCaData() []byte {
+	logger := wrc.log
 	var caData []byte
 	// Check if ca is defined in the secret tls-ca
 	// assume the key and signed cert have been defined in secret tls.kyverno
 	if caData = wrc.client.ReadRootCASecret(); len(caData) != 0 {
-		glog.V(4).Infof("read CA from secret")
+		logger.V(4).Info("read CA from secret")
 		return caData
 	}
-	glog.V(4).Infof("failed to read CA from secret, reading from kubeconfig")
+	logger.V(4).Info("failed to read CA from secret, reading from kubeconfig")
 	// load the CA from kubeconfig
 	if caData = extractCA(wrc.clientConfig); len(caData) != 0 {
-		glog.V(4).Infof("read CA from kubeconfig")
+		logger.V(4).Info("read CA from kubeconfig")
 		return caData
 	}
-	glog.V(4).Infof("failed to read CA from kubeconfig")
+	logger.V(4).Info("failed to read CA from kubeconfig")
 	return nil
 }
 
@@ -46,10 +46,11 @@ func extractCA(config *rest.Config) (result []byte) {
 }
 
 func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
+	logger := wrc.log
 	kubePolicyDeployment, err := wrc.client.GetKubePolicyDeployment()
 
 	if err != nil {
-		glog.Errorf("Error when constructing OwnerReference, err: %v\n", err)
+		logger.Error(err, "failed to construct OwnerReference")
 		return v1.OwnerReference{}
 	}
 
@@ -61,38 +62,6 @@ func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
 	}
 }
 
-// func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
-// 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
-// 	failurePolicy := admregapi.Ignore
-// 	return admregapi.Webhook{
-// 		Name: name,
-// 		ClientConfig: admregapi.WebhookClientConfig{
-// 			URL:      &url,
-// 			CABundle: caData,
-// 		},
-// 		SideEffects: &sideEffect,
-// 		Rules: []admregapi.RuleWithOperations{
-// 			admregapi.RuleWithOperations{
-// 				Operations: operationTypes,
-// 				Rule: admregapi.Rule{
-// 					APIGroups: []string{
-// 						apiGroups,
-// 					},
-// 					APIVersions: []string{
-// 						apiVersions,
-// 					},
-// 					Resources: []string{
-// 						resource,
-// 					},
-// 				},
-// 			},
-// 		},
-// 		AdmissionReviewVersions: []string{"v1beta1"},
-// 		TimeoutSeconds:          &timeoutSeconds,
-// 		FailurePolicy:           &failurePolicy,
-// 	}
-// }
-
 // debug mutating webhook
 func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook {
 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
diff --git a/pkg/webhookconfig/policy.go b/pkg/webhookconfig/policy.go
index 1a518596a7..da9fa0fa8a 100644
--- a/pkg/webhookconfig/policy.go
+++ b/pkg/webhookconfig/policy.go
@@ -3,7 +3,6 @@ package webhookconfig
 import (
 	"fmt"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -35,8 +34,9 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig(caDa
 }
 
 func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
+	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyValidatingWebhookServicePath)
-	glog.V(4).Infof("Debug PolicyValidatingWebhookConfig is registered with url %s\n", url)
+	logger.V(4).Info("Debug PolicyValidatingWebhookConfig is registered with url ", "url", url)
 
 	return &admregapi.ValidatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
@@ -82,8 +82,9 @@ func (wrc *WebhookRegistrationClient) contructPolicyMutatingWebhookConfig(caData
 	}
 }
 func (wrc *WebhookRegistrationClient) contructDebugPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyMutatingWebhookServicePath)
-	glog.V(4).Infof("Debug PolicyMutatingWebhookConfig is registered with url %s\n", url)
+	logger.V(4).Info("Debug PolicyMutatingWebhookConfig is registered with url ", "url", url)
 
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index 9edf71d1e0..8124ad39d4 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
@@ -190,7 +189,6 @@ func (wrc *WebhookRegistrationClient) createPolicyValidatingWebhookConfiguration
 func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration() error {
 	var caData []byte
 	var config *admregapi.MutatingWebhookConfiguration
-
 	// read CA data from
 	// 1) secret(config)
 	// 2) kubeconfig
@@ -212,8 +210,7 @@ func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration()
 	if _, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false); err != nil {
 		return err
 	}
-
-	glog.V(4).Infof("created Mutating Webhook Configuration %s ", config.Name)
+	wrc.log.V(4).Info("reated Mutating Webhook Configuration", "name", config.Name)
 	return nil
 }
 
@@ -243,7 +240,7 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration()
 		return err
 	}
 
-	glog.V(4).Infof("created Mutating Webhook Configuration %s ", config.Name)
+	wrc.log.V(4).Info("reated Mutating Webhook Configuration", "name", config.Name)
 	return nil
 }
 
@@ -252,9 +249,9 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration()
 // Register will fail if the config exists, so there is no need to fail on error
 func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 	startTime := time.Now()
-	glog.V(4).Infof("Started cleaning up webhookconfigurations")
+	wrc.log.Info("Started cleaning up webhookconfigurations")
 	defer func() {
-		glog.V(4).Infof("Finished cleaning up webhookcongfigurations (%v)", time.Since(startTime))
+		wrc.log.V(4).Info("Finished cleaning up webhookcongfigurations", "processingTime", time.Since(startTime))
 	}()
 
 	var wg sync.WaitGroup
@@ -278,13 +275,13 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 func (wrc *WebhookRegistrationClient) removeResourceMutatingWebhookConfiguration(wg *sync.WaitGroup) {
 	defer wg.Done()
 	if err := wrc.RemoveResourceMutatingWebhookConfiguration(); err != nil {
-		glog.Error(err)
+		wrc.log.Error(err, "failed to remove resource mutating webhook configuration")
 	}
 }
 func (wrc *WebhookRegistrationClient) removeResourceValidatingWebhookConfiguration(wg *sync.WaitGroup) {
 	defer wg.Done()
 	if err := wrc.RemoveResourceValidatingWebhookConfiguration(); err != nil {
-		glog.Error(err)
+		wrc.log.Error(err, "failed to remove resource validation webhook configuration")
 	}
 }
 
@@ -299,15 +296,15 @@ func (wrc *WebhookRegistrationClient) removePolicyMutatingWebhookConfiguration(w
 	} else {
 		mutatingConfig = config.PolicyMutatingWebhookConfigurationName
 	}
-
-	glog.V(4).Infof("removing webhook configuration %s", mutatingConfig)
+	logger := wrc.log.WithValues("name", mutatingConfig)
+	logger.V(4).Info("removing mutating webhook configuration")
 	err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", mutatingConfig)
+		logger.Error(err, "policy mutating webhook configuration does not exist, not deleting")
 	} else if err != nil {
-		glog.Errorf("failed to delete policy webhook configuration %s: %v", mutatingConfig, err)
+		logger.Error(err, "failed to delete policy mutating webhook configuration")
 	} else {
-		glog.V(4).Infof("successfully deleted policy webhook configuration %s", mutatingConfig)
+		logger.V(4).Info("successfully deleted policy mutating webhook configutation")
 	}
 }
 
@@ -322,13 +319,14 @@ func (wrc *WebhookRegistrationClient) removePolicyValidatingWebhookConfiguration
 	} else {
 		validatingConfig = config.PolicyValidatingWebhookConfigurationName
 	}
-	glog.V(4).Infof("removing webhook configuration %s", validatingConfig)
+	logger := wrc.log.WithValues("name", validatingConfig)
+	logger.V(4).Info("removing validating webhook configuration")
 	err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", validatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", validatingConfig)
+		logger.Error(err, "policy validating webhook configuration does not exist, not deleting")
 	} else if err != nil {
-		glog.Errorf("failed to delete policy webhook configuration %s: %v", validatingConfig, err)
+		logger.Error(err, "failed to delete policy validating webhook configuration")
 	} else {
-		glog.V(4).Infof("successfully deleted policy webhook configuration %s", validatingConfig)
+		logger.V(4).Info("successfully deleted policy validating webhook configutation")
 	}
 }
diff --git a/pkg/webhooks/annotations_test.go b/pkg/webhooks/annotations_test.go
index dc4c6e6c95..d14657b6cb 100644
--- a/pkg/webhooks/annotations_test.go
+++ b/pkg/webhooks/annotations_test.go
@@ -4,9 +4,9 @@ import (
 	"testing"
 
 	"github.com/nirmata/kyverno/pkg/engine/response"
-	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func newPolicyResponse(policy, rule string, patchesStr []string, success bool) response.PolicyResponse {
diff --git a/pkg/webhooks/policymutation_test.go b/pkg/webhooks/policymutation_test.go
index f600ff8220..d887cd6ee2 100644
--- a/pkg/webhooks/policymutation_test.go
+++ b/pkg/webhooks/policymutation_test.go
@@ -7,8 +7,8 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
-	"github.com/nirmata/kyverno/pkg/log"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func compareJSONAsMap(t *testing.T, expected, actual []byte) {

From d66bcf9636228ae3f12fdb905818d522668aa3d0 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Tue, 17 Mar 2020 17:36:48 -0700
Subject: [PATCH 010/201] update dependencies

---
 go.mod | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/go.mod b/go.mod
index 593b08fdef..a8cf46725a 100644
--- a/go.mod
+++ b/go.mod
@@ -5,39 +5,38 @@ go 1.13
 require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/evanphx/json-patch v4.5.0+incompatible
-	github.com/gogo/protobuf v1.3.1 // indirect
+	github.com/go-logr/logr v0.1.0
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 // indirect
 	github.com/googleapis/gnostic v0.3.1
-	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
 	github.com/imdario/mergo v0.3.8 // indirect
 	github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
 	github.com/json-iterator/go v1.1.9 // indirect
 	github.com/minio/minio v0.0.0-20200114012931-30922148fbb5
-	github.com/ory/go-acc v0.1.0 // indirect
-	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/spf13/cobra v0.0.5
-	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5
-	golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 // indirect
 	golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
 	golang.org/x/sys v0.0.0-20200113162924-86b910548bc1 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	google.golang.org/appengine v1.6.5 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.2.7
+	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	gopkg.in/yaml.v2 v2.2.8
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b
-	k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d
-	k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a
-	k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible
-	k8s.io/klog v1.0.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a
+	k8s.io/api v0.17.4
+	k8s.io/apimachinery v0.17.4
+	k8s.io/cli-runtime v0.17.4
+	k8s.io/client-go v0.17.4
+	k8s.io/klog v1.0.0
+	k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c
 	k8s.io/utils v0.0.0-20200109141947-94aeca20bf09 // indirect
-	sigs.k8s.io/kustomize v2.0.3+incompatible // indirect
+	sigs.k8s.io/controller-runtime v0.5.0
 )
 
 // Added for go1.13 migration https://github.com/golang/go/issues/32805
-replace github.com/gorilla/rpc v1.2.0+incompatible => github.com/gorilla/rpc v1.2.0
+replace (
+	github.com/gorilla/rpc v1.2.0+incompatible => github.com/gorilla/rpc v1.2.0
+	k8s.io/code-generator => k8s.io/code-generator v0.0.0-20200306081859-6a048a382944
+	k8s.io/component-base => k8s.io/component-base v0.0.0-20190612130303-4062e14deebe
+)

From 36eca5e886c1ad19639dfbb75e6200afeae2aaed Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Tue, 17 Mar 2020 18:34:44 -0700
Subject: [PATCH 011/201] CI fixes

---
 pkg/auth/auth.go            | 4 +---
 pkg/engine/policyContext.go | 3 ---
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index d2ab06ffd1..8f1ef24e1e 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -49,9 +49,7 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
 		return false, fmt.Errorf("failed to get the Group Version Resource for kind %s", o.kind)
 	}
 
-	var sar *authorizationv1.SelfSubjectAccessReview
-
-	sar = &authorizationv1.SelfSubjectAccessReview{
+	sar := &authorizationv1.SelfSubjectAccessReview{
 		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
 			ResourceAttributes: &authorizationv1.ResourceAttributes{
 				Namespace: o.namespace,
diff --git a/pkg/engine/policyContext.go b/pkg/engine/policyContext.go
index 3e1f7d22aa..20dd04c52c 100644
--- a/pkg/engine/policyContext.go
+++ b/pkg/engine/policyContext.go
@@ -1,7 +1,6 @@
 package engine
 
 import (
-	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -21,6 +20,4 @@ type PolicyContext struct {
 	Client *client.Client
 	// Contexts to store resources
 	Context context.EvalInterface
-	// log
-	log logr.Logger
 }

From 58b3d6acc89a5bb20c7f5d44e1c69256a1141824 Mon Sep 17 00:00:00 2001
From: Chris Werner Rau <CWRau@CWRCoding.com>
Date: Wed, 18 Mar 2020 17:18:59 +0100
Subject: [PATCH 012/201] Add info about the kyverno AUR package

I created an AUR package for the `kyverno` cli, therefore I wanted to publish its existence for other fellow arch users
---
 documentation/kyverno-cli.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/documentation/kyverno-cli.md b/documentation/kyverno-cli.md
index 6901de2384..05ae5590dc 100644
--- a/documentation/kyverno-cli.md
+++ b/documentation/kyverno-cli.md
@@ -16,6 +16,14 @@ make cli
 mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno
 ```
 
+## Install via AUR (archlinux)
+
+You can install the kyverno cli via your favourite AUR helper (e.g. [yay](https://github.com/Jguer/yay))
+
+```
+yay -S kyverno-git
+```
+
 ## Commands
 
 #### Version

From 5b02542639aa284b772bac3c4aa84e2425c35b72 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Wed, 18 Mar 2020 18:07:41 -0700
Subject: [PATCH 013/201] update docs for
 https://github.com/nirmata/kyverno/issues/740 and
 https://github.com/nirmata/kyverno/issues/741

---
 .../writing-policies-match-exclude.md         | 93 +++++++++++++++++++
 documentation/writing-policies.md             | 56 +----------
 2 files changed, 96 insertions(+), 53 deletions(-)
 create mode 100644 documentation/writing-policies-match-exclude.md

diff --git a/documentation/writing-policies-match-exclude.md b/documentation/writing-policies-match-exclude.md
new file mode 100644
index 0000000000..674d38679e
--- /dev/null
+++ b/documentation/writing-policies-match-exclude.md
@@ -0,0 +1,93 @@
+<small>*[documentation](/README.md#documentation) / Writing Policies / Match & Exclude *</small>
+
+# Match & Exclude
+
+The `match` and `exclude` filters control which resources policies are applied to. 
+
+The match / exclude clauses have the same structure, and can each contain the following elements:
+* resources: select resources by name, namespaces, kinds, and label selectors.
+* subjects: select users, user groups, and service accounts
+* roles: select namespaced roles
+* clusterroles: select cluster wide roles
+
+At least one element must be specified in a `match` block. The `kind` attribute is optional, but if it's not specified the policy rule will only be applicable to metatdata that is common across all resources kinds.
+
+When Kyverno receives an admission controller request, i.e. a validation or mutation webhook, it first checks to see if the resource and user information matches or should be excluded from processing. If both checks pass, then the rule logic to mutate, validate, or generate resources is applied.
+
+The following YAML provides an example for a match clause.
+
+````yaml
+apiVersion : kyverno.io/v1
+kind : ClusterPolicy
+metadata :
+  name : policy
+spec :
+  # 'enforce' to block resource request if any rules fail
+  # 'audit' to allow resource request on failure of rules, but create policy violations to report them
+  validationFailureAction: enforce
+  # Each policy has a list of rules applied in declaration order
+  rules:
+    # Rules must have a unique name
+    - name: "check-pod-controller-labels"      
+      # Each rule matches specific resource described by "match" field.
+      match:
+        resources:
+          kinds: # Required, list of kinds
+          - Deployment
+          - StatefulSet
+          name: "mongo*" # Optional, a resource name is optional. Name supports wildcards (* and ?)
+          namespaces: # Optional, list of namespaces. Supports wildcards (* and ?)
+          - "dev*"
+          - test
+          selector: # Optional, a resource selector is optional. Values support wildcards (* and ?)
+              matchLabels:
+                  app: mongodb
+              matchExpressions:
+                  - {key: tier, operator: In, values: [database]}
+        # Optional, subjects to be matched
+        subjects:
+        - kind: User
+          name: mary@somecorp.com
+        # Optional, roles to be matched
+        roles:
+        # Optional, clusterroles to be matched
+        clusterroles: cluster-admin
+
+        ...
+
+````
+
+All`match` and `exclude` element must be satisfied for the resource to be selected as a candidate for the policy rule. In other words, the match and exclude conditions are evaluated using a logical AND operation.
+
+Here is an example of a rule that matches all pods, excluding pods created by using the `cluster-admin` cluster role.
+
+````yaml
+spec:
+  rules:
+    name: "match-pods-except-admin"
+    match:
+      resources:
+        kinds:
+        - Pod
+    exclude:
+      clusterroles: cluster-admin
+````
+
+This rule that matches all pods, excluding pods in the `kube-system` namespace.
+
+````yaml
+spec:
+  rules:
+    name: "match-pods-except-admin"
+    match:
+      resources:
+        kinds:
+        - Pod
+    exclude:
+      namespaces:
+      - "kube-system"
+````
+
+
+---
+<small>*Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)*</small>
diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md
index b0890dedf4..2f085f8398 100644
--- a/documentation/writing-policies.md
+++ b/documentation/writing-policies.md
@@ -8,59 +8,9 @@ The following picture shows the structure of a Kyverno Policy:
 
 Each Kyverno policy contains one or more rules. Each rule has a `match` clause, an optional `exclude` clause, and one of a `mutate`, `validate`, or `generate` clause.
 
-The match / exclude clauses have the same structure, and can contain the following elements:
-* resources: select resources by name, namespaces, kinds, and label selectors.
-* subjects: select users, user groups, and service accounts
-* roles: select namespaced roles
-* clusterroles: select cluster wide roles
-
-When Kyverno receives an admission controller request, i.e. a validation or mutation webhook, it first checks to see if the resource and user information matches or should be excluded from processing. If both checks pass, then the rule logic to mutate, validate, or generate resources is applied.
-
-The following YAML provides an example for a match clause.
-
-````yaml
-apiVersion : kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : policy
-spec :
-  # 'enforce' to block resource request if any rules fail
-  # 'audit' to allow resource request on failure of rules, but create policy violations to report them
-  validationFailureAction: enforce
-  # Each policy has a list of rules applied in declaration order
-  rules:
-    # Rules must have a unique name
-    - name: "check-pod-controller-labels"      
-      # Each rule matches specific resource described by "match" field.
-      match:
-        resources:
-          kinds: # Required, list of kinds
-          - Deployment
-          - StatefulSet
-          name: "mongo*" # Optional, a resource name is optional. Name supports wildcards (* and ?)
-          namespaces: # Optional, list of namespaces. Supports wildcards (* and ?)
-          - "dev*"
-          - test
-          selector: # Optional, a resource selector is optional. Values support wildcards (* and ?)
-              matchLabels:
-                  app: mongodb
-              matchExpressions:
-                  - {key: tier, operator: In, values: [database]}
-        # Optional, subjects to be matched
-        subjects:
-        - kind: User
-          name: mary@somecorp.com
-        # Optional, roles to be matched
-        roles:
-        # Optional, clusterroles to be matched
-        clusterroles: cluster-admin
-
-        ...
-
-````
-
-Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. These actions are applied to the resource in described order: mutation, validation and then generation.
+Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. 
 
+These actions are applied to the resource in described order: mutation, validation and then generation.
 
 ---
-<small>*Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)*</small>
+<small>*Read Next >> [Validate Resources](/documentation/writing-policies-match-exclude.md)*</small>

From df76ac6848e9717b14631924b63a821b8778b4c6 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Wed, 18 Mar 2020 18:14:41 -0700
Subject: [PATCH 014/201] update README.md

---
 README.md                         | 1 +
 documentation/writing-policies.md | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f4b22dd7e0..df3ec092d1 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,7 @@ Refer to a list of curated of ***[sample policies](/samples/README.md)*** that c
 
 * [Getting Started](documentation/installation.md)
 * [Writing Policies](documentation/writing-policies.md)
+  * [Selecting Resources](/documentation/writing-policies-match-exclude.md)
   * [Validate Resources](documentation/writing-policies-validate.md)
   * [Mutate Resources](documentation/writing-policies-mutate.md)
   * [Generate Resources](documentation/writing-policies-generate.md)
diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md
index 2f085f8398..1f2e2c2cb3 100644
--- a/documentation/writing-policies.md
+++ b/documentation/writing-policies.md
@@ -13,4 +13,4 @@ Each rule can validate, mutate, or generate configurations of matching resources
 These actions are applied to the resource in described order: mutation, validation and then generation.
 
 ---
-<small>*Read Next >> [Validate Resources](/documentation/writing-policies-match-exclude.md)*</small>
+<small>*Read Next >> [Selecting Resources](/documentation/writing-policies-match-exclude.md)*</small>

From 7c5a2aa438ff17b9c92936cb9cb73de5983170d5 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 19 Mar 2020 20:45:30 +0530
Subject: [PATCH 015/201] 754 save commit

---
 pkg/openapi/validation.go      | 36 ++++++++++++++++++++++++++++++++--
 pkg/openapi/validation_test.go | 32 +++++++++++++++++++++++++++++-
 pkg/policy/validate.go         |  2 +-
 3 files changed, 66 insertions(+), 4 deletions(-)

diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 71b8fa4b43..204bb50cfc 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -1,11 +1,15 @@
 package openapi
 
 import (
+	"encoding/json"
+	"errors"
 	"fmt"
 	"strconv"
 	"strings"
 	"sync"
 
+	"github.com/nirmata/kyverno/pkg/engine/utils"
+
 	"github.com/nirmata/kyverno/data"
 
 	"github.com/golang/glog"
@@ -44,10 +48,29 @@ func init() {
 	}
 }
 
-func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
+func ValidatePolicyFields(policy v1.ClusterPolicy) error {
 	openApiGlobalState.mutex.RLock()
 	defer openApiGlobalState.mutex.RUnlock()
 
+	policyRaw, err := json.Marshal(policy)
+	if err != nil {
+		return err
+	}
+
+	policyUnst, err := utils.ConvertToUnstructured(policyRaw)
+	if err != nil {
+		return err
+	}
+
+	err = ValidateResource(*policyUnst.DeepCopy(), "ClusterPolicy")
+	if err != nil {
+		return err
+	}
+
+	return validatePolicyMutation(policy)
+}
+
+func validatePolicyMutation(policy v1.ClusterPolicy) error {
 	var kindToRules = make(map[string][]v1.Rule)
 	for _, rule := range policy.Spec.Rules {
 		if rule.HasMutate() {
@@ -156,8 +179,17 @@ func getSchemaDocument() (*openapi_v2.Document, error) {
 
 // For crd, we do not store definition in document
 func getSchemaFromDefinitions(kind string) (proto.Schema, error) {
+	if kind == "" {
+		return nil, errors.New("invalid kind")
+	}
+
 	path := proto.NewPath(kind)
-	return (&proto.Definitions{}).ParseSchema(openApiGlobalState.definitions[kind], &path)
+	definition := openApiGlobalState.definitions[kind]
+	if definition == nil {
+		return nil, errors.New("could not find definition")
+	}
+
+	return (&proto.Definitions{}).ParseSchema(definition, &path)
 }
 
 func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {
diff --git a/pkg/openapi/validation_test.go b/pkg/openapi/validation_test.go
index 813c2ed15b..4c245b7100 100644
--- a/pkg/openapi/validation_test.go
+++ b/pkg/openapi/validation_test.go
@@ -52,7 +52,37 @@ func Test_ValidateMutationPolicy(t *testing.T) {
 		_ = json.Unmarshal(tc.policy, &policy)
 
 		var errMessage string
-		err := ValidatePolicyMutation(policy)
+		err := validatePolicyMutation(policy)
+		if err != nil {
+			errMessage = err.Error()
+		}
+
+		if errMessage != tc.errMessage {
+			t.Errorf("\nTestcase [%v] failed:\nExpected Error:  %v\nGot Error:  %v", i+1, tc.errMessage, errMessage)
+		}
+	}
+
+}
+
+func Test_ValidatePolicyFields(t *testing.T) {
+
+	tcs := []struct {
+		description string
+		policy      []byte
+		errMessage  string
+	}{
+		{
+			description: "Dealing with invalid fields in the policy",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"disallow-root-user"},"validationFailureAction":"enforce","spec":{"background":false,"rules":[{"name":"validate-runAsNonRoot","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"kinds":["Pod"]}},"validate":{"message":"Running as root user is not allowed. Set runAsNonRoot to true","anyPattern":[{"spec":{"securityContext":{"runAsNonRoot":true}}},{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}]}}]}}`),
+		},
+	}
+
+	for i, tc := range tcs {
+		policy := v1.ClusterPolicy{}
+		_ = json.Unmarshal(tc.policy, &policy)
+
+		var errMessage string
+		err := ValidatePolicyFields(policy)
 		if err != nil {
 			errMessage = err.Error()
 		}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 4789687afa..c855546622 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -82,7 +82,7 @@ func Validate(p kyverno.ClusterPolicy) error {
 		}
 	}
 
-	if err := openapi.ValidatePolicyMutation(p); err != nil {
+	if err := openapi.ValidatePolicyFields(p); err != nil {
 		return err
 	}
 

From 5aa74c2b7a8eaf3020831cc10338e597f047e22c Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 20 Mar 2020 16:41:23 +0530
Subject: [PATCH 016/201] 755 exclude should not have any mandatory fields,
 currently the resource field in exclude is mandatory - which was made
 optional in this commit

---
 definitions/install.yaml       | 2 --
 definitions/install_debug.yaml | 2 --
 2 files changed, 4 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index be688d3d97..3e7825e878 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -109,8 +109,6 @@ spec:
                                         type: string
                   exclude:
                     type: object
-                    required:
-                    - resources
                     properties:
                       roles:
                         type: array
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index efc62b5a44..bf9194246d 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -109,8 +109,6 @@ spec:
                                         type: string
                   exclude:
                     type: object
-                    required:
-                    - resources
                     properties:
                       roles:
                         type: array

From fac7a15d7d69a23a2687ea77e974ee675a1b352c Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 20 Mar 2020 20:23:34 +0530
Subject: [PATCH 017/201] 753 prototype changes

---
 pkg/policy/validate.go      |  97 +++++++++++++++++++++++++++++++++
 pkg/policy/validate_test.go | 106 ++++++++++++++++++++++++++++++++++++
 2 files changed, 203 insertions(+)

diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 4789687afa..038fe0b5e8 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -1,6 +1,7 @@
 package policy
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"reflect"
@@ -52,6 +53,11 @@ func Validate(p kyverno.ClusterPolicy) error {
 			// as there are more than 1 operation in rule, not need to evaluate it further
 			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
 		}
+
+		if err := validateMatchExcludeConflict(rule); err != nil {
+			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
+		}
+
 		// Operation Validation
 		// Mutation
 		if rule.HasMutate() {
@@ -89,6 +95,97 @@ func Validate(p kyverno.ClusterPolicy) error {
 	return nil
 }
 
+func validateMatchExcludeConflict(rule kyverno.Rule) error {
+
+	excludeRoles := make(map[string]bool)
+	for _, role := range rule.ExcludeResources.UserInfo.Roles {
+		excludeRoles[role] = true
+	}
+
+	excludeClusterRoles := make(map[string]bool)
+	for _, clusterRoles := range rule.ExcludeResources.UserInfo.ClusterRoles {
+		excludeClusterRoles[clusterRoles] = true
+	}
+
+	excludeSubjects := make(map[string]bool)
+	for _, subject := range rule.ExcludeResources.UserInfo.Subjects {
+		subjectRaw, _ := json.Marshal(subject)
+		excludeSubjects[string(subjectRaw)] = true
+	}
+
+	excludeKinds := make(map[string]bool)
+	for _, kind := range rule.ExcludeResources.ResourceDescription.Kinds {
+		excludeKinds[kind] = true
+	}
+
+	excludeNamespaces := make(map[string]bool)
+	for _, namespace := range rule.ExcludeResources.ResourceDescription.Namespaces {
+		excludeNamespaces[namespace] = true
+	}
+
+	excludeMatchExpressions := make(map[string]bool)
+	if rule.ExcludeResources.ResourceDescription.Selector != nil {
+		for _, matchExpression := range rule.ExcludeResources.ResourceDescription.Selector.MatchExpressions {
+			matchExpressionRaw, _ := json.Marshal(matchExpression)
+			excludeMatchExpressions[string(matchExpressionRaw)] = true
+		}
+	}
+
+	for _, role := range rule.MatchResources.UserInfo.Roles {
+		if excludeRoles[role] {
+			return errors.New(fmt.Sprintf("excluding role '%v' while also matching it - please remove from both match and exclude", role))
+		}
+	}
+
+	for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles {
+		if excludeClusterRoles[clusterRole] {
+			return errors.New(fmt.Sprintf("excluding cluster role '%v' while also matching it - please remove from both match and exclude", clusterRole))
+		}
+	}
+
+	for _, subject := range rule.MatchResources.UserInfo.Subjects {
+		subjectRaw, _ := json.Marshal(subject)
+		if excludeSubjects[string(subjectRaw)] {
+			return errors.New(fmt.Sprintf("excluding subject '%v' while also matching it - please remove from both match and exclude", string(subjectRaw)))
+		}
+	}
+
+	if rule.MatchResources.ResourceDescription.Name != "" {
+		if rule.MatchResources.ResourceDescription.Name == rule.ExcludeResources.ResourceDescription.Name {
+			return errors.New(fmt.Sprintf("excluding resource name '%v' while also matching it - please remove from both match and exclude", rule.MatchResources.ResourceDescription.Name))
+		}
+	}
+
+	for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces {
+		if excludeNamespaces[namespace] {
+			return errors.New(fmt.Sprintf("excluding resource namespace '%v' while also matching it - please remove from both match and exclude", namespace))
+		}
+	}
+
+	for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
+		if excludeKinds[kind] {
+			return errors.New(fmt.Sprintf("excluding resource kind '%v' while also matching it - please remove from both match and exclude", kind))
+		}
+	}
+
+	if rule.MatchResources.ResourceDescription.Selector != nil && rule.ExcludeResources.ResourceDescription.Selector != nil {
+		for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions {
+			matchExpressionRaw, _ := json.Marshal(matchExpression)
+			if excludeMatchExpressions[string(matchExpressionRaw)] {
+				return errors.New(fmt.Sprintf("excluding resource match expression '%v' while also matching it - please remove from both match and exclude", string(matchExpressionRaw)))
+			}
+		}
+
+		for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels {
+			if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] == value {
+				return errors.New(fmt.Sprintf("excluding resource label '%v' while also matching it - please remove from both match and exclude", label))
+			}
+		}
+	}
+
+	return nil
+}
+
 func ruleOnlyDealsWithResourceMetaData(rule kyverno.Rule) bool {
 	overlayMap, _ := rule.Mutation.Overlay.(map[string]interface{})
 	for k := range overlayMap {
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 387c87707b..9f91ab8025 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -1541,3 +1541,109 @@ func Test_ruleOnlyDealsWithResourceMetaData(t *testing.T) {
 		}
 	}
 }
+
+func Test_validateMatchExcludeConflict(t *testing.T) {
+	testcases := []struct {
+		description   string
+		rule          []byte
+		expectedError bool
+	}{
+		{
+			description:   "Testing cluster roles - fail",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"clusterroles":["something"]}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Testing cluster roles - pass",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"clusterroles":["something2"]}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Testing roles - fail",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"roles":["something"]}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Testing roles - pass",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"roles":["something2"]}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Testing subjects - fail",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"}]}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Testing subjects - pass",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something1"}]}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Testing resource kind - fail",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace1"]}}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Testing resource kind - pass",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod1","Namespace1"]}}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Testing resource name - fail",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"name":"something"}}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Testing resource name - pass",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"name":"something1"}}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Testing resource namespace - fail",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"namespaces":["something2","something1"]}}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Testing resource namespace - pass",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"namespaces":["something2","something3"]}}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Testing resource selector label - fail",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchLabels":{"memory":"high"}}}}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Testing resource selector label - pass",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchLabels":{"memory":"high1"}}}}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Testing resource selector match expression - fail",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier","operator":"In","values":["database"]}]}}}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Testing resource selector match expression - pass",
+			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier2","operator":"In","values":["database"]}]}}}}`),
+			expectedError: false,
+		},
+	}
+
+	for i, testcase := range testcases {
+		var rule kyverno.Rule
+		_ = json.Unmarshal(testcase.rule, &rule)
+		err := validateMatchExcludeConflict(rule)
+
+		var gotError bool
+		if err != nil {
+			gotError = true
+		} else {
+			gotError = false
+		}
+
+		if gotError != testcase.expectedError {
+			t.Errorf("Testcase [%d] failed - description - %v", i+1, testcase.description)
+		}
+	}
+}

From dfbf247ad8424bf555415a26ccbf8b63a3012c60 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 20 Mar 2020 20:35:26 +0530
Subject: [PATCH 018/201] 753 circle ci fixes

---
 pkg/policy/validate.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 038fe0b5e8..fd6acfdfb8 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -133,38 +133,38 @@ func validateMatchExcludeConflict(rule kyverno.Rule) error {
 
 	for _, role := range rule.MatchResources.UserInfo.Roles {
 		if excludeRoles[role] {
-			return errors.New(fmt.Sprintf("excluding role '%v' while also matching it - please remove from both match and exclude", role))
+			return fmt.Errorf("excluding role '%v' while also matching it - please remove from both match and exclude", role)
 		}
 	}
 
 	for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles {
 		if excludeClusterRoles[clusterRole] {
-			return errors.New(fmt.Sprintf("excluding cluster role '%v' while also matching it - please remove from both match and exclude", clusterRole))
+			return fmt.Errorf("excluding cluster role '%v' while also matching it - please remove from both match and exclude", clusterRole)
 		}
 	}
 
 	for _, subject := range rule.MatchResources.UserInfo.Subjects {
 		subjectRaw, _ := json.Marshal(subject)
 		if excludeSubjects[string(subjectRaw)] {
-			return errors.New(fmt.Sprintf("excluding subject '%v' while also matching it - please remove from both match and exclude", string(subjectRaw)))
+			return fmt.Errorf("excluding subject '%v' while also matching it - please remove from both match and exclude", string(subjectRaw))
 		}
 	}
 
 	if rule.MatchResources.ResourceDescription.Name != "" {
 		if rule.MatchResources.ResourceDescription.Name == rule.ExcludeResources.ResourceDescription.Name {
-			return errors.New(fmt.Sprintf("excluding resource name '%v' while also matching it - please remove from both match and exclude", rule.MatchResources.ResourceDescription.Name))
+			return fmt.Errorf("excluding resource name '%v' while also matching it - please remove from both match and exclude", rule.MatchResources.ResourceDescription.Name)
 		}
 	}
 
 	for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces {
 		if excludeNamespaces[namespace] {
-			return errors.New(fmt.Sprintf("excluding resource namespace '%v' while also matching it - please remove from both match and exclude", namespace))
+			return fmt.Errorf("excluding resource namespace '%v' while also matching it - please remove from both match and exclude", namespace)
 		}
 	}
 
 	for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
 		if excludeKinds[kind] {
-			return errors.New(fmt.Sprintf("excluding resource kind '%v' while also matching it - please remove from both match and exclude", kind))
+			return fmt.Errorf("excluding resource kind '%v' while also matching it - please remove from both match and exclude", kind)
 		}
 	}
 
@@ -172,13 +172,13 @@ func validateMatchExcludeConflict(rule kyverno.Rule) error {
 		for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions {
 			matchExpressionRaw, _ := json.Marshal(matchExpression)
 			if excludeMatchExpressions[string(matchExpressionRaw)] {
-				return errors.New(fmt.Sprintf("excluding resource match expression '%v' while also matching it - please remove from both match and exclude", string(matchExpressionRaw)))
+				return fmt.Errorf("excluding resource match expression '%v' while also matching it - please remove from both match and exclude", string(matchExpressionRaw))
 			}
 		}
 
 		for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels {
 			if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] == value {
-				return errors.New(fmt.Sprintf("excluding resource label '%v' while also matching it - please remove from both match and exclude", label))
+				return fmt.Errorf("excluding resource label '%v' while also matching it - please remove from both match and exclude", label)
 			}
 		}
 	}

From 6e822ece408cfff179eb1cabaaebc2692809a473 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Fri, 20 Mar 2020 09:18:15 -0700
Subject: [PATCH 019/201] fix CR

---
 pkg/engine/variables/common.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/pkg/engine/variables/common.go b/pkg/engine/variables/common.go
index 751040a03d..292b82d988 100644
--- a/pkg/engine/variables/common.go
+++ b/pkg/engine/variables/common.go
@@ -6,9 +6,5 @@ import "regexp"
 func IsVariable(element string) bool {
 	validRegex := regexp.MustCompile(variableRegex)
 	groups := validRegex.FindAllStringSubmatch(element, -1)
-	if len(groups) == 0 {
-		// there was no match
-		return false
-	}
-	return true
+	return len(groups) != 0
 }

From 90a80db74834f1902430e66cdce8b369056ae538 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Fri, 20 Mar 2020 09:52:30 -0700
Subject: [PATCH 020/201] fix scripts

---
 scripts/update-codegen.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/update-codegen.sh b/scripts/update-codegen.sh
index 686c2cdfe1..a6f56b314d 100755
--- a/scripts/update-codegen.sh
+++ b/scripts/update-codegen.sh
@@ -13,8 +13,10 @@ esac
 NIRMATA_DIR=$(dirname ${BASH_SOURCE})/..
 NIRMATA_ROOT=$(${linkutil} -f ${NIRMATA_DIR})
 
+# instructions to build project https://github.com/nirmata/kyverno/wiki/Building
+
 # get relative path to code generation script
-CODEGEN_PKG=${NIRMATA_DIR}/vendor/k8s.io/code-generator
+CODEGEN_PKG="${GOPATH}/src/k8s.io/code-generator"
 
 # get relative path of nirmata
 NIRMATA_PKG=${NIRMATA_ROOT#"${GOPATH}/src/"}

From 4320111c5c8334929174715cfa8177f4f5c18478 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Fri, 20 Mar 2020 11:43:21 -0700
Subject: [PATCH 021/201] fix logs api

---
 cmd/kyverno/main.go             |  1 -
 pkg/engine/validation.go        |  2 +-
 pkg/kyverno/apply/command.go    |  5 ++---
 pkg/kyverno/main.go             | 11 +++++++----
 pkg/kyverno/validate/command.go |  5 ++---
 pkg/openapi/crdSync.go          | 13 ++++++-------
 pkg/openapi/validation.go       |  5 ++---
 pkg/policy/existing.go          |  2 --
 pkg/policystatus/main.go        |  9 ++++-----
 pkg/webhooks/mutation.go        |  3 +--
 10 files changed, 25 insertions(+), 31 deletions(-)

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index f55370e23f..c44308c7b4 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -57,7 +57,6 @@ func main() {
 	if err := flag.Set("v", "2"); err != nil {
 		setupLog.Error(err, "failed to set log level")
 		os.Exit(1)
-		// klog.Fatalf("failed to set log level: %v", err)
 	}
 
 	// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 49ede85d0f..00c32f6791 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -233,7 +233,7 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 				errorStr = append(errorStr, err.Error())
 			}
 			resp.Success = false
-			glog.V(4).Infof("Validation rule '%s' failed. %s", rule.Name, errorStr)
+			log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", rule.Name, errorStr))
 			if rule.Validation.Message == "" {
 				resp.Message = fmt.Sprintf("Validation rule '%s' has failed", rule.Name)
 			} else {
diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index 73fbdf1ac7..a48d2db3b4 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -11,8 +11,6 @@ import (
 
 	policy2 "github.com/nirmata/kyverno/pkg/policy"
 
-	"github.com/golang/glog"
-
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
 	"k8s.io/client-go/discovery"
@@ -32,6 +30,7 @@ import (
 	yamlv2 "gopkg.in/yaml.v2"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/kubernetes/scheme"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Command() *cobra.Command {
@@ -49,7 +48,7 @@ func Command() *cobra.Command {
 			defer func() {
 				if err != nil {
 					if !sanitizedError.IsErrorSanitized(err) {
-						glog.V(4).Info(err)
+						log.Log.Error(err, "failed to sanitize")
 						err = fmt.Errorf("Internal error")
 					}
 				}
diff --git a/pkg/kyverno/main.go b/pkg/kyverno/main.go
index d0d1163ef6..6424a57ddc 100644
--- a/pkg/kyverno/main.go
+++ b/pkg/kyverno/main.go
@@ -9,6 +9,9 @@ import (
 	"github.com/nirmata/kyverno/pkg/kyverno/apply"
 
 	"github.com/nirmata/kyverno/pkg/kyverno/version"
+	"k8s.io/klog"
+	"k8s.io/klog/klogr"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/spf13/cobra"
 )
@@ -19,7 +22,7 @@ func CLI() {
 		Short: "kyverno manages native policies of Kubernetes",
 	}
 
-	configureGlog(cli)
+	configurelog(cli)
 
 	commands := []*cobra.Command{
 		version.Command(),
@@ -36,9 +39,9 @@ func CLI() {
 	}
 }
 
-func configureGlog(cli *cobra.Command) {
-	flag.Parse()
-	_ = flag.Set("logtostderr", "true")
+func configurelog(cli *cobra.Command) {
+	klog.InitFlags(nil)
+	log.SetLogger(klogr.New())
 
 	cli.PersistentFlags().AddGoFlagSet(flag.CommandLine)
 	_ = cli.PersistentFlags().MarkHidden("alsologtostderr")
diff --git a/pkg/kyverno/validate/command.go b/pkg/kyverno/validate/command.go
index e606e134c0..4014189ff6 100644
--- a/pkg/kyverno/validate/command.go
+++ b/pkg/kyverno/validate/command.go
@@ -9,13 +9,12 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/kyverno/sanitizedError"
 
-	"github.com/golang/glog"
-
 	policyvalidate "github.com/nirmata/kyverno/pkg/policy"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/util/yaml"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Command() *cobra.Command {
@@ -27,7 +26,7 @@ func Command() *cobra.Command {
 			defer func() {
 				if err != nil {
 					if !sanitizedError.IsErrorSanitized(err) {
-						glog.V(4).Info(err)
+						log.Log.Error(err, "failed to sanitize")
 						err = fmt.Errorf("Internal error")
 					}
 				}
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index da428c2955..5eed212617 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -6,13 +6,12 @@ import (
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
-	"github.com/golang/glog"
-
 	"gopkg.in/yaml.v2"
 
 	"github.com/googleapis/gnostic/compiler"
 
 	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -44,12 +43,12 @@ func NewCRDSync(client *client.Client) *crdSync {
 func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	newDoc, err := c.client.DiscoveryClient.OpenAPISchema()
 	if err != nil {
-		glog.V(4).Infof("cannot get openapi schema: %v", err)
+		log.Log.Error(err, "cannot get openapi schema")
 	}
 
 	err = useOpenApiDocument(newDoc)
 	if err != nil {
-		glog.V(4).Infof("Could not set custom OpenApi document: %v\n", err)
+		log.Log.Error(err, "Could not set custom OpenApi document")
 	}
 
 	for i := 0; i < workers; i++ {
@@ -64,7 +63,7 @@ func (c *crdSync) sync() {
 
 	crds, err := c.client.ListResource("CustomResourceDefinition", "", nil)
 	if err != nil {
-		glog.V(4).Infof("could not fetch crd's from server: %v", err)
+		log.Log.Error(err, "could not fetch crd's from server")
 		return
 	}
 
@@ -91,7 +90,7 @@ func parseCRD(crd unstructured.Unstructured) {
 
 	crdName := crdDefinition.Spec.Names.Kind
 	if len(crdDefinition.Spec.Versions) < 1 {
-		glog.V(4).Infof("could not parse crd schema, no versions present")
+		log.Log.V(4).Info("could not parse crd schema, no versions present")
 		return
 	}
 
@@ -101,7 +100,7 @@ func parseCRD(crd unstructured.Unstructured) {
 
 	parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil))
 	if err != nil {
-		glog.V(4).Infof("could not parse crd schema:%v", err)
+		log.Log.Error(err, "could not parse crd schema:")
 		return
 	}
 
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 71b8fa4b43..21ac488c2e 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -8,8 +8,6 @@ import (
 
 	"github.com/nirmata/kyverno/data"
 
-	"github.com/golang/glog"
-
 	"github.com/nirmata/kyverno/pkg/engine"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
@@ -19,6 +17,7 @@ import (
 	"github.com/googleapis/gnostic/compiler"
 	"k8s.io/kube-openapi/pkg/util/proto"
 	"k8s.io/kube-openapi/pkg/util/proto/validation"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 
 	"gopkg.in/yaml.v2"
 )
@@ -69,7 +68,7 @@ func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 		newPolicy.Spec.Rules = rules
 		resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})
 		if resource == nil {
-			glog.V(4).Infof("Cannot Validate policy: openApi definition now found for %v", kind)
+			log.Log.V(4).Info(fmt.Sprintf("Cannot Validate policy: openApi definition now found for %v", kind))
 			return nil
 		}
 		newResource := unstructured.Unstructured{Object: resource}
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index d01097e961..af8dfc09c6 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
-	"github.com/golang/glog"
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/config"
@@ -40,7 +39,6 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic
 		}
 
 		// apply the policy on each
-		glog.V(4).Infof("apply policy %s with resource version %s on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion())
 		engineResponse := applyPolicy(policy, resource, logger)
 		// get engine response for mutation & validation independently
 		engineResponses = append(engineResponses, engineResponse...)
diff --git a/pkg/policystatus/main.go b/pkg/policystatus/main.go
index 3e633aaf82..b21ff2e505 100644
--- a/pkg/policystatus/main.go
+++ b/pkg/policystatus/main.go
@@ -2,16 +2,16 @@ package policystatus
 
 import (
 	"encoding/json"
+	"fmt"
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
-
 	"k8s.io/apimachinery/pkg/util/wait"
 
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // Policy status implementation works in the following way,
@@ -111,8 +111,7 @@ func (s *Sync) updateStatusCache(stopCh <-chan struct{}) {
 			s.cache.keyToMutex.Get(statusUpdater.PolicyName()).Unlock()
 			oldStatus, _ := json.Marshal(status)
 			newStatus, _ := json.Marshal(updatedStatus)
-
-			glog.V(4).Infof("\nupdated status of policy - %v\noldStatus:\n%v\nnewStatus:\n%v\n", statusUpdater.PolicyName(), string(oldStatus), string(newStatus))
+			log.Log.V(4).Info(fmt.Sprintf("\nupdated status of policy - %v\noldStatus:\n%v\nnewStatus:\n%v\n", statusUpdater.PolicyName(), string(oldStatus), string(newStatus)))
 		case <-stopCh:
 			return
 		}
@@ -140,7 +139,7 @@ func (s *Sync) updatePolicyStatus() {
 			s.cache.dataMu.Lock()
 			delete(s.cache.data, policyName)
 			s.cache.dataMu.Unlock()
-			glog.V(4).Info(err)
+			log.Log.Error(err, "failed to update policy status")
 		}
 	}
 }
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index cd2a7dfdfd..68ca58fae1 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -7,7 +7,6 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/openapi"
 
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -70,7 +69,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 		}
 		err := openapi.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind())
 		if err != nil {
-			glog.V(4).Infoln(err)
+			logger.Error(err, "failed to validate resource")
 			continue
 		}
 		// gather patches

From 801c7513cbef2a6689690316690fde2ab859591e Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Tue, 24 Mar 2020 00:35:05 +0530
Subject: [PATCH 022/201] golanfci-lint changes

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 cmd/initContainer/main.go                     | 15 ++-
 .../clientset/versioned/fake/register.go      |  3 +-
 pkg/config/config.go                          |  2 +-
 pkg/engine/mutate/overlay.go                  |  2 +-
 pkg/engine/mutate/overlayCondition_test.go    | 92 ++++++++++++-------
 pkg/engine/mutate/overlay_test.go             | 66 ++++++++-----
 pkg/engine/mutation_test.go                   | 16 +++-
 pkg/engine/validate/validate.go               |  2 +
 pkg/engine/validate/validate_test.go          |  9 +-
 pkg/engine/validation_test.go                 | 64 ++++++++-----
 pkg/policy/apply.go                           |  6 +-
 pkg/testrunner/scenario.go                    |  6 +-
 pkg/tls/tls.go                                |  1 +
 pkg/userinfo/roleRef_test.go                  |  7 +-
 14 files changed, 193 insertions(+), 98 deletions(-)

diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index 9c5a9141ba..939471df65 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -91,9 +91,18 @@ func main() {
 func init() {
 	// arguments
 	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
-	flag.Set("logtostderr", "true")
-	flag.Set("stderrthreshold", "WARNING")
-	flag.Set("v", "2")
+	err := flag.Set("logtostderr", "true")
+	if err != nil {
+		glog.Errorf("failed to set flag", err)
+	}
+	err = flag.Set("stderrthreshold", "WARNING")
+	if err != nil {
+		glog.Errorf("failed to set flag", err)
+	}
+	err = flag.Set("v", "2")
+	if err != nil {
+		glog.Errorf("failed to set flag", err)
+	}
 	flag.Parse()
 }
 
diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go
index 4a90cf5ba8..482e66ffc7 100644
--- a/pkg/client/clientset/versioned/fake/register.go
+++ b/pkg/client/clientset/versioned/fake/register.go
@@ -29,7 +29,8 @@ import (
 
 var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
-var parameterCodec = runtime.NewParameterCodec(scheme)
+
+// var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	kyvernov1.AddToScheme,
 }
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 241728a2c7..fc8bf5e07c 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -85,7 +85,7 @@ func LogDefaultFlags() {
 	if err != nil {
 		glog.Fatalf("failed to set flag 'stderrthreshold' to 'WARNING':%v", err)
 	}
-	flag.Set("v", "2")
+	err = flag.Set("v", "2")
 	if err != nil {
 		glog.Fatalf("failed to set flag 'v' to '2':%v", err)
 	}
diff --git a/pkg/engine/mutate/overlay.go b/pkg/engine/mutate/overlay.go
index 3b76f30c74..63b262f80d 100644
--- a/pkg/engine/mutate/overlay.go
+++ b/pkg/engine/mutate/overlay.go
@@ -409,7 +409,7 @@ func removeAnchorFromSubTree(overlay interface{}) interface{} {
 }
 
 func removeAnchroFromMap(overlay map[string]interface{}) map[string]interface{} {
-	result := make(map[string]interface{}, 0)
+	result := make(map[string]interface{})
 	for k, v := range overlay {
 		result[getRawKeyIfWrappedWithAttributes(k)] = removeAnchorFromSubTree(v)
 	}
diff --git a/pkg/engine/mutate/overlayCondition_test.go b/pkg/engine/mutate/overlayCondition_test.go
index b898acfbcd..94aeed329b 100644
--- a/pkg/engine/mutate/overlayCondition_test.go
+++ b/pkg/engine/mutate/overlayCondition_test.go
@@ -26,9 +26,10 @@ func TestMeetConditions_NoAnchor(t *testing.T) {
 	 }`)
 	var overlay interface{}
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(overlayRaw, &overlay)
+	assert.Assert(t, reflect.DeepEqual(err, nil))
 
-	_, err := meetConditions(nil, overlay)
+	_, err = meetConditions(nil, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -78,10 +79,12 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err := meetConditions(resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, !reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`
@@ -99,7 +102,8 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
 	   ]
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	_, overlayerr := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
@@ -136,11 +140,13 @@ func TestMeetConditions_DifferentTypes(t *testing.T) {
 	 }`)
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	// anchor exist
-	_, err := meetConditions(resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, strings.Contains(err.Error(), "Found anchor on different types of element at path /subsets/"))
 }
 
@@ -190,10 +196,12 @@ func TestMeetConditions_anchosInSameObject(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err := meetConditions(resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value 443 with overlay 444")
 }
 
@@ -248,10 +256,11 @@ func TestMeetConditions_anchorOnPeer(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
-
-	_, err := meetConditions(resource, overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
+	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -325,10 +334,12 @@ func TestMeetConditions_anchorsOnMetaAndSpec(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err := meetConditions(resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -406,10 +417,12 @@ func TestMeetConditions_anchorsOnPeer_single(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRawAnchorOnPeers, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err := meetConditions(resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -440,10 +453,12 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRawAnchorOnPeers, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err := meetConditions(resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value true with overlay false")
 
 	overlayRaw = []byte(`{
@@ -470,7 +485,8 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 		}
 	 }`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
@@ -499,7 +515,8 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 		}
 	 }`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
@@ -532,10 +549,12 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRawAnchorOnPeers, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err := meetConditions(resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -562,7 +581,8 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 		}
 	 }`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
@@ -591,7 +611,8 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 		}
 	 }`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	_, err = meetConditions(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value ENV_VALUE with overlay ENV_VALUE1")
@@ -649,9 +670,10 @@ func TestMeetConditions_AtleastOneExist(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
-
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 	path, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(path) == 0)
diff --git a/pkg/engine/mutate/overlay_test.go b/pkg/engine/mutate/overlay_test.go
index 8c062fe58d..4050c7e950 100644
--- a/pkg/engine/mutate/overlay_test.go
+++ b/pkg/engine/mutate/overlay_test.go
@@ -63,8 +63,10 @@ func TestProcessOverlayPatches_NestedListWithAnchor(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
@@ -163,8 +165,10 @@ func TestProcessOverlayPatches_InsertIntoArray(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
@@ -284,8 +288,10 @@ func TestProcessOverlayPatches_TestInsertToArray(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
@@ -367,8 +373,10 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
@@ -456,7 +464,8 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 		}
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, err = processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
@@ -492,7 +501,8 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 		}
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, err = processOverlayPatches(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /spec/template/metadata/labels/app/, [overlayError:0] Failed validating value nginx with overlay nginx1")
@@ -520,8 +530,10 @@ func TestProcessOverlayPatches_AddingAnchor(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
@@ -605,8 +617,10 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
@@ -684,7 +698,8 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) {
 		}
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, err = processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
@@ -747,8 +762,10 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
@@ -805,7 +822,8 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) {
 	   ]
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, err = processOverlayPatches(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /subsets/0/ports/0/port/, [overlayError:0] Failed validating value 443 with overlay 444")
@@ -886,8 +904,10 @@ func TestProcessOverlayPatches_insertWithCondition(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
@@ -997,8 +1017,10 @@ func TestProcessOverlayPatches_InsertIfNotPresentWithConditions(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go
index 278d9672f2..07f345e265 100644
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@@ -67,11 +67,17 @@ func Test_VariableSubstitutionOverlay(t *testing.T) {
 	expectedPatch := []byte(`{ "op": "add", "path": "/metadata/labels", "value":{"appname":"check-root-user"} }`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	if err != nil {
+		t.Error(err)
+	}
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	ctx := context.NewContext()
-	ctx.AddResource(rawResource)
+	err = ctx.AddResource(rawResource)
+	if err != nil {
+		t.Error(err)
+	}
 	value, err := ctx.Query("request.object.metadata.name")
 	t.Log(value)
 	if err != nil {
@@ -139,12 +145,14 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
 	  }`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(policyraw, &policy)
+	err := json.Unmarshal(policyraw, &policy)
+	assert.NilError(t, err)
 	resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go
index 9d94f07789..387c4fc37e 100644
--- a/pkg/engine/validate/validate.go
+++ b/pkg/engine/validate/validate.go
@@ -227,8 +227,10 @@ func getValueFromPattern(patternMap map[string]interface{}, keys []string, curre
 					if keys[currentKeyIndex+1] == strconv.Itoa(i) {
 						return getValueFromPattern(resourceMap, keys, currentKeyIndex+2)
 					}
+					// TODO : SA4004: the surrounding loop is unconditionally terminated (staticcheck)
 					return nil, errors.New("Reference to non-existent place in the document")
 				}
+				return nil, nil // Just a hack to fix the lint
 			}
 			return nil, errors.New("Reference to non-existent place in the document")
 		case map[string]interface{}:
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index acabd87ac1..3467bacb83 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@@ -557,7 +557,8 @@ func TestValidateMap_livenessProbeIsNull(t *testing.T) {
 
 	var pattern, resource map[string]interface{}
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
-	json.Unmarshal(rawMap, &resource)
+	err := json.Unmarshal(rawMap, &resource)
+	assert.NilError(t, err)
 
 	path, err := validateMap(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
@@ -1344,8 +1345,10 @@ func TestValidateMapElement_OneElementInArrayNotPass(t *testing.T) {
 	]`)
 
 	var pattern, resource interface{}
-	json.Unmarshal(rawPattern, &pattern)
-	json.Unmarshal(rawMap, &resource)
+	err := json.Unmarshal(rawPattern, &pattern)
+	assert.NilError(t, err)
+	err = json.Unmarshal(rawMap, &resource)
+	assert.NilError(t, err)
 
 	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/0/object/0/key2/")
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 2792723d09..b44fd30ba9 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -23,7 +23,8 @@ func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) {
 	}`)
 
 	var unmarshalled map[string]interface{}
-	json.Unmarshal(rawMap, &unmarshalled)
+	err := json.Unmarshal(rawMap, &unmarshalled)
+	assert.NilError(t, err)
 
 	actualMap := utils.GetAnchorsFromMap(unmarshalled)
 	assert.Equal(t, len(actualMap), 2)
@@ -114,7 +115,8 @@ func TestValidate_image_tag_fail(t *testing.T) {
 	`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -212,7 +214,8 @@ func TestValidate_image_tag_pass(t *testing.T) {
 	`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -289,7 +292,8 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 	`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -370,7 +374,8 @@ func TestValidate_host_network_port(t *testing.T) {
 	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -459,7 +464,8 @@ func TestValidate_anchor_arraymap_pass(t *testing.T) {
 	 }	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -547,8 +553,8 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) {
 	 }	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
-
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
@@ -616,7 +622,8 @@ func TestValidate_anchor_map_notfound(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -688,7 +695,8 @@ func TestValidate_anchor_map_found_valid(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -760,7 +768,8 @@ func TestValidate_anchor_map_found_invalid(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -834,7 +843,8 @@ func TestValidate_AnchorList_pass(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -908,7 +918,8 @@ func TestValidate_AnchorList_fail(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -982,7 +993,8 @@ func TestValidate_existenceAnchor_fail(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1057,7 +1069,8 @@ func TestValidate_existenceAnchor_pass(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1144,7 +1157,8 @@ func TestValidate_negationAnchor_deny(t *testing.T) {
 	 }	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1230,7 +1244,8 @@ func TestValidate_negationAnchor_pass(t *testing.T) {
 	 	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1297,12 +1312,14 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) {
 	  }`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(policyraw, &policy)
+	err := json.Unmarshal(policyraw, &policy)
+	assert.NilError(t, err)
 	resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
@@ -1392,7 +1409,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfies(t *t
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
@@ -1482,7 +1500,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
@@ -1572,7 +1591,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index 32d654346c..fae7c4045d 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -32,8 +32,10 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	var err error
 	// build context
 	ctx := context.NewContext()
-	ctx.AddResource(transformResource(resource))
-
+	err = ctx.AddResource(transformResource(resource))
+	if err != nil {
+		glog.Errorf("enable to add transform resource to ctx: %v", err)
+	}
 	//MUTATION
 	engineResponse, err = mutation(policy, resource, ctx)
 	engineResponses = append(engineResponses, engineResponse)
diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go
index 39eaeb7257..b0d3430072 100644
--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@@ -427,7 +427,11 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 }
 
 func testScenario(t *testing.T, path string) {
-	flag.Set("logtostderr", "true")
+	err := flag.Set("logtostderr", "true")
+	if err != nil {
+		t.Error(err)
+		return
+	}
 	// flag.Set("v", "8")
 
 	scenario, err := loadScenario(t, path)
diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go
index c91c9b922c..4acc08272d 100644
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
@@ -142,5 +142,6 @@ func IsTLSPairShouldBeUpdated(tlsPair *TlsPemPair) bool {
 		return true
 	}
 
+	// TODO : should use time.Until instead of t.Sub(time.Now()) (gosimple)
 	return expirationDate.Sub(time.Now()) < timeReserveBeforeCertificateExpiration
 }
diff --git a/pkg/userinfo/roleRef_test.go b/pkg/userinfo/roleRef_test.go
index 3929c38577..19899ee709 100644
--- a/pkg/userinfo/roleRef_test.go
+++ b/pkg/userinfo/roleRef_test.go
@@ -154,9 +154,10 @@ func newRoleBinding(name, ns string, subjects []rbacv1.Subject, roles rbacv1.Rol
 
 func Test_getRoleRefByRoleBindings(t *testing.T) {
 	flag.Parse()
-	flag.Set("logtostderr", "true")
-	flag.Set("v", "3")
-
+	err := flag.Set("logtostderr", "true")
+	assert.Assert(t, err == nil)
+	err = flag.Set("v", "3")
+	assert.Assert(t, err == nil)
 	list := make([]*rbacv1.RoleBinding, 2)
 
 	list[0] = newRoleBinding("test1", "mynamespace",

From 3726d96024e91ab126503b82d6caafd3a20c5cf4 Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Tue, 24 Mar 2020 00:42:50 +0530
Subject: [PATCH 023/201] Caching added to travis ci

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 .travis.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 917a026a0c..3f9676cdb2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,6 +2,11 @@ language: go
 go:
   - "1.13"
 
+cache:
+  directories:
+    - $HOME/.cache/go-build
+    - $GOPATH/pkg/mod
+  
 # safelist
 branches: 
   only:

From 4b8c3d045b7558d8240055c2b86dcc197622a820 Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Tue, 24 Mar 2020 01:00:28 +0530
Subject: [PATCH 024/201] Added contriuting guidlines

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 CONTRIBUTING.md | 95 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 94 insertions(+), 1 deletion(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index be104b5dc2..5cde32383b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1 +1,94 @@
-See: https://github.com/nirmata/kyverno#contributing
+# Contributing to Kyverno
+
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+
+
+- [Introduction](#introduction)
+- [Contributing Code](#contributing-code)
+- [Disclosing vulnerabilities](#disclosing-vulnerabilities)
+- [Code Style](#code-style)
+- [Pull request procedure](#pull-request-procedure)
+- [Communication](#communication)
+- [Conduct](./CODE_OF_CONDUCT.md)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+## Introduction
+
+Please note: We take Kyverno security and our users' trust very
+seriously. If you believe you have found a security issue in Kyverno,
+please responsibly disclose by contacting us at support@nirmata.com.
+
+First: if you're unsure or afraid of anything, just ask or submit the issue or
+pull request anyways. You won't be yelled at for giving it your best effort. The
+worst that can happen is that you'll be politely asked to change something. We
+appreciate any sort of contributions, and don't want a wall of rules to get in
+the way of that.
+
+That said, if you want to ensure that a pull request is likely to be merged,
+talk to us! You can find out our thoughts and ensure that your contribution
+won't clash or be obviated by Kyverno normal direction. A great way to
+do this is via the [Kyverno Community](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9)
+
+## Contributing Code
+
+Unless you are fixing a known bug, we **strongly** recommend discussing it with
+the core team via a GitHub issue or [in our chat](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9)
+before getting started to ensure your work is consistent with Kyverno
+roadmap and architecture.
+
+All contributions are made via pull request. Note that **all patches from all
+contributors get reviewed**. After a pull request is made other contributors
+will offer feedback, and if the patch passes review a maintainer will accept it
+with a comment. When pull requests fail testing, authors are expected to update
+their pull requests to address the failures until the tests pass and the pull
+request merges successfully.
+
+At least one review from a maintainer is required for all patches (even patches
+from maintainers).
+
+Reviewers should leave a "LGTM" comment once they are satisfied with the patch.
+If the patch was submitted by a maintainer with write access, the pull request
+should be merged by the submitter after review.
+
+## Disclosing vulnerabilities
+
+Please disclose vulnerabilities exclusively to [support@nirmata.com](mailto:support@nirmata.com). Do
+not use GitHub issues.
+
+## Code Style
+
+We follow the community provided standard [code structure](https://github.com/golang-standards/project-layout). Please follow these guidelines when formatting source code:
+
+- Go code should match the output of `gofmt -s`
+
+## Pull request procedure
+
+To make a pull request, you will need a GitHub account; if you are unclear on
+this process, see GitHub's documentation on
+[forking](https://help.github.com/articles/fork-a-repo) and
+[pull requests](https://help.github.com/articles/using-pull-requests). Pull
+requests should be targeted at the `master` branch. Before creating a pull
+request, go through this checklist:
+
+1. Create a feature branch off of `master` so that changes do not get mixed up.
+1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local
+   changes against the `master` branch.
+1. Run the full project test suite with the `go test ./...` (or equivalent)
+   command and confirm that it passes.
+1. Run `gofmt -s` (if the project is written in Go).
+1. Ensure that each commit has a subsystem prefix (ex: `controller:`).
+
+Pull requests will be treated as "review requests," and maintainers will give
+feedback on the style and substance of the patch.
+
+Normally, all pull requests must include tests that test your change.
+Occasionally, a change will be very difficult to test for. In those cases,
+please include a note in your commit message explaining why.
+
+## Communication
+
+We use [Slack](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9). You are welcome to drop in and ask
+questions, discuss bugs, etc.
+

From 919ae10139b3a37d5f2bee34646e2ff0af62a861 Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Tue, 24 Mar 2020 01:03:42 +0530
Subject: [PATCH 025/201] change data location

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 {data => x/data}/swaggerDoc.go | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {data => x/data}/swaggerDoc.go (100%)

diff --git a/data/swaggerDoc.go b/x/data/swaggerDoc.go
similarity index 100%
rename from data/swaggerDoc.go
rename to x/data/swaggerDoc.go

From 69eeb34bef7afe611b4ab67a82d1562093502fed Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Tue, 24 Mar 2020 02:01:50 +0530
Subject: [PATCH 026/201] codeclimate and golangci-lint added

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 .codeclimate.yml          | 18 ++++++++++++++++++
 .golangci.yml             | 17 +++++++++++++++++
 cmd/initContainer/main.go |  6 +++---
 3 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 .codeclimate.yml
 create mode 100644 .golangci.yml

diff --git a/.codeclimate.yml b/.codeclimate.yml
new file mode 100644
index 0000000000..95a96cfddb
--- /dev/null
+++ b/.codeclimate.yml
@@ -0,0 +1,18 @@
+engines:
+  govet:
+    enabled: true
+  golint:
+    enabled: false
+  gofmt:
+    enabled: true
+
+ratings:
+  paths:
+    - "**.go"
+
+exclude_paths:
+- documentation/
+- definitions
+- gh-pages
+- samples
+- scripts
\ No newline at end of file
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 0000000000..a589a168f3
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,17 @@
+linters:
+  enable:
+    - gosec
+    - errcheck
+    - gosimple
+    - bodyclose
+    - staticcheck
+  disable:
+    - ineffassign
+    - deadcode
+    - unused
+    - structcheck
+
+run:
+  skip-files:
+    - ".+_test.go"
+    - ".+_test_.+.go"
\ No newline at end of file
diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index 939471df65..2a6acd193e 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -93,15 +93,15 @@ func init() {
 	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
 	err := flag.Set("logtostderr", "true")
 	if err != nil {
-		glog.Errorf("failed to set flag", err)
+		glog.Errorf("failed to set flag %v", err)
 	}
 	err = flag.Set("stderrthreshold", "WARNING")
 	if err != nil {
-		glog.Errorf("failed to set flag", err)
+		glog.Errorf("failed to set flag %v", err)
 	}
 	err = flag.Set("v", "2")
 	if err != nil {
-		glog.Errorf("failed to set flag", err)
+		glog.Errorf("failed to set flag %v", err)
 	}
 	flag.Parse()
 }

From 93205ecbbf09fb832adc71eb64ebbcb487e9c869 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 24 Mar 2020 08:45:44 +0530
Subject: [PATCH 027/201] 753 dummy commit

---
 pkg/policy/validate_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 9f91ab8025..810a1054fa 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -1628,6 +1628,11 @@ func Test_validateMatchExcludeConflict(t *testing.T) {
 			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier2","operator":"In","values":["database"]}]}}}}`),
 			expectedError: false,
 		},
+		//{
+		//	description:   "Testing resource selector match expression - pass",
+		//	rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier2","operator":"In","values":["database"]}]}}}}`),
+		//	expectedError: false,
+		//},
 	}
 
 	for i, testcase := range testcases {

From 80cda4668b5dee98c31ef494bc1a7227c1cf7a31 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 24 Mar 2020 08:50:07 +0530
Subject: [PATCH 028/201] 753 dummy commit

---
 pkg/policy/validate_test.go | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 810a1054fa..9f91ab8025 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -1628,11 +1628,6 @@ func Test_validateMatchExcludeConflict(t *testing.T) {
 			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier2","operator":"In","values":["database"]}]}}}}`),
 			expectedError: false,
 		},
-		//{
-		//	description:   "Testing resource selector match expression - pass",
-		//	rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier2","operator":"In","values":["database"]}]}}}}`),
-		//	expectedError: false,
-		//},
 	}
 
 	for i, testcase := range testcases {

From 4d4b2bad52efdae5ad8287e91f7db848c364cb8f Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Tue, 24 Mar 2020 11:59:59 +0530
Subject: [PATCH 029/201] Added ref of contributing guidelines

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index f4b22dd7e0..55f4ea8a89 100644
--- a/README.md
+++ b/README.md
@@ -170,5 +170,6 @@ See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](htt
 Thanks for your interest in contributing!
 
   * Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing.
+  * We encourage all contributions and encourage you to read our [contribution guidelines](./CONTRIBUTING.md).
   * See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation.
   * Browse through the [open issues](https://github.com/nirmata/kyverno/issues)

From b3ab74d8b61309d939567d1617bc43e2da2a9c6b Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Tue, 24 Mar 2020 12:06:35 +0530
Subject: [PATCH 030/201] Update pkg path

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 pkg/openapi/validation.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 71b8fa4b43..24050421ec 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/nirmata/kyverno/data"
+	data "github.com/nirmata/kyverno/x/data"
 
 	"github.com/golang/glog"
 

From 2273033c6c4bd1105c2e6400ce031596965e22ea Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 24 Mar 2020 19:08:46 +0530
Subject: [PATCH 031/201] 754 fixed apiVersion and metadata issue

---
 pkg/openapi/crdSync.go    | 27 +++++++++++++++++++++++++++
 pkg/openapi/validation.go |  8 +++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index da428c2955..56a7580025 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -97,6 +97,7 @@ func parseCRD(crd unstructured.Unstructured) {
 
 	var schema yaml.MapSlice
 	schemaRaw, _ := json.Marshal(crdDefinition.Spec.Versions[0].Schema.OpenAPIV3Schema)
+	schemaRaw = addingDefaultFieldsToSchema(schemaRaw)
 	_ = yaml.Unmarshal(schemaRaw, &schema)
 
 	parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil))
@@ -110,3 +111,29 @@ func parseCRD(crd unstructured.Unstructured) {
 	openApiGlobalState.kindToDefinitionName[crdName] = crdName
 	openApiGlobalState.definitions[crdName] = parsedSchema
 }
+
+// addingDefaultFieldsToSchema will add any default missing fields like apiVersion, metadata
+func addingDefaultFieldsToSchema(schemaRaw []byte) []byte {
+	var schema struct {
+		Properties map[string]interface{} `json:"properties"`
+	}
+	_ = json.Unmarshal(schemaRaw, &schema)
+
+	if schema.Properties["apiVersion"] == nil {
+		apiVersionDefRaw := `{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}`
+		apiVersionDef := make(map[string]interface{})
+		_ = json.Unmarshal([]byte(apiVersionDefRaw), &apiVersionDef)
+		schema.Properties["apiVersion"] = apiVersionDef
+	}
+
+	if schema.Properties["metadata"] == nil {
+		metadataDefRaw := `{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}`
+		metadataDef := make(map[string]interface{})
+		_ = json.Unmarshal([]byte(metadataDefRaw), &metadataDef)
+		schema.Properties["metadata"] = metadataDef
+	}
+
+	schemaWithDefaultFields, _ := json.Marshal(schema)
+
+	return schemaWithDefaultFields
+}
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 204bb50cfc..22448341ba 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -189,7 +189,13 @@ func getSchemaFromDefinitions(kind string) (proto.Schema, error) {
 		return nil, errors.New("could not find definition")
 	}
 
-	return (&proto.Definitions{}).ParseSchema(definition, &path)
+	// This was added so crd's can access
+	// normal definitions from existing schema such as
+	// `metadata` - this maybe a breaking change.
+	// Removing this may cause policy validate to stop working
+	existingDefinitions, _ := openApiGlobalState.models.(*proto.Definitions)
+
+	return (existingDefinitions).ParseSchema(definition, &path)
 }
 
 func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {

From 63aa0b0ba899aa0337df40dea06c8d1b1a272608 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Tue, 24 Mar 2020 10:32:05 -0700
Subject: [PATCH 032/201] remove glog as dependency module

---
 go.mod | 1 -
 1 file changed, 1 deletion(-)

diff --git a/go.mod b/go.mod
index a8cf46725a..f5ba937e12 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,6 @@ require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/evanphx/json-patch v4.5.0+incompatible
 	github.com/go-logr/logr v0.1.0
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 // indirect
 	github.com/googleapis/gnostic v0.3.1
 	github.com/hashicorp/golang-lru v0.5.3 // indirect

From 4cf29adccde9ed3b18a42f235ad0a8e766469e63 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 24 Mar 2020 23:12:45 +0530
Subject: [PATCH 033/201] 754 works as intended - more changes required related
 to locks .etc

---
 pkg/kyverno/apply/command.go     |  4 +-
 pkg/kyverno/validate/command.go  |  4 +-
 pkg/openapi/validation.go        |  5 ++-
 pkg/openapi/validation_test.go   | 65 +++++++++++++++++++-------------
 pkg/policy/validate.go           | 14 ++++++-
 pkg/utils/json.go                | 46 ++++++++++++++++++++++
 pkg/webhooks/policyvalidation.go | 33 ++++------------
 7 files changed, 114 insertions(+), 57 deletions(-)

diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index dd00f94ef7..95e0f241cd 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -7,6 +7,8 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/nirmata/kyverno/pkg/utils"
+
 	"github.com/nirmata/kyverno/pkg/kyverno/sanitizedError"
 
 	policy2 "github.com/nirmata/kyverno/pkg/policy"
@@ -69,7 +71,7 @@ func Command() *cobra.Command {
 			}
 
 			for _, policy := range policies {
-				err := policy2.Validate(*policy)
+				err := policy2.Validate(utils.MarshalPolicy(*policy))
 				if err != nil {
 					return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name))
 				}
diff --git a/pkg/kyverno/validate/command.go b/pkg/kyverno/validate/command.go
index bf20511e0d..dce6e7dc32 100644
--- a/pkg/kyverno/validate/command.go
+++ b/pkg/kyverno/validate/command.go
@@ -7,6 +7,8 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/nirmata/kyverno/pkg/utils"
+
 	"github.com/nirmata/kyverno/pkg/kyverno/sanitizedError"
 
 	"github.com/golang/glog"
@@ -43,7 +45,7 @@ func Command() *cobra.Command {
 			}
 
 			for _, policy := range policies {
-				err = policyvalidate.Validate(*policy)
+				err = policyvalidate.Validate(utils.MarshalPolicy(*policy))
 				if err != nil {
 					fmt.Println("Policy " + policy.Name + " is invalid")
 				} else {
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 22448341ba..69f9eff330 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -48,11 +48,12 @@ func init() {
 	}
 }
 
-func ValidatePolicyFields(policy v1.ClusterPolicy) error {
+func ValidatePolicyFields(policyRaw []byte) error {
 	openApiGlobalState.mutex.RLock()
 	defer openApiGlobalState.mutex.RUnlock()
 
-	policyRaw, err := json.Marshal(policy)
+	var policy v1.ClusterPolicy
+	err := json.Unmarshal(policyRaw, &policy)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/openapi/validation_test.go b/pkg/openapi/validation_test.go
index 4c245b7100..9eb1f54e3a 100644
--- a/pkg/openapi/validation_test.go
+++ b/pkg/openapi/validation_test.go
@@ -2,8 +2,11 @@ package openapi
 
 import (
 	"encoding/json"
+	"log"
 	"testing"
 
+	"github.com/nirmata/kyverno/pkg/utils"
+
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 )
 
@@ -64,32 +67,42 @@ func Test_ValidateMutationPolicy(t *testing.T) {
 
 }
 
-func Test_ValidatePolicyFields(t *testing.T) {
+//func Test_ValidatePolicyFields(t *testing.T) {
+//
+//	tcs := []struct {
+//		description string
+//		policy      []byte
+//		errMessage  string
+//	}{
+//		{
+//			description: "Dealing with invalid fields in the policy",
+//			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"disallow-root-user"},"validationFailureAction":"enforce","spec":{"background":false,"rules":[{"name":"validate-runAsNonRoot","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"kinds":["Pod"]}},"validate":{"message":"Running as root user is not allowed. Set runAsNonRoot to true","anyPattern":[{"spec":{"securityContext":{"runAsNonRoot":true}}},{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}]}}]}}`),
+//		},
+//	}
+//
+//	for i, tc := range tcs {
+//		policy := v1.ClusterPolicy{}
+//		_ = json.Unmarshal(tc.policy, &policy)
+//
+//		var errMessage string
+//		err := ValidatePolicyFields(policy)
+//		if err != nil {
+//			errMessage = err.Error()
+//		}
+//
+//		if errMessage != tc.errMessage {
+//			t.Errorf("\nTestcase [%v] failed:\nExpected Error:  %v\nGot Error:  %v", i+1, tc.errMessage, errMessage)
+//		}
+//	}
+//
+//}
 
-	tcs := []struct {
-		description string
-		policy      []byte
-		errMessage  string
-	}{
-		{
-			description: "Dealing with invalid fields in the policy",
-			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"disallow-root-user"},"validationFailureAction":"enforce","spec":{"background":false,"rules":[{"name":"validate-runAsNonRoot","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"kinds":["Pod"]}},"validate":{"message":"Running as root user is not allowed. Set runAsNonRoot to true","anyPattern":[{"spec":{"securityContext":{"runAsNonRoot":true}}},{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}]}}]}}`),
-		},
-	}
-
-	for i, tc := range tcs {
-		policy := v1.ClusterPolicy{}
-		_ = json.Unmarshal(tc.policy, &policy)
-
-		var errMessage string
-		err := ValidatePolicyFields(policy)
-		if err != nil {
-			errMessage = err.Error()
-		}
-
-		if errMessage != tc.errMessage {
-			t.Errorf("\nTestcase [%v] failed:\nExpected Error:  %v\nGot Error:  %v", i+1, tc.errMessage, errMessage)
-		}
-	}
+func TestDummy(t *testing.T) {
+	var policy v1.ClusterPolicy
+	policyRaw := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"kyverno.io/v1\",\"kind\":\"ClusterPolicy\",\"metadata\":{\"annotations\":{},\"name\":\"disallow-root-user\"},\"spec\":{\"background\":false,\"rules\":[{\"exclude\":{\"resources\":{\"kinds\":[\"Pod\"]}},\"match\":{\"resources\":{\"kinds\":[\"Pod\"]}},\"name\":\"validate-runAsNonRoot\",\"validate\":{\"anyPattern\":[{\"spec\":{\"securityContext\":{\"runAsNonRoot\":true}}},{\"spec\":{\"containers\":[{\"securityContext\":{\"runAsNonRoot\":true}}]}}],\"message\":\"Running as root user is not allowed. Set runAsNonRoot to true\"}}]},\"validationFailureAction\":\"enforce\"}\n","pod-policies.kyverno.io/autogen-controllers":"all"},"creationTimestamp":"2020-03-24T16:06:22Z","generation":1,"name":"disallow-root-user","uid":"54725f78-a292-4d19-a78f-a859f7539834"},"spec":{"background":false,"rules":[{"exclude":{"resources":{"kinds":["Pod"]}},"match":{"resources":{"kinds":["Pod"]}},"name":"validate-runAsNonRoot","validate":{"anyPattern":[{"spec":{"securityContext":{"runAsNonRoot":true}}},{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}],"message":"Running as root user is not allowed. Set runAsNonRoot to true"}},{"exclude":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"match":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"name":"autogen-validate-runAsNonRoot","validate":{"anyPattern":[{"spec":{"template":{"spec":{"securityContext":{"runAsNonRoot":true}}}}},{"spec":{"template":{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}}}],"message":"Running as root user is not allowed. Set runAsNonRoot to true"}}],"validationFailureAction":"audit"},"validationFailureAction":"enforce"}`)
+	json.Unmarshal(policyRaw, &policy)
 
+	policyRaw1, _ := json.Marshal(policy)
+	policyRaw2 := utils.MarshalPolicy(policy)
+	log.Println(policyRaw1, policyRaw2)
 }
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index c855546622..9dec98a2c9 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -1,6 +1,7 @@
 package policy
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"reflect"
@@ -8,6 +9,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/golang/glog"
+
 	"github.com/nirmata/kyverno/pkg/openapi"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -19,7 +22,14 @@ import (
 // Validate does some initial check to verify some conditions
 // - One operation per rule
 // - ResourceDescription mandatory checks
-func Validate(p kyverno.ClusterPolicy) error {
+func Validate(policyRaw []byte) error {
+	var p kyverno.ClusterPolicy
+	err := json.Unmarshal(policyRaw, &p)
+	if err != nil {
+		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
+		return fmt.Errorf("failed to unmarshal policy admission request err %v", err)
+	}
+
 	if path, err := validateUniqueRuleName(p); err != nil {
 		return fmt.Errorf("path: spec.%s: %v", path, err)
 	}
@@ -82,7 +92,7 @@ func Validate(p kyverno.ClusterPolicy) error {
 		}
 	}
 
-	if err := openapi.ValidatePolicyFields(p); err != nil {
+	if err := openapi.ValidatePolicyFields(policyRaw); err != nil {
 		return err
 	}
 
diff --git a/pkg/utils/json.go b/pkg/utils/json.go
index 471714958f..23eec81ffb 100644
--- a/pkg/utils/json.go
+++ b/pkg/utils/json.go
@@ -1,5 +1,12 @@
 package utils
 
+import (
+	"encoding/json"
+	"reflect"
+
+	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+)
+
 // JoinPatches joins array of serialized JSON patches to the single JSONPatch array
 func JoinPatches(patches [][]byte) []byte {
 	var result []byte
@@ -17,3 +24,42 @@ func JoinPatches(patches [][]byte) []byte {
 	result = append(result, []byte("\n]")...)
 	return result
 }
+
+// MarshalPolicy accurately marshals a policy to JSON,
+// normal marshal would cause empty sub structs in
+// policy to be non nil.
+// TODO This needs to be removed. A simpler way to encode and decode Policy is needed.
+func MarshalPolicy(policy v1.ClusterPolicy) []byte {
+	var rules []interface{}
+	rulesRaw, _ := json.Marshal(policy.Spec.Rules)
+	_ = json.Unmarshal(rulesRaw, &rules)
+	for i, r := range rules {
+		rule, _ := r.(map[string]interface{})
+
+		if reflect.DeepEqual(policy.Spec.Rules[i].Mutation, v1.Mutation{}) {
+			delete(rule, "mutate")
+		}
+		if reflect.DeepEqual(policy.Spec.Rules[i].Validation, v1.Validation{}) {
+			delete(rule, "validate")
+		}
+		if reflect.DeepEqual(policy.Spec.Rules[i].Generation, v1.Generation{}) {
+			delete(rule, "generate")
+		}
+
+		rules[i] = rule
+	}
+
+	var policyRepresentation = make(map[string]interface{})
+	policyRaw, _ := json.Marshal(policy)
+	_ = json.Unmarshal(policyRaw, &policyRepresentation)
+
+	specRepresentation, _ := policyRepresentation["spec"].(map[string]interface{})
+
+	specRepresentation["rules"] = rules
+
+	policyRepresentation["spec"] = specRepresentation
+
+	policyRaw, _ = json.Marshal(policyRepresentation)
+
+	return policyRaw
+}
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index fefa9a11f7..d58a22eec9 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -1,45 +1,28 @@
 package webhooks
 
 import (
-	"encoding/json"
-	"fmt"
-
 	policyvalidate "github.com/nirmata/kyverno/pkg/policy"
 
-	"github.com/golang/glog"
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1beta1 "k8s.io/api/admission/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 //HandlePolicyValidation performs the validation check on policy resource
 func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	var policy *kyverno.ClusterPolicy
-	admissionResp := &v1beta1.AdmissionResponse{
-		Allowed: true,
-	}
-
 	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
-	raw := request.Object.Raw
-	if err := json.Unmarshal(raw, &policy); err != nil {
-		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
-		return &v1beta1.AdmissionResponse{Allowed: false,
-			Result: &metav1.Status{
-				Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err),
-			}}
-	}
-	if err := policyvalidate.Validate(*policy); err != nil {
-		admissionResp = &v1beta1.AdmissionResponse{
+	if err := policyvalidate.Validate(request.Object.Raw); err != nil {
+		return &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{
 				Message: err.Error(),
 			},
 		}
 	}
-	if admissionResp.Allowed {
-		// if the policy contains mutating & validation rules and it config does not exist we create one
-		// queue the request
-		ws.resourceWebhookWatcher.RegisterResourceWebhook()
+
+	// if the policy contains mutating & validation rules and it config does not exist we create one
+	// queue the request
+	ws.resourceWebhookWatcher.RegisterResourceWebhook()
+	return &v1beta1.AdmissionResponse{
+		Allowed: true,
 	}
-	return admissionResp
 }

From 66c97ef3bacda43a852c326b58e6bebce21f931d Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 24 Mar 2020 23:18:46 +0530
Subject: [PATCH 034/201] 754 fixing tests

---
 pkg/openapi/validation_test.go | 21 +++++++++------------
 pkg/policy/validate_test.go    | 12 ++----------
 2 files changed, 11 insertions(+), 22 deletions(-)

diff --git a/pkg/openapi/validation_test.go b/pkg/openapi/validation_test.go
index 9eb1f54e3a..2e70accee5 100644
--- a/pkg/openapi/validation_test.go
+++ b/pkg/openapi/validation_test.go
@@ -2,11 +2,8 @@ package openapi
 
 import (
 	"encoding/json"
-	"log"
 	"testing"
 
-	"github.com/nirmata/kyverno/pkg/utils"
-
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 )
 
@@ -97,12 +94,12 @@ func Test_ValidateMutationPolicy(t *testing.T) {
 //
 //}
 
-func TestDummy(t *testing.T) {
-	var policy v1.ClusterPolicy
-	policyRaw := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"kyverno.io/v1\",\"kind\":\"ClusterPolicy\",\"metadata\":{\"annotations\":{},\"name\":\"disallow-root-user\"},\"spec\":{\"background\":false,\"rules\":[{\"exclude\":{\"resources\":{\"kinds\":[\"Pod\"]}},\"match\":{\"resources\":{\"kinds\":[\"Pod\"]}},\"name\":\"validate-runAsNonRoot\",\"validate\":{\"anyPattern\":[{\"spec\":{\"securityContext\":{\"runAsNonRoot\":true}}},{\"spec\":{\"containers\":[{\"securityContext\":{\"runAsNonRoot\":true}}]}}],\"message\":\"Running as root user is not allowed. Set runAsNonRoot to true\"}}]},\"validationFailureAction\":\"enforce\"}\n","pod-policies.kyverno.io/autogen-controllers":"all"},"creationTimestamp":"2020-03-24T16:06:22Z","generation":1,"name":"disallow-root-user","uid":"54725f78-a292-4d19-a78f-a859f7539834"},"spec":{"background":false,"rules":[{"exclude":{"resources":{"kinds":["Pod"]}},"match":{"resources":{"kinds":["Pod"]}},"name":"validate-runAsNonRoot","validate":{"anyPattern":[{"spec":{"securityContext":{"runAsNonRoot":true}}},{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}],"message":"Running as root user is not allowed. Set runAsNonRoot to true"}},{"exclude":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"match":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"name":"autogen-validate-runAsNonRoot","validate":{"anyPattern":[{"spec":{"template":{"spec":{"securityContext":{"runAsNonRoot":true}}}}},{"spec":{"template":{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}}}],"message":"Running as root user is not allowed. Set runAsNonRoot to true"}}],"validationFailureAction":"audit"},"validationFailureAction":"enforce"}`)
-	json.Unmarshal(policyRaw, &policy)
-
-	policyRaw1, _ := json.Marshal(policy)
-	policyRaw2 := utils.MarshalPolicy(policy)
-	log.Println(policyRaw1, policyRaw2)
-}
+//func TestDummy(t *testing.T) {
+//	var policy v1.ClusterPolicy
+//	policyRaw := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"kyverno.io/v1\",\"kind\":\"ClusterPolicy\",\"metadata\":{\"annotations\":{},\"name\":\"disallow-root-user\"},\"spec\":{\"background\":false,\"rules\":[{\"exclude\":{\"resources\":{\"kinds\":[\"Pod\"]}},\"match\":{\"resources\":{\"kinds\":[\"Pod\"]}},\"name\":\"validate-runAsNonRoot\",\"validate\":{\"anyPattern\":[{\"spec\":{\"securityContext\":{\"runAsNonRoot\":true}}},{\"spec\":{\"containers\":[{\"securityContext\":{\"runAsNonRoot\":true}}]}}],\"message\":\"Running as root user is not allowed. Set runAsNonRoot to true\"}}]},\"validationFailureAction\":\"enforce\"}\n","pod-policies.kyverno.io/autogen-controllers":"all"},"creationTimestamp":"2020-03-24T16:06:22Z","generation":1,"name":"disallow-root-user","uid":"54725f78-a292-4d19-a78f-a859f7539834"},"spec":{"background":false,"rules":[{"exclude":{"resources":{"kinds":["Pod"]}},"match":{"resources":{"kinds":["Pod"]}},"name":"validate-runAsNonRoot","validate":{"anyPattern":[{"spec":{"securityContext":{"runAsNonRoot":true}}},{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}],"message":"Running as root user is not allowed. Set runAsNonRoot to true"}},{"exclude":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"match":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"name":"autogen-validate-runAsNonRoot","validate":{"anyPattern":[{"spec":{"template":{"spec":{"securityContext":{"runAsNonRoot":true}}}}},{"spec":{"template":{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}}}],"message":"Running as root user is not allowed. Set runAsNonRoot to true"}}],"validationFailureAction":"audit"},"validationFailureAction":"enforce"}`)
+//	json.Unmarshal(policyRaw, &policy)
+//
+//	policyRaw1, _ := json.Marshal(policy)
+//	policyRaw2 := utils.MarshalPolicy(policy)
+//	log.Println(policyRaw1, policyRaw2)
+//}
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 387c87707b..9082e9322a 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -732,11 +732,7 @@ func Test_Validate_Policy(t *testing.T) {
 		}
 	 }`)
 
-	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
-
-	err = Validate(policy)
+	err := Validate(rawPolicy)
 	assert.NilError(t, err)
 }
 
@@ -1093,11 +1089,7 @@ func Test_Validate_ErrorFormat(t *testing.T) {
 	 }
 	`)
 
-	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
-
-	err = Validate(policy)
+	err := Validate(rawPolicy)
 	assert.Assert(t, err != nil)
 }
 

From 2443a9997d981b1e70554f712b5ba31f7aa6eb89 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 25 Mar 2020 02:00:30 +0530
Subject: [PATCH 035/201] 754 crds can be immidiatly validate on startup -
 changed locks so as to not timeout requests

---
 cmd/kyverno/main.go       |  2 +-
 pkg/openapi/crdSync.go    |  7 ++---
 pkg/openapi/validation.go | 66 +++++++++++++++++++--------------------
 3 files changed, 37 insertions(+), 38 deletions(-)

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 857039b35a..7087d41832 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -252,7 +252,7 @@ func main() {
 	go grcc.Run(1, stopCh)
 	go pvgen.Run(1, stopCh)
 	go statusSync.Run(1, stopCh)
-	go openApiSync.Run(1, stopCh)
+	openApiSync.Run(1, stopCh)
 
 	// verifys if the admission control is enabled and active
 	// resync: 60 seconds
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 56a7580025..908d2115f1 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -55,19 +55,18 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	for i := 0; i < workers; i++ {
 		go wait.Until(c.sync, time.Second*10, stopCh)
 	}
-	<-stopCh
 }
 
 func (c *crdSync) sync() {
-	openApiGlobalState.mutex.Lock()
-	defer openApiGlobalState.mutex.Unlock()
-
 	crds, err := c.client.ListResource("CustomResourceDefinition", "", nil)
 	if err != nil {
 		glog.V(4).Infof("could not fetch crd's from server: %v", err)
 		return
 	}
 
+	openApiGlobalState.mutex.Lock()
+	defer openApiGlobalState.mutex.Unlock()
+
 	deleteCRDFromPreviousSync()
 
 	for _, crd := range crds.Items {
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 69f9eff330..5f7b2ac1bd 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -71,6 +71,39 @@ func ValidatePolicyFields(policyRaw []byte) error {
 	return validatePolicyMutation(policy)
 }
 
+func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+	var err error
+
+	kind = openApiGlobalState.kindToDefinitionName[kind]
+	schema := openApiGlobalState.models.LookupModel(kind)
+	if schema == nil {
+		schema, err = getSchemaFromDefinitions(kind)
+		if err != nil || schema == nil {
+			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
+		}
+		delete(patchedResource.Object, "kind")
+	}
+
+	if errs := validation.ValidateModel(patchedResource.UnstructuredContent(), schema, kind); len(errs) > 0 {
+		var errorMessages []string
+		for i := range errs {
+			errorMessages = append(errorMessages, errs[i].Error())
+		}
+
+		return fmt.Errorf(strings.Join(errorMessages, "\n\n"))
+	}
+
+	return nil
+}
+
+func GetDefinitionNameFromKind(kind string) string {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+	return openApiGlobalState.kindToDefinitionName[kind]
+}
+
 func validatePolicyMutation(policy v1.ClusterPolicy) error {
 	var kindToRules = make(map[string][]v1.Rule)
 	for _, rule := range policy.Spec.Rules {
@@ -112,39 +145,6 @@ func validatePolicyMutation(policy v1.ClusterPolicy) error {
 	return nil
 }
 
-func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
-	openApiGlobalState.mutex.RLock()
-	defer openApiGlobalState.mutex.RUnlock()
-	var err error
-
-	kind = openApiGlobalState.kindToDefinitionName[kind]
-	schema := openApiGlobalState.models.LookupModel(kind)
-	if schema == nil {
-		schema, err = getSchemaFromDefinitions(kind)
-		if err != nil || schema == nil {
-			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
-		}
-		delete(patchedResource.Object, "kind")
-	}
-
-	if errs := validation.ValidateModel(patchedResource.UnstructuredContent(), schema, kind); len(errs) > 0 {
-		var errorMessages []string
-		for i := range errs {
-			errorMessages = append(errorMessages, errs[i].Error())
-		}
-
-		return fmt.Errorf(strings.Join(errorMessages, "\n\n"))
-	}
-
-	return nil
-}
-
-func GetDefinitionNameFromKind(kind string) string {
-	openApiGlobalState.mutex.RLock()
-	defer openApiGlobalState.mutex.RUnlock()
-	return openApiGlobalState.kindToDefinitionName[kind]
-}
-
 func useOpenApiDocument(customDoc *openapi_v2.Document) error {
 	openApiGlobalState.mutex.Lock()
 	defer openApiGlobalState.mutex.Unlock()

From 2e8cb1e482b63e7a4fb4bc9323d5b6af36cbd751 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 25 Mar 2020 02:04:43 +0530
Subject: [PATCH 036/201] 754 removed uneeded tests

---
 pkg/openapi/validation_test.go | 40 ----------------------------------
 1 file changed, 40 deletions(-)

diff --git a/pkg/openapi/validation_test.go b/pkg/openapi/validation_test.go
index 2e70accee5..12fe81ca81 100644
--- a/pkg/openapi/validation_test.go
+++ b/pkg/openapi/validation_test.go
@@ -63,43 +63,3 @@ func Test_ValidateMutationPolicy(t *testing.T) {
 	}
 
 }
-
-//func Test_ValidatePolicyFields(t *testing.T) {
-//
-//	tcs := []struct {
-//		description string
-//		policy      []byte
-//		errMessage  string
-//	}{
-//		{
-//			description: "Dealing with invalid fields in the policy",
-//			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"disallow-root-user"},"validationFailureAction":"enforce","spec":{"background":false,"rules":[{"name":"validate-runAsNonRoot","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"kinds":["Pod"]}},"validate":{"message":"Running as root user is not allowed. Set runAsNonRoot to true","anyPattern":[{"spec":{"securityContext":{"runAsNonRoot":true}}},{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}]}}]}}`),
-//		},
-//	}
-//
-//	for i, tc := range tcs {
-//		policy := v1.ClusterPolicy{}
-//		_ = json.Unmarshal(tc.policy, &policy)
-//
-//		var errMessage string
-//		err := ValidatePolicyFields(policy)
-//		if err != nil {
-//			errMessage = err.Error()
-//		}
-//
-//		if errMessage != tc.errMessage {
-//			t.Errorf("\nTestcase [%v] failed:\nExpected Error:  %v\nGot Error:  %v", i+1, tc.errMessage, errMessage)
-//		}
-//	}
-//
-//}
-
-//func TestDummy(t *testing.T) {
-//	var policy v1.ClusterPolicy
-//	policyRaw := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"kyverno.io/v1\",\"kind\":\"ClusterPolicy\",\"metadata\":{\"annotations\":{},\"name\":\"disallow-root-user\"},\"spec\":{\"background\":false,\"rules\":[{\"exclude\":{\"resources\":{\"kinds\":[\"Pod\"]}},\"match\":{\"resources\":{\"kinds\":[\"Pod\"]}},\"name\":\"validate-runAsNonRoot\",\"validate\":{\"anyPattern\":[{\"spec\":{\"securityContext\":{\"runAsNonRoot\":true}}},{\"spec\":{\"containers\":[{\"securityContext\":{\"runAsNonRoot\":true}}]}}],\"message\":\"Running as root user is not allowed. Set runAsNonRoot to true\"}}]},\"validationFailureAction\":\"enforce\"}\n","pod-policies.kyverno.io/autogen-controllers":"all"},"creationTimestamp":"2020-03-24T16:06:22Z","generation":1,"name":"disallow-root-user","uid":"54725f78-a292-4d19-a78f-a859f7539834"},"spec":{"background":false,"rules":[{"exclude":{"resources":{"kinds":["Pod"]}},"match":{"resources":{"kinds":["Pod"]}},"name":"validate-runAsNonRoot","validate":{"anyPattern":[{"spec":{"securityContext":{"runAsNonRoot":true}}},{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}],"message":"Running as root user is not allowed. Set runAsNonRoot to true"}},{"exclude":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"match":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"name":"autogen-validate-runAsNonRoot","validate":{"anyPattern":[{"spec":{"template":{"spec":{"securityContext":{"runAsNonRoot":true}}}}},{"spec":{"template":{"spec":{"containers":[{"securityContext":{"runAsNonRoot":true}}]}}}}],"message":"Running as root user is not allowed. Set runAsNonRoot to true"}}],"validationFailureAction":"audit"},"validationFailureAction":"enforce"}`)
-//	json.Unmarshal(policyRaw, &policy)
-//
-//	policyRaw1, _ := json.Marshal(policy)
-//	policyRaw2 := utils.MarshalPolicy(policy)
-//	log.Println(policyRaw1, policyRaw2)
-//}

From a369675e0800743a02d78736ac5bcd68b1acec98 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 25 Mar 2020 02:15:56 +0530
Subject: [PATCH 037/201] 754 removing redundant code

---
 pkg/openapi/validation.go | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 5f7b2ac1bd..bb724b9d0e 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -79,6 +79,7 @@ func ValidateResource(patchedResource unstructured.Unstructured, kind string) er
 	kind = openApiGlobalState.kindToDefinitionName[kind]
 	schema := openApiGlobalState.models.LookupModel(kind)
 	if schema == nil {
+		// Check if kind is a CRD
 		schema, err = getSchemaFromDefinitions(kind)
 		if err != nil || schema == nil {
 			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
@@ -108,13 +109,6 @@ func validatePolicyMutation(policy v1.ClusterPolicy) error {
 	var kindToRules = make(map[string][]v1.Rule)
 	for _, rule := range policy.Spec.Rules {
 		if rule.HasMutate() {
-			rule.MatchResources = v1.MatchResources{
-				UserInfo: v1.UserInfo{},
-				ResourceDescription: v1.ResourceDescription{
-					Kinds: rule.MatchResources.Kinds,
-				},
-			}
-			rule.ExcludeResources = v1.ExcludeResources{}
 			for _, kind := range rule.MatchResources.Kinds {
 				kindToRules[kind] = append(kindToRules[kind], rule)
 			}

From 63e7533a495a5b6131842897c0614cc181f07e25 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 25 Mar 2020 02:20:04 +0530
Subject: [PATCH 038/201] 754 ensuring CRD syncs before kyverno starts

---
 pkg/openapi/crdSync.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 908d2115f1..61c32c45d3 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -52,6 +52,9 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 		glog.V(4).Infof("Could not set custom OpenApi document: %v\n", err)
 	}
 
+	// Sync CRD before kyverno starts
+	c.sync()
+
 	for i := 0; i < workers; i++ {
 		go wait.Until(c.sync, time.Second*10, stopCh)
 	}

From 4ae65497bfaf61145a263007092993ea464464bc Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 25 Mar 2020 10:53:03 +0530
Subject: [PATCH 039/201] 767 tested prototype

---
 cmd/kyverno/main.go              |  36 +++---
 pkg/webhooks/generate/handler.go |   1 +
 pkg/webhooks/generation.go       |   4 +-
 pkg/webhooks/mutation.go         |   6 +-
 pkg/webhooks/policyvalidation.go |   2 +-
 pkg/webhooks/server.go           | 188 ++++++++++++-------------------
 pkg/webhooks/validation.go       |   6 +-
 7 files changed, 99 insertions(+), 144 deletions(-)
 create mode 100644 pkg/webhooks/generate/handler.go

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 857039b35a..3948467639 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -219,22 +219,26 @@ func main() {
 	// -- annotations on resources with update details on mutation JSON patches
 	// -- generate policy violation resource
 	// -- generate events on policy and resource
-	server, err := webhooks.NewWebhookServer(
-		pclient,
-		client,
-		tlsPair,
-		pInformer.Kyverno().V1().ClusterPolicies(),
-		kubeInformer.Rbac().V1().RoleBindings(),
-		kubeInformer.Rbac().V1().ClusterRoleBindings(),
-		egen,
-		webhookRegistrationClient,
-		statusSync.Listener,
-		configData,
-		policyMetaStore,
-		pvgen,
-		grgen,
-		rWebhookWatcher,
-		cleanUp)
+	server, err := webhooks.NewWebhookServer(&webhooks.WebhookServer{
+		Client:                    client,
+		KyvernoClient:             pclient,
+		PLister:                   pInformer.Kyverno().V1().ClusterPolicies().Lister(),
+		PSynced:                   pInformer.Kyverno().V1().ClusterPolicies().Informer().HasSynced,
+		RbLister:                  kubeInformer.Rbac().V1().RoleBindings().Lister(),
+		RbSynced:                  kubeInformer.Rbac().V1().RoleBindings().Informer().HasSynced,
+		CrbLister:                 kubeInformer.Rbac().V1().ClusterRoleBindings().Lister(),
+		CrbSynced:                 kubeInformer.Rbac().V1().ClusterRoleBindings().Informer().HasSynced,
+		EventGen:                  egen,
+		WebhookRegistrationClient: webhookRegistrationClient,
+		StatusListener:            statusSync.Listener,
+		ConfigHandler:             configData,
+		CleanUp:                   cleanUp,
+		LastReqTime:               rWebhookWatcher.LastReqTime,
+		PvGenerator:               pvgen,
+		PMetaStore:                policyMetaStore,
+		GrGenerator:               grgen,
+		ResourceWebhookWatcher:    rWebhookWatcher,
+	}, tlsPair)
 	if err != nil {
 		glog.Fatalf("Unable to create webhook server: %v\n", err)
 	}
diff --git a/pkg/webhooks/generate/handler.go b/pkg/webhooks/generate/handler.go
new file mode 100644
index 0000000000..eb8347795a
--- /dev/null
+++ b/pkg/webhooks/generate/handler.go
@@ -0,0 +1 @@
+package generate
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 956c568cac..401b1e553e 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -66,13 +66,13 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 		if len(engineResponse.PolicyResponse.Rules) > 0 {
 			// some generate rules do apply to the resource
 			engineResponses = append(engineResponses, engineResponse)
-			ws.statusListener.Send(generateStats{
+			ws.StatusListener.Send(generateStats{
 				resp: engineResponse,
 			})
 		}
 	}
 	// Adds Generate Request to a channel(queue size 1000) to generators
-	if err := createGenerateRequest(ws.grGenerator, userRequestInfo, engineResponses...); err != nil {
+	if err := createGenerateRequest(ws.GrGenerator, userRequestInfo, engineResponses...); err != nil {
 		//TODO: send appropriate error
 		return false, "Kyverno blocked: failed to create Generate Requests"
 	}
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 1991427ebf..8469d00fde 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -63,7 +63,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 		policyContext.Policy = policy
 		engineResponse := engine.Mutate(policyContext)
 		engineResponses = append(engineResponses, engineResponse)
-		ws.statusListener.Send(mutateStats{resp: engineResponse})
+		ws.StatusListener.Send(mutateStats{resp: engineResponse})
 		if !engineResponse.IsSuccesful() {
 			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
 			continue
@@ -91,7 +91,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	// AUDIT
 	// generate violation when response fails
 	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
-	ws.pvGenerator.Add(pvInfos...)
+	ws.PvGenerator.Add(pvInfos...)
 	// REPORTING EVENTS
 	// Scenario 1:
 	//   some/all policies failed to apply on the resource. a policy volation is generated.
@@ -101,7 +101,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	//   create an event on the resource
 	// ADD EVENTS
 	events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update))
-	ws.eventGen.Add(events...)
+	ws.EventGen.Add(events...)
 
 	// debug info
 	func() {
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index fefa9a11f7..b713731d4e 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -39,7 +39,7 @@ func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionReques
 	if admissionResp.Allowed {
 		// if the policy contains mutating & validation rules and it config does not exist we create one
 		// queue the request
-		ws.resourceWebhookWatcher.RegisterResourceWebhook()
+		ws.ResourceWebhookWatcher.RegisterResourceWebhook()
 	}
 	return admissionResp
 }
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index b0ca988449..9cf689a677 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -13,7 +13,6 @@ import (
 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
-	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
@@ -27,7 +26,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/webhooks/generate"
 	v1beta1 "k8s.io/api/admission/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	rbacinformer "k8s.io/client-go/informers/rbac/v1"
 	rbaclister "k8s.io/client-go/listers/rbac/v1"
 	"k8s.io/client-go/tools/cache"
 )
@@ -36,64 +34,50 @@ import (
 // MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.
 type WebhookServer struct {
 	server        http.Server
-	client        *client.Client
-	kyvernoClient *kyvernoclient.Clientset
+	Client        *client.Client
+	KyvernoClient *kyvernoclient.Clientset
 	// list/get cluster policy resource
-	pLister kyvernolister.ClusterPolicyLister
+	PLister kyvernolister.ClusterPolicyLister
 	// returns true if the cluster policy store has synced atleast
-	pSynced cache.InformerSynced
+	PSynced cache.InformerSynced
 	// list/get role binding resource
-	rbLister rbaclister.RoleBindingLister
+	RbLister rbaclister.RoleBindingLister
 	// return true if role bining store has synced atleast once
-	rbSynced cache.InformerSynced
+	RbSynced cache.InformerSynced
 	// list/get cluster role binding resource
-	crbLister rbaclister.ClusterRoleBindingLister
+	CrbLister rbaclister.ClusterRoleBindingLister
 	// return true if cluster role binding store has synced atleast once
-	crbSynced cache.InformerSynced
+	CrbSynced cache.InformerSynced
 	// generate events
-	eventGen event.Interface
+	EventGen event.Interface
 	// webhook registration client
-	webhookRegistrationClient *webhookconfig.WebhookRegistrationClient
+	WebhookRegistrationClient *webhookconfig.WebhookRegistrationClient
 	// API to send policy stats for aggregation
-	statusListener policystatus.Listener
+	StatusListener policystatus.Listener
 	// helpers to validate against current loaded configuration
-	configHandler config.Interface
+	ConfigHandler config.Interface
 	// channel for cleanup notification
-	cleanUp chan<- struct{}
+	CleanUp chan<- struct{}
 	// last request time
-	lastReqTime *checker.LastReqTime
+	LastReqTime *checker.LastReqTime
 	// store to hold policy meta data for faster lookup
-	pMetaStore policystore.LookupInterface
+	PMetaStore policystore.LookupInterface
 	// policy violation generator
-	pvGenerator policyviolation.GeneratorInterface
+	PvGenerator policyviolation.GeneratorInterface
 	// generate request generator
-	grGenerator            *generate.Generator
-	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
+	GrGenerator            *generate.Generator
+	ResourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
 }
 
 // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
 // Policy Controller and Kubernetes Client should be initialized in configuration
 func NewWebhookServer(
-	kyvernoClient *kyvernoclient.Clientset,
-	client *client.Client,
-	tlsPair *tlsutils.TlsPemPair,
-	pInformer kyvernoinformer.ClusterPolicyInformer,
-	rbInformer rbacinformer.RoleBindingInformer,
-	crbInformer rbacinformer.ClusterRoleBindingInformer,
-	eventGen event.Interface,
-	webhookRegistrationClient *webhookconfig.WebhookRegistrationClient,
-	statusSync policystatus.Listener,
-	configHandler config.Interface,
-	pMetaStore policystore.LookupInterface,
-	pvGenerator policyviolation.GeneratorInterface,
-	grGenerator *generate.Generator,
-	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
-	cleanUp chan<- struct{}) (*WebhookServer, error) {
+	ws *WebhookServer,
+	tlsPair *tlsutils.TlsPemPair) (*WebhookServer, error) {
 
 	if tlsPair == nil {
 		return nil, errors.New("NewWebhookServer is not initialized properly")
 	}
-
 	var tlsConfig tls.Config
 	pair, err := tls.X509KeyPair(tlsPair.Certificate, tlsPair.PrivateKey)
 	if err != nil {
@@ -101,32 +85,12 @@ func NewWebhookServer(
 	}
 	tlsConfig.Certificates = []tls.Certificate{pair}
 
-	ws := &WebhookServer{
-		client:                    client,
-		kyvernoClient:             kyvernoClient,
-		pLister:                   pInformer.Lister(),
-		pSynced:                   pInformer.Informer().HasSynced,
-		rbLister:                  rbInformer.Lister(),
-		rbSynced:                  rbInformer.Informer().HasSynced,
-		crbLister:                 crbInformer.Lister(),
-		crbSynced:                 crbInformer.Informer().HasSynced,
-		eventGen:                  eventGen,
-		webhookRegistrationClient: webhookRegistrationClient,
-		statusListener:            statusSync,
-		configHandler:             configHandler,
-		cleanUp:                   cleanUp,
-		lastReqTime:               resourceWebhookWatcher.LastReqTime,
-		pvGenerator:               pvGenerator,
-		pMetaStore:                pMetaStore,
-		grGenerator:               grGenerator,
-		resourceWebhookWatcher:    resourceWebhookWatcher,
-	}
 	mux := http.NewServeMux()
-	mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.serve)
+	mux.HandleFunc(config.MutatingWebhookServicePath, ws.handlerFunc(ws.handleMutateAdmissionRequest, true))
+	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.handlerFunc(ws.handleValidateAdmissionRequest, true))
+	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyMutation, true))
+	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyValidation, true))
+	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.handleVerifyRequest, false))
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,
@@ -138,64 +102,50 @@ func NewWebhookServer(
 	return ws, nil
 }
 
-// Main server endpoint for all requests
-func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
-	startTime := time.Now()
-	// for every request received on the ep update last request time,
-	// this is used to verify admission control
-	ws.lastReqTime.SetTime(time.Now())
-	admissionReview := ws.bodyToAdmissionReview(r, w)
-	if admissionReview == nil {
-		return
-	}
-	defer func() {
-		glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
-	}()
-
-	admissionReview.Response = &v1beta1.AdmissionResponse{
-		Allowed: true,
-	}
-
-	// Do not process the admission requests for kinds that are in filterKinds for filtering
-	request := admissionReview.Request
-	switch r.URL.Path {
-	case config.VerifyMutatingWebhookServicePath:
-		// we do not apply filters as this endpoint is used explicitly
-		// to watch kyveno deployment and verify if admission control is enabled
-		admissionReview.Response = ws.handleVerifyRequest(request)
-	case config.MutatingWebhookServicePath:
-		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-			admissionReview.Response = ws.handleMutateAdmissionRequest(request)
+func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse, filter bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		startTime := time.Now()
+		// for every request received on the ep update last request time,
+		// this is used to verify admission control
+		ws.LastReqTime.SetTime(time.Now())
+		admissionReview := ws.bodyToAdmissionReview(r, w)
+		if admissionReview == nil {
+			return
 		}
-	case config.ValidatingWebhookServicePath:
-		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-			admissionReview.Response = ws.handleValidateAdmissionRequest(request)
-		}
-	case config.PolicyValidatingWebhookServicePath:
-		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-			admissionReview.Response = ws.handlePolicyValidation(request)
-		}
-	case config.PolicyMutatingWebhookServicePath:
-		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-			admissionReview.Response = ws.handlePolicyMutation(request)
-		}
-	}
-	admissionReview.Response.UID = request.UID
+		defer func() {
+			glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
+		}()
 
-	responseJSON, err := json.Marshal(admissionReview)
-	if err != nil {
-		http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
-		return
-	}
+		admissionReview.Response = &v1beta1.AdmissionResponse{
+			Allowed: true,
+		}
 
-	w.Header().Set("Content-Type", "application/json; charset=utf-8")
-	if _, err := w.Write(responseJSON); err != nil {
-		http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
+		// Do not process the admission requests for kinds that are in filterKinds for filtering
+		request := admissionReview.Request
+		if filter {
+			if !ws.ConfigHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
+				admissionReview.Response = handler(request)
+			}
+		} else {
+			admissionReview.Response = handler(request)
+		}
+		admissionReview.Response.UID = request.UID
+
+		responseJSON, err := json.Marshal(admissionReview)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
+			return
+		}
+
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+		if _, err := w.Write(responseJSON); err != nil {
+			http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
+		}
 	}
 }
 
 func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	policies, err := ws.pMetaStore.ListAll()
+	policies, err := ws.PMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
 		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
@@ -207,7 +157,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	// getRoleRef only if policy has roles/clusterroles defined
 	startTime := time.Now()
 	if containRBACinfo(policies) {
-		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
+		roles, clusterRoles, err = userinfo.GetRoleRef(ws.RbLister, ws.CrbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
 			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
@@ -247,7 +197,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	// patch the resource with patches before handling validation rules
 	patchedResource := processResourceWithPatches(patches, request.Object.Raw)
 
-	if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
+	if ws.ResourceWebhookWatcher != nil && ws.ResourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
 		// VALIDATION
 		ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
 		if !ok {
@@ -292,7 +242,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 }
 
 func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	policies, err := ws.pMetaStore.ListAll()
+	policies, err := ws.PMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
 		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
@@ -304,7 +254,7 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 	// getRoleRef only if policy has roles/clusterroles defined
 	startTime := time.Now()
 	if containRBACinfo(policies) {
-		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
+		roles, clusterRoles, err = userinfo.GetRoleRef(ws.RbLister, ws.CrbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
 			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
@@ -336,7 +286,7 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 
 // RunAsync TLS server in separate thread and returns control immediately
 func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
-	if !cache.WaitForCacheSync(stopCh, ws.pSynced, ws.rbSynced, ws.crbSynced) {
+	if !cache.WaitForCacheSync(stopCh, ws.PSynced, ws.RbSynced, ws.CrbSynced) {
 		glog.Error("webhook: failed to sync informer cache")
 	}
 
@@ -351,7 +301,7 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
 	// resync: 60 seconds
 	// deadline: 60 seconds (send request)
 	// max deadline: deadline*3 (set the deployment annotation as false)
-	go ws.lastReqTime.Run(ws.pLister, ws.eventGen, ws.client, checker.DefaultResync, checker.DefaultDeadline, stopCh)
+	go ws.LastReqTime.Run(ws.PLister, ws.EventGen, ws.Client, checker.DefaultResync, checker.DefaultDeadline, stopCh)
 
 }
 
@@ -359,7 +309,7 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
 func (ws *WebhookServer) Stop(ctx context.Context) {
 	// cleanUp
 	// remove the static webhookconfigurations
-	go ws.webhookRegistrationClient.RemoveWebhookConfigurations(ws.cleanUp)
+	go ws.WebhookRegistrationClient.RemoveWebhookConfigurations(ws.CleanUp)
 	// shutdown http.Server with context timeout
 	err := ws.server.Shutdown(ctx)
 	if err != nil {
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index 54a7fbdf3e..cbfa142167 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -71,7 +71,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 			continue
 		}
 		engineResponses = append(engineResponses, engineResponse)
-		ws.statusListener.Send(validateStats{
+		ws.StatusListener.Send(validateStats{
 			resp: engineResponse,
 		})
 		if !engineResponse.IsSuccesful() {
@@ -98,7 +98,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	//   all policies were applied succesfully.
 	//   create an event on the resource
 	events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update))
-	ws.eventGen.Add(events...)
+	ws.EventGen.Add(events...)
 	if blocked {
 		glog.V(4).Infof("resource %s/%s/%s is blocked\n", newR.GetKind(), newR.GetNamespace(), newR.GetName())
 		return false, getEnforceFailureErrorMsg(engineResponses)
@@ -107,7 +107,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	// ADD POLICY VIOLATIONS
 	// violations are created with resource on "audit"
 	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
-	ws.pvGenerator.Add(pvInfos...)
+	ws.PvGenerator.Add(pvInfos...)
 	// report time end
 	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), request.Kind, request.Namespace, request.Name)
 	return true, ""

From a0e8a6a0d5591f8bcc0e2cde0a980f2aff12a0f2 Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Thu, 26 Mar 2020 19:10:54 +0530
Subject: [PATCH 040/201] revert data loaction

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 CONTRIBUTING.md               | 65 +----------------------------------
 {x/data => api}/swaggerDoc.go |  0
 pkg/openapi/validation.go     |  2 +-
 3 files changed, 2 insertions(+), 65 deletions(-)
 rename {x/data => api}/swaggerDoc.go (100%)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 5cde32383b..4ec268d2f5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,36 +1,5 @@
 # Contributing to Kyverno
 
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-
-
-- [Introduction](#introduction)
-- [Contributing Code](#contributing-code)
-- [Disclosing vulnerabilities](#disclosing-vulnerabilities)
-- [Code Style](#code-style)
-- [Pull request procedure](#pull-request-procedure)
-- [Communication](#communication)
-- [Conduct](./CODE_OF_CONDUCT.md)
-
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-
-## Introduction
-
-Please note: We take Kyverno security and our users' trust very
-seriously. If you believe you have found a security issue in Kyverno,
-please responsibly disclose by contacting us at support@nirmata.com.
-
-First: if you're unsure or afraid of anything, just ask or submit the issue or
-pull request anyways. You won't be yelled at for giving it your best effort. The
-worst that can happen is that you'll be politely asked to change something. We
-appreciate any sort of contributions, and don't want a wall of rules to get in
-the way of that.
-
-That said, if you want to ensure that a pull request is likely to be merged,
-talk to us! You can find out our thoughts and ensure that your contribution
-won't clash or be obviated by Kyverno normal direction. A great way to
-do this is via the [Kyverno Community](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9)
-
 ## Contributing Code
 
 Unless you are fixing a known bug, we **strongly** recommend discussing it with
@@ -59,36 +28,4 @@ not use GitHub issues.
 
 ## Code Style
 
-We follow the community provided standard [code structure](https://github.com/golang-standards/project-layout). Please follow these guidelines when formatting source code:
-
-- Go code should match the output of `gofmt -s`
-
-## Pull request procedure
-
-To make a pull request, you will need a GitHub account; if you are unclear on
-this process, see GitHub's documentation on
-[forking](https://help.github.com/articles/fork-a-repo) and
-[pull requests](https://help.github.com/articles/using-pull-requests). Pull
-requests should be targeted at the `master` branch. Before creating a pull
-request, go through this checklist:
-
-1. Create a feature branch off of `master` so that changes do not get mixed up.
-1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local
-   changes against the `master` branch.
-1. Run the full project test suite with the `go test ./...` (or equivalent)
-   command and confirm that it passes.
-1. Run `gofmt -s` (if the project is written in Go).
-1. Ensure that each commit has a subsystem prefix (ex: `controller:`).
-
-Pull requests will be treated as "review requests," and maintainers will give
-feedback on the style and substance of the patch.
-
-Normally, all pull requests must include tests that test your change.
-Occasionally, a change will be very difficult to test for. In those cases,
-please include a note in your commit message explaining why.
-
-## Communication
-
-We use [Slack](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9). You are welcome to drop in and ask
-questions, discuss bugs, etc.
-
+We follow the community provided standard [code structure](https://github.com/golang-standards/project-layout).
diff --git a/x/data/swaggerDoc.go b/api/swaggerDoc.go
similarity index 100%
rename from x/data/swaggerDoc.go
rename to api/swaggerDoc.go
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 24050421ec..44e22123d0 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 	"sync"
 
-	data "github.com/nirmata/kyverno/x/data"
+	data "github.com/nirmata/kyverno/api"
 
 	"github.com/golang/glog"
 

From 9885be4050ef1e49a47cfaa1744a88cab640609c Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Thu, 26 Mar 2020 19:18:00 +0530
Subject: [PATCH 041/201] revert data loaction

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 CONTRIBUTING.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 4ec268d2f5..58ce3b422d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -21,11 +21,9 @@ Reviewers should leave a "LGTM" comment once they are satisfied with the patch.
 If the patch was submitted by a maintainer with write access, the pull request
 should be merged by the submitter after review.
 
-## Disclosing vulnerabilities
-
-Please disclose vulnerabilities exclusively to [support@nirmata.com](mailto:support@nirmata.com). Do
-not use GitHub issues.
 
 ## Code Style
 
 We follow the community provided standard [code structure](https://github.com/golang-standards/project-layout).
+
+See : https://github.com/nirmata/kyverno#contributing

From b001327a259dd31505b1c02cb50775a19177fac4 Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Thu, 26 Mar 2020 20:06:20 +0530
Subject: [PATCH 042/201] remove extra documentation

---
 CONTRIBUTING.md | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 58ce3b422d..9941e08dd5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,27 +1,5 @@
 # Contributing to Kyverno
 
-## Contributing Code
-
-Unless you are fixing a known bug, we **strongly** recommend discussing it with
-the core team via a GitHub issue or [in our chat](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9)
-before getting started to ensure your work is consistent with Kyverno
-roadmap and architecture.
-
-All contributions are made via pull request. Note that **all patches from all
-contributors get reviewed**. After a pull request is made other contributors
-will offer feedback, and if the patch passes review a maintainer will accept it
-with a comment. When pull requests fail testing, authors are expected to update
-their pull requests to address the failures until the tests pass and the pull
-request merges successfully.
-
-At least one review from a maintainer is required for all patches (even patches
-from maintainers).
-
-Reviewers should leave a "LGTM" comment once they are satisfied with the patch.
-If the patch was submitted by a maintainer with write access, the pull request
-should be merged by the submitter after review.
-
-
 ## Code Style
 
 We follow the community provided standard [code structure](https://github.com/golang-standards/project-layout).

From f94465a65315a79ebed36c4d0f76224b81836bd7 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Thu, 26 Mar 2020 07:59:37 -0700
Subject: [PATCH 043/201] remove commented code

---
 pkg/config/config.go | 21 ---------------------
 1 file changed, 21 deletions(-)

diff --git a/pkg/config/config.go b/pkg/config/config.go
index cfbbc35f62..2d6ccdcb68 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -72,27 +72,6 @@ var (
 	VerifyMutatingWebhookServicePath = "/verifymutate"
 )
 
-// //LogDefaultFlags sets default flags
-// func LogDefaultFlags(log logr.Logger) {
-// 	logger := log.WithName("LogDefaultFlags")
-// 	var err error
-// 	err = flag.Set("logtostderr", "true")
-// 	if err != nil {
-// 		logger.Error(err, "failed to set flag", "flag", "logtostderr", "value", "true")
-// 		os.Exit(1)
-// 	}
-// 	err = flag.Set("stderrthreshold", "WARNING")
-// 	if err != nil {
-// 		logger.Error(err, "failed to set flag", "flag", "stderrthreshold", "value", "WARNING")
-// 		os.Exit(1)
-// 	}
-// 	flag.Set("v", "2")
-// 	if err != nil {
-// 		logger.Error(err, "failed to set flag", "flag", "v", "value", "2")
-// 		os.Exit(1)
-// 	}
-// }
-
 //CreateClientConfig creates client config
 func CreateClientConfig(kubeconfig string, log logr.Logger) (*rest.Config, error) {
 	logger := log.WithName("CreateClientConfig")

From 43a91393037da6d2407e428b3e94b43fecfe5c3b Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Fri, 27 Mar 2020 14:20:58 +0530
Subject: [PATCH 044/201] Fix conflict issue

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 cmd/initContainer/main.go | 21 ---------------------
 pkg/config/config.go      | 19 -------------------
 pkg/policy/apply.go       |  2 +-
 3 files changed, 1 insertion(+), 41 deletions(-)

diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index 358d5779d5..e9e377cb7f 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -102,27 +102,6 @@ func main() {
 	}
 }
 
-<<<<<<< HEAD
-=======
-func init() {
-	// arguments
-	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
-	err := flag.Set("logtostderr", "true")
-	if err != nil {
-		glog.Errorf("failed to set flag %v", err)
-	}
-	err = flag.Set("stderrthreshold", "WARNING")
-	if err != nil {
-		glog.Errorf("failed to set flag %v", err)
-	}
-	err = flag.Set("v", "2")
-	if err != nil {
-		glog.Errorf("failed to set flag %v", err)
-	}
-	flag.Parse()
-}
->>>>>>> 010bc2b43d99e27daf8709baca5b02ac5ca10011
-
 func removeWebhookIfExists(client *client.Client, kind string, name string) error {
 	logger := log.Log.WithName("removeExistingWebhook").WithValues("kind", kind, "name", name)
 	var err error
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 6d3f69a0e1..2d6ccdcb68 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -71,25 +71,6 @@ var (
 	//VerifyMutatingWebhookServicePath is the path for verify webhook(used to veryfing if admission control is enabled and active)
 	VerifyMutatingWebhookServicePath = "/verifymutate"
 )
-<<<<<<< HEAD
-=======
-//LogDefaultFlags sets default glog flags
-func LogDefaultFlags() {
-	var err error
-	err = flag.Set("logtostderr", "true")
-	if err != nil {
-		glog.Fatalf("failed to set flag 'logtostderr' to 'true':%v", err)
-	}
-	err = flag.Set("stderrthreshold", "WARNING")
-	if err != nil {
-		glog.Fatalf("failed to set flag 'stderrthreshold' to 'WARNING':%v", err)
-	}
-	err = flag.Set("v", "2")
-	if err != nil {
-		glog.Fatalf("failed to set flag 'v' to '2':%v", err)
-	}
-}
->>>>>>> 010bc2b43d99e27daf8709baca5b02ac5ca10011
 
 //CreateClientConfig creates client config
 func CreateClientConfig(kubeconfig string, log logr.Logger) (*rest.Config, error) {
diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index 64c1f912ef..ad60ad5d6d 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -34,7 +34,7 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	ctx := context.NewContext()
 	err = ctx.AddResource(transformResource(resource))
 	if err != nil {
-		glog.Errorf("enable to add transform resource to ctx: %v", err)
+		logger.Error(err, "enable to add transform resource to ctx")
 	}
 	//MUTATION
 	engineResponse, err = mutation(policy, resource, ctx, logger)

From c8733065644741bb5ebe54043b7b800c9d0f3458 Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Fri, 27 Mar 2020 14:39:35 +0530
Subject: [PATCH 045/201] Fixed error

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 pkg/engine/mutate/overlayCondition_test.go | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/pkg/engine/mutate/overlayCondition_test.go b/pkg/engine/mutate/overlayCondition_test.go
index 1c8fc2c89e..984af52940 100644
--- a/pkg/engine/mutate/overlayCondition_test.go
+++ b/pkg/engine/mutate/overlayCondition_test.go
@@ -714,25 +714,13 @@ func TestMeetConditions_AtleastOneExist(t *testing.T) {
 
 	var resource, overlay interface{}
 
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
->>>>>>> 010bc2b43d99e27daf8709baca5b02ac5ca10011
 	err := json.Unmarshal(resourceRaw, &resource)
 	assert.NilError(t, err)
 	err = json.Unmarshal(overlayRaw, &overlay)
 	assert.NilError(t, err)
-	path, err := meetConditions(resource, overlay)
-<<<<<<< HEAD
-=======
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
 
 	path, err := meetConditions(log.Log, resource, overlay)
->>>>>>> 589f8ece47f95aedc4ee0decee8d29cb77b73dd6
-=======
 
->>>>>>> 010bc2b43d99e27daf8709baca5b02ac5ca10011
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(path) == 0)
 }

From b725f1ce059a1b736b787dbe180cfe4ad77534dd Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Fri, 27 Mar 2020 15:07:14 +0530
Subject: [PATCH 046/201] Fixed Conflict

---
 pkg/engine/mutate/overlayCondition_test.go | 53 ++++------------------
 1 file changed, 9 insertions(+), 44 deletions(-)

diff --git a/pkg/engine/mutate/overlayCondition_test.go b/pkg/engine/mutate/overlayCondition_test.go
index 984af52940..8da6eefee9 100644
--- a/pkg/engine/mutate/overlayCondition_test.go
+++ b/pkg/engine/mutate/overlayCondition_test.go
@@ -30,8 +30,7 @@ func TestMeetConditions_NoAnchor(t *testing.T) {
 	err := json.Unmarshal(overlayRaw, &overlay)
 	assert.Assert(t, reflect.DeepEqual(err, nil))
 
-
-	_, err := meetConditions(log.Log, nil, overlay)
+	_, err = meetConditions(log.Log, nil, overlay)
 
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
@@ -87,7 +86,7 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
 	err = json.Unmarshal(overlayRaw, &overlay)
 	assert.NilError(t, err)
 
-	_, err := meetConditions(log.Log, resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, !reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`
@@ -150,7 +149,7 @@ func TestMeetConditions_DifferentTypes(t *testing.T) {
 
 	// anchor exist
 
-	_, err := meetConditions(log.Log, resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, strings.Contains(err.Error(), "Found anchor on different types of element at path /subsets/"))
 }
 
@@ -205,8 +204,7 @@ func TestMeetConditions_anchosInSameObject(t *testing.T) {
 	err = json.Unmarshal(overlayRaw, &overlay)
 	assert.NilError(t, err)
 
-
-	_, err := meetConditions(log.Log, resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value 443 with overlay 444")
 }
 
@@ -261,13 +259,12 @@ func TestMeetConditions_anchorOnPeer(t *testing.T) {
 
 	var resource, overlay interface{}
 
-
 	err := json.Unmarshal(resourceRaw, &resource)
 	assert.NilError(t, err)
 	err = json.Unmarshal(overlayRaw, &overlay)
 	assert.NilError(t, err)
 
-	_, err := meetConditions(log.Log, resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
@@ -347,16 +344,8 @@ func TestMeetConditions_anchorsOnMetaAndSpec(t *testing.T) {
 	err = json.Unmarshal(overlayRaw, &overlay)
 	assert.NilError(t, err)
 
-<<<<<<< HEAD
-<<<<<<< HEAD
-	_, err = meetConditions(resource, overlay)
-=======
-	_, err := meetConditions(log.Log, resource, overlay)
->>>>>>> 589f8ece47f95aedc4ee0decee8d29cb77b73dd6
-=======
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 
->>>>>>> 010bc2b43d99e27daf8709baca5b02ac5ca10011
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -439,16 +428,8 @@ func TestMeetConditions_anchorsOnPeer_single(t *testing.T) {
 	err = json.Unmarshal(overlayRaw, &overlay)
 	assert.NilError(t, err)
 
-<<<<<<< HEAD
-<<<<<<< HEAD
-	_, err = meetConditions(resource, overlay)
-=======
-	_, err := meetConditions(log.Log, resource, overlay)
->>>>>>> 589f8ece47f95aedc4ee0decee8d29cb77b73dd6
-=======
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 
->>>>>>> 010bc2b43d99e27daf8709baca5b02ac5ca10011
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -484,16 +465,8 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 	err = json.Unmarshal(overlayRaw, &overlay)
 	assert.NilError(t, err)
 
-<<<<<<< HEAD
-<<<<<<< HEAD
-	_, err = meetConditions(resource, overlay)
-=======
-	_, err := meetConditions(log.Log, resource, overlay)
->>>>>>> 589f8ece47f95aedc4ee0decee8d29cb77b73dd6
-=======
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 
->>>>>>> 010bc2b43d99e27daf8709baca5b02ac5ca10011
 	assert.Error(t, err, "[overlayError:0] Failed validating value true with overlay false")
 
 	overlayRaw = []byte(`{
@@ -589,16 +562,8 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 	err = json.Unmarshal(overlayRaw, &overlay)
 	assert.NilError(t, err)
 
-<<<<<<< HEAD
-<<<<<<< HEAD
-	_, err = meetConditions(resource, overlay)
-=======
-	_, err := meetConditions(log.Log, resource, overlay)
->>>>>>> 589f8ece47f95aedc4ee0decee8d29cb77b73dd6
-=======
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 
->>>>>>> 010bc2b43d99e27daf8709baca5b02ac5ca10011
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{

From 6efe0252a340761362433d70adf4d88541252289 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 27 Mar 2020 19:06:06 +0530
Subject: [PATCH 047/201] 765 save commit

---
 cmd/kyverno/main.go              |   9 +-
 go.sum                           | 658 +++++++++----------------------
 pkg/kyverno/apply/command.go     |  20 +-
 pkg/kyverno/apply/helper.go      |   4 +-
 pkg/kyverno/validate/command.go  |   9 +-
 pkg/openapi/crdSync.go           |  68 ++--
 pkg/openapi/validation.go        |  76 ++--
 pkg/openapi/validation_test.go   |   4 +-
 pkg/policy/validate.go           |   4 +-
 pkg/policy/validate_test.go      |  10 +-
 pkg/webhooks/mutation.go         |   4 +-
 pkg/webhooks/policyvalidation.go |   2 +-
 pkg/webhooks/server.go           |   5 +
 13 files changed, 323 insertions(+), 550 deletions(-)

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index c44308c7b4..82ac6c0c01 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -250,8 +250,14 @@ func main() {
 		os.Exit(1)
 	}
 
+	openAPIController, err := openapi.NewOpenAPIController()
+	if err != nil {
+		setupLog.Error(err, "Failed to create openAPIController")
+		os.Exit(1)
+	}
+
 	// Sync openAPI definitions of resources
-	openApiSync := openapi.NewCRDSync(client)
+	openApiSync := openapi.NewCRDSync(client, openAPIController)
 
 	// WEBHOOOK
 	// - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration
@@ -276,6 +282,7 @@ func main() {
 		rWebhookWatcher,
 		cleanUp,
 		log.Log.WithName("WebhookServer"),
+		openAPIController,
 	)
 	if err != nil {
 		setupLog.Error(err, "Failed to create webhook server")
diff --git a/go.sum b/go.sum
index 9b6fc04130..16a15586cf 100644
--- a/go.sum
+++ b/go.sum
@@ -2,93 +2,90 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.39.0/go.mod h1:rVLT6fkc8chs9sfPtFc1SBH6em7n+ZoXaG+87tDISts=
-cloud.google.com/go v0.41.0/go.mod h1:OauMR7DV8fzvZIl2qg6rkaIhD/vmgk4iwEw/h6ercmg=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 contrib.go.opencensus.io/exporter/ocagent v0.5.0/go.mod h1:ImxhfLRpxoYiSq891pBrLVhN+qmP8BTVvdH2YLs7Gl0=
 git.apache.org/thrift.git v0.12.0/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4=
 github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-autorest v11.7.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
+github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
+github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
 github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
-github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
-github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/purell v1.0.0 h1:0GoNN3taZV6QI81IXgCbxMyEaJDXMSIjArYBCYzVVvs=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2 h1:JCHLVE3B+kJde7bIEo5N4J+ZbLhp0J1Fs+ulyRws4gE=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/Shopify/sarama v1.24.1/go.mod h1:fGP8eQ6PugKEI0iUETYYtnP6d1pH/bdDMTel1X5ajsU=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
-github.com/ajg/form v0.0.0-20160822230020-523a5da1a92f/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
+github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
 github.com/alecthomas/participle v0.2.1/go.mod h1:SW6HZGeZgSIpcUWX3fXpfZhuaWHnmoD5KCVaqSaNTkk=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
+github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.20.21/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.23.19/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-xray-sdk-go v0.9.4/go.mod h1:XtMKdBQfpVut+tJEwI7+dJFRxxRdxHDyVNp2tHXRq04=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
 github.com/bcicen/jstream v0.0.0-20190220045926-16c1f8af81c2/go.mod h1:RDu/qcrnpEdJC/p8tx34+YBFqqX71lB7dOX9QE+ZC4M=
 github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
+github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
-github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cheggaaa/pb v1.0.28/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
-github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575/go.mod h1:9d6lWj8KzO/fd/NrVaLscBKmPigpZpn5YawRPw+e3Yo=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c/go.mod h1:XGLbWH/ujMcbPbhZq52Nv6UrCghb1yGn//133kEsvDk=
-github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
-github.com/codegangsta/negroni v1.0.0/go.mod h1:v0y3T5G7Y1UlFfyxFn/QLRU4a2EuNau2iZY63YTKWo0=
-github.com/containerd/continuity v0.0.0-20181203112020-004b46473808/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/coredns/coredns v1.4.0/go.mod h1:zASH/MVDgR6XZTbxvOnsZfffS+31vg6Ackf/wo1+AM0=
-github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/bbolt v1.3.3/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.12+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
+github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/djherbis/atime v1.0.0/go.mod h1:5W+KBIuTwVGcqjIfaTwt+KSYX1o6uep8dtevevQP/f8=
-github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/dustin/go-humanize v0.0.0-20180713052910-9f541cc9db5d/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
@@ -96,13 +93,16 @@ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/eclipse/paho.mqtt.golang v1.2.0/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts=
 github.com/elazarl/go-bindata-assetfs v1.0.0/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
-github.com/elazarl/goproxy v0.0.0-20181003060214-f58a169a71a5/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633 h1:H2pdYOb3KQ1/YsqVWoWNLQO+fusocsw354rqGTZtAgw=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
+github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fatih/structs v1.0.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/fortytw2/leaktest v1.2.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
@@ -113,209 +113,84 @@ github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2H
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 h1:Mn26/9ZMNWSw9C9ERFA1PUxfmGpolnw2v0bKOREu5ew=
 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
-github.com/go-bindata/go-bindata v3.1.1+incompatible/go.mod h1:xK8Dsgwmeed+BBsSy2XTopBn/8uK2HWuGSnA11C3Joo=
+github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
+github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logr/logr v0.1.0 h1:M1Tv3VzNlEHg6uyACnRdtrploV2P7wZqH8BoQMtz0cg=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
+github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
+github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
+github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
+github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
+github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
+github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
+github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
+github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1 h1:wSt/4CYxs70xbATrGXhokKF1i0tZjENLOo1ioIO13zk=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
+github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
+github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
+github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9 h1:tF+augKRWlWx0J0B7ZyyKSiTyV6E1zZe+7b3qQlcEf8=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
+github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
+github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
+github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o=
+github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
+github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs=
+github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk=
+github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
+github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64=
+github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501 h1:C1JKChikHGpXwT5UQDFaryIpDtyyGL/CR6C2kB7F1oc=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
+github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
+github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
+github.com/go-openapi/spec v0.19.3 h1:0XRyw8kguri6Yw4SxhsQA/atC88yqrk0+G4YhI2wabc=
+github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
+github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
+github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
+github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY=
+github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87 h1:zP3nY8Tk2E6RTkqGYrarZXuzh+ffyLDljLxCy1iJw80=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
+github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
+github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
+github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
+github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
+github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
-github.com/gobuffalo/buffalo v0.12.8-0.20181004233540-fac9bb505aa8/go.mod h1:sLyT7/dceRXJUxSsE813JTQtA3Eb1vjxWfo/N//vXIY=
-github.com/gobuffalo/buffalo v0.13.0/go.mod h1:Mjn1Ba9wpIbpbrD+lIDMy99pQ0H0LiddMIIDGse7qT4=
-github.com/gobuffalo/buffalo-plugins v1.0.2/go.mod h1:pOp/uF7X3IShFHyobahTkTLZaeUXwb0GrUTb9ngJWTs=
-github.com/gobuffalo/buffalo-plugins v1.0.4/go.mod h1:pWS1vjtQ6uD17MVFWf7i3zfThrEKWlI5+PYLw/NaDB4=
-github.com/gobuffalo/buffalo-plugins v1.4.3/go.mod h1:uCzTY0woez4nDMdQjkcOYKanngeUVRO2HZi7ezmAjWY=
-github.com/gobuffalo/buffalo-plugins v1.5.1/go.mod h1:jbmwSZK5+PiAP9cC09VQOrGMZFCa/P0UMlIS3O12r5w=
-github.com/gobuffalo/buffalo-plugins v1.6.4/go.mod h1:/+N1aophkA2jZ1ifB2O3Y9yGwu6gKOVMtUmJnbg+OZI=
-github.com/gobuffalo/buffalo-plugins v1.6.5/go.mod h1:0HVkbgrVs/MnPZ/FOseDMVanCTm2RNcdM0PuXcL1NNI=
-github.com/gobuffalo/buffalo-plugins v1.6.7/go.mod h1:ZGZRkzz2PiKWHs0z7QsPBOTo2EpcGRArMEym6ghKYgk=
-github.com/gobuffalo/buffalo-plugins v1.6.9/go.mod h1:yYlYTrPdMCz+6/+UaXg5Jm4gN3xhsvsQ2ygVatZV5vw=
-github.com/gobuffalo/buffalo-plugins v1.6.11/go.mod h1:eAA6xJIL8OuynJZ8amXjRmHND6YiusVAaJdHDN1Lu8Q=
-github.com/gobuffalo/buffalo-plugins v1.8.2/go.mod h1:9te6/VjEQ7pKp7lXlDIMqzxgGpjlKoAcAANdCgoR960=
-github.com/gobuffalo/buffalo-plugins v1.8.3/go.mod h1:IAWq6vjZJVXebIq2qGTLOdlXzmpyTZ5iJG5b59fza5U=
-github.com/gobuffalo/buffalo-plugins v1.9.4/go.mod h1:grCV6DGsQlVzQwk6XdgcL3ZPgLm9BVxlBmXPMF8oBHI=
-github.com/gobuffalo/buffalo-plugins v1.10.0/go.mod h1:4osg8d9s60txLuGwXnqH+RCjPHj9K466cDFRl3PErHI=
-github.com/gobuffalo/buffalo-plugins v1.11.0/go.mod h1:rtIvAYRjYibgmWhnjKmo7OadtnxuMG5ZQLr25ozAzjg=
-github.com/gobuffalo/buffalo-pop v1.0.5/go.mod h1:Fw/LfFDnSmB/vvQXPvcXEjzP98Tc+AudyNWUBWKCwQ8=
-github.com/gobuffalo/envy v1.6.4/go.mod h1:Abh+Jfw475/NWtYMEt+hnJWRiC8INKWibIMyNt1w2Mc=
-github.com/gobuffalo/envy v1.6.5/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ=
-github.com/gobuffalo/envy v1.6.6/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ=
-github.com/gobuffalo/envy v1.6.7/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ=
-github.com/gobuffalo/envy v1.6.8/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ=
-github.com/gobuffalo/envy v1.6.9/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ=
-github.com/gobuffalo/envy v1.6.10/go.mod h1:X0CFllQjTV5ogsnUrg+Oks2yTI+PU2dGYBJOEI2D1Uo=
-github.com/gobuffalo/envy v1.6.11/go.mod h1:Fiq52W7nrHGDggFPhn2ZCcHw4u/rqXkqo+i7FB6EAcg=
-github.com/gobuffalo/envy v1.6.12/go.mod h1:qJNrJhKkZpEW0glh5xP2syQHH5kgdmgsKss2Kk8PTP0=
-github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
-github.com/gobuffalo/events v1.0.3/go.mod h1:Txo8WmqScapa7zimEQIwgiJBvMECMe9gJjsKNPN3uZw=
-github.com/gobuffalo/events v1.0.7/go.mod h1:z8txf6H9jWhQ5Scr7YPLWg/cgXBRj8Q4uYI+rsVCCSQ=
-github.com/gobuffalo/events v1.0.8/go.mod h1:A5KyqT1sA+3GJiBE4QKZibse9mtOcI9nw8gGrDdqYGs=
-github.com/gobuffalo/events v1.1.3/go.mod h1:9yPGWYv11GENtzrIRApwQRMYSbUgCsZ1w6R503fCfrk=
-github.com/gobuffalo/events v1.1.4/go.mod h1:09/YRRgZHEOts5Isov+g9X2xajxdvOAcUuAHIX/O//A=
-github.com/gobuffalo/events v1.1.5/go.mod h1:3YUSzgHfYctSjEjLCWbkXP6djH2M+MLaVRzb4ymbAK0=
-github.com/gobuffalo/events v1.1.7/go.mod h1:6fGqxH2ing5XMb3EYRq9LEkVlyPGs4oO/eLzh+S8CxY=
-github.com/gobuffalo/events v1.1.8/go.mod h1:UFy+W6X6VbCWS8k2iT81HYX65dMtiuVycMy04cplt/8=
-github.com/gobuffalo/events v1.1.9/go.mod h1:/0nf8lMtP5TkgNbzYxR6Bl4GzBy5s5TebgNTdRfRbPM=
-github.com/gobuffalo/fizz v1.0.12/go.mod h1:C0sltPxpYK8Ftvf64kbsQa2yiCZY4RZviurNxXdAKwc=
-github.com/gobuffalo/flect v0.0.0-20180907193754-dc14d8acaf9f/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA=
-github.com/gobuffalo/flect v0.0.0-20181002182613-4571df4b1daf/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA=
-github.com/gobuffalo/flect v0.0.0-20181007231023-ae7ed6bfe683/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA=
-github.com/gobuffalo/flect v0.0.0-20181018182602-fd24a256709f/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA=
-github.com/gobuffalo/flect v0.0.0-20181019110701-3d6f0b585514/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA=
-github.com/gobuffalo/flect v0.0.0-20181024204909-8f6be1a8c6c2/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA=
-github.com/gobuffalo/flect v0.0.0-20181104133451-1f6e9779237a/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA=
-github.com/gobuffalo/flect v0.0.0-20181114183036-47375f6d8328/go.mod h1:0HvNbHdfh+WOvDSIASqJOSxTOWSxCCUF++k/Y53v9rI=
-github.com/gobuffalo/flect v0.0.0-20181210151238-24a2b68e0316/go.mod h1:en58vff74S9b99Eg42Dr+/9yPu437QjlNsO/hBYPuOk=
-github.com/gobuffalo/flect v0.0.0-20190104192022-4af577e09bf2/go.mod h1:en58vff74S9b99Eg42Dr+/9yPu437QjlNsO/hBYPuOk=
-github.com/gobuffalo/flect v0.0.0-20190117212819-a62e61d96794/go.mod h1:397QT6v05LkZkn07oJXXT6y9FCfwC8Pug0WA2/2mE9k=
-github.com/gobuffalo/genny v0.0.0-20180924032338-7af3a40f2252/go.mod h1:tUTQOogrr7tAQnhajMSH6rv1BVev34H2sa1xNHMy94g=
-github.com/gobuffalo/genny v0.0.0-20181003150629-3786a0744c5d/go.mod h1:WAd8HmjMVrnkAZbmfgH5dLBUchsZfqzp/WS5sQz+uTM=
-github.com/gobuffalo/genny v0.0.0-20181005145118-318a41a134cc/go.mod h1:WAd8HmjMVrnkAZbmfgH5dLBUchsZfqzp/WS5sQz+uTM=
-github.com/gobuffalo/genny v0.0.0-20181007153042-b8de7d566757/go.mod h1:+oG5Ljrw04czAHbPXREwaFojJbpUvcIy4DiOnbEJFTA=
-github.com/gobuffalo/genny v0.0.0-20181012161047-33e5f43d83a6/go.mod h1:+oG5Ljrw04czAHbPXREwaFojJbpUvcIy4DiOnbEJFTA=
-github.com/gobuffalo/genny v0.0.0-20181017160347-90a774534246/go.mod h1:+oG5Ljrw04czAHbPXREwaFojJbpUvcIy4DiOnbEJFTA=
-github.com/gobuffalo/genny v0.0.0-20181024195656-51392254bf53/go.mod h1:o9GEH5gn5sCKLVB5rHFC4tq40rQ3VRUzmx6WwmaqISE=
-github.com/gobuffalo/genny v0.0.0-20181025145300-af3f81d526b8/go.mod h1:uZ1fFYvdcP8mu0B/Ynarf6dsGvp7QFIpk/QACUuFUVI=
-github.com/gobuffalo/genny v0.0.0-20181027191429-94d6cfb5c7fc/go.mod h1:x7SkrQQBx204Y+O9EwRXeszLJDTaWN0GnEasxgLrQTA=
-github.com/gobuffalo/genny v0.0.0-20181027195209-3887b7171c4f/go.mod h1:JbKx8HSWICu5zyqWOa0dVV1pbbXOHusrSzQUprW6g+w=
-github.com/gobuffalo/genny v0.0.0-20181106193839-7dcb0924caf1/go.mod h1:x61yHxvbDCgQ/7cOAbJCacZQuHgB0KMSzoYcw5debjU=
-github.com/gobuffalo/genny v0.0.0-20181107223128-f18346459dbe/go.mod h1:utQD3aKKEsdb03oR+Vi/6ztQb1j7pO10N3OBoowRcSU=
-github.com/gobuffalo/genny v0.0.0-20181114215459-0a4decd77f5d/go.mod h1:kN2KZ8VgXF9VIIOj/GM0Eo7YK+un4Q3tTreKOf0q1ng=
-github.com/gobuffalo/genny v0.0.0-20181119162812-e8ff4adce8bb/go.mod h1:BA9htSe4bZwBDJLe8CUkoqkypq3hn3+CkoHqVOW718E=
-github.com/gobuffalo/genny v0.0.0-20181127225641-2d959acc795b/go.mod h1:l54xLXNkteX/PdZ+HlgPk1qtcrgeOr3XUBBPDbH+7CQ=
-github.com/gobuffalo/genny v0.0.0-20181128191930-77e34f71ba2a/go.mod h1:FW/D9p7cEEOqxYA71/hnrkOWm62JZ5ZNxcNIVJEaWBU=
-github.com/gobuffalo/genny v0.0.0-20181203165245-fda8bcce96b1/go.mod h1:wpNSANu9UErftfiaAlz1pDZclrYzLtO5lALifODyjuM=
-github.com/gobuffalo/genny v0.0.0-20181203201232-849d2c9534ea/go.mod h1:wpNSANu9UErftfiaAlz1pDZclrYzLtO5lALifODyjuM=
-github.com/gobuffalo/genny v0.0.0-20181206121324-d6fb8a0dbe36/go.mod h1:wpNSANu9UErftfiaAlz1pDZclrYzLtO5lALifODyjuM=
-github.com/gobuffalo/genny v0.0.0-20181207164119-84844398a37d/go.mod h1:y0ysCHGGQf2T3vOhCrGHheYN54Y/REj0ayd0Suf4C/8=
-github.com/gobuffalo/genny v0.0.0-20181211165820-e26c8466f14d/go.mod h1:sHnK+ZSU4e2feXP3PA29ouij6PUEiN+RCwECjCTB3yM=
-github.com/gobuffalo/genny v0.0.0-20190104222617-a71664fc38e7/go.mod h1:QPsQ1FnhEsiU8f+O0qKWXz2RE4TiDqLVChWkBuh1WaY=
-github.com/gobuffalo/genny v0.0.0-20190112155932-f31a84fcacf5/go.mod h1:CIaHCrSIuJ4il6ka3Hub4DR4adDrGoXGEEt2FbBxoIo=
-github.com/gobuffalo/github_flavored_markdown v1.0.4/go.mod h1:uRowCdK+q8d/RF0Kt3/DSalaIXbb0De/dmTqMQdkQ4I=
-github.com/gobuffalo/github_flavored_markdown v1.0.5/go.mod h1:U0643QShPF+OF2tJvYNiYDLDGDuQmJZXsf/bHOJPsMY=
-github.com/gobuffalo/github_flavored_markdown v1.0.7/go.mod h1:w93Pd9Lz6LvyQXEG6DktTPHkOtCbr+arAD5mkwMzXLI=
-github.com/gobuffalo/httptest v1.0.2/go.mod h1:7T1IbSrg60ankme0aDLVnEY0h056g9M1/ZvpVThtB7E=
-github.com/gobuffalo/licenser v0.0.0-20180924033006-eae28e638a42/go.mod h1:Ubo90Np8gpsSZqNScZZkVXXAo5DGhTb+WYFIjlnog8w=
-github.com/gobuffalo/licenser v0.0.0-20181025145548-437d89de4f75/go.mod h1:x3lEpYxkRG/XtGCUNkio+6RZ/dlOvLzTI9M1auIwFcw=
-github.com/gobuffalo/licenser v0.0.0-20181027200154-58051a75da95/go.mod h1:BzhaaxGd1tq1+OLKObzgdCV9kqVhbTulxOpYbvMQWS0=
-github.com/gobuffalo/licenser v0.0.0-20181109171355-91a2a7aac9a7/go.mod h1:m+Ygox92pi9bdg+gVaycvqE8RVSjZp7mWw75+K5NPHk=
-github.com/gobuffalo/licenser v0.0.0-20181128165715-cc7305f8abed/go.mod h1:oU9F9UCE+AzI/MueCKZamsezGOOHfSirltllOVeRTAE=
-github.com/gobuffalo/licenser v0.0.0-20181203160806-fe900bbede07/go.mod h1:ph6VDNvOzt1CdfaWC+9XwcBnlSTBz2j49PBwum6RFaU=
-github.com/gobuffalo/licenser v0.0.0-20181211173111-f8a311c51159/go.mod h1:ve/Ue99DRuvnTaLq2zKa6F4KtHiYf7W046tDjuGYPfM=
-github.com/gobuffalo/logger v0.0.0-20181022175615-46cfb361fc27/go.mod h1:8sQkgyhWipz1mIctHF4jTxmJh1Vxhp7mP8IqbljgJZo=
-github.com/gobuffalo/logger v0.0.0-20181027144941-73d08d2bb969/go.mod h1:7uGg2duHKpWnN4+YmyKBdLXfhopkAdVM6H3nKbyFbz8=
-github.com/gobuffalo/logger v0.0.0-20181027193913-9cf4dd0efe46/go.mod h1:7uGg2duHKpWnN4+YmyKBdLXfhopkAdVM6H3nKbyFbz8=
-github.com/gobuffalo/logger v0.0.0-20181109185836-3feeab578c17/go.mod h1:oNErH0xLe+utO+OW8ptXMSA5DkiSEDW1u3zGIt8F9Ew=
-github.com/gobuffalo/logger v0.0.0-20181117211126-8e9b89b7c264/go.mod h1:5etB91IE0uBlw9k756fVKZJdS+7M7ejVhmpXXiSFj0I=
-github.com/gobuffalo/logger v0.0.0-20181127160119-5b956e21995c/go.mod h1:+HxKANrR9VGw9yN3aOAppJKvhO05ctDi63w4mDnKv2U=
-github.com/gobuffalo/makr v1.1.5/go.mod h1:Y+o0btAH1kYAMDJW/TX3+oAXEu0bmSLLoC9mIFxtzOw=
-github.com/gobuffalo/mapi v1.0.0/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc=
-github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc=
-github.com/gobuffalo/meta v0.0.0-20181018155829-df62557efcd3/go.mod h1:XTTOhwMNryif3x9LkTTBO/Llrveezd71u3quLd0u7CM=
-github.com/gobuffalo/meta v0.0.0-20181018192820-8c6cef77dab3/go.mod h1:E94EPzx9NERGCY69UWlcj6Hipf2uK/vnfrF4QD0plVE=
-github.com/gobuffalo/meta v0.0.0-20181025145500-3a985a084b0a/go.mod h1:YDAKBud2FP7NZdruCSlmTmDOZbVSa6bpK7LJ/A/nlKg=
-github.com/gobuffalo/meta v0.0.0-20181114191255-b130ebedd2f7/go.mod h1:K6cRZ29ozr4Btvsqkjvg5nDFTLOgTqf03KA70Ks0ypE=
-github.com/gobuffalo/meta v0.0.0-20181127070345-0d7e59dd540b/go.mod h1:RLO7tMvE0IAKAM8wny1aN12pvEKn7EtkBLkUZR00Qf8=
-github.com/gobuffalo/meta v0.0.0-20190120163247-50bbb1fa260d/go.mod h1:KKsH44nIK2gA8p0PJmRT9GvWJUdphkDUA8AJEvFWiqM=
-github.com/gobuffalo/mw-basicauth v1.0.3/go.mod h1:dg7+ilMZOKnQFHDefUzUHufNyTswVUviCBgF244C1+0=
-github.com/gobuffalo/mw-contenttype v0.0.0-20180802152300-74f5a47f4d56/go.mod h1:7EvcmzBbeCvFtQm5GqF9ys6QnCxz2UM1x0moiWLq1No=
-github.com/gobuffalo/mw-csrf v0.0.0-20180802151833-446ff26e108b/go.mod h1:sbGtb8DmDZuDUQoxjr8hG1ZbLtZboD9xsn6p77ppcHo=
-github.com/gobuffalo/mw-forcessl v0.0.0-20180802152810-73921ae7a130/go.mod h1:JvNHRj7bYNAMUr/5XMkZaDcw3jZhUZpsmzhd//FFWmQ=
-github.com/gobuffalo/mw-i18n v0.0.0-20180802152014-e3060b7e13d6/go.mod h1:91AQfukc52A6hdfIfkxzyr+kpVYDodgAeT5cjX1UIj4=
-github.com/gobuffalo/mw-paramlogger v0.0.0-20181005191442-d6ee392ec72e/go.mod h1:6OJr6VwSzgJMqWMj7TYmRUqzNe2LXu/W1rRW4MAz/ME=
-github.com/gobuffalo/mw-tokenauth v0.0.0-20181001105134-8545f626c189/go.mod h1:UqBF00IfKvd39ni5+yI5MLMjAf4gX7cDKN/26zDOD6c=
-github.com/gobuffalo/packd v0.0.0-20181027182251-01ad393492c8/go.mod h1:SmdBdhj6uhOsg1Ui4SFAyrhuc7U4VCildosO5IDJ3lc=
-github.com/gobuffalo/packd v0.0.0-20181027190505-aafc0d02c411/go.mod h1:SmdBdhj6uhOsg1Ui4SFAyrhuc7U4VCildosO5IDJ3lc=
-github.com/gobuffalo/packd v0.0.0-20181027194105-7ae579e6d213/go.mod h1:SmdBdhj6uhOsg1Ui4SFAyrhuc7U4VCildosO5IDJ3lc=
-github.com/gobuffalo/packd v0.0.0-20181031195726-c82734870264/go.mod h1:Yf2toFaISlyQrr5TfO3h6DB9pl9mZRmyvBGQb/aQ/pI=
-github.com/gobuffalo/packd v0.0.0-20181104210303-d376b15f8e96/go.mod h1:Yf2toFaISlyQrr5TfO3h6DB9pl9mZRmyvBGQb/aQ/pI=
-github.com/gobuffalo/packd v0.0.0-20181111195323-b2e760a5f0ff/go.mod h1:Yf2toFaISlyQrr5TfO3h6DB9pl9mZRmyvBGQb/aQ/pI=
-github.com/gobuffalo/packd v0.0.0-20181114190715-f25c5d2471d7/go.mod h1:Yf2toFaISlyQrr5TfO3h6DB9pl9mZRmyvBGQb/aQ/pI=
-github.com/gobuffalo/packd v0.0.0-20181124090624-311c6248e5fb/go.mod h1:Foenia9ZvITEvG05ab6XpiD5EfBHPL8A6hush8SJ0o8=
-github.com/gobuffalo/packd v0.0.0-20181207120301-c49825f8f6f4/go.mod h1:LYc0TGKFBBFTRC9dg2pcRcMqGCTMD7T2BIMP7OBuQAA=
-github.com/gobuffalo/packd v0.0.0-20181212173646-eca3b8fd6687/go.mod h1:LYc0TGKFBBFTRC9dg2pcRcMqGCTMD7T2BIMP7OBuQAA=
-github.com/gobuffalo/packr v1.13.7/go.mod h1:KkinLIn/n6+3tVXMwg6KkNvWwVsrRAz4ph+jgpk3Z24=
-github.com/gobuffalo/packr v1.15.0/go.mod h1:t5gXzEhIviQwVlNx/+3SfS07GS+cZ2hn76WLzPp6MGI=
-github.com/gobuffalo/packr v1.15.1/go.mod h1:IeqicJ7jm8182yrVmNbM6PR4g79SjN9tZLH8KduZZwE=
-github.com/gobuffalo/packr v1.19.0/go.mod h1:MstrNkfCQhd5o+Ct4IJ0skWlxN8emOq8DsoT1G98VIU=
-github.com/gobuffalo/packr v1.20.0/go.mod h1:JDytk1t2gP+my1ig7iI4NcVaXr886+N0ecUga6884zw=
-github.com/gobuffalo/packr v1.21.0/go.mod h1:H00jGfj1qFKxscFJSw8wcL4hpQtPe1PfU2wa6sg/SR0=
-github.com/gobuffalo/packr v1.22.0/go.mod h1:Qr3Wtxr3+HuQEwWqlLnNW4t1oTvK+7Gc/Rnoi/lDFvA=
-github.com/gobuffalo/packr/v2 v2.0.0-rc.8/go.mod h1:y60QCdzwuMwO2R49fdQhsjCPv7tLQFR0ayzxxla9zes=
-github.com/gobuffalo/packr/v2 v2.0.0-rc.9/go.mod h1:fQqADRfZpEsgkc7c/K7aMew3n4aF1Kji7+lIZeR98Fc=
-github.com/gobuffalo/packr/v2 v2.0.0-rc.10/go.mod h1:4CWWn4I5T3v4c1OsJ55HbHlUEKNWMITG5iIkdr4Px4w=
-github.com/gobuffalo/packr/v2 v2.0.0-rc.11/go.mod h1:JoieH/3h3U4UmatmV93QmqyPUdf4wVM9HELaHEu+3fk=
-github.com/gobuffalo/packr/v2 v2.0.0-rc.12/go.mod h1:FV1zZTsVFi1DSCboO36Xgs4pzCZBjB/tDV9Cz/lSaR8=
-github.com/gobuffalo/packr/v2 v2.0.0-rc.13/go.mod h1:2Mp7GhBFMdJlOK8vGfl7SYtfMP3+5roE39ejlfjw0rA=
-github.com/gobuffalo/packr/v2 v2.0.0-rc.14/go.mod h1:06otbrNvDKO1eNQ3b8hst+1010UooI2MFg+B2Ze4MV8=
-github.com/gobuffalo/packr/v2 v2.0.0-rc.15/go.mod h1:IMe7H2nJvcKXSF90y4X1rjYIRlNMJYCxEhssBXNZwWs=
-github.com/gobuffalo/plush v3.7.16+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI=
-github.com/gobuffalo/plush v3.7.20+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI=
-github.com/gobuffalo/plush v3.7.21+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI=
-github.com/gobuffalo/plush v3.7.22+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI=
-github.com/gobuffalo/plush v3.7.23+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI=
-github.com/gobuffalo/plush v3.7.30+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI=
-github.com/gobuffalo/plush v3.7.31+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI=
-github.com/gobuffalo/plush v3.7.32+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI=
-github.com/gobuffalo/plushgen v0.0.0-20181128164830-d29dcb966cb2/go.mod h1:r9QwptTFnuvSaSRjpSp4S2/4e2D3tJhARYbvEBcKSb4=
-github.com/gobuffalo/plushgen v0.0.0-20181203163832-9fc4964505c2/go.mod h1:opEdT33AA2HdrIwK1aibqnTJDVVKXC02Bar/GT1YRVs=
-github.com/gobuffalo/plushgen v0.0.0-20181207152837-eedb135bd51b/go.mod h1:Lcw7HQbEVm09sAQrCLzIxuhFbB3nAgp4c55E+UlynR0=
-github.com/gobuffalo/plushgen v0.0.0-20190104222512-177cd2b872b3/go.mod h1:tYxCozi8X62bpZyKXYHw1ncx2ZtT2nFvG42kuLwYjoc=
-github.com/gobuffalo/pop v4.8.2+incompatible/go.mod h1:DwBz3SD5SsHpTZiTubcsFWcVDpJWGsxjVjMPnkiThWg=
-github.com/gobuffalo/pop v4.8.3+incompatible/go.mod h1:DwBz3SD5SsHpTZiTubcsFWcVDpJWGsxjVjMPnkiThWg=
-github.com/gobuffalo/pop v4.8.4+incompatible/go.mod h1:DwBz3SD5SsHpTZiTubcsFWcVDpJWGsxjVjMPnkiThWg=
-github.com/gobuffalo/release v1.0.35/go.mod h1:VtHFAKs61vO3wboCec5xr9JPTjYyWYcvaM3lclkc4x4=
-github.com/gobuffalo/release v1.0.38/go.mod h1:VtHFAKs61vO3wboCec5xr9JPTjYyWYcvaM3lclkc4x4=
-github.com/gobuffalo/release v1.0.42/go.mod h1:RPs7EtafH4oylgetOJpGP0yCZZUiO4vqHfTHJjSdpug=
-github.com/gobuffalo/release v1.0.52/go.mod h1:RPs7EtafH4oylgetOJpGP0yCZZUiO4vqHfTHJjSdpug=
-github.com/gobuffalo/release v1.0.53/go.mod h1:FdF257nd8rqhNaqtDWFGhxdJ/Ig4J7VcS3KL7n/a+aA=
-github.com/gobuffalo/release v1.0.54/go.mod h1:Pe5/RxRa/BE8whDpGfRqSI7D1a0evGK1T4JDm339tJc=
-github.com/gobuffalo/release v1.0.61/go.mod h1:mfIO38ujUNVDlBziIYqXquYfBF+8FDHUjKZgYC1Hj24=
-github.com/gobuffalo/release v1.0.72/go.mod h1:NP5NXgg/IX3M5XmHmWR99D687/3Dt9qZtTK/Lbwc1hU=
-github.com/gobuffalo/release v1.1.1/go.mod h1:Sluak1Xd6kcp6snkluR1jeXAogdJZpFFRzTYRs/2uwg=
-github.com/gobuffalo/release v1.1.3/go.mod h1:CuXc5/m+4zuq8idoDt1l4va0AXAn/OSs08uHOfMVr8E=
-github.com/gobuffalo/release v1.1.6/go.mod h1:18naWa3kBsqO0cItXZNJuefCKOENpbbUIqRL1g+p6z0=
-github.com/gobuffalo/shoulders v1.0.1/go.mod h1:V33CcVmaQ4gRUmHKwq1fiTXuf8Gp/qjQBUL5tHPmvbA=
-github.com/gobuffalo/syncx v0.0.0-20181120191700-98333ab04150/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
-github.com/gobuffalo/syncx v0.0.0-20181120194010-558ac7de985f/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
-github.com/gobuffalo/tags v2.0.11+incompatible/go.mod h1:9XmhOkyaB7UzvuY4UoZO4s67q8/xRMVJEaakauVQYeY=
-github.com/gobuffalo/tags v2.0.14+incompatible/go.mod h1:9XmhOkyaB7UzvuY4UoZO4s67q8/xRMVJEaakauVQYeY=
-github.com/gobuffalo/tags v2.0.15+incompatible/go.mod h1:9XmhOkyaB7UzvuY4UoZO4s67q8/xRMVJEaakauVQYeY=
-github.com/gobuffalo/uuid v2.0.3+incompatible/go.mod h1:ErhIzkRhm0FtRuiE/PeORqcw4cVi1RtSpnwYrxuvkfE=
-github.com/gobuffalo/uuid v2.0.4+incompatible/go.mod h1:ErhIzkRhm0FtRuiE/PeORqcw4cVi1RtSpnwYrxuvkfE=
-github.com/gobuffalo/uuid v2.0.5+incompatible/go.mod h1:ErhIzkRhm0FtRuiE/PeORqcw4cVi1RtSpnwYrxuvkfE=
-github.com/gobuffalo/validate v2.0.3+incompatible/go.mod h1:N+EtDe0J8252BgfzQUChBgfd6L93m9weay53EWFVsMM=
-github.com/gobuffalo/x v0.0.0-20181003152136-452098b06085/go.mod h1:WevpGD+5YOreDJznWevcn8NTmQEW5STSBgIkpkjzqXc=
-github.com/gobuffalo/x v0.0.0-20181007152206-913e47c59ca7/go.mod h1:9rDPXaB3kXdKWzMc4odGQQdG2e2DIEmANy5aSJ9yesY=
-github.com/gofrs/uuid v3.1.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/golang/gddo v0.0.0-20180828051604-96d2a289f41e/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4=
-github.com/golang/gddo v0.0.0-20190904175337-72a348e765d2/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -333,41 +208,34 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.0 h1:Jf4mxPC/ziBnoPIdpQdPJ9OeiomAUHLvxmPRSPH9m4s=
-github.com/google/uuid v1.1.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
 github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk=
 github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
-github.com/gopherjs/gopherjs v0.0.0-20181004151105-1babbf986f6f/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20190328170749-bb2674552d8f/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/handlers v1.4.0/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
-github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1/go.mod h1:YeAe0gNeiNT5hoiZRI4yiOky6jVdNvfO2N6Kav/HmxY=
 github.com/gorilla/rpc v1.2.0/go.mod h1:V4h9r+4sF5HnzqbwIez0fKSpANP0zlYd3qR7p36jkTQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.1.2/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
-github.com/gorilla/sessions v1.1.3/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
+github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
-github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
-github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
@@ -398,34 +266,29 @@ github.com/hashicorp/vault/api v1.0.4/go.mod h1:gDcqh3WGcR1cpF5AJz/B1UFheUEneMoI
 github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
+github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/jackc/fake v0.0.0-20150926172116-812a484cc733/go.mod h1:WrMFNQdiFJ80sQsxDoMokWK1W5TQtxBFNpzWTD84ibQ=
-github.com/jackc/pgx v3.2.0+incompatible/go.mod h1:0ZGrqGqkRlliWnWB4zKnWtjbSWbGkVEFm4TeybAXq+I=
 github.com/jcmturner/gofork v0.0.0-20190328161633-dc7c13fece03/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmoiron/sqlx v0.0.0-20180614180643-0dae4fefe7c0/go.mod h1:IiEW3SEiiErVyFdH8NTuWjSifiEQKUoyK3LNqr2kCHU=
-github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
-github.com/joho/godotenv v1.2.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
-github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.9 h1:9yzud/Ht36ygwatGx56VwCZtlI/2AD15T1X2sjSuGns=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jtolds/gls v4.2.1+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/karrick/godirwalk v1.7.5/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34=
-github.com/karrick/godirwalk v1.7.7/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34=
-github.com/karrick/godirwalk v1.7.8/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34=
-github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -436,45 +299,28 @@ github.com/klauspost/cpuid v1.2.2/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgo
 github.com/klauspost/pgzip v1.2.1/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/klauspost/readahead v1.3.1/go.mod h1:AH9juHzNH7xqdqFHrMRSHeH2Ps+vFf+kblDqzPFiLJg=
 github.com/klauspost/reedsolomon v1.9.3/go.mod h1:CwCi+NUr9pqSVktrkN+Ondf06rkhYZ/pcNv7fu+8Un4=
-github.com/konsorten/go-windows-terminal-sequences v0.0.0-20180402223658-b729f2633dfe/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kurin/blazer v0.5.4-0.20190613185654-cf2f27cc0be3/go.mod h1:4FCXMUWo9DllR2Do4TtBd377ezyAJ51vB5uTBjt0pGU=
-github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/luna-duclos/instrumentedsql v1.1.2/go.mod h1:4LGbEqDnopzNAiyxPPDXhLspyunZxgPTMJBKtC6U0BQ=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4=
-github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20180730094502-03f2033d19d5 h1:0x4qcEHDpruK6ML/m/YSlFUUu0UpRD3I2PHsNCuGnyA=
 github.com/mailru/easyjson v0.0.0-20180730094502-03f2033d19d5/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/markbates/deplist v1.0.4/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
-github.com/markbates/deplist v1.0.5/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
-github.com/markbates/going v1.0.2/go.mod h1:UWCk3zm0UKefHZ7l8BNqi26UyiEMniznk8naLdTcy6c=
-github.com/markbates/grift v1.0.4/go.mod h1:wbmtW74veyx+cgfwFhlnnMWqhoz55rnHR47oMXzsyVs=
-github.com/markbates/hmax v1.0.0/go.mod h1:cOkR9dktiESxIMu+65oc/r/bdY4bE8zZw3OLhLx0X2c=
-github.com/markbates/inflect v1.0.0/go.mod h1:oTeZL2KHA7CUX6X+fovmK9OvIOFuqu0TwdQrZjLTh88=
-github.com/markbates/inflect v1.0.1/go.mod h1:uv3UVNBe5qBIfCm8O8Q+DW+S1EopeyINj+Ikhc7rnCk=
-github.com/markbates/inflect v1.0.3/go.mod h1:1fR9+pO2KHEO9ZRtto13gDwwZaAKstQzferVeWqbgNs=
-github.com/markbates/inflect v1.0.4/go.mod h1:1fR9+pO2KHEO9ZRtto13gDwwZaAKstQzferVeWqbgNs=
-github.com/markbates/oncer v0.0.0-20180924031910-e862a676800b/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
-github.com/markbates/oncer v0.0.0-20180924034138-723ad0170a46/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
-github.com/markbates/oncer v0.0.0-20181014194634-05fccaae8fc4/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
-github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
-github.com/markbates/refresh v1.4.10/go.mod h1:NDPHvotuZmTmesXxr95C9bjlw1/0frJwtME2dzcVKhc=
-github.com/markbates/safe v1.0.0/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
-github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
-github.com/markbates/sigtx v1.0.0/go.mod h1:QF1Hv6Ic6Ca6W+T+DL0Y/ypborFKyvUY9HmuCD4VeTc=
-github.com/markbates/willie v1.0.9/go.mod h1:fsrFVWl91+gXpx/6dv715j7i11fYPfZ9ZGfH0DQzY7w=
+github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
+github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc=
@@ -483,14 +329,9 @@ github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
-github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
-github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
-github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
-github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc=
 github.com/miekg/dns v1.1.8/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/minio/cli v1.22.0/go.mod h1:bYxnK0uS629N3Bq+AOZZ+6lwF77Sodk4+UL9vNuXhOY=
 github.com/minio/gokrb5/v7 v7.2.5/go.mod h1:z6fE6twrvMN004M+KRTHnmtfpxsBIztP0PVsak0/4f8=
@@ -505,12 +346,10 @@ github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl
 github.com/minio/sio v0.2.0/go.mod h1:nKM5GIWSrqbOZp0uhyj6M1iA0X6xQzSGtYSaTKSCut0=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
-github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
-github.com/mitchellh/mapstructure v1.0.0/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
@@ -521,11 +360,10 @@ github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lN
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
-github.com/monoculum/formam v0.0.0-20180901015400-4e68be1d79ba/go.mod h1:RKgILGEJq24YyJ2ban8EO0RUVSJlF1pGsEvoLEACr/Q=
-github.com/moul/http2curl v0.0.0-20170919181001-9ac6cf4d929b/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/nats-io/gnatsd v1.4.1/go.mod h1:nqco77VO78hLCJpIcVfygDP2rPGfsEHkGTUk94uh5DQ=
 github.com/nats-io/go-nats v1.7.2/go.mod h1:+t7RHT5ApZebkrQdnn6AhQJmhJJiKAvJUio1PiiCtj0=
 github.com/nats-io/go-nats-streaming v0.4.4/go.mod h1:gfq4R3c9sKAINOpelo0gn/b9QDMBZnmrttcsNF+lqyo=
@@ -540,45 +378,26 @@ github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxzi
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/nats-io/stan.go v0.4.5/go.mod h1:Ji7mK6gRZJSH1nc3ZJH6vi7zn/QnZhpR9Arm4iuzsUQ=
 github.com/ncw/directio v1.0.5/go.mod h1:rX/pKEYkOXBGOggmcyJeJGloCkleSvphPx2eV3t6ROk=
-github.com/nicksnyder/go-i18n v1.10.0/go.mod h1:HrK7VCrbOvQoUAQ7Vpy7i87N7JZZZ7R2xBGjv0j365Q=
 github.com/nsqio/go-nsq v1.0.7/go.mod h1:XP5zaUs3pqf+Q71EqUJs3HYfBIqfK6G83WQMdNN+Ito=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
-github.com/oleiade/reflections v1.0.0/go.mod h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w=
+github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c h1:Hww8mOyEKTeON4bZn7FrlLismspbPc1teNRUVH7wLQ8=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw=
+github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c h1:eSfnfIuwhxZyULg1NNuZycJcYkjYVGYe7FczwQReM6U=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs=
-github.com/ory/fosite v0.29.0/go.mod h1:0atSZmXO7CAcs6NPMI/Qtot8tmZYj04Nddoold4S2h0=
-github.com/ory/go-acc v0.0.0-20181118080137-ddc355013f90/go.mod h1:sxnvPCxChFuSmTJGj8FdMupeq1BezCiEpDjTUXQ4hf4=
-github.com/ory/go-acc v0.1.0 h1:ibxdv3n2k4cqh0VXWa9RHARtbR7tcT7jsnSnmGZkDIM=
-github.com/ory/go-acc v0.1.0/go.mod h1:0omgy2aa3nDBJ45VAKeLHH8ccPBudxLeic4xiDRtug0=
-github.com/ory/go-convenience v0.1.0/go.mod h1:uEY/a60PL5c12nYz4V5cHY03IBmwIAEm8TWB0yn9KNs=
-github.com/ory/gojsonreference v0.0.0-20190720135523-6b606c2d8ee8/go.mod h1:wsH1C4nIeeQClDtD5AH7kF1uTS6zWyqfjVDTmB0Em7A=
-github.com/ory/gojsonschema v1.1.1-0.20190919112458-f254ca73d5e9/go.mod h1:BNZpdJgB74KOLSsWFvzw6roXg1I6O51WO8roMmW+T7Y=
-github.com/ory/herodot v0.6.2/go.mod h1:3BOneqcyBsVybCPAJoi92KN2BpJHcmDqAMcAAaJiJow=
-github.com/ory/viper v1.5.6/go.mod h1:TYmpFpKLxjQwvT4f0QPpkOn4sDXU1kDgAwJpgLYiQ28=
-github.com/ory/x v0.0.85 h1:AslLr2Efv6f7AT1tzn0RuX+sOri6h74phSh5lSeMqC4=
-github.com/ory/x v0.0.85/go.mod h1:s44V8t3xyjWZREcU+mWlp4h302rTuM4aLXcW+y5FbQ8=
-github.com/parnurzeal/gorequest v0.2.15/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
+github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.8.1 h1:C5Dqfs/LeauYDX0jJXIe2SWmwCbGzx9yF8C8xy3Lh34=
+github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/getopt v0.0.0-20180729010549-6fdd0a2c7117/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
 github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pelletier/go-toml v1.4.0 h1:u3Z1r+oOXJIkxqw34zVhyPgjBsm6X2wn21NWs/HfSeg=
-github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
@@ -586,205 +405,147 @@ github.com/pierrec/lz4 v2.2.6+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA=
 github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
-github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rcrowley/go-metrics v0.0.0-20190704165056-9c2d0518ed81/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rjeczalik/notify v0.9.2/go.mod h1:aErll2f0sUX9PXZnVNyeiObbmTlk5jnMoCa4QEjJeqM=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/rogpeppe/go-internal v1.0.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
-github.com/rubenv/sql-migrate v0.0.0-20190212093014-1007f53448d7/go.mod h1:WS0rl9eEliYI8DPnr3TOwz4439pay+qNgzJoVya/DmY=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4=
-github.com/santhosh-tekuri/jsonschema/v2 v2.1.0/go.mod h1:yzJzKUGV4RbWqWIBBP4wSOBqavX5saE02yirLS0OTyg=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/secure-io/sio-go v0.3.0/go.mod h1:D3KmXgKETffyYxBdFRN+Hpd2WzhzqS0EQwT3XWsAcBU=
-github.com/segmentio/analytics-go v3.0.1+incompatible/go.mod h1:C7CYBtQWk4vRk2RyLu0qOcbHJ18E3F1HV2C/8JvKN48=
-github.com/segmentio/backo-go v0.0.0-20160424052352-204274ad699c/go.mod h1:kJ9mm9YmoWSkk+oQ+5Cj8DEoRCX2JT6As4kEtIIOp1M=
-github.com/serenize/snaker v0.0.0-20171204205717-a683aaf2d516/go.mod h1:Yow6lPLSAXx2ifx470yD/nUe22Dv5vBvxK/UK9UUTVs=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/shirou/gopsutil v2.18.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
-github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
-github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
-github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
-github.com/shurcooL/highlight_diff v0.0.0-20170515013008-09bb4053de1b/go.mod h1:ZpfEhSmds4ytuByIcDnOLkTHGUI6KNqRNPDLHDk+mUU=
-github.com/shurcooL/highlight_go v0.0.0-20170515013102-78fb10f4a5f8/go.mod h1:UDKB5a1T23gOMUJrI+uSuH0VRDStOiUVSjBTRDVBVag=
-github.com/shurcooL/octicon v0.0.0-20180602230221-c42b0e3b24d9/go.mod h1:eWdoE5JD4R5UVWDucdOPg1g2fqQRq78IQa9zlOV1vpQ=
-github.com/shurcooL/sanitized_anchor_name v0.0.0-20170918181015-86672fcb3f95/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
-github.com/sirupsen/logrus v1.1.0/go.mod h1:zrgwTnHtNr00buQ1vSptGe8m1f/BbgsPukg8qsT7A+A=
-github.com/sirupsen/logrus v1.1.1/go.mod h1:zrgwTnHtNr00buQ1vSptGe8m1f/BbgsPukg8qsT7A+A=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/skyrings/skyring-common v0.0.0-20160929130248-d1c0bb1cbd5e/go.mod h1:d8hQseuYt4rJoOo21lFzYJdhMjmDqLY++ayArbgYjWI=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/assertions v0.0.0-20190401211740-f487f9de1cd3/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
-github.com/smartystreets/goconvey v0.0.0-20180222194500-ef6db91d284a/go.mod h1:XDJAKZRPZ1CvBcN2aX5YOUTYGHki24fSF0Iv48Ibg0s=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
-github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE=
-github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/afero v1.2.0/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/cast v1.2.0/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
 github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
-github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.2.1/go.mod h1:P4AexN0a+C9tGAnUFNwDMYYZv3pjFuvmeiMyKRaNVlI=
-github.com/spf13/viper v1.3.1/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.3.2 h1:VUFqw5KcqRf7i70GOzW7N+Q7+gxVBkSSqiXB12+JQ4M=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/subosito/gotenv v1.1.1/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5 h1:hNna6Fi0eP1f2sMBe/rJicDmaHmoXGe1Ta84FPYHLuE=
 github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5/go.mod h1:f1SCnEOt6sc3fOJfPQDRDzHOtSXuTtnz0ImG9kPRDV0=
-github.com/tidwall/gjson v1.3.2/go.mod h1:P256ACg0Mn+j1RXIDXoss50DeIABTYK1PULOJHhxOls=
 github.com/tidwall/gjson v1.3.5/go.mod h1:P256ACg0Mn+j1RXIDXoss50DeIABTYK1PULOJHhxOls=
 github.com/tidwall/match v1.0.1/go.mod h1:LujAq0jyVjBy028G1WhWfIzbpQfMO8bBZ6Tyb0+pL9E=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tidwall/sjson v1.0.4/go.mod h1:bURseu1nuBkFpIES5cz6zBtjmYeOQmEESshn7VpF15Y=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
-github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
-github.com/uber/jaeger-client-go v2.15.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
-github.com/uber/jaeger-lib v1.5.0/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
-github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go v1.1.5-pre/go.mod h1:FwP/aQVg39TXzItUBMwnWp9T9gPQnXw4Poh4/oBQZ/0=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/ugorji/go/codec v1.1.5-pre/go.mod h1:tULtS6Gy1AE1yCENaw4Vb//HLH5njI2tfCQDUqRd8fI=
-github.com/unrolled/secure v0.0.0-20180918153822-f340ee86eb8b/go.mod h1:mnPT77IAdsi/kV7+Es7y+pXALeV3h7G6dQF6mNYjcLA=
-github.com/unrolled/secure v0.0.0-20181005190816-ff9db2ff917f/go.mod h1:mnPT77IAdsi/kV7+Es7y+pXALeV3h7G6dQF6mNYjcLA=
-github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
+github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
+github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c/go.mod h1:UrdRz5enIKZ63MEE3IF9l2/ebyx59GyGgPi+tICQdmM=
-github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
-go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
+go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
+go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
+go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.1/go.mod h1:Ap50jQcDJrx6rB6VgeeFPtuPIf3wMRvRfrfYDO6+BmA=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-golang.org/x/crypto v0.0.0-20180830192347-182538f80094/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20180910181607-0e37d006457b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181001203147-e3636079e1a4/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181024171144-74cb1d3d52f4/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181025113841-85e1b3f9139a/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181025213731-e84da0312774/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181106171534-e4dc69e5b2fd/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181112202954-3d3f9f413869/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181127143415-eb0de9b17e85/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190102171810-8d7daa0c54b3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190103213133-ff983b9c42bc/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 h1:nVJ3guKA9qdkEQ3TUdXI9QSINo2CUPM/cySEvw2w8I0=
-golang.org/x/crypto v0.0.0-20200109152110-61a87790db17/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180816102801-aaf60122140d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180921000356-2f5d2388922f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180926154720-4dfa2610cdf3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181017193950-04a2e542c03f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181102091132-c10e9556a7bc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181106065722-10aee1819953/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181207154023-610586996380/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20181003184128-c57b0facaced/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -796,46 +557,29 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180816055513-1c9583448a9c/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180831094639-fa5fdf94c789/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180906133057-8cf3aee42992/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180921163948-d47a0f339242/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180926160741-c2ed4eda69e7/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180927150500-dad3d9fb7b6e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181005133103-4497e2df6f9e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181011152604-fa43e7bc11ba/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181022134430-8a28ead16f52/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181024145615-5cd93ef61a7c/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181025063200-d989b31c8746/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181026064943-731415f00dce/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181106135930-3a76605856fd/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181206074257-70b957f3b65e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190102155601-82a175fd1598/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190116161447-11f53e031339/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190130150945-aca44879d564/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190523142557-0e01d883c5c5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191105231009-c1f44814a5cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1 h1:gZpLHxUX5BdYLA08Lj4YCJNN/jk7KtquiArPoeX0WvA=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -844,93 +588,60 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3
 golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181003024731-2f84ea8ef872/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181006002542-f60d9635b16a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181008205924-a2b3f7f249e9/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181013182035-5e66757b835f/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181017214349-06f26fdaaa28/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181024171208-a2dc47679d30/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181026183834-f60e5f99f081/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181105230042-78dc5bac0cac/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181107215632-34b416bd17b3/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181114190951-94339b83286c/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181119130350-139d099f6620/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181127195227-b4e97c0ed882/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181127232545-e782529d0ddd/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181203210056-e5f3ab76ea4b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181205224935-3576414c54a4/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181206194817-bcd4e47d0288/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181207183836-8bc39b988060/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181212172921-837e80568c09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190102213336-ca9055ed7d04/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190104182027-498d95493402/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190111214448-fc1d57b08d7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190118193359-16909d206f00/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190624190245-7f2218787638/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190711191110-9a621aea19f8/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
+golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190508193815-b515fa19cec8/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190513181449-d00d292a067c/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
-google.golang.org/genproto v0.0.0-20190626174449-989357319d63/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
-google.golang.org/genproto v0.0.0-20190708153700-3bdd9d9f5532/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
+google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
-gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw=
-gopkg.in/gorp.v1 v1.7.2/go.mod h1:Wo3h+DBQZIxATwftsglhdD/62zRFPhGhTiu5jUJmCaw=
+gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -941,46 +652,65 @@ gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mN
 gopkg.in/jcmturner/gokrb5.v7 v7.2.3/go.mod h1:l8VISx+WGYp+Fp7KRbsiUuXTTOnxIc3Tuvyavf11/WM=
 gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLvuNnlv8=
 gopkg.in/ldap.v3 v3.0.3/go.mod h1:oxD7NyBuxchC+SgJDE1Q5Od05eGt29SDQVBmV+HYbzw=
-gopkg.in/mail.v2 v2.0.0-20180731213649-a0242b2233b4/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/olivere/elastic.v5 v5.0.80/go.mod h1:uhHoB4o3bvX5sorxBU29rPcmBQdV2Qfg0FBrx5D6pV0=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/square/go-jose.v2 v2.1.9/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/urfave/cli.v1 v1.20.0/go.mod h1:vuBzUtMdQeixQj8LVd+/98pzhxNGQoyuPBlsXHOQNO0=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
-gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b h1:aBGgKJUM9Hk/3AE8WaZIApnTxG35kbuQba2w+SXqezo=
-k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
-k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d h1:Jmdtdt1ZnoGfWWIIik61Z7nKYgO3J+swQJtPYsP9wHA=
-k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
-k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a h1:REMzGxu+NpG9dPRsE9my/fw9iYIecz1S8UFFl6hbe18=
-k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a/go.mod h1:qWnH3/b8sp/l7EvlDh7ulDU3UWA4P4N1NFbEEP791tM=
-k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible h1:bK03DJulJi9j05gwnXUufcs2j7h4M85YFvJ0dIlQ9k4=
-k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
+k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4=
+k8s.io/api v0.17.4 h1:HbwOhDapkguO8lTAE8OX3hdF2qp8GtpC9CW/MQATXXo=
+k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA=
+k8s.io/apiextensions-apiserver v0.17.2/go.mod h1:4KdMpjkEjjDI2pPfBA15OscyNldHWdBCfsWMDWAmSTs=
+k8s.io/apimachinery v0.0.0-20190612125636-6a5db36e93ad/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
+k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
+k8s.io/apimachinery v0.17.4 h1:UzM+38cPUJnzqSQ+E1PY4YxMHIzQyCg29LOoGfo79Zw=
+k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g=
+k8s.io/apiserver v0.17.2/go.mod h1:lBmw/TtQdtxvrTk0e2cgtOxHizXI+d0mmGQURIHQZlo=
+k8s.io/cli-runtime v0.17.4 h1:ZIJdxpBEszZqUhydrCoiI5rLXS2J/1AF5xFok2QJ9bc=
+k8s.io/cli-runtime v0.17.4/go.mod h1:IVW4zrKKx/8gBgNNkhiUIc7nZbVVNhc1+HcQh+PiNHc=
+k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI=
+k8s.io/client-go v0.17.4 h1:VVdVbpTY70jiNHS1eiFkUt7ZIJX3txd29nDxxXH4en8=
+k8s.io/client-go v0.17.4/go.mod h1:ouF6o5pz3is8qU0/qYL2RnoxOPqgfuidYLowytyLJmc=
+k8s.io/code-generator v0.0.0-20200306081859-6a048a382944/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc=
+k8s.io/component-base v0.0.0-20190612130303-4062e14deebe/go.mod h1:MmIDXnint3qMN0cqXHKrSiJ2XQKo3J1BPIz7in7NvO0=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a h1:UcxjrRMyNx/i/y8G7kPvLyy7rfbeuf1PYyBf973pgyU=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c h1:/KUFqjjqAcY4Us6luF5RDNZ16KJtb49HfR3ZHB9qYXM=
+k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
+k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
+k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20200109141947-94aeca20bf09 h1:sz6xjn8QP74104YNmJpzLbJ+a3ZtHt0tkD0g8vpdWNw=
 k8s.io/utils v0.0.0-20200109141947-94aeca20bf09/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+sigs.k8s.io/controller-runtime v0.5.0 h1:CbqIy5fbUX+4E9bpnBFd204YAzRYlM9SWW77BbrcDQo=
+sigs.k8s.io/controller-runtime v0.5.0/go.mod h1:REiJzC7Y00U+2YkMbT8wxgrsX5USpXKGhb2sCtAXiT8=
 sigs.k8s.io/kustomize v2.0.3+incompatible h1:JUufWFNlI44MdtnjUqVnvh29rR37PQFzPbLXqhyOyX0=
 sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index a48d2db3b4..842b70eb7d 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -7,6 +7,8 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/nirmata/kyverno/pkg/openapi"
+
 	"github.com/nirmata/kyverno/pkg/kyverno/sanitizedError"
 
 	policy2 "github.com/nirmata/kyverno/pkg/policy"
@@ -67,8 +69,13 @@ func Command() *cobra.Command {
 				}
 			}
 
+			openAPIController, err := openapi.NewOpenAPIController()
+			if err != nil {
+				return err
+			}
+
 			for _, policy := range policies {
-				err := policy2.Validate(*policy, nil, true)
+				err := policy2.Validate(*policy, nil, true, openAPIController)
 				if err != nil {
 					return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name))
 				}
@@ -82,7 +89,7 @@ func Command() *cobra.Command {
 				}
 			}
 
-			resources, err := getResources(policies, resourcePaths, dClient)
+			resources, err := getResources(policies, resourcePaths, dClient, openAPIController)
 			if err != nil {
 				return sanitizedError.New(fmt.Errorf("Issues fetching resources").Error())
 			}
@@ -110,7 +117,7 @@ func Command() *cobra.Command {
 	return cmd
 }
 
-func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient discovery.CachedDiscoveryInterface) ([]*unstructured.Unstructured, error) {
+func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient discovery.CachedDiscoveryInterface, openAPIController *openapi.Controller) ([]*unstructured.Unstructured, error) {
 	var resources []*unstructured.Unstructured
 	var err error
 
@@ -129,7 +136,7 @@ func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
 			resourceTypes = append(resourceTypes, kind)
 		}
 
-		resources, err = getResourcesOfTypeFromCluster(resourceTypes, dClient)
+		resources, err = getResourcesOfTypeFromCluster(resourceTypes, dClient, openAPIController)
 		if err != nil {
 			return nil, err
 		}
@@ -147,11 +154,12 @@ func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
 	return resources, nil
 }
 
-func getResourcesOfTypeFromCluster(resourceTypes []string, dClient discovery.CachedDiscoveryInterface) ([]*unstructured.Unstructured, error) {
+func getResourcesOfTypeFromCluster(resourceTypes []string, dClient discovery.CachedDiscoveryInterface, openAPIController *openapi.Controller) ([]*unstructured.Unstructured, error) {
 	var resources []*unstructured.Unstructured
 
 	for _, kind := range resourceTypes {
-		endpoint, err := getListEndpointForKind(kind)
+		// TODO use lister interface
+		endpoint, err := getListEndpointForKind(kind, openAPIController)
 		if err != nil {
 			return nil, err
 		}
diff --git a/pkg/kyverno/apply/helper.go b/pkg/kyverno/apply/helper.go
index 04dc142a9a..4ad4b1b6d3 100644
--- a/pkg/kyverno/apply/helper.go
+++ b/pkg/kyverno/apply/helper.go
@@ -7,9 +7,9 @@ import (
 	"github.com/nirmata/kyverno/pkg/openapi"
 )
 
-func getListEndpointForKind(kind string) (string, error) {
+func getListEndpointForKind(kind string, openAPIController *openapi.Controller) (string, error) {
 
-	definitionName := openapi.GetDefinitionNameFromKind(kind)
+	definitionName := openAPIController.GetDefinitionNameFromKind(kind)
 	definitionNameWithoutPrefix := strings.Replace(definitionName, "io.k8s.", "", -1)
 
 	parts := strings.Split(definitionNameWithoutPrefix, ".")
diff --git a/pkg/kyverno/validate/command.go b/pkg/kyverno/validate/command.go
index 4014189ff6..7c68b02877 100644
--- a/pkg/kyverno/validate/command.go
+++ b/pkg/kyverno/validate/command.go
@@ -7,6 +7,8 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/nirmata/kyverno/pkg/openapi"
+
 	"github.com/nirmata/kyverno/pkg/kyverno/sanitizedError"
 
 	policyvalidate "github.com/nirmata/kyverno/pkg/policy"
@@ -41,8 +43,13 @@ func Command() *cobra.Command {
 				}
 			}
 
+			openAPIController, err := openapi.NewOpenAPIController()
+			if err != nil {
+				return err
+			}
+
 			for _, policy := range policies {
-				err = policyvalidate.Validate(*policy, nil, true)
+				err = policyvalidate.Validate(*policy, nil, true, openAPIController)
 				if err != nil {
 					fmt.Println("Policy " + policy.Name + " is invalid")
 				} else {
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 5eed212617..33386aa3ad 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -2,6 +2,7 @@ package openapi
 
 import (
 	"encoding/json"
+	"fmt"
 	"time"
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -17,26 +18,19 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 )
 
-type crdDefinition struct {
-	Spec struct {
-		Names struct {
-			Kind string `json:"kind"`
-		} `json:"names"`
-		Versions []struct {
-			Schema struct {
-				OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
-			} `json:"schema"`
-		} `json:"versions"`
-	} `json:"spec"`
-}
-
 type crdSync struct {
-	client *client.Client
+	client     *client.Client
+	controller *Controller
 }
 
-func NewCRDSync(client *client.Client) *crdSync {
+func NewCRDSync(client *client.Client, controller *Controller) *crdSync {
+	if controller == nil {
+		panic(fmt.Errorf("nil controller sent into crd sync"))
+	}
+
 	return &crdSync{
-		client: client,
+		controller: controller,
+		client:     client,
 	}
 }
 
@@ -46,7 +40,7 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 		log.Log.Error(err, "cannot get openapi schema")
 	}
 
-	err = useOpenApiDocument(newDoc)
+	err = c.controller.useOpenApiDocument(newDoc)
 	if err != nil {
 		log.Log.Error(err, "Could not set custom OpenApi document")
 	}
@@ -58,8 +52,8 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 }
 
 func (c *crdSync) sync() {
-	openApiGlobalState.mutex.Lock()
-	defer openApiGlobalState.mutex.Unlock()
+	c.controller.mutex.Lock()
+	defer c.controller.mutex.Unlock()
 
 	crds, err := c.client.ListResource("CustomResourceDefinition", "", nil)
 	if err != nil {
@@ -67,24 +61,36 @@ func (c *crdSync) sync() {
 		return
 	}
 
-	deleteCRDFromPreviousSync()
+	c.controller.deleteCRDFromPreviousSync()
 
 	for _, crd := range crds.Items {
-		parseCRD(crd)
+		c.controller.parseCRD(crd)
 	}
 }
 
-func deleteCRDFromPreviousSync() {
-	for _, crd := range openApiGlobalState.crdList {
-		delete(openApiGlobalState.kindToDefinitionName, crd)
-		delete(openApiGlobalState.definitions, crd)
+func (o *Controller) deleteCRDFromPreviousSync() {
+	for _, crd := range o.crdList {
+		delete(o.kindToDefinitionName, crd)
+		delete(o.definitions, crd)
 	}
 
-	openApiGlobalState.crdList = []string{}
+	o.crdList = []string{}
 }
 
-func parseCRD(crd unstructured.Unstructured) {
-	var crdDefinition crdDefinition
+func (o *Controller) parseCRD(crd unstructured.Unstructured) {
+	var crdDefinition struct {
+		Spec struct {
+			Names struct {
+				Kind string `json:"kind"`
+			} `json:"names"`
+			Versions []struct {
+				Schema struct {
+					OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
+				} `json:"schema"`
+			} `json:"versions"`
+		} `json:"spec"`
+	}
+
 	crdRaw, _ := json.Marshal(crd.Object)
 	_ = json.Unmarshal(crdRaw, &crdDefinition)
 
@@ -104,8 +110,8 @@ func parseCRD(crd unstructured.Unstructured) {
 		return
 	}
 
-	openApiGlobalState.crdList = append(openApiGlobalState.crdList, crdName)
+	o.crdList = append(o.crdList, crdName)
 
-	openApiGlobalState.kindToDefinitionName[crdName] = crdName
-	openApiGlobalState.definitions[crdName] = parsedSchema
+	o.kindToDefinitionName[crdName] = crdName
+	o.definitions[crdName] = parsedSchema
 }
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 6f708d0333..6487c503e1 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -22,7 +22,7 @@ import (
 	"gopkg.in/yaml.v2"
 )
 
-var openApiGlobalState struct {
+type Controller struct {
 	mutex                sync.RWMutex
 	document             *openapi_v2.Document
 	definitions          map[string]*openapi_v2.Schema
@@ -31,21 +31,25 @@ var openApiGlobalState struct {
 	models               proto.Models
 }
 
-func init() {
+func NewOpenAPIController() (*Controller, error) {
+	controller := &Controller{}
+
 	defaultDoc, err := getSchemaDocument()
 	if err != nil {
-		panic(err)
+		return nil, err
 	}
 
-	err = useOpenApiDocument(defaultDoc)
+	err = controller.useOpenApiDocument(defaultDoc)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}
+
+	return controller, nil
 }
 
-func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
-	openApiGlobalState.mutex.RLock()
-	defer openApiGlobalState.mutex.RUnlock()
+func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error {
+	o.mutex.RLock()
+	defer o.mutex.RUnlock()
 
 	var kindToRules = make(map[string][]v1.Rule)
 	for _, rule := range policy.Spec.Rules {
@@ -66,7 +70,7 @@ func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 	for kind, rules := range kindToRules {
 		newPolicy := *policy.DeepCopy()
 		newPolicy.Spec.Rules = rules
-		resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})
+		resource, _ := o.generateEmptyResource(o.definitions[o.kindToDefinitionName[kind]]).(map[string]interface{})
 		if resource == nil {
 			log.Log.V(4).Info(fmt.Sprintf("Cannot Validate policy: openApi definition now found for %v", kind))
 			return nil
@@ -78,7 +82,7 @@ func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 		if err != nil {
 			return err
 		}
-		err = ValidateResource(*patchedResource.DeepCopy(), kind)
+		err = o.ValidateResource(*patchedResource.DeepCopy(), kind)
 		if err != nil {
 			return err
 		}
@@ -87,15 +91,15 @@ func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 	return nil
 }
 
-func ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
-	openApiGlobalState.mutex.RLock()
-	defer openApiGlobalState.mutex.RUnlock()
+func (o *Controller) ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
+	o.mutex.RLock()
+	defer o.mutex.RUnlock()
 	var err error
 
-	kind = openApiGlobalState.kindToDefinitionName[kind]
-	schema := openApiGlobalState.models.LookupModel(kind)
+	kind = o.kindToDefinitionName[kind]
+	schema := o.models.LookupModel(kind)
 	if schema == nil {
-		schema, err = getSchemaFromDefinitions(kind)
+		schema, err = o.getSchemaFromDefinitions(kind)
 		if err != nil || schema == nil {
 			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
 		}
@@ -114,28 +118,28 @@ func ValidateResource(patchedResource unstructured.Unstructured, kind string) er
 	return nil
 }
 
-func GetDefinitionNameFromKind(kind string) string {
-	openApiGlobalState.mutex.RLock()
-	defer openApiGlobalState.mutex.RUnlock()
-	return openApiGlobalState.kindToDefinitionName[kind]
+func (o *Controller) GetDefinitionNameFromKind(kind string) string {
+	o.mutex.RLock()
+	defer o.mutex.RUnlock()
+	return o.kindToDefinitionName[kind]
 }
 
-func useOpenApiDocument(customDoc *openapi_v2.Document) error {
-	openApiGlobalState.mutex.Lock()
-	defer openApiGlobalState.mutex.Unlock()
+func (o *Controller) useOpenApiDocument(customDoc *openapi_v2.Document) error {
+	o.mutex.Lock()
+	defer o.mutex.Unlock()
 
-	openApiGlobalState.document = customDoc
+	o.document = customDoc
 
-	openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema)
-	openApiGlobalState.kindToDefinitionName = make(map[string]string)
-	for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties {
-		openApiGlobalState.definitions[definition.GetName()] = definition.GetValue()
+	o.definitions = make(map[string]*openapi_v2.Schema)
+	o.kindToDefinitionName = make(map[string]string)
+	for _, definition := range o.document.GetDefinitions().AdditionalProperties {
+		o.definitions[definition.GetName()] = definition.GetValue()
 		path := strings.Split(definition.GetName(), ".")
-		openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
+		o.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
 	}
 
 	var err error
-	openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document)
+	o.models, err = proto.NewOpenAPIData(o.document)
 	if err != nil {
 		return err
 	}
@@ -154,17 +158,17 @@ func getSchemaDocument() (*openapi_v2.Document, error) {
 }
 
 // For crd, we do not store definition in document
-func getSchemaFromDefinitions(kind string) (proto.Schema, error) {
+func (o *Controller) getSchemaFromDefinitions(kind string) (proto.Schema, error) {
 	path := proto.NewPath(kind)
-	return (&proto.Definitions{}).ParseSchema(openApiGlobalState.definitions[kind], &path)
+	return (&proto.Definitions{}).ParseSchema(o.definitions[kind], &path)
 }
 
-func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {
+func (o *Controller) generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {
 
 	types := kindSchema.GetType().GetValue()
 
 	if kindSchema.GetXRef() != "" {
-		return generateEmptyResource(openApiGlobalState.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")])
+		return o.generateEmptyResource(o.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")])
 	}
 
 	if len(types) != 1 {
@@ -188,7 +192,7 @@ func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {
 		wg.Add(len(properties))
 		for _, property := range properties {
 			go func(property *openapi_v2.NamedSchema) {
-				prop := generateEmptyResource(property.GetValue())
+				prop := o.generateEmptyResource(property.GetValue())
 				mutex.Lock()
 				props[property.GetName()] = prop
 				mutex.Unlock()
@@ -200,7 +204,7 @@ func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {
 	case "array":
 		var array []interface{}
 		for _, schema := range kindSchema.GetItems().GetSchema() {
-			array = append(array, generateEmptyResource(schema))
+			array = append(array, o.generateEmptyResource(schema))
 		}
 		return array
 	case "string":
diff --git a/pkg/openapi/validation_test.go b/pkg/openapi/validation_test.go
index 813c2ed15b..3472810554 100644
--- a/pkg/openapi/validation_test.go
+++ b/pkg/openapi/validation_test.go
@@ -47,12 +47,14 @@ func Test_ValidateMutationPolicy(t *testing.T) {
 		},
 	}
 
+	o, _ := NewOpenAPIController()
+
 	for i, tc := range tcs {
 		policy := v1.ClusterPolicy{}
 		_ = json.Unmarshal(tc.policy, &policy)
 
 		var errMessage string
-		err := ValidatePolicyMutation(policy)
+		err := o.ValidatePolicyMutation(policy)
 		if err != nil {
 			errMessage = err.Error()
 		}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 4fbe44ad81..5b8d8590a7 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -17,7 +17,7 @@ import (
 // Validate does some initial check to verify some conditions
 // - One operation per rule
 // - ResourceDescription mandatory checks
-func Validate(p kyverno.ClusterPolicy, client *dclient.Client, mock bool) error {
+func Validate(p kyverno.ClusterPolicy, client *dclient.Client, mock bool, openAPIController *openapi.Controller) error {
 	if path, err := validateUniqueRuleName(p); err != nil {
 		return fmt.Errorf("path: spec.%s: %v", path, err)
 	}
@@ -68,7 +68,7 @@ func Validate(p kyverno.ClusterPolicy, client *dclient.Client, mock bool) error
 		}
 	}
 
-	if err := openapi.ValidatePolicyMutation(p); err != nil {
+	if err := openAPIController.ValidatePolicyMutation(p); err != nil {
 		return err
 	}
 
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 4d1e4f12af..6dc3d42cfb 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -4,6 +4,8 @@ import (
 	"encoding/json"
 	"testing"
 
+	"github.com/nirmata/kyverno/pkg/openapi"
+
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"gotest.tools/assert"
 )
@@ -373,7 +375,9 @@ func Test_Validate_Policy(t *testing.T) {
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = Validate(policy, nil, true)
+	openAPIController, _ := openapi.NewOpenAPIController()
+
+	err = Validate(policy, nil, true, openAPIController)
 	assert.NilError(t, err)
 }
 
@@ -519,7 +523,9 @@ func Test_Validate_ErrorFormat(t *testing.T) {
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = Validate(policy, nil, true)
+	openAPIController, _ := openapi.NewOpenAPIController()
+
+	err = Validate(policy, nil, true, openAPIController)
 	assert.Assert(t, err != nil)
 }
 
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 68ca58fae1..0afdefa90a 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -5,8 +5,6 @@ import (
 	"sort"
 	"time"
 
-	"github.com/nirmata/kyverno/pkg/openapi"
-
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -67,7 +65,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
 			continue
 		}
-		err := openapi.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind())
+		err := ws.openAPIController.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind())
 		if err != nil {
 			logger.Error(err, "failed to validate resource")
 			continue
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index 176a00c7ad..493b290c4b 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -28,7 +28,7 @@ func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionReques
 				Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err),
 			}}
 	}
-	if err := policyvalidate.Validate(*policy, ws.client, false); err != nil {
+	if err := policyvalidate.Validate(*policy, ws.client, false, ws.openAPIController); err != nil {
 		admissionResp = &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index fbc8788d0b..f7db0d888f 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -10,6 +10,8 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/nirmata/kyverno/pkg/openapi"
+
 	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
@@ -70,6 +72,7 @@ type WebhookServer struct {
 	grGenerator            *generate.Generator
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
 	log                    logr.Logger
+	openAPIController      *openapi.Controller
 }
 
 // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
@@ -91,6 +94,7 @@ func NewWebhookServer(
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
 	cleanUp chan<- struct{},
 	log logr.Logger,
+	openAPIController *openapi.Controller,
 ) (*WebhookServer, error) {
 
 	if tlsPair == nil {
@@ -124,6 +128,7 @@ func NewWebhookServer(
 		grGenerator:               grGenerator,
 		resourceWebhookWatcher:    resourceWebhookWatcher,
 		log:                       log,
+		openAPIController:         openAPIController,
 	}
 	mux := http.NewServeMux()
 	mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)

From 29f56e292a07327aaa41fa409713921a48ed440c Mon Sep 17 00:00:00 2001
From: shivkumar dudhani <shivkumar@nirmata.com>
Date: Fri, 27 Mar 2020 08:22:05 -0700
Subject: [PATCH 048/201] use klog as logger for event broadcasting

---
 pkg/event/controller.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index 0125397c8d..a33e50f756 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -17,6 +17,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog"
 )
 
 //Generator generate events
@@ -66,7 +67,7 @@ func initRecorder(client *client.Client, eventSource Source, log logr.Logger) re
 		return nil
 	}
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(log.Info)
+	eventBroadcaster.StartLogging(klog.Infof)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
 		log.Error(err, "failed to get event interface for logging")

From 39f75db43568c62e8a933542105c6642f6e3ce0c Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 28 Mar 2020 16:30:18 +0530
Subject: [PATCH 049/201] 754 merge conflicts

---
 .codeclimate.yml                              |  18 +
 .golangci.yml                                 |  17 +
 .travis.yml                                   |   5 +
 CONTRIBUTING.md                               |   8 +-
 README.md                                     |   1 +
 {data => api}/swaggerDoc.go                   |   0
 cmd/initContainer/main.go                     |  80 ++-
 cmd/kyverno/main.go                           | 110 ++--
 definitions/install.yaml                      |   2 -
 definitions/install_debug.yaml                |   2 -
 go.mod                                        |  32 +-
 go.sum                                        | 185 ++++++
 pkg/api/kyverno/v1/zz_generated.deepcopy.go   |   8 +-
 pkg/auth/auth.go                              | 108 ++++
 pkg/auth/auth_test.go                         |  48 ++
 pkg/checker/checker.go                        |  41 +-
 pkg/checker/status.go                         |  26 +-
 pkg/client/clientset/versioned/clientset.go   |   7 +
 .../versioned/fake/clientset_generated.go     |   7 +-
 .../clientset/versioned/fake/register.go      |   3 +-
 .../typed/kyverno/v1/kyverno_client.go        |   3 +-
 pkg/config/config.go                          |  28 +-
 pkg/config/dynamicconfig.go                   |  39 +-
 pkg/dclient/certificates.go                   |  37 +-
 pkg/dclient/client.go                         |  32 +-
 pkg/engine/anchor/anchor.go                   |  15 +-
 pkg/engine/context/context.go                 |  19 +-
 pkg/engine/context/evaluate.go                |   7 +-
 pkg/engine/forceMutate.go                     |   5 +-
 pkg/engine/generation.go                      |  18 +-
 pkg/engine/mutate/overlay.go                  |  38 +-
 pkg/engine/mutate/overlayCondition.go         |  27 +-
 pkg/engine/mutate/overlayCondition_test.go    | 111 ++--
 pkg/engine/mutate/overlay_test.go             |  93 +--
 pkg/engine/mutate/patches.go                  |  17 +-
 pkg/engine/mutate/patches_test.go             |  19 +-
 pkg/engine/mutation.go                        |  41 +-
 pkg/engine/mutation_test.go                   |  16 +-
 pkg/engine/utils.go                           |   5 +-
 pkg/engine/validate/pattern.go                |  76 +--
 pkg/engine/validate/pattern_test.go           | 113 ++--
 pkg/engine/validate/validate.go               |  54 +-
 pkg/engine/validate/validate_test.go          |  52 +-
 pkg/engine/validation.go                      |  55 +-
 pkg/engine/validation_test.go                 |  64 +-
 pkg/engine/variables/common.go                |  10 +
 pkg/engine/variables/evaluate.go              |  11 +-
 pkg/engine/variables/evaluate_test.go         |  61 +-
 pkg/engine/variables/operator/equal.go        |  40 +-
 pkg/engine/variables/operator/notequal.go     |  39 +-
 pkg/engine/variables/operator/operator.go     |  12 +-
 pkg/engine/variables/variables_test.go        |  19 +-
 pkg/engine/variables/vars.go                  |  34 +-
 pkg/engine/variables/vars_test.go             |   7 +-
 pkg/event/controller.go                       |  53 +-
 pkg/generate/cleanup/cleanup.go               |  15 +-
 pkg/generate/cleanup/controller.go            |  51 +-
 pkg/generate/controller.go                    |  45 +-
 pkg/generate/generate.go                      |  65 +-
 pkg/generate/labels.go                        |   6 +-
 pkg/generate/report.go                        |   5 +-
 pkg/generate/status.go                        |  10 +-
 pkg/kyverno/apply/command.go                  |   7 +-
 pkg/kyverno/main.go                           |  11 +-
 pkg/kyverno/validate/command.go               |   7 +-
 pkg/openapi/crdSync.go                        |  13 +-
 pkg/openapi/validation.go                     |   8 +-
 pkg/policy/actions.go                         |  61 ++
 pkg/policy/apply.go                           |  46 +-
 pkg/policy/background.go                      |  11 +-
 pkg/policy/cleanup.go                         |  44 +-
 pkg/policy/clusterpv.go                       |  39 +-
 pkg/policy/common.go                          |   4 +-
 pkg/policy/common/common.go                   |  85 +++
 pkg/policy/controller.go                      |  53 +-
 pkg/policy/existing.go                        |  60 +-
 pkg/policy/generate/auth.go                   |  74 +++
 pkg/policy/generate/fake.go                   |  21 +
 pkg/policy/generate/fake/auth.go              |  31 +
 pkg/policy/generate/validate.go               | 151 +++++
 pkg/policy/generate/validate_test.go          |  89 +++
 pkg/policy/mutate/validate.go                 |  63 ++
 pkg/policy/mutate/validate_test.go            | 151 +++++
 pkg/policy/namespacedpv.go                    |  38 +-
 pkg/policy/report.go                          |  33 +-
 pkg/policy/validate.go                        | 223 +------
 pkg/policy/validate/validate.go               |  61 ++
 pkg/policy/validate/validate_test.go          | 381 ++++++++++++
 pkg/policy/validate_test.go                   | 582 +-----------------
 pkg/policy/webhookregistration.go             |   8 +-
 pkg/policystatus/main.go                      |   9 +-
 pkg/policystore/policystore.go                |  16 +-
 pkg/policyviolation/builder.go                |   7 +-
 pkg/policyviolation/builder_test.go           |   3 +-
 pkg/policyviolation/clusterpv.go              |  22 +-
 pkg/policyviolation/common.go                 |   4 +-
 pkg/policyviolation/generator.go              |  41 +-
 pkg/policyviolation/namespacedpv.go           |  22 +-
 pkg/testrunner/scenario.go                    |   9 +-
 pkg/testrunner/utils.go                       |   4 +-
 pkg/tls/tls.go                                |   1 +
 pkg/userinfo/roleRef.go                       |   6 +-
 pkg/userinfo/roleRef_test.go                  |   8 +-
 pkg/utils/util.go                             |  15 +-
 pkg/version/version.go                        |  10 +-
 pkg/webhookconfig/checker.go                  |  21 +-
 pkg/webhookconfig/common.go                   | 128 +++-
 pkg/webhookconfig/policy.go                   |  23 +-
 pkg/webhookconfig/registration.go             |  59 +-
 pkg/webhookconfig/resource.go                 |  37 +-
 pkg/webhookconfig/rwebhookregister.go         |  35 +-
 pkg/webhooks/admission_test.go                |   1 -
 pkg/webhooks/annotations.go                   |  22 +-
 pkg/webhooks/annotations_test.go              |  13 +-
 pkg/webhooks/checker.go                       |   5 +-
 pkg/webhooks/common.go                        |  13 +-
 pkg/webhooks/generate/generate.go             |  30 +-
 pkg/webhooks/generation.go                    |  13 +-
 pkg/webhooks/mutation.go                      |  38 +-
 pkg/webhooks/policymutation.go                |  50 +-
 pkg/webhooks/policymutation_test.go           |  15 +-
 pkg/webhooks/policyvalidation.go              |   3 +-
 pkg/webhooks/report.go                        |   7 +-
 pkg/webhooks/server.go                        |  57 +-
 pkg/webhooks/validation.go                    |  33 +-
 scripts/update-codegen.sh                     |   4 +-
 126 files changed, 3203 insertions(+), 2111 deletions(-)
 create mode 100644 .codeclimate.yml
 create mode 100644 .golangci.yml
 rename {data => api}/swaggerDoc.go (100%)
 create mode 100644 pkg/auth/auth.go
 create mode 100644 pkg/auth/auth_test.go
 create mode 100644 pkg/engine/variables/common.go
 create mode 100644 pkg/policy/actions.go
 create mode 100644 pkg/policy/common/common.go
 create mode 100644 pkg/policy/generate/auth.go
 create mode 100644 pkg/policy/generate/fake.go
 create mode 100644 pkg/policy/generate/fake/auth.go
 create mode 100644 pkg/policy/generate/validate.go
 create mode 100644 pkg/policy/generate/validate_test.go
 create mode 100644 pkg/policy/mutate/validate.go
 create mode 100644 pkg/policy/mutate/validate_test.go
 create mode 100644 pkg/policy/validate/validate.go
 create mode 100644 pkg/policy/validate/validate_test.go
 delete mode 100644 pkg/webhooks/admission_test.go

diff --git a/.codeclimate.yml b/.codeclimate.yml
new file mode 100644
index 0000000000..95a96cfddb
--- /dev/null
+++ b/.codeclimate.yml
@@ -0,0 +1,18 @@
+engines:
+  govet:
+    enabled: true
+  golint:
+    enabled: false
+  gofmt:
+    enabled: true
+
+ratings:
+  paths:
+    - "**.go"
+
+exclude_paths:
+- documentation/
+- definitions
+- gh-pages
+- samples
+- scripts
\ No newline at end of file
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 0000000000..a589a168f3
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,17 @@
+linters:
+  enable:
+    - gosec
+    - errcheck
+    - gosimple
+    - bodyclose
+    - staticcheck
+  disable:
+    - ineffassign
+    - deadcode
+    - unused
+    - structcheck
+
+run:
+  skip-files:
+    - ".+_test.go"
+    - ".+_test_.+.go"
\ No newline at end of file
diff --git a/.travis.yml b/.travis.yml
index 917a026a0c..3f9676cdb2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,6 +2,11 @@ language: go
 go:
   - "1.13"
 
+cache:
+  directories:
+    - $HOME/.cache/go-build
+    - $GOPATH/pkg/mod
+  
 # safelist
 branches: 
   only:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index be104b5dc2..9941e08dd5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1 +1,7 @@
-See: https://github.com/nirmata/kyverno#contributing
+# Contributing to Kyverno
+
+## Code Style
+
+We follow the community provided standard [code structure](https://github.com/golang-standards/project-layout).
+
+See : https://github.com/nirmata/kyverno#contributing
diff --git a/README.md b/README.md
index df3ec092d1..2335a3b78f 100644
--- a/README.md
+++ b/README.md
@@ -171,5 +171,6 @@ See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](htt
 Thanks for your interest in contributing!
 
   * Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing.
+  * We encourage all contributions and encourage you to read our [contribution guidelines](./CONTRIBUTING.md).
   * See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation.
   * Browse through the [open issues](https://github.com/nirmata/kyverno/issues)
diff --git a/data/swaggerDoc.go b/api/swaggerDoc.go
similarity index 100%
rename from data/swaggerDoc.go
rename to api/swaggerDoc.go
diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index 9c5a9141ba..e9e377cb7f 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -5,23 +5,27 @@ package main
 
 import (
 	"flag"
+	"fmt"
 	"os"
 	"regexp"
 	"strconv"
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/signal"
 	"k8s.io/apimachinery/pkg/api/errors"
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
+	"k8s.io/klog"
+	"k8s.io/klog/klogr"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 var (
 	kubeconfig string
+	setupLog   = log.Log.WithName("setup")
 )
 
 const (
@@ -30,20 +34,30 @@ const (
 )
 
 func main() {
-	defer glog.Flush()
+	klog.InitFlags(nil)
+	log.SetLogger(klogr.New())
+	// arguments
+	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
+	if err := flag.Set("v", "2"); err != nil {
+		klog.Fatalf("failed to set log level: %v", err)
+	}
+	flag.Parse()
+
 	// os signal handler
 	stopCh := signal.SetupSignalHandler()
 	// create client config
 	clientConfig, err := createClientConfig(kubeconfig)
 	if err != nil {
-		glog.Fatalf("Error building kubeconfig: %v\n", err)
+		setupLog.Error(err, "Failed to build kubeconfig")
+		os.Exit(1)
 	}
 
 	// DYNAMIC CLIENT
 	// - client for all registered resources
-	client, err := client.NewClient(clientConfig, 10*time.Second, stopCh)
+	client, err := client.NewClient(clientConfig, 10*time.Second, stopCh, log.Log)
 	if err != nil {
-		glog.Fatalf("Error creating client: %v\n", err)
+		setupLog.Error(err, "Failed to create client")
+		os.Exit(1)
 	}
 
 	// Exit for unsupported version of kubernetes cluster
@@ -78,53 +92,46 @@ func main() {
 	for err := range merge(done, stopCh, p1, p2) {
 		if err != nil {
 			failure = true
-			glog.Errorf("failed to cleanup: %v", err)
+			log.Log.Error(err, "failed to cleanup resource")
 		}
 	}
 	// if there is any failure then we fail process
 	if failure {
-		glog.Errorf("failed to cleanup webhook configurations")
+		log.Log.Info("failed to cleanup webhook configurations")
 		os.Exit(1)
 	}
 }
 
-func init() {
-	// arguments
-	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
-	flag.Set("logtostderr", "true")
-	flag.Set("stderrthreshold", "WARNING")
-	flag.Set("v", "2")
-	flag.Parse()
-}
-
 func removeWebhookIfExists(client *client.Client, kind string, name string) error {
+	logger := log.Log.WithName("removeExistingWebhook").WithValues("kind", kind, "name", name)
 	var err error
 	// Get resource
 	_, err = client.GetResource(kind, "", name)
 	if errors.IsNotFound(err) {
-		glog.V(4).Infof("%s(%s) not found", name, kind)
+		logger.V(4).Info("resource not found")
 		return nil
 	}
 	if err != nil {
-		glog.Errorf("failed to get resource %s(%s)", name, kind)
+		logger.Error(err, "failed to get resource")
 		return err
 	}
 	// Delete resource
 	err = client.DeleteResource(kind, "", name, false)
 	if err != nil {
-		glog.Errorf("failed to delete resource %s(%s)", name, kind)
+		logger.Error(err, "failed to delete resource")
 		return err
 	}
-	glog.Infof("cleaned up resource %s(%s)", name, kind)
+	logger.Info("removed the resource")
 	return nil
 }
 
 func createClientConfig(kubeconfig string) (*rest.Config, error) {
+	logger := log.Log
 	if kubeconfig == "" {
-		glog.Info("Using in-cluster configuration")
+		logger.Info("Using in-cluster configuration")
 		return rest.InClusterConfig()
 	}
-	glog.Infof("Using configuration from '%s'", kubeconfig)
+	logger.Info(fmt.Sprintf("Using configuration from '%s'", kubeconfig))
 	return clientcmd.BuildConfigFromFlags("", kubeconfig)
 }
 
@@ -163,6 +170,7 @@ func gen(done <-chan struct{}, stopCh <-chan struct{}, requests ...request) <-ch
 
 // processes the requests
 func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}, requests <-chan request) <-chan error {
+	logger := log.Log.WithName("process")
 	out := make(chan error)
 	go func() {
 		defer close(out)
@@ -170,10 +178,10 @@ func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}
 			select {
 			case out <- removeWebhookIfExists(client, req.kind, req.name):
 			case <-done:
-				println("done process")
+				logger.Info("done")
 				return
 			case <-stopCh:
-				println("shutting down process")
+				logger.Info("shutting down")
 				return
 			}
 		}
@@ -183,6 +191,7 @@ func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}
 
 // waits for all processes to be complete and merges result
 func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan error) <-chan error {
+	logger := log.Log.WithName("merge")
 	var wg sync.WaitGroup
 	out := make(chan error)
 	// gets the output from each process
@@ -192,10 +201,10 @@ func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan err
 			select {
 			case out <- err:
 			case <-done:
-				println("done merge")
+				logger.Info("done")
 				return
 			case <-stopCh:
-				println("shutting down merge")
+				logger.Info("shutting down")
 				return
 			}
 		}
@@ -215,30 +224,37 @@ func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan err
 }
 
 func isVersionSupported(client *client.Client) {
+	logger := log.Log
 	serverVersion, err := client.DiscoveryClient.GetServerVersion()
 	if err != nil {
-		glog.Fatalf("Failed to get kubernetes server version: %v\n", err)
+		logger.Error(err, "Failed to get kubernetes server version")
+		os.Exit(1)
 	}
 	exp := regexp.MustCompile(`v(\d*).(\d*).(\d*)`)
 	groups := exp.FindAllStringSubmatch(serverVersion.String(), -1)
 	if len(groups) != 1 || len(groups[0]) != 4 {
-		glog.Fatalf("Failed to extract kubernetes server version: %v.err %v\n", serverVersion, err)
+		logger.Error(err, "Failed to extract kubernetes server version", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 	// convert string to int
 	// assuming the version are always intergers
 	major, err := strconv.Atoi(groups[0][1])
 	if err != nil {
-		glog.Fatalf("Failed to extract kubernetes major server version: %v.err %v\n", serverVersion, err)
+		logger.Error(err, "Failed to extract kubernetes major server version", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 	minor, err := strconv.Atoi(groups[0][2])
 	if err != nil {
-		glog.Fatalf("Failed to extract kubernetes minor server version: %v.err %v\n", serverVersion, err)
+		logger.Error(err, "Failed to extract kubernetes minor server version", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 	sub, err := strconv.Atoi(groups[0][3])
 	if err != nil {
-		glog.Fatalf("Failed to extract kubernetes sub minor server version:%v. err %v\n", serverVersion, err)
+		logger.Error(err, "Failed to extract kubernetes sub minor server version", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 	if major <= 1 && minor <= 12 && sub < 7 {
-		glog.Fatalf("Unsupported kubernetes server version %s. Kyverno is supported from version v1.12.7+", serverVersion)
+		logger.Info("Unsupported kubernetes server version %s. Kyverno is supported from version v1.12.7+", "serverVersion", serverVersion)
+		os.Exit(1)
 	}
 }
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 7087d41832..3bb05a3b39 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -3,11 +3,12 @@ package main
 import (
 	"context"
 	"flag"
+	"fmt"
+	"os"
 	"time"
 
 	"github.com/nirmata/kyverno/pkg/openapi"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions"
@@ -27,6 +28,9 @@ import (
 	"github.com/nirmata/kyverno/pkg/webhooks"
 	webhookgenerate "github.com/nirmata/kyverno/pkg/webhooks/generate"
 	kubeinformers "k8s.io/client-go/informers"
+	"k8s.io/klog"
+	"k8s.io/klog/klogr"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 var (
@@ -38,20 +42,38 @@ var (
 	// will be removed in future and the configuration will be set only via configmaps
 	filterK8Resources string
 	// User FQDN as CSR CN
-	fqdncn bool
+	fqdncn   bool
+	setupLog = log.Log.WithName("setup")
 )
 
 func main() {
-	defer glog.Flush()
-	version.PrintVersionInfo()
+	klog.InitFlags(nil)
+	log.SetLogger(klogr.New())
+	flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"")
+	flag.IntVar(&webhookTimeout, "webhooktimeout", 3, "timeout for webhook configurations")
+	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
+	flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
+	flag.StringVar(&runValidationInMutatingWebhook, "runValidationInMutatingWebhook", "", "Validation will also be done using the mutation webhook, set to 'true' to enable. Older kubernetes versions do not work properly when a validation webhook is registered.")
+	if err := flag.Set("v", "2"); err != nil {
+		setupLog.Error(err, "failed to set log level")
+		os.Exit(1)
+	}
+
+	// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
+	flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR")
+
+	flag.Parse()
+
+	version.PrintVersionInfo(log.Log)
 	// cleanUp Channel
 	cleanUp := make(chan struct{})
 	//  handle os signals
 	stopCh := signal.SetupSignalHandler()
 	// CLIENT CONFIG
-	clientConfig, err := config.CreateClientConfig(kubeconfig)
+	clientConfig, err := config.CreateClientConfig(kubeconfig, log.Log)
 	if err != nil {
-		glog.Fatalf("Error building kubeconfig: %v\n", err)
+		setupLog.Error(err, "Failed to build kubeconfig")
+		os.Exit(1)
 	}
 
 	// KYVENO CRD CLIENT
@@ -60,29 +82,33 @@ func main() {
 	//		- PolicyViolation
 	pclient, err := kyvernoclient.NewForConfig(clientConfig)
 	if err != nil {
-		glog.Fatalf("Error creating client: %v\n", err)
+		setupLog.Error(err, "Failed to create client")
+		os.Exit(1)
 	}
 
 	// DYNAMIC CLIENT
 	// - client for all registered resources
 	// - invalidate local cache of registered resource every 10 seconds
-	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh)
+	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh, log.Log)
 	if err != nil {
-		glog.Fatalf("Error creating client: %v\n", err)
+		setupLog.Error(err, "Failed to create client")
+		os.Exit(1)
 	}
 	// CRD CHECK
 	// - verify if the CRD for Policy & PolicyViolation are available
-	if !utils.CRDInstalled(client.DiscoveryClient) {
-		glog.Fatalf("Required CRDs unavailable")
+	if !utils.CRDInstalled(client.DiscoveryClient, log.Log) {
+		setupLog.Error(fmt.Errorf("pre-requisite CRDs not installed"), "Failed to create watch on kyverno CRDs")
+		os.Exit(1)
 	}
 	// KUBERNETES CLIENT
 	kubeClient, err := utils.NewKubeClient(clientConfig)
 	if err != nil {
-		glog.Fatalf("Error creating kubernetes client: %v\n", err)
+		setupLog.Error(err, "Failed to create kubernetes client")
+		os.Exit(1)
 	}
 
 	// TODO(shuting): To be removed for v1.2.0
-	utils.CleanupOldCrd(client)
+	utils.CleanupOldCrd(client, log.Log)
 
 	// KUBERNETES RESOURCES INFORMER
 	// watches namespace resource
@@ -99,16 +125,18 @@ func main() {
 		clientConfig,
 		client,
 		serverIP,
-		int32(webhookTimeout))
+		int32(webhookTimeout),
+		log.Log)
 
 	// Resource Mutating Webhook Watcher
-	lastReqTime := checker.NewLastReqTime()
+	lastReqTime := checker.NewLastReqTime(log.Log.WithName("LastReqTime"))
 	rWebhookWatcher := webhookconfig.NewResourceWebhookRegister(
 		lastReqTime,
 		kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations(),
 		kubeInformer.Admissionregistration().V1beta1().ValidatingWebhookConfigurations(),
 		webhookRegistrationClient,
 		runValidationInMutatingWebhook,
+		log.Log.WithName("ResourceWebhookRegister"),
 	)
 
 	// KYVERNO CRD INFORMER
@@ -127,16 +155,19 @@ func main() {
 	configData := config.NewConfigData(
 		kubeClient,
 		kubeInformer.Core().V1().ConfigMaps(),
-		filterK8Resources)
+		filterK8Resources,
+		log.Log.WithName("ConfigData"),
+	)
 
 	// Policy meta-data store
-	policyMetaStore := policystore.NewPolicyStore(pInformer.Kyverno().V1().ClusterPolicies())
+	policyMetaStore := policystore.NewPolicyStore(pInformer.Kyverno().V1().ClusterPolicies(), log.Log.WithName("PolicyStore"))
 
 	// EVENT GENERATOR
 	// - generate event with retry mechanism
 	egen := event.NewEventGenerator(
 		client,
-		pInformer.Kyverno().V1().ClusterPolicies())
+		pInformer.Kyverno().V1().ClusterPolicies(),
+		log.Log.WithName("EventGenerator"))
 
 	// Policy Status Handler - deals with all logic related to policy status
 	statusSync := policystatus.NewSync(
@@ -149,7 +180,9 @@ func main() {
 		client,
 		pInformer.Kyverno().V1().ClusterPolicyViolations(),
 		pInformer.Kyverno().V1().PolicyViolations(),
-		statusSync.Listener)
+		statusSync.Listener,
+		log.Log.WithName("PolicyViolationGenerator"),
+	)
 
 	// POLICY CONTROLLER
 	// - reconciliation policy and policy violation
@@ -165,13 +198,16 @@ func main() {
 		egen,
 		pvgen,
 		policyMetaStore,
-		rWebhookWatcher)
+		rWebhookWatcher,
+		log.Log.WithName("PolicyController"),
+	)
 	if err != nil {
-		glog.Fatalf("error creating policy controller: %v\n", err)
+		setupLog.Error(err, "Failed to create policy controller")
+		os.Exit(1)
 	}
 
 	// GENERATE REQUEST GENERATOR
-	grgen := webhookgenerate.NewGenerator(pclient, stopCh)
+	grgen := webhookgenerate.NewGenerator(pclient, stopCh, log.Log.WithName("GenerateRequestGenerator"))
 
 	// GENERATE CONTROLLER
 	// - applies generate rules on resources based on generate requests created by webhook
@@ -184,6 +220,7 @@ func main() {
 		pvgen,
 		kubedynamicInformer,
 		statusSync.Listener,
+		log.Log.WithName("GenerateController"),
 	)
 	// GENERATE REQUEST CLEANUP
 	// -- cleans up the generate requests that have not been processed(i.e. state = [Pending, Failed]) for more than defined timeout
@@ -193,12 +230,14 @@ func main() {
 		pInformer.Kyverno().V1().ClusterPolicies(),
 		pInformer.Kyverno().V1().GenerateRequests(),
 		kubedynamicInformer,
+		log.Log.WithName("GenerateCleanUpController"),
 	)
 
 	// CONFIGURE CERTIFICATES
 	tlsPair, err := client.InitTLSPemPair(clientConfig, fqdncn)
 	if err != nil {
-		glog.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err)
+		setupLog.Error(err, "Failed to initialize TLS key/certificate pair")
+		os.Exit(1)
 	}
 
 	// WEBHOOK REGISTRATION
@@ -207,7 +246,8 @@ func main() {
 	// resource webhook confgiuration is generated dynamically in the webhook server and policy controller
 	// based on the policy resources created
 	if err = webhookRegistrationClient.Register(); err != nil {
-		glog.Fatalf("Failed registering Admission Webhooks: %v\n", err)
+		setupLog.Error(err, "Failed to register Admission webhooks")
+		os.Exit(1)
 	}
 
 	// Sync openAPI definitions of resources
@@ -234,9 +274,12 @@ func main() {
 		pvgen,
 		grgen,
 		rWebhookWatcher,
-		cleanUp)
+		cleanUp,
+		log.Log.WithName("WebhookServer"),
+	)
 	if err != nil {
-		glog.Fatalf("Unable to create webhook server: %v\n", err)
+		setupLog.Error(err, "Failed to create webhook server")
+		os.Exit(1)
 	}
 	// Start the components
 	pInformer.Start(stopCh)
@@ -274,18 +317,5 @@ func main() {
 	// resource cleanup
 	// remove webhook configurations
 	<-cleanUp
-	glog.Info("successful shutdown of kyverno controller")
-}
-
-func init() {
-	flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"")
-	flag.IntVar(&webhookTimeout, "webhooktimeout", 3, "timeout for webhook configurations")
-	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
-	flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
-	flag.StringVar(&runValidationInMutatingWebhook, "runValidationInMutatingWebhook", "", "Validation will also be done using the mutation webhook, set to 'true' to enable. Older kubernetes versions do not work properly when a validation webhook is registered.")
-
-	// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
-	flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR")
-	config.LogDefaultFlags()
-	flag.Parse()
+	setupLog.Info("Kyverno shutdown successful")
 }
diff --git a/definitions/install.yaml b/definitions/install.yaml
index be688d3d97..3e7825e878 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -109,8 +109,6 @@ spec:
                                         type: string
                   exclude:
                     type: object
-                    required:
-                    - resources
                     properties:
                       roles:
                         type: array
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index efc62b5a44..bf9194246d 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -109,8 +109,6 @@ spec:
                                         type: string
                   exclude:
                     type: object
-                    required:
-                    - resources
                     properties:
                       roles:
                         type: array
diff --git a/go.mod b/go.mod
index 593b08fdef..f5ba937e12 100644
--- a/go.mod
+++ b/go.mod
@@ -5,39 +5,37 @@ go 1.13
 require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/evanphx/json-patch v4.5.0+incompatible
-	github.com/gogo/protobuf v1.3.1 // indirect
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+	github.com/go-logr/logr v0.1.0
 	github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 // indirect
 	github.com/googleapis/gnostic v0.3.1
-	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
 	github.com/imdario/mergo v0.3.8 // indirect
 	github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
 	github.com/json-iterator/go v1.1.9 // indirect
 	github.com/minio/minio v0.0.0-20200114012931-30922148fbb5
-	github.com/ory/go-acc v0.1.0 // indirect
-	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/spf13/cobra v0.0.5
-	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5
-	golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 // indirect
 	golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
 	golang.org/x/sys v0.0.0-20200113162924-86b910548bc1 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	google.golang.org/appengine v1.6.5 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.2.7
+	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	gopkg.in/yaml.v2 v2.2.8
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b
-	k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d
-	k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a
-	k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible
-	k8s.io/klog v1.0.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a
+	k8s.io/api v0.17.4
+	k8s.io/apimachinery v0.17.4
+	k8s.io/cli-runtime v0.17.4
+	k8s.io/client-go v0.17.4
+	k8s.io/klog v1.0.0
+	k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c
 	k8s.io/utils v0.0.0-20200109141947-94aeca20bf09 // indirect
-	sigs.k8s.io/kustomize v2.0.3+incompatible // indirect
+	sigs.k8s.io/controller-runtime v0.5.0
 )
 
 // Added for go1.13 migration https://github.com/golang/go/issues/32805
-replace github.com/gorilla/rpc v1.2.0+incompatible => github.com/gorilla/rpc v1.2.0
+replace (
+	github.com/gorilla/rpc v1.2.0+incompatible => github.com/gorilla/rpc v1.2.0
+	k8s.io/code-generator => k8s.io/code-generator v0.0.0-20200306081859-6a048a382944
+	k8s.io/component-base => k8s.io/component-base v0.0.0-20190612130303-4062e14deebe
+)
diff --git a/go.sum b/go.sum
index 9b6fc04130..99c5af7f3b 100644
--- a/go.sum
+++ b/go.sum
@@ -15,6 +15,13 @@ github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiU
 github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-autorest v11.7.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
+github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
+github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
@@ -26,21 +33,29 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/purell v1.0.0 h1:0GoNN3taZV6QI81IXgCbxMyEaJDXMSIjArYBCYzVVvs=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2 h1:JCHLVE3B+kJde7bIEo5N4J+ZbLhp0J1Fs+ulyRws4gE=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/Shopify/sarama v1.24.1/go.mod h1:fGP8eQ6PugKEI0iUETYYtnP6d1pH/bdDMTel1X5ajsU=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
+github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
 github.com/ajg/form v0.0.0-20160822230020-523a5da1a92f/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/alecthomas/participle v0.2.1/go.mod h1:SW6HZGeZgSIpcUWX3fXpfZhuaWHnmoD5KCVaqSaNTkk=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
+github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.20.21/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.23.19/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-xray-sdk-go v0.9.4/go.mod h1:XtMKdBQfpVut+tJEwI7+dJFRxxRdxHDyVNp2tHXRq04=
@@ -50,6 +65,7 @@ github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NR
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
 github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
 github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
@@ -64,6 +80,7 @@ github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c/go.mod h1:XGLbWH/ujMcbPbhZq52Nv6UrCghb1yGn//133kEsvDk=
+github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/codegangsta/negroni v1.0.0/go.mod h1:v0y3T5G7Y1UlFfyxFn/QLRU4a2EuNau2iZY63YTKWo0=
 github.com/containerd/continuity v0.0.0-20181203112020-004b46473808/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -73,11 +90,16 @@ github.com/coreos/bbolt v1.3.3/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkE
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.12+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
+github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -85,9 +107,13 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/djherbis/atime v1.0.0/go.mod h1:5W+KBIuTwVGcqjIfaTwt+KSYX1o6uep8dtevevQP/f8=
+github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
+github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v0.0.0-20180713052910-9f541cc9db5d/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
@@ -96,9 +122,14 @@ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/eclipse/paho.mqtt.golang v1.2.0/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts=
 github.com/elazarl/go-bindata-assetfs v1.0.0/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/elazarl/goproxy v0.0.0-20181003060214-f58a169a71a5/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633 h1:H2pdYOb3KQ1/YsqVWoWNLQO+fusocsw354rqGTZtAgw=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
+github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
@@ -113,21 +144,68 @@ github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2H
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 h1:Mn26/9ZMNWSw9C9ERFA1PUxfmGpolnw2v0bKOREu5ew=
 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
+github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
+github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-bindata/go-bindata v3.1.1+incompatible/go.mod h1:xK8Dsgwmeed+BBsSy2XTopBn/8uK2HWuGSnA11C3Joo=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logr/logr v0.1.0 h1:M1Tv3VzNlEHg6uyACnRdtrploV2P7wZqH8BoQMtz0cg=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
+github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
+github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
+github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
+github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
+github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
+github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
+github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
+github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1 h1:wSt/4CYxs70xbATrGXhokKF1i0tZjENLOo1ioIO13zk=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
+github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
+github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
+github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
+github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9 h1:tF+augKRWlWx0J0B7ZyyKSiTyV6E1zZe+7b3qQlcEf8=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
+github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
+github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
+github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
+github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o=
+github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
+github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
+github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs=
+github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk=
+github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
+github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64=
+github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501 h1:C1JKChikHGpXwT5UQDFaryIpDtyyGL/CR6C2kB7F1oc=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
+github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
+github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
+github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
+github.com/go-openapi/spec v0.19.3 h1:0XRyw8kguri6Yw4SxhsQA/atC88yqrk0+G4YhI2wabc=
+github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
+github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
+github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
+github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY=
+github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87 h1:zP3nY8Tk2E6RTkqGYrarZXuzh+ffyLDljLxCy1iJw80=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
+github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
+github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
+github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
+github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
+github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -301,14 +379,18 @@ github.com/gobuffalo/x v0.0.0-20181003152136-452098b06085/go.mod h1:WevpGD+5YOre
 github.com/gobuffalo/x v0.0.0-20181007152206-913e47c59ca7/go.mod h1:9rDPXaB3kXdKWzMc4odGQQdG2e2DIEmANy5aSJ9yesY=
 github.com/gofrs/uuid v3.1.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/gddo v0.0.0-20180828051604-96d2a289f41e/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4=
 github.com/golang/gddo v0.0.0-20190904175337-72a348e765d2/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA=
@@ -333,6 +415,7 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@@ -341,11 +424,13 @@ github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OI
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.0 h1:Jf4mxPC/ziBnoPIdpQdPJ9OeiomAUHLvxmPRSPH9m4s=
 github.com/google/uuid v1.1.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
 github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk=
 github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
+github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gopherjs/gopherjs v0.0.0-20181004151105-1babbf986f6f/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20190328170749-bb2674552d8f/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -358,9 +443,12 @@ github.com/gorilla/rpc v1.2.0/go.mod h1:V4h9r+4sF5HnzqbwIez0fKSpANP0zlYd3qR7p36j
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.1.2/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
 github.com/gorilla/sessions v1.1.3/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
+github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
@@ -368,6 +456,7 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
@@ -399,6 +488,8 @@ github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvh
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg=
@@ -415,7 +506,10 @@ github.com/joho/godotenv v1.2.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqx
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.9 h1:9yzud/Ht36ygwatGx56VwCZtlI/2AD15T1X2sjSuGns=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@@ -445,11 +539,14 @@ github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kurin/blazer v0.5.4-0.20190613185654-cf2f27cc0be3/go.mod h1:4FCXMUWo9DllR2Do4TtBd377ezyAJ51vB5uTBjt0pGU=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/luna-duclos/instrumentedsql v1.1.2/go.mod h1:4LGbEqDnopzNAiyxPPDXhLspyunZxgPTMJBKtC6U0BQ=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4=
@@ -457,6 +554,12 @@ github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20180730094502-03f2033d19d5 h1:0x4qcEHDpruK6ML/m/YSlFUUu0UpRD3I2PHsNCuGnyA=
 github.com/mailru/easyjson v0.0.0-20180730094502-03f2033d19d5/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
+github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
 github.com/markbates/deplist v1.0.4/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
 github.com/markbates/deplist v1.0.5/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
 github.com/markbates/going v1.0.2/go.mod h1:UWCk3zm0UKefHZ7l8BNqi26UyiEMniznk8naLdTcy6c=
@@ -483,6 +586,7 @@ github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
@@ -525,7 +629,9 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwd
 github.com/monoculum/formam v0.0.0-20180901015400-4e68be1d79ba/go.mod h1:RKgILGEJq24YyJ2ban8EO0RUVSJlF1pGsEvoLEACr/Q=
 github.com/moul/http2curl v0.0.0-20170919181001-9ac6cf4d929b/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/nats-io/gnatsd v1.4.1/go.mod h1:nqco77VO78hLCJpIcVfygDP2rPGfsEHkGTUk94uh5DQ=
 github.com/nats-io/go-nats v1.7.2/go.mod h1:+t7RHT5ApZebkrQdnn6AhQJmhJJiKAvJUio1PiiCtj0=
 github.com/nats-io/go-nats-streaming v0.4.4/go.mod h1:gfq4R3c9sKAINOpelo0gn/b9QDMBZnmrttcsNF+lqyo=
@@ -545,15 +651,21 @@ github.com/nsqio/go-nsq v1.0.7/go.mod h1:XP5zaUs3pqf+Q71EqUJs3HYfBIqfK6G83WQMdNN
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/oleiade/reflections v1.0.0/go.mod h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w=
+github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c h1:Hww8mOyEKTeON4bZn7FrlLismspbPc1teNRUVH7wLQ8=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c h1:eSfnfIuwhxZyULg1NNuZycJcYkjYVGYe7FczwQReM6U=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
@@ -591,10 +703,12 @@ github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -602,10 +716,12 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q
 github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rcrowley/go-metrics v0.0.0-20190704165056-9c2d0518ed81/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
@@ -666,6 +782,7 @@ github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb6
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -677,6 +794,7 @@ github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DM
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
@@ -690,6 +808,7 @@ github.com/tidwall/gjson v1.3.5/go.mod h1:P256ACg0Mn+j1RXIDXoss50DeIABTYK1PULOJH
 github.com/tidwall/match v1.0.1/go.mod h1:LujAq0jyVjBy028G1WhWfIzbpQfMO8bBZ6Tyb0+pL9E=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tidwall/sjson v1.0.4/go.mod h1:bURseu1nuBkFpIES5cz6zBtjmYeOQmEESshn7VpF15Y=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
@@ -701,8 +820,10 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT
 github.com/ugorji/go/codec v1.1.5-pre/go.mod h1:tULtS6Gy1AE1yCENaw4Vb//HLH5njI2tfCQDUqRd8fI=
 github.com/unrolled/secure v0.0.0-20180918153822-f340ee86eb8b/go.mod h1:mnPT77IAdsi/kV7+Es7y+pXALeV3h7G6dQF6mNYjcLA=
 github.com/unrolled/secure v0.0.0-20181005190816-ff9db2ff917f/go.mod h1:mnPT77IAdsi/kV7+Es7y+pXALeV3h7G6dQF6mNYjcLA=
+github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
 github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
+github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -712,6 +833,10 @@ github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c/go.mod h1:UrdRz5enIKZ63M
 github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
+go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
+go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
+go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.1/go.mod h1:Ap50jQcDJrx6rB6VgeeFPtuPIf3wMRvRfrfYDO6+BmA=
@@ -734,15 +859,22 @@ golang.org/x/crypto v0.0.0-20181127143415-eb0de9b17e85/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190102171810-8d7daa0c54b3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190103213133-ff983b9c42bc/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 h1:nVJ3guKA9qdkEQ3TUdXI9QSINo2CUPM/cySEvw2w8I0=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
@@ -771,16 +903,22 @@ golang.org/x/net v0.0.0-20181207154023-610586996380/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -822,9 +960,11 @@ golang.org/x/sys v0.0.0-20190102155601-82a175fd1598/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190116161447-11f53e031339/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190130150945-aca44879d564/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -832,8 +972,10 @@ golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190523142557-0e01d883c5c5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191105231009-c1f44814a5cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1 h1:gZpLHxUX5BdYLA08Lj4YCJNN/jk7KtquiArPoeX0WvA=
@@ -844,6 +986,7 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3
 golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
@@ -875,6 +1018,7 @@ golang.org/x/tools v0.0.0-20190104182027-498d95493402/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190111214448-fc1d57b08d7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190118193359-16909d206f00/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -884,9 +1028,14 @@ golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190624190245-7f2218787638/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190711191110-9a621aea19f8/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
+golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
@@ -918,6 +1067,7 @@ google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiq
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
@@ -925,12 +1075,15 @@ gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUy
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw=
 gopkg.in/gorp.v1 v1.7.2/go.mod h1:Wo3h+DBQZIxATwftsglhdD/62zRFPhGhTiu5jUJmCaw=
+gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -942,6 +1095,7 @@ gopkg.in/jcmturner/gokrb5.v7 v7.2.3/go.mod h1:l8VISx+WGYp+Fp7KRbsiUuXTTOnxIc3Tuv
 gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLvuNnlv8=
 gopkg.in/ldap.v3 v3.0.3/go.mod h1:oxD7NyBuxchC+SgJDE1Q5Od05eGt29SDQVBmV+HYbzw=
 gopkg.in/mail.v2 v2.0.0-20180731213649-a0242b2233b4/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/olivere/elastic.v5 v5.0.80/go.mod h1:uhHoB4o3bvX5sorxBU29rPcmBQdV2Qfg0FBrx5D6pV0=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.1.9/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
@@ -955,6 +1109,8 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -963,24 +1119,53 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b h1:aBGgKJUM9Hk/3AE8WaZIApnTxG35kbuQba2w+SXqezo=
 k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
+k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4=
+k8s.io/api v0.17.4 h1:HbwOhDapkguO8lTAE8OX3hdF2qp8GtpC9CW/MQATXXo=
+k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA=
+k8s.io/apiextensions-apiserver v0.17.2/go.mod h1:4KdMpjkEjjDI2pPfBA15OscyNldHWdBCfsWMDWAmSTs=
 k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d h1:Jmdtdt1ZnoGfWWIIik61Z7nKYgO3J+swQJtPYsP9wHA=
 k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
+k8s.io/apimachinery v0.0.0-20190612125636-6a5db36e93ad/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
+k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
+k8s.io/apimachinery v0.17.4 h1:UzM+38cPUJnzqSQ+E1PY4YxMHIzQyCg29LOoGfo79Zw=
+k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g=
+k8s.io/apiserver v0.17.2/go.mod h1:lBmw/TtQdtxvrTk0e2cgtOxHizXI+d0mmGQURIHQZlo=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a h1:REMzGxu+NpG9dPRsE9my/fw9iYIecz1S8UFFl6hbe18=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a/go.mod h1:qWnH3/b8sp/l7EvlDh7ulDU3UWA4P4N1NFbEEP791tM=
+k8s.io/cli-runtime v0.17.4 h1:ZIJdxpBEszZqUhydrCoiI5rLXS2J/1AF5xFok2QJ9bc=
+k8s.io/cli-runtime v0.17.4/go.mod h1:IVW4zrKKx/8gBgNNkhiUIc7nZbVVNhc1+HcQh+PiNHc=
+k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI=
+k8s.io/client-go v0.17.4 h1:VVdVbpTY70jiNHS1eiFkUt7ZIJX3txd29nDxxXH4en8=
+k8s.io/client-go v0.17.4/go.mod h1:ouF6o5pz3is8qU0/qYL2RnoxOPqgfuidYLowytyLJmc=
 k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible h1:bK03DJulJi9j05gwnXUufcs2j7h4M85YFvJ0dIlQ9k4=
 k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
+k8s.io/code-generator v0.0.0-20200306081859-6a048a382944/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc=
+k8s.io/component-base v0.0.0-20190612130303-4062e14deebe/go.mod h1:MmIDXnint3qMN0cqXHKrSiJ2XQKo3J1BPIz7in7NvO0=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
+k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
+k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a h1:UcxjrRMyNx/i/y8G7kPvLyy7rfbeuf1PYyBf973pgyU=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c h1:/KUFqjjqAcY4Us6luF5RDNZ16KJtb49HfR3ZHB9qYXM=
+k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
+k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
+k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20200109141947-94aeca20bf09 h1:sz6xjn8QP74104YNmJpzLbJ+a3ZtHt0tkD0g8vpdWNw=
 k8s.io/utils v0.0.0-20200109141947-94aeca20bf09/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+sigs.k8s.io/controller-runtime v0.5.0 h1:CbqIy5fbUX+4E9bpnBFd204YAzRYlM9SWW77BbrcDQo=
+sigs.k8s.io/controller-runtime v0.5.0/go.mod h1:REiJzC7Y00U+2YkMbT8wxgrsX5USpXKGhb2sCtAXiT8=
 sigs.k8s.io/kustomize v2.0.3+incompatible h1:JUufWFNlI44MdtnjUqVnvh29rR37PQFzPbLXqhyOyX0=
 sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18=
+sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/pkg/api/kyverno/v1/zz_generated.deepcopy.go b/pkg/api/kyverno/v1/zz_generated.deepcopy.go
index d4d7cc6820..ff1a7c63e4 100644
--- a/pkg/api/kyverno/v1/zz_generated.deepcopy.go
+++ b/pkg/api/kyverno/v1/zz_generated.deepcopy.go
@@ -74,7 +74,7 @@ func (in *ClusterPolicy) DeepCopyObject() runtime.Object {
 func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	out.ListMeta = in.ListMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]ClusterPolicy, len(*in))
@@ -135,7 +135,7 @@ func (in *ClusterPolicyViolation) DeepCopyObject() runtime.Object {
 func (in *ClusterPolicyViolationList) DeepCopyInto(out *ClusterPolicyViolationList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	out.ListMeta = in.ListMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]ClusterPolicyViolation, len(*in))
@@ -241,7 +241,7 @@ func (in *GenerateRequestContext) DeepCopy() *GenerateRequestContext {
 func (in *GenerateRequestList) DeepCopyInto(out *GenerateRequestList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	out.ListMeta = in.ListMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]GenerateRequest, len(*in))
@@ -420,7 +420,7 @@ func (in *PolicyViolation) DeepCopyObject() runtime.Object {
 func (in *PolicyViolationList) DeepCopyInto(out *PolicyViolationList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	out.ListMeta = in.ListMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]PolicyViolation, len(*in))
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
new file mode 100644
index 0000000000..8f1ef24e1e
--- /dev/null
+++ b/pkg/auth/auth.go
@@ -0,0 +1,108 @@
+package auth
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/go-logr/logr"
+	client "github.com/nirmata/kyverno/pkg/dclient"
+	authorizationv1 "k8s.io/api/authorization/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+//CanIOptions provides utility ti check if user has authorization for the given operation
+type CanIOptions struct {
+	namespace string
+	verb      string
+	kind      string
+	client    *client.Client
+	log       logr.Logger
+}
+
+//NewCanI returns a new instance of operation access controler evaluator
+func NewCanI(client *client.Client, kind, namespace, verb string, log logr.Logger) *CanIOptions {
+	o := CanIOptions{
+		client: client,
+		log:    log,
+	}
+
+	o.namespace = namespace
+	o.kind = kind
+	o.verb = verb
+
+	return &o
+}
+
+//RunAccessCheck checks if the caller can perform the operation
+// - operation is a combination of namespace, kind, verb
+// - can only evaluate a single verb
+// - group version resource is determined from the kind using the discovery client REST mapper
+// - If disallowed, the reason and evaluationError is avialable in the logs
+// - each can generates a SelfSubjectAccessReview resource and response is evaluated for permissions
+func (o *CanIOptions) RunAccessCheck() (bool, error) {
+	// get GroupVersionResource from RESTMapper
+	// get GVR from kind
+	gvr := o.client.DiscoveryClient.GetGVRFromKind(o.kind)
+	if reflect.DeepEqual(gvr, schema.GroupVersionResource{}) {
+		// cannot find GVR
+		return false, fmt.Errorf("failed to get the Group Version Resource for kind %s", o.kind)
+	}
+
+	sar := &authorizationv1.SelfSubjectAccessReview{
+		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authorizationv1.ResourceAttributes{
+				Namespace: o.namespace,
+				Verb:      o.verb,
+				Group:     gvr.Group,
+				Resource:  gvr.Resource,
+			},
+		},
+	}
+	// Set self subject access review
+	// - namespace
+	// - verb
+	// - resource
+	// - subresource
+	logger := o.log.WithValues("kind", sar.Kind, "namespace", sar.Namespace, "name", sar.Name)
+
+	// Create the Resource
+	resp, err := o.client.CreateResource("SelfSubjectAccessReview", "", sar, false)
+	if err != nil {
+		logger.Error(err, "failed to create resource")
+		return false, err
+	}
+
+	// status.allowed
+	allowed, ok, err := unstructured.NestedBool(resp.Object, "status", "allowed")
+	if !ok {
+		if err != nil {
+			logger.Error(err, "failed to get the field", "field", "status.allowed")
+		}
+		logger.Info("field not found", "field", "status.allowed")
+	}
+
+	if !allowed {
+		// status.reason
+		reason, ok, err := unstructured.NestedString(resp.Object, "status", "reason")
+		if !ok {
+			if err != nil {
+				logger.Error(err, "failed to get the field", "field", "status.reason")
+			}
+			logger.Info("field not found", "field", "status.reason")
+		}
+		// status.evaluationError
+		evaluationError, ok, err := unstructured.NestedString(resp.Object, "status", "evaludationError")
+		if !ok {
+			if err != nil {
+				logger.Error(err, "failed to get the field", "field", "status.evaluationError")
+			}
+			logger.Info("field not found", "field", "status.evaluationError")
+		}
+
+		// Reporting ? (just logs)
+		logger.Info("disallowed operation", "reason", reason, "evaluationError", evaluationError)
+	}
+
+	return allowed, nil
+}
diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
new file mode 100644
index 0000000000..6dbc800285
--- /dev/null
+++ b/pkg/auth/auth_test.go
@@ -0,0 +1,48 @@
+package auth
+
+// import (
+// 	"testing"
+// 	"time"
+
+// 	"github.com/golang/glog"
+// 	"github.com/nirmata/kyverno/pkg/config"
+// 	dclient "github.com/nirmata/kyverno/pkg/dclient"
+// 	"github.com/nirmata/kyverno/pkg/signal"
+// )
+
+// func Test_Auth_pass(t *testing.T) {
+// 	// needs running cluster
+// 	var kubeconfig string
+// 	stopCh := signal.SetupSignalHandler()
+// 	kubeconfig = "/Users/shivd/.kube/config"
+// 	clientConfig, err := config.CreateClientConfig(kubeconfig)
+// 	if err != nil {
+// 		glog.Fatalf("Error building kubeconfig: %v\n", err)
+// 	}
+
+// 	// DYNAMIC CLIENT
+// 	// - client for all registered resources
+// 	// - invalidate local cache of registered resource every 10 seconds
+// 	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh)
+// 	if err != nil {
+// 		glog.Fatalf("Error creating client: %v\n", err)
+// 	}
+
+// 	// Can i authenticate
+
+// 	kind := "Deployment"
+// 	namespace := "default"
+// 	verb := "test"
+// 	canI := NewCanI(client, kind, namespace, verb)
+// 	ok, err := canI.RunAccessCheck()
+// 	if err != nil {
+// 		t.Error(err)
+// 	}
+// 	if ok {
+// 		t.Log("allowed")
+// 	} else {
+// 		t.Log("notallowed")
+// 	}
+// 	t.FailNow()
+
+// }
diff --git a/pkg/checker/checker.go b/pkg/checker/checker.go
index 762776dffd..16b8276d40 100644
--- a/pkg/checker/checker.go
+++ b/pkg/checker/checker.go
@@ -4,7 +4,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
@@ -20,8 +20,9 @@ const (
 
 // LastReqTime stores the lastrequest times for incoming api-requests
 type LastReqTime struct {
-	t  time.Time
-	mu sync.RWMutex
+	t   time.Time
+	mu  sync.RWMutex
+	log logr.Logger
 }
 
 //Time returns the lastrequest time
@@ -39,16 +40,17 @@ func (t *LastReqTime) SetTime(tm time.Time) {
 }
 
 //NewLastReqTime returns a new instance of LastRequestTime store
-func NewLastReqTime() *LastReqTime {
+func NewLastReqTime(log logr.Logger) *LastReqTime {
 	return &LastReqTime{
-		t: time.Now(),
+		t:   time.Now(),
+		log: log,
 	}
 }
 
-func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolicyLister) bool {
+func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolicyLister, log logr.Logger) bool {
 	policies, err := pLister.ListResources(labels.NewSelector())
 	if err != nil {
-		glog.Error()
+		log.Error(err, "failed to list cluster policies")
 	}
 	for _, policy := range policies {
 		if policy.HasMutateOrValidateOrGenerate() {
@@ -62,15 +64,16 @@ func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolic
 
 //Run runs the checker and verify the resource update
 func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen event.Interface, client *dclient.Client, defaultResync time.Duration, deadline time.Duration, stopCh <-chan struct{}) {
-	glog.V(2).Infof("starting default resync for webhook checker with resync time %d nanoseconds", defaultResync)
+	logger := t.log
+	logger.V(2).Info("tarting default resync for webhook checker", "resyncTime", defaultResync)
 	maxDeadline := deadline * time.Duration(MaxRetryCount)
 	ticker := time.NewTicker(defaultResync)
 	/// interface to update and increment kyverno webhook status via annotations
-	statuscontrol := NewVerifyControl(client, eventGen)
+	statuscontrol := NewVerifyControl(client, eventGen, logger.WithName("StatusControl"))
 	// send the initial update status
-	if checkIfPolicyWithMutateAndGenerateExists(pLister) {
+	if checkIfPolicyWithMutateAndGenerateExists(pLister, logger) {
 		if err := statuscontrol.SuccessStatus(); err != nil {
-			glog.Error(err)
+			logger.Error(err, "failed to set 'success' status")
 		}
 	}
 
@@ -84,36 +87,36 @@ func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen ev
 		case <-ticker.C:
 			// if there are no policies then we dont have a webhook on resource.
 			// we indirectly check if the resource
-			if !checkIfPolicyWithMutateAndGenerateExists(pLister) {
+			if !checkIfPolicyWithMutateAndGenerateExists(pLister, logger) {
 				continue
 			}
 			// get current time
 			timeDiff := time.Since(t.Time())
 			if timeDiff > maxDeadline {
-				glog.Infof("failed to receive any request for more than %v ", maxDeadline)
-				glog.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
+				logger.Info("request exceeded max deadline", "deadline", maxDeadline)
+				logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
 				// set the status unavailable
 				if err := statuscontrol.FailedStatus(); err != nil {
-					glog.Error(err)
+					logger.Error(err, "failed to set 'failed' status")
 				}
 				continue
 			}
 			if timeDiff > deadline {
-				glog.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
+				logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
 				// send request to update the kyverno deployment
 				if err := statuscontrol.IncrementAnnotation(); err != nil {
-					glog.Error(err)
+					logger.Error(err, "failed to increment annotation")
 				}
 				continue
 			}
 			// if the status was false before then we update it to true
 			// send request to update the kyverno deployment
 			if err := statuscontrol.SuccessStatus(); err != nil {
-				glog.Error(err)
+				logger.Error(err, "failed to update success status")
 			}
 		case <-stopCh:
 			// handler termination signal
-			glog.V(2).Infof("stopping default resync for webhook checker")
+			logger.V(2).Info("stopping default resync for webhook checker")
 			return
 		}
 	}
diff --git a/pkg/checker/status.go b/pkg/checker/status.go
index 39b19189dd..110abf8eef 100644
--- a/pkg/checker/status.go
+++ b/pkg/checker/status.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
 )
@@ -29,6 +29,7 @@ type StatusInterface interface {
 type StatusControl struct {
 	client   *dclient.Client
 	eventGen event.Interface
+	log      logr.Logger
 }
 
 //SuccessStatus ...
@@ -42,20 +43,22 @@ func (vc StatusControl) FailedStatus() error {
 }
 
 // NewVerifyControl ...
-func NewVerifyControl(client *dclient.Client, eventGen event.Interface) *StatusControl {
+func NewVerifyControl(client *dclient.Client, eventGen event.Interface, log logr.Logger) *StatusControl {
 	return &StatusControl{
 		client:   client,
 		eventGen: eventGen,
+		log:      log,
 	}
 }
 
 func (vc StatusControl) setStatus(status string) error {
-	glog.Infof("setting deployment %s in ns %s annotation %s to %s", deployName, deployNamespace, annWebhookStats, status)
+	logger := vc.log
+	logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s to %s", deployName, deployNamespace, annWebhookStats, status))
 	var ann map[string]string
 	var err error
 	deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName)
 	if err != nil {
-		glog.V(4).Infof("failed to get deployment %s in namespace %s: %v", deployName, deployNamespace, err)
+		logger.Error(err, "failed to get deployment resource")
 		return err
 	}
 	ann = deploy.GetAnnotations()
@@ -67,7 +70,7 @@ func (vc StatusControl) setStatus(status string) error {
 	if ok {
 		// annotatiaion is present
 		if webhookAction == status {
-			glog.V(4).Infof("annotation %s already set to '%s'", annWebhookStats, status)
+			logger.V(4).Info(fmt.Sprintf("annotation %s already set to '%s'", annWebhookStats, status))
 			return nil
 		}
 	}
@@ -77,7 +80,7 @@ func (vc StatusControl) setStatus(status string) error {
 	// update counter
 	_, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false)
 	if err != nil {
-		glog.V(4).Infof("failed to update annotation %s for deployment %s in namespace %s: %v", annWebhookStats, deployName, deployNamespace, err)
+		logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annWebhookStats, deployName, deployNamespace))
 		return err
 	}
 	// create event on kyverno deployment
@@ -97,12 +100,13 @@ func createStatusUpdateEvent(status string, eventGen event.Interface) {
 
 //IncrementAnnotation ...
 func (vc StatusControl) IncrementAnnotation() error {
-	glog.Infof("setting deployment %s in ns %s annotation %s", deployName, deployNamespace, annCounter)
+	logger := vc.log
+	logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s", deployName, deployNamespace, annCounter))
 	var ann map[string]string
 	var err error
 	deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName)
 	if err != nil {
-		glog.V(4).Infof("failed to get deployment %s in namespace %s: %v", deployName, deployNamespace, err)
+		logger.Error(err, "failed to get deployment %s in namespace %s", deployName, deployNamespace)
 		return err
 	}
 	ann = deploy.GetAnnotations()
@@ -112,18 +116,18 @@ func (vc StatusControl) IncrementAnnotation() error {
 	}
 	counter, err := strconv.Atoi(ann[annCounter])
 	if err != nil {
-		glog.V(4).Infof("failed to parse string: %v", err)
+		logger.Error(err, "Failed to parse string")
 		return err
 	}
 	// increment counter
 	counter++
 	ann[annCounter] = strconv.Itoa(counter)
-	glog.Infof("incrementing annotation %s counter to %d", annCounter, counter)
+	logger.Info("incrementing annotation", "old", annCounter, "new", counter)
 	deploy.SetAnnotations(ann)
 	// update counter
 	_, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false)
 	if err != nil {
-		glog.V(4).Infof("failed to update annotation %s for deployment %s in namespace %s: %v", annCounter, deployName, deployNamespace, err)
+		logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annCounter, deployName, deployNamespace))
 		return err
 	}
 	return nil
diff --git a/pkg/client/clientset/versioned/clientset.go b/pkg/client/clientset/versioned/clientset.go
index 5fbce444ff..8aa7b0e529 100644
--- a/pkg/client/clientset/versioned/clientset.go
+++ b/pkg/client/clientset/versioned/clientset.go
@@ -19,6 +19,8 @@ limitations under the License.
 package versioned
 
 import (
+	"fmt"
+
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -51,9 +53,14 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 }
 
 // NewForConfig creates a new Clientset for the given config.
+// If config's RateLimiter is not set and QPS and Burst are acceptable,
+// NewForConfig will generate a rate-limiter in configShallowCopy.
 func NewForConfig(c *rest.Config) (*Clientset, error) {
 	configShallowCopy := *c
 	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+		if configShallowCopy.Burst <= 0 {
+			return nil, fmt.Errorf("Burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
+		}
 		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
 	}
 	var cs Clientset
diff --git a/pkg/client/clientset/versioned/fake/clientset_generated.go b/pkg/client/clientset/versioned/fake/clientset_generated.go
index 215b1d997a..c3264dcb64 100644
--- a/pkg/client/clientset/versioned/fake/clientset_generated.go
+++ b/pkg/client/clientset/versioned/fake/clientset_generated.go
@@ -41,7 +41,7 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 		}
 	}
 
-	cs := &Clientset{}
+	cs := &Clientset{tracker: o}
 	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
@@ -63,12 +63,17 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 type Clientset struct {
 	testing.Fake
 	discovery *fakediscovery.FakeDiscovery
+	tracker   testing.ObjectTracker
 }
 
 func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 	return c.discovery
 }
 
+func (c *Clientset) Tracker() testing.ObjectTracker {
+	return c.tracker
+}
+
 var _ clientset.Interface = &Clientset{}
 
 // KyvernoV1 retrieves the KyvernoV1Client
diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go
index 4a90cf5ba8..482e66ffc7 100644
--- a/pkg/client/clientset/versioned/fake/register.go
+++ b/pkg/client/clientset/versioned/fake/register.go
@@ -29,7 +29,8 @@ import (
 
 var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
-var parameterCodec = runtime.NewParameterCodec(scheme)
+
+// var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	kyvernov1.AddToScheme,
 }
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go b/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go
index 54d8944680..8c1b5a0ea8 100644
--- a/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go
+++ b/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go
@@ -21,7 +21,6 @@ package v1
 import (
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
-	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
 	rest "k8s.io/client-go/rest"
 )
 
@@ -86,7 +85,7 @@ func setConfigDefaults(config *rest.Config) error {
 	gv := v1.SchemeGroupVersion
 	config.GroupVersion = &gv
 	config.APIPath = "/apis"
-	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
 
 	if config.UserAgent == "" {
 		config.UserAgent = rest.DefaultKubernetesUserAgent()
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 241728a2c7..2d6ccdcb68 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -1,9 +1,7 @@
 package config
 
 import (
-	"flag"
-
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
 )
@@ -74,29 +72,13 @@ var (
 	VerifyMutatingWebhookServicePath = "/verifymutate"
 )
 
-//LogDefaultFlags sets default glog flags
-func LogDefaultFlags() {
-	var err error
-	err = flag.Set("logtostderr", "true")
-	if err != nil {
-		glog.Fatalf("failed to set flag 'logtostderr' to 'true':%v", err)
-	}
-	err = flag.Set("stderrthreshold", "WARNING")
-	if err != nil {
-		glog.Fatalf("failed to set flag 'stderrthreshold' to 'WARNING':%v", err)
-	}
-	flag.Set("v", "2")
-	if err != nil {
-		glog.Fatalf("failed to set flag 'v' to '2':%v", err)
-	}
-}
-
 //CreateClientConfig creates client config
-func CreateClientConfig(kubeconfig string) (*rest.Config, error) {
+func CreateClientConfig(kubeconfig string, log logr.Logger) (*rest.Config, error) {
+	logger := log.WithName("CreateClientConfig")
 	if kubeconfig == "" {
-		glog.Info("Using in-cluster configuration")
+		logger.Info("Using in-cluster configuration")
 		return rest.InClusterConfig()
 	}
-	glog.V(4).Infof("Using configuration from '%s'", kubeconfig)
+	logger.V(4).Info("Using specified kubeconfig", "kubeconfig", kubeconfig)
 	return clientcmd.BuildConfigFromFlags("", kubeconfig)
 }
diff --git a/pkg/config/dynamicconfig.go b/pkg/config/dynamicconfig.go
index 6bf624e7bb..1787f67bd9 100644
--- a/pkg/config/dynamicconfig.go
+++ b/pkg/config/dynamicconfig.go
@@ -1,14 +1,13 @@
 package config
 
 import (
-	"fmt"
 	"os"
 	"reflect"
 	"regexp"
 	"strings"
 	"sync"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	v1 "k8s.io/api/core/v1"
 	informers "k8s.io/client-go/informers/core/v1"
@@ -31,6 +30,7 @@ type ConfigData struct {
 	filters []k8Resource
 	// hasynced
 	cmSycned cache.InformerSynced
+	log      logr.Logger
 }
 
 // ToFilter checks if the given resource is set to be filtered in the configuration
@@ -51,20 +51,21 @@ type Interface interface {
 }
 
 // NewConfigData ...
-func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8Resources string) *ConfigData {
+func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8Resources string, log logr.Logger) *ConfigData {
 	// environment var is read at start only
 	if cmNameEnv == "" {
-		glog.Info("ConfigMap name not defined in env:INIT_CONFIG: loading no default configuration")
+		log.Info("ConfigMap name not defined in env:INIT_CONFIG: loading no default configuration")
 	}
 	cd := ConfigData{
 		client:   rclient,
 		cmName:   os.Getenv(cmNameEnv),
 		cmSycned: cmInformer.Informer().HasSynced,
+		log:      log,
 	}
 	//TODO: this has been added to backward support command line arguments
 	// will be removed in future and the configuration will be set only via configmaps
 	if filterK8Resources != "" {
-		glog.Info("Init configuration from commandline arguments")
+		cd.log.Info("init configuration from commandline arguments")
 		cd.initFilters(filterK8Resources)
 	}
 
@@ -78,9 +79,10 @@ func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapI
 
 //Run checks syncing
 func (cd *ConfigData) Run(stopCh <-chan struct{}) {
+	logger := cd.log
 	// wait for cache to populate first time
 	if !cache.WaitForCacheSync(stopCh, cd.cmSycned) {
-		glog.Error("configuration: failed to sync informer cache")
+		logger.Info("configuration: failed to sync informer cache")
 	}
 }
 
@@ -103,16 +105,17 @@ func (cd *ConfigData) updateCM(old, cur interface{}) {
 }
 
 func (cd *ConfigData) deleteCM(obj interface{}) {
+	logger := cd.log
 	cm, ok := obj.(*v1.ConfigMap)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("failed to get object from tombstone")
 			return
 		}
 		_, ok = tombstone.Obj.(*v1.ConfigMap)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a ConfigMap %#v", obj))
+			logger.Info("Tombstone contained object that is not a ConfigMap", "object", obj)
 			return
 		}
 	}
@@ -125,19 +128,20 @@ func (cd *ConfigData) deleteCM(obj interface{}) {
 }
 
 func (cd *ConfigData) load(cm v1.ConfigMap) {
+	logger := cd.log.WithValues("name", cm.Name, "namespace", cm.Namespace)
 	if cm.Data == nil {
-		glog.V(4).Infof("Configuration: No data defined in ConfigMap %s", cm.Name)
+		logger.V(4).Info("configuration: No data defined in ConfigMap")
 		return
 	}
 	// get resource filters
 	filters, ok := cm.Data["resourceFilters"]
 	if !ok {
-		glog.V(4).Infof("Configuration: No resourceFilters defined in ConfigMap %s", cm.Name)
+		logger.V(4).Info("configuration: No resourceFilters defined in ConfigMap")
 		return
 	}
 	// filters is a string
 	if filters == "" {
-		glog.V(4).Infof("Configuration: resourceFilters is empty in ConfigMap %s", cm.Name)
+		logger.V(4).Info("configuration: resourceFilters is empty in ConfigMap")
 		return
 	}
 	// parse and load the configuration
@@ -146,11 +150,10 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 
 	newFilters := parseKinds(filters)
 	if reflect.DeepEqual(newFilters, cd.filters) {
-		glog.V(4).Infof("Configuration: resourceFilters did not change in ConfigMap %s", cm.Name)
+		logger.V(4).Info("resourceFilters did not change")
 		return
 	}
-	glog.V(4).Infof("Configuration: Old resource filters %v", cd.filters)
-	glog.Infof("Configuration: New resource filters to %v", newFilters)
+	logger.V(4).Info(" Updated resource filters", "oldFilters", cd.filters, "newFilters", newFilters)
 	// update filters
 	cd.filters = newFilters
 }
@@ -158,20 +161,20 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 //TODO: this has been added to backward support command line arguments
 // will be removed in future and the configuration will be set only via configmaps
 func (cd *ConfigData) initFilters(filters string) {
+	logger := cd.log
 	// parse and load the configuration
 	cd.mux.Lock()
 	defer cd.mux.Unlock()
 
 	newFilters := parseKinds(filters)
-	glog.Infof("Configuration: Init resource filters to %v", newFilters)
+	logger.Info("Init resource filters", "filters", newFilters)
 	// update filters
 	cd.filters = newFilters
 }
 
 func (cd *ConfigData) unload(cm v1.ConfigMap) {
-	// TODO pick one msg
-	glog.Infof("Configuration: ConfigMap %s deleted, removing configuration filters", cm.Name)
-	glog.Infof("Configuration: Removing all resource filters as ConfigMap %s deleted", cm.Name)
+	logger := cd.log
+	logger.Info("ConfigMap deleted, removing configuration filters", "name", cm.Name, "namespace", cm.Namespace)
 	cd.mux.Lock()
 	defer cd.mux.Unlock()
 	cd.filters = []k8Resource{}
diff --git a/pkg/dclient/certificates.go b/pkg/dclient/certificates.go
index 76b3cda819..125dc7cec3 100644
--- a/pkg/dclient/certificates.go
+++ b/pkg/dclient/certificates.go
@@ -6,7 +6,6 @@ import (
 	"net/url"
 	"time"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	tls "github.com/nirmata/kyverno/pkg/tls"
 	certificates "k8s.io/api/certificates/v1beta1"
@@ -19,13 +18,14 @@ import (
 // Created pair is stored in cluster's secret.
 // Returns struct with key/certificate pair.
 func (c *Client) InitTLSPemPair(configuration *rest.Config, fqdncn bool) (*tls.TlsPemPair, error) {
+	logger := c.log
 	certProps, err := c.GetTLSCertProps(configuration)
 	if err != nil {
 		return nil, err
 	}
 	tlsPair := c.ReadTlsPair(certProps)
 	if tls.IsTLSPairShouldBeUpdated(tlsPair) {
-		glog.Info("Generating new key/certificate pair for TLS")
+		logger.Info("Generating new key/certificate pair for TLS")
 		tlsPair, err = c.generateTLSPemPair(certProps, fqdncn)
 		if err != nil {
 			return nil, err
@@ -35,8 +35,7 @@ func (c *Client) InitTLSPemPair(configuration *rest.Config, fqdncn bool) (*tls.T
 		}
 		return tlsPair, nil
 	}
-
-	glog.Infoln("Using existing TLS key/certificate pair")
+	logger.Info("Using existing TLS key/certificate pair")
 	return tlsPair, nil
 }
 
@@ -71,6 +70,7 @@ func (c *Client) generateTLSPemPair(props tls.TlsCertificateProps, fqdncn bool)
 
 // Submits and approves certificate request, returns request which need to be fetched
 func (c *Client) submitAndApproveCertificateRequest(req *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) {
+	logger := c.log.WithName("submitAndApproveCertificateRequest")
 	certClient, err := c.GetCSRInterface()
 	if err != nil {
 		return nil, err
@@ -86,7 +86,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
 			if err != nil {
 				return nil, fmt.Errorf("Unable to delete existing certificate request: %v", err)
 			}
-			glog.Info("Old certificate request is deleted")
+			logger.Info("Old certificate request is deleted")
 			break
 		}
 	}
@@ -95,7 +95,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
 	if err != nil {
 		return nil, err
 	}
-	glog.Infof("Certificate request %s is created", unstrRes.GetName())
+	logger.Info("Certificate request created", "name", unstrRes.GetName())
 
 	res, err := convertToCSR(unstrRes)
 	if err != nil {
@@ -110,7 +110,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
 	if err != nil {
 		return nil, fmt.Errorf("Unable to approve certificate request: %v", err)
 	}
-	glog.Infof("Certificate request %s is approved", res.ObjectMeta.Name)
+	logger.Info("Certificate request is approved", "name", res.ObjectMeta.Name)
 
 	return res, nil
 }
@@ -144,9 +144,10 @@ func (c *Client) fetchCertificateFromRequest(req *certificates.CertificateSignin
 
 //ReadRootCASecret returns the RootCA from the pre-defined secret
 func (c *Client) ReadRootCASecret() (result []byte) {
+	logger := c.log.WithName("ReadRootCASecret")
 	certProps, err := c.GetTLSCertProps(c.clientConfig)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to get TLS Cert Properties")
 		return result
 	}
 	sname := generateRootCASecretName(certProps)
@@ -156,16 +157,16 @@ func (c *Client) ReadRootCASecret() (result []byte) {
 	}
 	tlsca, err := convertToSecret(stlsca)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to convert secret", "name", sname, "namespace", certProps.Namespace)
 		return result
 	}
 
 	result = tlsca.Data[rootCAKey]
 	if len(result) == 0 {
-		glog.Warningf("root CA certificate not found in secret %s/%s", certProps.Namespace, tlsca.Name)
+		logger.Info("root CA certificate not found in secret", "name", tlsca.Name, "namespace", certProps.Namespace)
 		return result
 	}
-	glog.V(4).Infof("using CA bundle defined in secret %s/%s to validate the webhook's server certificate", certProps.Namespace, tlsca.Name)
+	logger.V(4).Info("using CA bundle defined in secret to validate the webhook's server certificate", "name", tlsca.Name, "namespace", certProps.Namespace)
 	return result
 }
 
@@ -174,10 +175,11 @@ const rootCAKey string = "rootCA.crt"
 
 //ReadTlsPair Reads the pair of TLS certificate and key from the specified secret.
 func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
+	logger := c.log.WithName("ReadTlsPair")
 	sname := generateTLSPairSecretName(props)
 	unstrSecret, err := c.GetResource(Secrets, props.Namespace, sname)
 	if err != nil {
-		glog.Warningf("Unable to get secret %s/%s: %s", props.Namespace, sname, err)
+		logger.Error(err, "Failed to get secret", "name", sname, "namespace", props.Namespace)
 		return nil
 	}
 
@@ -188,7 +190,7 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
 		sname := generateRootCASecretName(props)
 		_, err := c.GetResource(Secrets, props.Namespace, sname)
 		if err != nil {
-			glog.Errorf("Root CA secret %s/%s is required while using self-signed certificates TLS pair, defaulting to generating new TLS pair", props.Namespace, sname)
+			logger.Error(err, "Root CA secret is required while using self-signed certificates TLS pair, defaulting to generating new TLS pair", "name", sname, "namespace", props.Namespace)
 			return nil
 		}
 	}
@@ -201,11 +203,11 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
 		PrivateKey:  secret.Data[v1.TLSPrivateKeyKey],
 	}
 	if len(pemPair.Certificate) == 0 {
-		glog.Warningf("TLS Certificate not found in secret %s/%s", props.Namespace, sname)
+		logger.Info("TLS Certificate not found in secret", "name", sname, "namespace", props.Namespace)
 		return nil
 	}
 	if len(pemPair.PrivateKey) == 0 {
-		glog.Warningf("TLS PrivateKey not found in secret %s/%s", props.Namespace, sname)
+		logger.Info("TLS PrivateKey not found in secret", "name", sname, "namespace", props.Namespace)
 		return nil
 	}
 	return &pemPair
@@ -214,6 +216,7 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
 //WriteTlsPair Writes the pair of TLS certificate and key to the specified secret.
 // Updates existing secret or creates new one.
 func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPemPair) error {
+	logger := c.log.WithName("WriteTlsPair")
 	name := generateTLSPairSecretName(props)
 	_, err := c.GetResource(Secrets, props.Namespace, name)
 	if err != nil {
@@ -235,7 +238,7 @@ func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPem
 
 		_, err := c.CreateResource(Secrets, props.Namespace, secret, false)
 		if err == nil {
-			glog.Infof("Secret %s is created", name)
+			logger.Info("secret created", "name", name, "namespace", props.Namespace)
 		}
 		return err
 	}
@@ -251,7 +254,7 @@ func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPem
 	if err != nil {
 		return err
 	}
-	glog.Infof("Secret %s is updated", name)
+	logger.Info("secret updated", "name", name, "namespace", props.Namespace)
 	return nil
 }
 
diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go
index 6cacaeaf9a..557059bc15 100644
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@@ -5,9 +5,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/go-logr/logr"
 	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
-
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	apps "k8s.io/api/apps/v1"
 	certificates "k8s.io/api/certificates/v1beta1"
@@ -32,13 +31,15 @@ import (
 //Client enables interaction with k8 resource
 type Client struct {
 	client          dynamic.Interface
+	log             logr.Logger
 	clientConfig    *rest.Config
 	kclient         kubernetes.Interface
 	DiscoveryClient IDiscovery
 }
 
 //NewClient creates new instance of client
-func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}) (*Client, error) {
+func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}, log logr.Logger) (*Client, error) {
+
 	dclient, err := dynamic.NewForConfig(config)
 	if err != nil {
 		return nil, err
@@ -51,9 +52,10 @@ func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}
 		client:       dclient,
 		clientConfig: config,
 		kclient:      kclient,
+		log:          log.WithName("Client"),
 	}
 	// Set discovery client
-	discoveryClient := ServerPreferredResources{memory.NewMemCacheClient(kclient.Discovery())}
+	discoveryClient := ServerPreferredResources{cachedClient: memory.NewMemCacheClient(kclient.Discovery()), log: client.log}
 	// client will invalidate registered resources cache every x seconds,
 	// As there is no way to identify if the registered resource is available or not
 	// we will be invalidating the local cache, so the next request get a fresh cache
@@ -189,7 +191,6 @@ func (c *Client) UpdateStatusResource(kind string, namespace string, obj interfa
 func convertToUnstructured(obj interface{}) *unstructured.Unstructured {
 	unstructuredObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&obj)
 	if err != nil {
-		glog.Errorf("Unable to convert : %v", err)
 		return nil
 	}
 	return &unstructured.Unstructured{Object: unstructuredObj}
@@ -228,22 +229,24 @@ func (c *Client) SetDiscovery(discoveryClient IDiscovery) {
 //ServerPreferredResources stores the cachedClient instance for discovery client
 type ServerPreferredResources struct {
 	cachedClient discovery.CachedDiscoveryInterface
+	log          logr.Logger
 }
 
 //Poll will keep invalidate the local cache
 func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struct{}) {
+	logger := c.log.WithName("Poll")
 	// start a ticker
 	ticker := time.NewTicker(resync)
 	defer func() { ticker.Stop() }()
-	glog.Infof("Starting registered resources sync: every %d seconds", resync)
+	logger.Info("starting registered resources sync", "period", resync)
 	for {
 		select {
 		case <-stopCh:
-			glog.Info("Stopping registered resources sync")
+			logger.Info("stopping registered resources sync")
 			return
 		case <-ticker.C:
 			// set cache as stale
-			glog.V(6).Info("invalidating local client cache for registered resources")
+			logger.V(6).Info("invalidating local client cache for registered resources")
 			c.cachedClient.Invalidate()
 		}
 	}
@@ -261,12 +264,12 @@ func (c ServerPreferredResources) OpenAPISchema() (*openapi_v2.Document, error)
 func (c ServerPreferredResources) GetGVRFromKind(kind string) schema.GroupVersionResource {
 	var gvr schema.GroupVersionResource
 	var err error
-	gvr, err = loadServerResources(kind, c.cachedClient)
+	gvr, err = loadServerResources(kind, c.cachedClient, c.log)
 	if err != nil && !c.cachedClient.Fresh() {
 
 		// invalidate cahce & re-try once more
 		c.cachedClient.Invalidate()
-		gvr, err = loadServerResources(kind, c.cachedClient)
+		gvr, err = loadServerResources(kind, c.cachedClient, c.log)
 		if err == nil {
 			return gvr
 		}
@@ -279,11 +282,12 @@ func (c ServerPreferredResources) GetServerVersion() (*version.Info, error) {
 	return c.cachedClient.ServerVersion()
 }
 
-func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface) (schema.GroupVersionResource, error) {
-	serverresources, err := cdi.ServerPreferredResources()
+func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface, log logr.Logger) (schema.GroupVersionResource, error) {
+	logger := log.WithName("loadServerResources")
 	emptyGVR := schema.GroupVersionResource{}
+	serverresources, err := cdi.ServerPreferredResources()
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to get registered preferred resources")
 		return emptyGVR, err
 	}
 	for _, serverresource := range serverresources {
@@ -293,7 +297,7 @@ func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface) (sche
 			if resource.Kind == k && !strings.Contains(resource.Name, "/") {
 				gv, err := schema.ParseGroupVersion(serverresource.GroupVersion)
 				if err != nil {
-					glog.Error(err)
+					logger.Error(err, "failed to parse groupVersion from schema", "groupVersion", serverresource.GroupVersion)
 					return emptyGVR, err
 				}
 				return gv.WithResource(resource.Name), nil
diff --git a/pkg/engine/anchor/anchor.go b/pkg/engine/anchor/anchor.go
index 2d81a068ec..9dccab3577 100644
--- a/pkg/engine/anchor/anchor.go
+++ b/pkg/engine/anchor/anchor.go
@@ -4,7 +4,8 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //ValidationHandler for element processes
@@ -12,7 +13,7 @@ type ValidationHandler interface {
 	Handle(handler resourceElementHandler, resourceMap map[string]interface{}, originPattern interface{}) (string, error)
 }
 
-type resourceElementHandler = func(resourceElement, patternElement, originPattern interface{}, path string) (string, error)
+type resourceElementHandler = func(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string) (string, error)
 
 //CreateElementHandler factory to process elements
 func CreateElementHandler(element string, pattern interface{}, path string) ValidationHandler {
@@ -82,7 +83,7 @@ func (eh EqualityHandler) Handle(handler resourceElementHandler, resourceMap map
 	// check if anchor is present in resource
 	if value, ok := resourceMap[anchorKey]; ok {
 		// validate the values of the pattern
-		returnPath, err := handler(value, eh.pattern, originPattern, currentPath)
+		returnPath, err := handler(log.Log, value, eh.pattern, originPattern, currentPath)
 		if err != nil {
 			return returnPath, err
 		}
@@ -115,7 +116,7 @@ func (dh DefaultHandler) Handle(handler resourceElementHandler, resourceMap map[
 	} else if dh.pattern == "*" && resourceMap[dh.element] == nil {
 		return dh.path, fmt.Errorf("Validation rule failed at %s, Field %s is not present", dh.path, dh.element)
 	} else {
-		path, err := handler(resourceMap[dh.element], dh.pattern, originPattern, currentPath)
+		path, err := handler(log.Log, resourceMap[dh.element], dh.pattern, originPattern, currentPath)
 		if err != nil {
 			return path, err
 		}
@@ -146,7 +147,7 @@ func (ch ConditionAnchorHandler) Handle(handler resourceElementHandler, resource
 	// check if anchor is present in resource
 	if value, ok := resourceMap[anchorKey]; ok {
 		// validate the values of the pattern
-		returnPath, err := handler(value, ch.pattern, originPattern, currentPath)
+		returnPath, err := handler(log.Log, value, ch.pattern, originPattern, currentPath)
 		if err != nil {
 			return returnPath, err
 		}
@@ -194,7 +195,6 @@ func (eh ExistenceHandler) Handle(handler resourceElementHandler, resourceMap ma
 			}
 			return validateExistenceListResource(handler, typedResource, typedPatternMap, originPattern, currentPath)
 		default:
-			glog.Error("Invalid type: Existence ^ () anchor can be used only on list/array type resource")
 			return currentPath, fmt.Errorf("Invalid resource type %T: Existence ^ () anchor can be used only on list/array type resource", value)
 		}
 	}
@@ -206,10 +206,9 @@ func validateExistenceListResource(handler resourceElementHandler, resourceList
 	// if non satisfy then throw an error
 	for i, resourceElement := range resourceList {
 		currentPath := path + strconv.Itoa(i) + "/"
-		_, err := handler(resourceElement, patternMap, originPattern, currentPath)
+		_, err := handler(log.Log, resourceElement, patternMap, originPattern, currentPath)
 		if err == nil {
 			// condition is satisfied, dont check further
-			glog.V(4).Infof("Existence check satisfied at path %s, for pattern %v", currentPath, patternMap)
 			return "", nil
 		}
 	}
diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index 05805a0a91..163e81fef0 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -6,8 +6,9 @@ import (
 	"sync"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //Interface to manage context operations
@@ -33,6 +34,7 @@ type Context struct {
 	mu            sync.RWMutex
 	jsonRaw       []byte
 	whiteListVars []string
+	log           logr.Logger
 }
 
 //NewContext returns a new context
@@ -42,6 +44,7 @@ func NewContext(whiteListVars ...string) *Context {
 		// data:    map[string]interface{}{},
 		jsonRaw:       []byte(`{}`), // empty json struct
 		whiteListVars: whiteListVars,
+		log:           log.Log.WithName("context"),
 	}
 	return &ctx
 }
@@ -54,7 +57,7 @@ func (ctx *Context) AddJSON(dataRaw []byte) error {
 	// merge json
 	ctx.jsonRaw, err = jsonpatch.MergePatch(ctx.jsonRaw, dataRaw)
 	if err != nil {
-		glog.V(4).Infof("failed to merge JSON data: %v", err)
+		ctx.log.Error(err, "failed to merge JSON data")
 		return err
 	}
 	return nil
@@ -66,7 +69,7 @@ func (ctx *Context) AddResource(dataRaw []byte) error {
 	// unmarshall the resource struct
 	var data interface{}
 	if err := json.Unmarshal(dataRaw, &data); err != nil {
-		glog.V(4).Infof("failed to unmarshall the context data: %v", err)
+		ctx.log.Error(err, "failed to unmarshall the resource")
 		return err
 	}
 
@@ -82,7 +85,7 @@ func (ctx *Context) AddResource(dataRaw []byte) error {
 
 	objRaw, err := json.Marshal(modifiedResource)
 	if err != nil {
-		glog.V(4).Infof("failed to marshall the updated context data")
+		ctx.log.Error(err, "failed to marshal the resource")
 		return err
 	}
 	return ctx.AddJSON(objRaw)
@@ -98,7 +101,7 @@ func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error {
 
 	objRaw, err := json.Marshal(modifiedResource)
 	if err != nil {
-		glog.V(4).Infof("failed to marshall the updated context data")
+		ctx.log.Error(err, "failed to marshal the UserInfo")
 		return err
 	}
 	return ctx.AddJSON(objRaw)
@@ -118,8 +121,6 @@ func (ctx *Context) AddSA(userName string) error {
 	// filter namespace
 	groups := strings.Split(sa, ":")
 	if len(groups) >= 2 {
-		glog.V(4).Infof("serviceAccount namespace: %s", groups[0])
-		glog.V(4).Infof("serviceAccount name: %s", groups[1])
 		saName = groups[1]
 		saNamespace = groups[0]
 	}
@@ -131,7 +132,7 @@ func (ctx *Context) AddSA(userName string) error {
 	}
 	saNameRaw, err := json.Marshal(saNameObj)
 	if err != nil {
-		glog.V(4).Infof("failed to marshall the updated context data")
+		ctx.log.Error(err, "failed to marshal the SA")
 		return err
 	}
 	if err := ctx.AddJSON(saNameRaw); err != nil {
@@ -145,7 +146,7 @@ func (ctx *Context) AddSA(userName string) error {
 	}
 	saNsRaw, err := json.Marshal(saNsObj)
 	if err != nil {
-		glog.V(4).Infof("failed to marshall the updated context data")
+		ctx.log.Error(err, "failed to marshal the SA namespace")
 		return err
 	}
 	if err := ctx.AddJSON(saNsRaw); err != nil {
diff --git a/pkg/engine/context/evaluate.go b/pkg/engine/context/evaluate.go
index 78f9643497..f15a8a1e17 100644
--- a/pkg/engine/context/evaluate.go
+++ b/pkg/engine/context/evaluate.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/golang/glog"
 	jmespath "github.com/jmespath/go-jmespath"
 )
 
@@ -19,7 +18,7 @@ func (ctx *Context) Query(query string) (interface{}, error) {
 	// compile the query
 	queryPath, err := jmespath.Compile(query)
 	if err != nil {
-		glog.V(4).Infof("incorrect query %s: %v", query, err)
+		ctx.log.Error(err, "incorrect query", "query", query)
 		return emptyResult, fmt.Errorf("incorrect query %s: %v", query, err)
 	}
 	// search
@@ -28,13 +27,13 @@ func (ctx *Context) Query(query string) (interface{}, error) {
 
 	var data interface{}
 	if err := json.Unmarshal(ctx.jsonRaw, &data); err != nil {
-		glog.V(4).Infof("failed to unmarshall context: %v", err)
+		ctx.log.Error(err, "failed to unmarshal context")
 		return emptyResult, fmt.Errorf("failed to unmarshall context: %v", err)
 	}
 
 	result, err := queryPath.Search(data)
 	if err != nil {
-		glog.V(4).Infof("failed to search query %s: %v", query, err)
+		ctx.log.Error(err, "failed to search query", "query", query)
 		return emptyResult, fmt.Errorf("failed to search query %s: %v", query, err)
 	}
 	return result, nil
diff --git a/pkg/engine/forceMutate.go b/pkg/engine/forceMutate.go
index 14ba42c468..9453109742 100644
--- a/pkg/engine/forceMutate.go
+++ b/pkg/engine/forceMutate.go
@@ -12,6 +12,7 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func mutateResourceWithOverlay(resource unstructured.Unstructured, overlay interface{}) (unstructured.Unstructured, error) {
@@ -57,7 +58,7 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour
 		if mutation.Overlay != nil {
 			overlay := mutation.Overlay
 			if ctx != nil {
-				if overlay, err = variables.SubstituteVars(ctx, overlay); err != nil {
+				if overlay, err = variables.SubstituteVars(log.Log, ctx, overlay); err != nil {
 					return unstructured.Unstructured{}, err
 				}
 			} else {
@@ -72,7 +73,7 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour
 
 		if rule.Mutation.Patches != nil {
 			var resp response.RuleResponse
-			resp, resource = mutate.ProcessPatches(rule, resource)
+			resp, resource = mutate.ProcessPatches(log.Log, rule, resource)
 			if !resp.Success {
 				return unstructured.Unstructured{}, fmt.Errorf(resp.Message)
 			}
diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go
index 0f8cea1937..552bbc3a4d 100644
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@@ -3,12 +3,14 @@ package engine
 import (
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
+
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // Generate checks for validity of generate rule on the resource
@@ -20,10 +22,11 @@ func Generate(policyContext PolicyContext) (resp response.EngineResponse) {
 	resource := policyContext.NewResource
 	admissionInfo := policyContext.AdmissionInfo
 	ctx := policyContext.Context
-	return filterRules(policy, resource, admissionInfo, ctx)
+	logger := log.Log.WithName("Generate").WithValues("policy", policy.Name, "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
+	return filterRules(policy, resource, admissionInfo, ctx, logger)
 }
 
-func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) *response.RuleResponse {
+func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger) *response.RuleResponse {
 	if !rule.HasGenerate() {
 		return nil
 	}
@@ -31,15 +34,14 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission
 	startTime := time.Now()
 
 	if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
-		glog.V(4).Infof(err.Error())
 		return nil
 	}
 	// operate on the copy of the conditions, as we perform variable substitution
 	copyConditions := copyConditions(rule.Conditions)
 
 	// evaluate pre-conditions
-	if !variables.EvaluateConditions(ctx, copyConditions) {
-		glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
+	if !variables.EvaluateConditions(log, ctx, copyConditions) {
+		log.V(4).Info("preconditions not satisfied, skipping rule", "rule", rule.Name)
 		return nil
 	}
 	// build rule Response
@@ -53,7 +55,7 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission
 	}
 }
 
-func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) response.EngineResponse {
+func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger) response.EngineResponse {
 	resp := response.EngineResponse{
 		PolicyResponse: response.PolicyResponse{
 			Policy: policy.Name,
@@ -66,7 +68,7 @@ func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	}
 
 	for _, rule := range policy.Spec.Rules {
-		if ruleResp := filterRule(rule, resource, admissionInfo, ctx); ruleResp != nil {
+		if ruleResp := filterRule(rule, resource, admissionInfo, ctx, log); ruleResp != nil {
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp)
 		}
 	}
diff --git a/pkg/engine/mutate/overlay.go b/pkg/engine/mutate/overlay.go
index 3b76f30c74..5e4982260e 100644
--- a/pkg/engine/mutate/overlay.go
+++ b/pkg/engine/mutate/overlay.go
@@ -10,51 +10,53 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	jsonpatch "github.com/evanphx/json-patch"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 )
 
 // ProcessOverlay processes mutation overlay on the resource
-func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
+func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
 	startTime := time.Now()
-	glog.V(4).Infof("started applying overlay rule %q (%v)", ruleName, startTime)
+	logger := log.WithValues("rule", ruleName)
+	logger.V(4).Info("started applying overlay rule ", "startTime", startTime)
 	resp.Name = ruleName
 	resp.Type = utils.Mutation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		glog.V(4).Infof("finished applying overlay rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
+		logger.V(4).Info("finished applying overlay rule", "processingTime", resp.RuleStats.ProcessingTime)
 	}()
 
-	patches, overlayerr := processOverlayPatches(resource.UnstructuredContent(), overlay)
+	patches, overlayerr := processOverlayPatches(logger, resource.UnstructuredContent(), overlay)
 	// resource does not satisfy the overlay pattern, we don't apply this rule
 	if !reflect.DeepEqual(overlayerr, overlayError{}) {
 		switch overlayerr.statusCode {
 		// condition key is not present in the resource, don't apply this rule
 		// consider as success
 		case conditionNotPresent:
-			glog.V(3).Infof("Skip applying rule '%s' on resource '%s/%s/%s': %s", ruleName, resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg())
+			logger.V(3).Info("skip applying rule")
 			resp.Success = true
 			return resp, resource
 		// conditions are not met, don't apply this rule
 		case conditionFailure:
-			glog.V(3).Infof("Skip applying rule '%s' on resource '%s/%s/%s': %s", ruleName, resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg())
+			logger.V(3).Info("skip applying rule")
 			//TODO: send zero response and not consider this as applied?
 			resp.Success = true
 			resp.Message = overlayerr.ErrorMsg()
 			return resp, resource
 		// rule application failed
 		case overlayFailure:
-			glog.Errorf("Resource %s/%s/%s: failed to process overlay: %v in the rule %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg(), ruleName)
+			logger.Info("failed to process overlay")
 			resp.Success = false
 			resp.Message = fmt.Sprintf("failed to process overlay: %v", overlayerr.ErrorMsg())
 			return resp, resource
 		default:
-			glog.Errorf("Resource %s/%s/%s: Unknown type of error: %v", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.Error())
+			logger.Info("failed to process overlay")
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Unknown type of error: %v", overlayerr.Error())
 			return resp, resource
@@ -70,7 +72,7 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
 		resp.Success = false
-		glog.Infof("unable to marshall resource: %v", err)
+		logger.Error(err, "failed to marshal resource")
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
 	}
@@ -79,7 +81,7 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.
 	patchResource, err = utils.ApplyPatches(resourceRaw, patches)
 	if err != nil {
 		msg := fmt.Sprintf("failed to apply JSON patches: %v", err)
-		glog.V(2).Infof("%s, patches=%s", msg, string(utils.JoinPatches(patches)))
+		logger.V(2).Info("applying patches", "patches", string(utils.JoinPatches(patches)))
 		resp.Success = false
 		resp.Message = msg
 		return resp, resource
@@ -87,7 +89,7 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.
 
 	err = patchedResource.UnmarshalJSON(patchResource)
 	if err != nil {
-		glog.Infof("failed to unmarshall resource to undstructured: %v", err)
+		logger.Error(err, "failed to unmarshal resource")
 		resp.Success = false
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
@@ -101,17 +103,17 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.
 	return resp, patchedResource
 }
 
-func processOverlayPatches(resource, overlay interface{}) ([][]byte, overlayError) {
-	if path, overlayerr := meetConditions(resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) {
+func processOverlayPatches(log logr.Logger, resource, overlay interface{}) ([][]byte, overlayError) {
+	if path, overlayerr := meetConditions(log, resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) {
 		switch overlayerr.statusCode {
 		// anchor key does not exist in the resource, skip applying policy
 		case conditionNotPresent:
-			glog.V(4).Infof("Mutate rule: skip applying policy: %v at %s", overlayerr, path)
+			log.V(4).Info("skip applying policy", "path", path, "error", overlayerr)
 			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Policy not applied, condition tag not present: %v at %s", overlayerr.ErrorMsg(), path))
 		// anchor key is not satisfied in the resource, skip applying policy
 		case conditionFailure:
 			// anchor key is not satisfied in the resource, skip applying policy
-			glog.V(4).Infof("Mutate rule: failed to validate condition at %s, err: %v", path, overlayerr)
+			log.V(4).Info("failed to validate condition", "path", path, "error", overlayerr)
 			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Policy not applied, conditions are not met at %s, %v", path, overlayerr))
 		}
 	}
@@ -383,7 +385,7 @@ func prepareJSONValue(overlay interface{}) string {
 	overlayWithoutAnchors := removeAnchorFromSubTree(overlay)
 	jsonOverlay, err := json.Marshal(overlayWithoutAnchors)
 	if err != nil || hasOnlyAnchors(overlay) {
-		glog.V(3).Info(err)
+		log.Log.Error(err, "failed to marshall withoutanchors or has only anchors")
 		return ""
 	}
 
@@ -409,7 +411,7 @@ func removeAnchorFromSubTree(overlay interface{}) interface{} {
 }
 
 func removeAnchroFromMap(overlay map[string]interface{}) map[string]interface{} {
-	result := make(map[string]interface{}, 0)
+	result := make(map[string]interface{})
 	for k, v := range overlay {
 		result[getRawKeyIfWrappedWithAttributes(k)] = removeAnchorFromSubTree(v)
 	}
diff --git a/pkg/engine/mutate/overlayCondition.go b/pkg/engine/mutate/overlayCondition.go
index 134cc23cc0..56b19de4e9 100755
--- a/pkg/engine/mutate/overlayCondition.go
+++ b/pkg/engine/mutate/overlayCondition.go
@@ -5,17 +5,18 @@ import (
 	"reflect"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/validate"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-func meetConditions(resource, overlay interface{}) (string, overlayError) {
-	return checkConditions(resource, overlay, "/")
+func meetConditions(log logr.Logger, resource, overlay interface{}) (string, overlayError) {
+	return checkConditions(log, resource, overlay, "/")
 }
 
 // resource and overlay should be the same type
-func checkConditions(resource, overlay interface{}, path string) (string, overlayError) {
+func checkConditions(log logr.Logger, resource, overlay interface{}, path string) (string, overlayError) {
 	// overlay has no anchor, return true
 	if !hasNestedAnchors(overlay) {
 		return "", overlayError{}
@@ -26,7 +27,7 @@ func checkConditions(resource, overlay interface{}, path string) (string, overla
 	// condition never be true in this case
 	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
 		if hasNestedAnchors(overlay) {
-			glog.V(4).Infof("Found anchor on different types of element at path %s: overlay %T, resource %T", path, overlay, resource)
+			log.V(4).Info(fmt.Sprintf("Found anchor on different types of element at path %s: overlay %T, resource %T", path, overlay, resource))
 			return path, newOverlayError(conditionFailure,
 				fmt.Sprintf("Found anchor on different types of element at path %s: overlay %T %v, resource %T %v", path, overlay, overlay, resource, resource))
 
@@ -44,7 +45,7 @@ func checkConditions(resource, overlay interface{}, path string) (string, overla
 	default:
 		// anchor on non map/array is invalid:
 		// - anchor defined on values
-		glog.Warningln("Found invalid conditional anchor: anchor defined on values")
+		log.Info("Found invalid conditional anchor: anchor defined on values")
 		return "", overlayError{}
 	}
 }
@@ -68,12 +69,12 @@ func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}, path st
 
 func checkConditionOnArray(resource, overlay []interface{}, path string) (string, overlayError) {
 	if 0 == len(overlay) {
-		glog.Infof("Mutate overlay pattern is empty, path %s", path)
+		log.Log.V(4).Info("Mutate overlay pattern is empty", "path", path)
 		return "", overlayError{}
 	}
 
 	if reflect.TypeOf(resource[0]) != reflect.TypeOf(overlay[0]) {
-		glog.V(4).Infof("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0])
+		log.Log.V(4).Info(fmt.Sprintf("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0]))
 		return path, newOverlayError(conditionFailure,
 			fmt.Sprintf("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0]))
 	}
@@ -111,7 +112,7 @@ func validateConditionAnchorMap(resourceMap, anchors map[string]interface{}, pat
 // resource - A: B2
 func compareOverlay(resource, overlay interface{}, path string) (string, overlayError) {
 	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
-		glog.V(4).Infof("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)
+		log.Log.V(4).Info("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)
 		return path, newOverlayError(conditionFailure, fmt.Sprintf("Found anchor on different types of element: overlay %T, resource %T", overlay, resource))
 	}
 
@@ -139,8 +140,8 @@ func compareOverlay(resource, overlay interface{}, path string) (string, overlay
 			}
 		}
 	case string, float64, int, int64, bool, nil:
-		if !validate.ValidateValueWithPattern(resource, overlay) {
-			glog.V(4).Infof("Mutate rule: failed validating value %v with overlay %v", resource, overlay)
+		if !validate.ValidateValueWithPattern(log.Log, resource, overlay) {
+			log.Log.V(4).Info(fmt.Sprintf("Mutate rule: failed validating value %v with overlay %v", resource, overlay))
 			return path, newOverlayError(conditionFailure, fmt.Sprintf("Failed validating value %v with overlay %v", resource, overlay))
 		}
 	default:
@@ -165,7 +166,7 @@ func validateNonAnchorOverlayMap(resourceMap, overlayWithoutAnchor map[string]in
 				continue
 			}
 		}
-		if newPath, err := checkConditions(resourceValue, overlayValue, curPath); !reflect.DeepEqual(err, overlayError{}) {
+		if newPath, err := checkConditions(log.Log, resourceValue, overlayValue, curPath); !reflect.DeepEqual(err, overlayError{}) {
 			return newPath, err
 		}
 	}
@@ -179,7 +180,7 @@ func checkConditionsOnArrayOfSameTypes(resource, overlay []interface{}, path str
 	default:
 		for i, overlayElement := range overlay {
 			curPath := path + strconv.Itoa(i) + "/"
-			path, err := checkConditions(resource[i], overlayElement, curPath)
+			path, err := checkConditions(log.Log, resource[i], overlayElement, curPath)
 			if !reflect.DeepEqual(err, overlayError{}) {
 				return path, err
 			}
diff --git a/pkg/engine/mutate/overlayCondition_test.go b/pkg/engine/mutate/overlayCondition_test.go
index b898acfbcd..8da6eefee9 100644
--- a/pkg/engine/mutate/overlayCondition_test.go
+++ b/pkg/engine/mutate/overlayCondition_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestMeetConditions_NoAnchor(t *testing.T) {
@@ -26,9 +27,11 @@ func TestMeetConditions_NoAnchor(t *testing.T) {
 	 }`)
 	var overlay interface{}
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(overlayRaw, &overlay)
+	assert.Assert(t, reflect.DeepEqual(err, nil))
+
+	_, err = meetConditions(log.Log, nil, overlay)
 
-	_, err := meetConditions(nil, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -78,10 +81,12 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err := meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, !reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`
@@ -99,9 +104,10 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
 	   ]
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, overlayerr := meetConditions(resource, overlay)
+	_, overlayerr := meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 }
 
@@ -136,11 +142,14 @@ func TestMeetConditions_DifferentTypes(t *testing.T) {
 	 }`)
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
 	// anchor exist
-	_, err := meetConditions(resource, overlay)
+
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, strings.Contains(err.Error(), "Found anchor on different types of element at path /subsets/"))
 }
 
@@ -190,10 +199,12 @@ func TestMeetConditions_anchosInSameObject(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err := meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value 443 with overlay 444")
 }
 
@@ -248,10 +259,13 @@ func TestMeetConditions_anchorOnPeer(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
+
+	_, err = meetConditions(log.Log, resource, overlay)
 
-	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -325,10 +339,13 @@ func TestMeetConditions_anchorsOnMetaAndSpec(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
+
+	_, err = meetConditions(log.Log, resource, overlay)
 
-	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -406,10 +423,13 @@ func TestMeetConditions_anchorsOnPeer_single(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRawAnchorOnPeers, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
+
+	_, err = meetConditions(log.Log, resource, overlay)
 
-	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -440,10 +460,13 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRawAnchorOnPeers, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
+
+	_, err = meetConditions(log.Log, resource, overlay)
 
-	_, err := meetConditions(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value true with overlay false")
 
 	overlayRaw = []byte(`{
@@ -470,9 +493,10 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 		}
 	 }`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -499,9 +523,10 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 		}
 	 }`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -532,10 +557,13 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRawAnchorOnPeers, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
+
+	_, err = meetConditions(log.Log, resource, overlay)
 
-	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -562,9 +590,10 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 		}
 	 }`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -591,9 +620,10 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 		}
 	 }`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	_, err = meetConditions(resource, overlay)
+	_, err = meetConditions(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value ENV_VALUE with overlay ENV_VALUE1")
 }
 
@@ -649,10 +679,13 @@ func TestMeetConditions_AtleastOneExist(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
+
+	path, err := meetConditions(log.Log, resource, overlay)
 
-	path, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(path) == 0)
 }
diff --git a/pkg/engine/mutate/overlay_test.go b/pkg/engine/mutate/overlay_test.go
index 8c062fe58d..a7c8890039 100644
--- a/pkg/engine/mutate/overlay_test.go
+++ b/pkg/engine/mutate/overlay_test.go
@@ -8,6 +8,7 @@ import (
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func compareJSONAsMap(t *testing.T, expected, actual []byte) {
@@ -63,10 +64,12 @@ func TestProcessOverlayPatches_NestedListWithAnchor(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, patches != nil)
 
@@ -163,10 +166,12 @@ func TestProcessOverlayPatches_InsertIntoArray(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, patches != nil)
 
@@ -284,10 +289,12 @@ func TestProcessOverlayPatches_TestInsertToArray(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, patches != nil)
 
@@ -367,10 +374,12 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -456,9 +465,10 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 		}
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, err = processOverlayPatches(resource, overlay)
+	patches, err = processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -492,9 +502,10 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 		}
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, err = processOverlayPatches(resource, overlay)
+	patches, err = processOverlayPatches(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /spec/template/metadata/labels/app/, [overlayError:0] Failed validating value nginx with overlay nginx1")
 	assert.Assert(t, len(patches) == 0)
 }
@@ -520,10 +531,12 @@ func TestProcessOverlayPatches_AddingAnchor(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -605,10 +618,12 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -684,9 +699,10 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) {
 		}
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, err = processOverlayPatches(resource, overlay)
+	patches, err = processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -747,10 +763,12 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -805,9 +823,10 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) {
 	   ]
 	}`)
 
-	json.Unmarshal(overlayRaw, &overlay)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, err = processOverlayPatches(resource, overlay)
+	patches, err = processOverlayPatches(log.Log, resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /subsets/0/ports/0/port/, [overlayError:0] Failed validating value 443 with overlay 444")
 	assert.Assert(t, len(patches) == 0)
 }
@@ -886,10 +905,12 @@ func TestProcessOverlayPatches_insertWithCondition(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -997,10 +1018,12 @@ func TestProcessOverlayPatches_InsertIfNotPresentWithConditions(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	json.Unmarshal(resourceRaw, &resource)
-	json.Unmarshal(overlayRaw, &overlay)
+	err := json.Unmarshal(resourceRaw, &resource)
+	assert.NilError(t, err)
+	err = json.Unmarshal(overlayRaw, &overlay)
+	assert.NilError(t, err)
 
-	patches, overlayerr := processOverlayPatches(resource, overlay)
+	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
diff --git a/pkg/engine/mutate/patches.go b/pkg/engine/mutate/patches.go
index 61fc93ecea..7b294bbca9 100644
--- a/pkg/engine/mutate/patches.go
+++ b/pkg/engine/mutate/patches.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
@@ -20,21 +20,22 @@ func applyPatch(resource []byte, patchRaw []byte) ([]byte, error) {
 }
 
 //ProcessPatches applies the patches on the resource and returns the patched resource
-func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
+func ProcessPatches(log logr.Logger, rule kyverno.Rule, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
+	logger := log.WithValues("rule", rule.Name)
 	startTime := time.Now()
-	glog.V(4).Infof("started JSON patch rule %q (%v)", rule.Name, startTime)
+	logger.V(4).Info("started JSON patch", "startTime", startTime)
 	resp.Name = rule.Name
 	resp.Type = utils.Mutation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		glog.V(4).Infof("finished JSON patch rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
+		logger.V(4).Info("finished JSON patch", "processingTime", resp.RuleStats.ProcessingTime)
 	}()
 
 	// convert to RAW
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
 		resp.Success = false
-		glog.Infof("unable to marshall resource: %v", err)
+		logger.Error(err, "failed to marshal resource")
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
 	}
@@ -45,14 +46,14 @@ func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 		// JSON patch
 		patchRaw, err := json.Marshal(patch)
 		if err != nil {
-			glog.V(4).Infof("failed to marshall JSON patch %v: %v", patch, err)
+			logger.Error(err, "failed to marshal JSON patch")
 			errs = append(errs, err)
 			continue
 		}
 		patchResource, err := applyPatch(resourceRaw, patchRaw)
 		// TODO: continue on error if one of the patches fails, will add the failure event in such case
 		if err != nil && patch.Operation == "remove" {
-			glog.Info(err)
+			log.Error(err, "failed to process JSON path or patch is a 'remove' operation")
 			continue
 		}
 		if err != nil {
@@ -77,7 +78,7 @@ func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 	}
 	err = patchedResource.UnmarshalJSON(resourceRaw)
 	if err != nil {
-		glog.Infof("failed to unmarshall resource to undstructured: %v", err)
+		logger.Error(err, "failed to unmmarshal resource")
 		resp.Success = false
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
diff --git a/pkg/engine/mutate/patches_test.go b/pkg/engine/mutate/patches_test.go
index f38b68d2c4..1b617d5517 100644
--- a/pkg/engine/mutate/patches_test.go
+++ b/pkg/engine/mutate/patches_test.go
@@ -5,6 +5,7 @@ import (
 
 	"gotest.tools/assert"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	types "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
@@ -41,7 +42,7 @@ func TestProcessPatches_EmptyPatches(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(emptyRule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, emptyRule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -70,14 +71,14 @@ func makeRuleWithPatches(patches []types.Patch) types.Rule {
 
 func TestProcessPatches_EmptyDocument(t *testing.T) {
 	rule := makeRuleWithPatch(makeAddIsMutatedLabelPatch())
-	rr, _ := ProcessPatches(rule, unstructured.Unstructured{})
+	rr, _ := ProcessPatches(log.Log, rule, unstructured.Unstructured{})
 	assert.Assert(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
 
 func TestProcessPatches_AllEmpty(t *testing.T) {
 	emptyRule := types.Rule{}
-	rr, _ := ProcessPatches(emptyRule, unstructured.Unstructured{})
+	rr, _ := ProcessPatches(log.Log, emptyRule, unstructured.Unstructured{})
 	assert.Check(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -90,7 +91,7 @@ func TestProcessPatches_AddPathDoesntExist(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -102,7 +103,7 @@ func TestProcessPatches_RemovePathDoesntExist(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -115,7 +116,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_EmptyResult(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -129,7 +130,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_ContinueOnError_NotEmptyResul
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) != 0)
 	assertEqStringAndData(t, `{"path":"/metadata/labels/label3","op":"add","value":"label3Value"}`, rr.Patches[0])
@@ -142,7 +143,7 @@ func TestProcessPatches_RemovePathDoesntExist_EmptyResult(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -155,7 +156,7 @@ func TestProcessPatches_RemovePathDoesntExist_NotEmptyResult(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 1)
 	assertEqStringAndData(t, `{"path":"/metadata/labels/label2","op":"add","value":"label2Value"}`, rr.Patches[0])
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index d1fab46211..b147f5b490 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -5,12 +5,13 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/mutate"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -28,26 +29,25 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 	policy := policyContext.Policy
 	resource := policyContext.NewResource
 	ctx := policyContext.Context
-
+	logger := log.Log.WithName("Mutate").WithValues("policy", policy.Name, "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
+	logger.V(4).Info("start processing", "startTime", startTime)
 	startMutateResultResponse(&resp, policy, resource)
-	glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)
-	defer endMutateResultResponse(&resp, startTime)
+	defer endMutateResultResponse(logger, &resp, startTime)
 
 	patchedResource := policyContext.NewResource
 	for _, rule := range policy.Spec.Rules {
 		var ruleResponse response.RuleResponse
+		logger := logger.WithValues("rule", rule.Name)
 		//TODO: to be checked before calling the resources as well
 		if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) {
 			continue
 		}
-		startTime := time.Now()
-		glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))
 
 		// check if the resource satisfies the filter conditions defined in the rule
 		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
 		// dont statisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo); err != nil {
-			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error())
+			logger.V(4).Info("resource fails the match description")
 			continue
 		}
 
@@ -55,8 +55,8 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		copyConditions := copyConditions(rule.Conditions)
 		// evaluate pre-conditions
 		// - handle variable subsitutions
-		if !variables.EvaluateConditions(ctx, copyConditions) {
-			glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
+		if !variables.EvaluateConditions(logger, ctx, copyConditions) {
+			logger.V(4).Info("resource fails the preconditions")
 			continue
 		}
 
@@ -66,7 +66,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 			overlay := mutation.Overlay
 			// subsiitue the variables
 			var err error
-			if overlay, err = variables.SubstituteVars(ctx, overlay); err != nil {
+			if overlay, err = variables.SubstituteVars(logger, ctx, overlay); err != nil {
 				// variable subsitution failed
 				ruleResponse.Success = false
 				ruleResponse.Message = err.Error()
@@ -74,15 +74,13 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 				continue
 			}
 
-			ruleResponse, patchedResource = mutate.ProcessOverlay(rule.Name, overlay, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, rule.Name, overlay, patchedResource)
 			if ruleResponse.Success {
 				// - overlay pattern does not match the resource conditions
 				if ruleResponse.Patches == nil {
-					glog.V(4).Infof(ruleResponse.Message)
 					continue
 				}
-
-				glog.V(4).Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+				logger.V(4).Info("overlay applied succesfully")
 			}
 
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
@@ -92,8 +90,8 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		// Process Patches
 		if rule.Mutation.Patches != nil {
 			var ruleResponse response.RuleResponse
-			ruleResponse, patchedResource = mutate.ProcessPatches(rule, patchedResource)
-			glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+			ruleResponse, patchedResource = mutate.ProcessPatches(logger, rule, patchedResource)
+			logger.V(4).Info("patches applied successfully")
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount(&resp)
 		}
@@ -106,14 +104,14 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 
 		if strings.Contains(PodControllers, resource.GetKind()) {
 			var ruleResponse response.RuleResponse
-			ruleResponse, patchedResource = mutate.ProcessOverlay(rule.Name, podTemplateRule, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, rule.Name, podTemplateRule, patchedResource)
 			if !ruleResponse.Success {
-				glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
+				logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
 				continue
 			}
 
 			if ruleResponse.Success && ruleResponse.Patches != nil {
-				glog.V(2).Infof("Inserted annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
+				logger.V(2).Info("inserted annotation for podTemplate")
 				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 			}
 		}
@@ -137,10 +135,9 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
 	// TODO(shuting): set response with mutationFailureAction
 }
 
-func endMutateResultResponse(resp *response.EngineResponse, startTime time.Time) {
+func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse, startTime time.Time) {
 	resp.PolicyResponse.ProcessingTime = time.Since(startTime)
-	glog.V(4).Infof("finished applying mutation rules policy %v (%v)", resp.PolicyResponse.Policy, resp.PolicyResponse.ProcessingTime)
-	glog.V(4).Infof("Mutation Rules appplied count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, resp.PolicyResponse.Policy)
+	logger.V(4).Info("finshed processing", "processingTime", resp.PolicyResponse.ProcessingTime, "mutationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
 }
 
 // podTemplateRule mutate pod template with annotation
diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go
index 278d9672f2..07f345e265 100644
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@@ -67,11 +67,17 @@ func Test_VariableSubstitutionOverlay(t *testing.T) {
 	expectedPatch := []byte(`{ "op": "add", "path": "/metadata/labels", "value":{"appname":"check-root-user"} }`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	if err != nil {
+		t.Error(err)
+	}
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	ctx := context.NewContext()
-	ctx.AddResource(rawResource)
+	err = ctx.AddResource(rawResource)
+	if err != nil {
+		t.Error(err)
+	}
 	value, err := ctx.Query("request.object.metadata.name")
 	t.Log(value)
 	if err != nil {
@@ -139,12 +145,14 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
 	  }`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(policyraw, &policy)
+	err := json.Unmarshal(policyraw, &policy)
+	assert.NilError(t, err)
 	resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index c97b2eccb8..1ee8449d23 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -9,8 +9,7 @@ import (
 	"github.com/nirmata/kyverno/pkg/utils"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-
-	"github.com/golang/glog"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -53,7 +52,7 @@ func checkNameSpace(namespaces []string, resourceNameSpace string) bool {
 func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[string]string) (bool, error) {
 	selector, err := metav1.LabelSelectorAsSelector(labelSelector)
 	if err != nil {
-		glog.Error(err)
+		log.Log.Error(err, "failed to build label selector")
 		return false, err
 	}
 
diff --git a/pkg/engine/validate/pattern.go b/pkg/engine/validate/pattern.go
index e7b37283bd..7779f9b6ca 100644
--- a/pkg/engine/validate/pattern.go
+++ b/pkg/engine/validate/pattern.go
@@ -1,12 +1,13 @@
 package validate
 
 import (
+	"fmt"
 	"math"
 	"regexp"
 	"strconv"
 	"strings"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	"github.com/nirmata/kyverno/pkg/engine/operator"
 	apiresource "k8s.io/apimachinery/pkg/api/resource"
@@ -21,52 +22,52 @@ const (
 )
 
 // ValidateValueWithPattern validates value with operators and wildcards
-func ValidateValueWithPattern(value, pattern interface{}) bool {
+func ValidateValueWithPattern(log logr.Logger, value, pattern interface{}) bool {
 	switch typedPattern := pattern.(type) {
 	case bool:
 		typedValue, ok := value.(bool)
 		if !ok {
-			glog.V(4).Infof("Expected bool, found %T", value)
+			log.V(4).Info("Expected type bool", "type", fmt.Sprintf("%T", value), "value", value)
 			return false
 		}
 		return typedPattern == typedValue
 	case int:
-		return validateValueWithIntPattern(value, int64(typedPattern))
+		return validateValueWithIntPattern(log, value, int64(typedPattern))
 	case int64:
-		return validateValueWithIntPattern(value, typedPattern)
+		return validateValueWithIntPattern(log, value, typedPattern)
 	case float64:
-		return validateValueWithFloatPattern(value, typedPattern)
+		return validateValueWithFloatPattern(log, value, typedPattern)
 	case string:
-		return validateValueWithStringPatterns(value, typedPattern)
+		return validateValueWithStringPatterns(log, value, typedPattern)
 	case nil:
-		return validateValueWithNilPattern(value)
+		return validateValueWithNilPattern(log, value)
 	case map[string]interface{}:
 		// TODO: check if this is ever called?
-		return validateValueWithMapPattern(value, typedPattern)
+		return validateValueWithMapPattern(log, value, typedPattern)
 	case []interface{}:
 		// TODO: check if this is ever called?
-		glog.Warning("Arrays as patterns are not supported")
+		log.Info("arrays as patterns is not supported")
 		return false
 	default:
-		glog.Warningf("Unknown type as pattern: %v", typedPattern)
+		log.Info("Unkown type", "type", fmt.Sprintf("%T", typedPattern), "value", typedPattern)
 		return false
 	}
 }
 
-func validateValueWithMapPattern(value interface{}, typedPattern map[string]interface{}) bool {
+func validateValueWithMapPattern(log logr.Logger, value interface{}, typedPattern map[string]interface{}) bool {
 	// verify the type of the resource value is map[string]interface,
 	// we only check for existence of object, not the equality of content and value
 	//TODO: check if adding
 	_, ok := value.(map[string]interface{})
 	if !ok {
-		glog.Warningf("Expected map[string]interface{}, found %T\n", value)
+		log.Info("Expected type map[string]interface{}", "type", fmt.Sprintf("%T", value), "value", value)
 		return false
 	}
 	return true
 }
 
 // Handler for int values during validation process
-func validateValueWithIntPattern(value interface{}, pattern int64) bool {
+func validateValueWithIntPattern(log logr.Logger, value interface{}, pattern int64) bool {
 	switch typedValue := value.(type) {
 	case int:
 		return int64(typedValue) == pattern
@@ -78,38 +79,38 @@ func validateValueWithIntPattern(value interface{}, pattern int64) bool {
 			return int64(typedValue) == pattern
 		}
 
-		glog.Warningf("Expected int, found float: %f\n", typedValue)
+		log.Info("Expected type int", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
 		return false
 	case string:
 		// extract int64 from string
 		int64Num, err := strconv.ParseInt(typedValue, 10, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse int64 from string: %v", err)
+			log.Error(err, "Failed to parse int64 from string")
 			return false
 		}
 		return int64Num == pattern
 	default:
-		glog.Warningf("Expected int, found: %T\n", value)
+		log.Info("Expected type int", "type", fmt.Sprintf("%T", value), "value", value)
 		return false
 	}
 }
 
 // Handler for float values during validation process
-func validateValueWithFloatPattern(value interface{}, pattern float64) bool {
+func validateValueWithFloatPattern(log logr.Logger, value interface{}, pattern float64) bool {
 	switch typedValue := value.(type) {
 	case int:
 		// check that float has no fraction
 		if pattern == math.Trunc(pattern) {
 			return int(pattern) == value
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		log.Info("Expected type float", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
 		return false
 	case int64:
 		// check that float has no fraction
 		if pattern == math.Trunc(pattern) {
 			return int64(pattern) == value
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		log.Info("Expected type float", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
 		return false
 	case float64:
 		return typedValue == pattern
@@ -117,18 +118,18 @@ func validateValueWithFloatPattern(value interface{}, pattern float64) bool {
 		// extract float64 from string
 		float64Num, err := strconv.ParseFloat(typedValue, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse float64 from string: %v", err)
+			log.Error(err, "Failed to parse float64 from string")
 			return false
 		}
 		return float64Num == pattern
 	default:
-		glog.Warningf("Expected float, found: %T\n", value)
+		log.Info("Expected type float", "type", fmt.Sprintf("%T", value), "value", value)
 		return false
 	}
 }
 
 // Handler for nil values during validation process
-func validateValueWithNilPattern(value interface{}) bool {
+func validateValueWithNilPattern(log logr.Logger, value interface{}) bool {
 	switch typed := value.(type) {
 	case float64:
 		return typed == 0.0
@@ -143,20 +144,20 @@ func validateValueWithNilPattern(value interface{}) bool {
 	case nil:
 		return true
 	case map[string]interface{}, []interface{}:
-		glog.Warningf("Maps and arrays could not be checked with nil pattern")
+		log.Info("Maps and arrays could not be checked with nil pattern")
 		return false
 	default:
-		glog.Warningf("Unknown type as value when checking for nil pattern: %T\n", value)
+		log.Info("Unknown type as value when checking for nil pattern", "type", fmt.Sprintf("%T", value), "value", value)
 		return false
 	}
 }
 
 // Handler for pattern values during validation process
-func validateValueWithStringPatterns(value interface{}, pattern string) bool {
+func validateValueWithStringPatterns(log logr.Logger, value interface{}, pattern string) bool {
 	statements := strings.Split(pattern, "|")
 	for _, statement := range statements {
 		statement = strings.Trim(statement, " ")
-		if validateValueWithStringPattern(value, statement) {
+		if validateValueWithStringPattern(log, value, statement) {
 			return true
 		}
 	}
@@ -166,24 +167,24 @@ func validateValueWithStringPatterns(value interface{}, pattern string) bool {
 
 // Handler for single pattern value during validation process
 // Detects if pattern has a number
-func validateValueWithStringPattern(value interface{}, pattern string) bool {
+func validateValueWithStringPattern(log logr.Logger, value interface{}, pattern string) bool {
 	operator := operator.GetOperatorFromStringPattern(pattern)
 	pattern = pattern[len(operator):]
 	number, str := getNumberAndStringPartsFromPattern(pattern)
 
 	if "" == number {
-		return validateString(value, str, operator)
+		return validateString(log, value, str, operator)
 	}
 
-	return validateNumberWithStr(value, pattern, operator)
+	return validateNumberWithStr(log, value, pattern, operator)
 }
 
 // Handler for string values
-func validateString(value interface{}, pattern string, operatorVariable operator.Operator) bool {
+func validateString(log logr.Logger, value interface{}, pattern string, operatorVariable operator.Operator) bool {
 	if operator.NotEqual == operatorVariable || operator.Equal == operatorVariable {
 		strValue, ok := value.(string)
 		if !ok {
-			glog.Warningf("Expected string, found %T\n", value)
+			log.Info("Expected type string", "type", fmt.Sprintf("%T", value), "value", value)
 			return false
 		}
 
@@ -195,17 +196,16 @@ func validateString(value interface{}, pattern string, operatorVariable operator
 
 		return wildcardResult
 	}
-
-	glog.Warningf("Operators >, >=, <, <= are not applicable to strings")
+	log.Info("Operators >, >=, <, <= are not applicable to strings")
 	return false
 }
 
 // validateNumberWithStr compares quantity if pattern type is quantity
 //  or a wildcard match to pattern string
-func validateNumberWithStr(value interface{}, pattern string, operator operator.Operator) bool {
+func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, operator operator.Operator) bool {
 	typedValue, err := convertToString(value)
 	if err != nil {
-		glog.Warning(err)
+		log.Error(err, "failed to convert to string")
 		return false
 	}
 
@@ -214,7 +214,7 @@ func validateNumberWithStr(value interface{}, pattern string, operator operator.
 	if err == nil {
 		valueQuan, err := apiresource.ParseQuantity(typedValue)
 		if err != nil {
-			glog.Warningf("Invalid quantity in resource %s, err: %v\n", typedValue, err)
+			log.Error(err, "invalid quantity in resource", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
 			return false
 		}
 
@@ -223,7 +223,7 @@ func validateNumberWithStr(value interface{}, pattern string, operator operator.
 
 	// 2. wildcard match
 	if !wildcard.Match(pattern, typedValue) {
-		glog.Warningf("Value '%s' has not passed wildcard check: %s", typedValue, pattern)
+		log.Info("value failed wildcard check", "type", fmt.Sprintf("%T", typedValue), "value", typedValue, "check", pattern)
 		return false
 	}
 	return true
diff --git a/pkg/engine/validate/pattern_test.go b/pkg/engine/validate/pattern_test.go
index 8ee4e34881..8d8d437d2b 100644
--- a/pkg/engine/validate/pattern_test.go
+++ b/pkg/engine/validate/pattern_test.go
@@ -6,13 +6,14 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/engine/operator"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestValidateValueWithPattern_Bool(t *testing.T) {
-	assert.Assert(t, ValidateValueWithPattern(true, true))
-	assert.Assert(t, !ValidateValueWithPattern(true, false))
-	assert.Assert(t, !ValidateValueWithPattern(false, true))
-	assert.Assert(t, ValidateValueWithPattern(false, false))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, true, true))
+	assert.Assert(t, !ValidateValueWithPattern(log.Log, true, false))
+	assert.Assert(t, !ValidateValueWithPattern(log.Log, false, true))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, false, false))
 }
 
 func TestValidateString_AsteriskTest(t *testing.T) {
@@ -20,8 +21,8 @@ func TestValidateString_AsteriskTest(t *testing.T) {
 	value := "anything"
 	empty := ""
 
-	assert.Assert(t, validateString(value, pattern, operator.Equal))
-	assert.Assert(t, validateString(empty, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, empty, pattern, operator.Equal))
 }
 
 func TestValidateString_LeftAsteriskTest(t *testing.T) {
@@ -29,32 +30,32 @@ func TestValidateString_LeftAsteriskTest(t *testing.T) {
 	value := "leftright"
 	right := "right"
 
-	assert.Assert(t, validateString(value, pattern, operator.Equal))
-	assert.Assert(t, validateString(right, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, right, pattern, operator.Equal))
 
 	value = "leftmiddle"
 	middle := "middle"
 
-	assert.Assert(t, !validateString(value, pattern, operator.Equal))
-	assert.Assert(t, !validateString(middle, pattern, operator.Equal))
+	assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, !validateString(log.Log, middle, pattern, operator.Equal))
 }
 
 func TestValidateString_MiddleAsteriskTest(t *testing.T) {
 	pattern := "ab*ba"
 	value := "abbeba"
-	assert.Assert(t, validateString(value, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
 
 	value = "abbca"
-	assert.Assert(t, !validateString(value, pattern, operator.Equal))
+	assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal))
 }
 
 func TestValidateString_QuestionMark(t *testing.T) {
 	pattern := "ab?ba"
 	value := "abbba"
-	assert.Assert(t, validateString(value, pattern, operator.Equal))
+	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
 
 	value = "abbbba"
-	assert.Assert(t, !validateString(value, pattern, operator.Equal))
+	assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal))
 }
 
 func TestValidateValueWithPattern_BoolInJson(t *testing.T) {
@@ -76,7 +77,7 @@ func TestValidateValueWithPattern_BoolInJson(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternStringValue(t *testing.T) {
@@ -98,7 +99,7 @@ func TestValidateValueWithPattern_NullPatternStringValue(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, !ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, !ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultString(t *testing.T) {
@@ -120,7 +121,7 @@ func TestValidateValueWithPattern_NullPatternDefaultString(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultFloat(t *testing.T) {
@@ -142,7 +143,7 @@ func TestValidateValueWithPattern_NullPatternDefaultFloat(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultInt(t *testing.T) {
@@ -164,7 +165,7 @@ func TestValidateValueWithPattern_NullPatternDefaultInt(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultBool(t *testing.T) {
@@ -186,77 +187,77 @@ func TestValidateValueWithPattern_NullPatternDefaultBool(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_StringsLogicalOr(t *testing.T) {
 	pattern := "192.168.88.1 | 10.100.11.*"
 	value := "10.100.11.54"
-	assert.Assert(t, ValidateValueWithPattern(value, pattern))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, value, pattern))
 }
 
 func TestValidateValueWithPattern_EqualTwoFloats(t *testing.T) {
-	assert.Assert(t, ValidateValueWithPattern(7.0, 7.000))
+	assert.Assert(t, ValidateValueWithPattern(log.Log, 7.0, 7.000))
 }
 
 func TestValidateValueWithNilPattern_NullPatternStringValue(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern("value"))
+	assert.Assert(t, !validateValueWithNilPattern(log.Log, "value"))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultString(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(""))
+	assert.Assert(t, validateValueWithNilPattern(log.Log, ""))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultFloat(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(0.0))
+	assert.Assert(t, validateValueWithNilPattern(log.Log, 0.0))
 }
 
 func TestValidateValueWithNilPattern_NullPatternFloat(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(0.1))
+	assert.Assert(t, !validateValueWithNilPattern(log.Log, 0.1))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultInt(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(0))
+	assert.Assert(t, validateValueWithNilPattern(log.Log, 0))
 }
 
 func TestValidateValueWithNilPattern_NullPatternInt(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(1))
+	assert.Assert(t, !validateValueWithNilPattern(log.Log, 1))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultBool(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(false))
+	assert.Assert(t, validateValueWithNilPattern(log.Log, false))
 }
 
 func TestValidateValueWithNilPattern_NullPatternTrueBool(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(true))
+	assert.Assert(t, !validateValueWithNilPattern(log.Log, true))
 }
 
 func TestValidateValueWithFloatPattern_FloatValue(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(7.9914, 7.9914))
+	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.9914, 7.9914))
 }
 
 func TestValidateValueWithFloatPattern_FloatValueNotPass(t *testing.T) {
-	assert.Assert(t, !validateValueWithFloatPattern(7.9914, 7.99141))
+	assert.Assert(t, !validateValueWithFloatPattern(log.Log, 7.9914, 7.99141))
 }
 
 func TestValidateValueWithFloatPattern_FloatPatternWithoutFractionIntValue(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(7, 7.000000))
+	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7, 7.000000))
 }
 
 func TestValidateValueWithFloatPattern_FloatPatternWithoutFraction(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(7.000000, 7.000000))
+	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.000000, 7.000000))
 }
 
 func TestValidateValueWithIntPattern_FloatValueWithoutFraction(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(7.000000, 7))
+	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.000000, 7))
 }
 
 func TestValidateValueWithIntPattern_FloatValueWitFraction(t *testing.T) {
-	assert.Assert(t, !validateValueWithFloatPattern(7.000001, 7))
+	assert.Assert(t, !validateValueWithFloatPattern(log.Log, 7.000001, 7))
 }
 
 func TestValidateValueWithIntPattern_NotPass(t *testing.T) {
-	assert.Assert(t, !validateValueWithFloatPattern(8, 7))
+	assert.Assert(t, !validateValueWithFloatPattern(log.Log, 8, 7))
 }
 
 func TestGetNumberAndStringPartsFromPattern_NumberAndString(t *testing.T) {
@@ -290,35 +291,35 @@ func TestGetNumberAndStringPartsFromPattern_Empty(t *testing.T) {
 }
 
 func TestValidateNumberWithStr_LessFloatAndInt(t *testing.T) {
-	assert.Assert(t, validateNumberWithStr(7.00001, "7.000001", operator.More))
-	assert.Assert(t, validateNumberWithStr(7.00001, "7", operator.NotEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, 7.00001, "7.000001", operator.More))
+	assert.Assert(t, validateNumberWithStr(log.Log, 7.00001, "7", operator.NotEqual))
 
-	assert.Assert(t, validateNumberWithStr(7.0000, "7", operator.Equal))
-	assert.Assert(t, !validateNumberWithStr(6.000000001, "6", operator.Less))
+	assert.Assert(t, validateNumberWithStr(log.Log, 7.0000, "7", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(log.Log, 6.000000001, "6", operator.Less))
 }
 
 func TestValidateQuantity_InvalidQuantity(t *testing.T) {
-	assert.Assert(t, !validateNumberWithStr("1024Gi", "", operator.Equal))
-	assert.Assert(t, !validateNumberWithStr("gii", "1024Gi", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(log.Log, "1024Gi", "", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(log.Log, "gii", "1024Gi", operator.Equal))
 }
 
 func TestValidateQuantity_Equal(t *testing.T) {
-	assert.Assert(t, validateNumberWithStr("1024Gi", "1024Gi", operator.Equal))
-	assert.Assert(t, validateNumberWithStr("1024Mi", "1Gi", operator.Equal))
-	assert.Assert(t, validateNumberWithStr("0.2", "200m", operator.Equal))
-	assert.Assert(t, validateNumberWithStr("500", "500", operator.Equal))
-	assert.Assert(t, !validateNumberWithStr("2048", "1024", operator.Equal))
-	assert.Assert(t, validateNumberWithStr(1024, "1024", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1024Gi", "1024Gi", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1024Mi", "1Gi", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, "0.2", "200m", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, "500", "500", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(log.Log, "2048", "1024", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(log.Log, 1024, "1024", operator.Equal))
 }
 
 func TestValidateQuantity_Operation(t *testing.T) {
-	assert.Assert(t, validateNumberWithStr("1Gi", "1000Mi", operator.More))
-	assert.Assert(t, validateNumberWithStr("1G", "1Gi", operator.Less))
-	assert.Assert(t, validateNumberWithStr("500m", "0.5", operator.MoreEqual))
-	assert.Assert(t, validateNumberWithStr("1", "500m", operator.MoreEqual))
-	assert.Assert(t, validateNumberWithStr("0.5", ".5", operator.LessEqual))
-	assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.LessEqual))
-	assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.NotEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1Gi", "1000Mi", operator.More))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1G", "1Gi", operator.Less))
+	assert.Assert(t, validateNumberWithStr(log.Log, "500m", "0.5", operator.MoreEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "1", "500m", operator.MoreEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "0.5", ".5", operator.LessEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "0.2", ".5", operator.LessEqual))
+	assert.Assert(t, validateNumberWithStr(log.Log, "0.2", ".5", operator.NotEqual))
 }
 
 func TestGetOperatorFromStringPattern_OneChar(t *testing.T) {
diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go
index 9d94f07789..6e3d40da7d 100644
--- a/pkg/engine/validate/validate.go
+++ b/pkg/engine/validate/validate.go
@@ -8,15 +8,15 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/operator"
 )
 
 // ValidateResourceWithPattern is a start of element-by-element validation process
 // It assumes that validation is started from root, so "/" is passed
-func ValidateResourceWithPattern(resource, pattern interface{}) (string, error) {
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+func ValidateResourceWithPattern(log logr.Logger, resource, pattern interface{}) (string, error) {
+	path, err := validateResourceElement(log, resource, pattern, pattern, "/")
 	if err != nil {
 		return path, err
 	}
@@ -27,44 +27,44 @@ func ValidateResourceWithPattern(resource, pattern interface{}) (string, error)
 // validateResourceElement detects the element type (map, array, nil, string, int, bool, float)
 // and calls corresponding handler
 // Pattern tree and resource tree can have different structure. In this case validation fails
-func validateResourceElement(resourceElement, patternElement, originPattern interface{}, path string) (string, error) {
+func validateResourceElement(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string) (string, error) {
 	var err error
 	switch typedPatternElement := patternElement.(type) {
 	// map
 	case map[string]interface{}:
 		typedResourceElement, ok := resourceElement.(map[string]interface{})
 		if !ok {
-			glog.V(4).Infof("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement)
+			log.V(4).Info("Pattern and resource have different structures.", "path", path, "expected", fmt.Sprintf("%T", patternElement), "current", fmt.Sprintf("%T", resourceElement))
 			return path, fmt.Errorf("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement)
 		}
 
-		return validateMap(typedResourceElement, typedPatternElement, originPattern, path)
+		return validateMap(log, typedResourceElement, typedPatternElement, originPattern, path)
 	// array
 	case []interface{}:
 		typedResourceElement, ok := resourceElement.([]interface{})
 		if !ok {
-			glog.V(4).Infof("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement)
+			log.V(4).Info("Pattern and resource have different structures.", "path", path, "expected", fmt.Sprintf("%T", patternElement), "current", fmt.Sprintf("%T", resourceElement))
 			return path, fmt.Errorf("Validation rule Failed at path %s, resource does not satisfy the expected overlay pattern", path)
 		}
 
-		return validateArray(typedResourceElement, typedPatternElement, originPattern, path)
+		return validateArray(log, typedResourceElement, typedPatternElement, originPattern, path)
 	// elementary values
 	case string, float64, int, int64, bool, nil:
 		/*Analyze pattern */
 		if checkedPattern := reflect.ValueOf(patternElement); checkedPattern.Kind() == reflect.String {
 			if isStringIsReference(checkedPattern.String()) { //check for $ anchor
-				patternElement, err = actualizePattern(originPattern, checkedPattern.String(), path)
+				patternElement, err = actualizePattern(log, originPattern, checkedPattern.String(), path)
 				if err != nil {
 					return path, err
 				}
 			}
 		}
-		if !ValidateValueWithPattern(resourceElement, patternElement) {
+		if !ValidateValueWithPattern(log, resourceElement, patternElement) {
 			return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement)
 		}
 
 	default:
-		glog.V(4).Infof("Pattern contains unknown type %T. Path: %s", patternElement, path)
+		log.V(4).Info("Pattern contains unknown type", "path", path, "current", fmt.Sprintf("%T", patternElement))
 		return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path)
 	}
 	return "", nil
@@ -72,7 +72,7 @@ func validateResourceElement(resourceElement, patternElement, originPattern inte
 
 // If validateResourceElement detects map element inside resource and pattern trees, it goes to validateMap
 // For each element of the map we must detect the type again, so we pass these elements to validateResourceElement
-func validateMap(resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string) (string, error) {
+func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string) (string, error) {
 	// check if there is anchor in pattern
 	// Phase 1 : Evaluate all the anchors
 	// Phase 2 : Evaluate non-anchors
@@ -91,7 +91,7 @@ func validateMap(resourceMap, patternMap map[string]interface{}, origPattern int
 		if err != nil {
 			// If Conditional anchor fails then we dont process the resources
 			if anchor.IsConditionAnchor(key) {
-				glog.V(4).Infof("condition anchor did not satisfy, wont process the resources: %s", err)
+				log.Error(err, "condition anchor did not satisfy, wont process the resource")
 				return "", nil
 			}
 			return handlerPath, err
@@ -109,7 +109,7 @@ func validateMap(resourceMap, patternMap map[string]interface{}, origPattern int
 	return "", nil
 }
 
-func validateArray(resourceArray, patternArray []interface{}, originPattern interface{}, path string) (string, error) {
+func validateArray(log logr.Logger, resourceArray, patternArray []interface{}, originPattern interface{}, path string) (string, error) {
 
 	if 0 == len(patternArray) {
 		return path, fmt.Errorf("Pattern Array empty")
@@ -119,7 +119,7 @@ func validateArray(resourceArray, patternArray []interface{}, originPattern inte
 	case map[string]interface{}:
 		// This is special case, because maps in arrays can have anchors that must be
 		// processed with the special way affecting the entire array
-		path, err := validateArrayOfMaps(resourceArray, typedPatternElement, originPattern, path)
+		path, err := validateArrayOfMaps(log, resourceArray, typedPatternElement, originPattern, path)
 		if err != nil {
 			return path, err
 		}
@@ -127,7 +127,7 @@ func validateArray(resourceArray, patternArray []interface{}, originPattern inte
 		// In all other cases - detect type and handle each array element with validateResourceElement
 		for i, patternElement := range patternArray {
 			currentPath := path + strconv.Itoa(i) + "/"
-			path, err := validateResourceElement(resourceArray[i], patternElement, originPattern, currentPath)
+			path, err := validateResourceElement(log, resourceArray[i], patternElement, originPattern, currentPath)
 			if err != nil {
 				return path, err
 			}
@@ -137,7 +137,7 @@ func validateArray(resourceArray, patternArray []interface{}, originPattern inte
 	return "", nil
 }
 
-func actualizePattern(origPattern interface{}, referencePattern, absolutePath string) (interface{}, error) {
+func actualizePattern(log logr.Logger, origPattern interface{}, referencePattern, absolutePath string) (interface{}, error) {
 	var foundValue interface{}
 
 	referencePattern = strings.Trim(referencePattern, "$()")
@@ -155,7 +155,7 @@ func actualizePattern(origPattern interface{}, referencePattern, absolutePath st
 	// value :=
 	actualPath := formAbsolutePath(referencePattern, absolutePath)
 
-	valFromReference, err := getValueFromReference(origPattern, actualPath)
+	valFromReference, err := getValueFromReference(log, origPattern, actualPath)
 	if err != nil {
 		return err, nil
 	}
@@ -196,15 +196,15 @@ func formAbsolutePath(referencePath, absolutePath string) string {
 }
 
 //Prepares original pattern, path to value, and call traverse function
-func getValueFromReference(origPattern interface{}, reference string) (interface{}, error) {
+func getValueFromReference(log logr.Logger, origPattern interface{}, reference string) (interface{}, error) {
 	originalPatternMap := origPattern.(map[string]interface{})
 	reference = reference[1:]
 	statements := strings.Split(reference, "/")
 
-	return getValueFromPattern(originalPatternMap, statements, 0)
+	return getValueFromPattern(log, originalPatternMap, statements, 0)
 }
 
-func getValueFromPattern(patternMap map[string]interface{}, keys []string, currentKeyIndex int) (interface{}, error) {
+func getValueFromPattern(log logr.Logger, patternMap map[string]interface{}, keys []string, currentKeyIndex int) (interface{}, error) {
 
 	for key, pattern := range patternMap {
 		rawKey := getRawKeyIfWrappedWithAttributes(key)
@@ -221,19 +221,21 @@ func getValueFromPattern(patternMap map[string]interface{}, keys []string, curre
 				for i, value := range typedPattern {
 					resourceMap, ok := value.(map[string]interface{})
 					if !ok {
-						glog.V(4).Infof("Pattern and resource have different structures. Expected %T, found %T", pattern, value)
+						log.V(4).Info("Pattern and resource have different structures.", "expected", fmt.Sprintf("%T", pattern), "current", fmt.Sprintf("%T", value))
 						return nil, fmt.Errorf("Validation rule failed, resource does not have expected pattern %v", patternMap)
 					}
 					if keys[currentKeyIndex+1] == strconv.Itoa(i) {
-						return getValueFromPattern(resourceMap, keys, currentKeyIndex+2)
+						return getValueFromPattern(log, resourceMap, keys, currentKeyIndex+2)
 					}
+					// TODO : SA4004: the surrounding loop is unconditionally terminated (staticcheck)
 					return nil, errors.New("Reference to non-existent place in the document")
 				}
+				return nil, nil // Just a hack to fix the lint
 			}
 			return nil, errors.New("Reference to non-existent place in the document")
 		case map[string]interface{}:
 			if keys[currentKeyIndex] == rawKey {
-				return getValueFromPattern(typedPattern, keys, currentKeyIndex+1)
+				return getValueFromPattern(log, typedPattern, keys, currentKeyIndex+1)
 			}
 			return nil, errors.New("Reference to non-existent place in the document")
 		case string, float64, int, int64, bool, nil:
@@ -251,12 +253,12 @@ func getValueFromPattern(patternMap map[string]interface{}, keys []string, curre
 
 // validateArrayOfMaps gets anchors from pattern array map element, applies anchors logic
 // and then validates each map due to the pattern
-func validateArrayOfMaps(resourceMapArray []interface{}, patternMap map[string]interface{}, originPattern interface{}, path string) (string, error) {
+func validateArrayOfMaps(log logr.Logger, resourceMapArray []interface{}, patternMap map[string]interface{}, originPattern interface{}, path string) (string, error) {
 	for i, resourceElement := range resourceMapArray {
 		// check the types of resource element
 		// expect it to be map, but can be anything ?:(
 		currentPath := path + strconv.Itoa(i) + "/"
-		returnpath, err := validateResourceElement(resourceElement, patternMap, originPattern, currentPath)
+		returnpath, err := validateResourceElement(log, resourceElement, patternMap, originPattern, currentPath)
 		if err != nil {
 			return returnpath, err
 		}
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index acabd87ac1..7f916239e0 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestValidateMap(t *testing.T) {
@@ -100,7 +101,7 @@ func TestValidateMap(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -196,7 +197,7 @@ func TestValidateMap_AsteriskForInt(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	t.Log(path)
 	assert.NilError(t, err)
 }
@@ -289,7 +290,7 @@ func TestValidateMap_AsteriskForMap(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -377,7 +378,7 @@ func TestValidateMap_AsteriskForArray(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -468,7 +469,7 @@ func TestValidateMap_AsteriskFieldIsMissing(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/template/spec/containers/0/")
 	assert.Assert(t, err != nil)
 }
@@ -557,9 +558,10 @@ func TestValidateMap_livenessProbeIsNull(t *testing.T) {
 
 	var pattern, resource map[string]interface{}
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
-	json.Unmarshal(rawMap, &resource)
+	err := json.Unmarshal(rawMap, &resource)
+	assert.NilError(t, err)
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -649,7 +651,7 @@ func TestValidateMap_livenessProbeIsMissing(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(resource, pattern, pattern, "/")
+	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -695,7 +697,7 @@ func TestValidateMapElement_TwoElementsInArrayOnePass(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	// assert.Equal(t, path, "/1/object/0/key2/")
 	// assert.NilError(t, err)
@@ -730,7 +732,7 @@ func TestValidateMapElement_OneElementInArrayPass(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -784,7 +786,7 @@ func TestValidateMap_CorrectRelativePathInConfig(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -838,7 +840,7 @@ func TestValidateMap_RelativePathDoesNotExists(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -892,7 +894,7 @@ func TestValidateMap_OnlyAnchorsInPath(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -946,7 +948,7 @@ func TestValidateMap_MalformedReferenceOnlyDolarMark(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -1000,7 +1002,7 @@ func TestValidateMap_RelativePathWithParentheses(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -1054,7 +1056,7 @@ func TestValidateMap_MalformedPath(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -1108,7 +1110,7 @@ func TestValidateMap_AbosolutePathExists(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.Assert(t, err == nil)
 }
@@ -1149,7 +1151,7 @@ func TestValidateMap_AbsolutePathToMetadata(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.Assert(t, err == nil)
 }
@@ -1191,7 +1193,7 @@ func TestValidateMap_AbsolutePathToMetadata_fail(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/image/")
 	assert.Assert(t, err != nil)
 }
@@ -1245,7 +1247,7 @@ func TestValidateMap_AbosolutePathDoesNotExists(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -1276,7 +1278,7 @@ func TestActualizePattern_GivenRelativePathThatExists(t *testing.T) {
 
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 
-	pattern, err := actualizePattern(pattern, referencePath, absolutePath)
+	pattern, err := actualizePattern(log.Log, pattern, referencePath, absolutePath)
 
 	assert.Assert(t, err == nil)
 }
@@ -1344,10 +1346,12 @@ func TestValidateMapElement_OneElementInArrayNotPass(t *testing.T) {
 	]`)
 
 	var pattern, resource interface{}
-	json.Unmarshal(rawPattern, &pattern)
-	json.Unmarshal(rawMap, &resource)
+	err := json.Unmarshal(rawPattern, &pattern)
+	assert.NilError(t, err)
+	err = json.Unmarshal(rawMap, &resource)
+	assert.NilError(t, err)
 
-	path, err := validateResourceElement(resource, pattern, pattern, "/")
+	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/0/object/0/key2/")
 	assert.Assert(t, err != nil)
 }
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index fc4e89bf1c..00c32f6791 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -5,7 +5,7 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/response"
@@ -13,6 +13,7 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/validate"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //Validate applies validation rules from policy on the resource
@@ -23,17 +24,18 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 	oldR := policyContext.OldResource
 	ctx := policyContext.Context
 	admissionInfo := policyContext.AdmissionInfo
+	logger := log.Log.WithName("Validate").WithValues("policy", policy.Name, "kind", newR.GetKind(), "namespace", newR.GetNamespace(), "name", newR.GetName())
 
 	// policy information
-	glog.V(4).Infof("started applying validation rules of policy %q (%v)", policy.Name, startTime)
+	logger.V(4).Info("start processing", "startTime", startTime)
 
 	// Process new & old resource
 	if reflect.DeepEqual(oldR, unstructured.Unstructured{}) {
 		// Create Mode
 		// Operate on New Resource only
-		resp := validateResource(ctx, policy, newR, admissionInfo)
+		resp := validateResource(logger, ctx, policy, newR, admissionInfo)
 		startResultResponse(resp, policy, newR)
-		defer endResultResponse(resp, startTime)
+		defer endResultResponse(logger, resp, startTime)
 		// set PatchedResource with origin resource if empty
 		// in order to create policy violation
 		if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
@@ -44,14 +46,14 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 	// Update Mode
 	// Operate on New and Old Resource only
 	// New resource
-	oldResponse := validateResource(ctx, policy, oldR, admissionInfo)
-	newResponse := validateResource(ctx, policy, newR, admissionInfo)
+	oldResponse := validateResource(logger, ctx, policy, oldR, admissionInfo)
+	newResponse := validateResource(logger, ctx, policy, newR, admissionInfo)
 
 	// if the old and new response is same then return empty response
 	if !isSameResponse(oldResponse, newResponse) {
 		// there are changes send response
 		startResultResponse(newResponse, policy, newR)
-		defer endResultResponse(newResponse, startTime)
+		defer endResultResponse(logger, newResponse, startTime)
 		if reflect.DeepEqual(newResponse.PatchedResource, unstructured.Unstructured{}) {
 			newResponse.PatchedResource = newR
 		}
@@ -73,10 +75,9 @@ func startResultResponse(resp *response.EngineResponse, policy kyverno.ClusterPo
 	resp.PolicyResponse.ValidationFailureAction = policy.Spec.ValidationFailureAction
 }
 
-func endResultResponse(resp *response.EngineResponse, startTime time.Time) {
+func endResultResponse(log logr.Logger, resp *response.EngineResponse, startTime time.Time) {
 	resp.PolicyResponse.ProcessingTime = time.Since(startTime)
-	glog.V(4).Infof("Finished applying validation rules policy %v (%v)", resp.PolicyResponse.Policy, resp.PolicyResponse.ProcessingTime)
-	glog.V(4).Infof("Validation Rules appplied successfully count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, resp.PolicyResponse.Policy)
+	log.V(4).Info("finshed processing", "processingTime", resp.PolicyResponse.ProcessingTime, "validationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
 }
 
 func incrementAppliedCount(resp *response.EngineResponse) {
@@ -84,20 +85,18 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 	resp.PolicyResponse.RulesAppliedCount++
 }
 
-func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
+func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
 	resp := &response.EngineResponse{}
 	for _, rule := range policy.Spec.Rules {
 		if !rule.HasValidate() {
 			continue
 		}
-		startTime := time.Now()
-		glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime))
 
 		// check if the resource satisfies the filter conditions defined in the rule
 		// TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
 		// dont statisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
-			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error())
+			log.V(4).Info("resource fails the match description")
 			continue
 		}
 
@@ -105,13 +104,13 @@ func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, r
 		copyConditions := copyConditions(rule.Conditions)
 		// evaluate pre-conditions
 		// - handle variable subsitutions
-		if !variables.EvaluateConditions(ctx, copyConditions) {
-			glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
+		if !variables.EvaluateConditions(log, ctx, copyConditions) {
+			log.V(4).Info("resource fails the preconditions")
 			continue
 		}
 
 		if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
-			ruleResponse := validatePatterns(ctx, resource, rule)
+			ruleResponse := validatePatterns(log, ctx, resource, rule)
 			incrementAppliedCount(resp)
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 		}
@@ -159,14 +158,15 @@ func isSameRules(oldRules []response.RuleResponse, newRules []response.RuleRespo
 }
 
 // validatePatterns validate pattern and anyPattern
-func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) {
+func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) {
 	startTime := time.Now()
-	glog.V(4).Infof("started applying validation rule %q (%v)", rule.Name, startTime)
+	logger := log.WithValues("rule", rule.Name)
+	logger.V(4).Info("start processing rule", "startTime", startTime)
 	resp.Name = rule.Name
 	resp.Type = utils.Validation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		glog.V(4).Infof("finished applying validation rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
+		logger.V(4).Info("finshed processing", "processingTime", resp.RuleStats.ProcessingTime)
 	}()
 	// work on a copy of validation rule
 	validationRule := rule.Validation.DeepCopy()
@@ -176,7 +176,7 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 		// substitute variables in the pattern
 		pattern := validationRule.Pattern
 		var err error
-		if pattern, err = variables.SubstituteVars(ctx, pattern); err != nil {
+		if pattern, err = variables.SubstituteVars(logger, ctx, pattern); err != nil {
 			// variable subsitution failed
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Validation error: %s; Validation rule '%s' failed. '%s'",
@@ -184,7 +184,7 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 			return resp
 		}
 
-		if path, err := validate.ValidateResourceWithPattern(resource.Object, pattern); err != nil {
+		if path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern); err != nil {
 			// validation failed
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Validation error: %s; Validation rule '%s' failed at path '%s'",
@@ -192,7 +192,7 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 			return resp
 		}
 		// rule application successful
-		glog.V(4).Infof("rule %s pattern validated successfully on resource %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+		logger.V(4).Info("successfully processed rule")
 		resp.Success = true
 		resp.Message = fmt.Sprintf("Validation rule '%s' succeeded.", rule.Name)
 		return resp
@@ -203,19 +203,18 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 		var failedAnyPatternsErrors []error
 		var err error
 		for idx, pattern := range validationRule.AnyPattern {
-			if pattern, err = variables.SubstituteVars(ctx, pattern); err != nil {
+			if pattern, err = variables.SubstituteVars(logger, ctx, pattern); err != nil {
 				// variable subsitution failed
 				failedSubstitutionsErrors = append(failedSubstitutionsErrors, err)
 				continue
 			}
-			_, err := validate.ValidateResourceWithPattern(resource.Object, pattern)
+			_, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern)
 			if err == nil {
 				resp.Success = true
 				resp.Message = fmt.Sprintf("Validation rule '%s' anyPattern[%d] succeeded.", rule.Name, idx)
 				return resp
 			}
-			glog.V(4).Infof("Validation error: %s; Validation rule %s anyPattern[%d] for %s/%s/%s",
-				rule.Validation.Message, rule.Name, idx, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+			logger.V(4).Info(fmt.Sprintf("validation rule failed for anyPattern[%d]", idx), "message", rule.Validation.Message)
 			patternErr := fmt.Errorf("anyPattern[%d] failed; %s", idx, err)
 			failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr)
 		}
@@ -234,7 +233,7 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu
 				errorStr = append(errorStr, err.Error())
 			}
 			resp.Success = false
-			glog.V(4).Infof("Validation rule '%s' failed. %s", rule.Name, errorStr)
+			log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", rule.Name, errorStr))
 			if rule.Validation.Message == "" {
 				resp.Message = fmt.Sprintf("Validation rule '%s' has failed", rule.Name)
 			} else {
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 5a77d81b69..fb6f272966 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -23,7 +23,8 @@ func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) {
 	}`)
 
 	var unmarshalled map[string]interface{}
-	json.Unmarshal(rawMap, &unmarshalled)
+	err := json.Unmarshal(rawMap, &unmarshalled)
+	assert.NilError(t, err)
 
 	actualMap := utils.GetAnchorsFromMap(unmarshalled)
 	assert.Equal(t, len(actualMap), 2)
@@ -114,7 +115,8 @@ func TestValidate_image_tag_fail(t *testing.T) {
 	`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -212,7 +214,8 @@ func TestValidate_image_tag_pass(t *testing.T) {
 	`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -289,7 +292,8 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 	`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -370,7 +374,8 @@ func TestValidate_host_network_port(t *testing.T) {
 	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -459,7 +464,8 @@ func TestValidate_anchor_arraymap_pass(t *testing.T) {
 	 }	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -547,8 +553,8 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) {
 	 }	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
-
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
@@ -616,7 +622,8 @@ func TestValidate_anchor_map_notfound(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -688,7 +695,8 @@ func TestValidate_anchor_map_found_valid(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -760,7 +768,8 @@ func TestValidate_anchor_map_found_invalid(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -834,7 +843,8 @@ func TestValidate_AnchorList_pass(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -908,7 +918,8 @@ func TestValidate_AnchorList_fail(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -982,7 +993,8 @@ func TestValidate_existenceAnchor_fail(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1057,7 +1069,8 @@ func TestValidate_existenceAnchor_pass(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1144,7 +1157,8 @@ func TestValidate_negationAnchor_deny(t *testing.T) {
 	 }	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1230,7 +1244,8 @@ func TestValidate_negationAnchor_pass(t *testing.T) {
 	 	 `)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(rawPolicy, &policy)
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1297,12 +1312,14 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) {
 	  }`)
 
 	var policy kyverno.ClusterPolicy
-	json.Unmarshal(policyraw, &policy)
+	err := json.Unmarshal(policyraw, &policy)
+	assert.NilError(t, err)
 	resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
@@ -1392,7 +1409,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfies(t *t
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
@@ -1482,7 +1500,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
@@ -1572,7 +1591,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	ctx.AddResource(resourceRaw)
+	err = ctx.AddResource(resourceRaw)
+	assert.NilError(t, err)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
diff --git a/pkg/engine/variables/common.go b/pkg/engine/variables/common.go
new file mode 100644
index 0000000000..292b82d988
--- /dev/null
+++ b/pkg/engine/variables/common.go
@@ -0,0 +1,10 @@
+package variables
+
+import "regexp"
+
+//IsVariable returns true if the element contains a 'valid' variable {{}}
+func IsVariable(element string) bool {
+	validRegex := regexp.MustCompile(variableRegex)
+	groups := validRegex.FindAllStringSubmatch(element, -1)
+	return len(groups) != 0
+}
diff --git a/pkg/engine/variables/evaluate.go b/pkg/engine/variables/evaluate.go
index 519a909d01..d0ebf7ed74 100644
--- a/pkg/engine/variables/evaluate.go
+++ b/pkg/engine/variables/evaluate.go
@@ -1,16 +1,16 @@
 package variables
 
 import (
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/variables/operator"
 )
 
 //Evaluate evaluates the condition
-func Evaluate(ctx context.EvalInterface, condition kyverno.Condition) bool {
+func Evaluate(log logr.Logger, ctx context.EvalInterface, condition kyverno.Condition) bool {
 	// get handler for the operator
-	handle := operator.CreateOperatorHandler(ctx, condition.Operator, SubstituteVars)
+	handle := operator.CreateOperatorHandler(log, ctx, condition.Operator, SubstituteVars)
 	if handle == nil {
 		return false
 	}
@@ -18,11 +18,10 @@ func Evaluate(ctx context.EvalInterface, condition kyverno.Condition) bool {
 }
 
 //EvaluateConditions evaluates multiple conditions
-func EvaluateConditions(ctx context.EvalInterface, conditions []kyverno.Condition) bool {
+func EvaluateConditions(log logr.Logger, ctx context.EvalInterface, conditions []kyverno.Condition) bool {
 	// AND the conditions
 	for _, condition := range conditions {
-		if !Evaluate(ctx, condition) {
-			glog.V(4).Infof("condition %v failed", condition)
+		if !Evaluate(log, ctx, condition) {
 			return false
 		}
 	}
diff --git a/pkg/engine/variables/evaluate_test.go b/pkg/engine/variables/evaluate_test.go
index 33b3a4f2b7..d7d409b8f5 100644
--- a/pkg/engine/variables/evaluate_test.go
+++ b/pkg/engine/variables/evaluate_test.go
@@ -6,6 +6,7 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // STRINGS
@@ -18,7 +19,7 @@ func Test_Eval_Equal_Const_String_Pass(t *testing.T) {
 		Value:    "name",
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -32,7 +33,7 @@ func Test_Eval_Equal_Const_String_Fail(t *testing.T) {
 		Value:    "name1",
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -46,7 +47,7 @@ func Test_Eval_NoEqual_Const_String_Pass(t *testing.T) {
 		Value:    "name1",
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -60,7 +61,7 @@ func Test_Eval_NoEqual_Const_String_Fail(t *testing.T) {
 		Value:    "name",
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -76,7 +77,7 @@ func Test_Eval_Equal_Const_Bool_Pass(t *testing.T) {
 		Value:    true,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -90,7 +91,7 @@ func Test_Eval_Equal_Const_Bool_Fail(t *testing.T) {
 		Value:    false,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -104,7 +105,7 @@ func Test_Eval_NoEqual_Const_Bool_Pass(t *testing.T) {
 		Value:    false,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -118,7 +119,7 @@ func Test_Eval_NoEqual_Const_Bool_Fail(t *testing.T) {
 		Value:    true,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -133,7 +134,7 @@ func Test_Eval_Equal_Const_int_Pass(t *testing.T) {
 		Value:    1,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -147,7 +148,7 @@ func Test_Eval_Equal_Const_int_Fail(t *testing.T) {
 		Value:    2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -161,7 +162,7 @@ func Test_Eval_NoEqual_Const_int_Pass(t *testing.T) {
 		Value:    2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -175,7 +176,7 @@ func Test_Eval_NoEqual_Const_int_Fail(t *testing.T) {
 		Value:    1,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -190,7 +191,7 @@ func Test_Eval_Equal_Const_int64_Pass(t *testing.T) {
 		Value:    int64(1),
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -204,7 +205,7 @@ func Test_Eval_Equal_Const_int64_Fail(t *testing.T) {
 		Value:    int64(2),
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -218,7 +219,7 @@ func Test_Eval_NoEqual_Const_int64_Pass(t *testing.T) {
 		Value:    int64(2),
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -232,7 +233,7 @@ func Test_Eval_NoEqual_Const_int64_Fail(t *testing.T) {
 		Value:    int64(1),
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -248,7 +249,7 @@ func Test_Eval_Equal_Const_float64_Pass(t *testing.T) {
 		Value:    1.5,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -262,7 +263,7 @@ func Test_Eval_Equal_Const_float64_Fail(t *testing.T) {
 		Value:    1.6,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -276,7 +277,7 @@ func Test_Eval_NoEqual_Const_float64_Pass(t *testing.T) {
 		Value:    1.6,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -290,7 +291,7 @@ func Test_Eval_NoEqual_Const_float64_Fail(t *testing.T) {
 		Value:    1.5,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -320,7 +321,7 @@ func Test_Eval_Equal_Const_object_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -348,7 +349,7 @@ func Test_Eval_Equal_Const_object_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -376,7 +377,7 @@ func Test_Eval_NotEqual_Const_object_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -404,7 +405,7 @@ func Test_Eval_NotEqual_Const_object_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -434,7 +435,7 @@ func Test_Eval_Equal_Const_list_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -460,7 +461,7 @@ func Test_Eval_Equal_Const_list_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -486,7 +487,7 @@ func Test_Eval_NotEqual_Const_list_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -512,7 +513,7 @@ func Test_Eval_NotEqual_Const_list_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -545,7 +546,7 @@ func Test_Eval_Equal_Var_Pass(t *testing.T) {
 		Value:    "temp",
 	}
 
-	if !Evaluate(ctx, condition) {
+	if !Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -576,7 +577,7 @@ func Test_Eval_Equal_Var_Fail(t *testing.T) {
 		Value:    "temp1",
 	}
 
-	if Evaluate(ctx, condition) {
+	if Evaluate(log.Log, ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
diff --git a/pkg/engine/variables/operator/equal.go b/pkg/engine/variables/operator/equal.go
index 81ea80c621..1bc181f0f8 100644
--- a/pkg/engine/variables/operator/equal.go
+++ b/pkg/engine/variables/operator/equal.go
@@ -1,19 +1,21 @@
 package operator
 
 import (
+	"fmt"
 	"math"
 	"reflect"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
 
 //NewEqualHandler returns handler to manage Equal operations
-func NewEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
+func NewEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
 	return EqualHandler{
 		ctx:        ctx,
 		subHandler: subHandler,
+		log:        log,
 	}
 }
 
@@ -21,6 +23,7 @@ func NewEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionH
 type EqualHandler struct {
 	ctx        context.EvalInterface
 	subHandler VariableSubstitutionHandler
+	log        logr.Logger
 }
 
 //Evaluate evaluates expression with Equal Operator
@@ -28,14 +31,14 @@ func (eh EqualHandler) Evaluate(key, value interface{}) bool {
 	var err error
 	//TODO: decouple variables from evaluation
 	// substitute the variables
-	if key, err = eh.subHandler(eh.ctx, key); err != nil {
+	if key, err = eh.subHandler(eh.log, eh.ctx, key); err != nil {
 		// Failed to resolve the variable
-		glog.Infof("Failed to resolve variables in key: %s: %v", key, err)
+		eh.log.Error(err, "Failed to resolve variable", "variable", key)
 		return false
 	}
-	if value, err = eh.subHandler(eh.ctx, value); err != nil {
+	if value, err = eh.subHandler(eh.log, eh.ctx, value); err != nil {
 		// Failed to resolve the variable
-		glog.Infof("Failed to resolve variables in value: %s: %v", value, err)
+		eh.log.Error(err, "Failed to resolve variable", "variable", value)
 		return false
 	}
 
@@ -56,7 +59,7 @@ func (eh EqualHandler) Evaluate(key, value interface{}) bool {
 	case []interface{}:
 		return eh.validateValueWithSlicePattern(typedKey, value)
 	default:
-		glog.Errorf("Unsupported type %v", typedKey)
+		eh.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey))
 		return false
 	}
 }
@@ -65,7 +68,7 @@ func (eh EqualHandler) validateValueWithSlicePattern(key []interface{}, value in
 	if val, ok := value.([]interface{}); ok {
 		return reflect.DeepEqual(key, val)
 	}
-	glog.Warningf("Expected []interface{}, %v is of type %T", value, value)
+	eh.log.Info("Expected type []interface{}", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -73,7 +76,7 @@ func (eh EqualHandler) validateValueWithMapPattern(key map[string]interface{}, v
 	if val, ok := value.(map[string]interface{}); ok {
 		return reflect.DeepEqual(key, val)
 	}
-	glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value)
+	eh.log.Info("Expected type map[string]interface{}", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -81,7 +84,8 @@ func (eh EqualHandler) validateValuewithStringPattern(key string, value interfac
 	if val, ok := value.(string); ok {
 		return key == val
 	}
-	glog.Warningf("Expected string, %v is of type %T", value, value)
+
+	eh.log.Info("Expected type string", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -92,25 +96,25 @@ func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interfac
 		if key == math.Trunc(key) {
 			return int(key) == typedValue
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		eh.log.Info("Expected type float, found int", "typedValue", typedValue)
 	case int64:
 		// check that float has not fraction
 		if key == math.Trunc(key) {
 			return int64(key) == typedValue
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		eh.log.Info("Expected type float, found int", "typedValue", typedValue)
 	case float64:
 		return typedValue == key
 	case string:
 		// extract float from string
 		float64Num, err := strconv.ParseFloat(typedValue, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse float64 from string: %v", err)
+			eh.log.Error(err, "Failed to parse float64 from string")
 			return false
 		}
 		return float64Num == key
 	default:
-		glog.Warningf("Expected float, found: %T\n", value)
+		eh.log.Info("Expected type float", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 	return false
@@ -119,7 +123,7 @@ func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interfac
 func (eh EqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool {
 	typedValue, ok := value.(bool)
 	if !ok {
-		glog.Error("Expected bool, found %V", value)
+		eh.log.Info("Expected type bool", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 	return key == typedValue
@@ -136,18 +140,18 @@ func (eh EqualHandler) validateValuewithIntPattern(key int64, value interface{})
 		if typedValue == math.Trunc(typedValue) {
 			return int64(typedValue) == key
 		}
-		glog.Warningf("Expected int, found float: %f", typedValue)
+		eh.log.Info("Expected type int, found float", "value", typedValue, "type", fmt.Sprintf("%T", typedValue))
 		return false
 	case string:
 		// extract in64 from string
 		int64Num, err := strconv.ParseInt(typedValue, 10, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse int64 from string: %v", err)
+			eh.log.Error(err, "Failed to parse int64 from string")
 			return false
 		}
 		return int64Num == key
 	default:
-		glog.Warningf("Expected int, %v is of type %T", value, value)
+		eh.log.Info("Expected type int", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 }
diff --git a/pkg/engine/variables/operator/notequal.go b/pkg/engine/variables/operator/notequal.go
index 9af9e891f3..ce9b4e87f8 100644
--- a/pkg/engine/variables/operator/notequal.go
+++ b/pkg/engine/variables/operator/notequal.go
@@ -1,19 +1,21 @@
 package operator
 
 import (
+	"fmt"
 	"math"
 	"reflect"
 	"strconv"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
 
 //NewNotEqualHandler returns handler to manage NotEqual operations
-func NewNotEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
+func NewNotEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
 	return NotEqualHandler{
 		ctx:        ctx,
 		subHandler: subHandler,
+		log:        log,
 	}
 }
 
@@ -21,6 +23,7 @@ func NewNotEqualHandler(ctx context.EvalInterface, subHandler VariableSubstituti
 type NotEqualHandler struct {
 	ctx        context.EvalInterface
 	subHandler VariableSubstitutionHandler
+	log        logr.Logger
 }
 
 //Evaluate evaluates expression with NotEqual Operator
@@ -28,14 +31,14 @@ func (neh NotEqualHandler) Evaluate(key, value interface{}) bool {
 	var err error
 	//TODO: decouple variables from evaluation
 	// substitute the variables
-	if key, err = neh.subHandler(neh.ctx, key); err != nil {
+	if key, err = neh.subHandler(neh.log, neh.ctx, key); err != nil {
 		// Failed to resolve the variable
-		glog.Infof("Failed to resolve variables in key: %s: %v", key, err)
+		neh.log.Error(err, "Failed to resolve variable", "variable", key)
 		return false
 	}
-	if value, err = neh.subHandler(neh.ctx, value); err != nil {
+	if value, err = neh.subHandler(neh.log, neh.ctx, value); err != nil {
 		// Failed to resolve the variable
-		glog.Infof("Failed to resolve variables in value: %s: %v", value, err)
+		neh.log.Error(err, "Failed to resolve variable", "variable", value)
 		return false
 	}
 	// key and value need to be of same type
@@ -55,7 +58,7 @@ func (neh NotEqualHandler) Evaluate(key, value interface{}) bool {
 	case []interface{}:
 		return neh.validateValueWithSlicePattern(typedKey, value)
 	default:
-		glog.Error("Unsupported type %V", typedKey)
+		neh.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey))
 		return false
 	}
 }
@@ -64,7 +67,7 @@ func (neh NotEqualHandler) validateValueWithSlicePattern(key []interface{}, valu
 	if val, ok := value.([]interface{}); ok {
 		return !reflect.DeepEqual(key, val)
 	}
-	glog.Warningf("Expected []interface{}, %v is of type %T", value, value)
+	neh.log.Info("Expected type []interface{}", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -72,7 +75,7 @@ func (neh NotEqualHandler) validateValueWithMapPattern(key map[string]interface{
 	if val, ok := value.(map[string]interface{}); ok {
 		return !reflect.DeepEqual(key, val)
 	}
-	glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value)
+	neh.log.Info("Expected type map[string]interface{}", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -80,7 +83,7 @@ func (neh NotEqualHandler) validateValuewithStringPattern(key string, value inte
 	if val, ok := value.(string); ok {
 		return key != val
 	}
-	glog.Warningf("Expected string, %v is of type %T", value, value)
+	neh.log.Info("Expected type string", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
@@ -91,25 +94,25 @@ func (neh NotEqualHandler) validateValuewithFloatPattern(key float64, value inte
 		if key == math.Trunc(key) {
 			return int(key) != typedValue
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		neh.log.Info("Expected type float, found int", "typedValue", typedValue)
 	case int64:
 		// check that float has not fraction
 		if key == math.Trunc(key) {
 			return int64(key) != typedValue
 		}
-		glog.Warningf("Expected float, found int: %d\n", typedValue)
+		neh.log.Info("Expected type float, found int", "typedValue", typedValue)
 	case float64:
 		return typedValue != key
 	case string:
 		// extract float from string
 		float64Num, err := strconv.ParseFloat(typedValue, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse float64 from string: %v", err)
+			neh.log.Error(err, "Failed to parse float64 from string")
 			return false
 		}
 		return float64Num != key
 	default:
-		glog.Warningf("Expected float, found: %T\n", value)
+		neh.log.Info("Expected type float", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 	return false
@@ -118,7 +121,7 @@ func (neh NotEqualHandler) validateValuewithFloatPattern(key float64, value inte
 func (neh NotEqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool {
 	typedValue, ok := value.(bool)
 	if !ok {
-		glog.Error("Expected bool, found %V", value)
+		neh.log.Info("Expected type bool", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 	return key != typedValue
@@ -135,18 +138,18 @@ func (neh NotEqualHandler) validateValuewithIntPattern(key int64, value interfac
 		if typedValue == math.Trunc(typedValue) {
 			return int64(typedValue) != key
 		}
-		glog.Warningf("Expected int, found float: %f\n", typedValue)
+		neh.log.Info("Expected type int, found float", "value", typedValue, "type", fmt.Sprintf("%T", typedValue))
 		return false
 	case string:
 		// extract in64 from string
 		int64Num, err := strconv.ParseInt(typedValue, 10, 64)
 		if err != nil {
-			glog.Warningf("Failed to parse int64 from string: %v", err)
+			neh.log.Error(err, "Failed to parse int64 from string")
 			return false
 		}
 		return int64Num != key
 	default:
-		glog.Warningf("Expected int, %v is of type %T", value, value)
+		neh.log.Info("Expected type int", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
 	}
 }
diff --git a/pkg/engine/variables/operator/operator.go b/pkg/engine/variables/operator/operator.go
index 2b3f9ce7a1..adafe69982 100644
--- a/pkg/engine/variables/operator/operator.go
+++ b/pkg/engine/variables/operator/operator.go
@@ -1,7 +1,7 @@
 package operator
 
 import (
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
@@ -17,17 +17,17 @@ type OperatorHandler interface {
 }
 
 //VariableSubstitutionHandler defines the handler function for variable substitution
-type VariableSubstitutionHandler = func(ctx context.EvalInterface, pattern interface{}) (interface{}, error)
+type VariableSubstitutionHandler = func(log logr.Logger, ctx context.EvalInterface, pattern interface{}) (interface{}, error)
 
 //CreateOperatorHandler returns the operator handler based on the operator used in condition
-func CreateOperatorHandler(ctx context.EvalInterface, op kyverno.ConditionOperator, subHandler VariableSubstitutionHandler) OperatorHandler {
+func CreateOperatorHandler(log logr.Logger, ctx context.EvalInterface, op kyverno.ConditionOperator, subHandler VariableSubstitutionHandler) OperatorHandler {
 	switch op {
 	case kyverno.Equal:
-		return NewEqualHandler(ctx, subHandler)
+		return NewEqualHandler(log, ctx, subHandler)
 	case kyverno.NotEqual:
-		return NewNotEqualHandler(ctx, subHandler)
+		return NewNotEqualHandler(log, ctx, subHandler)
 	default:
-		glog.Errorf("unsupported operator: %s", string(op))
+		log.Info("operator not supported", "operator", string(op))
 	}
 	return nil
 }
diff --git a/pkg/engine/variables/variables_test.go b/pkg/engine/variables/variables_test.go
index 6d2eb7c60c..e01bf4f820 100644
--- a/pkg/engine/variables/variables_test.go
+++ b/pkg/engine/variables/variables_test.go
@@ -7,6 +7,7 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
@@ -84,7 +85,7 @@ func Test_variablesub1(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -174,7 +175,7 @@ func Test_variablesub_multiple(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -261,7 +262,7 @@ func Test_variablesubstitution(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -322,7 +323,7 @@ func Test_variableSubstitutionValue(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -380,7 +381,7 @@ func Test_variableSubstitutionValueOperatorNotEqual(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -439,7 +440,7 @@ func Test_variableSubstitutionValueFail(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err == nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err == nil {
 		t.Log("expected to fails")
 		t.Fail()
 	}
@@ -497,7 +498,7 @@ func Test_variableSubstitutionObject(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -561,7 +562,7 @@ func Test_variableSubstitutionObjectOperatorNotEqualFail(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err == nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err == nil {
 		t.Error(err)
 	}
 
@@ -620,7 +621,7 @@ func Test_variableSubstitutionMultipleObject(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go
index 4c336f2ede..59fd8f7fd5 100644
--- a/pkg/engine/variables/vars.go
+++ b/pkg/engine/variables/vars.go
@@ -6,7 +6,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
 
@@ -17,9 +17,9 @@ const (
 
 //SubstituteVars replaces the variables with the values defined in the context
 // - if any variable is invaid or has nil value, it is considered as a failed varable substitution
-func SubstituteVars(ctx context.EvalInterface, pattern interface{}) (interface{}, error) {
+func SubstituteVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}) (interface{}, error) {
 	errs := []error{}
-	pattern = subVars(ctx, pattern, "", &errs)
+	pattern = subVars(log, ctx, pattern, "", &errs)
 	if len(errs) == 0 {
 		// no error while parsing the pattern
 		return pattern, nil
@@ -27,40 +27,40 @@ func SubstituteVars(ctx context.EvalInterface, pattern interface{}) (interface{}
 	return pattern, fmt.Errorf("%v", errs)
 }
 
-func subVars(ctx context.EvalInterface, pattern interface{}, path string, errs *[]error) interface{} {
+func subVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}, path string, errs *[]error) interface{} {
 	switch typedPattern := pattern.(type) {
 	case map[string]interface{}:
-		return subMap(ctx, typedPattern, path, errs)
+		return subMap(log, ctx, typedPattern, path, errs)
 	case []interface{}:
-		return subArray(ctx, typedPattern, path, errs)
+		return subArray(log, ctx, typedPattern, path, errs)
 	case string:
-		return subValR(ctx, typedPattern, path, errs)
+		return subValR(log, ctx, typedPattern, path, errs)
 	default:
 		return pattern
 	}
 }
 
-func subMap(ctx context.EvalInterface, patternMap map[string]interface{}, path string, errs *[]error) map[string]interface{} {
+func subMap(log logr.Logger, ctx context.EvalInterface, patternMap map[string]interface{}, path string, errs *[]error) map[string]interface{} {
 	for key, patternElement := range patternMap {
 		curPath := path + "/" + key
-		value := subVars(ctx, patternElement, curPath, errs)
+		value := subVars(log, ctx, patternElement, curPath, errs)
 		patternMap[key] = value
 
 	}
 	return patternMap
 }
 
-func subArray(ctx context.EvalInterface, patternList []interface{}, path string, errs *[]error) []interface{} {
+func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interface{}, path string, errs *[]error) []interface{} {
 	for idx, patternElement := range patternList {
 		curPath := path + "/" + strconv.Itoa(idx)
-		value := subVars(ctx, patternElement, curPath, errs)
+		value := subVars(log, ctx, patternElement, curPath, errs)
 		patternList[idx] = value
 	}
 	return patternList
 }
 
 // subValR resolves the variables if defined
-func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
+func subValR(log logr.Logger, ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
 
 	// variable values can be scalar values(string,int, float) or they can be obects(map,slice)
 	// - {{variable}}
@@ -73,7 +73,7 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 	// since this might be a potential place for error, required better error reporting and handling
 
 	// object values are only suported for single variable substitution
-	if ok, retVal := processIfSingleVariable(ctx, valuePattern, path, errs); ok {
+	if ok, retVal := processIfSingleVariable(log, ctx, valuePattern, path, errs); ok {
 		return retVal
 	}
 	// var emptyInterface interface{}
@@ -82,7 +82,7 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 	for {
 		valueStr := valuePattern
 		if len(failedVars) != 0 {
-			glog.Info("some failed variables short-circuiting")
+			log.Info("failed to resolve variablesl short-circuiting")
 			break
 		}
 		// get variables at this level
@@ -123,7 +123,7 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 				continue
 			}
 			// if type is not scalar then consider this as a failed variable
-			glog.Infof("variable %s resolves to non-scalar value %v. Non-Scalar values are not supported for nested variables", k, v)
+			log.Info("variable resolves to non-scalar value. Non-Scalar values are not supported for nested variables", "variable", k, "value", v)
 			failedVars = append(failedVars, k)
 		}
 		valuePattern = newVal
@@ -143,10 +143,10 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 // if the value can be evaluted return the value
 // -> return value can be scalar or object type
 // -> if the variable is not present in the context then add an error and dont process further
-func processIfSingleVariable(ctx context.EvalInterface, valuePattern interface{}, path string, errs *[]error) (bool, interface{}) {
+func processIfSingleVariable(log logr.Logger, ctx context.EvalInterface, valuePattern interface{}, path string, errs *[]error) (bool, interface{}) {
 	valueStr, ok := valuePattern.(string)
 	if !ok {
-		glog.Infof("failed to convert %v to string", valuePattern)
+		log.Info("failed to convert to string", "pattern", valuePattern)
 		return false, nil
 	}
 	// get variables at this level
diff --git a/pkg/engine/variables/vars_test.go b/pkg/engine/variables/vars_test.go
index 171c62ace4..aae517a082 100644
--- a/pkg/engine/variables/vars_test.go
+++ b/pkg/engine/variables/vars_test.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Test_subVars_success(t *testing.T) {
@@ -64,7 +65,7 @@ func Test_subVars_success(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, pattern); err != nil {
+	if _, err := SubstituteVars(log.Log, ctx, pattern); err != nil {
 		t.Error(err)
 	}
 }
@@ -125,7 +126,7 @@ func Test_subVars_failed(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(ctx, pattern); err == nil {
+	if _, err := SubstituteVars(log.Log, ctx, pattern); err == nil {
 		t.Error("error is expected")
 	}
 }
@@ -152,5 +153,5 @@ func Test_SubvarRecursive(t *testing.T) {
 	ctx := context.NewContext()
 	assert.Assert(t, ctx.AddResource(resourceRaw))
 	errs := []error{}
-	subValR(ctx, string(patternRaw), "/", &errs)
+	subValR(log.Log, ctx, string(patternRaw), "/", &errs)
 }
diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index aa98d09e42..a33e50f756 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -3,7 +3,7 @@ package event
 import (
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -17,6 +17,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog"
 )
 
 //Generator generate events
@@ -34,6 +35,7 @@ type Generator struct {
 	admissionCtrRecorder record.EventRecorder
 	// events generated at namespaced policy controller to process 'generate' rule
 	genPolicyRecorder record.EventRecorder
+	log               logr.Logger
 }
 
 //Interface to generate event
@@ -42,32 +44,33 @@ type Interface interface {
 }
 
 //NewEventGenerator to generate a new event controller
-func NewEventGenerator(client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer) *Generator {
+func NewEventGenerator(client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer, log logr.Logger) *Generator {
 
 	gen := Generator{
 		client:               client,
 		pLister:              pInformer.Lister(),
 		queue:                workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), eventWorkQueueName),
 		pSynced:              pInformer.Informer().HasSynced,
-		policyCtrRecorder:    initRecorder(client, PolicyController),
-		admissionCtrRecorder: initRecorder(client, AdmissionController),
-		genPolicyRecorder:    initRecorder(client, GeneratePolicyController),
+		policyCtrRecorder:    initRecorder(client, PolicyController, log),
+		admissionCtrRecorder: initRecorder(client, AdmissionController, log),
+		genPolicyRecorder:    initRecorder(client, GeneratePolicyController, log),
+		log:                  log,
 	}
 	return &gen
 }
 
-func initRecorder(client *client.Client, eventSource Source) record.EventRecorder {
+func initRecorder(client *client.Client, eventSource Source, log logr.Logger) record.EventRecorder {
 	// Initliaze Event Broadcaster
 	err := scheme.AddToScheme(scheme.Scheme)
 	if err != nil {
-		glog.Error(err)
+		log.Error(err, "failed to add to scheme")
 		return nil
 	}
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(glog.V(4).Infof)
+	eventBroadcaster.StartLogging(klog.Infof)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
-		glog.Error(err) // TODO: add more specific error
+		log.Error(err, "failed to get event interface for logging")
 		return nil
 	}
 	eventBroadcaster.StartRecordingToSink(
@@ -81,11 +84,12 @@ func initRecorder(client *client.Client, eventSource Source) record.EventRecorde
 
 //Add queues an event for generation
 func (gen *Generator) Add(infos ...Info) {
+	logger := gen.log
 	for _, info := range infos {
 		if info.Name == "" {
 			// dont create event for resources with generateName
 			// as the name is not generated yet
-			glog.V(4).Infof("received info %v, not creating an event as the resource has not been assigned a name yet", info)
+			logger.V(4).Info("not creating an event as the resource has not been assigned a name yet", "kind", info.Kind, "name", info.Name, "namespace", info.Namespace)
 			continue
 		}
 		gen.queue.Add(info)
@@ -94,12 +98,14 @@ func (gen *Generator) Add(infos ...Info) {
 
 // Run begins generator
 func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
+	logger := gen.log
 	defer utilruntime.HandleCrash()
-	glog.Info("Starting event generator")
-	defer glog.Info("Shutting down event generator")
+
+	logger.Info("start")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, gen.pSynced) {
-		glog.Error("event generator: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 	}
 
 	for i := 0; i < workers; i++ {
@@ -114,24 +120,25 @@ func (gen *Generator) runWorker() {
 }
 
 func (gen *Generator) handleErr(err error, key interface{}) {
+	logger := gen.log
 	if err == nil {
 		gen.queue.Forget(key)
 		return
 	}
 	// This controller retries if something goes wrong. After that, it stops trying.
 	if gen.queue.NumRequeues(key) < workQueueRetryLimit {
-		glog.Warningf("Error syncing events %v(re-queuing request, the resource might not have been created yet): %v", key, err)
+		logger.Error(err, "Error syncing events;re-queuing request,the resource might not have been created yet", "key", key)
 		// Re-enqueue the key rate limited. Based on the rate limiter on the
 		// queue and the re-enqueue history, the key will be processed later again.
 		gen.queue.AddRateLimited(key)
 		return
 	}
 	gen.queue.Forget(key)
-	glog.Error(err)
-	glog.Warningf("Dropping the key out of the queue: %v", err)
+	logger.Error(err, "dropping the key out of queue", "key", key)
 }
 
 func (gen *Generator) processNextWorkItem() bool {
+	logger := gen.log
 	obj, shutdown := gen.queue.Get()
 	if shutdown {
 		return false
@@ -144,7 +151,7 @@ func (gen *Generator) processNextWorkItem() bool {
 
 		if key, ok = obj.(Info); !ok {
 			gen.queue.Forget(obj)
-			glog.Warningf("Expecting type info by got %v\n", obj)
+			logger.Info("Incorrect type; expected type 'info'", "obj", obj)
 			return nil
 		}
 		err := gen.syncHandler(key)
@@ -152,13 +159,14 @@ func (gen *Generator) processNextWorkItem() bool {
 		return nil
 	}(obj)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to process next work item")
 		return true
 	}
 	return true
 }
 
 func (gen *Generator) syncHandler(key Info) error {
+	logger := gen.log
 	var robj runtime.Object
 	var err error
 	switch key.Kind {
@@ -166,13 +174,13 @@ func (gen *Generator) syncHandler(key Info) error {
 		//TODO: policy is clustered resource so wont need namespace
 		robj, err = gen.pLister.Get(key.Name)
 		if err != nil {
-			glog.V(4).Infof("Error creating event: unable to get policy %s, will retry ", key.Name)
+			logger.Error(err, "failed to get policy", "name", key.Name)
 			return err
 		}
 	default:
 		robj, err = gen.client.GetResource(key.Kind, key.Namespace, key.Name)
 		if err != nil {
-			glog.V(4).Infof("Error creating event: unable to get resource %s/%s/%s, will retry ", key.Kind, key.Namespace, key.Name)
+			logger.Error(err, "failed to get resource", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace)
 			return err
 		}
 	}
@@ -192,13 +200,14 @@ func (gen *Generator) syncHandler(key Info) error {
 	case GeneratePolicyController:
 		gen.genPolicyRecorder.Event(robj, eventType, key.Reason, key.Message)
 	default:
-		glog.Info("info.source not defined for the event generator request")
+		logger.Info("info.source not defined for the request")
 	}
 	return nil
 }
 
 //NewEvent builds a event creation request
 func NewEvent(
+	log logr.Logger,
 	rkind,
 	rapiVersion,
 	rnamespace,
@@ -209,7 +218,7 @@ func NewEvent(
 	args ...interface{}) Info {
 	msgText, err := getEventMsg(message, args...)
 	if err != nil {
-		glog.Error(err)
+		log.Error(err, "failed to get event message")
 	}
 	return Info{
 		Kind:      rkind,
diff --git a/pkg/generate/cleanup/cleanup.go b/pkg/generate/cleanup/cleanup.go
index d25fddd44e..de1758aeba 100644
--- a/pkg/generate/cleanup/cleanup.go
+++ b/pkg/generate/cleanup/cleanup.go
@@ -1,19 +1,20 @@
 package cleanup
 
 import (
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
 func (c *Controller) processGR(gr kyverno.GenerateRequest) error {
+	logger := c.log.WithValues("kind", gr.Kind, "namespace", gr.Namespace, "name", gr.Name)
 	// 1- Corresponding policy has been deleted
 	// then we dont delete the generated resources
 
 	// 2- The trigger resource is deleted, then delete the generated resources
-	if !ownerResourceExists(c.client, gr) {
-		if err := deleteGeneratedResources(c.client, gr); err != nil {
+	if !ownerResourceExists(logger, c.client, gr) {
+		if err := deleteGeneratedResources(logger, c.client, gr); err != nil {
 			return err
 		}
 		// - trigger-resource is deleted
@@ -24,25 +25,25 @@ func (c *Controller) processGR(gr kyverno.GenerateRequest) error {
 	return nil
 }
 
-func ownerResourceExists(client *dclient.Client, gr kyverno.GenerateRequest) bool {
+func ownerResourceExists(log logr.Logger, client *dclient.Client, gr kyverno.GenerateRequest) bool {
 	_, err := client.GetResource(gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name)
 	// trigger resources has been deleted
 	if apierrors.IsNotFound(err) {
 		return false
 	}
 	if err != nil {
-		glog.V(4).Infof("Failed to get resource %s/%s/%s: error : %s", gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name, err)
+		log.Error(err, "failed to get resource", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name)
 	}
 	// if there was an error while querying the resources we dont delete the generated resources
 	// but expect the deletion in next reconciliation loop
 	return true
 }
 
-func deleteGeneratedResources(client *dclient.Client, gr kyverno.GenerateRequest) error {
+func deleteGeneratedResources(log logr.Logger, client *dclient.Client, gr kyverno.GenerateRequest) error {
 	for _, genResource := range gr.Status.GeneratedResources {
 		err := client.DeleteResource(genResource.Kind, genResource.Namespace, genResource.Name, false)
 		if apierrors.IsNotFound(err) {
-			glog.V(4).Infof("resource %s/%s/%s not found, will no delete", genResource.Kind, genResource.Namespace, genResource.Name)
+			log.Error(err, "resource not foundl will not delete", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name)
 			continue
 		}
 		if err != nil {
diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go
index 396058a346..2c31254219 100644
--- a/pkg/generate/cleanup/controller.go
+++ b/pkg/generate/cleanup/controller.go
@@ -1,11 +1,9 @@
 package cleanup
 
 import (
-	"fmt"
 	"time"
 
-	"github.com/golang/glog"
-
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -53,6 +51,7 @@ type Controller struct {
 	//TODO: list of generic informers
 	// only support Namespaces for deletion of resource
 	nsInformer informers.GenericInformer
+	log        logr.Logger
 }
 
 //NewController returns a new controller instance to manage generate-requests
@@ -62,6 +61,7 @@ func NewController(
 	pInformer kyvernoinformer.ClusterPolicyInformer,
 	grInformer kyvernoinformer.GenerateRequestInformer,
 	dynamicInformer dynamicinformer.DynamicSharedInformerFactory,
+	log logr.Logger,
 ) *Controller {
 	c := Controller{
 		kyvernoClient: kyvernoclient,
@@ -70,6 +70,7 @@ func NewController(
 		// as we dont want a deleted GR to be re-queue
 		queue:           workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request-cleanup"),
 		dynamicInformer: dynamicInformer,
+		log:             log,
 	}
 	c.control = Control{client: kyvernoclient}
 	c.enqueueGR = c.enqueue
@@ -102,10 +103,11 @@ func NewController(
 }
 
 func (c *Controller) deleteGenericResource(obj interface{}) {
+	logger := c.log
 	r := obj.(*unstructured.Unstructured)
 	grs, err := c.grLister.GetGenerateRequestsForResource(r.GetKind(), r.GetNamespace(), r.GetName())
 	if err != nil {
-		glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", r.GetKind(), r.GetNamespace(), r.GetName(), err)
+		logger.Error(err, "failed to get generate request CR for resource", "kind", r.GetKind(), "namespace", r.GetNamespace(), "name", r.GetName())
 		return
 	}
 	// re-evaluate the GR as the resource was deleted
@@ -115,26 +117,27 @@ func (c *Controller) deleteGenericResource(obj interface{}) {
 }
 
 func (c *Controller) deletePolicy(obj interface{}) {
+	logger := c.log
 	p, ok := obj.(*kyverno.ClusterPolicy)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("ouldn't get object from tombstone", "obj", obj)
 			return
 		}
 		_, ok = tombstone.Obj.(*kyverno.ClusterPolicy)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj))
+			logger.Info("Tombstone contained object that is not a Generate Request", "obj", obj)
 			return
 		}
 	}
-	glog.V(4).Infof("Deleting Policy %s", p.Name)
+	logger.V(4).Info("deleting policy", "name", p.Name)
 	// clean up the GR
 	// Get the corresponding GR
 	// get the list of GR for the current Policy version
 	grs, err := c.grLister.GetGenerateRequestsForClusterPolicy(p.Name)
 	if err != nil {
-		glog.Errorf("failed to Generate Requests for policy %s: %v", p.Name, err)
+		logger.Error(err, "failed to generate request CR for the policy", "name", p.Name)
 		return
 	}
 	for _, gr := range grs {
@@ -153,44 +156,46 @@ func (c *Controller) updateGR(old, cur interface{}) {
 }
 
 func (c *Controller) deleteGR(obj interface{}) {
+	logger := c.log
 	gr, ok := obj.(*kyverno.GenerateRequest)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		_, ok = tombstone.Obj.(*kyverno.GenerateRequest)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj))
+			logger.Info("ombstone contained object that is not a Generate Request", "obj", obj)
 			return
 		}
 	}
-	glog.V(4).Infof("Deleting GR %s", gr.Name)
+	logger.V(4).Info("deleting Generate Request CR", "name", gr.Name)
 	// sync Handler will remove it from the queue
 	c.enqueueGR(gr)
 }
 
 func (c *Controller) enqueue(gr *kyverno.GenerateRequest) {
+	logger := c.log
 	key, err := cache.MetaNamespaceKeyFunc(gr)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to extract key")
 		return
 	}
-	glog.V(4).Infof("cleanup enqueu: %v", gr.Name)
+	logger.V(4).Info("eneque generate request", "name", gr.Name)
 	c.queue.Add(key)
 }
 
 //Run starts the generate-request re-conciliation loop
 func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
+	logger := c.log
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
-
-	glog.Info("Starting generate-policy-cleanup controller")
-	defer glog.Info("Shutting down generate-policy-cleanup controller")
+	logger.Info("starting")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, c.pSynced, c.grSynced) {
-		glog.Error("generate-policy-cleanup controller: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 		return
 	}
 	for i := 0; i < workers; i++ {
@@ -219,31 +224,33 @@ func (c *Controller) processNextWorkItem() bool {
 }
 
 func (c *Controller) handleErr(err error, key interface{}) {
+	logger := c.log
 	if err == nil {
 		c.queue.Forget(key)
 		return
 	}
 
 	if c.queue.NumRequeues(key) < maxRetries {
-		glog.Errorf("Error syncing Generate Request %v: %v", key, err)
+		logger.Error(err, "failed to sync generate request", "key", key)
 		c.queue.AddRateLimited(key)
 		return
 	}
 	utilruntime.HandleError(err)
-	glog.Infof("Dropping generate request %q out of the queue: %v", key, err)
+	logger.Error(err, "dropping generate request out of the queue", "key", key)
 	c.queue.Forget(key)
 }
 
 func (c *Controller) syncGenerateRequest(key string) error {
+	logger := c.log.WithValues("key", key)
 	var err error
 	startTime := time.Now()
-	glog.V(4).Infof("Started syncing GR %q (%v)", key, startTime)
+	logger.Info("started syncing generate request", "startTime", startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing GR %q (%v)", key, time.Since(startTime))
+		logger.V(4).Info("finished syncying generate request", "processingTIme", time.Since(startTime))
 	}()
 	_, grName, err := cache.SplitMetaNamespaceKey(key)
 	if errors.IsNotFound(err) {
-		glog.Infof("Generate Request %s has been deleted", key)
+		logger.Info("generate request has been deleted")
 		return nil
 	}
 	if err != nil {
diff --git a/pkg/generate/controller.go b/pkg/generate/controller.go
index d40ed2af0d..b848609177 100644
--- a/pkg/generate/controller.go
+++ b/pkg/generate/controller.go
@@ -1,10 +1,9 @@
 package generate
 
 import (
-	"fmt"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -57,9 +56,9 @@ type Controller struct {
 	dynamicInformer dynamicinformer.DynamicSharedInformerFactory
 	//TODO: list of generic informers
 	// only support Namespaces for re-evalutation on resource updates
-	nsInformer informers.GenericInformer
-
+	nsInformer           informers.GenericInformer
 	policyStatusListener policystatus.Listener
+	log                  logr.Logger
 }
 
 //NewController returns an instance of the Generate-Request Controller
@@ -72,6 +71,7 @@ func NewController(
 	pvGenerator policyviolation.GeneratorInterface,
 	dynamicInformer dynamicinformer.DynamicSharedInformerFactory,
 	policyStatus policystatus.Listener,
+	log logr.Logger,
 ) *Controller {
 	c := Controller{
 		client:        client,
@@ -82,6 +82,7 @@ func NewController(
 		// as we dont want a deleted GR to be re-queue
 		queue:                workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request"),
 		dynamicInformer:      dynamicInformer,
+		log:                  log,
 		policyStatusListener: policyStatus,
 	}
 	c.statusControl = StatusControl{client: kyvernoclient}
@@ -117,11 +118,12 @@ func NewController(
 }
 
 func (c *Controller) updateGenericResource(old, cur interface{}) {
+	logger := c.log
 	curR := cur.(*unstructured.Unstructured)
 
 	grs, err := c.grLister.GetGenerateRequestsForResource(curR.GetKind(), curR.GetNamespace(), curR.GetName())
 	if err != nil {
-		glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", curR.GetKind(), curR.GetNamespace(), curR.GetName(), err)
+		logger.Error(err, "failed to get generate request CR for the resoource", "kind", curR.GetKind(), "name", curR.GetName(), "namespace", curR.GetNamespace())
 		return
 	}
 	// re-evaluate the GR as the resource was updated
@@ -134,13 +136,14 @@ func (c *Controller) updateGenericResource(old, cur interface{}) {
 func (c *Controller) enqueue(gr *kyverno.GenerateRequest) {
 	key, err := cache.MetaNamespaceKeyFunc(gr)
 	if err != nil {
-		glog.Error(err)
+		c.log.Error(err, "failed to extract name")
 		return
 	}
 	c.queue.Add(key)
 }
 
 func (c *Controller) updatePolicy(old, cur interface{}) {
+	logger := c.log
 	oldP := old.(*kyverno.ClusterPolicy)
 	curP := cur.(*kyverno.ClusterPolicy)
 	if oldP.ResourceVersion == curP.ResourceVersion {
@@ -148,11 +151,11 @@ func (c *Controller) updatePolicy(old, cur interface{}) {
 		// Two different versions of the same replica set will always have different RVs.
 		return
 	}
-	glog.V(4).Infof("Updating Policy %s", oldP.Name)
+	logger.V(4).Info("updating policy", "name", oldP.Name)
 	// get the list of GR for the current Policy version
 	grs, err := c.grLister.GetGenerateRequestsForClusterPolicy(curP.Name)
 	if err != nil {
-		glog.Errorf("failed to Generate Requests for policy %s: %v", curP.Name, err)
+		logger.Error(err, "failed to generate request for policy", "name", curP.Name)
 		return
 	}
 	// re-evaluate the GR as the policy was updated
@@ -183,34 +186,36 @@ func (c *Controller) updateGR(old, cur interface{}) {
 }
 
 func (c *Controller) deleteGR(obj interface{}) {
+	logger := c.log
 	gr, ok := obj.(*kyverno.GenerateRequest)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		_, ok = tombstone.Obj.(*kyverno.GenerateRequest)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj))
+			logger.Info("tombstone contained object that is not a Generate Request CR", "obj", obj)
 			return
 		}
 	}
-	glog.V(4).Infof("Deleting GR %s", gr.Name)
+	logger.Info("deleting generate request", "name", gr.Name)
 	// sync Handler will remove it from the queue
 	c.enqueueGR(gr)
 }
 
 //Run ...
 func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
+	logger := c.log
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
-	glog.Info("Starting generate-policy controller")
-	defer glog.Info("Shutting down generate-policy controller")
+	logger.Info("starting")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, c.pSynced, c.grSynced) {
-		glog.Error("generate-policy controller: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 		return
 	}
 	for i := 0; i < workers; i++ {
@@ -239,27 +244,29 @@ func (c *Controller) processNextWorkItem() bool {
 }
 
 func (c *Controller) handleErr(err error, key interface{}) {
+	logger := c.log
 	if err == nil {
 		c.queue.Forget(key)
 		return
 	}
 
 	if c.queue.NumRequeues(key) < maxRetries {
-		glog.Errorf("Error syncing Generate Request %v: %v", key, err)
+		logger.Error(err, "failed to sync generate request", "key", key)
 		c.queue.AddRateLimited(key)
 		return
 	}
 	utilruntime.HandleError(err)
-	glog.Infof("Dropping generate request %q out of the queue: %v", key, err)
+	logger.Error(err, "Dropping generate request from the queue", "key", key)
 	c.queue.Forget(key)
 }
 
 func (c *Controller) syncGenerateRequest(key string) error {
+	logger := c.log
 	var err error
 	startTime := time.Now()
-	glog.V(4).Infof("Started syncing GR %q (%v)", key, startTime)
+	logger.Info("started sync", "key", key, "startTime", startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing GR %q (%v)", key, time.Since(startTime))
+		logger.V(4).Info("finished sync", "key", key, "processingTime", time.Since(startTime))
 	}()
 	_, grName, err := cache.SplitMetaNamespaceKey(key)
 	if err != nil {
@@ -268,7 +275,7 @@ func (c *Controller) syncGenerateRequest(key string) error {
 
 	gr, err := c.grLister.Get(grName)
 	if err != nil {
-		glog.V(4).Info(err)
+		logger.Error(err, "failed to list generate requests")
 		return err
 	}
 	return c.processGR(gr)
diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go
index bff1dbbca6..9f3edc4bc8 100644
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -17,6 +17,7 @@ import (
 )
 
 func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
+	logger := c.log.WithValues("name", gr.Name, "policy", gr.Spec.Policy, "kind", gr.Spec.Resource.Kind, "namespace", gr.Spec.Resource.Namespace, "name", gr.Spec.Resource.Name)
 	var err error
 	var resource *unstructured.Unstructured
 	var genResources []kyverno.ResourceSpec
@@ -24,45 +25,46 @@ func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
 	resource, err = getResource(c.client, gr.Spec.Resource)
 	if err != nil {
 		// Dont update status
-		glog.V(4).Infof("resource does not exist or is yet to be created, requeuing: %v", err)
+		logger.Error(err, "resource does not exist or is yet to be created, requeueing")
 		return err
 	}
 	// 2 - Apply the generate policy on the resource
 	genResources, err = c.applyGenerate(*resource, *gr)
 	// 3 - Report Events
-	reportEvents(err, c.eventGen, *gr, *resource)
+	reportEvents(logger, err, c.eventGen, *gr, *resource)
 	// 4 - Update Status
 	return updateStatus(c.statusControl, *gr, err, genResources)
 }
 
 func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) {
+	logger := c.log.WithValues("name", gr.Name, "policy", gr.Spec.Policy, "kind", gr.Spec.Resource.Kind, "namespace", gr.Spec.Resource.Namespace, "name", gr.Spec.Resource.Name)
 	// Get the list of rules to be applied
 	// get policy
 	policy, err := c.pLister.Get(gr.Spec.Policy)
 	if err != nil {
-		glog.V(4).Infof("policy %s not found: %v", gr.Spec.Policy, err)
+		logger.Error(err, "policy not found")
 		return nil, nil
 	}
 	// build context
 	ctx := context.NewContext()
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
-		glog.V(4).Infof("failed to marshal resource: %v", err)
+		logger.Error(err, "failed to marshal resource")
 		return nil, err
 	}
 	err = ctx.AddResource(resourceRaw)
 	if err != nil {
-		glog.Infof("Failed to load resource in context: %v", err)
+		logger.Error(err, "failed to load resource in context")
 		return nil, err
 	}
 	err = ctx.AddUserInfo(gr.Spec.Context.UserRequestInfo)
 	if err != nil {
-		glog.Infof("Failed to load userInfo in context: %v", err)
+		logger.Error(err, "failed to load SA in context")
 		return nil, err
 	}
 	err = ctx.AddSA(gr.Spec.Context.UserRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		glog.Infof("Failed to load serviceAccount in context: %v", err)
+		logger.Error(err, "failed to load UserInfo in context")
 		return nil, err
 	}
 
@@ -76,12 +78,12 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
 	// check if the policy still applies to the resource
 	engineResponse := engine.Generate(policyContext)
 	if len(engineResponse.PolicyResponse.Rules) == 0 {
-		glog.V(4).Infof("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource)
+		logger.V(4).Info("policy does not apply to resource")
 		return nil, fmt.Errorf("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource)
 	}
 
 	// Apply the generate rule on resource
-	return c.applyGeneratePolicy(policyContext, gr)
+	return c.applyGeneratePolicy(logger, policyContext, gr)
 }
 
 func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateRequest, err error, genResources []kyverno.ResourceSpec) error {
@@ -93,7 +95,7 @@ func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateReque
 	return statusControl.Success(gr, genResources)
 }
 
-func (c *Controller) applyGeneratePolicy(policyContext engine.PolicyContext, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) {
+func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.PolicyContext, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) {
 	// List of generatedResources
 	var genResources []kyverno.ResourceSpec
 	// Get the response as the actions to be performed on the resource
@@ -113,9 +115,8 @@ func (c *Controller) applyGeneratePolicy(policyContext engine.PolicyContext, gr
 		if !rule.HasGenerate() {
 			continue
 		}
-
 		startTime := time.Now()
-		genResource, err := applyRule(c.client, rule, resource, ctx, processExisting)
+		genResource, err := applyRule(log, c.client, rule, resource, ctx, processExisting)
 		if err != nil {
 			return nil, err
 		}
@@ -172,7 +173,7 @@ func updateGenerateExecutionTime(newTime time.Duration, oldAverageTimeString str
 	return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond
 }
 
-func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool) (kyverno.ResourceSpec, error) {
+func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool) (kyverno.ResourceSpec, error) {
 	var rdata map[string]interface{}
 	var err error
 	var mode ResourceMode
@@ -187,7 +188,7 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.
 	// format : {{<variable_name}}
 	// - if there is variables that are not defined the context -> results in error and rule is not applied
 	// - valid variables are replaced with the values
-	if _, err := variables.SubstituteVars(ctx, genUnst.Object); err != nil {
+	if _, err := variables.SubstituteVars(log, ctx, genUnst.Object); err != nil {
 		return noGenResource, err
 	}
 	genKind, _, err := unstructured.NestedString(genUnst.Object, "kind")
@@ -219,9 +220,9 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.
 	}
 
 	if genData != nil {
-		rdata, mode, err = manageData(genKind, genNamespace, genName, genData, client, resource)
+		rdata, mode, err = manageData(log, genKind, genNamespace, genName, genData, client, resource)
 	} else {
-		rdata, mode, err = manageClone(genKind, genNamespace, genName, genCopy, client, resource)
+		rdata, mode, err = manageClone(log, genKind, genNamespace, genName, genCopy, client, resource)
 	}
 	if err != nil {
 		return noGenResource, err
@@ -248,38 +249,38 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.
 	// - app.kubernetes.io/managed-by: kyverno
 	// - kyverno.io/generated-by: kind/namespace/name (trigger resource)
 	manageLabels(newResource, resource)
-
+	logger := log.WithValues("genKind", genKind, "genNamespace", genNamespace, "genName", genName)
 	if mode == Create {
 		// Reset resource version
 		newResource.SetResourceVersion("")
 		// Create the resource
-		glog.V(4).Infof("Creating new resource %s/%s/%s", genKind, genNamespace, genName)
+		logger.V(4).Info("creating new resource")
 		_, err = client.CreateResource(genKind, genNamespace, newResource, false)
 		if err != nil {
 			// Failed to create resource
 			return noGenResource, err
 		}
-		glog.V(4).Infof("Created new resource %s/%s/%s", genKind, genNamespace, genName)
+		logger.V(4).Info("created new resource")
 
 	} else if mode == Update {
-		glog.V(4).Infof("Updating existing resource %s/%s/%s", genKind, genNamespace, genName)
+		logger.V(4).Info("updating existing resource")
 		// Update the resource
 		_, err := client.UpdateResource(genKind, genNamespace, newResource, false)
 		if err != nil {
 			// Failed to update resource
 			return noGenResource, err
 		}
-		glog.V(4).Infof("Updated existing resource %s/%s/%s", genKind, genNamespace, genName)
+		logger.V(4).Info("updated new resource")
 	}
 
 	return newGenResource, nil
 }
 
-func manageData(kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
+func manageData(log logr.Logger, kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
 	// check if resource to be generated exists
 	obj, err := client.GetResource(kind, namespace, name)
 	if apierrors.IsNotFound(err) {
-		glog.V(4).Infof("Resource %s/%s/%s does not exists, will try to create", kind, namespace, name)
+		log.Error(err, "resource does not exist, will try to create", "genKind", kind, "genNamespace", namespace, "genName", name)
 		return data, Create, nil
 	}
 	if err != nil {
@@ -288,18 +289,17 @@ func manageData(kind, namespace, name string, data map[string]interface{}, clien
 		return nil, Skip, err
 	}
 	// Resource exists; verfiy the content of the resource
-	err = checkResource(data, obj)
+	err = checkResource(log, data, obj)
 	if err == nil {
 		// Existing resource does contain the mentioned configuration in spec, skip processing the resource as it is already in expected state
 		return nil, Skip, nil
 	}
-
-	glog.V(4).Infof("Resource %s/%s/%s exists but missing required configuration, will try to update", kind, namespace, name)
+	log.Info("to be generated resoruce already exists, but is missing the specifeid configurations, will try to update", "genKind", kind, "genNamespace", namespace, "genName", name)
 	return data, Update, nil
 
 }
 
-func manageClone(kind, namespace, name string, clone map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
+func manageClone(log logr.Logger, kind, namespace, name string, clone map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
 	// check if resource to be generated exists
 	_, err := client.GetResource(kind, namespace, name)
 	if err == nil {
@@ -308,6 +308,7 @@ func manageClone(kind, namespace, name string, clone map[string]interface{}, cli
 	}
 	//TODO: check this
 	if !apierrors.IsNotFound(err) {
+		log.Error(err, "reference/clone resource is not found", "genKind", kind, "genNamespace", namespace, "genName", name)
 		//something wrong while fetching resource
 		return nil, Skip, err
 	}
@@ -325,8 +326,6 @@ func manageClone(kind, namespace, name string, clone map[string]interface{}, cli
 		// attempting to clone it self, this will fail -> short-ciruit it
 		return nil, Skip, nil
 	}
-
-	glog.V(4).Infof("check if resource %s/%s/%s exists", kind, newRNs, newRName)
 	// check if the resource as reference in clone exists?
 	obj, err := client.GetResource(kind, newRNs, newRName)
 	if err != nil {
@@ -349,10 +348,10 @@ const (
 	Update = "UPDATE"
 )
 
-func checkResource(newResourceSpec interface{}, resource *unstructured.Unstructured) error {
+func checkResource(log logr.Logger, newResourceSpec interface{}, resource *unstructured.Unstructured) error {
 	// check if the resource spec if a subset of the resource
-	if path, err := validate.ValidateResourceWithPattern(resource.Object, newResourceSpec); err != nil {
-		glog.V(4).Infof("Failed to match the resource at path %s: err %v", path, err)
+	if path, err := validate.ValidateResourceWithPattern(log, resource.Object, newResourceSpec); err != nil {
+		log.Error(err, "Failed to match the resource ", "path", path)
 		return err
 	}
 	return nil
diff --git a/pkg/generate/labels.go b/pkg/generate/labels.go
index 282caf55fa..c7d67b5a55 100644
--- a/pkg/generate/labels.go
+++ b/pkg/generate/labels.go
@@ -3,8 +3,8 @@ package generate
 import (
 	"fmt"
 
-	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func manageLabels(unstr *unstructured.Unstructured, triggerResource unstructured.Unstructured) {
@@ -30,7 +30,7 @@ func managedBy(labels map[string]string) {
 	val, ok := labels[key]
 	if ok {
 		if val != value {
-			glog.Infof("resource managed by %s, kyverno wont over-ride the label", val)
+			log.Log.Info(fmt.Sprintf("resource managed by %s, kyverno wont over-ride the label", val))
 			return
 		}
 	}
@@ -46,7 +46,7 @@ func generatedBy(labels map[string]string, triggerResource unstructured.Unstruct
 	val, ok := labels[key]
 	if ok {
 		if val != value {
-			glog.Infof("resource generated by %s, kyverno wont over-ride the label", val)
+			log.Log.Info(fmt.Sprintf("resource generated by %s, kyverno wont over-ride the label", val))
 			return
 		}
 	}
diff --git a/pkg/generate/report.go b/pkg/generate/report.go
index eaa5939e41..f9d24fcc10 100644
--- a/pkg/generate/report.go
+++ b/pkg/generate/report.go
@@ -3,13 +3,13 @@ package generate
 import (
 	"fmt"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/event"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
-func reportEvents(err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) {
+func reportEvents(log logr.Logger, err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) {
 	if err == nil {
 		// Success Events
 		// - resource -> policy rule applied successfully
@@ -18,7 +18,6 @@ func reportEvents(err error, eventGen event.Interface, gr kyverno.GenerateReques
 		eventGen.Add(events...)
 		return
 	}
-	glog.V(4).Infof("reporing events for %v", err)
 	events := failedEvents(err, gr, resource)
 	eventGen.Add(events...)
 }
diff --git a/pkg/generate/status.go b/pkg/generate/status.go
index 70d9539053..db0182f89a 100644
--- a/pkg/generate/status.go
+++ b/pkg/generate/status.go
@@ -1,9 +1,9 @@
 package generate
 
 import (
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //StatusControlInterface provides interface to update status subresource
@@ -25,10 +25,10 @@ func (sc StatusControl) Failed(gr kyverno.GenerateRequest, message string, genRe
 	gr.Status.GeneratedResources = genResources
 	_, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr)
 	if err != nil {
-		glog.V(4).Infof("FAILED: updated gr %s status to %s", gr.Name, string(kyverno.Failed))
+		log.Log.Error(err, "failed to update generate request status", "name", gr.Name)
 		return err
 	}
-	glog.V(4).Infof("updated gr %s status to %s", gr.Name, string(kyverno.Failed))
+	log.Log.Info("updated generate request status", "name", gr.Name, "status", string(kyverno.Failed))
 	return nil
 }
 
@@ -41,9 +41,9 @@ func (sc StatusControl) Success(gr kyverno.GenerateRequest, genResources []kyver
 
 	_, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr)
 	if err != nil {
-		glog.V(4).Infof("FAILED: updated gr %s status to %s", gr.Name, string(kyverno.Completed))
+		log.Log.Error(err, "failed to update generate request status", "name", gr.Name)
 		return err
 	}
-	glog.V(4).Infof("updated gr %s status to %s", gr.Name, string(kyverno.Completed))
+	log.Log.Info("updated generate request status", "name", gr.Name, "status", string(kyverno.Completed))
 	return nil
 }
diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index 95e0f241cd..26023c43e1 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -13,8 +13,6 @@ import (
 
 	policy2 "github.com/nirmata/kyverno/pkg/policy"
 
-	"github.com/golang/glog"
-
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
 	"k8s.io/client-go/discovery"
@@ -34,6 +32,7 @@ import (
 	yamlv2 "gopkg.in/yaml.v2"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/kubernetes/scheme"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Command() *cobra.Command {
@@ -51,7 +50,7 @@ func Command() *cobra.Command {
 			defer func() {
 				if err != nil {
 					if !sanitizedError.IsErrorSanitized(err) {
-						glog.V(4).Info(err)
+						log.Log.Error(err, "failed to sanitize")
 						err = fmt.Errorf("Internal error")
 					}
 				}
@@ -71,7 +70,7 @@ func Command() *cobra.Command {
 			}
 
 			for _, policy := range policies {
-				err := policy2.Validate(utils.MarshalPolicy(*policy))
+				err := policy2.Validate(utils.MarshalPolicy(*policy), nil, true)
 				if err != nil {
 					return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name))
 				}
diff --git a/pkg/kyverno/main.go b/pkg/kyverno/main.go
index d0d1163ef6..6424a57ddc 100644
--- a/pkg/kyverno/main.go
+++ b/pkg/kyverno/main.go
@@ -9,6 +9,9 @@ import (
 	"github.com/nirmata/kyverno/pkg/kyverno/apply"
 
 	"github.com/nirmata/kyverno/pkg/kyverno/version"
+	"k8s.io/klog"
+	"k8s.io/klog/klogr"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/spf13/cobra"
 )
@@ -19,7 +22,7 @@ func CLI() {
 		Short: "kyverno manages native policies of Kubernetes",
 	}
 
-	configureGlog(cli)
+	configurelog(cli)
 
 	commands := []*cobra.Command{
 		version.Command(),
@@ -36,9 +39,9 @@ func CLI() {
 	}
 }
 
-func configureGlog(cli *cobra.Command) {
-	flag.Parse()
-	_ = flag.Set("logtostderr", "true")
+func configurelog(cli *cobra.Command) {
+	klog.InitFlags(nil)
+	log.SetLogger(klogr.New())
 
 	cli.PersistentFlags().AddGoFlagSet(flag.CommandLine)
 	_ = cli.PersistentFlags().MarkHidden("alsologtostderr")
diff --git a/pkg/kyverno/validate/command.go b/pkg/kyverno/validate/command.go
index dce6e7dc32..82863aa397 100644
--- a/pkg/kyverno/validate/command.go
+++ b/pkg/kyverno/validate/command.go
@@ -11,13 +11,12 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/kyverno/sanitizedError"
 
-	"github.com/golang/glog"
-
 	policyvalidate "github.com/nirmata/kyverno/pkg/policy"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/util/yaml"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Command() *cobra.Command {
@@ -29,7 +28,7 @@ func Command() *cobra.Command {
 			defer func() {
 				if err != nil {
 					if !sanitizedError.IsErrorSanitized(err) {
-						glog.V(4).Info(err)
+						log.Log.Error(err, "failed to sanitize")
 						err = fmt.Errorf("Internal error")
 					}
 				}
@@ -45,7 +44,7 @@ func Command() *cobra.Command {
 			}
 
 			for _, policy := range policies {
-				err = policyvalidate.Validate(utils.MarshalPolicy(*policy))
+				err = policyvalidate.Validate(utils.MarshalPolicy(*policy), nil, true)
 				if err != nil {
 					fmt.Println("Policy " + policy.Name + " is invalid")
 				} else {
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 61c32c45d3..2c8f3023e4 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -6,13 +6,12 @@ import (
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
-	"github.com/golang/glog"
-
 	"gopkg.in/yaml.v2"
 
 	"github.com/googleapis/gnostic/compiler"
 
 	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -44,12 +43,12 @@ func NewCRDSync(client *client.Client) *crdSync {
 func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	newDoc, err := c.client.DiscoveryClient.OpenAPISchema()
 	if err != nil {
-		glog.V(4).Infof("cannot get openapi schema: %v", err)
+		log.Log.Error(err, "cannot get openapi schema")
 	}
 
 	err = useOpenApiDocument(newDoc)
 	if err != nil {
-		glog.V(4).Infof("Could not set custom OpenApi document: %v\n", err)
+		log.Log.Error(err, "Could not set custom OpenApi document")
 	}
 
 	// Sync CRD before kyverno starts
@@ -63,7 +62,7 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 func (c *crdSync) sync() {
 	crds, err := c.client.ListResource("CustomResourceDefinition", "", nil)
 	if err != nil {
-		glog.V(4).Infof("could not fetch crd's from server: %v", err)
+		log.Log.Error(err, "could not fetch crd's from server")
 		return
 	}
 
@@ -93,7 +92,7 @@ func parseCRD(crd unstructured.Unstructured) {
 
 	crdName := crdDefinition.Spec.Names.Kind
 	if len(crdDefinition.Spec.Versions) < 1 {
-		glog.V(4).Infof("could not parse crd schema, no versions present")
+		log.Log.V(4).Info("could not parse crd schema, no versions present")
 		return
 	}
 
@@ -104,7 +103,7 @@ func parseCRD(crd unstructured.Unstructured) {
 
 	parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil))
 	if err != nil {
-		glog.V(4).Infof("could not parse crd schema:%v", err)
+		log.Log.Error(err, "could not parse crd schema:")
 		return
 	}
 
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index bb724b9d0e..01ea226b0f 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -8,12 +8,9 @@ import (
 	"strings"
 	"sync"
 
+	data "github.com/nirmata/kyverno/api"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 
-	"github.com/nirmata/kyverno/data"
-
-	"github.com/golang/glog"
-
 	"github.com/nirmata/kyverno/pkg/engine"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
@@ -23,6 +20,7 @@ import (
 	"github.com/googleapis/gnostic/compiler"
 	"k8s.io/kube-openapi/pkg/util/proto"
 	"k8s.io/kube-openapi/pkg/util/proto/validation"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 
 	"gopkg.in/yaml.v2"
 )
@@ -120,7 +118,7 @@ func validatePolicyMutation(policy v1.ClusterPolicy) error {
 		newPolicy.Spec.Rules = rules
 		resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})
 		if resource == nil {
-			glog.V(4).Infof("Cannot Validate policy: openApi definition now found for %v", kind)
+			log.Log.V(4).Info(fmt.Sprintf("Cannot Validate policy: openApi definition now found for %v", kind))
 			return nil
 		}
 		newResource := unstructured.Unstructured{Object: resource}
diff --git a/pkg/policy/actions.go b/pkg/policy/actions.go
new file mode 100644
index 0000000000..4442113cd4
--- /dev/null
+++ b/pkg/policy/actions.go
@@ -0,0 +1,61 @@
+package policy
+
+import (
+	"fmt"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	dclient "github.com/nirmata/kyverno/pkg/dclient"
+	"github.com/nirmata/kyverno/pkg/policy/generate"
+	"github.com/nirmata/kyverno/pkg/policy/mutate"
+	"github.com/nirmata/kyverno/pkg/policy/validate"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+//Validation provides methods to validate a rule
+type Validation interface {
+	Validate() (string, error)
+}
+
+//validateAction performs validation on the rule actions
+// - Mutate
+// - Validation
+// - Generate
+func validateActions(idx int, rule kyverno.Rule, client *dclient.Client, mock bool) error {
+	var checker Validation
+
+	// Mutate
+	if rule.HasMutate() {
+		checker = mutate.NewMutateFactory(rule.Mutation)
+		if path, err := checker.Validate(); err != nil {
+			return fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", idx, path, err)
+		}
+	}
+
+	// Validate
+	if rule.HasValidate() {
+		checker = validate.NewValidateFactory(rule.Validation)
+		if path, err := checker.Validate(); err != nil {
+			return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", idx, path, err)
+		}
+	}
+
+	// Generate
+	if rule.HasGenerate() {
+		//TODO: this check is there to support offline validations
+		// generate uses selfSubjectReviews to verify actions
+		// this need to modified to use different implementation for online and offline mode
+		if mock {
+			checker = generate.NewFakeGenerate(rule.Generation)
+			if path, err := checker.Validate(); err != nil {
+				return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
+			}
+		} else {
+			checker = generate.NewGenerateFactory(client, rule.Generation, log.Log)
+			if path, err := checker.Validate(); err != nil {
+				return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index 32d654346c..ad60ad5d6d 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -8,7 +8,7 @@ import (
 	"time"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -19,12 +19,12 @@ import (
 
 // applyPolicy applies policy on a resource
 //TODO: generation rules
-func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (responses []response.EngineResponse) {
+func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) {
 	startTime := time.Now()
 
-	glog.V(4).Infof("Started apply policy %s on resource %s/%s/%s (%v)", policy.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), startTime)
+	logger.Info("start applying policy", "startTime", startTime)
 	defer func() {
-		glog.V(4).Infof("Finished applying %s on resource %s/%s/%s (%v)", policy.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), time.Since(startTime))
+		logger.Info("finisnhed applying policy", "processingTime", time.Since(startTime))
 	}()
 
 	var engineResponses []response.EngineResponse
@@ -32,13 +32,15 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	var err error
 	// build context
 	ctx := context.NewContext()
-	ctx.AddResource(transformResource(resource))
-
+	err = ctx.AddResource(transformResource(resource))
+	if err != nil {
+		logger.Error(err, "enable to add transform resource to ctx")
+	}
 	//MUTATION
-	engineResponse, err = mutation(policy, resource, ctx)
+	engineResponse, err = mutation(policy, resource, ctx, logger)
 	engineResponses = append(engineResponses, engineResponse)
 	if err != nil {
-		glog.Errorf("unable to process mutation rules: %v", err)
+		logger.Error(err, "failed to process mutation rule")
 	}
 
 	//VALIDATION
@@ -48,52 +50,52 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	//TODO: GENERATION
 	return engineResponses
 }
-func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, ctx context.EvalInterface) (response.EngineResponse, error) {
+func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, ctx context.EvalInterface, log logr.Logger) (response.EngineResponse, error) {
 
 	engineResponse := engine.Mutate(engine.PolicyContext{Policy: policy, NewResource: resource, Context: ctx})
 	if !engineResponse.IsSuccesful() {
-		glog.V(4).Infof("mutation had errors reporting them")
+		log.V(4).Info("failed to apply mutation rules; reporting them")
 		return engineResponse, nil
 	}
 	// Verify if the JSON pathes returned by the Mutate are already applied to the resource
 	if reflect.DeepEqual(resource, engineResponse.PatchedResource) {
 		// resources matches
-		glog.V(4).Infof("resource %s/%s/%s satisfies policy %s", engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name, engineResponse.PolicyResponse.Policy)
+		log.V(4).Info("resource already satisfys the policy")
 		return engineResponse, nil
 	}
-	return getFailedOverallRuleInfo(resource, engineResponse)
+	return getFailedOverallRuleInfo(resource, engineResponse, log)
 }
 
 // getFailedOverallRuleInfo gets detailed info for over-all mutation failure
-func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse response.EngineResponse) (response.EngineResponse, error) {
+func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse response.EngineResponse, log logr.Logger) (response.EngineResponse, error) {
 	rawResource, err := resource.MarshalJSON()
 	if err != nil {
-		glog.V(4).Infof("unable to marshal resource: %v\n", err)
+		log.Error(err, "faield to marshall resource")
 		return response.EngineResponse{}, err
 	}
 
 	// resource does not match so there was a mutation rule violated
 	for index, rule := range engineResponse.PolicyResponse.Rules {
-		glog.V(4).Infof("veriying if policy %s rule %s was applied before to resource %s/%s/%s", engineResponse.PolicyResponse.Policy, rule.Name, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
+		log.V(4).Info("veriying if policy rule was applied before", "rule", rule.Name)
 		if len(rule.Patches) == 0 {
 			continue
 		}
 		patch, err := jsonpatch.DecodePatch(utils.JoinPatches(rule.Patches))
 		if err != nil {
-			glog.V(4).Infof("unable to decode patch %s: %v", rule.Patches, err)
+			log.Error(err, "failed to decode JSON patch", "patches", rule.Patches)
 			return response.EngineResponse{}, err
 		}
 
 		// apply the patches returned by mutate to the original resource
 		patchedResource, err := patch.Apply(rawResource)
 		if err != nil {
-			glog.V(4).Infof("unable to apply patch %s: %v", rule.Patches, err)
+			log.Error(err, "failed to apply JSON patch", "patches", rule.Patches)
 			return response.EngineResponse{}, err
 		}
 		if !jsonpatch.Equal(patchedResource, rawResource) {
-			glog.V(4).Infof("policy %s rule %s condition not satisfied by existing resource", engineResponse.PolicyResponse.Policy, rule.Name)
+			log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name)
 			engineResponse.PolicyResponse.Rules[index].Success = false
-			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(rule.Patches))
+			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(rule.Patches, log))
 		}
 	}
 	return engineResponse, nil
@@ -105,14 +107,14 @@ type jsonPatch struct {
 	Value interface{} `json:"value"`
 }
 
-func extractPatchPath(patches [][]byte) string {
+func extractPatchPath(patches [][]byte, log logr.Logger) string {
 	var resultPath []string
 	// extract the patch path and value
 	for _, patch := range patches {
-		glog.V(4).Infof("expected json patch not found in resource: %s", string(patch))
+		log.V(4).Info("expected json patch not found in resource", "patch", string(patch))
 		var data jsonPatch
 		if err := json.Unmarshal(patch, &data); err != nil {
-			glog.V(4).Infof("Failed to decode the generated patch %v: Error %v", string(patch), err)
+			log.Error(err, "failed to decode the generate patch", "patch", string(patch))
 			continue
 		}
 		resultPath = append(resultPath, data.Path)
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index 423fc51c4d..2331359534 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -6,6 +6,7 @@ import (
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //ContainsUserInfo returns error is userInfo is defined
@@ -35,23 +36,23 @@ func ContainsUserInfo(policy kyverno.ClusterPolicy) error {
 		filterVars := []string{"request.userInfo*", "serviceAccountName", "serviceAccountNamespace"}
 		ctx := context.NewContext(filterVars...)
 		for condIdx, condition := range rule.Conditions {
-			if condition.Key, err = variables.SubstituteVars(ctx, condition.Key); err != nil {
+			if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); err != nil {
 				return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/key", idx, condIdx)
 			}
 
-			if condition.Value, err = variables.SubstituteVars(ctx, condition.Value); err != nil {
+			if condition.Value, err = variables.SubstituteVars(log.Log, ctx, condition.Value); err != nil {
 				return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/value", idx, condIdx)
 			}
 		}
 
-		if rule.Mutation.Overlay, err = variables.SubstituteVars(ctx, rule.Mutation.Overlay); err != nil {
+		if rule.Mutation.Overlay, err = variables.SubstituteVars(log.Log, ctx, rule.Mutation.Overlay); err != nil {
 			return fmt.Errorf("userInfo variable used at spec/rules[%d]/mutate/overlay", idx)
 		}
-		if rule.Validation.Pattern, err = variables.SubstituteVars(ctx, rule.Validation.Pattern); err != nil {
+		if rule.Validation.Pattern, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Pattern); err != nil {
 			return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/pattern", idx)
 		}
 		for idx2, pattern := range rule.Validation.AnyPattern {
-			if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(ctx, pattern); err != nil {
+			if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(log.Log, ctx, pattern); err != nil {
 				return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/anyPattern[%d]", idx, idx2)
 			}
 		}
diff --git a/pkg/policy/cleanup.go b/pkg/policy/cleanup.go
index 6a41c579ba..40394c2785 100644
--- a/pkg/policy/cleanup.go
+++ b/pkg/policy/cleanup.go
@@ -4,57 +4,71 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"k8s.io/apimachinery/pkg/labels"
 )
 
+func (pc *PolicyController) cleanUp(ers []response.EngineResponse) {
+	for _, er := range ers {
+		if !er.IsSuccesful() {
+			continue
+		}
+		if len(er.PolicyResponse.Rules) == 0 {
+			continue
+		}
+		// clean up after the policy has been corrected
+		pc.cleanUpPolicyViolation(er.PolicyResponse)
+	}
+}
+
 func (pc *PolicyController) cleanUpPolicyViolation(pResponse response.PolicyResponse) {
+	logger := pc.log
 	// - check if there is violation on resource (label:Selector)
 	if pResponse.Resource.Namespace == "" {
-		pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name)
+		pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name, logger)
 		if err != nil {
-			glog.Errorf("failed to cleanUp violations: %v", err)
+			logger.Error(err, "failed to get cluster policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "name", pResponse.Resource.Name)
 			return
 		}
 
 		if reflect.DeepEqual(pv, kyverno.ClusterPolicyViolation{}) {
 			return
 		}
-
-		glog.V(4).Infof("cleanup cluster violation %s on %s", pv.Name, pv.Spec.ResourceSpec.ToKey())
 		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
-			glog.Errorf("failed to delete cluster policy violation %s on %s: %v", pv.Name, pv.Spec.ResourceSpec.ToKey(), err)
+			logger.Error(err, "failed to delete cluster policy violation", "name", pv.Name)
+		} else {
+			logger.Info("deleted cluster policy violation", "name", pv.Name)
 		}
-
 		return
 	}
 
 	// namespace policy violation
-	nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name)
+	nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name, logger)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to get namespaced policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "namespace", pResponse.Resource.Namespace, "name", pResponse.Resource.Name)
 		return
 	}
 
 	if reflect.DeepEqual(nspv, kyverno.PolicyViolation{}) {
 		return
 	}
-	glog.V(4).Infof("cleanup namespaced violation %s on %s.%s", nspv.Name, pResponse.Resource.Namespace, nspv.Spec.ResourceSpec.ToKey())
 	if err := pc.pvControl.DeleteNamespacedPolicyViolation(nspv.Namespace, nspv.Name); err != nil {
-		glog.Errorf("failed to delete namespaced policy violation %s on %s: %v", nspv.Name, nspv.Spec.ResourceSpec.ToKey(), err)
+		logger.Error(err, "failed to delete cluster policy violation", "name", nspv.Name, "namespace", nspv.Namespace)
+	} else {
+		logger.Info("deleted namespaced policy violation", "name", nspv.Name, "namespace", nspv.Namespace)
 	}
 }
 
 // Wont do the claiming of objects, just lookup based on selectors
-func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string) (kyverno.ClusterPolicyViolation, error) {
+func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string, log logr.Logger) (kyverno.ClusterPolicyViolation, error) {
 	var err error
 	// Check Violation on resource
 	pvs, err := pvLister.List(labels.Everything())
 	if err != nil {
-		glog.V(2).Infof("unable to list policy violations : %v", err)
+		log.Error(err, "failed to list cluster policy violations")
 		return kyverno.ClusterPolicyViolation{}, fmt.Errorf("failed to list cluster pv: %v", err)
 	}
 
@@ -69,10 +83,10 @@ func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyNam
 	return kyverno.ClusterPolicyViolation{}, nil
 }
 
-func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string) (kyverno.PolicyViolation, error) {
+func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string, log logr.Logger) (kyverno.PolicyViolation, error) {
 	nspvs, err := nspvLister.PolicyViolations(rnamespace).List(labels.Everything())
 	if err != nil {
-		glog.V(2).Infof("failed to list namespaced pv: %v", err)
+		log.Error(err, "failed to list namespaced policy violation")
 		return kyverno.PolicyViolation{}, fmt.Errorf("failed to list namespaced pv: %v", err)
 	}
 
diff --git a/pkg/policy/clusterpv.go b/pkg/policy/clusterpv.go
index 0f9f2564ae..35704f72d8 100644
--- a/pkg/policy/clusterpv.go
+++ b/pkg/policy/clusterpv.go
@@ -1,15 +1,13 @@
 package policy
 
 import (
-	"fmt"
-
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"k8s.io/client-go/tools/cache"
 )
 
 func (pc *PolicyController) addClusterPolicyViolation(obj interface{}) {
 	pv := obj.(*kyverno.ClusterPolicyViolation)
+	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 
 	if pv.DeletionTimestamp != nil {
 		// On a restart of the controller manager, it's possible for an object to
@@ -22,15 +20,15 @@ func (pc *PolicyController) addClusterPolicyViolation(obj interface{}) {
 	ps := pc.getPolicyForClusterPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name)
+		logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
-			glog.Errorf("Failed to deleted cluster policy violation %s: %v", pv.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("Cluster Policy Violation %s deleted", pv.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Cluster Policy Violation %s added.", pv.Name)
+	logger.V(4).Info("resource added")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -44,19 +42,20 @@ func (pc *PolicyController) updateClusterPolicyViolation(old, cur interface{}) {
 		// Two different versions of the same replica set will always have different RVs.
 		return
 	}
+	logger := pc.log.WithValues("kind", curPV.Kind, "namespace", curPV.Namespace, "name", curPV.Name)
 
 	ps := pc.getPolicyForClusterPolicyViolation(curPV)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", curPV.Name)
+		logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteClusterPolicyViolation(curPV.Name); err != nil {
-			glog.Errorf("Failed to deleted cluster policy violation %s: %v", curPV.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("PolicyViolation %s deleted", curPV.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Cluster PolicyViolation %s updated", curPV.Name)
+	logger.V(4).Info("resource updated")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -67,6 +66,7 @@ func (pc *PolicyController) updateClusterPolicyViolation(old, cur interface{}) {
 // a DeletionFinalStateUnknown marker item.
 
 func (pc *PolicyController) deleteClusterPolicyViolation(obj interface{}) {
+	logger := pc.log
 	pv, ok := obj.(*kyverno.ClusterPolicyViolation)
 	// When a delete is dropped, the relist will notice a PolicyViolation in the store not
 	// in the list, leading to the insertion of a tombstone object which contains
@@ -75,33 +75,35 @@ func (pc *PolicyController) deleteClusterPolicyViolation(obj interface{}) {
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		pv, ok = tombstone.Obj.(*kyverno.ClusterPolicyViolation)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 	}
+	logger = logger.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	ps := pc.getPolicyForClusterPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name)
+		logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
-			glog.Errorf("Failed to deleted cluster policy violation %s: %v", pv.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("Cluster Policy Violation %s deleted", pv.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Cluster PolicyViolation %s updated", pv.Name)
+	logger.V(4).Info("resource updated")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
 }
 
 func (pc *PolicyController) getPolicyForClusterPolicyViolation(pv *kyverno.ClusterPolicyViolation) []*kyverno.ClusterPolicy {
+	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	policies, err := pc.pLister.GetPolicyForPolicyViolation(pv)
 	if err != nil || len(policies) == 0 {
 		return nil
@@ -113,8 +115,7 @@ func (pc *PolicyController) getPolicyForClusterPolicyViolation(pv *kyverno.Clust
 	if len(policies) > 1 {
 		// ControllerRef will ensure we don't do anything crazy, but more than one
 		// item in this list nevertheless constitutes user error.
-		glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s",
-			pv.Name, pv.Labels, policies[0].Name)
+		logger.V(4).Info("user error! more than one policy is selecting policy violation", "labels", pv.Labels, "policy", policies[0].Name)
 	}
 	return policies
 }
diff --git a/pkg/policy/common.go b/pkg/policy/common.go
index b4d6155abc..cb99b9dd2f 100644
--- a/pkg/policy/common.go
+++ b/pkg/policy/common.go
@@ -3,10 +3,10 @@ package policy
 import (
 	"fmt"
 
-	"github.com/golang/glog"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func buildPolicyLabel(policyName string) (labels.Selector, error) {
@@ -27,7 +27,7 @@ func buildPolicyLabel(policyName string) (labels.Selector, error) {
 func transformResource(resource unstructured.Unstructured) []byte {
 	data, err := resource.MarshalJSON()
 	if err != nil {
-		glog.Errorf("failed to marshall resource %v: %v", resource, err)
+		log.Log.Error(err, "failed to marshal resource")
 		return nil
 	}
 	return data
diff --git a/pkg/policy/common/common.go b/pkg/policy/common/common.go
new file mode 100644
index 0000000000..35bc132007
--- /dev/null
+++ b/pkg/policy/common/common.go
@@ -0,0 +1,85 @@
+package common
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+
+	"github.com/nirmata/kyverno/pkg/engine/anchor"
+)
+
+//ValidatePattern validates the pattern
+func ValidatePattern(patternElement interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
+	switch typedPatternElement := patternElement.(type) {
+	case map[string]interface{}:
+		return validateMap(typedPatternElement, path, supportedAnchors)
+	case []interface{}:
+		return validateArray(typedPatternElement, path, supportedAnchors)
+	case string, float64, int, int64, bool, nil:
+		//TODO? check operator
+		return "", nil
+	default:
+		return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path)
+	}
+}
+func validateMap(patternMap map[string]interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
+	// check if anchors are defined
+	for key, value := range patternMap {
+		// if key is anchor
+		// check regex () -> this is anchor
+		// ()
+		// single char ()
+		re, err := regexp.Compile(`^.?\(.+\)$`)
+		if err != nil {
+			return path + "/" + key, fmt.Errorf("Unable to parse the field %s: %v", key, err)
+		}
+
+		matched := re.MatchString(key)
+		// check the type of anchor
+		if matched {
+			// some type of anchor
+			// check if valid anchor
+			if !checkAnchors(key, supportedAnchors) {
+				return path + "/" + key, fmt.Errorf("Unsupported anchor %s", key)
+			}
+
+			// addition check for existence anchor
+			// value must be of type list
+			if anchor.IsExistenceAnchor(key) {
+				typedValue, ok := value.([]interface{})
+				if !ok {
+					return path + "/" + key, fmt.Errorf("Existence anchor should have value of type list")
+				}
+				// validate there is only one entry in the list
+				if len(typedValue) == 0 || len(typedValue) > 1 {
+					return path + "/" + key, fmt.Errorf("Existence anchor: single value expected, multiple specified")
+				}
+			}
+		}
+		// lets validate the values now :)
+		if errPath, err := ValidatePattern(value, path+"/"+key, supportedAnchors); err != nil {
+			return errPath, err
+		}
+	}
+	return "", nil
+}
+
+func validateArray(patternArray []interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
+	for i, patternElement := range patternArray {
+		currentPath := path + strconv.Itoa(i) + "/"
+		// lets validate the values now :)
+		if errPath, err := ValidatePattern(patternElement, currentPath, supportedAnchors); err != nil {
+			return errPath, err
+		}
+	}
+	return "", nil
+}
+
+func checkAnchors(key string, supportedAnchors []anchor.IsAnchor) bool {
+	for _, f := range supportedAnchors {
+		if f(key) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index d303bebf52..2a471a37fe 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -1,10 +1,9 @@
 package policy
 
 import (
-	"fmt"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
@@ -72,6 +71,7 @@ type PolicyController struct {
 	pvGenerator policyviolation.GeneratorInterface
 	// resourceWebhookWatcher queues the webhook creation request, creates the webhook
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
+	log                    logr.Logger
 }
 
 // NewPolicyController create a new PolicyController
@@ -84,10 +84,11 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 	eventGen event.Interface,
 	pvGenerator policyviolation.GeneratorInterface,
 	pMetaStore policystore.UpdateInterface,
-	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister) (*PolicyController, error) {
+	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
+	log logr.Logger) (*PolicyController, error) {
 	// Event broad caster
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(glog.Infof)
+	eventBroadcaster.StartLogging(log.Info)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
 		return nil, err
@@ -104,6 +105,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 		pMetaStore:             pMetaStore,
 		pvGenerator:            pvGenerator,
 		resourceWebhookWatcher: resourceWebhookWatcher,
+		log:                    log,
 	}
 
 	pc.pvControl = RealPVControl{Client: kyvernoClient, Recorder: pc.eventRecorder}
@@ -145,6 +147,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 }
 
 func (pc *PolicyController) addPolicy(obj interface{}) {
+	logger := pc.log
 	p := obj.(*kyverno.ClusterPolicy)
 	// Only process policies that are enabled for "background" execution
 	// policy.spec.background -> "True"
@@ -168,19 +171,19 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
 			return
 		}
 	}
-
-	glog.V(4).Infof("Adding Policy %s", p.Name)
+	logger.V(4).Info("adding policy", "name", p.Name)
 	pc.enqueuePolicy(p)
 }
 
 func (pc *PolicyController) updatePolicy(old, cur interface{}) {
+	logger := pc.log
 	oldP := old.(*kyverno.ClusterPolicy)
 	curP := cur.(*kyverno.ClusterPolicy)
 	// TODO: optimize this : policy meta-store
 	// Update policy-> (remove,add)
 	err := pc.pMetaStore.UnRegister(*oldP)
 	if err != nil {
-		glog.Infof("Failed to unregister policy %s", oldP.Name)
+		logger.Error(err, "failed to unregister policy", "name", oldP.Name)
 	}
 	pc.pMetaStore.Register(*curP)
 
@@ -203,28 +206,29 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 			return
 		}
 	}
-	glog.V(4).Infof("Updating Policy %s", oldP.Name)
+	logger.V(4).Info("updating policy", "name", oldP.Name)
 	pc.enqueuePolicy(curP)
 }
 
 func (pc *PolicyController) deletePolicy(obj interface{}) {
+	logger := pc.log
 	p, ok := obj.(*kyverno.ClusterPolicy)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
+			logger.Info("couldnt get object from tomstone", "obj", obj)
 			return
 		}
 		p, ok = tombstone.Obj.(*kyverno.ClusterPolicy)
 		if !ok {
-			glog.Info(fmt.Errorf("Tombstone contained object that is not a Policy %#v", obj))
+			logger.Info("tombstone container object that is not a policy", "obj", obj)
 			return
 		}
 	}
-	glog.V(4).Infof("Deleting Policy %s", p.Name)
+	logger.V(4).Info("deleting policy", "name", p.Name)
 	// Unregister from policy meta-store
 	if err := pc.pMetaStore.UnRegister(*p); err != nil {
-		glog.Infof("failed to unregister policy %s", p.Name)
+		logger.Error(err, "failed to unregister policy", "name", p.Name)
 	}
 	// we process policies that are not set of background processing as we need to perform policy violation
 	// cleanup when a policy is deleted.
@@ -232,9 +236,10 @@ func (pc *PolicyController) deletePolicy(obj interface{}) {
 }
 
 func (pc *PolicyController) enqueue(policy *kyverno.ClusterPolicy) {
+	logger := pc.log
 	key, err := cache.MetaNamespaceKeyFunc(policy)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to enqueu policy")
 		return
 	}
 	pc.queue.Add(key)
@@ -242,15 +247,16 @@ func (pc *PolicyController) enqueue(policy *kyverno.ClusterPolicy) {
 
 // Run begins watching and syncing.
 func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) {
+	logger := pc.log
 
 	defer utilruntime.HandleCrash()
 	defer pc.queue.ShutDown()
 
-	glog.Info("Starting policy controller")
-	defer glog.Info("Shutting down policy controller")
+	logger.Info("starting")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, pc.pListerSynced, pc.cpvListerSynced, pc.nspvListerSynced) {
-		glog.Error("failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 		return
 	}
 
@@ -285,31 +291,33 @@ func (pc *PolicyController) processNextWorkItem() bool {
 }
 
 func (pc *PolicyController) handleErr(err error, key interface{}) {
+	logger := pc.log
 	if err == nil {
 		pc.queue.Forget(key)
 		return
 	}
 
 	if pc.queue.NumRequeues(key) < maxRetries {
-		glog.V(2).Infof("Error syncing Policy %v: %v", key, err)
+		logger.Error(err, "failed to sync policy", "key", key)
 		pc.queue.AddRateLimited(key)
 		return
 	}
 
 	utilruntime.HandleError(err)
-	glog.V(2).Infof("Dropping policy %q out of the queue: %v", key, err)
+	logger.V(2).Info("dropping policy out of queue", "key", key)
 	pc.queue.Forget(key)
 }
 
 func (pc *PolicyController) syncPolicy(key string) error {
+	logger := pc.log
 	startTime := time.Now()
-	glog.V(4).Infof("Started syncing policy %q (%v)", key, startTime)
+	logger.V(4).Info("started syncing policy", "key", key, "startTime", startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing policy %q (%v)", key, time.Since(startTime))
+		logger.V(4).Info("finished syncing policy", "key", key, "processingTime", time.Since(startTime))
 	}()
 	policy, err := pc.pLister.Get(key)
 	if errors.IsNotFound(err) {
-		glog.V(2).Infof("Policy %v has been deleted", key)
+		logger.V(2).Info("policy deleted", "key", key)
 		// delete cluster policy violation
 		if err := pc.deleteClusterPolicyViolations(key); err != nil {
 			return err
@@ -322,8 +330,7 @@ func (pc *PolicyController) syncPolicy(key string) error {
 		// remove webhook configurations if there are no policies
 		if err := pc.removeResourceWebhookConfiguration(); err != nil {
 			// do not fail, if unable to delete resource webhook config
-			glog.V(4).Infof("failed to remove resource webhook configuration: %v", err)
-			glog.Errorln(err)
+			logger.Error(err, "failed to remove resource webhook configurations")
 		}
 		return nil
 	}
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index 97c09affac..af8dfc09c6 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -5,7 +5,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/config"
@@ -19,27 +19,27 @@ import (
 )
 
 func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolicy) []response.EngineResponse {
+	logger := pc.log.WithValues("policy", policy.Name)
 	// Parse through all the resources
 	// drops the cache after configured rebuild time
 	pc.rm.Drop()
 	var engineResponses []response.EngineResponse
 	// get resource that are satisfy the resource description defined in the rules
-	resourceMap := listResources(pc.client, policy, pc.configHandler)
+	resourceMap := listResources(pc.client, policy, pc.configHandler, logger)
 	for _, resource := range resourceMap {
 		// pre-processing, check if the policy and resource version has been processed before
 		if !pc.rm.ProcessResource(policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion()) {
-			glog.V(4).Infof("policy %s with resource version %s already processed on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion())
+			logger.V(4).Info("policy and resource already processed", "policyResourceVersion", policy.ResourceVersion, "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
 			continue
 		}
 
 		// skip reporting violation on pod which has annotation pod-policies.kyverno.io/autogen-applied
-		if skipPodApplication(resource) {
+		if skipPodApplication(resource, logger) {
 			continue
 		}
 
 		// apply the policy on each
-		glog.V(4).Infof("apply policy %s with resource version %s on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion())
-		engineResponse := applyPolicy(policy, resource)
+		engineResponse := applyPolicy(policy, resource, logger)
 		// get engine response for mutation & validation independently
 		engineResponses = append(engineResponses, engineResponse...)
 		// post-processing, register the resource as processed
@@ -48,36 +48,26 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic
 	return engineResponses
 }
 
-func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHandler config.Interface) map[string]unstructured.Unstructured {
+func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHandler config.Interface, log logr.Logger) map[string]unstructured.Unstructured {
 	// key uid
 	resourceMap := map[string]unstructured.Unstructured{}
 
 	for _, rule := range policy.Spec.Rules {
 		// resources that match
 		for _, k := range rule.MatchResources.Kinds {
-			// if kindIsExcluded(k, rule.ExcludeResources.Kinds) {
-			// 	glog.V(4).Infof("processing policy %s rule %s: kind %s is exluded", policy.Name, rule.Name, k)
-			// 	continue
-			// }
 			var namespaces []string
-			if k == "Namespace" {
-				// TODO
-				// this is handled by generator controller
-				glog.V(4).Infof("skipping processing policy %s rule %s for kind Namespace", policy.Name, rule.Name)
-				continue
-			}
 			if len(rule.MatchResources.Namespaces) > 0 {
 				namespaces = append(namespaces, rule.MatchResources.Namespaces...)
-				glog.V(4).Infof("namespaces specified for inclusion: %v", rule.MatchResources.Namespaces)
+				log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces)
 			} else {
-				glog.V(4).Infof("processing policy %s rule %s, namespace not defined, getting all namespaces ", policy.Name, rule.Name)
+				log.V(4).Info("processing all namespaces", "rule", rule.Name)
 				// get all namespaces
-				namespaces = getAllNamespaces(client)
+				namespaces = getAllNamespaces(client, log)
 			}
 
 			// get resources in the namespaces
 			for _, ns := range namespaces {
-				rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler)
+				rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log)
 				mergeresources(resourceMap, rMap)
 			}
 
@@ -86,16 +76,16 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHa
 	return resourceMap
 }
 
-func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, configHandler config.Interface) map[string]unstructured.Unstructured {
+func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, configHandler config.Interface, log logr.Logger) map[string]unstructured.Unstructured {
 	resourceMap := map[string]unstructured.Unstructured{}
 	// merge include and exclude label selector values
 	ls := rule.MatchResources.Selector
 	//	ls := mergeLabelSectors(rule.MatchResources.Selector, rule.ExcludeResources.Selector)
 	// list resources
-	glog.V(4).Infof("get resources for kind %s, namespace %s, selector %v", kind, namespace, rule.MatchResources.Selector)
+	log.V(4).Info("list resources to be processed")
 	list, err := client.ListResource(kind, namespace, ls)
 	if err != nil {
-		glog.Infof("unable to get resources: err %v", err)
+		log.Error(err, "failed to list resources", "kind", kind)
 		return nil
 	}
 	// filter based on name
@@ -103,7 +93,6 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 		// match name
 		if rule.MatchResources.Name != "" {
 			if !wildcard.Match(rule.MatchResources.Name, r.GetName()) {
-				glog.V(4).Infof("skipping resource %s/%s due to include condition name=%s mistatch", r.GetNamespace(), r.GetName(), rule.MatchResources.Name)
 				continue
 			}
 		}
@@ -118,12 +107,11 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 
 	// exclude the resources
 	// skip resources to be filtered
-	excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, configHandler)
-	//	glog.V(4).Infof("resource map: %v", resourceMap)
+	excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, configHandler, log)
 	return resourceMap
 }
 
-func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription, configHandler config.Interface) {
+func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription, configHandler config.Interface, log logr.Logger) {
 	if reflect.DeepEqual(exclude, (kyverno.ResourceDescription{})) {
 		return
 	}
@@ -154,7 +142,7 @@ func excludeResources(included map[string]unstructured.Unstructured, exclude kyv
 		selector, err := metav1.LabelSelectorAsSelector(exclude.Selector)
 		// if the label selector is incorrect, should be fail or
 		if err != nil {
-			glog.Error(err)
+			log.Error(err, "failed to build label selector")
 			return Skip
 		}
 		if selector.Matches(labels.Set(labelsMap)) {
@@ -205,8 +193,6 @@ func excludeResources(included map[string]unstructured.Unstructured, exclude kyv
 		}
 		// exclude the filtered resources
 		if configHandler.ToFilter(resource.GetKind(), resource.GetNamespace(), resource.GetName()) {
-			//TODO: improve the text
-			glog.V(4).Infof("excluding resource %s/%s/%s as its satisfies the filtered resources", resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			delete(included, uid)
 			continue
 		}
@@ -244,12 +230,13 @@ func mergeresources(a, b map[string]unstructured.Unstructured) {
 	}
 }
 
-func getAllNamespaces(client *client.Client) []string {
+func getAllNamespaces(client *client.Client, log logr.Logger) []string {
+
 	var namespaces []string
 	// get all namespaces
 	nsList, err := client.ListResource("Namespace", "", nil)
 	if err != nil {
-		glog.Error(err)
+		log.Error(err, "failed to list namespaces")
 		return namespaces
 	}
 	for _, ns := range nsList.Items {
@@ -291,14 +278,11 @@ type resourceManager interface {
 //TODO: or drop based on the size
 func (rm *ResourceManager) Drop() {
 	timeSince := time.Since(rm.time)
-	glog.V(4).Infof("time since last cache reset time %v is %v", rm.time, timeSince)
-	glog.V(4).Infof("cache rebuild time %v", time.Duration(rm.rebuildTime)*time.Second)
 	if timeSince > time.Duration(rm.rebuildTime)*time.Second {
 		rm.mux.Lock()
 		defer rm.mux.Unlock()
 		rm.data = map[string]interface{}{}
 		rm.time = time.Now()
-		glog.V(4).Infof("dropping cache at time %v", rm.time)
 	}
 }
 
@@ -327,14 +311,14 @@ func buildKey(policy, pv, kind, ns, name, rv string) string {
 	return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv
 }
 
-func skipPodApplication(resource unstructured.Unstructured) bool {
+func skipPodApplication(resource unstructured.Unstructured, log logr.Logger) bool {
 	if resource.GetKind() != "Pod" {
 		return false
 	}
 
 	annotation := resource.GetAnnotations()
 	if _, ok := annotation[engine.PodTemplateAnnotation]; ok {
-		glog.V(4).Infof("Policies already processed on pod controllers, skip processing policy on Pod/%s/%s", resource.GetNamespace(), resource.GetName())
+		log.V(4).Info("Policies already processed on pod controllers, skip processing policy on Pod", "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
 		return true
 	}
 
diff --git a/pkg/policy/generate/auth.go b/pkg/policy/generate/auth.go
new file mode 100644
index 0000000000..3da64a4289
--- /dev/null
+++ b/pkg/policy/generate/auth.go
@@ -0,0 +1,74 @@
+package generate
+
+import (
+	"github.com/go-logr/logr"
+	"github.com/nirmata/kyverno/pkg/auth"
+	dclient "github.com/nirmata/kyverno/pkg/dclient"
+)
+
+//Operations provides methods to performing operations on resource
+type Operations interface {
+	// CanICreate returns 'true' if self can 'create' resource
+	CanICreate(kind, namespace string) (bool, error)
+	// CanIUpdate returns 'true' if self can 'update' resource
+	CanIUpdate(kind, namespace string) (bool, error)
+	// CanIDelete returns 'true' if self can 'delete' resource
+	CanIDelete(kind, namespace string) (bool, error)
+	// CanIGet returns 'true' if self can 'get' resource
+	CanIGet(kind, namespace string) (bool, error)
+}
+
+//Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
+type Auth struct {
+	client *dclient.Client
+	log    logr.Logger
+}
+
+//NewAuth returns a new instance of Auth for operations
+func NewAuth(client *dclient.Client, log logr.Logger) *Auth {
+	a := Auth{
+		client: client,
+		log:    log,
+	}
+	return &a
+}
+
+// CanICreate returns 'true' if self can 'create' resource
+func (a *Auth) CanICreate(kind, namespace string) (bool, error) {
+	canI := auth.NewCanI(a.client, kind, namespace, "create", a.log)
+	ok, err := canI.RunAccessCheck()
+	if err != nil {
+		return false, err
+	}
+	return ok, nil
+}
+
+// CanIUpdate returns 'true' if self can 'update' resource
+func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {
+	canI := auth.NewCanI(a.client, kind, namespace, "update", a.log)
+	ok, err := canI.RunAccessCheck()
+	if err != nil {
+		return false, err
+	}
+	return ok, nil
+}
+
+// CanIDelete returns 'true' if self can 'delete' resource
+func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {
+	canI := auth.NewCanI(a.client, kind, namespace, "delete", a.log)
+	ok, err := canI.RunAccessCheck()
+	if err != nil {
+		return false, err
+	}
+	return ok, nil
+}
+
+// CanIGet returns 'true' if self can 'get' resource
+func (a *Auth) CanIGet(kind, namespace string) (bool, error) {
+	canI := auth.NewCanI(a.client, kind, namespace, "get", a.log)
+	ok, err := canI.RunAccessCheck()
+	if err != nil {
+		return false, err
+	}
+	return ok, nil
+}
diff --git a/pkg/policy/generate/fake.go b/pkg/policy/generate/fake.go
new file mode 100644
index 0000000000..0d561c7a94
--- /dev/null
+++ b/pkg/policy/generate/fake.go
@@ -0,0 +1,21 @@
+package generate
+
+import (
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/policy/generate/fake"
+)
+
+//FakeGenerate provides implementation for generate rule processing
+// with mocks/fakes for cluster interactions
+type FakeGenerate struct {
+	Generate
+}
+
+//NewFakeGenerate returns a new instance of generatecheck that uses
+// fake/mock implementation for operation access(always returns true)
+func NewFakeGenerate(rule kyverno.Generation) *FakeGenerate {
+	g := FakeGenerate{}
+	g.rule = rule
+	g.authCheck = fake.NewFakeAuth()
+	return &g
+}
diff --git a/pkg/policy/generate/fake/auth.go b/pkg/policy/generate/fake/auth.go
new file mode 100644
index 0000000000..3e7467bf06
--- /dev/null
+++ b/pkg/policy/generate/fake/auth.go
@@ -0,0 +1,31 @@
+package fake
+
+//FakeAuth providers implementation for testing, retuning true for all operations
+type FakeAuth struct {
+}
+
+//NewFakeAuth returns a new instance of Fake Auth that returns true for each operation
+func NewFakeAuth() *FakeAuth {
+	a := FakeAuth{}
+	return &a
+}
+
+// CanICreate returns 'true'
+func (a *FakeAuth) CanICreate(kind, namespace string) (bool, error) {
+	return true, nil
+}
+
+// CanIUpdate returns 'true'
+func (a *FakeAuth) CanIUpdate(kind, namespace string) (bool, error) {
+	return true, nil
+}
+
+// CanIDelete returns 'true'
+func (a *FakeAuth) CanIDelete(kind, namespace string) (bool, error) {
+	return true, nil
+}
+
+// CanIGet returns 'true'
+func (a *FakeAuth) CanIGet(kind, namespace string) (bool, error) {
+	return true, nil
+}
diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go
new file mode 100644
index 0000000000..460842ea98
--- /dev/null
+++ b/pkg/policy/generate/validate.go
@@ -0,0 +1,151 @@
+package generate
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/go-logr/logr"
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	dclient "github.com/nirmata/kyverno/pkg/dclient"
+	"github.com/nirmata/kyverno/pkg/engine/anchor"
+	"github.com/nirmata/kyverno/pkg/engine/variables"
+	"github.com/nirmata/kyverno/pkg/policy/common"
+)
+
+// Generate provides implementation to validate 'generate' rule
+type Generate struct {
+	// rule to hold 'generate' rule specifications
+	rule kyverno.Generation
+	// authCheck to check access for operations
+	authCheck Operations
+	//logger
+	log logr.Logger
+}
+
+//NewGenerateFactory returns a new instance of Generate validation checker
+func NewGenerateFactory(client *dclient.Client, rule kyverno.Generation, log logr.Logger) *Generate {
+	g := Generate{
+		rule:      rule,
+		authCheck: NewAuth(client, log),
+		log:       log,
+	}
+
+	return &g
+}
+
+//Validate validates the 'generate' rule
+func (g *Generate) Validate() (string, error) {
+	rule := g.rule
+	if rule.Data == nil && rule.Clone == (kyverno.CloneFrom{}) {
+		return "", fmt.Errorf("clone or data are required")
+	}
+	if rule.Data != nil && rule.Clone != (kyverno.CloneFrom{}) {
+		return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)")
+	}
+	kind, name, namespace := rule.Kind, rule.Name, rule.Namespace
+
+	if name == "" {
+		return "name", fmt.Errorf("name cannot be empty")
+	}
+	if kind == "" {
+		return "kind", fmt.Errorf("kind cannot be empty")
+	}
+	// Can I generate resource
+
+	if !reflect.DeepEqual(rule.Clone, kyverno.CloneFrom{}) {
+		if path, err := g.validateClone(rule.Clone, kind); err != nil {
+			return fmt.Sprintf("clone.%s", path), err
+		}
+	}
+	if rule.Data != nil {
+		//TODO: is this required ?? as anchors can only be on pattern and not resource
+		// we can add this check by not sure if its needed here
+		if path, err := common.ValidatePattern(rule.Data, "/", []anchor.IsAnchor{}); err != nil {
+			return fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err)
+		}
+	}
+
+	// Kyverno generate-controller create/update/deletes the resources specified in generate rule of policy
+	// kyverno uses SA 'kyverno-service-account' and has default ClusterRoles and ClusterRoleBindings
+	// instuctions to modify the RBAC for kyverno are mentioned at https://github.com/nirmata/kyverno/blob/master/documentation/installation.md
+	// - operations required: create/update/delete/get
+	// If kind and namespace contain variables, then we cannot resolve then so we skip the processing
+	if err := g.canIGenerate(kind, namespace); err != nil {
+		return "", err
+	}
+	return "", nil
+}
+
+func (g *Generate) validateClone(c kyverno.CloneFrom, kind string) (string, error) {
+	if c.Name == "" {
+		return "name", fmt.Errorf("name cannot be empty")
+	}
+	if c.Namespace == "" {
+		return "namespace", fmt.Errorf("namespace cannot be empty")
+	}
+	namespace := c.Namespace
+	// Skip if there is variable defined
+	if !variables.IsVariable(kind) && !variables.IsVariable(namespace) {
+		// GET
+		ok, err := g.authCheck.CanIGet(kind, namespace)
+		if err != nil {
+			return "", err
+		}
+		if !ok {
+			return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+	} else {
+		g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
+	}
+	return "", nil
+}
+
+//canIGenerate returns a error if kyverno cannot perform oprations
+func (g *Generate) canIGenerate(kind, namespace string) error {
+	// Skip if there is variable defined
+	authCheck := g.authCheck
+	if !variables.IsVariable(kind) && !variables.IsVariable(namespace) {
+		// CREATE
+		ok, err := authCheck.CanICreate(kind, namespace)
+		if err != nil {
+			// machinery error
+			return err
+		}
+		if !ok {
+			return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+		// UPDATE
+		ok, err = authCheck.CanIUpdate(kind, namespace)
+		if err != nil {
+			// machinery error
+			return err
+		}
+		if !ok {
+			return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+		// GET
+		ok, err = authCheck.CanIGet(kind, namespace)
+		if err != nil {
+			// machinery error
+			return err
+		}
+		if !ok {
+			return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+
+		// DELETE
+		ok, err = authCheck.CanIDelete(kind, namespace)
+		if err != nil {
+			// machinery error
+			return err
+		}
+		if !ok {
+			return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
+		}
+
+	} else {
+		g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
+	}
+
+	return nil
+}
diff --git a/pkg/policy/generate/validate_test.go b/pkg/policy/generate/validate_test.go
new file mode 100644
index 0000000000..631aac6ed3
--- /dev/null
+++ b/pkg/policy/generate/validate_test.go
@@ -0,0 +1,89 @@
+package generate
+
+import (
+	"encoding/json"
+	"testing"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"gotest.tools/assert"
+)
+
+func Test_Validate_Generate(t *testing.T) {
+	rawGenerate := []byte(`
+	{
+		"kind": "NetworkPolicy",
+		"name": "defaultnetworkpolicy",
+		"data": {
+		   "spec": {
+			  "podSelector": {},
+			  "policyTypes": [
+				 "Ingress",
+				 "Egress"
+			  ],
+			  "ingress": [
+				 {}
+			  ],
+			  "egress": [
+				 {}
+			  ]
+		   }
+		}
+	 }`)
+
+	var genRule kyverno.Generation
+	err := json.Unmarshal(rawGenerate, &genRule)
+	assert.NilError(t, err)
+	checker := NewFakeGenerate(genRule)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Generate_HasAnchors(t *testing.T) {
+	var err error
+	rawGenerate := []byte(`
+	{
+		"kind": "NetworkPolicy",
+		"name": "defaultnetworkpolicy",
+		"data": {
+		   "spec": {
+			  "(podSelector)": {},
+			  "policyTypes": [
+				 "Ingress",
+				 "Egress"
+			  ],
+			  "ingress": [
+				 {}
+			  ],
+			  "egress": [
+				 {}
+			  ]
+		   }
+		}
+	 }`)
+
+	var genRule kyverno.Generation
+	err = json.Unmarshal(rawGenerate, &genRule)
+	assert.NilError(t, err)
+	checker := NewFakeGenerate(genRule)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	rawGenerate = []byte(`
+	{
+		"kind": "ConfigMap",
+		"name": "copied-cm",
+		"clone": {
+		   "^(namespace)": "default",
+		   "name": "game"
+		}
+	 }`)
+
+	err = json.Unmarshal(rawGenerate, &genRule)
+	assert.NilError(t, err)
+	checker = NewFakeGenerate(genRule)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go
new file mode 100644
index 0000000000..6a24c3d388
--- /dev/null
+++ b/pkg/policy/mutate/validate.go
@@ -0,0 +1,63 @@
+package mutate
+
+import (
+	"errors"
+	"fmt"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/engine/anchor"
+	"github.com/nirmata/kyverno/pkg/policy/common"
+)
+
+// Mutate provides implementation to validate 'mutate' rule
+type Mutate struct {
+	// rule to hold 'mutate' rule specifications
+	rule kyverno.Mutation
+}
+
+//NewMutateFactory returns a new instance of Mutate validation checker
+func NewMutateFactory(rule kyverno.Mutation) *Mutate {
+	m := Mutate{
+		rule: rule,
+	}
+	return &m
+}
+
+//Validate validates the 'mutate' rule
+func (m *Mutate) Validate() (string, error) {
+	rule := m.rule
+	// JSON Patches
+	if len(rule.Patches) != 0 {
+		for i, patch := range rule.Patches {
+			if err := validatePatch(patch); err != nil {
+				return fmt.Sprintf("patch[%d]", i), err
+			}
+		}
+	}
+	// Overlay
+	if rule.Overlay != nil {
+		path, err := common.ValidatePattern(rule.Overlay, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsAddingAnchor})
+		if err != nil {
+			return path, err
+		}
+	}
+	return "", nil
+}
+
+// Validate if all mandatory PolicyPatch fields are set
+func validatePatch(pp kyverno.Patch) error {
+	if pp.Path == "" {
+		return errors.New("JSONPatch field 'path' is mandatory")
+	}
+	if pp.Operation == "add" || pp.Operation == "replace" {
+		if pp.Value == nil {
+			return fmt.Errorf("JSONPatch field 'value' is mandatory for operation '%s'", pp.Operation)
+		}
+
+		return nil
+	} else if pp.Operation == "remove" {
+		return nil
+	}
+
+	return fmt.Errorf("Unsupported JSONPatch operation '%s'", pp.Operation)
+}
diff --git a/pkg/policy/mutate/validate_test.go b/pkg/policy/mutate/validate_test.go
new file mode 100644
index 0000000000..84ff0e59b7
--- /dev/null
+++ b/pkg/policy/mutate/validate_test.go
@@ -0,0 +1,151 @@
+package mutate
+
+import (
+	"encoding/json"
+	"testing"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"gotest.tools/assert"
+)
+
+func Test_Validate_Mutate_ConditionAnchor(t *testing.T) {
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		  "spec": {
+			"(serviceAccountName)": "*",
+			"automountServiceAccountToken": false
+		  }
+		}
+	  }`)
+
+	var mutate kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+	checker := NewMutateFactory(mutate)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_Mutate_PlusAnchor(t *testing.T) {
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "+(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	var mutate kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+
+	checker := NewMutateFactory(mutate)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_Mutate_Mismatched(t *testing.T) {
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "^(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	var mutateExistence kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutateExistence)
+	assert.NilError(t, err)
+
+	checker := NewMutateFactory(mutateExistence)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	var mutateEqual kyverno.Mutation
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "=(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutateEqual)
+	assert.NilError(t, err)
+
+	checker = NewMutateFactory(mutateEqual)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	var mutateNegation kyverno.Mutation
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "X(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutateNegation)
+	assert.NilError(t, err)
+
+	checker = NewMutateFactory(mutateEqual)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Mutate_Unsupported(t *testing.T) {
+	var err error
+	var mutate kyverno.Mutation
+	// case 1
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "!(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+
+	checker := NewMutateFactory(mutate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	// case 2
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "~(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+
+	checker = NewMutateFactory(mutate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
diff --git a/pkg/policy/namespacedpv.go b/pkg/policy/namespacedpv.go
index 654343d7df..8dd83d1f12 100644
--- a/pkg/policy/namespacedpv.go
+++ b/pkg/policy/namespacedpv.go
@@ -1,13 +1,13 @@
 package policy
 
 import (
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	cache "k8s.io/client-go/tools/cache"
 )
 
 func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
 	pv := obj.(*kyverno.PolicyViolation)
+	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 
 	if pv.DeletionTimestamp != nil {
 		// On a restart of the controller manager, it's possible for an object to
@@ -20,15 +20,16 @@ func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
 	ps := pc.getPolicyForNamespacedPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("PolicyViolation %s does not belong to an active policy, will be cleanedup", pv.Name)
+		logger.V(4).Info("namepaced policy violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil {
-			glog.Errorf("Failed to deleted policy violation %s: %v", pv.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("PolicyViolation %s deleted", pv.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Orphan Policy Violation %s added.", pv.Name)
+
+	logger.V(4).Info("resource added")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -42,19 +43,20 @@ func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}
 		// Two different versions of the same replica set will always have different RVs.
 		return
 	}
+	logger := pc.log.WithValues("kind", curPV.Kind, "namespace", curPV.Namespace, "name", curPV.Name)
 
 	ps := pc.getPolicyForNamespacedPolicyViolation(curPV)
 	if len(ps) == 0 {
 		// there is no namespaced policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Namespaced Policy Violation %s does not belong to an active policy, will be cleanedup", curPV.Name)
+		logger.V(4).Info("nameapced policy violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(curPV.Namespace, curPV.Name); err != nil {
-			glog.Errorf("Failed to deleted namespaced policy violation %s: %v", curPV.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("Namespaced Policy Violation %s deleted", curPV.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Namespaced Policy sViolation %s updated", curPV.Name)
+	logger.V(4).Info("resource updated")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -62,6 +64,7 @@ func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}
 }
 
 func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
+	logger := pc.log
 	pv, ok := obj.(*kyverno.PolicyViolation)
 	// When a delete is dropped, the relist will notice a PolicyViolation in the store not
 	// in the list, leading to the insertion of a tombstone object which contains
@@ -70,34 +73,36 @@ func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			glog.Infof("Couldn't get object from tombstone %#v", obj)
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 		pv, ok = tombstone.Obj.(*kyverno.PolicyViolation)
 		if !ok {
-			glog.Infof("Couldn't get object from tombstone %#v", obj)
+			logger.Info("Couldn't get object from tombstone", "obj", obj)
 			return
 		}
 	}
 
+	logger = logger.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	ps := pc.getPolicyForNamespacedPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		glog.V(4).Infof("Namespaced Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name)
+		logger.V(4).Info("nameapced policy violation does not belong to an active policy, will be cleanedup")
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil {
-			glog.Errorf("Failed to deleted namespaced policy violation %s: %v", pv.Name, err)
+			logger.Error(err, "failed to delete resource")
 			return
 		}
-		glog.V(4).Infof("Namespaced Policy Violation %s deleted", pv.Name)
+		logger.V(4).Info("resource deleted")
 		return
 	}
-	glog.V(4).Infof("Namespaced PolicyViolation %s updated", pv.Name)
+	logger.V(4).Info("resource updated")
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
 }
 
 func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.PolicyViolation) []*kyverno.ClusterPolicy {
+	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	policies, err := pc.pLister.GetPolicyForNamespacedPolicyViolation(pv)
 	if err != nil || len(policies) == 0 {
 		return nil
@@ -109,8 +114,7 @@ func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.Po
 	if len(policies) > 1 {
 		// ControllerRef will ensure we don't do anything crazy, but more than one
 		// item in this list nevertheless constitutes user error.
-		glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s",
-			pv.Name, pv.Labels, policies[0].Name)
+		logger.V(4).Info("user error! more than one policy is selecting policy violation", "labels", pv.Labels, "policy", policies[0].Name)
 	}
 	return policies
 }
diff --git a/pkg/policy/report.go b/pkg/policy/report.go
index 3614da9b32..476e07abb9 100644
--- a/pkg/policy/report.go
+++ b/pkg/policy/report.go
@@ -3,7 +3,7 @@ package policy
 import (
 	"fmt"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/policyviolation"
@@ -13,11 +13,12 @@ import (
 // - has violation -> report
 // - no violation -> cleanup policy violations
 func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineResponse) {
+	logger := pc.log
 	// generate Events
-	eventInfos := generateEvents(engineResponses)
+	eventInfos := generateEvents(pc.log, engineResponses)
 	pc.eventGen.Add(eventInfos...)
 	// create policy violation
-	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
+	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
 	for i := range pvInfos {
 		pvInfos[i].FromSync = true
 	}
@@ -29,39 +30,27 @@ func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineRe
 	pc.cleanUp(engineResponses)
 }
 
-func (pc *PolicyController) cleanUp(ers []response.EngineResponse) {
-	for _, er := range ers {
-		if !er.IsSuccesful() {
-			continue
-		}
-		if len(er.PolicyResponse.Rules) == 0 {
-			continue
-		}
-		// clean up after the policy has been corrected
-		pc.cleanUpPolicyViolation(er.PolicyResponse)
-	}
-}
-
-func generateEvents(ers []response.EngineResponse) []event.Info {
+func generateEvents(log logr.Logger, ers []response.EngineResponse) []event.Info {
 	var eventInfos []event.Info
 	for _, er := range ers {
 		if er.IsSuccesful() {
 			continue
 		}
-		eventInfos = append(eventInfos, generateEventsPerEr(er)...)
+		eventInfos = append(eventInfos, generateEventsPerEr(log, er)...)
 	}
 	return eventInfos
 }
 
-func generateEventsPerEr(er response.EngineResponse) []event.Info {
+func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.Info {
+	logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
 	var eventInfos []event.Info
-	glog.V(4).Infof("reporting results for policy '%s' application on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
+	logger.V(4).Info("reporting results for policy")
 	for _, rule := range er.PolicyResponse.Rules {
 		if rule.Success {
 			continue
 		}
 		// generate event on resource for each failed rule
-		glog.V(4).Infof("generation event on resource '%s/%s/%s' for policy '%s'", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name, er.PolicyResponse.Policy)
+		logger.V(4).Info("generating event on resource")
 		e := event.Info{}
 		e.Kind = er.PolicyResponse.Resource.Kind
 		e.Namespace = er.PolicyResponse.Resource.Namespace
@@ -76,7 +65,7 @@ func generateEventsPerEr(er response.EngineResponse) []event.Info {
 	}
 
 	// generate a event on policy for all failed rules
-	glog.V(4).Infof("generation event on policy '%s'", er.PolicyResponse.Policy)
+	logger.V(4).Info("generating event on policy")
 	e := event.Info{}
 	e.Kind = "ClusterPolicy"
 	e.Namespace = ""
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 9dec98a2c9..cffa69fe68 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -5,16 +5,12 @@ import (
 	"errors"
 	"fmt"
 	"reflect"
-	"regexp"
-	"strconv"
 	"strings"
 
-	"github.com/golang/glog"
-
 	"github.com/nirmata/kyverno/pkg/openapi"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"github.com/nirmata/kyverno/pkg/engine/anchor"
+	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -22,11 +18,10 @@ import (
 // Validate does some initial check to verify some conditions
 // - One operation per rule
 // - ResourceDescription mandatory checks
-func Validate(policyRaw []byte) error {
+func Validate(policyRaw []byte, client *dclient.Client, mock bool) error {
 	var p kyverno.ClusterPolicy
 	err := json.Unmarshal(policyRaw, &p)
 	if err != nil {
-		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
 		return fmt.Errorf("failed to unmarshal policy admission request err %v", err)
 	}
 
@@ -62,24 +57,12 @@ func Validate(policyRaw []byte) error {
 			// as there are more than 1 operation in rule, not need to evaluate it further
 			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
 		}
-		// Operation Validation
-		// Mutation
-		if rule.HasMutate() {
-			if path, err := validateMutation(rule.Mutation); err != nil {
-				return fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", i, path, err)
-			}
-		}
-		// Validation
-		if rule.HasValidate() {
-			if path, err := validateValidation(rule.Validation); err != nil {
-				return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", i, path, err)
-			}
-		}
-		// Generation
-		if rule.HasGenerate() {
-			if path, err := validateGeneration(rule.Generation); err != nil {
-				return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", i, path, err)
-			}
+		// validate rule actions
+		// - Mutate
+		// - Validate
+		// - Generate
+		if err := validateActions(i, rule, client, mock); err != nil {
+			return err
 		}
 
 		// If a rules match block does not match any kind,
@@ -278,193 +261,3 @@ func validateResourceDescription(rd kyverno.ResourceDescription) error {
 	}
 	return nil
 }
-
-func validateMutation(m kyverno.Mutation) (string, error) {
-	// JSON Patches
-	if len(m.Patches) != 0 {
-		for i, patch := range m.Patches {
-			if err := validatePatch(patch); err != nil {
-				return fmt.Sprintf("patch[%d]", i), err
-			}
-		}
-	}
-	// Overlay
-	if m.Overlay != nil {
-		path, err := validatePattern(m.Overlay, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsAddingAnchor})
-		if err != nil {
-			return path, err
-		}
-	}
-	return "", nil
-}
-
-// Validate if all mandatory PolicyPatch fields are set
-func validatePatch(pp kyverno.Patch) error {
-	if pp.Path == "" {
-		return errors.New("JSONPatch field 'path' is mandatory")
-	}
-	if pp.Operation == "add" || pp.Operation == "replace" {
-		if pp.Value == nil {
-			return fmt.Errorf("JSONPatch field 'value' is mandatory for operation '%s'", pp.Operation)
-		}
-
-		return nil
-	} else if pp.Operation == "remove" {
-		return nil
-	}
-
-	return fmt.Errorf("Unsupported JSONPatch operation '%s'", pp.Operation)
-}
-
-func validateValidation(v kyverno.Validation) (string, error) {
-	if err := validateOverlayPattern(v); err != nil {
-		// no need to proceed ahead
-		return "", err
-	}
-
-	if v.Pattern != nil {
-		if path, err := validatePattern(v.Pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
-			return fmt.Sprintf("pattern.%s", path), err
-		}
-	}
-
-	if len(v.AnyPattern) != 0 {
-		for i, pattern := range v.AnyPattern {
-			if path, err := validatePattern(pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
-				return fmt.Sprintf("anyPattern[%d].%s", i, path), err
-			}
-		}
-	}
-	return "", nil
-}
-
-// validateOverlayPattern checks one of pattern/anyPattern must exist
-func validateOverlayPattern(v kyverno.Validation) error {
-	if v.Pattern == nil && len(v.AnyPattern) == 0 {
-		return fmt.Errorf("a pattern or anyPattern must be specified")
-	}
-
-	if v.Pattern != nil && len(v.AnyPattern) != 0 {
-		return fmt.Errorf("only one operation allowed per validation rule(pattern or anyPattern)")
-	}
-
-	return nil
-}
-
-// Validate returns error if generator is configured incompletely
-func validateGeneration(gen kyverno.Generation) (string, error) {
-
-	if gen.Data == nil && gen.Clone == (kyverno.CloneFrom{}) {
-		return "", fmt.Errorf("clone or data are required")
-	}
-	if gen.Data != nil && gen.Clone != (kyverno.CloneFrom{}) {
-		return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)")
-	}
-	// check kind is non empty
-	// check name is non empty
-	if gen.Name == "" {
-		return "name", fmt.Errorf("name cannot be empty")
-	}
-	if gen.Kind == "" {
-		return "kind", fmt.Errorf("kind cannot be empty")
-	}
-	if !reflect.DeepEqual(gen.Clone, kyverno.CloneFrom{}) {
-		if path, err := validateClone(gen.Clone); err != nil {
-			return fmt.Sprintf("clone.%s", path), err
-		}
-	}
-	if gen.Data != nil {
-		//TODO: is this required ?? as anchors can only be on pattern and not resource
-		// we can add this check by not sure if its needed here
-		if path, err := validatePattern(gen.Data, "/", []anchor.IsAnchor{}); err != nil {
-			return fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err)
-		}
-	}
-	return "", nil
-}
-
-func validateClone(c kyverno.CloneFrom) (string, error) {
-	if c.Name == "" {
-		return "name", fmt.Errorf("name cannot be empty")
-	}
-	if c.Namespace == "" {
-		return "namespace", fmt.Errorf("namespace cannot be empty")
-	}
-	return "", nil
-}
-
-func validatePattern(patternElement interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
-	switch typedPatternElement := patternElement.(type) {
-	case map[string]interface{}:
-		return validateMap(typedPatternElement, path, supportedAnchors)
-	case []interface{}:
-		return validateArray(typedPatternElement, path, supportedAnchors)
-	case string, float64, int, int64, bool, nil:
-		//TODO? check operator
-		return "", nil
-	default:
-		return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path)
-	}
-}
-
-func validateMap(patternMap map[string]interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
-	// check if anchors are defined
-	for key, value := range patternMap {
-		// if key is anchor
-		// check regex () -> this is anchor
-		// ()
-		// single char ()
-		re, err := regexp.Compile(`^.?\(.+\)$`)
-		if err != nil {
-			return path + "/" + key, fmt.Errorf("Unable to parse the field %s: %v", key, err)
-		}
-
-		matched := re.MatchString(key)
-		// check the type of anchor
-		if matched {
-			// some type of anchor
-			// check if valid anchor
-			if !checkAnchors(key, supportedAnchors) {
-				return path + "/" + key, fmt.Errorf("Unsupported anchor %s", key)
-			}
-
-			// addition check for existence anchor
-			// value must be of type list
-			if anchor.IsExistenceAnchor(key) {
-				typedValue, ok := value.([]interface{})
-				if !ok {
-					return path + "/" + key, fmt.Errorf("Existence anchor should have value of type list")
-				}
-				// validate there is only one entry in the list
-				if len(typedValue) == 0 || len(typedValue) > 1 {
-					return path + "/" + key, fmt.Errorf("Existence anchor: single value expected, multiple specified")
-				}
-			}
-		}
-		// lets validate the values now :)
-		if errPath, err := validatePattern(value, path+"/"+key, supportedAnchors); err != nil {
-			return errPath, err
-		}
-	}
-	return "", nil
-}
-
-func validateArray(patternArray []interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
-	for i, patternElement := range patternArray {
-		currentPath := path + strconv.Itoa(i) + "/"
-		// lets validate the values now :)
-		if errPath, err := validatePattern(patternElement, currentPath, supportedAnchors); err != nil {
-			return errPath, err
-		}
-	}
-	return "", nil
-}
-
-func checkAnchors(key string, supportedAnchors []anchor.IsAnchor) bool {
-	for _, f := range supportedAnchors {
-		if f(key) {
-			return true
-		}
-	}
-	return false
-}
diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go
new file mode 100644
index 0000000000..3889f9f163
--- /dev/null
+++ b/pkg/policy/validate/validate.go
@@ -0,0 +1,61 @@
+package validate
+
+import (
+	"fmt"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/engine/anchor"
+	"github.com/nirmata/kyverno/pkg/policy/common"
+)
+
+// Validate provides implementation to validate 'validate' rule
+type Validate struct {
+	// rule to hold 'validate' rule specifications
+	rule kyverno.Validation
+}
+
+//NewValidateFactory returns a new instance of Mutate validation checker
+func NewValidateFactory(rule kyverno.Validation) *Validate {
+	m := Validate{
+		rule: rule,
+	}
+	return &m
+}
+
+//Validate validates the 'validate' rule
+func (v *Validate) Validate() (string, error) {
+	rule := v.rule
+	if err := v.validateOverlayPattern(); err != nil {
+		// no need to proceed ahead
+		return "", err
+	}
+
+	if rule.Pattern != nil {
+		if path, err := common.ValidatePattern(rule.Pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
+			return fmt.Sprintf("pattern.%s", path), err
+		}
+	}
+
+	if len(rule.AnyPattern) != 0 {
+		for i, pattern := range rule.AnyPattern {
+			if path, err := common.ValidatePattern(pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
+				return fmt.Sprintf("anyPattern[%d].%s", i, path), err
+			}
+		}
+	}
+	return "", nil
+}
+
+// validateOverlayPattern checks one of pattern/anyPattern must exist
+func (v *Validate) validateOverlayPattern() error {
+	rule := v.rule
+	if rule.Pattern == nil && len(rule.AnyPattern) == 0 {
+		return fmt.Errorf("a pattern or anyPattern must be specified")
+	}
+
+	if rule.Pattern != nil && len(rule.AnyPattern) != 0 {
+		return fmt.Errorf("only one operation allowed per validation rule(pattern or anyPattern)")
+	}
+
+	return nil
+}
diff --git a/pkg/policy/validate/validate_test.go b/pkg/policy/validate/validate_test.go
new file mode 100644
index 0000000000..ee83204707
--- /dev/null
+++ b/pkg/policy/validate/validate_test.go
@@ -0,0 +1,381 @@
+package validate
+
+import (
+	"encoding/json"
+	"testing"
+
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"gotest.tools/assert"
+)
+
+func Test_Validate_OverlayPattern_Empty(t *testing.T) {
+	rawValidation := []byte(`
+   {}`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) {
+	rawValidation := []byte(`
+ 	{ "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
+      }
+	`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) {
+	rawValidation := []byte(`
+	{
+		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
+		"anyPattern": [
+		  {
+			"spec": {
+			  "securityContext": {
+				"allowPrivilegeEscalation": false,
+				"privileged": false
+			  }
+			}
+		  }
+		],
+		"pattern": {
+		  "spec": {
+			"containers": [
+			  {
+				"name": "*",
+				"securityContext": {
+				  "allowPrivilegeEscalation": false,
+				  "privileged": false
+				}
+			  }
+			]
+		  }
+		}
+	  }`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+func Test_Validate_OverlayPattern_Valid(t *testing.T) {
+	rawValidation := []byte(`
+	{
+		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
+		"anyPattern": [
+		  {
+			"spec": {
+			  "securityContext": {
+				"allowPrivilegeEscalation": false,
+				"privileged": false
+			  }
+			}
+		  },
+		  {
+			"spec": {
+			  "containers": [
+				{
+				  "name": "*",
+				  "securityContext": {
+					"allowPrivilegeEscalation": false,
+					"privileged": false
+				  }
+				}
+			  ]
+			}
+		  }
+		]
+	  }
+`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) {
+	rawValidation := []byte(`
+	{
+		"message": "validate container security contexts",
+		"anyPattern": [
+		  {
+			"spec": {
+			  "template": {
+				"spec": {
+				  "containers": [
+					{
+					  "^(securityContext)": {
+						"runAsNonRoot": true
+					  }
+					}
+				  ]
+				}
+			  }
+			}
+		  }
+		]
+	  }
+`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) {
+	rawValidation := []byte(`{
+		"message": "validate container security contexts",
+		"pattern": {
+		  "spec": {
+			"template": {
+			  "spec": {
+				"containers": [
+				  {
+					"securityContext": {
+					  "allowPrivilegeEscalation": "^(false)"
+					}
+				  }
+				]
+			  }
+			}
+		  }
+		}
+	  }
+	  		  `)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_ExistingAnchor_Valid(t *testing.T) {
+	var err error
+	var validation kyverno.Validation
+	rawValidation := []byte(`
+	{
+		"message": "validate container security contexts",
+		"anyPattern": [
+		   {
+			  "spec": {
+				 "template": {
+					"spec": {
+					   "^(containers)": [
+						  {
+							 "securityContext": {
+								"runAsNonRoot": "true"
+							 }
+						  }
+					   ]
+					}
+				 }
+			  }
+		   }
+		]
+	 }`)
+
+	err = json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+	rawValidation = []byte(`
+	{
+		"message": "validate container security contexts",
+		"pattern": {
+		   "spec": {
+			  "template": {
+				 "spec": {
+					"^(containers)": [
+					   {
+						  "securityContext": {
+							 "allowPrivilegeEscalation": "false"
+						  }
+					   }
+					]
+				 }
+			  }
+		   }
+		}
+	 }	`)
+	err = json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	checker = NewValidateFactory(validation)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+}
+
+func Test_Validate_Validate_ValidAnchor(t *testing.T) {
+	var err error
+	var validate kyverno.Validation
+	var rawValidate []byte
+	// case 1
+	rawValidate = []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"anyPattern": [
+		    {
+			  "spec": {
+				 "securityContext": {
+					"(runAsNonRoot)": true
+				 }
+			  }
+		   },
+		   {
+			  "spec": {
+				 "^(containers)": [
+					{
+					   "name": "*",
+					   "securityContext": {
+						  "runAsNonRoot": true
+					   }
+					}
+				 ]
+			  }
+		   }
+		]
+	 }`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+
+	checker := NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+
+	// case 2
+	validate = kyverno.Validation{}
+	rawValidate = []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "=(securityContext)": {
+				 "runAsNonRoot": "true"
+			  }
+		   }
+		}
+	}`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+
+	checker = NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_Validate_Mismatched(t *testing.T) {
+	rawValidate := []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "containers": [
+				 {
+					"name": "*",
+					"securityContext": {
+					   "+(runAsNonRoot)": true
+					}
+				 }
+			  ]
+		   }
+		}
+	 }`)
+
+	var validate kyverno.Validation
+	err := json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Validate_Unsupported(t *testing.T) {
+	var err error
+	var validate kyverno.Validation
+
+	// case 1
+	rawValidate := []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "containers": [
+				 {
+					"name": "*",
+					"securityContext": {
+					   "!(runAsNonRoot)": true
+					}
+				 }
+			  ]
+		   }
+		}
+	}`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+	checker := NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	// case 2
+	rawValidate = []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "containers": [
+				 {
+					"name": "*",
+					"securityContext": {
+					   "~(runAsNonRoot)": true
+					}
+				 }
+			  ]
+		   }
+		}
+	}`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+
+	checker = NewValidateFactory(validate)
+	if _, err := checker.Validate(); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+}
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 9082e9322a..bd239995cc 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -287,369 +287,6 @@ func Test_Validate_ResourceDescription_InvalidSelector(t *testing.T) {
 	assert.Assert(t, err != nil)
 }
 
-func Test_Validate_OverlayPattern_Empty(t *testing.T) {
-	rawValidation := []byte(`
-   {}`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) {
-	rawValidation := []byte(`
- 	{ "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
-      }
-	`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) {
-	rawValidation := []byte(`
-	{
-		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
-		"anyPattern": [
-		  {
-			"spec": {
-			  "securityContext": {
-				"allowPrivilegeEscalation": false,
-				"privileged": false
-			  }
-			}
-		  }
-		],
-		"pattern": {
-		  "spec": {
-			"containers": [
-			  {
-				"name": "*",
-				"securityContext": {
-				  "allowPrivilegeEscalation": false,
-				  "privileged": false
-				}
-			  }
-			]
-		  }
-		}
-	  }`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_OverlayPattern_Valid(t *testing.T) {
-	rawValidation := []byte(`
-	{
-		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
-		"anyPattern": [
-		  {
-			"spec": {
-			  "securityContext": {
-				"allowPrivilegeEscalation": false,
-				"privileged": false
-			  }
-			}
-		  },
-		  {
-			"spec": {
-			  "containers": [
-				{
-				  "name": "*",
-				  "securityContext": {
-					"allowPrivilegeEscalation": false,
-					"privileged": false
-				  }
-				}
-			  ]
-			}
-		  }
-		]
-	  }
-`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.NilError(t, err)
-	}
-
-}
-
-func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) {
-	rawValidation := []byte(`
-	{
-		"message": "validate container security contexts",
-		"anyPattern": [
-		  {
-			"spec": {
-			  "template": {
-				"spec": {
-				  "containers": [
-					{
-					  "^(securityContext)": {
-						"runAsNonRoot": true
-					  }
-					}
-				  ]
-				}
-			  }
-			}
-		  }
-		]
-	  }
-`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-}
-
-func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) {
-	rawValidation := []byte(`{
-		"message": "validate container security contexts",
-		"pattern": {
-		  "spec": {
-			"template": {
-			  "spec": {
-				"containers": [
-				  {
-					"securityContext": {
-					  "allowPrivilegeEscalation": "^(false)"
-					}
-				  }
-				]
-			  }
-			}
-		  }
-		}
-	  }
-	  		  `)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_ExistingAnchor_Valid(t *testing.T) {
-	var err error
-	var validation kyverno.Validation
-	rawValidation := []byte(`
-	{
-		"message": "validate container security contexts",
-		"anyPattern": [
-		   {
-			  "spec": {
-				 "template": {
-					"spec": {
-					   "^(containers)": [
-						  {
-							 "securityContext": {
-								"runAsNonRoot": "true"
-							 }
-						  }
-					   ]
-					}
-				 }
-			  }
-		   }
-		]
-	 }`)
-
-	err = json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-	rawValidation = []byte(`
-	{
-		"message": "validate container security contexts",
-		"pattern": {
-		   "spec": {
-			  "template": {
-				 "spec": {
-					"^(containers)": [
-					   {
-						  "securityContext": {
-							 "allowPrivilegeEscalation": "false"
-						  }
-					   }
-					]
-				 }
-			  }
-		   }
-		}
-	 }	`)
-	err = json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validation); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-}
-
-func Test_Validate_Validate_ValidAnchor(t *testing.T) {
-	var err error
-	var validate kyverno.Validation
-	var rawValidate []byte
-	// case 1
-	rawValidate = []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"anyPattern": [
-		    {
-			  "spec": {
-				 "securityContext": {
-					"(runAsNonRoot)": true
-				 }
-			  }
-		   },
-		   {
-			  "spec": {
-				 "^(containers)": [
-					{
-					   "name": "*",
-					   "securityContext": {
-						  "runAsNonRoot": true
-					   }
-					}
-				 ]
-			  }
-		   }
-		]
-	 }`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-
-	if _, err := validateValidation(validate); err != nil {
-		assert.NilError(t, err)
-	}
-
-	// case 2
-	validate = kyverno.Validation{}
-	rawValidate = []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "=(securityContext)": {
-				 "runAsNonRoot": "true"
-			  }
-		   }
-		}
-	}`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-
-	if _, err := validateValidation(validate); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_Validate_Mismatched(t *testing.T) {
-	rawValidate := []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "containers": [
-				 {
-					"name": "*",
-					"securityContext": {
-					   "+(runAsNonRoot)": true
-					}
-				 }
-			  ]
-		   }
-		}
-	 }`)
-
-	var validate kyverno.Validation
-	err := json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Validate_Unsupported(t *testing.T) {
-	var err error
-	var validate kyverno.Validation
-
-	// case 1
-	rawValidate := []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "containers": [
-				 {
-					"name": "*",
-					"securityContext": {
-					   "!(runAsNonRoot)": true
-					}
-				 }
-			  ]
-		   }
-		}
-	}`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-	if _, err := validateValidation(validate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	// case 2
-	rawValidate = []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "containers": [
-				 {
-					"name": "*",
-					"securityContext": {
-					   "~(runAsNonRoot)": true
-					}
-				 }
-			  ]
-		   }
-		}
-	}`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-
-	if _, err := validateValidation(validate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-}
-
 func Test_Validate_Policy(t *testing.T) {
 	rawPolicy := []byte(`
 	{
@@ -732,225 +369,10 @@ func Test_Validate_Policy(t *testing.T) {
 		}
 	 }`)
 
-	err := Validate(rawPolicy)
+	err := Validate(rawPolicy, nil, true)
 	assert.NilError(t, err)
 }
 
-func Test_Validate_Mutate_ConditionAnchor(t *testing.T) {
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		  "spec": {
-			"(serviceAccountName)": "*",
-			"automountServiceAccountToken": false
-		  }
-		}
-	  }`)
-
-	var mutate kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-	if _, err := validateMutation(mutate); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_Mutate_PlusAnchor(t *testing.T) {
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "+(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	var mutate kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutate); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_Mutate_Mismatched(t *testing.T) {
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "^(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	var mutateExistence kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutateExistence)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutateExistence); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	var mutateEqual kyverno.Mutation
-	rawMutate = []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "=(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutateEqual)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutateEqual); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	var mutateNegation kyverno.Mutation
-	rawMutate = []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "X(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutateNegation)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutateEqual); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Mutate_Unsupported(t *testing.T) {
-	var err error
-	var mutate kyverno.Mutation
-	// case 1
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "!(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	// case 2
-	rawMutate = []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "~(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-
-	if _, err := validateMutation(mutate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Generate(t *testing.T) {
-	rawGenerate := []byte(`
-	{
-		"kind": "NetworkPolicy",
-		"name": "defaultnetworkpolicy",
-		"data": {
-		   "spec": {
-			  "podSelector": {},
-			  "policyTypes": [
-				 "Ingress",
-				 "Egress"
-			  ],
-			  "ingress": [
-				 {}
-			  ],
-			  "egress": [
-				 {}
-			  ]
-		   }
-		}
-	 }`)
-
-	var generate kyverno.Generation
-	err := json.Unmarshal(rawGenerate, &generate)
-	assert.NilError(t, err)
-
-	if _, err := validateGeneration(generate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Generate_HasAnchors(t *testing.T) {
-	var err error
-	var generate kyverno.Generation
-	rawGenerate := []byte(`
-	{
-		"kind": "NetworkPolicy",
-		"name": "defaultnetworkpolicy",
-		"data": {
-		   "spec": {
-			  "(podSelector)": {},
-			  "policyTypes": [
-				 "Ingress",
-				 "Egress"
-			  ],
-			  "ingress": [
-				 {}
-			  ],
-			  "egress": [
-				 {}
-			  ]
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawGenerate, &generate)
-	assert.NilError(t, err)
-	if _, err := validateGeneration(generate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	rawGenerate = []byte(`
-	{
-		"kind": "ConfigMap",
-		"name": "copied-cm",
-		"clone": {
-		   "^(namespace)": "default",
-		   "name": "game"
-		}
-	 }`)
-
-	errNew := json.Unmarshal(rawGenerate, &generate)
-	assert.NilError(t, errNew)
-	err = json.Unmarshal(rawGenerate, &generate)
-	assert.NilError(t, err)
-	if _, err := validateGeneration(generate); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
 func Test_Validate_ErrorFormat(t *testing.T) {
 	rawPolicy := []byte(`
 	{
@@ -1089,7 +511,7 @@ func Test_Validate_ErrorFormat(t *testing.T) {
 	 }
 	`)
 
-	err := Validate(rawPolicy)
+	err := Validate(rawPolicy, nil, true)
 	assert.Assert(t, err != nil)
 }
 
diff --git a/pkg/policy/webhookregistration.go b/pkg/policy/webhookregistration.go
index f4b2188b2a..5c8fc0aa69 100644
--- a/pkg/policy/webhookregistration.go
+++ b/pkg/policy/webhookregistration.go
@@ -1,25 +1,25 @@
 package policy
 
 import (
-	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/labels"
 )
 
 func (pc *PolicyController) removeResourceWebhookConfiguration() error {
+	logger := pc.log
 	var err error
 	// get all existing policies
 	policies, err := pc.pLister.List(labels.NewSelector())
 	if err != nil {
-		glog.V(4).Infof("failed to list policies: %v", err)
+		logger.Error(err, "failed to list policies")
 		return err
 	}
 
 	if len(policies) == 0 {
-		glog.V(4).Info("no policies loaded, removing resource webhook configuration if one exists")
+		logger.V(4).Info("no policies loaded, removing resource webhook configuration if one exists")
 		return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration()
 	}
 
-	glog.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists")
+	logger.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists")
 
 	return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration()
 }
diff --git a/pkg/policystatus/main.go b/pkg/policystatus/main.go
index 3e633aaf82..b21ff2e505 100644
--- a/pkg/policystatus/main.go
+++ b/pkg/policystatus/main.go
@@ -2,16 +2,16 @@ package policystatus
 
 import (
 	"encoding/json"
+	"fmt"
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
-
 	"k8s.io/apimachinery/pkg/util/wait"
 
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // Policy status implementation works in the following way,
@@ -111,8 +111,7 @@ func (s *Sync) updateStatusCache(stopCh <-chan struct{}) {
 			s.cache.keyToMutex.Get(statusUpdater.PolicyName()).Unlock()
 			oldStatus, _ := json.Marshal(status)
 			newStatus, _ := json.Marshal(updatedStatus)
-
-			glog.V(4).Infof("\nupdated status of policy - %v\noldStatus:\n%v\nnewStatus:\n%v\n", statusUpdater.PolicyName(), string(oldStatus), string(newStatus))
+			log.Log.V(4).Info(fmt.Sprintf("\nupdated status of policy - %v\noldStatus:\n%v\nnewStatus:\n%v\n", statusUpdater.PolicyName(), string(oldStatus), string(newStatus)))
 		case <-stopCh:
 			return
 		}
@@ -140,7 +139,7 @@ func (s *Sync) updatePolicyStatus() {
 			s.cache.dataMu.Lock()
 			delete(s.cache.data, policyName)
 			s.cache.dataMu.Unlock()
-			glog.V(4).Info(err)
+			log.Log.Error(err, "failed to update policy status")
 		}
 	}
 }
diff --git a/pkg/policystore/policystore.go b/pkg/policystore/policystore.go
index f8a8e30874..0ecfd5ea32 100644
--- a/pkg/policystore/policystore.go
+++ b/pkg/policystore/policystore.go
@@ -3,12 +3,11 @@ package policystore
 import (
 	"sync"
 
-	"k8s.io/apimachinery/pkg/labels"
-
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 
@@ -24,6 +23,7 @@ type PolicyStore struct {
 	pLister kyvernolister.ClusterPolicyLister
 	// returns true if the cluster policy store has been synced at least once
 	pSynched cache.InformerSynced
+	log      logr.Logger
 }
 
 //UpdateInterface provides api to update policies
@@ -40,25 +40,29 @@ type LookupInterface interface {
 }
 
 // NewPolicyStore returns a new policy store
-func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer) *PolicyStore {
+func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer,
+	log logr.Logger) *PolicyStore {
 	ps := PolicyStore{
 		data:     make(kindMap),
 		pLister:  pInformer.Lister(),
 		pSynched: pInformer.Informer().HasSynced,
+		log:      log,
 	}
 	return &ps
 }
 
 //Run checks syncing
 func (ps *PolicyStore) Run(stopCh <-chan struct{}) {
+	logger := ps.log
 	if !cache.WaitForCacheSync(stopCh, ps.pSynched) {
-		glog.Error("policy meta store: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 	}
 }
 
 //Register a new policy
 func (ps *PolicyStore) Register(policy kyverno.ClusterPolicy) {
-	glog.V(4).Infof("adding resources %s", policy.Name)
+	logger := ps.log
+	logger.V(4).Info("adding policy", "name", policy.Name)
 	ps.mu.Lock()
 	defer ps.mu.Unlock()
 	var pmap policyMap
diff --git a/pkg/policyviolation/builder.go b/pkg/policyviolation/builder.go
index 1de366eb66..da556697be 100644
--- a/pkg/policyviolation/builder.go
+++ b/pkg/policyviolation/builder.go
@@ -3,24 +3,23 @@ package policyviolation
 import (
 	"fmt"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 )
 
 //GeneratePVsFromEngineResponse generate Violations from engine responses
-func GeneratePVsFromEngineResponse(ers []response.EngineResponse) (pvInfos []Info) {
+func GeneratePVsFromEngineResponse(ers []response.EngineResponse, log logr.Logger) (pvInfos []Info) {
 	for _, er := range ers {
 		// ignore creation of PV for resources that are yet to be assigned a name
 		if er.PolicyResponse.Resource.Name == "" {
-			glog.V(4).Infof("resource %v, has not been assigned a name, not creating a policy violation for it", er.PolicyResponse.Resource)
+			log.V(4).Info("resource does no have a name assigned yet, not creating a policy violation", "resource", er.PolicyResponse.Resource)
 			continue
 		}
 		// skip when response succeed
 		if er.IsSuccesful() {
 			continue
 		}
-		glog.V(4).Infof("Building policy violation for engine response %v", er)
 		// build policy violation info
 		pvInfos = append(pvInfos, buildPVInfo(er))
 	}
diff --git a/pkg/policyviolation/builder_test.go b/pkg/policyviolation/builder_test.go
index bd3f8c97f0..a44314f9f2 100644
--- a/pkg/policyviolation/builder_test.go
+++ b/pkg/policyviolation/builder_test.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Test_GeneratePVsFromEngineResponse_PathNotExist(t *testing.T) {
@@ -52,6 +53,6 @@ func Test_GeneratePVsFromEngineResponse_PathNotExist(t *testing.T) {
 		},
 	}
 
-	pvInfos := GeneratePVsFromEngineResponse(ers)
+	pvInfos := GeneratePVsFromEngineResponse(ers, log.Log)
 	assert.Assert(t, len(pvInfos) == 1)
 }
diff --git a/pkg/policyviolation/clusterpv.go b/pkg/policyviolation/clusterpv.go
index c9336f8059..4cb26ea216 100644
--- a/pkg/policyviolation/clusterpv.go
+++ b/pkg/policyviolation/clusterpv.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
@@ -21,11 +21,13 @@ type clusterPV struct {
 	cpvLister kyvernolister.ClusterPolicyViolationLister
 	// policy violation interface
 	kyvernoInterface kyvernov1.KyvernoV1Interface
+	// logger
+	log logr.Logger
 	// update policy stats with violationCount
 	policyStatusListener policystatus.Listener
 }
 
-func newClusterPV(dclient *client.Client,
+func newClusterPV(log logr.Logger, dclient *client.Client,
 	cpvLister kyvernolister.ClusterPolicyViolationLister,
 	kyvernoInterface kyvernov1.KyvernoV1Interface,
 	policyStatus policystatus.Listener,
@@ -34,6 +36,7 @@ func newClusterPV(dclient *client.Client,
 		dclient:              dclient,
 		cpvLister:            cpvLister,
 		kyvernoInterface:     kyvernoInterface,
+		log:                  log,
 		policyStatusListener: policyStatus,
 	}
 	return &cpv
@@ -56,6 +59,7 @@ func (cpv *clusterPV) create(pv kyverno.PolicyViolationTemplate) error {
 }
 
 func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyverno.ClusterPolicyViolation, error) {
+	logger := cpv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name)
 	var err error
 	// use labels
 	policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
@@ -66,7 +70,7 @@ func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyvern
 
 	pvs, err := cpv.cpvLister.List(ls)
 	if err != nil {
-		glog.Errorf("unable to list cluster policy violations : %v", err)
+		logger.Error(err, "failed to list cluster policy violations")
 		return nil, err
 	}
 
@@ -83,7 +87,8 @@ func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyvern
 
 func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 	var err error
-	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Name)
+	logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
+	logger.V(4).Info("creating new policy violation")
 	obj, err := retryGetResource(cpv.dclient, newPv.Spec.ResourceSpec)
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
@@ -95,7 +100,7 @@ func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 	// create resource
 	_, err = cpv.kyvernoInterface.ClusterPolicyViolations().Create(newPv)
 	if err != nil {
-		glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err)
+		logger.Error(err, "failed to create cluster policy violation")
 		return err
 	}
 
@@ -103,15 +108,16 @@ func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 		cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
 	}
 
-	glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec)
+	logger.Info("cluster policy violation created")
 	return nil
 }
 
 func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) error {
+	logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
 	var err error
 	// check if there is any update
 	if reflect.DeepEqual(newPv.Spec, oldPv.Spec) {
-		glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec)
+		logger.V(4).Info("policy violation spec did not change, not upadating the resource")
 		return nil
 	}
 	// set name
@@ -123,7 +129,7 @@ func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) err
 	if err != nil {
 		return fmt.Errorf("failed to update cluster policy violation: %v", err)
 	}
-	glog.Infof("cluster policy violation updated for resource %v", newPv.Spec.ResourceSpec)
+	logger.Info("cluster policy violation created")
 
 	if newPv.Annotations["fromSync"] != "true" {
 		cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
diff --git a/pkg/policyviolation/common.go b/pkg/policyviolation/common.go
index 6f077b25b8..e2211edb13 100644
--- a/pkg/policyviolation/common.go
+++ b/pkg/policyviolation/common.go
@@ -5,13 +5,13 @@ import (
 	"time"
 
 	backoff "github.com/cenkalti/backoff"
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerReference {
@@ -34,7 +34,7 @@ func retryGetResource(client *client.Client, rspec kyverno.ResourceSpec) (*unstr
 	var err error
 	getResource := func() error {
 		obj, err = client.GetResource(rspec.Kind, rspec.Namespace, rspec.Name)
-		glog.V(4).Infof("retry %v getting %s/%s/%s", i, rspec.Kind, rspec.Namespace, rspec.Name)
+		log.Log.V(4).Info(fmt.Sprintf("retry %v getting %s/%s/%s", i, rspec.Kind, rspec.Namespace, rspec.Name))
 		i++
 		return err
 	}
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index db5ca63fcd..ed3ffe76a2 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -8,7 +8,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
@@ -38,6 +38,7 @@ type Generator struct {
 	// returns true if the cluster policy store has been synced at least once
 	pvSynced cache.InformerSynced
 	// returns true if the namespaced cluster policy store has been synced at at least once
+	log                  logr.Logger
 	nspvSynced           cache.InformerSynced
 	queue                workqueue.RateLimitingInterface
 	dataStore            *dataStore
@@ -107,7 +108,8 @@ func NewPVGenerator(client *kyvernoclient.Clientset,
 	dclient *dclient.Client,
 	pvInformer kyvernoinformer.ClusterPolicyViolationInformer,
 	nspvInformer kyvernoinformer.PolicyViolationInformer,
-	policyStatus policystatus.Listener) *Generator {
+	policyStatus policystatus.Listener,
+	log logr.Logger) *Generator {
 	gen := Generator{
 		kyvernoInterface:     client.KyvernoV1(),
 		dclient:              dclient,
@@ -117,6 +119,7 @@ func NewPVGenerator(client *kyvernoclient.Clientset,
 		nspvSynced:           nspvInformer.Informer().HasSynced,
 		queue:                workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), workQueueName),
 		dataStore:            newDataStore(),
+		log:                  log,
 		policyStatusListener: policyStatus,
 	}
 	return &gen
@@ -135,18 +138,18 @@ func (gen *Generator) enqueue(info Info) {
 func (gen *Generator) Add(infos ...Info) {
 	for _, info := range infos {
 		gen.enqueue(info)
-		glog.V(3).Infof("Added policy violation: %s", info.toKey())
 	}
 }
 
 // Run starts the workers
 func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
+	logger := gen.log
 	defer utilruntime.HandleCrash()
-	glog.Info("Start policy violation generator")
-	defer glog.Info("Shutting down policy violation generator")
+	logger.Info("start")
+	defer logger.Info("shutting down")
 
 	if !cache.WaitForCacheSync(stopCh, gen.pvSynced, gen.nspvSynced) {
-		glog.Error("policy violation generator: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 	}
 
 	for i := 0; i < workers; i++ {
@@ -161,6 +164,7 @@ func (gen *Generator) runWorker() {
 }
 
 func (gen *Generator) handleErr(err error, key interface{}) {
+	logger := gen.log
 	if err == nil {
 		gen.queue.Forget(key)
 		return
@@ -168,23 +172,22 @@ func (gen *Generator) handleErr(err error, key interface{}) {
 
 	// retires requests if there is error
 	if gen.queue.NumRequeues(key) < workQueueRetryLimit {
-		glog.V(4).Infof("Error syncing policy violation %v: %v", key, err)
+		logger.Error(err, "failed to sync policy violation", "key", key)
 		// Re-enqueue the key rate limited. Based on the rate limiter on the
 		// queue and the re-enqueue history, the key will be processed later again.
 		gen.queue.AddRateLimited(key)
 		return
 	}
 	gen.queue.Forget(key)
-	glog.Error(err)
 	// remove from data store
 	if keyHash, ok := key.(string); ok {
 		gen.dataStore.delete(keyHash)
 	}
-
-	glog.Warningf("Dropping the key out of the queue: %v", err)
+	logger.Error(err, "dropping key out of the queue", "key", key)
 }
 
 func (gen *Generator) processNextWorkitem() bool {
+	logger := gen.log
 	obj, shutdown := gen.queue.Get()
 	if shutdown {
 		return false
@@ -196,7 +199,7 @@ func (gen *Generator) processNextWorkitem() bool {
 		var ok bool
 		if keyHash, ok = obj.(string); !ok {
 			gen.queue.Forget(obj)
-			glog.Warningf("Expecting type string but got %v\n", obj)
+			logger.Info("incorrect type; expecting type 'string'", "obj", obj)
 			return nil
 		}
 		// lookup data store
@@ -204,7 +207,7 @@ func (gen *Generator) processNextWorkitem() bool {
 		if reflect.DeepEqual(info, Info{}) {
 			// empty key
 			gen.queue.Forget(obj)
-			glog.Warningf("Got empty key %v\n", obj)
+			logger.Info("empty key")
 			return nil
 		}
 		err := gen.syncHandler(info)
@@ -212,22 +215,22 @@ func (gen *Generator) processNextWorkitem() bool {
 		return nil
 	}(obj)
 	if err != nil {
-		glog.Error(err)
+		logger.Error(err, "failed to process item")
 		return true
 	}
 	return true
 }
 
 func (gen *Generator) syncHandler(info Info) error {
-	glog.V(4).Infof("received info:%v", info)
+	logger := gen.log
 	var handler pvGenerator
 	builder := newPvBuilder()
 	if info.Resource.GetNamespace() == "" {
 		// cluster scope resource generate a clusterpolicy violation
-		handler = newClusterPV(gen.dclient, gen.cpvLister, gen.kyvernoInterface, gen.policyStatusListener)
+		handler = newClusterPV(gen.log.WithName("ClusterPV"), gen.dclient, gen.cpvLister, gen.kyvernoInterface, gen.policyStatusListener)
 	} else {
 		// namespaced resources generated a namespaced policy violation in the namespace of the resource
-		handler = newNamespacedPV(gen.dclient, gen.nspvLister, gen.kyvernoInterface, gen.policyStatusListener)
+		handler = newNamespacedPV(gen.log.WithName("NamespacedPV"), gen.dclient, gen.nspvLister, gen.kyvernoInterface, gen.policyStatusListener)
 	}
 
 	failure := false
@@ -240,12 +243,12 @@ func (gen *Generator) syncHandler(info Info) error {
 	}
 
 	// Create Policy Violations
-	glog.V(3).Infof("Creating policy violation: %s", info.toKey())
+	logger.V(4).Info("creating policy violation", "key", info.toKey())
 	if err := handler.create(pv); err != nil {
 		failure = true
-		glog.V(3).Infof("Failed to create policy violation: %v", err)
+		logger.Error(err, "failed to create policy violation")
 	} else {
-		glog.V(3).Infof("Policy violation created: %s", info.toKey())
+		logger.Info("created policy violation", "key", info.toKey())
 	}
 
 	if failure {
diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index ff32748d0b..3b0202c6df 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
@@ -21,11 +21,13 @@ type namespacedPV struct {
 	nspvLister kyvernolister.PolicyViolationLister
 	// policy violation interface
 	kyvernoInterface kyvernov1.KyvernoV1Interface
+	// logger
+	log logr.Logger
 	// update policy status with violationCount
 	policyStatusListener policystatus.Listener
 }
 
-func newNamespacedPV(dclient *client.Client,
+func newNamespacedPV(log logr.Logger, dclient *client.Client,
 	nspvLister kyvernolister.PolicyViolationLister,
 	kyvernoInterface kyvernov1.KyvernoV1Interface,
 	policyStatus policystatus.Listener,
@@ -34,6 +36,7 @@ func newNamespacedPV(dclient *client.Client,
 		dclient:              dclient,
 		nspvLister:           nspvLister,
 		kyvernoInterface:     kyvernoInterface,
+		log:                  log,
 		policyStatusListener: policyStatus,
 	}
 	return &nspv
@@ -56,6 +59,7 @@ func (nspv *namespacedPV) create(pv kyverno.PolicyViolationTemplate) error {
 }
 
 func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.PolicyViolation, error) {
+	logger := nspv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name)
 	var err error
 	// use labels
 	policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
@@ -65,7 +69,7 @@ func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.P
 	}
 	pvs, err := nspv.nspvLister.PolicyViolations(newPv.GetNamespace()).List(ls)
 	if err != nil {
-		glog.Errorf("unable to list namespaced policy violations : %v", err)
+		logger.Error(err, "failed to list namespaced policy violations")
 		return nil, err
 	}
 
@@ -82,7 +86,8 @@ func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.P
 
 func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 	var err error
-	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Namespace, newPv.Spec.ResourceSpec.Name)
+	logger := nspv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
+	logger.V(4).Info("creating new policy violation")
 	obj, err := retryGetResource(nspv.dclient, newPv.Spec.ResourceSpec)
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
@@ -94,22 +99,23 @@ func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 	// create resource
 	_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Create(newPv)
 	if err != nil {
-		glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err)
+		logger.Error(err, "failed to create namespaced policy violation")
 		return err
 	}
 
 	if newPv.Annotations["fromSync"] != "true" {
 		nspv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
 	}
-	glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec)
+	logger.Info("namespaced policy violation created")
 	return nil
 }
 
 func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error {
+	logger := nspv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
 	var err error
 	// check if there is any update
 	if reflect.DeepEqual(newPv.Spec, oldPv.Spec) {
-		glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec)
+		logger.V(4).Info("policy violation spec did not change, not upadating the resource")
 		return nil
 	}
 	// set name
@@ -124,6 +130,6 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
 	if newPv.Annotations["fromSync"] != "true" {
 		nspv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
 	}
-	glog.Infof("namespaced policy violation updated for resource %v", newPv.Spec.ResourceSpec)
+	logger.Info("namespaced policy violation created")
 	return nil
 }
diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go
index 39eaeb7257..6ca1ed583a 100644
--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@@ -3,7 +3,6 @@ package testrunner
 import (
 	"bytes"
 	"encoding/json"
-	"flag"
 	"io/ioutil"
 	"os"
 	ospath "path"
@@ -19,7 +18,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes/scheme"
 
-	"github.com/golang/glog"
 	"gopkg.in/yaml.v2"
 	apiyaml "k8s.io/apimachinery/pkg/util/yaml"
 )
@@ -308,7 +306,7 @@ func loadPolicyResource(t *testing.T, file string) *unstructured.Unstructured {
 func getClient(t *testing.T, files []string) *client.Client {
 	var objects []runtime.Object
 	if files != nil {
-		glog.V(4).Infof("loading resources: %v", files)
+
 		for _, file := range files {
 			objects = loadObjects(t, file)
 		}
@@ -404,7 +402,7 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 		policy := kyverno.ClusterPolicy{}
 		pBytes, err := apiyaml.ToJSON(p)
 		if err != nil {
-			glog.Error(err)
+			t.Error(err)
 			continue
 		}
 
@@ -427,7 +425,8 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 }
 
 func testScenario(t *testing.T, path string) {
-	flag.Set("logtostderr", "true")
+
+	// flag.Set("logtostderr", "true")
 	// flag.Set("v", "8")
 
 	scenario, err := loadScenario(t, path)
diff --git a/pkg/testrunner/utils.go b/pkg/testrunner/utils.go
index d888cdcdc6..6fdfb91c78 100644
--- a/pkg/testrunner/utils.go
+++ b/pkg/testrunner/utils.go
@@ -4,8 +4,8 @@ import (
 	"io/ioutil"
 	"os"
 
-	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -42,7 +42,7 @@ func ConvertToUnstructured(data []byte) (*unstructured.Unstructured, error) {
 	resource := &unstructured.Unstructured{}
 	err := resource.UnmarshalJSON(data)
 	if err != nil {
-		glog.V(4).Infof("failed to unmarshall resource: %v", err)
+		log.Log.Error(err, "failed to unmarshal resource")
 		return nil, err
 	}
 	return resource, nil
diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go
index c91c9b922c..4acc08272d 100644
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
@@ -142,5 +142,6 @@ func IsTLSPairShouldBeUpdated(tlsPair *TlsPemPair) bool {
 		return true
 	}
 
+	// TODO : should use time.Until instead of t.Sub(time.Now()) (gosimple)
 	return expirationDate.Sub(time.Now()) < timeReserveBeforeCertificateExpiration
 }
diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go
index ac089bc041..d813f07f4e 100644
--- a/pkg/userinfo/roleRef.go
+++ b/pkg/userinfo/roleRef.go
@@ -4,12 +4,12 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/golang/glog"
 	v1beta1 "k8s.io/api/admission/v1beta1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	rbaclister "k8s.io/client-go/listers/rbac/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -101,7 +101,7 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
 	subjectServiceAccount := subject.Namespace + ":" + subject.Name
 	if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {
-		glog.V(3).Infof("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):])
+		log.Log.V(3).Info(fmt.Sprintf("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]))
 		return false
 	}
 
@@ -117,6 +117,6 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 		}
 	}
 
-	glog.V(3).Infof("user/group '%v' info not found in request userInfo: %v", subject.Name, keys)
+	log.Log.V(3).Info(fmt.Sprintf("user/group '%v' info not found in request userInfo: %v", subject.Name, keys))
 	return false
 }
diff --git a/pkg/userinfo/roleRef_test.go b/pkg/userinfo/roleRef_test.go
index 3929c38577..003bbe2cd6 100644
--- a/pkg/userinfo/roleRef_test.go
+++ b/pkg/userinfo/roleRef_test.go
@@ -1,7 +1,6 @@
 package userinfo
 
 import (
-	"flag"
 	"reflect"
 	"testing"
 
@@ -153,9 +152,10 @@ func newRoleBinding(name, ns string, subjects []rbacv1.Subject, roles rbacv1.Rol
 }
 
 func Test_getRoleRefByRoleBindings(t *testing.T) {
-	flag.Parse()
-	flag.Set("logtostderr", "true")
-	flag.Set("v", "3")
+
+	// flag.Parse()
+	// flag.Set("logtostderr", "true")
+	// flag.Set("v", "3")
 
 	list := make([]*rbacv1.RoleBinding, 2)
 
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
index c6c41f4be0..5fe0602e71 100644
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@@ -3,8 +3,7 @@ package utils
 import (
 	"reflect"
 
-	"github.com/golang/glog"
-
+	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
@@ -59,14 +58,15 @@ func Btoi(b bool) int {
 }
 
 //CRDInstalled to check if the CRD is installed or not
-func CRDInstalled(discovery client.IDiscovery) bool {
+func CRDInstalled(discovery client.IDiscovery, log logr.Logger) bool {
+	logger := log.WithName("CRDInstalled")
 	check := func(kind string) bool {
 		gvr := discovery.GetGVRFromKind(kind)
 		if reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) {
-			glog.Errorf("%s CRD not installed", kind)
+			logger.Info("CRD not installed", "kind", kind)
 			return false
 		}
-		glog.Infof("CRD %s found ", kind)
+		logger.Info("CRD found", "kind", kind)
 		return true
 	}
 	if !check("ClusterPolicy") || !check("ClusterPolicyViolation") || !check("PolicyViolation") {
@@ -77,11 +77,12 @@ func CRDInstalled(discovery client.IDiscovery) bool {
 
 //CleanupOldCrd deletes any existing NamespacedPolicyViolation resources in cluster
 // If resource violates policy, new Violations will be generated
-func CleanupOldCrd(client *dclient.Client) {
+func CleanupOldCrd(client *dclient.Client, log logr.Logger) {
+	logger := log.WithName("CleanupOldCrd")
 	gvr := client.DiscoveryClient.GetGVRFromKind("NamespacedPolicyViolation")
 	if !reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) {
 		if err := client.DeleteResource("CustomResourceDefinition", "", "namespacedpolicyviolations.kyverno.io", false); err != nil {
-			glog.Infof("Failed to remove previous CRD namespacedpolicyviolations: %v", err)
+			logger.Error(err, "Failed to remove prevous CRD", "kind", "namespacedpolicyviolation")
 		}
 	}
 }
diff --git a/pkg/version/version.go b/pkg/version/version.go
index ef768a35bf..8d9303d204 100644
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -1,7 +1,7 @@
 package version
 
 import (
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 )
 
 // These fields are set during an official build
@@ -13,8 +13,8 @@ var (
 )
 
 //PrintVersionInfo displays the kyverno version - git version
-func PrintVersionInfo() {
-	glog.Infof("Kyverno version: %s\n", BuildVersion)
-	glog.Infof("Kyverno BuildHash: %s\n", BuildHash)
-	glog.Infof("Kyverno BuildTime: %s\n", BuildTime)
+func PrintVersionInfo(log logr.Logger) {
+	log.Info("Kyverno", "Version", BuildVersion)
+	log.Info("Kyverno", "BuildHash", BuildHash)
+	log.Info("Kyverno", "BuildTime", BuildTime)
 }
diff --git a/pkg/webhookconfig/checker.go b/pkg/webhookconfig/checker.go
index ee85f36c35..db1e765629 100644
--- a/pkg/webhookconfig/checker.go
+++ b/pkg/webhookconfig/checker.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	errorsapi "k8s.io/apimachinery/pkg/api/errors"
@@ -19,8 +18,8 @@ func (wrc *WebhookRegistrationClient) constructVerifyMutatingWebhookConfig(caDat
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateMutatingWebhook(
 				config.VerifyMutatingWebhookName,
 				config.VerifyMutatingWebhookServicePath,
 				caData,
@@ -36,14 +35,15 @@ func (wrc *WebhookRegistrationClient) constructVerifyMutatingWebhookConfig(caDat
 }
 
 func (wrc *WebhookRegistrationClient) constructDebugVerifyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.VerifyMutatingWebhookServicePath)
-	glog.V(4).Infof("Debug VerifyMutatingWebhookConfig is registered with url %s\n", url)
+	logger.V(4).Info("Debug VerifyMutatingWebhookConfig is registered with url", "url", url)
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.VerifyMutatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateDebugMutatingWebhook(
 				config.VerifyMutatingWebhookName,
 				url,
 				caData,
@@ -68,13 +68,14 @@ func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(w
 	} else {
 		mutatingConfig = config.VerifyMutatingWebhookConfigurationName
 	}
-	glog.V(4).Infof("removing webhook configuration %s", mutatingConfig)
+	logger := wrc.log.WithValues("name", mutatingConfig)
+	logger.V(4).Info("removing webhook configuration")
 	err = wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		glog.V(4).Infof("verify webhook configuration %s, does not exits. not deleting", mutatingConfig)
+		logger.Error(err, "verify webhook configuration, does not exits. not deleting")
 	} else if err != nil {
-		glog.Errorf("failed to delete verify webhook configuration %s: %v", mutatingConfig, err)
+		logger.Error(err, "failed to delete verify wwebhook configuration")
 	} else {
-		glog.V(4).Infof("successfully deleted verify webhook configuration %s", mutatingConfig)
+		logger.V(4).Info("successfully deleted verify webhook configuration")
 	}
 }
diff --git a/pkg/webhookconfig/common.go b/pkg/webhookconfig/common.go
index d73fcafb13..2b1c17f6e0 100644
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
@@ -3,7 +3,6 @@ package webhookconfig
 import (
 	"io/ioutil"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -11,20 +10,21 @@ import (
 )
 
 func (wrc *WebhookRegistrationClient) readCaData() []byte {
+	logger := wrc.log
 	var caData []byte
 	// Check if ca is defined in the secret tls-ca
 	// assume the key and signed cert have been defined in secret tls.kyverno
 	if caData = wrc.client.ReadRootCASecret(); len(caData) != 0 {
-		glog.V(4).Infof("read CA from secret")
+		logger.V(4).Info("read CA from secret")
 		return caData
 	}
-	glog.V(4).Infof("failed to read CA from secret, reading from kubeconfig")
+	logger.V(4).Info("failed to read CA from secret, reading from kubeconfig")
 	// load the CA from kubeconfig
 	if caData = extractCA(wrc.clientConfig); len(caData) != 0 {
-		glog.V(4).Infof("read CA from kubeconfig")
+		logger.V(4).Info("read CA from kubeconfig")
 		return caData
 	}
-	glog.V(4).Infof("failed to read CA from kubeconfig")
+	logger.V(4).Info("failed to read CA from kubeconfig")
 	return nil
 }
 
@@ -46,10 +46,11 @@ func extractCA(config *rest.Config) (result []byte) {
 }
 
 func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
+	logger := wrc.log
 	kubePolicyDeployment, err := wrc.client.GetKubePolicyDeployment()
 
 	if err != nil {
-		glog.Errorf("Error when constructing OwnerReference, err: %v\n", err)
+		logger.Error(err, "failed to construct OwnerReference")
 		return v1.OwnerReference{}
 	}
 
@@ -61,10 +62,11 @@ func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
 	}
 }
 
-func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+// debug mutating webhook
+func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook {
 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
 	failurePolicy := admregapi.Ignore
-	return admregapi.Webhook{
+	return admregapi.MutatingWebhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
 			URL:      &url,
@@ -93,10 +95,116 @@ func generateDebugWebhook(name, url string, caData []byte, validate bool, timeou
 	}
 }
 
-func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+func generateDebugValidatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook {
 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
 	failurePolicy := admregapi.Ignore
-	return admregapi.Webhook{
+	return admregapi.ValidatingWebhook{
+		Name: name,
+		ClientConfig: admregapi.WebhookClientConfig{
+			URL:      &url,
+			CABundle: caData,
+		},
+		SideEffects: &sideEffect,
+		Rules: []admregapi.RuleWithOperations{
+			admregapi.RuleWithOperations{
+				Operations: operationTypes,
+				Rule: admregapi.Rule{
+					APIGroups: []string{
+						apiGroups,
+					},
+					APIVersions: []string{
+						apiVersions,
+					},
+					Resources: []string{
+						resource,
+					},
+				},
+			},
+		},
+		AdmissionReviewVersions: []string{"v1beta1"},
+		TimeoutSeconds:          &timeoutSeconds,
+		FailurePolicy:           &failurePolicy,
+	}
+}
+
+// func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+// 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
+// 	failurePolicy := admregapi.Ignore
+// 	return admregapi.Webhook{
+// 		Name: name,
+// 		ClientConfig: admregapi.WebhookClientConfig{
+// 			Service: &admregapi.ServiceReference{
+// 				Namespace: config.KubePolicyNamespace,
+// 				Name:      config.WebhookServiceName,
+// 				Path:      &servicePath,
+// 			},
+// 			CABundle: caData,
+// 		},
+// 		SideEffects: &sideEffect,
+// 		Rules: []admregapi.RuleWithOperations{
+// 			admregapi.RuleWithOperations{
+// 				Operations: operationTypes,
+// 				Rule: admregapi.Rule{
+// 					APIGroups: []string{
+// 						apiGroups,
+// 					},
+// 					APIVersions: []string{
+// 						apiVersions,
+// 					},
+// 					Resources: []string{
+// 						resource,
+// 					},
+// 				},
+// 			},
+// 		},
+// 		AdmissionReviewVersions: []string{"v1beta1"},
+// 		TimeoutSeconds:          &timeoutSeconds,
+// 		FailurePolicy:           &failurePolicy,
+// 	}
+// }
+
+// mutating webhook
+func generateMutatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook {
+	sideEffect := admregapi.SideEffectClassNoneOnDryRun
+	failurePolicy := admregapi.Ignore
+	return admregapi.MutatingWebhook{
+		Name: name,
+		ClientConfig: admregapi.WebhookClientConfig{
+			Service: &admregapi.ServiceReference{
+				Namespace: config.KubePolicyNamespace,
+				Name:      config.WebhookServiceName,
+				Path:      &servicePath,
+			},
+			CABundle: caData,
+		},
+		SideEffects: &sideEffect,
+		Rules: []admregapi.RuleWithOperations{
+			admregapi.RuleWithOperations{
+				Operations: operationTypes,
+				Rule: admregapi.Rule{
+					APIGroups: []string{
+						apiGroups,
+					},
+					APIVersions: []string{
+						apiVersions,
+					},
+					Resources: []string{
+						resource,
+					},
+				},
+			},
+		},
+		AdmissionReviewVersions: []string{"v1beta1"},
+		TimeoutSeconds:          &timeoutSeconds,
+		FailurePolicy:           &failurePolicy,
+	}
+}
+
+// validating webhook
+func generateValidatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook {
+	sideEffect := admregapi.SideEffectClassNoneOnDryRun
+	failurePolicy := admregapi.Ignore
+	return admregapi.ValidatingWebhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
 			Service: &admregapi.ServiceReference{
diff --git a/pkg/webhookconfig/policy.go b/pkg/webhookconfig/policy.go
index d1798a54e5..da9fa0fa8a 100644
--- a/pkg/webhookconfig/policy.go
+++ b/pkg/webhookconfig/policy.go
@@ -3,7 +3,6 @@ package webhookconfig
 import (
 	"fmt"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -18,8 +17,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig(caDa
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.ValidatingWebhook{
+			generateValidatingWebhook(
 				config.PolicyValidatingWebhookName,
 				config.PolicyValidatingWebhookServicePath,
 				caData,
@@ -35,15 +34,16 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig(caDa
 }
 
 func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
+	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyValidatingWebhookServicePath)
-	glog.V(4).Infof("Debug PolicyValidatingWebhookConfig is registered with url %s\n", url)
+	logger.V(4).Info("Debug PolicyValidatingWebhookConfig is registered with url ", "url", url)
 
 	return &admregapi.ValidatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.PolicyValidatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.ValidatingWebhook{
+			generateDebugValidatingWebhook(
 				config.PolicyValidatingWebhookName,
 				url,
 				caData,
@@ -66,8 +66,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyMutatingWebhookConfig(caData
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateMutatingWebhook(
 				config.PolicyMutatingWebhookName,
 				config.PolicyMutatingWebhookServicePath,
 				caData,
@@ -82,15 +82,16 @@ func (wrc *WebhookRegistrationClient) contructPolicyMutatingWebhookConfig(caData
 	}
 }
 func (wrc *WebhookRegistrationClient) contructDebugPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyMutatingWebhookServicePath)
-	glog.V(4).Infof("Debug PolicyMutatingWebhookConfig is registered with url %s\n", url)
+	logger.V(4).Info("Debug PolicyMutatingWebhookConfig is registered with url ", "url", url)
 
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.PolicyMutatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateDebugMutatingWebhook(
 				config.PolicyMutatingWebhookName,
 				url,
 				caData,
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index 8db0cba73c..8124ad39d4 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -2,10 +2,11 @@ package webhookconfig
 
 import (
 	"errors"
+	"fmt"
 	"sync"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
@@ -27,6 +28,7 @@ type WebhookRegistrationClient struct {
 	// serverIP should be used if running Kyverno out of clutser
 	serverIP       string
 	timeoutSeconds int32
+	log            logr.Logger
 }
 
 // NewWebhookRegistrationClient creates new WebhookRegistrationClient instance
@@ -34,19 +36,22 @@ func NewWebhookRegistrationClient(
 	clientConfig *rest.Config,
 	client *client.Client,
 	serverIP string,
-	webhookTimeout int32) *WebhookRegistrationClient {
+	webhookTimeout int32,
+	log logr.Logger) *WebhookRegistrationClient {
 	return &WebhookRegistrationClient{
 		clientConfig:   clientConfig,
 		client:         client,
 		serverIP:       serverIP,
 		timeoutSeconds: webhookTimeout,
+		log:            log.WithName("WebhookRegistrationClient"),
 	}
 }
 
 // Register creates admission webhooks configs on cluster
 func (wrc *WebhookRegistrationClient) Register() error {
+	logger := wrc.log.WithName("Register")
 	if wrc.serverIP != "" {
-		glog.Infof("Registering webhook with url https://%s\n", wrc.serverIP)
+		logger.Info("Registering webhook", "url", fmt.Sprintf("https://%s", wrc.serverIP))
 	}
 
 	// For the case if cluster already has this configs
@@ -88,6 +93,7 @@ func (wrc *WebhookRegistrationClient) RemoveWebhookConfigurations(cleanUp chan<-
 // used to forward request to kyverno webhooks to apply policeis
 // Mutationg webhook is be used for Mutating purpose
 func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration() error {
+	logger := wrc.log
 	var caData []byte
 	var config *admregapi.MutatingWebhookConfiguration
 
@@ -108,16 +114,17 @@ func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration
 	}
 	_, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
-		glog.V(4).Infof("resource mutating webhook configuration %s, already exists. not creating one", config.Name)
+		logger.V(4).Info("resource mutating webhook configuration already exists. not creating one", "name", config.Name)
 		return nil
 	}
 	if err != nil {
-		glog.V(4).Infof("failed to create resource mutating webhook configuration %s: %v", config.Name, err)
+		logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name)
 		return err
 	}
 	return nil
 }
 
+//CreateResourceValidatingWebhookConfiguration ...
 func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfiguration() error {
 	var caData []byte
 	var config *admregapi.ValidatingWebhookConfiguration
@@ -134,14 +141,15 @@ func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfigurati
 		// clientConfig - service
 		config = wrc.constructValidatingWebhookConfig(caData)
 	}
+	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", config.Name)
 
 	_, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
-		glog.V(4).Infof("resource validating webhook configuration %s, already exists. not creating one", config.Name)
+		logger.V(4).Info("resource already exists. not create one")
 		return nil
 	}
 	if err != nil {
-		glog.V(4).Infof("failed to create resource validating webhook configuration %s: %v", config.Name, err)
+		logger.Error(err, "failed to create resource")
 		return err
 	}
 	return nil
@@ -168,20 +176,19 @@ func (wrc *WebhookRegistrationClient) createPolicyValidatingWebhookConfiguration
 		// clientConfig - service
 		config = wrc.contructPolicyValidatingWebhookConfig(caData)
 	}
+	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", config.Name)
 
 	// create validating webhook configuration resource
 	if _, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false); err != nil {
 		return err
 	}
-
-	glog.V(4).Infof("created Validating Webhook Configuration %s ", config.Name)
+	logger.V(4).Info("created resource")
 	return nil
 }
 
 func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration() error {
 	var caData []byte
 	var config *admregapi.MutatingWebhookConfiguration
-
 	// read CA data from
 	// 1) secret(config)
 	// 2) kubeconfig
@@ -203,8 +210,7 @@ func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration()
 	if _, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false); err != nil {
 		return err
 	}
-
-	glog.V(4).Infof("created Mutating Webhook Configuration %s ", config.Name)
+	wrc.log.V(4).Info("reated Mutating Webhook Configuration", "name", config.Name)
 	return nil
 }
 
@@ -234,7 +240,7 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration()
 		return err
 	}
 
-	glog.V(4).Infof("created Mutating Webhook Configuration %s ", config.Name)
+	wrc.log.V(4).Info("reated Mutating Webhook Configuration", "name", config.Name)
 	return nil
 }
 
@@ -243,9 +249,9 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration()
 // Register will fail if the config exists, so there is no need to fail on error
 func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 	startTime := time.Now()
-	glog.V(4).Infof("Started cleaning up webhookconfigurations")
+	wrc.log.Info("Started cleaning up webhookconfigurations")
 	defer func() {
-		glog.V(4).Infof("Finished cleaning up webhookcongfigurations (%v)", time.Since(startTime))
+		wrc.log.V(4).Info("Finished cleaning up webhookcongfigurations", "processingTime", time.Since(startTime))
 	}()
 
 	var wg sync.WaitGroup
@@ -269,13 +275,13 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 func (wrc *WebhookRegistrationClient) removeResourceMutatingWebhookConfiguration(wg *sync.WaitGroup) {
 	defer wg.Done()
 	if err := wrc.RemoveResourceMutatingWebhookConfiguration(); err != nil {
-		glog.Error(err)
+		wrc.log.Error(err, "failed to remove resource mutating webhook configuration")
 	}
 }
 func (wrc *WebhookRegistrationClient) removeResourceValidatingWebhookConfiguration(wg *sync.WaitGroup) {
 	defer wg.Done()
 	if err := wrc.RemoveResourceValidatingWebhookConfiguration(); err != nil {
-		glog.Error(err)
+		wrc.log.Error(err, "failed to remove resource validation webhook configuration")
 	}
 }
 
@@ -290,15 +296,15 @@ func (wrc *WebhookRegistrationClient) removePolicyMutatingWebhookConfiguration(w
 	} else {
 		mutatingConfig = config.PolicyMutatingWebhookConfigurationName
 	}
-
-	glog.V(4).Infof("removing webhook configuration %s", mutatingConfig)
+	logger := wrc.log.WithValues("name", mutatingConfig)
+	logger.V(4).Info("removing mutating webhook configuration")
 	err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", mutatingConfig)
+		logger.Error(err, "policy mutating webhook configuration does not exist, not deleting")
 	} else if err != nil {
-		glog.Errorf("failed to delete policy webhook configuration %s: %v", mutatingConfig, err)
+		logger.Error(err, "failed to delete policy mutating webhook configuration")
 	} else {
-		glog.V(4).Infof("successfully deleted policy webhook configuration %s", mutatingConfig)
+		logger.V(4).Info("successfully deleted policy mutating webhook configutation")
 	}
 }
 
@@ -313,13 +319,14 @@ func (wrc *WebhookRegistrationClient) removePolicyValidatingWebhookConfiguration
 	} else {
 		validatingConfig = config.PolicyValidatingWebhookConfigurationName
 	}
-	glog.V(4).Infof("removing webhook configuration %s", validatingConfig)
+	logger := wrc.log.WithValues("name", validatingConfig)
+	logger.V(4).Info("removing validating webhook configuration")
 	err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", validatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", validatingConfig)
+		logger.Error(err, "policy validating webhook configuration does not exist, not deleting")
 	} else if err != nil {
-		glog.Errorf("failed to delete policy webhook configuration %s: %v", validatingConfig, err)
+		logger.Error(err, "failed to delete policy validating webhook configuration")
 	} else {
-		glog.V(4).Infof("successfully deleted policy webhook configuration %s", validatingConfig)
+		logger.V(4).Info("successfully deleted policy validating webhook configutation")
 	}
 }
diff --git a/pkg/webhookconfig/resource.go b/pkg/webhookconfig/resource.go
index 090c33636a..050517da0a 100644
--- a/pkg/webhookconfig/resource.go
+++ b/pkg/webhookconfig/resource.go
@@ -3,7 +3,6 @@ package webhookconfig
 import (
 	"fmt"
 
-	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -11,15 +10,15 @@ import (
 )
 
 func (wrc *WebhookRegistrationClient) constructDebugMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
+	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.MutatingWebhookServicePath)
-	glog.V(4).Infof("Debug MutatingWebhookConfig is registered with url %s\n", url)
-
+	logger.V(4).Info("Debug MutatingWebhookConfig registed", "url", url)
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.MutatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateDebugMutatingWebhook(
 				config.MutatingWebhookName,
 				url,
 				caData,
@@ -42,8 +41,8 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(caData []by
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.MutatingWebhook{
+			generateMutatingWebhook(
 				config.MutatingWebhookName,
 				config.MutatingWebhookServicePath,
 				caData,
@@ -68,32 +67,31 @@ func (wrc *WebhookRegistrationClient) GetResourceMutatingWebhookConfigName() str
 
 //RemoveResourceMutatingWebhookConfiguration removes mutating webhook configuration for all resources
 func (wrc *WebhookRegistrationClient) RemoveResourceMutatingWebhookConfiguration() error {
-
 	configName := wrc.GetResourceMutatingWebhookConfigName()
+	logger := wrc.log.WithValues("kind", MutatingWebhookConfigurationKind, "name", configName)
 	// delete webhook configuration
 	err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", configName, false)
 	if errors.IsNotFound(err) {
-		glog.V(4).Infof("resource webhook configuration %s does not exits, so not deleting", configName)
+		logger.Error(err, "resource does not exit")
 		return nil
 	}
 	if err != nil {
-		glog.V(4).Infof("failed to delete resource webhook configuration %s: %v", configName, err)
+		logger.V(4).Info("failed to delete resource")
 		return err
 	}
-	glog.V(4).Infof("deleted resource webhook configuration %s", configName)
+	logger.V(4).Info("deleted resource")
 	return nil
 }
 
 func (wrc *WebhookRegistrationClient) constructDebugValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.ValidatingWebhookServicePath)
-	glog.V(4).Infof("Debug ValidatingWebhookConfig is registered with url %s\n", url)
 
 	return &admregapi.ValidatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.ValidatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.Webhook{
-			generateDebugWebhook(
+		Webhooks: []admregapi.ValidatingWebhook{
+			generateDebugValidatingWebhook(
 				config.ValidatingWebhookName,
 				url,
 				caData,
@@ -116,8 +114,8 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(caData []
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.Webhook{
-			generateWebhook(
+		Webhooks: []admregapi.ValidatingWebhook{
+			generateValidatingWebhook(
 				config.ValidatingWebhookName,
 				config.ValidatingWebhookServicePath,
 				caData,
@@ -141,15 +139,16 @@ func (wrc *WebhookRegistrationClient) GetResourceValidatingWebhookConfigName() s
 
 func (wrc *WebhookRegistrationClient) RemoveResourceValidatingWebhookConfiguration() error {
 	configName := wrc.GetResourceValidatingWebhookConfigName()
+	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", configName)
 	err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", configName, false)
 	if errors.IsNotFound(err) {
-		glog.V(4).Infof("resource webhook configuration %s does not exits, so not deleting", configName)
+		logger.Error(err, "resource does not exist; deleted already")
 		return nil
 	}
 	if err != nil {
-		glog.V(4).Infof("failed to delete resource webhook configuration %s: %v", configName, err)
+		logger.Error(err, "failed to delete the resource")
 		return err
 	}
-	glog.V(4).Infof("deleted resource webhook configuration %s", configName)
+	logger.Info("resource deleted")
 	return nil
 }
diff --git a/pkg/webhookconfig/rwebhookregister.go b/pkg/webhookconfig/rwebhookregister.go
index aacdc72b9f..a312e07277 100644
--- a/pkg/webhookconfig/rwebhookregister.go
+++ b/pkg/webhookconfig/rwebhookregister.go
@@ -3,7 +3,7 @@ package webhookconfig
 import (
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	checker "github.com/nirmata/kyverno/pkg/checker"
 	"github.com/tevino/abool"
 	mconfiginformer "k8s.io/client-go/informers/admissionregistration/v1beta1"
@@ -23,6 +23,7 @@ type ResourceWebhookRegister struct {
 	vWebhookConfigLister           mconfiglister.ValidatingWebhookConfigurationLister
 	webhookRegistrationClient      *WebhookRegistrationClient
 	RunValidationInMutatingWebhook string
+	log                            logr.Logger
 }
 
 // NewResourceWebhookRegister returns a new instance of ResourceWebhookRegister manager
@@ -32,6 +33,7 @@ func NewResourceWebhookRegister(
 	vconfigwebhookinformer mconfiginformer.ValidatingWebhookConfigurationInformer,
 	webhookRegistrationClient *WebhookRegistrationClient,
 	runValidationInMutatingWebhook string,
+	log logr.Logger,
 ) *ResourceWebhookRegister {
 	return &ResourceWebhookRegister{
 		pendingCreation:                abool.New(),
@@ -42,52 +44,54 @@ func NewResourceWebhookRegister(
 		vWebhookConfigLister:           vconfigwebhookinformer.Lister(),
 		webhookRegistrationClient:      webhookRegistrationClient,
 		RunValidationInMutatingWebhook: runValidationInMutatingWebhook,
+		log:                            log,
 	}
 }
 
 //RegisterResourceWebhook registers a resource webhook
 func (rww *ResourceWebhookRegister) RegisterResourceWebhook() {
+	logger := rww.log
 	// drop the request if creation is in processing
 	if rww.pendingCreation.IsSet() {
-		glog.V(3).Info("resource webhook configuration is in pending creation, skip the request")
+		logger.V(3).Info("resource webhook configuration is in pending creation, skip the request")
 		return
 	}
 
 	timeDiff := time.Since(rww.LastReqTime.Time())
 	if timeDiff < checker.DefaultDeadline {
-		glog.V(3).Info("Verified webhook status, creating webhook configuration")
+		logger.V(3).Info("verified webhook status, creating webhook configuration")
 		go func() {
 			mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
 			mutatingConfig, _ := rww.mWebhookConfigLister.Get(mutatingConfigName)
 			if mutatingConfig != nil {
-				glog.V(4).Info("mutating webhoook configuration already exists")
+				logger.V(4).Info("mutating webhoook configuration already exists")
 			} else {
 				rww.pendingCreation.Set()
 				err1 := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration()
 				rww.pendingCreation.UnSet()
 				if err1 != nil {
-					glog.Errorf("failed to create resource mutating webhook configuration: %v, re-queue creation request", err1)
+					logger.Error(err1, "failed to create resource mutating webhook configuration, re-queue creation request")
 					rww.RegisterResourceWebhook()
 					return
 				}
-				glog.V(3).Info("Successfully created mutating webhook configuration for resources")
+				logger.V(3).Info("successfully created mutating webhook configuration for resources")
 			}
 
 			if rww.RunValidationInMutatingWebhook != "true" {
 				validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName()
 				validatingConfig, _ := rww.vWebhookConfigLister.Get(validatingConfigName)
 				if validatingConfig != nil {
-					glog.V(4).Info("validating webhoook configuration already exists")
+					logger.V(4).Info("validating webhoook configuration already exists")
 				} else {
 					rww.pendingCreation.Set()
 					err2 := rww.webhookRegistrationClient.CreateResourceValidatingWebhookConfiguration()
 					rww.pendingCreation.UnSet()
 					if err2 != nil {
-						glog.Errorf("failed to create resource validating webhook configuration: %v, re-queue creation request", err2)
+						logger.Error(err2, "failed to create resource validating webhook configuration; re-queue creation request")
 						rww.RegisterResourceWebhook()
 						return
 					}
-					glog.V(3).Info("Successfully created validating webhook configuration for resources")
+					logger.V(3).Info("successfully created validating webhook configuration for resources")
 				}
 			}
 		}()
@@ -96,19 +100,20 @@ func (rww *ResourceWebhookRegister) RegisterResourceWebhook() {
 
 //Run starts the ResourceWebhookRegister manager
 func (rww *ResourceWebhookRegister) Run(stopCh <-chan struct{}) {
+	logger := rww.log
 	// wait for cache to populate first time
 	if !cache.WaitForCacheSync(stopCh, rww.mwebhookconfigSynced, rww.vwebhookconfigSynced) {
-		glog.Error("configuration: failed to sync webhook informer cache")
+		logger.Info("configuration: failed to sync webhook informer cache")
 	}
-
 }
 
 // RemoveResourceWebhookConfiguration removes the resource webhook configurations
 func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
+	logger := rww.log
 	mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
 	mutatingConfig, err := rww.mWebhookConfigLister.Get(mutatingConfigName)
 	if err != nil {
-		glog.V(4).Infof("failed to list mutating webhook config: %v", err)
+		logger.Error(err, "failed to list mutating webhook config")
 		return err
 	}
 	if mutatingConfig != nil {
@@ -116,14 +121,14 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
 		if err != nil {
 			return err
 		}
-		glog.V(3).Info("removed mutating resource webhook configuration")
+		logger.V(3).Info("emoved mutating resource webhook configuration")
 	}
 
 	if rww.RunValidationInMutatingWebhook != "true" {
 		validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName()
 		validatingConfig, err := rww.vWebhookConfigLister.Get(validatingConfigName)
 		if err != nil {
-			glog.V(4).Infof("failed to list validating webhook config: %v", err)
+			logger.Error(err, "failed to list validating webhook config")
 			return err
 		}
 		if validatingConfig != nil {
@@ -131,7 +136,7 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
 			if err != nil {
 				return err
 			}
-			glog.V(3).Info("removed validating resource webhook configuration")
+			logger.V(3).Info("removed validating resource webhook configuration")
 		}
 	}
 	return nil
diff --git a/pkg/webhooks/admission_test.go b/pkg/webhooks/admission_test.go
deleted file mode 100644
index d753352a72..0000000000
--- a/pkg/webhooks/admission_test.go
+++ /dev/null
@@ -1 +0,0 @@
-package webhooks_test
diff --git a/pkg/webhooks/annotations.go b/pkg/webhooks/annotations.go
index 34d3e10468..eddded1cde 100644
--- a/pkg/webhooks/annotations.go
+++ b/pkg/webhooks/annotations.go
@@ -7,7 +7,7 @@ import (
 	yamlv2 "gopkg.in/yaml.v2"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -38,7 +38,7 @@ var operationToPastTense = map[string]string{
 	"test":    "tested",
 }
 
-func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte {
+func generateAnnotationPatches(engineResponses []response.EngineResponse, log logr.Logger) []byte {
 	var annotations map[string]string
 
 	for _, er := range engineResponses {
@@ -53,7 +53,7 @@ func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte
 	}
 
 	var patchResponse annresponse
-	value := annotationFromEngineResponses(engineResponses)
+	value := annotationFromEngineResponses(engineResponses, log)
 	if value == nil {
 		// no patches or error while processing patches
 		return nil
@@ -90,21 +90,21 @@ func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte
 	// check the patch
 	_, err := jsonpatch.DecodePatch([]byte("[" + string(patchByte) + "]"))
 	if err != nil {
-		glog.Errorf("Failed to make patch from annotation'%s', err: %v\n ", string(patchByte), err)
+		log.Error(err, "failed o build JSON patch for annotation", "patch", string(patchByte))
 	}
 
 	return patchByte
 }
 
-func annotationFromEngineResponses(engineResponses []response.EngineResponse) []byte {
+func annotationFromEngineResponses(engineResponses []response.EngineResponse, log logr.Logger) []byte {
 	var annotationContent = make(map[string]string)
 	for _, engineResponse := range engineResponses {
 		if !engineResponse.IsSuccesful() {
-			glog.V(3).Infof("Policy %s failed, skip preparing annotation\n", engineResponse.PolicyResponse.Policy)
+			log.V(3).Info("skip building annotation; policy failed to apply", "policy", engineResponse.PolicyResponse.Policy)
 			continue
 		}
 
-		rulePatches := annotationFromPolicyResponse(engineResponse.PolicyResponse)
+		rulePatches := annotationFromPolicyResponse(engineResponse.PolicyResponse, log)
 		if rulePatches == nil {
 			continue
 		}
@@ -126,13 +126,13 @@ func annotationFromEngineResponses(engineResponses []response.EngineResponse) []
 	return result
 }
 
-func annotationFromPolicyResponse(policyResponse response.PolicyResponse) []rulePatch {
+func annotationFromPolicyResponse(policyResponse response.PolicyResponse, log logr.Logger) []rulePatch {
 	var rulePatches []rulePatch
 	for _, ruleInfo := range policyResponse.Rules {
 		for _, patch := range ruleInfo.Patches {
 			var patchmap map[string]interface{}
 			if err := json.Unmarshal(patch, &patchmap); err != nil {
-				glog.Errorf("Failed to parse patch bytes, err: %v\n", err)
+				log.Error(err, "Failed to parse JSON patch bytes")
 				continue
 			}
 
@@ -142,14 +142,12 @@ func annotationFromPolicyResponse(policyResponse response.PolicyResponse) []rule
 				Path:     patchmap["path"].(string)}
 
 			rulePatches = append(rulePatches, rp)
-			glog.V(4).Infof("Annotation value prepared: %v\n", rulePatches)
+			log.V(4).Info("annotation value prepared", "patches", rulePatches)
 		}
 	}
-
 	if len(rulePatches) == 0 {
 		return nil
 	}
-
 	return rulePatches
 }
 
diff --git a/pkg/webhooks/annotations_test.go b/pkg/webhooks/annotations_test.go
index 320e347ea3..d14657b6cb 100644
--- a/pkg/webhooks/annotations_test.go
+++ b/pkg/webhooks/annotations_test.go
@@ -6,6 +6,7 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"gotest.tools/assert"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func newPolicyResponse(policy, rule string, patchesStr []string, success bool) response.PolicyResponse {
@@ -42,7 +43,7 @@ func Test_empty_annotation(t *testing.T) {
 	patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }`
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, nil)
 
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 	expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}`
 	assert.Assert(t, string(annPatches) == expectedPatches)
 }
@@ -54,7 +55,7 @@ func Test_exist_annotation(t *testing.T) {
 
 	patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }`
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 
 	expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}`
 	assert.Assert(t, string(annPatches) == expectedPatches)
@@ -67,7 +68,7 @@ func Test_exist_kyverno_annotation(t *testing.T) {
 
 	patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }`
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 
 	expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}`
 	assert.Assert(t, string(annPatches) == expectedPatches)
@@ -79,11 +80,11 @@ func Test_annotation_nil_patch(t *testing.T) {
 	}
 
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, true, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 	assert.Assert(t, annPatches == nil)
 
 	engineResponseNew := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{""}, true, annotation)
-	annPatchesNew := generateAnnotationPatches([]response.EngineResponse{engineResponseNew})
+	annPatchesNew := generateAnnotationPatches([]response.EngineResponse{engineResponseNew}, log.Log)
 	assert.Assert(t, annPatchesNew == nil)
 }
 
@@ -93,7 +94,7 @@ func Test_annotation_failed_Patch(t *testing.T) {
 	}
 
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, false, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
 
 	assert.Assert(t, annPatches == nil)
 }
diff --git a/pkg/webhooks/checker.go b/pkg/webhooks/checker.go
index e6ccfc41c9..4a52fa7649 100644
--- a/pkg/webhooks/checker.go
+++ b/pkg/webhooks/checker.go
@@ -1,13 +1,12 @@
 package webhooks
 
 import (
-	"github.com/golang/glog"
 	"k8s.io/api/admission/v1beta1"
 )
 
 func (ws *WebhookServer) handleVerifyRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	glog.V(4).Infof("Receive request in mutating webhook '/verify': Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
+	logger := ws.log.WithValues("action", "verify", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger.V(4).Info("incoming request")
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index 2ca90049f8..476606b468 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -4,9 +4,8 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/go-logr/logr"
 	yamlv2 "gopkg.in/yaml.v2"
-
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	engineutils "github.com/nirmata/kyverno/pkg/engine/utils"
@@ -27,14 +26,14 @@ func isResponseSuccesful(engineReponses []response.EngineResponse) bool {
 
 // returns true -> if there is even one policy that blocks resource request
 // returns false -> if all the policies are meant to report only, we dont block resource request
-func toBlockResource(engineReponses []response.EngineResponse) bool {
+func toBlockResource(engineReponses []response.EngineResponse, log logr.Logger) bool {
 	for _, er := range engineReponses {
 		if !er.IsSuccesful() && er.PolicyResponse.ValidationFailureAction == Enforce {
-			glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource request ", er.PolicyResponse.Policy)
+			log.Info("spec.ValidationFailureAction set to enforcel blocking resource request", "policy", er.PolicyResponse.Policy)
 			return true
 		}
 	}
-	glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource request, reporting with policy violation")
+	log.V(4).Info("sepc.ValidationFailureAction set to auit for all applicable policies;allowing resource reques; reporting with policy violation ")
 	return false
 }
 
@@ -103,14 +102,14 @@ const (
 	Audit   = "audit"   // dont block the request on failure, but report failiures as policy violations
 )
 
-func processResourceWithPatches(patch []byte, resource []byte) []byte {
+func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) []byte {
 	if patch == nil {
 		return resource
 	}
 
 	resource, err := engineutils.ApplyPatchNew(resource, patch)
 	if err != nil {
-		glog.Errorf("failed to patch resource: %v", err)
+		log.Error(err, "failed to patch resource:")
 		return nil
 	}
 	return resource
diff --git a/pkg/webhooks/generate/generate.go b/pkg/webhooks/generate/generate.go
index f120c9fb5d..3631845541 100644
--- a/pkg/webhooks/generate/generate.go
+++ b/pkg/webhooks/generate/generate.go
@@ -5,7 +5,7 @@ import (
 	"time"
 
 	backoff "github.com/cenkalti/backoff"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -23,37 +23,41 @@ type Generator struct {
 	ch     chan kyverno.GenerateRequestSpec
 	client *kyvernoclient.Clientset
 	stopCh <-chan struct{}
+	log    logr.Logger
 }
 
 //NewGenerator returns a new instance of Generate-Request resource generator
-func NewGenerator(client *kyvernoclient.Clientset, stopCh <-chan struct{}) *Generator {
+func NewGenerator(client *kyvernoclient.Clientset, stopCh <-chan struct{}, log logr.Logger) *Generator {
 	gen := &Generator{
 		ch:     make(chan kyverno.GenerateRequestSpec, 1000),
 		client: client,
 		stopCh: stopCh,
+		log:    log,
 	}
 	return gen
 }
 
 //Create to create generate request resoruce (blocking call if channel is full)
 func (g *Generator) Create(gr kyverno.GenerateRequestSpec) error {
-	glog.V(4).Infof("create GR %v", gr)
+	logger := g.log
+	logger.V(4).Info("creating Generate Request", "request", gr)
 	// Send to channel
 	select {
 	case g.ch <- gr:
 		return nil
 	case <-g.stopCh:
-		glog.Info("shutting down channel")
+		logger.Info("shutting down channel")
 		return fmt.Errorf("shutting down gr create channel")
 	}
 }
 
 // Run starts the generate request spec
 func (g *Generator) Run(workers int) {
+	logger := g.log
 	defer utilruntime.HandleCrash()
-	glog.V(4).Info("Started generate request")
+	logger.V(4).Info("starting")
 	defer func() {
-		glog.V(4).Info("Shutting down generate request")
+		logger.V(4).Info("shutting down")
 	}()
 	for i := 0; i < workers; i++ {
 		go wait.Until(g.process, time.Second, g.stopCh)
@@ -62,17 +66,18 @@ func (g *Generator) Run(workers int) {
 }
 
 func (g *Generator) process() {
+	logger := g.log
 	for r := range g.ch {
-		glog.V(4).Infof("received generate request %v", r)
+		logger.V(4).Info("recieved generate request", "request", r)
 		if err := g.generate(r); err != nil {
-			glog.Errorf("Failed to create Generate Request CR: %v", err)
+			logger.Error(err, "failed to generate request CR")
 		}
 	}
 }
 
 func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec) error {
 	// create a generate request
-	if err := retryCreateResource(g.client, grSpec); err != nil {
+	if err := retryCreateResource(g.client, grSpec, g.log); err != nil {
 		return err
 	}
 	return nil
@@ -81,7 +86,10 @@ func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec) error {
 // -> receiving channel to take requests to create request
 // use worker pattern to read and create the CR resource
 
-func retryCreateResource(client *kyvernoclient.Clientset, grSpec kyverno.GenerateRequestSpec) error {
+func retryCreateResource(client *kyvernoclient.Clientset,
+	grSpec kyverno.GenerateRequestSpec,
+	log logr.Logger,
+) error {
 	var i int
 	var err error
 	createResource := func() error {
@@ -95,7 +103,7 @@ func retryCreateResource(client *kyvernoclient.Clientset, grSpec kyverno.Generat
 		// gr.Status.State = kyverno.Pending
 		// generate requests created in kyverno namespace
 		_, err = client.KyvernoV1().GenerateRequests("kyverno").Create(&gr)
-		glog.V(4).Infof("retry %v create generate request", i)
+		log.V(4).Info("retrying create generate request CR", "retryCount", i, "name", gr.GetGenerateName(), "namespace", gr.GetNamespace())
 		i++
 		return err
 	}
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 956c568cac..7f0fc4a692 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -5,7 +5,6 @@ import (
 	"sort"
 	"time"
 
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -18,19 +17,19 @@ import (
 
 //HandleGenerate handles admission-requests for policies with generate rules
 func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
+	logger := ws.log.WithValues("action", "generation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger.V(4).Info("incoming request")
 	var engineResponses []response.EngineResponse
 
 	// convert RAW to unstructured
 	resource, err := utils.ConvertToUnstructured(request.Object.Raw)
 	if err != nil {
 		//TODO: skip applying the admission control ?
-		glog.Errorf("unable to convert raw resource to unstructured: %v", err)
+		logger.Error(err, "failed to convert RAR resource to unstructured format")
 		return true, ""
 	}
 
 	// CREATE resources, do not have name, assigned in admission-request
-	glog.V(4).Infof("Handle Generate: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-		resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)
 
 	userRequestInfo := kyverno.RequestInfo{
 		Roles:             roles,
@@ -41,16 +40,16 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
-		glog.Infof("Failed to load resource in context:%v", err)
+		logger.Error(err, "failed to load incoming resource in context")
 	}
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
-		glog.Infof("Failed to load userInfo in context:%v", err)
+		logger.Error(err, "failed to load userInfo in context")
 	}
 	// load service account in context
 	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		glog.Infof("Failed to load service account in context:%v", err)
+		logger.Error(err, "failed to load service account in context")
 	}
 
 	policyContext := engine.PolicyContext{
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 1991427ebf..68ca58fae1 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -7,7 +7,6 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/openapi"
 
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -22,8 +21,8 @@ import (
 // HandleMutation handles mutating webhook admission request
 // return value: generated patches
 func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte {
-	glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
+	logger := ws.log.WithValues("action", "mutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger.V(4).Info("incoming request")
 
 	var patches [][]byte
 	var engineResponses []response.EngineResponse
@@ -39,16 +38,16 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
-		glog.Infof("Failed to load resource in context:%v", err)
+		logger.Error(err, "failed to load incoming resource in context")
 	}
 
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
-		glog.Infof("Failed to load userInfo in context:%v", err)
+		logger.Error(err, "failed to load userInfo in context")
 	}
 	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		glog.Infof("Failed to load service account in context:%v", err)
+		logger.Error(err, "failed to load service account in context")
 	}
 
 	policyContext := engine.PolicyContext{
@@ -58,39 +57,36 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	}
 
 	for _, policy := range policies {
-		glog.V(2).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-			resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)
+		logger.V(2).Info("evaluating policy", "policy", policy.Name)
+
 		policyContext.Policy = policy
 		engineResponse := engine.Mutate(policyContext)
 		engineResponses = append(engineResponses, engineResponse)
 		ws.statusListener.Send(mutateStats{resp: engineResponse})
 		if !engineResponse.IsSuccesful() {
-			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
+			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
 			continue
 		}
 		err := openapi.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind())
 		if err != nil {
-			glog.V(4).Infoln(err)
+			logger.Error(err, "failed to validate resource")
 			continue
 		}
 		// gather patches
 		patches = append(patches, engineResponse.GetPatches()...)
-		glog.V(4).Infof("Mutation from policy %s has applied successfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())
+		logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name)
 
 		policyContext.NewResource = engineResponse.PatchedResource
 	}
 
 	// generate annotations
-	if annPatches := generateAnnotationPatches(engineResponses); annPatches != nil {
+	if annPatches := generateAnnotationPatches(engineResponses, logger); annPatches != nil {
 		patches = append(patches, annPatches)
 	}
 
-	// report time
-	reportTime := time.Now()
-
 	// AUDIT
 	// generate violation when response fails
-	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
+	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
 	ws.pvGenerator.Add(pvInfos...)
 	// REPORTING EVENTS
 	// Scenario 1:
@@ -100,25 +96,21 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	//   all policies were applied succesfully.
 	//   create an event on the resource
 	// ADD EVENTS
-	events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update))
+	events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update), logger)
 	ws.eventGen.Add(events...)
 
 	// debug info
 	func() {
 		if len(patches) != 0 {
-			glog.V(4).Infof("Patches generated for %s/%s/%s, operation=%v:\n %v",
-				resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.Operation, string(engineutils.JoinPatches(patches)))
+			logger.V(4).Info("JSON patches generated")
 		}
 
 		// if any of the policies fails, print out the error
 		if !isResponseSuccesful(engineResponses) {
-			glog.Errorf("Failed to mutate the resource, report as violation: %s\n", getErrorMsg(engineResponses))
+			logger.Info("failed to apply mutation rules on the resource, reporting policy violation", "errors", getErrorMsg(engineResponses))
 		}
 	}()
 
-	// report time end
-	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), resource.GetKind(), resource.GetNamespace(), resource.GetName())
-
 	// patches holds all the successful patches, if no patch is created, it returns nil
 	return engineutils.JoinPatches(patches)
 }
diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index 8081528edd..dea2f87fff 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -8,7 +8,7 @@ import (
 	"strings"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/utils"
@@ -17,12 +17,13 @@ import (
 )
 
 func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	logger := ws.log.WithValues("action", "policymutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	var policy *kyverno.ClusterPolicy
 	raw := request.Object.Raw
 
 	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
 	if err := json.Unmarshal(raw, &policy); err != nil {
-		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
+		logger.Error(err, "faield to unmarshall policy admission request")
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
 			Result: &metav1.Status{
@@ -31,10 +32,9 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest)
 		}
 	}
 	// Generate JSON Patches for defaults
-	patches, updateMsgs := generateJSONPatchesForDefaults(policy)
+	patches, updateMsgs := generateJSONPatchesForDefaults(policy, logger)
 	if patches != nil {
 		patchType := v1beta1.PatchTypeJSONPatch
-		glog.V(4).Infof("defaulted values %v policy %s", updateMsgs, policy.Name)
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
 			Result: &metav1.Status{
@@ -44,35 +44,34 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest)
 			PatchType: &patchType,
 		}
 	}
-	glog.V(4).Infof("nothing to default for policy %s", policy.Name)
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}
 }
 
-func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []string) {
+func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, []string) {
 	var patches [][]byte
 	var updateMsgs []string
 
 	// default 'ValidationFailureAction'
-	if patch, updateMsg := defaultvalidationFailureAction(policy); patch != nil {
+	if patch, updateMsg := defaultvalidationFailureAction(policy, log); patch != nil {
 		patches = append(patches, patch)
 		updateMsgs = append(updateMsgs, updateMsg)
 	}
 
 	// default 'Background'
-	if patch, updateMsg := defaultBackgroundFlag(policy); patch != nil {
+	if patch, updateMsg := defaultBackgroundFlag(policy, log); patch != nil {
 		patches = append(patches, patch)
 		updateMsgs = append(updateMsgs, updateMsg)
 	}
 
-	patch, errs := generatePodControllerRule(*policy)
+	patch, errs := generatePodControllerRule(*policy, log)
 	if len(errs) > 0 {
 		var errMsgs []string
 		for _, err := range errs {
 			errMsgs = append(errMsgs, err.Error())
+			log.Error(err, "failed to generate pod controller rule")
 		}
-		glog.Errorf("failed auto generating rule for pod controllers: %s", errMsgs)
 		updateMsgs = append(updateMsgs, strings.Join(errMsgs, ";"))
 	}
 
@@ -81,11 +80,11 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []st
 	return utils.JoinPatches(patches), updateMsgs
 }
 
-func defaultBackgroundFlag(policy *kyverno.ClusterPolicy) ([]byte, string) {
+func defaultBackgroundFlag(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) {
 	// default 'Background' flag to 'true' if not specified
 	defaultVal := true
 	if policy.Spec.Background == nil {
-		glog.V(4).Infof("default policy %s 'Background' to '%s'", policy.Name, strconv.FormatBool(true))
+		log.V(4).Info("setting default value", "spec.background", true)
 		jsonPatch := struct {
 			Path  string `json:"path"`
 			Op    string `json:"op"`
@@ -97,19 +96,19 @@ func defaultBackgroundFlag(policy *kyverno.ClusterPolicy) ([]byte, string) {
 		}
 		patchByte, err := json.Marshal(jsonPatch)
 		if err != nil {
-			glog.Errorf("failed to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name)
+			log.Error(err, "failed to set default value", "spec.background", true)
 			return nil, ""
 		}
-		glog.V(4).Infof("generate JSON Patch to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name)
+		log.Info("generated JSON Patch to set default", "spec.background", true)
 		return patchByte, fmt.Sprintf("default 'Background' to '%s'", strconv.FormatBool(true))
 	}
 	return nil, ""
 }
 
-func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, string) {
+func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) {
 	// default ValidationFailureAction to "audit" if not specified
 	if policy.Spec.ValidationFailureAction == "" {
-		glog.V(4).Infof("defaulting policy %s 'ValidationFailureAction' to '%s'", policy.Name, Audit)
+		log.V(4).Info("setting defautl value", "spec.validationFailureAction", Audit)
 		jsonPatch := struct {
 			Path  string `json:"path"`
 			Op    string `json:"op"`
@@ -121,10 +120,10 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri
 		}
 		patchByte, err := json.Marshal(jsonPatch)
 		if err != nil {
-			glog.Errorf("failed to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
+			log.Error(err, "failed to default value", "spec.validationFailureAction", Audit)
 			return nil, ""
 		}
-		glog.V(4).Infof("generate JSON Patch to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
+		log.Info("generated JSON Patch to set default", "spec.validationFailureAction", Audit)
 		return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", Audit)
 	}
 	return nil, ""
@@ -140,7 +139,7 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri
 //             make sure all fields are applicable to pod cotrollers
 
 // generatePodControllerRule returns two patches: rulePatches and annotation patch(if necessary)
-func generatePodControllerRule(policy kyverno.ClusterPolicy) (patches [][]byte, errs []error) {
+func generatePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) {
 	ann := policy.GetAnnotations()
 	controllers, ok := ann[engine.PodControllersAnnotation]
 
@@ -159,10 +158,9 @@ func generatePodControllerRule(policy kyverno.ClusterPolicy) (patches [][]byte,
 	if controllers == "none" {
 		return nil, nil
 	}
+	log.V(3).Info("auto generating rule for pod controllers", "controlers", controllers)
 
-	glog.V(3).Infof("Auto generating rule for pod controller: %s", controllers)
-
-	p, err := generateRulePatches(policy, controllers)
+	p, err := generateRulePatches(policy, controllers, log)
 	patches = append(patches, p...)
 	errs = append(errs, err...)
 	return
@@ -197,7 +195,7 @@ func createRuleMap(rules []kyverno.Rule) map[string]kyvernoRule {
 }
 
 // generateRulePatches generates rule for podControllers based on scenario A and C
-func generateRulePatches(policy kyverno.ClusterPolicy, controllers string) (rulePatches [][]byte, errs []error) {
+func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) {
 	var genRule kyvernoRule
 	insertIdx := len(policy.Spec.Rules)
 
@@ -210,7 +208,7 @@ func generateRulePatches(policy kyverno.ClusterPolicy, controllers string) (rule
 	for _, rule := range policy.Spec.Rules {
 		patchPostion := insertIdx
 
-		genRule = generateRuleForControllers(rule, controllers)
+		genRule = generateRuleForControllers(rule, controllers, log)
 		if reflect.DeepEqual(genRule, kyvernoRule{}) {
 			continue
 		}
@@ -272,7 +270,7 @@ type kyvernoRule struct {
 	Validation       *kyverno.Validation       `json:"validate,omitempty"`
 }
 
-func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRule {
+func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.Logger) kyvernoRule {
 	if strings.HasPrefix(rule.Name, "autogen-") {
 		return kyvernoRule{}
 	}
@@ -292,7 +290,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRu
 	if controllers == "all" {
 		if match.ResourceDescription.Name != "" || match.ResourceDescription.Selector != nil ||
 			exclude.ResourceDescription.Name != "" || exclude.ResourceDescription.Selector != nil {
-			glog.Warningf("Rule '%s' skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", rule.Name)
+			log.Info("skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", "rule", rule.Name)
 			return kyvernoRule{}
 		}
 		controllers = engine.PodControllers
diff --git a/pkg/webhooks/policymutation_test.go b/pkg/webhooks/policymutation_test.go
index 0b5af63c59..d887cd6ee2 100644
--- a/pkg/webhooks/policymutation_test.go
+++ b/pkg/webhooks/policymutation_test.go
@@ -8,6 +8,7 @@ import (
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"gotest.tools/assert"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func compareJSONAsMap(t *testing.T, expected, actual []byte) {
@@ -28,7 +29,7 @@ func TestGeneratePodControllerRule_NilAnnotation(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -61,7 +62,7 @@ func TestGeneratePodControllerRule_PredefinedAnnotation(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 	assert.Assert(t, len(patches) == 0)
 }
@@ -112,7 +113,7 @@ func TestGeneratePodControllerRule_DisableFeature(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 	assert.Assert(t, len(patches) == 0)
 }
@@ -163,7 +164,7 @@ func TestGeneratePodControllerRule_Mutate(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -261,7 +262,7 @@ func TestGeneratePodControllerRule_ExistOtherAnnotation(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -333,7 +334,7 @@ func TestGeneratePodControllerRule_ValidateAnyPattern(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -471,7 +472,7 @@ func TestGeneratePodControllerRule_ValidatePattern(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy)
+	patches, errs := generatePodControllerRule(policy, log.Log)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index d58a22eec9..897bba0de0 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -4,13 +4,14 @@ import (
 	policyvalidate "github.com/nirmata/kyverno/pkg/policy"
 
 	v1beta1 "k8s.io/api/admission/v1beta1"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 //HandlePolicyValidation performs the validation check on policy resource
 func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
-	if err := policyvalidate.Validate(request.Object.Raw); err != nil {
+	if err := policyvalidate.Validate(request.Object.Raw, ws.client, false); err != nil {
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{
diff --git a/pkg/webhooks/report.go b/pkg/webhooks/report.go
index 035a60688e..83e67c5753 100644
--- a/pkg/webhooks/report.go
+++ b/pkg/webhooks/report.go
@@ -3,6 +3,7 @@ package webhooks
 import (
 	"strings"
 
+	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 
@@ -10,7 +11,7 @@ import (
 )
 
 //generateEvents generates event info for the engine responses
-func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool) []event.Info {
+func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info {
 	var events []event.Info
 	// Scenario 1
 	// - Admission-Response is SUCCESS && CREATE
@@ -26,6 +27,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 			successRulesStr := strings.Join(successRules, ";")
 			// event on resource
 			e := event.NewEvent(
+				log,
 				er.PolicyResponse.Resource.Kind,
 				er.PolicyResponse.Resource.APIVersion,
 				er.PolicyResponse.Resource.Namespace,
@@ -59,6 +61,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 			filedRulesStr := strings.Join(failedRules, ";")
 			// Event on Policy
 			e := event.NewEvent(
+				log,
 				"ClusterPolicy",
 				kyverno.SchemeGroupVersion.String(),
 				"",
@@ -90,6 +93,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 		filedRulesStr := strings.Join(failedRules, ";")
 		// Event on the policy
 		e := event.NewEvent(
+			log,
 			"ClusterPolicy",
 			kyverno.SchemeGroupVersion.String(),
 			"",
@@ -104,6 +108,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 		// Event on the resource
 		// event on resource
 		e = event.NewEvent(
+			log,
 			er.PolicyResponse.Resource.Kind,
 			er.PolicyResponse.Resource.APIVersion,
 			er.PolicyResponse.Resource.Namespace,
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index b0ca988449..fbc8788d0b 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/golang/glog"
+	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -69,6 +69,7 @@ type WebhookServer struct {
 	// generate request generator
 	grGenerator            *generate.Generator
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
+	log                    logr.Logger
 }
 
 // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
@@ -88,7 +89,9 @@ func NewWebhookServer(
 	pvGenerator policyviolation.GeneratorInterface,
 	grGenerator *generate.Generator,
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
-	cleanUp chan<- struct{}) (*WebhookServer, error) {
+	cleanUp chan<- struct{},
+	log logr.Logger,
+) (*WebhookServer, error) {
 
 	if tlsPair == nil {
 		return nil, errors.New("NewWebhookServer is not initialized properly")
@@ -120,6 +123,7 @@ func NewWebhookServer(
 		pMetaStore:                pMetaStore,
 		grGenerator:               grGenerator,
 		resourceWebhookWatcher:    resourceWebhookWatcher,
+		log:                       log,
 	}
 	mux := http.NewServeMux()
 	mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
@@ -148,8 +152,9 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 	if admissionReview == nil {
 		return
 	}
+	logger := ws.log.WithValues("kind", admissionReview.Request.Kind, "namespace", admissionReview.Request.Namespace, "name", admissionReview.Request.Name)
 	defer func() {
-		glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
+		logger.V(4).Info("request processed", "processingTime", time.Since(startTime))
 	}()
 
 	admissionReview.Response = &v1beta1.AdmissionResponse{
@@ -195,31 +200,29 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 }
 
 func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
-		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
+		logger.Error(err, "failed to list policies. Policies are NOT being applied")
 		return &v1beta1.AdmissionResponse{Allowed: true}
 	}
 
 	var roles, clusterRoles []string
 
 	// getRoleRef only if policy has roles/clusterroles defined
-	startTime := time.Now()
 	if containRBACinfo(policies) {
 		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
-			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
-				request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err)
+			logger.Error(err, "failed to get RBAC infromation for request")
 		}
 	}
-	glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime))
 
 	// convert RAW to unstructured
 	resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
 	if err != nil {
-		glog.Errorf(err.Error())
+		logger.Error(err, "failed to convert RAW resource to unstructured format")
 
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
@@ -245,13 +248,13 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
 
 	// patch the resource with patches before handling validation rules
-	patchedResource := processResourceWithPatches(patches, request.Object.Raw)
+	patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
 
 	if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
 		// VALIDATION
 		ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
 		if !ok {
-			glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
+			logger.Info("admission request denied")
 			return &v1beta1.AdmissionResponse{
 				Allowed: false,
 				Result: &metav1.Status{
@@ -269,7 +272,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	if request.Operation == v1beta1.Create {
 		ok, msg := ws.HandleGenerate(request, policies, patchedResource, roles, clusterRoles)
 		if !ok {
-			glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
+			logger.Info("admission request denied")
 			return &v1beta1.AdmissionResponse{
 				Allowed: false,
 				Result: &metav1.Status{
@@ -292,31 +295,29 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 }
 
 func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
-		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
+		logger.Error(err, "failed to list policies. Policies are NOT being applied")
 		return &v1beta1.AdmissionResponse{Allowed: true}
 	}
 
 	var roles, clusterRoles []string
 
 	// getRoleRef only if policy has roles/clusterroles defined
-	startTime := time.Now()
 	if containRBACinfo(policies) {
 		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
-			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
-				request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err)
+			logger.Error(err, "failed to get RBAC infromation for request")
 		}
 	}
-	glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime))
 
 	// VALIDATION
 	ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles)
 	if !ok {
-		glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
+		logger.Info("admission request denied")
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{
@@ -336,27 +337,28 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 
 // RunAsync TLS server in separate thread and returns control immediately
 func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
+	logger := ws.log
 	if !cache.WaitForCacheSync(stopCh, ws.pSynced, ws.rbSynced, ws.crbSynced) {
-		glog.Error("webhook: failed to sync informer cache")
+		logger.Info("failed to sync informer cache")
 	}
 
 	go func(ws *WebhookServer) {
-		glog.V(3).Infof("serving on %s\n", ws.server.Addr)
+		logger.V(3).Info("started serving requests", "addr", ws.server.Addr)
 		if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
-			glog.Infof("HTTP server error: %v", err)
+			logger.Error(err, "failed to listen to requests")
 		}
 	}(ws)
-	glog.Info("Started Webhook Server")
+	logger.Info("starting")
 	// verifys if the admission control is enabled and active
 	// resync: 60 seconds
 	// deadline: 60 seconds (send request)
 	// max deadline: deadline*3 (set the deployment annotation as false)
 	go ws.lastReqTime.Run(ws.pLister, ws.eventGen, ws.client, checker.DefaultResync, checker.DefaultDeadline, stopCh)
-
 }
 
 // Stop TLS server and returns control after the server is shut down
 func (ws *WebhookServer) Stop(ctx context.Context) {
+	logger := ws.log
 	// cleanUp
 	// remove the static webhookconfigurations
 	go ws.webhookRegistrationClient.RemoveWebhookConfigurations(ws.cleanUp)
@@ -364,7 +366,7 @@ func (ws *WebhookServer) Stop(ctx context.Context) {
 	err := ws.server.Shutdown(ctx)
 	if err != nil {
 		// Error from closing listeners, or context timeout:
-		glog.Info("Server Shutdown error: ", err)
+		logger.Error(err, "shutting down server")
 		ws.server.Close()
 	}
 }
@@ -372,6 +374,7 @@ func (ws *WebhookServer) Stop(ctx context.Context) {
 // bodyToAdmissionReview creates AdmissionReview object from request body
 // Answers to the http.ResponseWriter if request is not valid
 func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview {
+	logger := ws.log
 	var body []byte
 	if request.Body != nil {
 		if data, err := ioutil.ReadAll(request.Body); err == nil {
@@ -379,21 +382,21 @@ func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer htt
 		}
 	}
 	if len(body) == 0 {
-		glog.Error("Error: empty body")
+		logger.Info("empty body")
 		http.Error(writer, "empty body", http.StatusBadRequest)
 		return nil
 	}
 
 	contentType := request.Header.Get("Content-Type")
 	if contentType != "application/json" {
-		glog.Error("Error: invalid Content-Type: ", contentType)
+		logger.Info("invalid Content-Type", "contextType", contentType)
 		http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
 		return nil
 	}
 
 	admissionReview := &v1beta1.AdmissionReview{}
 	if err := json.Unmarshal(body, &admissionReview); err != nil {
-		glog.Errorf("Error: Can't decode body as AdmissionReview: %v", err)
+		logger.Error(err, "failed to decode request body to type 'AdmissionReview")
 		http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
 		return nil
 	}
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index 54a7fbdf3e..d0b49347ad 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -5,7 +5,6 @@ import (
 	"sort"
 	"time"
 
-	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -19,16 +18,14 @@ import (
 // If there are no errors in validating rule we apply generation rules
 // patchedResource is the (resource + patches) after applying mutation rules
 func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
-	glog.V(4).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
-
-	evalTime := time.Now()
+	logger := ws.log.WithValues("action", "validation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger.V(4).Info("incoming request")
 
 	// Get new and old resource
 	newR, oldR, err := extractResources(patchedResource, request)
 	if err != nil {
 		// as resource cannot be parsed, we skip processing
-		glog.Error(err)
+		logger.Error(err, "failed to extract resource")
 		return true, ""
 	}
 	userRequestInfo := kyverno.RequestInfo{
@@ -40,17 +37,17 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
-		glog.Infof("Failed to load resource in context:%v", err)
+		logger.Error(err, "failed to load incoming resource in context")
 	}
 
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
-		glog.Infof("Failed to load userInfo in context:%v", err)
+		logger.Error(err, "failed to load userInfo in context")
 	}
 
 	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		glog.Infof("Failed to load service account in context:%v", err)
+		logger.Error(err, "failed to load service account in context")
 	}
 
 	policyContext := engine.PolicyContext{
@@ -61,8 +58,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	}
 	var engineResponses []response.EngineResponse
 	for _, policy := range policies {
-		glog.V(2).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
-			newR.GetKind(), newR.GetNamespace(), newR.GetName(), request.UID, request.Operation)
+		logger.V(2).Info("evaluating policy", "policy", policy.Name)
 		policyContext.Policy = policy
 		engineResponse := engine.Validate(policyContext)
 		if reflect.DeepEqual(engineResponse, response.EngineResponse{}) {
@@ -75,17 +71,13 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 			resp: engineResponse,
 		})
 		if !engineResponse.IsSuccesful() {
-			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, newR.GetNamespace(), newR.GetName())
+			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
 			continue
 		}
 	}
-	glog.V(4).Infof("eval: %v %s/%s/%s ", time.Since(evalTime), request.Kind, request.Namespace, request.Name)
-	// report time
-	reportTime := time.Now()
-
 	// If Validation fails then reject the request
 	// no violations will be created on "enforce"
-	blocked := toBlockResource(engineResponses)
+	blocked := toBlockResource(engineResponses, logger)
 
 	// REPORTING EVENTS
 	// Scenario 1:
@@ -97,19 +89,18 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	// Scenario 3:
 	//   all policies were applied succesfully.
 	//   create an event on the resource
-	events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update))
+	events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update), logger)
 	ws.eventGen.Add(events...)
 	if blocked {
-		glog.V(4).Infof("resource %s/%s/%s is blocked\n", newR.GetKind(), newR.GetNamespace(), newR.GetName())
+		logger.V(4).Info("resource blocked")
 		return false, getEnforceFailureErrorMsg(engineResponses)
 	}
 
 	// ADD POLICY VIOLATIONS
 	// violations are created with resource on "audit"
-	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
+	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
 	ws.pvGenerator.Add(pvInfos...)
 	// report time end
-	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), request.Kind, request.Namespace, request.Name)
 	return true, ""
 }
 
diff --git a/scripts/update-codegen.sh b/scripts/update-codegen.sh
index 686c2cdfe1..a6f56b314d 100755
--- a/scripts/update-codegen.sh
+++ b/scripts/update-codegen.sh
@@ -13,8 +13,10 @@ esac
 NIRMATA_DIR=$(dirname ${BASH_SOURCE})/..
 NIRMATA_ROOT=$(${linkutil} -f ${NIRMATA_DIR})
 
+# instructions to build project https://github.com/nirmata/kyverno/wiki/Building
+
 # get relative path to code generation script
-CODEGEN_PKG=${NIRMATA_DIR}/vendor/k8s.io/code-generator
+CODEGEN_PKG="${GOPATH}/src/k8s.io/code-generator"
 
 # get relative path of nirmata
 NIRMATA_PKG=${NIRMATA_ROOT#"${GOPATH}/src/"}

From b5af456f649596313d0b47e6db13b2f6b031ee76 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 28 Mar 2020 16:36:19 +0530
Subject: [PATCH 050/201] Revert "754 merge conflicts"

This reverts commit 39f75db43568c62e8a933542105c6642f6e3ce0c.
---
 .codeclimate.yml                              |  18 -
 .golangci.yml                                 |  17 -
 .travis.yml                                   |   5 -
 CONTRIBUTING.md                               |   8 +-
 README.md                                     |   1 -
 cmd/initContainer/main.go                     |  80 +--
 cmd/kyverno/main.go                           | 110 ++--
 {api => data}/swaggerDoc.go                   |   0
 definitions/install.yaml                      |   2 +
 definitions/install_debug.yaml                |   2 +
 go.mod                                        |  32 +-
 go.sum                                        | 185 ------
 pkg/api/kyverno/v1/zz_generated.deepcopy.go   |   8 +-
 pkg/auth/auth.go                              | 108 ----
 pkg/auth/auth_test.go                         |  48 --
 pkg/checker/checker.go                        |  41 +-
 pkg/checker/status.go                         |  26 +-
 pkg/client/clientset/versioned/clientset.go   |   7 -
 .../versioned/fake/clientset_generated.go     |   7 +-
 .../clientset/versioned/fake/register.go      |   3 +-
 .../typed/kyverno/v1/kyverno_client.go        |   3 +-
 pkg/config/config.go                          |  28 +-
 pkg/config/dynamicconfig.go                   |  39 +-
 pkg/dclient/certificates.go                   |  37 +-
 pkg/dclient/client.go                         |  32 +-
 pkg/engine/anchor/anchor.go                   |  15 +-
 pkg/engine/context/context.go                 |  19 +-
 pkg/engine/context/evaluate.go                |   7 +-
 pkg/engine/forceMutate.go                     |   5 +-
 pkg/engine/generation.go                      |  18 +-
 pkg/engine/mutate/overlay.go                  |  38 +-
 pkg/engine/mutate/overlayCondition.go         |  27 +-
 pkg/engine/mutate/overlayCondition_test.go    | 111 ++--
 pkg/engine/mutate/overlay_test.go             |  93 ++-
 pkg/engine/mutate/patches.go                  |  17 +-
 pkg/engine/mutate/patches_test.go             |  19 +-
 pkg/engine/mutation.go                        |  41 +-
 pkg/engine/mutation_test.go                   |  16 +-
 pkg/engine/utils.go                           |   5 +-
 pkg/engine/validate/pattern.go                |  76 +--
 pkg/engine/validate/pattern_test.go           | 113 ++--
 pkg/engine/validate/validate.go               |  54 +-
 pkg/engine/validate/validate_test.go          |  52 +-
 pkg/engine/validation.go                      |  55 +-
 pkg/engine/validation_test.go                 |  64 +-
 pkg/engine/variables/common.go                |  10 -
 pkg/engine/variables/evaluate.go              |  11 +-
 pkg/engine/variables/evaluate_test.go         |  61 +-
 pkg/engine/variables/operator/equal.go        |  40 +-
 pkg/engine/variables/operator/notequal.go     |  39 +-
 pkg/engine/variables/operator/operator.go     |  12 +-
 pkg/engine/variables/variables_test.go        |  19 +-
 pkg/engine/variables/vars.go                  |  34 +-
 pkg/engine/variables/vars_test.go             |   7 +-
 pkg/event/controller.go                       |  53 +-
 pkg/generate/cleanup/cleanup.go               |  15 +-
 pkg/generate/cleanup/controller.go            |  51 +-
 pkg/generate/controller.go                    |  45 +-
 pkg/generate/generate.go                      |  65 +-
 pkg/generate/labels.go                        |   6 +-
 pkg/generate/report.go                        |   5 +-
 pkg/generate/status.go                        |  10 +-
 pkg/kyverno/apply/command.go                  |   7 +-
 pkg/kyverno/main.go                           |  11 +-
 pkg/kyverno/validate/command.go               |   7 +-
 pkg/openapi/crdSync.go                        |  13 +-
 pkg/openapi/validation.go                     |   8 +-
 pkg/policy/actions.go                         |  61 --
 pkg/policy/apply.go                           |  46 +-
 pkg/policy/background.go                      |  11 +-
 pkg/policy/cleanup.go                         |  44 +-
 pkg/policy/clusterpv.go                       |  39 +-
 pkg/policy/common.go                          |   4 +-
 pkg/policy/common/common.go                   |  85 ---
 pkg/policy/controller.go                      |  53 +-
 pkg/policy/existing.go                        |  60 +-
 pkg/policy/generate/auth.go                   |  74 ---
 pkg/policy/generate/fake.go                   |  21 -
 pkg/policy/generate/fake/auth.go              |  31 -
 pkg/policy/generate/validate.go               | 151 -----
 pkg/policy/generate/validate_test.go          |  89 ---
 pkg/policy/mutate/validate.go                 |  63 --
 pkg/policy/mutate/validate_test.go            | 151 -----
 pkg/policy/namespacedpv.go                    |  38 +-
 pkg/policy/report.go                          |  33 +-
 pkg/policy/validate.go                        | 223 ++++++-
 pkg/policy/validate/validate.go               |  61 --
 pkg/policy/validate/validate_test.go          | 381 ------------
 pkg/policy/validate_test.go                   | 582 +++++++++++++++++-
 pkg/policy/webhookregistration.go             |   8 +-
 pkg/policystatus/main.go                      |   9 +-
 pkg/policystore/policystore.go                |  16 +-
 pkg/policyviolation/builder.go                |   7 +-
 pkg/policyviolation/builder_test.go           |   3 +-
 pkg/policyviolation/clusterpv.go              |  22 +-
 pkg/policyviolation/common.go                 |   4 +-
 pkg/policyviolation/generator.go              |  41 +-
 pkg/policyviolation/namespacedpv.go           |  22 +-
 pkg/testrunner/scenario.go                    |   9 +-
 pkg/testrunner/utils.go                       |   4 +-
 pkg/tls/tls.go                                |   1 -
 pkg/userinfo/roleRef.go                       |   6 +-
 pkg/userinfo/roleRef_test.go                  |   8 +-
 pkg/utils/util.go                             |  15 +-
 pkg/version/version.go                        |  10 +-
 pkg/webhookconfig/checker.go                  |  21 +-
 pkg/webhookconfig/common.go                   | 128 +---
 pkg/webhookconfig/policy.go                   |  23 +-
 pkg/webhookconfig/registration.go             |  59 +-
 pkg/webhookconfig/resource.go                 |  37 +-
 pkg/webhookconfig/rwebhookregister.go         |  35 +-
 pkg/webhooks/admission_test.go                |   1 +
 pkg/webhooks/annotations.go                   |  22 +-
 pkg/webhooks/annotations_test.go              |  13 +-
 pkg/webhooks/checker.go                       |   5 +-
 pkg/webhooks/common.go                        |  13 +-
 pkg/webhooks/generate/generate.go             |  30 +-
 pkg/webhooks/generation.go                    |  13 +-
 pkg/webhooks/mutation.go                      |  38 +-
 pkg/webhooks/policymutation.go                |  50 +-
 pkg/webhooks/policymutation_test.go           |  15 +-
 pkg/webhooks/policyvalidation.go              |   3 +-
 pkg/webhooks/report.go                        |   7 +-
 pkg/webhooks/server.go                        |  57 +-
 pkg/webhooks/validation.go                    |  33 +-
 scripts/update-codegen.sh                     |   4 +-
 126 files changed, 2111 insertions(+), 3203 deletions(-)
 delete mode 100644 .codeclimate.yml
 delete mode 100644 .golangci.yml
 rename {api => data}/swaggerDoc.go (100%)
 delete mode 100644 pkg/auth/auth.go
 delete mode 100644 pkg/auth/auth_test.go
 delete mode 100644 pkg/engine/variables/common.go
 delete mode 100644 pkg/policy/actions.go
 delete mode 100644 pkg/policy/common/common.go
 delete mode 100644 pkg/policy/generate/auth.go
 delete mode 100644 pkg/policy/generate/fake.go
 delete mode 100644 pkg/policy/generate/fake/auth.go
 delete mode 100644 pkg/policy/generate/validate.go
 delete mode 100644 pkg/policy/generate/validate_test.go
 delete mode 100644 pkg/policy/mutate/validate.go
 delete mode 100644 pkg/policy/mutate/validate_test.go
 delete mode 100644 pkg/policy/validate/validate.go
 delete mode 100644 pkg/policy/validate/validate_test.go
 create mode 100644 pkg/webhooks/admission_test.go

diff --git a/.codeclimate.yml b/.codeclimate.yml
deleted file mode 100644
index 95a96cfddb..0000000000
--- a/.codeclimate.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-engines:
-  govet:
-    enabled: true
-  golint:
-    enabled: false
-  gofmt:
-    enabled: true
-
-ratings:
-  paths:
-    - "**.go"
-
-exclude_paths:
-- documentation/
-- definitions
-- gh-pages
-- samples
-- scripts
\ No newline at end of file
diff --git a/.golangci.yml b/.golangci.yml
deleted file mode 100644
index a589a168f3..0000000000
--- a/.golangci.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-linters:
-  enable:
-    - gosec
-    - errcheck
-    - gosimple
-    - bodyclose
-    - staticcheck
-  disable:
-    - ineffassign
-    - deadcode
-    - unused
-    - structcheck
-
-run:
-  skip-files:
-    - ".+_test.go"
-    - ".+_test_.+.go"
\ No newline at end of file
diff --git a/.travis.yml b/.travis.yml
index 3f9676cdb2..917a026a0c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,11 +2,6 @@ language: go
 go:
   - "1.13"
 
-cache:
-  directories:
-    - $HOME/.cache/go-build
-    - $GOPATH/pkg/mod
-  
 # safelist
 branches: 
   only:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 9941e08dd5..be104b5dc2 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,7 +1 @@
-# Contributing to Kyverno
-
-## Code Style
-
-We follow the community provided standard [code structure](https://github.com/golang-standards/project-layout).
-
-See : https://github.com/nirmata/kyverno#contributing
+See: https://github.com/nirmata/kyverno#contributing
diff --git a/README.md b/README.md
index 2335a3b78f..df3ec092d1 100644
--- a/README.md
+++ b/README.md
@@ -171,6 +171,5 @@ See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](htt
 Thanks for your interest in contributing!
 
   * Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing.
-  * We encourage all contributions and encourage you to read our [contribution guidelines](./CONTRIBUTING.md).
   * See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation.
   * Browse through the [open issues](https://github.com/nirmata/kyverno/issues)
diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index e9e377cb7f..9c5a9141ba 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -5,27 +5,23 @@ package main
 
 import (
 	"flag"
-	"fmt"
 	"os"
 	"regexp"
 	"strconv"
 	"sync"
 	"time"
 
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/signal"
 	"k8s.io/apimachinery/pkg/api/errors"
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
-	"k8s.io/klog"
-	"k8s.io/klog/klogr"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 var (
 	kubeconfig string
-	setupLog   = log.Log.WithName("setup")
 )
 
 const (
@@ -34,30 +30,20 @@ const (
 )
 
 func main() {
-	klog.InitFlags(nil)
-	log.SetLogger(klogr.New())
-	// arguments
-	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
-	if err := flag.Set("v", "2"); err != nil {
-		klog.Fatalf("failed to set log level: %v", err)
-	}
-	flag.Parse()
-
+	defer glog.Flush()
 	// os signal handler
 	stopCh := signal.SetupSignalHandler()
 	// create client config
 	clientConfig, err := createClientConfig(kubeconfig)
 	if err != nil {
-		setupLog.Error(err, "Failed to build kubeconfig")
-		os.Exit(1)
+		glog.Fatalf("Error building kubeconfig: %v\n", err)
 	}
 
 	// DYNAMIC CLIENT
 	// - client for all registered resources
-	client, err := client.NewClient(clientConfig, 10*time.Second, stopCh, log.Log)
+	client, err := client.NewClient(clientConfig, 10*time.Second, stopCh)
 	if err != nil {
-		setupLog.Error(err, "Failed to create client")
-		os.Exit(1)
+		glog.Fatalf("Error creating client: %v\n", err)
 	}
 
 	// Exit for unsupported version of kubernetes cluster
@@ -92,46 +78,53 @@ func main() {
 	for err := range merge(done, stopCh, p1, p2) {
 		if err != nil {
 			failure = true
-			log.Log.Error(err, "failed to cleanup resource")
+			glog.Errorf("failed to cleanup: %v", err)
 		}
 	}
 	// if there is any failure then we fail process
 	if failure {
-		log.Log.Info("failed to cleanup webhook configurations")
+		glog.Errorf("failed to cleanup webhook configurations")
 		os.Exit(1)
 	}
 }
 
+func init() {
+	// arguments
+	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
+	flag.Set("logtostderr", "true")
+	flag.Set("stderrthreshold", "WARNING")
+	flag.Set("v", "2")
+	flag.Parse()
+}
+
 func removeWebhookIfExists(client *client.Client, kind string, name string) error {
-	logger := log.Log.WithName("removeExistingWebhook").WithValues("kind", kind, "name", name)
 	var err error
 	// Get resource
 	_, err = client.GetResource(kind, "", name)
 	if errors.IsNotFound(err) {
-		logger.V(4).Info("resource not found")
+		glog.V(4).Infof("%s(%s) not found", name, kind)
 		return nil
 	}
 	if err != nil {
-		logger.Error(err, "failed to get resource")
+		glog.Errorf("failed to get resource %s(%s)", name, kind)
 		return err
 	}
 	// Delete resource
 	err = client.DeleteResource(kind, "", name, false)
 	if err != nil {
-		logger.Error(err, "failed to delete resource")
+		glog.Errorf("failed to delete resource %s(%s)", name, kind)
 		return err
 	}
-	logger.Info("removed the resource")
+	glog.Infof("cleaned up resource %s(%s)", name, kind)
 	return nil
 }
 
 func createClientConfig(kubeconfig string) (*rest.Config, error) {
-	logger := log.Log
 	if kubeconfig == "" {
-		logger.Info("Using in-cluster configuration")
+		glog.Info("Using in-cluster configuration")
 		return rest.InClusterConfig()
 	}
-	logger.Info(fmt.Sprintf("Using configuration from '%s'", kubeconfig))
+	glog.Infof("Using configuration from '%s'", kubeconfig)
 	return clientcmd.BuildConfigFromFlags("", kubeconfig)
 }
 
@@ -170,7 +163,6 @@ func gen(done <-chan struct{}, stopCh <-chan struct{}, requests ...request) <-ch
 
 // processes the requests
 func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}, requests <-chan request) <-chan error {
-	logger := log.Log.WithName("process")
 	out := make(chan error)
 	go func() {
 		defer close(out)
@@ -178,10 +170,10 @@ func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}
 			select {
 			case out <- removeWebhookIfExists(client, req.kind, req.name):
 			case <-done:
-				logger.Info("done")
+				println("done process")
 				return
 			case <-stopCh:
-				logger.Info("shutting down")
+				println("shutting down process")
 				return
 			}
 		}
@@ -191,7 +183,6 @@ func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}
 
 // waits for all processes to be complete and merges result
 func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan error) <-chan error {
-	logger := log.Log.WithName("merge")
 	var wg sync.WaitGroup
 	out := make(chan error)
 	// gets the output from each process
@@ -201,10 +192,10 @@ func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan err
 			select {
 			case out <- err:
 			case <-done:
-				logger.Info("done")
+				println("done merge")
 				return
 			case <-stopCh:
-				logger.Info("shutting down")
+				println("shutting down merge")
 				return
 			}
 		}
@@ -224,37 +215,30 @@ func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan err
 }
 
 func isVersionSupported(client *client.Client) {
-	logger := log.Log
 	serverVersion, err := client.DiscoveryClient.GetServerVersion()
 	if err != nil {
-		logger.Error(err, "Failed to get kubernetes server version")
-		os.Exit(1)
+		glog.Fatalf("Failed to get kubernetes server version: %v\n", err)
 	}
 	exp := regexp.MustCompile(`v(\d*).(\d*).(\d*)`)
 	groups := exp.FindAllStringSubmatch(serverVersion.String(), -1)
 	if len(groups) != 1 || len(groups[0]) != 4 {
-		logger.Error(err, "Failed to extract kubernetes server version", "serverVersion", serverVersion)
-		os.Exit(1)
+		glog.Fatalf("Failed to extract kubernetes server version: %v.err %v\n", serverVersion, err)
 	}
 	// convert string to int
 	// assuming the version are always intergers
 	major, err := strconv.Atoi(groups[0][1])
 	if err != nil {
-		logger.Error(err, "Failed to extract kubernetes major server version", "serverVersion", serverVersion)
-		os.Exit(1)
+		glog.Fatalf("Failed to extract kubernetes major server version: %v.err %v\n", serverVersion, err)
 	}
 	minor, err := strconv.Atoi(groups[0][2])
 	if err != nil {
-		logger.Error(err, "Failed to extract kubernetes minor server version", "serverVersion", serverVersion)
-		os.Exit(1)
+		glog.Fatalf("Failed to extract kubernetes minor server version: %v.err %v\n", serverVersion, err)
 	}
 	sub, err := strconv.Atoi(groups[0][3])
 	if err != nil {
-		logger.Error(err, "Failed to extract kubernetes sub minor server version", "serverVersion", serverVersion)
-		os.Exit(1)
+		glog.Fatalf("Failed to extract kubernetes sub minor server version:%v. err %v\n", serverVersion, err)
 	}
 	if major <= 1 && minor <= 12 && sub < 7 {
-		logger.Info("Unsupported kubernetes server version %s. Kyverno is supported from version v1.12.7+", "serverVersion", serverVersion)
-		os.Exit(1)
+		glog.Fatalf("Unsupported kubernetes server version %s. Kyverno is supported from version v1.12.7+", serverVersion)
 	}
 }
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 3bb05a3b39..7087d41832 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -3,12 +3,11 @@ package main
 import (
 	"context"
 	"flag"
-	"fmt"
-	"os"
 	"time"
 
 	"github.com/nirmata/kyverno/pkg/openapi"
 
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions"
@@ -28,9 +27,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/webhooks"
 	webhookgenerate "github.com/nirmata/kyverno/pkg/webhooks/generate"
 	kubeinformers "k8s.io/client-go/informers"
-	"k8s.io/klog"
-	"k8s.io/klog/klogr"
-	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 var (
@@ -42,38 +38,20 @@ var (
 	// will be removed in future and the configuration will be set only via configmaps
 	filterK8Resources string
 	// User FQDN as CSR CN
-	fqdncn   bool
-	setupLog = log.Log.WithName("setup")
+	fqdncn bool
 )
 
 func main() {
-	klog.InitFlags(nil)
-	log.SetLogger(klogr.New())
-	flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"")
-	flag.IntVar(&webhookTimeout, "webhooktimeout", 3, "timeout for webhook configurations")
-	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
-	flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
-	flag.StringVar(&runValidationInMutatingWebhook, "runValidationInMutatingWebhook", "", "Validation will also be done using the mutation webhook, set to 'true' to enable. Older kubernetes versions do not work properly when a validation webhook is registered.")
-	if err := flag.Set("v", "2"); err != nil {
-		setupLog.Error(err, "failed to set log level")
-		os.Exit(1)
-	}
-
-	// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
-	flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR")
-
-	flag.Parse()
-
-	version.PrintVersionInfo(log.Log)
+	defer glog.Flush()
+	version.PrintVersionInfo()
 	// cleanUp Channel
 	cleanUp := make(chan struct{})
 	//  handle os signals
 	stopCh := signal.SetupSignalHandler()
 	// CLIENT CONFIG
-	clientConfig, err := config.CreateClientConfig(kubeconfig, log.Log)
+	clientConfig, err := config.CreateClientConfig(kubeconfig)
 	if err != nil {
-		setupLog.Error(err, "Failed to build kubeconfig")
-		os.Exit(1)
+		glog.Fatalf("Error building kubeconfig: %v\n", err)
 	}
 
 	// KYVENO CRD CLIENT
@@ -82,33 +60,29 @@ func main() {
 	//		- PolicyViolation
 	pclient, err := kyvernoclient.NewForConfig(clientConfig)
 	if err != nil {
-		setupLog.Error(err, "Failed to create client")
-		os.Exit(1)
+		glog.Fatalf("Error creating client: %v\n", err)
 	}
 
 	// DYNAMIC CLIENT
 	// - client for all registered resources
 	// - invalidate local cache of registered resource every 10 seconds
-	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh, log.Log)
+	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh)
 	if err != nil {
-		setupLog.Error(err, "Failed to create client")
-		os.Exit(1)
+		glog.Fatalf("Error creating client: %v\n", err)
 	}
 	// CRD CHECK
 	// - verify if the CRD for Policy & PolicyViolation are available
-	if !utils.CRDInstalled(client.DiscoveryClient, log.Log) {
-		setupLog.Error(fmt.Errorf("pre-requisite CRDs not installed"), "Failed to create watch on kyverno CRDs")
-		os.Exit(1)
+	if !utils.CRDInstalled(client.DiscoveryClient) {
+		glog.Fatalf("Required CRDs unavailable")
 	}
 	// KUBERNETES CLIENT
 	kubeClient, err := utils.NewKubeClient(clientConfig)
 	if err != nil {
-		setupLog.Error(err, "Failed to create kubernetes client")
-		os.Exit(1)
+		glog.Fatalf("Error creating kubernetes client: %v\n", err)
 	}
 
 	// TODO(shuting): To be removed for v1.2.0
-	utils.CleanupOldCrd(client, log.Log)
+	utils.CleanupOldCrd(client)
 
 	// KUBERNETES RESOURCES INFORMER
 	// watches namespace resource
@@ -125,18 +99,16 @@ func main() {
 		clientConfig,
 		client,
 		serverIP,
-		int32(webhookTimeout),
-		log.Log)
+		int32(webhookTimeout))
 
 	// Resource Mutating Webhook Watcher
-	lastReqTime := checker.NewLastReqTime(log.Log.WithName("LastReqTime"))
+	lastReqTime := checker.NewLastReqTime()
 	rWebhookWatcher := webhookconfig.NewResourceWebhookRegister(
 		lastReqTime,
 		kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations(),
 		kubeInformer.Admissionregistration().V1beta1().ValidatingWebhookConfigurations(),
 		webhookRegistrationClient,
 		runValidationInMutatingWebhook,
-		log.Log.WithName("ResourceWebhookRegister"),
 	)
 
 	// KYVERNO CRD INFORMER
@@ -155,19 +127,16 @@ func main() {
 	configData := config.NewConfigData(
 		kubeClient,
 		kubeInformer.Core().V1().ConfigMaps(),
-		filterK8Resources,
-		log.Log.WithName("ConfigData"),
-	)
+		filterK8Resources)
 
 	// Policy meta-data store
-	policyMetaStore := policystore.NewPolicyStore(pInformer.Kyverno().V1().ClusterPolicies(), log.Log.WithName("PolicyStore"))
+	policyMetaStore := policystore.NewPolicyStore(pInformer.Kyverno().V1().ClusterPolicies())
 
 	// EVENT GENERATOR
 	// - generate event with retry mechanism
 	egen := event.NewEventGenerator(
 		client,
-		pInformer.Kyverno().V1().ClusterPolicies(),
-		log.Log.WithName("EventGenerator"))
+		pInformer.Kyverno().V1().ClusterPolicies())
 
 	// Policy Status Handler - deals with all logic related to policy status
 	statusSync := policystatus.NewSync(
@@ -180,9 +149,7 @@ func main() {
 		client,
 		pInformer.Kyverno().V1().ClusterPolicyViolations(),
 		pInformer.Kyverno().V1().PolicyViolations(),
-		statusSync.Listener,
-		log.Log.WithName("PolicyViolationGenerator"),
-	)
+		statusSync.Listener)
 
 	// POLICY CONTROLLER
 	// - reconciliation policy and policy violation
@@ -198,16 +165,13 @@ func main() {
 		egen,
 		pvgen,
 		policyMetaStore,
-		rWebhookWatcher,
-		log.Log.WithName("PolicyController"),
-	)
+		rWebhookWatcher)
 	if err != nil {
-		setupLog.Error(err, "Failed to create policy controller")
-		os.Exit(1)
+		glog.Fatalf("error creating policy controller: %v\n", err)
 	}
 
 	// GENERATE REQUEST GENERATOR
-	grgen := webhookgenerate.NewGenerator(pclient, stopCh, log.Log.WithName("GenerateRequestGenerator"))
+	grgen := webhookgenerate.NewGenerator(pclient, stopCh)
 
 	// GENERATE CONTROLLER
 	// - applies generate rules on resources based on generate requests created by webhook
@@ -220,7 +184,6 @@ func main() {
 		pvgen,
 		kubedynamicInformer,
 		statusSync.Listener,
-		log.Log.WithName("GenerateController"),
 	)
 	// GENERATE REQUEST CLEANUP
 	// -- cleans up the generate requests that have not been processed(i.e. state = [Pending, Failed]) for more than defined timeout
@@ -230,14 +193,12 @@ func main() {
 		pInformer.Kyverno().V1().ClusterPolicies(),
 		pInformer.Kyverno().V1().GenerateRequests(),
 		kubedynamicInformer,
-		log.Log.WithName("GenerateCleanUpController"),
 	)
 
 	// CONFIGURE CERTIFICATES
 	tlsPair, err := client.InitTLSPemPair(clientConfig, fqdncn)
 	if err != nil {
-		setupLog.Error(err, "Failed to initialize TLS key/certificate pair")
-		os.Exit(1)
+		glog.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err)
 	}
 
 	// WEBHOOK REGISTRATION
@@ -246,8 +207,7 @@ func main() {
 	// resource webhook confgiuration is generated dynamically in the webhook server and policy controller
 	// based on the policy resources created
 	if err = webhookRegistrationClient.Register(); err != nil {
-		setupLog.Error(err, "Failed to register Admission webhooks")
-		os.Exit(1)
+		glog.Fatalf("Failed registering Admission Webhooks: %v\n", err)
 	}
 
 	// Sync openAPI definitions of resources
@@ -274,12 +234,9 @@ func main() {
 		pvgen,
 		grgen,
 		rWebhookWatcher,
-		cleanUp,
-		log.Log.WithName("WebhookServer"),
-	)
+		cleanUp)
 	if err != nil {
-		setupLog.Error(err, "Failed to create webhook server")
-		os.Exit(1)
+		glog.Fatalf("Unable to create webhook server: %v\n", err)
 	}
 	// Start the components
 	pInformer.Start(stopCh)
@@ -317,5 +274,18 @@ func main() {
 	// resource cleanup
 	// remove webhook configurations
 	<-cleanUp
-	setupLog.Info("Kyverno shutdown successful")
+	glog.Info("successful shutdown of kyverno controller")
+}
+
+func init() {
+	flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"")
+	flag.IntVar(&webhookTimeout, "webhooktimeout", 3, "timeout for webhook configurations")
+	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
+	flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
+	flag.StringVar(&runValidationInMutatingWebhook, "runValidationInMutatingWebhook", "", "Validation will also be done using the mutation webhook, set to 'true' to enable. Older kubernetes versions do not work properly when a validation webhook is registered.")
+
+	// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
+	flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR")
+	config.LogDefaultFlags()
+	flag.Parse()
 }
diff --git a/api/swaggerDoc.go b/data/swaggerDoc.go
similarity index 100%
rename from api/swaggerDoc.go
rename to data/swaggerDoc.go
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 3e7825e878..be688d3d97 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -109,6 +109,8 @@ spec:
                                         type: string
                   exclude:
                     type: object
+                    required:
+                    - resources
                     properties:
                       roles:
                         type: array
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index bf9194246d..efc62b5a44 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -109,6 +109,8 @@ spec:
                                         type: string
                   exclude:
                     type: object
+                    required:
+                    - resources
                     properties:
                       roles:
                         type: array
diff --git a/go.mod b/go.mod
index f5ba937e12..593b08fdef 100644
--- a/go.mod
+++ b/go.mod
@@ -5,37 +5,39 @@ go 1.13
 require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/evanphx/json-patch v4.5.0+incompatible
-	github.com/go-logr/logr v0.1.0
+	github.com/gogo/protobuf v1.3.1 // indirect
+	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 // indirect
 	github.com/googleapis/gnostic v0.3.1
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
 	github.com/imdario/mergo v0.3.8 // indirect
 	github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
 	github.com/json-iterator/go v1.1.9 // indirect
 	github.com/minio/minio v0.0.0-20200114012931-30922148fbb5
+	github.com/ory/go-acc v0.1.0 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/spf13/cobra v0.0.5
+	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5
+	golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 // indirect
 	golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
 	golang.org/x/sys v0.0.0-20200113162924-86b910548bc1 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	google.golang.org/appengine v1.6.5 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
-	gopkg.in/yaml.v2 v2.2.8
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.2.7
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.17.4
-	k8s.io/apimachinery v0.17.4
-	k8s.io/cli-runtime v0.17.4
-	k8s.io/client-go v0.17.4
-	k8s.io/klog v1.0.0
-	k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c
+	k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b
+	k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d
+	k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a
+	k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible
+	k8s.io/klog v1.0.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a
 	k8s.io/utils v0.0.0-20200109141947-94aeca20bf09 // indirect
-	sigs.k8s.io/controller-runtime v0.5.0
+	sigs.k8s.io/kustomize v2.0.3+incompatible // indirect
 )
 
 // Added for go1.13 migration https://github.com/golang/go/issues/32805
-replace (
-	github.com/gorilla/rpc v1.2.0+incompatible => github.com/gorilla/rpc v1.2.0
-	k8s.io/code-generator => k8s.io/code-generator v0.0.0-20200306081859-6a048a382944
-	k8s.io/component-base => k8s.io/component-base v0.0.0-20190612130303-4062e14deebe
-)
+replace github.com/gorilla/rpc v1.2.0+incompatible => github.com/gorilla/rpc v1.2.0
diff --git a/go.sum b/go.sum
index 99c5af7f3b..9b6fc04130 100644
--- a/go.sum
+++ b/go.sum
@@ -15,13 +15,6 @@ github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiU
 github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-autorest v11.7.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
-github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
-github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
-github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
-github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
@@ -33,29 +26,21 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/purell v1.0.0 h1:0GoNN3taZV6QI81IXgCbxMyEaJDXMSIjArYBCYzVVvs=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
-github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2 h1:JCHLVE3B+kJde7bIEo5N4J+ZbLhp0J1Fs+ulyRws4gE=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
-github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/Shopify/sarama v1.24.1/go.mod h1:fGP8eQ6PugKEI0iUETYYtnP6d1pH/bdDMTel1X5ajsU=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
-github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
 github.com/ajg/form v0.0.0-20160822230020-523a5da1a92f/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/alecthomas/participle v0.2.1/go.mod h1:SW6HZGeZgSIpcUWX3fXpfZhuaWHnmoD5KCVaqSaNTkk=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
-github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.20.21/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.23.19/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-xray-sdk-go v0.9.4/go.mod h1:XtMKdBQfpVut+tJEwI7+dJFRxxRdxHDyVNp2tHXRq04=
@@ -65,7 +50,6 @@ github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NR
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
 github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
 github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
@@ -80,7 +64,6 @@ github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c/go.mod h1:XGLbWH/ujMcbPbhZq52Nv6UrCghb1yGn//133kEsvDk=
-github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/codegangsta/negroni v1.0.0/go.mod h1:v0y3T5G7Y1UlFfyxFn/QLRU4a2EuNau2iZY63YTKWo0=
 github.com/containerd/continuity v0.0.0-20181203112020-004b46473808/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -90,16 +73,11 @@ github.com/coreos/bbolt v1.3.3/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkE
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.12+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
-github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
-github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -107,13 +85,9 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/djherbis/atime v1.0.0/go.mod h1:5W+KBIuTwVGcqjIfaTwt+KSYX1o6uep8dtevevQP/f8=
-github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
-github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v0.0.0-20180713052910-9f541cc9db5d/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
@@ -122,14 +96,9 @@ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/eclipse/paho.mqtt.golang v1.2.0/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts=
 github.com/elazarl/go-bindata-assetfs v1.0.0/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
-github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/elazarl/goproxy v0.0.0-20181003060214-f58a169a71a5/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633 h1:H2pdYOb3KQ1/YsqVWoWNLQO+fusocsw354rqGTZtAgw=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
-github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
@@ -144,68 +113,21 @@ github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2H
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 h1:Mn26/9ZMNWSw9C9ERFA1PUxfmGpolnw2v0bKOREu5ew=
 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
-github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
-github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-bindata/go-bindata v3.1.1+incompatible/go.mod h1:xK8Dsgwmeed+BBsSy2XTopBn/8uK2HWuGSnA11C3Joo=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logr/logr v0.1.0 h1:M1Tv3VzNlEHg6uyACnRdtrploV2P7wZqH8BoQMtz0cg=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
-github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
-github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
-github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
-github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk=
-github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
-github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
-github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
-github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1 h1:wSt/4CYxs70xbATrGXhokKF1i0tZjENLOo1ioIO13zk=
 github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
-github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
-github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
-github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
-github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9 h1:tF+augKRWlWx0J0B7ZyyKSiTyV6E1zZe+7b3qQlcEf8=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
-github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
-github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
-github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o=
-github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
-github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs=
-github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk=
-github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
-github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64=
-github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501 h1:C1JKChikHGpXwT5UQDFaryIpDtyyGL/CR6C2kB7F1oc=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
-github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
-github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
-github.com/go-openapi/spec v0.19.3 h1:0XRyw8kguri6Yw4SxhsQA/atC88yqrk0+G4YhI2wabc=
-github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
-github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
-github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
-github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY=
-github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87 h1:zP3nY8Tk2E6RTkqGYrarZXuzh+ffyLDljLxCy1iJw80=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
-github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
-github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
-github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
-github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
-github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
-github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -379,18 +301,14 @@ github.com/gobuffalo/x v0.0.0-20181003152136-452098b06085/go.mod h1:WevpGD+5YOre
 github.com/gobuffalo/x v0.0.0-20181007152206-913e47c59ca7/go.mod h1:9rDPXaB3kXdKWzMc4odGQQdG2e2DIEmANy5aSJ9yesY=
 github.com/gofrs/uuid v3.1.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
-github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/gddo v0.0.0-20180828051604-96d2a289f41e/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4=
 github.com/golang/gddo v0.0.0-20190904175337-72a348e765d2/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA=
@@ -415,7 +333,6 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
-github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@@ -424,13 +341,11 @@ github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OI
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.0 h1:Jf4mxPC/ziBnoPIdpQdPJ9OeiomAUHLvxmPRSPH9m4s=
 github.com/google/uuid v1.1.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
 github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk=
 github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
-github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gopherjs/gopherjs v0.0.0-20181004151105-1babbf986f6f/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20190328170749-bb2674552d8f/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -443,12 +358,9 @@ github.com/gorilla/rpc v1.2.0/go.mod h1:V4h9r+4sF5HnzqbwIez0fKSpANP0zlYd3qR7p36j
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.1.2/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
 github.com/gorilla/sessions v1.1.3/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
-github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
-github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
-github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
@@ -456,7 +368,6 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
@@ -488,8 +399,6 @@ github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvh
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg=
@@ -506,10 +415,7 @@ github.com/joho/godotenv v1.2.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqx
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.9 h1:9yzud/Ht36ygwatGx56VwCZtlI/2AD15T1X2sjSuGns=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@@ -539,14 +445,11 @@ github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kurin/blazer v0.5.4-0.20190613185654-cf2f27cc0be3/go.mod h1:4FCXMUWo9DllR2Do4TtBd377ezyAJ51vB5uTBjt0pGU=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
-github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/luna-duclos/instrumentedsql v1.1.2/go.mod h1:4LGbEqDnopzNAiyxPPDXhLspyunZxgPTMJBKtC6U0BQ=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4=
@@ -554,12 +457,6 @@ github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20180730094502-03f2033d19d5 h1:0x4qcEHDpruK6ML/m/YSlFUUu0UpRD3I2PHsNCuGnyA=
 github.com/mailru/easyjson v0.0.0-20180730094502-03f2033d19d5/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
-github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
 github.com/markbates/deplist v1.0.4/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
 github.com/markbates/deplist v1.0.5/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
 github.com/markbates/going v1.0.2/go.mod h1:UWCk3zm0UKefHZ7l8BNqi26UyiEMniznk8naLdTcy6c=
@@ -586,7 +483,6 @@ github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
@@ -629,9 +525,7 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwd
 github.com/monoculum/formam v0.0.0-20180901015400-4e68be1d79ba/go.mod h1:RKgILGEJq24YyJ2ban8EO0RUVSJlF1pGsEvoLEACr/Q=
 github.com/moul/http2curl v0.0.0-20170919181001-9ac6cf4d929b/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/nats-io/gnatsd v1.4.1/go.mod h1:nqco77VO78hLCJpIcVfygDP2rPGfsEHkGTUk94uh5DQ=
 github.com/nats-io/go-nats v1.7.2/go.mod h1:+t7RHT5ApZebkrQdnn6AhQJmhJJiKAvJUio1PiiCtj0=
 github.com/nats-io/go-nats-streaming v0.4.4/go.mod h1:gfq4R3c9sKAINOpelo0gn/b9QDMBZnmrttcsNF+lqyo=
@@ -651,21 +545,15 @@ github.com/nsqio/go-nsq v1.0.7/go.mod h1:XP5zaUs3pqf+Q71EqUJs3HYfBIqfK6G83WQMdNN
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/oleiade/reflections v1.0.0/go.mod h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w=
-github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c h1:Hww8mOyEKTeON4bZn7FrlLismspbPc1teNRUVH7wLQ8=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c h1:eSfnfIuwhxZyULg1NNuZycJcYkjYVGYe7FczwQReM6U=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
@@ -703,12 +591,10 @@ github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -716,12 +602,10 @@ github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7q
 github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rcrowley/go-metrics v0.0.0-20190704165056-9c2d0518ed81/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
@@ -782,7 +666,6 @@ github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb6
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -794,7 +677,6 @@ github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DM
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
@@ -808,7 +690,6 @@ github.com/tidwall/gjson v1.3.5/go.mod h1:P256ACg0Mn+j1RXIDXoss50DeIABTYK1PULOJH
 github.com/tidwall/match v1.0.1/go.mod h1:LujAq0jyVjBy028G1WhWfIzbpQfMO8bBZ6Tyb0+pL9E=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tidwall/sjson v1.0.4/go.mod h1:bURseu1nuBkFpIES5cz6zBtjmYeOQmEESshn7VpF15Y=
-github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
@@ -820,10 +701,8 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT
 github.com/ugorji/go/codec v1.1.5-pre/go.mod h1:tULtS6Gy1AE1yCENaw4Vb//HLH5njI2tfCQDUqRd8fI=
 github.com/unrolled/secure v0.0.0-20180918153822-f340ee86eb8b/go.mod h1:mnPT77IAdsi/kV7+Es7y+pXALeV3h7G6dQF6mNYjcLA=
 github.com/unrolled/secure v0.0.0-20181005190816-ff9db2ff917f/go.mod h1:mnPT77IAdsi/kV7+Es7y+pXALeV3h7G6dQF6mNYjcLA=
-github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
 github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
-github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -833,10 +712,6 @@ github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c/go.mod h1:UrdRz5enIKZ63M
 github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
-go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
-go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
-go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.1/go.mod h1:Ap50jQcDJrx6rB6VgeeFPtuPIf3wMRvRfrfYDO6+BmA=
@@ -859,22 +734,15 @@ golang.org/x/crypto v0.0.0-20181127143415-eb0de9b17e85/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190102171810-8d7daa0c54b3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190103213133-ff983b9c42bc/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 h1:nVJ3guKA9qdkEQ3TUdXI9QSINo2CUPM/cySEvw2w8I0=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
-golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
@@ -903,22 +771,16 @@ golang.org/x/net v0.0.0-20181207154023-610586996380/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -960,11 +822,9 @@ golang.org/x/sys v0.0.0-20190102155601-82a175fd1598/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190116161447-11f53e031339/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190130150945-aca44879d564/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -972,10 +832,8 @@ golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190523142557-0e01d883c5c5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191105231009-c1f44814a5cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1 h1:gZpLHxUX5BdYLA08Lj4YCJNN/jk7KtquiArPoeX0WvA=
@@ -986,7 +844,6 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3
 golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
@@ -1018,7 +875,6 @@ golang.org/x/tools v0.0.0-20190104182027-498d95493402/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190111214448-fc1d57b08d7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190118193359-16909d206f00/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -1028,14 +884,9 @@ golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190624190245-7f2218787638/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190711191110-9a621aea19f8/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
-golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
@@ -1067,7 +918,6 @@ google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiq
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
@@ -1075,15 +925,12 @@ gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUy
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw=
 gopkg.in/gorp.v1 v1.7.2/go.mod h1:Wo3h+DBQZIxATwftsglhdD/62zRFPhGhTiu5jUJmCaw=
-gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
@@ -1095,7 +942,6 @@ gopkg.in/jcmturner/gokrb5.v7 v7.2.3/go.mod h1:l8VISx+WGYp+Fp7KRbsiUuXTTOnxIc3Tuv
 gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLvuNnlv8=
 gopkg.in/ldap.v3 v3.0.3/go.mod h1:oxD7NyBuxchC+SgJDE1Q5Od05eGt29SDQVBmV+HYbzw=
 gopkg.in/mail.v2 v2.0.0-20180731213649-a0242b2233b4/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw=
-gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/olivere/elastic.v5 v5.0.80/go.mod h1:uhHoB4o3bvX5sorxBU29rPcmBQdV2Qfg0FBrx5D6pV0=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.1.9/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
@@ -1109,8 +955,6 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1119,53 +963,24 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b h1:aBGgKJUM9Hk/3AE8WaZIApnTxG35kbuQba2w+SXqezo=
 k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
-k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4=
-k8s.io/api v0.17.4 h1:HbwOhDapkguO8lTAE8OX3hdF2qp8GtpC9CW/MQATXXo=
-k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA=
-k8s.io/apiextensions-apiserver v0.17.2/go.mod h1:4KdMpjkEjjDI2pPfBA15OscyNldHWdBCfsWMDWAmSTs=
 k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d h1:Jmdtdt1ZnoGfWWIIik61Z7nKYgO3J+swQJtPYsP9wHA=
 k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
-k8s.io/apimachinery v0.0.0-20190612125636-6a5db36e93ad/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
-k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
-k8s.io/apimachinery v0.17.4 h1:UzM+38cPUJnzqSQ+E1PY4YxMHIzQyCg29LOoGfo79Zw=
-k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g=
-k8s.io/apiserver v0.17.2/go.mod h1:lBmw/TtQdtxvrTk0e2cgtOxHizXI+d0mmGQURIHQZlo=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a h1:REMzGxu+NpG9dPRsE9my/fw9iYIecz1S8UFFl6hbe18=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a/go.mod h1:qWnH3/b8sp/l7EvlDh7ulDU3UWA4P4N1NFbEEP791tM=
-k8s.io/cli-runtime v0.17.4 h1:ZIJdxpBEszZqUhydrCoiI5rLXS2J/1AF5xFok2QJ9bc=
-k8s.io/cli-runtime v0.17.4/go.mod h1:IVW4zrKKx/8gBgNNkhiUIc7nZbVVNhc1+HcQh+PiNHc=
-k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI=
-k8s.io/client-go v0.17.4 h1:VVdVbpTY70jiNHS1eiFkUt7ZIJX3txd29nDxxXH4en8=
-k8s.io/client-go v0.17.4/go.mod h1:ouF6o5pz3is8qU0/qYL2RnoxOPqgfuidYLowytyLJmc=
 k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible h1:bK03DJulJi9j05gwnXUufcs2j7h4M85YFvJ0dIlQ9k4=
 k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
-k8s.io/code-generator v0.0.0-20200306081859-6a048a382944/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc=
-k8s.io/component-base v0.0.0-20190612130303-4062e14deebe/go.mod h1:MmIDXnint3qMN0cqXHKrSiJ2XQKo3J1BPIz7in7NvO0=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a h1:UcxjrRMyNx/i/y8G7kPvLyy7rfbeuf1PYyBf973pgyU=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
-k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c h1:/KUFqjjqAcY4Us6luF5RDNZ16KJtb49HfR3ZHB9qYXM=
-k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
-k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
-k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20200109141947-94aeca20bf09 h1:sz6xjn8QP74104YNmJpzLbJ+a3ZtHt0tkD0g8vpdWNw=
 k8s.io/utils v0.0.0-20200109141947-94aeca20bf09/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-sigs.k8s.io/controller-runtime v0.5.0 h1:CbqIy5fbUX+4E9bpnBFd204YAzRYlM9SWW77BbrcDQo=
-sigs.k8s.io/controller-runtime v0.5.0/go.mod h1:REiJzC7Y00U+2YkMbT8wxgrsX5USpXKGhb2sCtAXiT8=
 sigs.k8s.io/kustomize v2.0.3+incompatible h1:JUufWFNlI44MdtnjUqVnvh29rR37PQFzPbLXqhyOyX0=
 sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
-sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18=
-sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
-sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
-sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/pkg/api/kyverno/v1/zz_generated.deepcopy.go b/pkg/api/kyverno/v1/zz_generated.deepcopy.go
index ff1a7c63e4..d4d7cc6820 100644
--- a/pkg/api/kyverno/v1/zz_generated.deepcopy.go
+++ b/pkg/api/kyverno/v1/zz_generated.deepcopy.go
@@ -74,7 +74,7 @@ func (in *ClusterPolicy) DeepCopyObject() runtime.Object {
 func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	out.ListMeta = in.ListMeta
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]ClusterPolicy, len(*in))
@@ -135,7 +135,7 @@ func (in *ClusterPolicyViolation) DeepCopyObject() runtime.Object {
 func (in *ClusterPolicyViolationList) DeepCopyInto(out *ClusterPolicyViolationList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	out.ListMeta = in.ListMeta
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]ClusterPolicyViolation, len(*in))
@@ -241,7 +241,7 @@ func (in *GenerateRequestContext) DeepCopy() *GenerateRequestContext {
 func (in *GenerateRequestList) DeepCopyInto(out *GenerateRequestList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	out.ListMeta = in.ListMeta
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]GenerateRequest, len(*in))
@@ -420,7 +420,7 @@ func (in *PolicyViolation) DeepCopyObject() runtime.Object {
 func (in *PolicyViolationList) DeepCopyInto(out *PolicyViolationList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	out.ListMeta = in.ListMeta
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]PolicyViolation, len(*in))
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
deleted file mode 100644
index 8f1ef24e1e..0000000000
--- a/pkg/auth/auth.go
+++ /dev/null
@@ -1,108 +0,0 @@
-package auth
-
-import (
-	"fmt"
-	"reflect"
-
-	"github.com/go-logr/logr"
-	client "github.com/nirmata/kyverno/pkg/dclient"
-	authorizationv1 "k8s.io/api/authorization/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-//CanIOptions provides utility ti check if user has authorization for the given operation
-type CanIOptions struct {
-	namespace string
-	verb      string
-	kind      string
-	client    *client.Client
-	log       logr.Logger
-}
-
-//NewCanI returns a new instance of operation access controler evaluator
-func NewCanI(client *client.Client, kind, namespace, verb string, log logr.Logger) *CanIOptions {
-	o := CanIOptions{
-		client: client,
-		log:    log,
-	}
-
-	o.namespace = namespace
-	o.kind = kind
-	o.verb = verb
-
-	return &o
-}
-
-//RunAccessCheck checks if the caller can perform the operation
-// - operation is a combination of namespace, kind, verb
-// - can only evaluate a single verb
-// - group version resource is determined from the kind using the discovery client REST mapper
-// - If disallowed, the reason and evaluationError is avialable in the logs
-// - each can generates a SelfSubjectAccessReview resource and response is evaluated for permissions
-func (o *CanIOptions) RunAccessCheck() (bool, error) {
-	// get GroupVersionResource from RESTMapper
-	// get GVR from kind
-	gvr := o.client.DiscoveryClient.GetGVRFromKind(o.kind)
-	if reflect.DeepEqual(gvr, schema.GroupVersionResource{}) {
-		// cannot find GVR
-		return false, fmt.Errorf("failed to get the Group Version Resource for kind %s", o.kind)
-	}
-
-	sar := &authorizationv1.SelfSubjectAccessReview{
-		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
-			ResourceAttributes: &authorizationv1.ResourceAttributes{
-				Namespace: o.namespace,
-				Verb:      o.verb,
-				Group:     gvr.Group,
-				Resource:  gvr.Resource,
-			},
-		},
-	}
-	// Set self subject access review
-	// - namespace
-	// - verb
-	// - resource
-	// - subresource
-	logger := o.log.WithValues("kind", sar.Kind, "namespace", sar.Namespace, "name", sar.Name)
-
-	// Create the Resource
-	resp, err := o.client.CreateResource("SelfSubjectAccessReview", "", sar, false)
-	if err != nil {
-		logger.Error(err, "failed to create resource")
-		return false, err
-	}
-
-	// status.allowed
-	allowed, ok, err := unstructured.NestedBool(resp.Object, "status", "allowed")
-	if !ok {
-		if err != nil {
-			logger.Error(err, "failed to get the field", "field", "status.allowed")
-		}
-		logger.Info("field not found", "field", "status.allowed")
-	}
-
-	if !allowed {
-		// status.reason
-		reason, ok, err := unstructured.NestedString(resp.Object, "status", "reason")
-		if !ok {
-			if err != nil {
-				logger.Error(err, "failed to get the field", "field", "status.reason")
-			}
-			logger.Info("field not found", "field", "status.reason")
-		}
-		// status.evaluationError
-		evaluationError, ok, err := unstructured.NestedString(resp.Object, "status", "evaludationError")
-		if !ok {
-			if err != nil {
-				logger.Error(err, "failed to get the field", "field", "status.evaluationError")
-			}
-			logger.Info("field not found", "field", "status.evaluationError")
-		}
-
-		// Reporting ? (just logs)
-		logger.Info("disallowed operation", "reason", reason, "evaluationError", evaluationError)
-	}
-
-	return allowed, nil
-}
diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
deleted file mode 100644
index 6dbc800285..0000000000
--- a/pkg/auth/auth_test.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package auth
-
-// import (
-// 	"testing"
-// 	"time"
-
-// 	"github.com/golang/glog"
-// 	"github.com/nirmata/kyverno/pkg/config"
-// 	dclient "github.com/nirmata/kyverno/pkg/dclient"
-// 	"github.com/nirmata/kyverno/pkg/signal"
-// )
-
-// func Test_Auth_pass(t *testing.T) {
-// 	// needs running cluster
-// 	var kubeconfig string
-// 	stopCh := signal.SetupSignalHandler()
-// 	kubeconfig = "/Users/shivd/.kube/config"
-// 	clientConfig, err := config.CreateClientConfig(kubeconfig)
-// 	if err != nil {
-// 		glog.Fatalf("Error building kubeconfig: %v\n", err)
-// 	}
-
-// 	// DYNAMIC CLIENT
-// 	// - client for all registered resources
-// 	// - invalidate local cache of registered resource every 10 seconds
-// 	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh)
-// 	if err != nil {
-// 		glog.Fatalf("Error creating client: %v\n", err)
-// 	}
-
-// 	// Can i authenticate
-
-// 	kind := "Deployment"
-// 	namespace := "default"
-// 	verb := "test"
-// 	canI := NewCanI(client, kind, namespace, verb)
-// 	ok, err := canI.RunAccessCheck()
-// 	if err != nil {
-// 		t.Error(err)
-// 	}
-// 	if ok {
-// 		t.Log("allowed")
-// 	} else {
-// 		t.Log("notallowed")
-// 	}
-// 	t.FailNow()
-
-// }
diff --git a/pkg/checker/checker.go b/pkg/checker/checker.go
index 16b8276d40..762776dffd 100644
--- a/pkg/checker/checker.go
+++ b/pkg/checker/checker.go
@@ -4,7 +4,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
@@ -20,9 +20,8 @@ const (
 
 // LastReqTime stores the lastrequest times for incoming api-requests
 type LastReqTime struct {
-	t   time.Time
-	mu  sync.RWMutex
-	log logr.Logger
+	t  time.Time
+	mu sync.RWMutex
 }
 
 //Time returns the lastrequest time
@@ -40,17 +39,16 @@ func (t *LastReqTime) SetTime(tm time.Time) {
 }
 
 //NewLastReqTime returns a new instance of LastRequestTime store
-func NewLastReqTime(log logr.Logger) *LastReqTime {
+func NewLastReqTime() *LastReqTime {
 	return &LastReqTime{
-		t:   time.Now(),
-		log: log,
+		t: time.Now(),
 	}
 }
 
-func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolicyLister, log logr.Logger) bool {
+func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolicyLister) bool {
 	policies, err := pLister.ListResources(labels.NewSelector())
 	if err != nil {
-		log.Error(err, "failed to list cluster policies")
+		glog.Error()
 	}
 	for _, policy := range policies {
 		if policy.HasMutateOrValidateOrGenerate() {
@@ -64,16 +62,15 @@ func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolic
 
 //Run runs the checker and verify the resource update
 func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen event.Interface, client *dclient.Client, defaultResync time.Duration, deadline time.Duration, stopCh <-chan struct{}) {
-	logger := t.log
-	logger.V(2).Info("tarting default resync for webhook checker", "resyncTime", defaultResync)
+	glog.V(2).Infof("starting default resync for webhook checker with resync time %d nanoseconds", defaultResync)
 	maxDeadline := deadline * time.Duration(MaxRetryCount)
 	ticker := time.NewTicker(defaultResync)
 	/// interface to update and increment kyverno webhook status via annotations
-	statuscontrol := NewVerifyControl(client, eventGen, logger.WithName("StatusControl"))
+	statuscontrol := NewVerifyControl(client, eventGen)
 	// send the initial update status
-	if checkIfPolicyWithMutateAndGenerateExists(pLister, logger) {
+	if checkIfPolicyWithMutateAndGenerateExists(pLister) {
 		if err := statuscontrol.SuccessStatus(); err != nil {
-			logger.Error(err, "failed to set 'success' status")
+			glog.Error(err)
 		}
 	}
 
@@ -87,36 +84,36 @@ func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen ev
 		case <-ticker.C:
 			// if there are no policies then we dont have a webhook on resource.
 			// we indirectly check if the resource
-			if !checkIfPolicyWithMutateAndGenerateExists(pLister, logger) {
+			if !checkIfPolicyWithMutateAndGenerateExists(pLister) {
 				continue
 			}
 			// get current time
 			timeDiff := time.Since(t.Time())
 			if timeDiff > maxDeadline {
-				logger.Info("request exceeded max deadline", "deadline", maxDeadline)
-				logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
+				glog.Infof("failed to receive any request for more than %v ", maxDeadline)
+				glog.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
 				// set the status unavailable
 				if err := statuscontrol.FailedStatus(); err != nil {
-					logger.Error(err, "failed to set 'failed' status")
+					glog.Error(err)
 				}
 				continue
 			}
 			if timeDiff > deadline {
-				logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
+				glog.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
 				// send request to update the kyverno deployment
 				if err := statuscontrol.IncrementAnnotation(); err != nil {
-					logger.Error(err, "failed to increment annotation")
+					glog.Error(err)
 				}
 				continue
 			}
 			// if the status was false before then we update it to true
 			// send request to update the kyverno deployment
 			if err := statuscontrol.SuccessStatus(); err != nil {
-				logger.Error(err, "failed to update success status")
+				glog.Error(err)
 			}
 		case <-stopCh:
 			// handler termination signal
-			logger.V(2).Info("stopping default resync for webhook checker")
+			glog.V(2).Infof("stopping default resync for webhook checker")
 			return
 		}
 	}
diff --git a/pkg/checker/status.go b/pkg/checker/status.go
index 110abf8eef..39b19189dd 100644
--- a/pkg/checker/status.go
+++ b/pkg/checker/status.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
 )
@@ -29,7 +29,6 @@ type StatusInterface interface {
 type StatusControl struct {
 	client   *dclient.Client
 	eventGen event.Interface
-	log      logr.Logger
 }
 
 //SuccessStatus ...
@@ -43,22 +42,20 @@ func (vc StatusControl) FailedStatus() error {
 }
 
 // NewVerifyControl ...
-func NewVerifyControl(client *dclient.Client, eventGen event.Interface, log logr.Logger) *StatusControl {
+func NewVerifyControl(client *dclient.Client, eventGen event.Interface) *StatusControl {
 	return &StatusControl{
 		client:   client,
 		eventGen: eventGen,
-		log:      log,
 	}
 }
 
 func (vc StatusControl) setStatus(status string) error {
-	logger := vc.log
-	logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s to %s", deployName, deployNamespace, annWebhookStats, status))
+	glog.Infof("setting deployment %s in ns %s annotation %s to %s", deployName, deployNamespace, annWebhookStats, status)
 	var ann map[string]string
 	var err error
 	deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName)
 	if err != nil {
-		logger.Error(err, "failed to get deployment resource")
+		glog.V(4).Infof("failed to get deployment %s in namespace %s: %v", deployName, deployNamespace, err)
 		return err
 	}
 	ann = deploy.GetAnnotations()
@@ -70,7 +67,7 @@ func (vc StatusControl) setStatus(status string) error {
 	if ok {
 		// annotatiaion is present
 		if webhookAction == status {
-			logger.V(4).Info(fmt.Sprintf("annotation %s already set to '%s'", annWebhookStats, status))
+			glog.V(4).Infof("annotation %s already set to '%s'", annWebhookStats, status)
 			return nil
 		}
 	}
@@ -80,7 +77,7 @@ func (vc StatusControl) setStatus(status string) error {
 	// update counter
 	_, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false)
 	if err != nil {
-		logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annWebhookStats, deployName, deployNamespace))
+		glog.V(4).Infof("failed to update annotation %s for deployment %s in namespace %s: %v", annWebhookStats, deployName, deployNamespace, err)
 		return err
 	}
 	// create event on kyverno deployment
@@ -100,13 +97,12 @@ func createStatusUpdateEvent(status string, eventGen event.Interface) {
 
 //IncrementAnnotation ...
 func (vc StatusControl) IncrementAnnotation() error {
-	logger := vc.log
-	logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s", deployName, deployNamespace, annCounter))
+	glog.Infof("setting deployment %s in ns %s annotation %s", deployName, deployNamespace, annCounter)
 	var ann map[string]string
 	var err error
 	deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName)
 	if err != nil {
-		logger.Error(err, "failed to get deployment %s in namespace %s", deployName, deployNamespace)
+		glog.V(4).Infof("failed to get deployment %s in namespace %s: %v", deployName, deployNamespace, err)
 		return err
 	}
 	ann = deploy.GetAnnotations()
@@ -116,18 +112,18 @@ func (vc StatusControl) IncrementAnnotation() error {
 	}
 	counter, err := strconv.Atoi(ann[annCounter])
 	if err != nil {
-		logger.Error(err, "Failed to parse string")
+		glog.V(4).Infof("failed to parse string: %v", err)
 		return err
 	}
 	// increment counter
 	counter++
 	ann[annCounter] = strconv.Itoa(counter)
-	logger.Info("incrementing annotation", "old", annCounter, "new", counter)
+	glog.Infof("incrementing annotation %s counter to %d", annCounter, counter)
 	deploy.SetAnnotations(ann)
 	// update counter
 	_, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false)
 	if err != nil {
-		logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annCounter, deployName, deployNamespace))
+		glog.V(4).Infof("failed to update annotation %s for deployment %s in namespace %s: %v", annCounter, deployName, deployNamespace, err)
 		return err
 	}
 	return nil
diff --git a/pkg/client/clientset/versioned/clientset.go b/pkg/client/clientset/versioned/clientset.go
index 8aa7b0e529..5fbce444ff 100644
--- a/pkg/client/clientset/versioned/clientset.go
+++ b/pkg/client/clientset/versioned/clientset.go
@@ -19,8 +19,6 @@ limitations under the License.
 package versioned
 
 import (
-	"fmt"
-
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
@@ -53,14 +51,9 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 }
 
 // NewForConfig creates a new Clientset for the given config.
-// If config's RateLimiter is not set and QPS and Burst are acceptable,
-// NewForConfig will generate a rate-limiter in configShallowCopy.
 func NewForConfig(c *rest.Config) (*Clientset, error) {
 	configShallowCopy := *c
 	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
-		if configShallowCopy.Burst <= 0 {
-			return nil, fmt.Errorf("Burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0")
-		}
 		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
 	}
 	var cs Clientset
diff --git a/pkg/client/clientset/versioned/fake/clientset_generated.go b/pkg/client/clientset/versioned/fake/clientset_generated.go
index c3264dcb64..215b1d997a 100644
--- a/pkg/client/clientset/versioned/fake/clientset_generated.go
+++ b/pkg/client/clientset/versioned/fake/clientset_generated.go
@@ -41,7 +41,7 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 		}
 	}
 
-	cs := &Clientset{tracker: o}
+	cs := &Clientset{}
 	cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake}
 	cs.AddReactor("*", "*", testing.ObjectReaction(o))
 	cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
@@ -63,17 +63,12 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 type Clientset struct {
 	testing.Fake
 	discovery *fakediscovery.FakeDiscovery
-	tracker   testing.ObjectTracker
 }
 
 func (c *Clientset) Discovery() discovery.DiscoveryInterface {
 	return c.discovery
 }
 
-func (c *Clientset) Tracker() testing.ObjectTracker {
-	return c.tracker
-}
-
 var _ clientset.Interface = &Clientset{}
 
 // KyvernoV1 retrieves the KyvernoV1Client
diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go
index 482e66ffc7..4a90cf5ba8 100644
--- a/pkg/client/clientset/versioned/fake/register.go
+++ b/pkg/client/clientset/versioned/fake/register.go
@@ -29,8 +29,7 @@ import (
 
 var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
-
-// var parameterCodec = runtime.NewParameterCodec(scheme)
+var parameterCodec = runtime.NewParameterCodec(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
 	kyvernov1.AddToScheme,
 }
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go b/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go
index 8c1b5a0ea8..54d8944680 100644
--- a/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go
+++ b/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go
@@ -21,6 +21,7 @@ package v1
 import (
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
 	rest "k8s.io/client-go/rest"
 )
 
@@ -85,7 +86,7 @@ func setConfigDefaults(config *rest.Config) error {
 	gv := v1.SchemeGroupVersion
 	config.GroupVersion = &gv
 	config.APIPath = "/apis"
-	config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
 
 	if config.UserAgent == "" {
 		config.UserAgent = rest.DefaultKubernetesUserAgent()
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 2d6ccdcb68..241728a2c7 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -1,7 +1,9 @@
 package config
 
 import (
-	"github.com/go-logr/logr"
+	"flag"
+
+	"github.com/golang/glog"
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
 )
@@ -72,13 +74,29 @@ var (
 	VerifyMutatingWebhookServicePath = "/verifymutate"
 )
 
+//LogDefaultFlags sets default glog flags
+func LogDefaultFlags() {
+	var err error
+	err = flag.Set("logtostderr", "true")
+	if err != nil {
+		glog.Fatalf("failed to set flag 'logtostderr' to 'true':%v", err)
+	}
+	err = flag.Set("stderrthreshold", "WARNING")
+	if err != nil {
+		glog.Fatalf("failed to set flag 'stderrthreshold' to 'WARNING':%v", err)
+	}
+	flag.Set("v", "2")
+	if err != nil {
+		glog.Fatalf("failed to set flag 'v' to '2':%v", err)
+	}
+}
+
 //CreateClientConfig creates client config
-func CreateClientConfig(kubeconfig string, log logr.Logger) (*rest.Config, error) {
-	logger := log.WithName("CreateClientConfig")
+func CreateClientConfig(kubeconfig string) (*rest.Config, error) {
 	if kubeconfig == "" {
-		logger.Info("Using in-cluster configuration")
+		glog.Info("Using in-cluster configuration")
 		return rest.InClusterConfig()
 	}
-	logger.V(4).Info("Using specified kubeconfig", "kubeconfig", kubeconfig)
+	glog.V(4).Infof("Using configuration from '%s'", kubeconfig)
 	return clientcmd.BuildConfigFromFlags("", kubeconfig)
 }
diff --git a/pkg/config/dynamicconfig.go b/pkg/config/dynamicconfig.go
index 1787f67bd9..6bf624e7bb 100644
--- a/pkg/config/dynamicconfig.go
+++ b/pkg/config/dynamicconfig.go
@@ -1,13 +1,14 @@
 package config
 
 import (
+	"fmt"
 	"os"
 	"reflect"
 	"regexp"
 	"strings"
 	"sync"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/minio/minio/pkg/wildcard"
 	v1 "k8s.io/api/core/v1"
 	informers "k8s.io/client-go/informers/core/v1"
@@ -30,7 +31,6 @@ type ConfigData struct {
 	filters []k8Resource
 	// hasynced
 	cmSycned cache.InformerSynced
-	log      logr.Logger
 }
 
 // ToFilter checks if the given resource is set to be filtered in the configuration
@@ -51,21 +51,20 @@ type Interface interface {
 }
 
 // NewConfigData ...
-func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8Resources string, log logr.Logger) *ConfigData {
+func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8Resources string) *ConfigData {
 	// environment var is read at start only
 	if cmNameEnv == "" {
-		log.Info("ConfigMap name not defined in env:INIT_CONFIG: loading no default configuration")
+		glog.Info("ConfigMap name not defined in env:INIT_CONFIG: loading no default configuration")
 	}
 	cd := ConfigData{
 		client:   rclient,
 		cmName:   os.Getenv(cmNameEnv),
 		cmSycned: cmInformer.Informer().HasSynced,
-		log:      log,
 	}
 	//TODO: this has been added to backward support command line arguments
 	// will be removed in future and the configuration will be set only via configmaps
 	if filterK8Resources != "" {
-		cd.log.Info("init configuration from commandline arguments")
+		glog.Info("Init configuration from commandline arguments")
 		cd.initFilters(filterK8Resources)
 	}
 
@@ -79,10 +78,9 @@ func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapI
 
 //Run checks syncing
 func (cd *ConfigData) Run(stopCh <-chan struct{}) {
-	logger := cd.log
 	// wait for cache to populate first time
 	if !cache.WaitForCacheSync(stopCh, cd.cmSycned) {
-		logger.Info("configuration: failed to sync informer cache")
+		glog.Error("configuration: failed to sync informer cache")
 	}
 }
 
@@ -105,17 +103,16 @@ func (cd *ConfigData) updateCM(old, cur interface{}) {
 }
 
 func (cd *ConfigData) deleteCM(obj interface{}) {
-	logger := cd.log
 	cm, ok := obj.(*v1.ConfigMap)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			logger.Info("failed to get object from tombstone")
+			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
 			return
 		}
 		_, ok = tombstone.Obj.(*v1.ConfigMap)
 		if !ok {
-			logger.Info("Tombstone contained object that is not a ConfigMap", "object", obj)
+			glog.Info(fmt.Errorf("Tombstone contained object that is not a ConfigMap %#v", obj))
 			return
 		}
 	}
@@ -128,20 +125,19 @@ func (cd *ConfigData) deleteCM(obj interface{}) {
 }
 
 func (cd *ConfigData) load(cm v1.ConfigMap) {
-	logger := cd.log.WithValues("name", cm.Name, "namespace", cm.Namespace)
 	if cm.Data == nil {
-		logger.V(4).Info("configuration: No data defined in ConfigMap")
+		glog.V(4).Infof("Configuration: No data defined in ConfigMap %s", cm.Name)
 		return
 	}
 	// get resource filters
 	filters, ok := cm.Data["resourceFilters"]
 	if !ok {
-		logger.V(4).Info("configuration: No resourceFilters defined in ConfigMap")
+		glog.V(4).Infof("Configuration: No resourceFilters defined in ConfigMap %s", cm.Name)
 		return
 	}
 	// filters is a string
 	if filters == "" {
-		logger.V(4).Info("configuration: resourceFilters is empty in ConfigMap")
+		glog.V(4).Infof("Configuration: resourceFilters is empty in ConfigMap %s", cm.Name)
 		return
 	}
 	// parse and load the configuration
@@ -150,10 +146,11 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 
 	newFilters := parseKinds(filters)
 	if reflect.DeepEqual(newFilters, cd.filters) {
-		logger.V(4).Info("resourceFilters did not change")
+		glog.V(4).Infof("Configuration: resourceFilters did not change in ConfigMap %s", cm.Name)
 		return
 	}
-	logger.V(4).Info(" Updated resource filters", "oldFilters", cd.filters, "newFilters", newFilters)
+	glog.V(4).Infof("Configuration: Old resource filters %v", cd.filters)
+	glog.Infof("Configuration: New resource filters to %v", newFilters)
 	// update filters
 	cd.filters = newFilters
 }
@@ -161,20 +158,20 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 //TODO: this has been added to backward support command line arguments
 // will be removed in future and the configuration will be set only via configmaps
 func (cd *ConfigData) initFilters(filters string) {
-	logger := cd.log
 	// parse and load the configuration
 	cd.mux.Lock()
 	defer cd.mux.Unlock()
 
 	newFilters := parseKinds(filters)
-	logger.Info("Init resource filters", "filters", newFilters)
+	glog.Infof("Configuration: Init resource filters to %v", newFilters)
 	// update filters
 	cd.filters = newFilters
 }
 
 func (cd *ConfigData) unload(cm v1.ConfigMap) {
-	logger := cd.log
-	logger.Info("ConfigMap deleted, removing configuration filters", "name", cm.Name, "namespace", cm.Namespace)
+	// TODO pick one msg
+	glog.Infof("Configuration: ConfigMap %s deleted, removing configuration filters", cm.Name)
+	glog.Infof("Configuration: Removing all resource filters as ConfigMap %s deleted", cm.Name)
 	cd.mux.Lock()
 	defer cd.mux.Unlock()
 	cd.filters = []k8Resource{}
diff --git a/pkg/dclient/certificates.go b/pkg/dclient/certificates.go
index 125dc7cec3..76b3cda819 100644
--- a/pkg/dclient/certificates.go
+++ b/pkg/dclient/certificates.go
@@ -6,6 +6,7 @@ import (
 	"net/url"
 	"time"
 
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	tls "github.com/nirmata/kyverno/pkg/tls"
 	certificates "k8s.io/api/certificates/v1beta1"
@@ -18,14 +19,13 @@ import (
 // Created pair is stored in cluster's secret.
 // Returns struct with key/certificate pair.
 func (c *Client) InitTLSPemPair(configuration *rest.Config, fqdncn bool) (*tls.TlsPemPair, error) {
-	logger := c.log
 	certProps, err := c.GetTLSCertProps(configuration)
 	if err != nil {
 		return nil, err
 	}
 	tlsPair := c.ReadTlsPair(certProps)
 	if tls.IsTLSPairShouldBeUpdated(tlsPair) {
-		logger.Info("Generating new key/certificate pair for TLS")
+		glog.Info("Generating new key/certificate pair for TLS")
 		tlsPair, err = c.generateTLSPemPair(certProps, fqdncn)
 		if err != nil {
 			return nil, err
@@ -35,7 +35,8 @@ func (c *Client) InitTLSPemPair(configuration *rest.Config, fqdncn bool) (*tls.T
 		}
 		return tlsPair, nil
 	}
-	logger.Info("Using existing TLS key/certificate pair")
+
+	glog.Infoln("Using existing TLS key/certificate pair")
 	return tlsPair, nil
 }
 
@@ -70,7 +71,6 @@ func (c *Client) generateTLSPemPair(props tls.TlsCertificateProps, fqdncn bool)
 
 // Submits and approves certificate request, returns request which need to be fetched
 func (c *Client) submitAndApproveCertificateRequest(req *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) {
-	logger := c.log.WithName("submitAndApproveCertificateRequest")
 	certClient, err := c.GetCSRInterface()
 	if err != nil {
 		return nil, err
@@ -86,7 +86,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
 			if err != nil {
 				return nil, fmt.Errorf("Unable to delete existing certificate request: %v", err)
 			}
-			logger.Info("Old certificate request is deleted")
+			glog.Info("Old certificate request is deleted")
 			break
 		}
 	}
@@ -95,7 +95,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
 	if err != nil {
 		return nil, err
 	}
-	logger.Info("Certificate request created", "name", unstrRes.GetName())
+	glog.Infof("Certificate request %s is created", unstrRes.GetName())
 
 	res, err := convertToCSR(unstrRes)
 	if err != nil {
@@ -110,7 +110,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
 	if err != nil {
 		return nil, fmt.Errorf("Unable to approve certificate request: %v", err)
 	}
-	logger.Info("Certificate request is approved", "name", res.ObjectMeta.Name)
+	glog.Infof("Certificate request %s is approved", res.ObjectMeta.Name)
 
 	return res, nil
 }
@@ -144,10 +144,9 @@ func (c *Client) fetchCertificateFromRequest(req *certificates.CertificateSignin
 
 //ReadRootCASecret returns the RootCA from the pre-defined secret
 func (c *Client) ReadRootCASecret() (result []byte) {
-	logger := c.log.WithName("ReadRootCASecret")
 	certProps, err := c.GetTLSCertProps(c.clientConfig)
 	if err != nil {
-		logger.Error(err, "failed to get TLS Cert Properties")
+		glog.Error(err)
 		return result
 	}
 	sname := generateRootCASecretName(certProps)
@@ -157,16 +156,16 @@ func (c *Client) ReadRootCASecret() (result []byte) {
 	}
 	tlsca, err := convertToSecret(stlsca)
 	if err != nil {
-		logger.Error(err, "failed to convert secret", "name", sname, "namespace", certProps.Namespace)
+		glog.Error(err)
 		return result
 	}
 
 	result = tlsca.Data[rootCAKey]
 	if len(result) == 0 {
-		logger.Info("root CA certificate not found in secret", "name", tlsca.Name, "namespace", certProps.Namespace)
+		glog.Warningf("root CA certificate not found in secret %s/%s", certProps.Namespace, tlsca.Name)
 		return result
 	}
-	logger.V(4).Info("using CA bundle defined in secret to validate the webhook's server certificate", "name", tlsca.Name, "namespace", certProps.Namespace)
+	glog.V(4).Infof("using CA bundle defined in secret %s/%s to validate the webhook's server certificate", certProps.Namespace, tlsca.Name)
 	return result
 }
 
@@ -175,11 +174,10 @@ const rootCAKey string = "rootCA.crt"
 
 //ReadTlsPair Reads the pair of TLS certificate and key from the specified secret.
 func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
-	logger := c.log.WithName("ReadTlsPair")
 	sname := generateTLSPairSecretName(props)
 	unstrSecret, err := c.GetResource(Secrets, props.Namespace, sname)
 	if err != nil {
-		logger.Error(err, "Failed to get secret", "name", sname, "namespace", props.Namespace)
+		glog.Warningf("Unable to get secret %s/%s: %s", props.Namespace, sname, err)
 		return nil
 	}
 
@@ -190,7 +188,7 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
 		sname := generateRootCASecretName(props)
 		_, err := c.GetResource(Secrets, props.Namespace, sname)
 		if err != nil {
-			logger.Error(err, "Root CA secret is required while using self-signed certificates TLS pair, defaulting to generating new TLS pair", "name", sname, "namespace", props.Namespace)
+			glog.Errorf("Root CA secret %s/%s is required while using self-signed certificates TLS pair, defaulting to generating new TLS pair", props.Namespace, sname)
 			return nil
 		}
 	}
@@ -203,11 +201,11 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
 		PrivateKey:  secret.Data[v1.TLSPrivateKeyKey],
 	}
 	if len(pemPair.Certificate) == 0 {
-		logger.Info("TLS Certificate not found in secret", "name", sname, "namespace", props.Namespace)
+		glog.Warningf("TLS Certificate not found in secret %s/%s", props.Namespace, sname)
 		return nil
 	}
 	if len(pemPair.PrivateKey) == 0 {
-		logger.Info("TLS PrivateKey not found in secret", "name", sname, "namespace", props.Namespace)
+		glog.Warningf("TLS PrivateKey not found in secret %s/%s", props.Namespace, sname)
 		return nil
 	}
 	return &pemPair
@@ -216,7 +214,6 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
 //WriteTlsPair Writes the pair of TLS certificate and key to the specified secret.
 // Updates existing secret or creates new one.
 func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPemPair) error {
-	logger := c.log.WithName("WriteTlsPair")
 	name := generateTLSPairSecretName(props)
 	_, err := c.GetResource(Secrets, props.Namespace, name)
 	if err != nil {
@@ -238,7 +235,7 @@ func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPem
 
 		_, err := c.CreateResource(Secrets, props.Namespace, secret, false)
 		if err == nil {
-			logger.Info("secret created", "name", name, "namespace", props.Namespace)
+			glog.Infof("Secret %s is created", name)
 		}
 		return err
 	}
@@ -254,7 +251,7 @@ func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPem
 	if err != nil {
 		return err
 	}
-	logger.Info("secret updated", "name", name, "namespace", props.Namespace)
+	glog.Infof("Secret %s is updated", name)
 	return nil
 }
 
diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go
index 557059bc15..6cacaeaf9a 100644
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@@ -5,8 +5,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/go-logr/logr"
 	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
+
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	apps "k8s.io/api/apps/v1"
 	certificates "k8s.io/api/certificates/v1beta1"
@@ -31,15 +32,13 @@ import (
 //Client enables interaction with k8 resource
 type Client struct {
 	client          dynamic.Interface
-	log             logr.Logger
 	clientConfig    *rest.Config
 	kclient         kubernetes.Interface
 	DiscoveryClient IDiscovery
 }
 
 //NewClient creates new instance of client
-func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}, log logr.Logger) (*Client, error) {
-
+func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}) (*Client, error) {
 	dclient, err := dynamic.NewForConfig(config)
 	if err != nil {
 		return nil, err
@@ -52,10 +51,9 @@ func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}
 		client:       dclient,
 		clientConfig: config,
 		kclient:      kclient,
-		log:          log.WithName("Client"),
 	}
 	// Set discovery client
-	discoveryClient := ServerPreferredResources{cachedClient: memory.NewMemCacheClient(kclient.Discovery()), log: client.log}
+	discoveryClient := ServerPreferredResources{memory.NewMemCacheClient(kclient.Discovery())}
 	// client will invalidate registered resources cache every x seconds,
 	// As there is no way to identify if the registered resource is available or not
 	// we will be invalidating the local cache, so the next request get a fresh cache
@@ -191,6 +189,7 @@ func (c *Client) UpdateStatusResource(kind string, namespace string, obj interfa
 func convertToUnstructured(obj interface{}) *unstructured.Unstructured {
 	unstructuredObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&obj)
 	if err != nil {
+		glog.Errorf("Unable to convert : %v", err)
 		return nil
 	}
 	return &unstructured.Unstructured{Object: unstructuredObj}
@@ -229,24 +228,22 @@ func (c *Client) SetDiscovery(discoveryClient IDiscovery) {
 //ServerPreferredResources stores the cachedClient instance for discovery client
 type ServerPreferredResources struct {
 	cachedClient discovery.CachedDiscoveryInterface
-	log          logr.Logger
 }
 
 //Poll will keep invalidate the local cache
 func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struct{}) {
-	logger := c.log.WithName("Poll")
 	// start a ticker
 	ticker := time.NewTicker(resync)
 	defer func() { ticker.Stop() }()
-	logger.Info("starting registered resources sync", "period", resync)
+	glog.Infof("Starting registered resources sync: every %d seconds", resync)
 	for {
 		select {
 		case <-stopCh:
-			logger.Info("stopping registered resources sync")
+			glog.Info("Stopping registered resources sync")
 			return
 		case <-ticker.C:
 			// set cache as stale
-			logger.V(6).Info("invalidating local client cache for registered resources")
+			glog.V(6).Info("invalidating local client cache for registered resources")
 			c.cachedClient.Invalidate()
 		}
 	}
@@ -264,12 +261,12 @@ func (c ServerPreferredResources) OpenAPISchema() (*openapi_v2.Document, error)
 func (c ServerPreferredResources) GetGVRFromKind(kind string) schema.GroupVersionResource {
 	var gvr schema.GroupVersionResource
 	var err error
-	gvr, err = loadServerResources(kind, c.cachedClient, c.log)
+	gvr, err = loadServerResources(kind, c.cachedClient)
 	if err != nil && !c.cachedClient.Fresh() {
 
 		// invalidate cahce & re-try once more
 		c.cachedClient.Invalidate()
-		gvr, err = loadServerResources(kind, c.cachedClient, c.log)
+		gvr, err = loadServerResources(kind, c.cachedClient)
 		if err == nil {
 			return gvr
 		}
@@ -282,12 +279,11 @@ func (c ServerPreferredResources) GetServerVersion() (*version.Info, error) {
 	return c.cachedClient.ServerVersion()
 }
 
-func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface, log logr.Logger) (schema.GroupVersionResource, error) {
-	logger := log.WithName("loadServerResources")
-	emptyGVR := schema.GroupVersionResource{}
+func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface) (schema.GroupVersionResource, error) {
 	serverresources, err := cdi.ServerPreferredResources()
+	emptyGVR := schema.GroupVersionResource{}
 	if err != nil {
-		logger.Error(err, "failed to get registered preferred resources")
+		glog.Error(err)
 		return emptyGVR, err
 	}
 	for _, serverresource := range serverresources {
@@ -297,7 +293,7 @@ func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface, log l
 			if resource.Kind == k && !strings.Contains(resource.Name, "/") {
 				gv, err := schema.ParseGroupVersion(serverresource.GroupVersion)
 				if err != nil {
-					logger.Error(err, "failed to parse groupVersion from schema", "groupVersion", serverresource.GroupVersion)
+					glog.Error(err)
 					return emptyGVR, err
 				}
 				return gv.WithResource(resource.Name), nil
diff --git a/pkg/engine/anchor/anchor.go b/pkg/engine/anchor/anchor.go
index 9dccab3577..2d81a068ec 100644
--- a/pkg/engine/anchor/anchor.go
+++ b/pkg/engine/anchor/anchor.go
@@ -4,8 +4,7 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/go-logr/logr"
-	"sigs.k8s.io/controller-runtime/pkg/log"
+	"github.com/golang/glog"
 )
 
 //ValidationHandler for element processes
@@ -13,7 +12,7 @@ type ValidationHandler interface {
 	Handle(handler resourceElementHandler, resourceMap map[string]interface{}, originPattern interface{}) (string, error)
 }
 
-type resourceElementHandler = func(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string) (string, error)
+type resourceElementHandler = func(resourceElement, patternElement, originPattern interface{}, path string) (string, error)
 
 //CreateElementHandler factory to process elements
 func CreateElementHandler(element string, pattern interface{}, path string) ValidationHandler {
@@ -83,7 +82,7 @@ func (eh EqualityHandler) Handle(handler resourceElementHandler, resourceMap map
 	// check if anchor is present in resource
 	if value, ok := resourceMap[anchorKey]; ok {
 		// validate the values of the pattern
-		returnPath, err := handler(log.Log, value, eh.pattern, originPattern, currentPath)
+		returnPath, err := handler(value, eh.pattern, originPattern, currentPath)
 		if err != nil {
 			return returnPath, err
 		}
@@ -116,7 +115,7 @@ func (dh DefaultHandler) Handle(handler resourceElementHandler, resourceMap map[
 	} else if dh.pattern == "*" && resourceMap[dh.element] == nil {
 		return dh.path, fmt.Errorf("Validation rule failed at %s, Field %s is not present", dh.path, dh.element)
 	} else {
-		path, err := handler(log.Log, resourceMap[dh.element], dh.pattern, originPattern, currentPath)
+		path, err := handler(resourceMap[dh.element], dh.pattern, originPattern, currentPath)
 		if err != nil {
 			return path, err
 		}
@@ -147,7 +146,7 @@ func (ch ConditionAnchorHandler) Handle(handler resourceElementHandler, resource
 	// check if anchor is present in resource
 	if value, ok := resourceMap[anchorKey]; ok {
 		// validate the values of the pattern
-		returnPath, err := handler(log.Log, value, ch.pattern, originPattern, currentPath)
+		returnPath, err := handler(value, ch.pattern, originPattern, currentPath)
 		if err != nil {
 			return returnPath, err
 		}
@@ -195,6 +194,7 @@ func (eh ExistenceHandler) Handle(handler resourceElementHandler, resourceMap ma
 			}
 			return validateExistenceListResource(handler, typedResource, typedPatternMap, originPattern, currentPath)
 		default:
+			glog.Error("Invalid type: Existence ^ () anchor can be used only on list/array type resource")
 			return currentPath, fmt.Errorf("Invalid resource type %T: Existence ^ () anchor can be used only on list/array type resource", value)
 		}
 	}
@@ -206,9 +206,10 @@ func validateExistenceListResource(handler resourceElementHandler, resourceList
 	// if non satisfy then throw an error
 	for i, resourceElement := range resourceList {
 		currentPath := path + strconv.Itoa(i) + "/"
-		_, err := handler(log.Log, resourceElement, patternMap, originPattern, currentPath)
+		_, err := handler(resourceElement, patternMap, originPattern, currentPath)
 		if err == nil {
 			// condition is satisfied, dont check further
+			glog.V(4).Infof("Existence check satisfied at path %s, for pattern %v", currentPath, patternMap)
 			return "", nil
 		}
 	}
diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index 163e81fef0..05805a0a91 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -6,9 +6,8 @@ import (
 	"sync"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //Interface to manage context operations
@@ -34,7 +33,6 @@ type Context struct {
 	mu            sync.RWMutex
 	jsonRaw       []byte
 	whiteListVars []string
-	log           logr.Logger
 }
 
 //NewContext returns a new context
@@ -44,7 +42,6 @@ func NewContext(whiteListVars ...string) *Context {
 		// data:    map[string]interface{}{},
 		jsonRaw:       []byte(`{}`), // empty json struct
 		whiteListVars: whiteListVars,
-		log:           log.Log.WithName("context"),
 	}
 	return &ctx
 }
@@ -57,7 +54,7 @@ func (ctx *Context) AddJSON(dataRaw []byte) error {
 	// merge json
 	ctx.jsonRaw, err = jsonpatch.MergePatch(ctx.jsonRaw, dataRaw)
 	if err != nil {
-		ctx.log.Error(err, "failed to merge JSON data")
+		glog.V(4).Infof("failed to merge JSON data: %v", err)
 		return err
 	}
 	return nil
@@ -69,7 +66,7 @@ func (ctx *Context) AddResource(dataRaw []byte) error {
 	// unmarshall the resource struct
 	var data interface{}
 	if err := json.Unmarshal(dataRaw, &data); err != nil {
-		ctx.log.Error(err, "failed to unmarshall the resource")
+		glog.V(4).Infof("failed to unmarshall the context data: %v", err)
 		return err
 	}
 
@@ -85,7 +82,7 @@ func (ctx *Context) AddResource(dataRaw []byte) error {
 
 	objRaw, err := json.Marshal(modifiedResource)
 	if err != nil {
-		ctx.log.Error(err, "failed to marshal the resource")
+		glog.V(4).Infof("failed to marshall the updated context data")
 		return err
 	}
 	return ctx.AddJSON(objRaw)
@@ -101,7 +98,7 @@ func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error {
 
 	objRaw, err := json.Marshal(modifiedResource)
 	if err != nil {
-		ctx.log.Error(err, "failed to marshal the UserInfo")
+		glog.V(4).Infof("failed to marshall the updated context data")
 		return err
 	}
 	return ctx.AddJSON(objRaw)
@@ -121,6 +118,8 @@ func (ctx *Context) AddSA(userName string) error {
 	// filter namespace
 	groups := strings.Split(sa, ":")
 	if len(groups) >= 2 {
+		glog.V(4).Infof("serviceAccount namespace: %s", groups[0])
+		glog.V(4).Infof("serviceAccount name: %s", groups[1])
 		saName = groups[1]
 		saNamespace = groups[0]
 	}
@@ -132,7 +131,7 @@ func (ctx *Context) AddSA(userName string) error {
 	}
 	saNameRaw, err := json.Marshal(saNameObj)
 	if err != nil {
-		ctx.log.Error(err, "failed to marshal the SA")
+		glog.V(4).Infof("failed to marshall the updated context data")
 		return err
 	}
 	if err := ctx.AddJSON(saNameRaw); err != nil {
@@ -146,7 +145,7 @@ func (ctx *Context) AddSA(userName string) error {
 	}
 	saNsRaw, err := json.Marshal(saNsObj)
 	if err != nil {
-		ctx.log.Error(err, "failed to marshal the SA namespace")
+		glog.V(4).Infof("failed to marshall the updated context data")
 		return err
 	}
 	if err := ctx.AddJSON(saNsRaw); err != nil {
diff --git a/pkg/engine/context/evaluate.go b/pkg/engine/context/evaluate.go
index f15a8a1e17..78f9643497 100644
--- a/pkg/engine/context/evaluate.go
+++ b/pkg/engine/context/evaluate.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 
+	"github.com/golang/glog"
 	jmespath "github.com/jmespath/go-jmespath"
 )
 
@@ -18,7 +19,7 @@ func (ctx *Context) Query(query string) (interface{}, error) {
 	// compile the query
 	queryPath, err := jmespath.Compile(query)
 	if err != nil {
-		ctx.log.Error(err, "incorrect query", "query", query)
+		glog.V(4).Infof("incorrect query %s: %v", query, err)
 		return emptyResult, fmt.Errorf("incorrect query %s: %v", query, err)
 	}
 	// search
@@ -27,13 +28,13 @@ func (ctx *Context) Query(query string) (interface{}, error) {
 
 	var data interface{}
 	if err := json.Unmarshal(ctx.jsonRaw, &data); err != nil {
-		ctx.log.Error(err, "failed to unmarshal context")
+		glog.V(4).Infof("failed to unmarshall context: %v", err)
 		return emptyResult, fmt.Errorf("failed to unmarshall context: %v", err)
 	}
 
 	result, err := queryPath.Search(data)
 	if err != nil {
-		ctx.log.Error(err, "failed to search query", "query", query)
+		glog.V(4).Infof("failed to search query %s: %v", query, err)
 		return emptyResult, fmt.Errorf("failed to search query %s: %v", query, err)
 	}
 	return result, nil
diff --git a/pkg/engine/forceMutate.go b/pkg/engine/forceMutate.go
index 9453109742..14ba42c468 100644
--- a/pkg/engine/forceMutate.go
+++ b/pkg/engine/forceMutate.go
@@ -12,7 +12,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func mutateResourceWithOverlay(resource unstructured.Unstructured, overlay interface{}) (unstructured.Unstructured, error) {
@@ -58,7 +57,7 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour
 		if mutation.Overlay != nil {
 			overlay := mutation.Overlay
 			if ctx != nil {
-				if overlay, err = variables.SubstituteVars(log.Log, ctx, overlay); err != nil {
+				if overlay, err = variables.SubstituteVars(ctx, overlay); err != nil {
 					return unstructured.Unstructured{}, err
 				}
 			} else {
@@ -73,7 +72,7 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour
 
 		if rule.Mutation.Patches != nil {
 			var resp response.RuleResponse
-			resp, resource = mutate.ProcessPatches(log.Log, rule, resource)
+			resp, resource = mutate.ProcessPatches(rule, resource)
 			if !resp.Success {
 				return unstructured.Unstructured{}, fmt.Errorf(resp.Message)
 			}
diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go
index 552bbc3a4d..0f8cea1937 100644
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@@ -3,14 +3,12 @@ package engine
 import (
 	"time"
 
-	"github.com/go-logr/logr"
-
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // Generate checks for validity of generate rule on the resource
@@ -22,11 +20,10 @@ func Generate(policyContext PolicyContext) (resp response.EngineResponse) {
 	resource := policyContext.NewResource
 	admissionInfo := policyContext.AdmissionInfo
 	ctx := policyContext.Context
-	logger := log.Log.WithName("Generate").WithValues("policy", policy.Name, "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
-	return filterRules(policy, resource, admissionInfo, ctx, logger)
+	return filterRules(policy, resource, admissionInfo, ctx)
 }
 
-func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger) *response.RuleResponse {
+func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) *response.RuleResponse {
 	if !rule.HasGenerate() {
 		return nil
 	}
@@ -34,14 +31,15 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission
 	startTime := time.Now()
 
 	if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
+		glog.V(4).Infof(err.Error())
 		return nil
 	}
 	// operate on the copy of the conditions, as we perform variable substitution
 	copyConditions := copyConditions(rule.Conditions)
 
 	// evaluate pre-conditions
-	if !variables.EvaluateConditions(log, ctx, copyConditions) {
-		log.V(4).Info("preconditions not satisfied, skipping rule", "rule", rule.Name)
+	if !variables.EvaluateConditions(ctx, copyConditions) {
+		glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
 		return nil
 	}
 	// build rule Response
@@ -55,7 +53,7 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission
 	}
 }
 
-func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger) response.EngineResponse {
+func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) response.EngineResponse {
 	resp := response.EngineResponse{
 		PolicyResponse: response.PolicyResponse{
 			Policy: policy.Name,
@@ -68,7 +66,7 @@ func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	}
 
 	for _, rule := range policy.Spec.Rules {
-		if ruleResp := filterRule(rule, resource, admissionInfo, ctx, log); ruleResp != nil {
+		if ruleResp := filterRule(rule, resource, admissionInfo, ctx); ruleResp != nil {
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp)
 		}
 	}
diff --git a/pkg/engine/mutate/overlay.go b/pkg/engine/mutate/overlay.go
index 5e4982260e..3b76f30c74 100644
--- a/pkg/engine/mutate/overlay.go
+++ b/pkg/engine/mutate/overlay.go
@@ -10,53 +10,51 @@ import (
 	"strings"
 	"time"
 
+	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 )
 
 // ProcessOverlay processes mutation overlay on the resource
-func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
+func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
 	startTime := time.Now()
-	logger := log.WithValues("rule", ruleName)
-	logger.V(4).Info("started applying overlay rule ", "startTime", startTime)
+	glog.V(4).Infof("started applying overlay rule %q (%v)", ruleName, startTime)
 	resp.Name = ruleName
 	resp.Type = utils.Mutation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		logger.V(4).Info("finished applying overlay rule", "processingTime", resp.RuleStats.ProcessingTime)
+		glog.V(4).Infof("finished applying overlay rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
 	}()
 
-	patches, overlayerr := processOverlayPatches(logger, resource.UnstructuredContent(), overlay)
+	patches, overlayerr := processOverlayPatches(resource.UnstructuredContent(), overlay)
 	// resource does not satisfy the overlay pattern, we don't apply this rule
 	if !reflect.DeepEqual(overlayerr, overlayError{}) {
 		switch overlayerr.statusCode {
 		// condition key is not present in the resource, don't apply this rule
 		// consider as success
 		case conditionNotPresent:
-			logger.V(3).Info("skip applying rule")
+			glog.V(3).Infof("Skip applying rule '%s' on resource '%s/%s/%s': %s", ruleName, resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg())
 			resp.Success = true
 			return resp, resource
 		// conditions are not met, don't apply this rule
 		case conditionFailure:
-			logger.V(3).Info("skip applying rule")
+			glog.V(3).Infof("Skip applying rule '%s' on resource '%s/%s/%s': %s", ruleName, resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg())
 			//TODO: send zero response and not consider this as applied?
 			resp.Success = true
 			resp.Message = overlayerr.ErrorMsg()
 			return resp, resource
 		// rule application failed
 		case overlayFailure:
-			logger.Info("failed to process overlay")
+			glog.Errorf("Resource %s/%s/%s: failed to process overlay: %v in the rule %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg(), ruleName)
 			resp.Success = false
 			resp.Message = fmt.Sprintf("failed to process overlay: %v", overlayerr.ErrorMsg())
 			return resp, resource
 		default:
-			logger.Info("failed to process overlay")
+			glog.Errorf("Resource %s/%s/%s: Unknown type of error: %v", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.Error())
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Unknown type of error: %v", overlayerr.Error())
 			return resp, resource
@@ -72,7 +70,7 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
 		resp.Success = false
-		logger.Error(err, "failed to marshal resource")
+		glog.Infof("unable to marshall resource: %v", err)
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
 	}
@@ -81,7 +79,7 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou
 	patchResource, err = utils.ApplyPatches(resourceRaw, patches)
 	if err != nil {
 		msg := fmt.Sprintf("failed to apply JSON patches: %v", err)
-		logger.V(2).Info("applying patches", "patches", string(utils.JoinPatches(patches)))
+		glog.V(2).Infof("%s, patches=%s", msg, string(utils.JoinPatches(patches)))
 		resp.Success = false
 		resp.Message = msg
 		return resp, resource
@@ -89,7 +87,7 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou
 
 	err = patchedResource.UnmarshalJSON(patchResource)
 	if err != nil {
-		logger.Error(err, "failed to unmarshal resource")
+		glog.Infof("failed to unmarshall resource to undstructured: %v", err)
 		resp.Success = false
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
@@ -103,17 +101,17 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou
 	return resp, patchedResource
 }
 
-func processOverlayPatches(log logr.Logger, resource, overlay interface{}) ([][]byte, overlayError) {
-	if path, overlayerr := meetConditions(log, resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) {
+func processOverlayPatches(resource, overlay interface{}) ([][]byte, overlayError) {
+	if path, overlayerr := meetConditions(resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) {
 		switch overlayerr.statusCode {
 		// anchor key does not exist in the resource, skip applying policy
 		case conditionNotPresent:
-			log.V(4).Info("skip applying policy", "path", path, "error", overlayerr)
+			glog.V(4).Infof("Mutate rule: skip applying policy: %v at %s", overlayerr, path)
 			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Policy not applied, condition tag not present: %v at %s", overlayerr.ErrorMsg(), path))
 		// anchor key is not satisfied in the resource, skip applying policy
 		case conditionFailure:
 			// anchor key is not satisfied in the resource, skip applying policy
-			log.V(4).Info("failed to validate condition", "path", path, "error", overlayerr)
+			glog.V(4).Infof("Mutate rule: failed to validate condition at %s, err: %v", path, overlayerr)
 			return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Policy not applied, conditions are not met at %s, %v", path, overlayerr))
 		}
 	}
@@ -385,7 +383,7 @@ func prepareJSONValue(overlay interface{}) string {
 	overlayWithoutAnchors := removeAnchorFromSubTree(overlay)
 	jsonOverlay, err := json.Marshal(overlayWithoutAnchors)
 	if err != nil || hasOnlyAnchors(overlay) {
-		log.Log.Error(err, "failed to marshall withoutanchors or has only anchors")
+		glog.V(3).Info(err)
 		return ""
 	}
 
@@ -411,7 +409,7 @@ func removeAnchorFromSubTree(overlay interface{}) interface{} {
 }
 
 func removeAnchroFromMap(overlay map[string]interface{}) map[string]interface{} {
-	result := make(map[string]interface{})
+	result := make(map[string]interface{}, 0)
 	for k, v := range overlay {
 		result[getRawKeyIfWrappedWithAttributes(k)] = removeAnchorFromSubTree(v)
 	}
diff --git a/pkg/engine/mutate/overlayCondition.go b/pkg/engine/mutate/overlayCondition.go
index 56b19de4e9..134cc23cc0 100755
--- a/pkg/engine/mutate/overlayCondition.go
+++ b/pkg/engine/mutate/overlayCondition.go
@@ -5,18 +5,17 @@ import (
 	"reflect"
 	"strconv"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/validate"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-func meetConditions(log logr.Logger, resource, overlay interface{}) (string, overlayError) {
-	return checkConditions(log, resource, overlay, "/")
+func meetConditions(resource, overlay interface{}) (string, overlayError) {
+	return checkConditions(resource, overlay, "/")
 }
 
 // resource and overlay should be the same type
-func checkConditions(log logr.Logger, resource, overlay interface{}, path string) (string, overlayError) {
+func checkConditions(resource, overlay interface{}, path string) (string, overlayError) {
 	// overlay has no anchor, return true
 	if !hasNestedAnchors(overlay) {
 		return "", overlayError{}
@@ -27,7 +26,7 @@ func checkConditions(log logr.Logger, resource, overlay interface{}, path string
 	// condition never be true in this case
 	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
 		if hasNestedAnchors(overlay) {
-			log.V(4).Info(fmt.Sprintf("Found anchor on different types of element at path %s: overlay %T, resource %T", path, overlay, resource))
+			glog.V(4).Infof("Found anchor on different types of element at path %s: overlay %T, resource %T", path, overlay, resource)
 			return path, newOverlayError(conditionFailure,
 				fmt.Sprintf("Found anchor on different types of element at path %s: overlay %T %v, resource %T %v", path, overlay, overlay, resource, resource))
 
@@ -45,7 +44,7 @@ func checkConditions(log logr.Logger, resource, overlay interface{}, path string
 	default:
 		// anchor on non map/array is invalid:
 		// - anchor defined on values
-		log.Info("Found invalid conditional anchor: anchor defined on values")
+		glog.Warningln("Found invalid conditional anchor: anchor defined on values")
 		return "", overlayError{}
 	}
 }
@@ -69,12 +68,12 @@ func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}, path st
 
 func checkConditionOnArray(resource, overlay []interface{}, path string) (string, overlayError) {
 	if 0 == len(overlay) {
-		log.Log.V(4).Info("Mutate overlay pattern is empty", "path", path)
+		glog.Infof("Mutate overlay pattern is empty, path %s", path)
 		return "", overlayError{}
 	}
 
 	if reflect.TypeOf(resource[0]) != reflect.TypeOf(overlay[0]) {
-		log.Log.V(4).Info(fmt.Sprintf("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0]))
+		glog.V(4).Infof("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0])
 		return path, newOverlayError(conditionFailure,
 			fmt.Sprintf("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0]))
 	}
@@ -112,7 +111,7 @@ func validateConditionAnchorMap(resourceMap, anchors map[string]interface{}, pat
 // resource - A: B2
 func compareOverlay(resource, overlay interface{}, path string) (string, overlayError) {
 	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
-		log.Log.V(4).Info("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)
+		glog.V(4).Infof("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)
 		return path, newOverlayError(conditionFailure, fmt.Sprintf("Found anchor on different types of element: overlay %T, resource %T", overlay, resource))
 	}
 
@@ -140,8 +139,8 @@ func compareOverlay(resource, overlay interface{}, path string) (string, overlay
 			}
 		}
 	case string, float64, int, int64, bool, nil:
-		if !validate.ValidateValueWithPattern(log.Log, resource, overlay) {
-			log.Log.V(4).Info(fmt.Sprintf("Mutate rule: failed validating value %v with overlay %v", resource, overlay))
+		if !validate.ValidateValueWithPattern(resource, overlay) {
+			glog.V(4).Infof("Mutate rule: failed validating value %v with overlay %v", resource, overlay)
 			return path, newOverlayError(conditionFailure, fmt.Sprintf("Failed validating value %v with overlay %v", resource, overlay))
 		}
 	default:
@@ -166,7 +165,7 @@ func validateNonAnchorOverlayMap(resourceMap, overlayWithoutAnchor map[string]in
 				continue
 			}
 		}
-		if newPath, err := checkConditions(log.Log, resourceValue, overlayValue, curPath); !reflect.DeepEqual(err, overlayError{}) {
+		if newPath, err := checkConditions(resourceValue, overlayValue, curPath); !reflect.DeepEqual(err, overlayError{}) {
 			return newPath, err
 		}
 	}
@@ -180,7 +179,7 @@ func checkConditionsOnArrayOfSameTypes(resource, overlay []interface{}, path str
 	default:
 		for i, overlayElement := range overlay {
 			curPath := path + strconv.Itoa(i) + "/"
-			path, err := checkConditions(log.Log, resource[i], overlayElement, curPath)
+			path, err := checkConditions(resource[i], overlayElement, curPath)
 			if !reflect.DeepEqual(err, overlayError{}) {
 				return path, err
 			}
diff --git a/pkg/engine/mutate/overlayCondition_test.go b/pkg/engine/mutate/overlayCondition_test.go
index 8da6eefee9..b898acfbcd 100644
--- a/pkg/engine/mutate/overlayCondition_test.go
+++ b/pkg/engine/mutate/overlayCondition_test.go
@@ -7,7 +7,6 @@ import (
 	"testing"
 
 	"gotest.tools/assert"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestMeetConditions_NoAnchor(t *testing.T) {
@@ -27,11 +26,9 @@ func TestMeetConditions_NoAnchor(t *testing.T) {
 	 }`)
 	var overlay interface{}
 
-	err := json.Unmarshal(overlayRaw, &overlay)
-	assert.Assert(t, reflect.DeepEqual(err, nil))
-
-	_, err = meetConditions(log.Log, nil, overlay)
+	json.Unmarshal(overlayRaw, &overlay)
 
+	_, err := meetConditions(nil, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -81,12 +78,10 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(log.Log, resource, overlay)
+	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, !reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`
@@ -104,10 +99,9 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
 	   ]
 	}`)
 
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	_, overlayerr := meetConditions(log.Log, resource, overlay)
+	_, overlayerr := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 }
 
@@ -142,14 +136,11 @@ func TestMeetConditions_DifferentTypes(t *testing.T) {
 	 }`)
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
 	// anchor exist
-
-	_, err = meetConditions(log.Log, resource, overlay)
+	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, strings.Contains(err.Error(), "Found anchor on different types of element at path /subsets/"))
 }
 
@@ -199,12 +190,10 @@ func TestMeetConditions_anchosInSameObject(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(log.Log, resource, overlay)
+	_, err := meetConditions(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value 443 with overlay 444")
 }
 
@@ -259,13 +248,10 @@ func TestMeetConditions_anchorOnPeer(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
-
-	_, err = meetConditions(log.Log, resource, overlay)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
+	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -339,13 +325,10 @@ func TestMeetConditions_anchorsOnMetaAndSpec(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
-
-	_, err = meetConditions(log.Log, resource, overlay)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
+	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -423,13 +406,10 @@ func TestMeetConditions_anchorsOnPeer_single(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRawAnchorOnPeers, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
-
-	_, err = meetConditions(log.Log, resource, overlay)
+	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
+	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -460,13 +440,10 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRawAnchorOnPeers, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
-
-	_, err = meetConditions(log.Log, resource, overlay)
+	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
+	_, err := meetConditions(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value true with overlay false")
 
 	overlayRaw = []byte(`{
@@ -493,10 +470,9 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 		}
 	 }`)
 
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(log.Log, resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -523,10 +499,9 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
 		}
 	 }`)
 
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(log.Log, resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 }
 
@@ -557,13 +532,10 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRawAnchorOnPeers, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
-
-	_, err = meetConditions(log.Log, resource, overlay)
+	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
+	_, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -590,10 +562,9 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 		}
 	 }`)
 
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(log.Log, resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 
 	overlayRaw = []byte(`{
@@ -620,10 +591,9 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
 		}
 	 }`)
 
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	_, err = meetConditions(log.Log, resource, overlay)
+	_, err = meetConditions(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Failed validating value ENV_VALUE with overlay ENV_VALUE1")
 }
 
@@ -679,13 +649,10 @@ func TestMeetConditions_AtleastOneExist(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
-
-	path, err := meetConditions(log.Log, resource, overlay)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
+	path, err := meetConditions(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(path) == 0)
 }
diff --git a/pkg/engine/mutate/overlay_test.go b/pkg/engine/mutate/overlay_test.go
index a7c8890039..8c062fe58d 100644
--- a/pkg/engine/mutate/overlay_test.go
+++ b/pkg/engine/mutate/overlay_test.go
@@ -8,7 +8,6 @@ import (
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"gotest.tools/assert"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func compareJSONAsMap(t *testing.T, expected, actual []byte) {
@@ -64,12 +63,10 @@ func TestProcessOverlayPatches_NestedListWithAnchor(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
+	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, patches != nil)
 
@@ -166,12 +163,10 @@ func TestProcessOverlayPatches_InsertIntoArray(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
+	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, patches != nil)
 
@@ -289,12 +284,10 @@ func TestProcessOverlayPatches_TestInsertToArray(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
+	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, patches != nil)
 
@@ -374,12 +367,10 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
+	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -465,10 +456,9 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 		}
 	}`)
 
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, err = processOverlayPatches(log.Log, resource, overlay)
+	patches, err = processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -502,10 +492,9 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) {
 		}
 	}`)
 
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, err = processOverlayPatches(log.Log, resource, overlay)
+	patches, err = processOverlayPatches(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /spec/template/metadata/labels/app/, [overlayError:0] Failed validating value nginx with overlay nginx1")
 	assert.Assert(t, len(patches) == 0)
 }
@@ -531,12 +520,10 @@ func TestProcessOverlayPatches_AddingAnchor(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
+	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -618,12 +605,10 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
+	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -699,10 +684,9 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) {
 		}
 	}`)
 
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, err = processOverlayPatches(log.Log, resource, overlay)
+	patches, err = processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(err, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -763,12 +747,10 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
+	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -823,10 +805,9 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) {
 	   ]
 	}`)
 
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, err = processOverlayPatches(log.Log, resource, overlay)
+	patches, err = processOverlayPatches(resource, overlay)
 	assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /subsets/0/ports/0/port/, [overlayError:0] Failed validating value 443 with overlay 444")
 	assert.Assert(t, len(patches) == 0)
 }
@@ -905,12 +886,10 @@ func TestProcessOverlayPatches_insertWithCondition(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
+	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
@@ -1018,12 +997,10 @@ func TestProcessOverlayPatches_InsertIfNotPresentWithConditions(t *testing.T) {
 
 	var resource, overlay interface{}
 
-	err := json.Unmarshal(resourceRaw, &resource)
-	assert.NilError(t, err)
-	err = json.Unmarshal(overlayRaw, &overlay)
-	assert.NilError(t, err)
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
 
-	patches, overlayerr := processOverlayPatches(log.Log, resource, overlay)
+	patches, overlayerr := processOverlayPatches(resource, overlay)
 	assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{}))
 	assert.Assert(t, len(patches) != 0)
 
diff --git a/pkg/engine/mutate/patches.go b/pkg/engine/mutate/patches.go
index 7b294bbca9..61fc93ecea 100644
--- a/pkg/engine/mutate/patches.go
+++ b/pkg/engine/mutate/patches.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
@@ -20,22 +20,21 @@ func applyPatch(resource []byte, patchRaw []byte) ([]byte, error) {
 }
 
 //ProcessPatches applies the patches on the resource and returns the patched resource
-func ProcessPatches(log logr.Logger, rule kyverno.Rule, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
-	logger := log.WithValues("rule", rule.Name)
+func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
 	startTime := time.Now()
-	logger.V(4).Info("started JSON patch", "startTime", startTime)
+	glog.V(4).Infof("started JSON patch rule %q (%v)", rule.Name, startTime)
 	resp.Name = rule.Name
 	resp.Type = utils.Mutation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		logger.V(4).Info("finished JSON patch", "processingTime", resp.RuleStats.ProcessingTime)
+		glog.V(4).Infof("finished JSON patch rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
 	}()
 
 	// convert to RAW
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
 		resp.Success = false
-		logger.Error(err, "failed to marshal resource")
+		glog.Infof("unable to marshall resource: %v", err)
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
 	}
@@ -46,14 +45,14 @@ func ProcessPatches(log logr.Logger, rule kyverno.Rule, resource unstructured.Un
 		// JSON patch
 		patchRaw, err := json.Marshal(patch)
 		if err != nil {
-			logger.Error(err, "failed to marshal JSON patch")
+			glog.V(4).Infof("failed to marshall JSON patch %v: %v", patch, err)
 			errs = append(errs, err)
 			continue
 		}
 		patchResource, err := applyPatch(resourceRaw, patchRaw)
 		// TODO: continue on error if one of the patches fails, will add the failure event in such case
 		if err != nil && patch.Operation == "remove" {
-			log.Error(err, "failed to process JSON path or patch is a 'remove' operation")
+			glog.Info(err)
 			continue
 		}
 		if err != nil {
@@ -78,7 +77,7 @@ func ProcessPatches(log logr.Logger, rule kyverno.Rule, resource unstructured.Un
 	}
 	err = patchedResource.UnmarshalJSON(resourceRaw)
 	if err != nil {
-		logger.Error(err, "failed to unmmarshal resource")
+		glog.Infof("failed to unmarshall resource to undstructured: %v", err)
 		resp.Success = false
 		resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err)
 		return resp, resource
diff --git a/pkg/engine/mutate/patches_test.go b/pkg/engine/mutate/patches_test.go
index 1b617d5517..f38b68d2c4 100644
--- a/pkg/engine/mutate/patches_test.go
+++ b/pkg/engine/mutate/patches_test.go
@@ -5,7 +5,6 @@ import (
 
 	"gotest.tools/assert"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	types "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
@@ -42,7 +41,7 @@ func TestProcessPatches_EmptyPatches(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(log.Log, emptyRule, *resourceUnstructured)
+	rr, _ := ProcessPatches(emptyRule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -71,14 +70,14 @@ func makeRuleWithPatches(patches []types.Patch) types.Rule {
 
 func TestProcessPatches_EmptyDocument(t *testing.T) {
 	rule := makeRuleWithPatch(makeAddIsMutatedLabelPatch())
-	rr, _ := ProcessPatches(log.Log, rule, unstructured.Unstructured{})
+	rr, _ := ProcessPatches(rule, unstructured.Unstructured{})
 	assert.Assert(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
 
 func TestProcessPatches_AllEmpty(t *testing.T) {
 	emptyRule := types.Rule{}
-	rr, _ := ProcessPatches(log.Log, emptyRule, unstructured.Unstructured{})
+	rr, _ := ProcessPatches(emptyRule, unstructured.Unstructured{})
 	assert.Check(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -91,7 +90,7 @@ func TestProcessPatches_AddPathDoesntExist(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(rule, *resourceUnstructured)
 	assert.Check(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -103,7 +102,7 @@ func TestProcessPatches_RemovePathDoesntExist(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -116,7 +115,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_EmptyResult(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(rule, *resourceUnstructured)
 	assert.Check(t, !rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -130,7 +129,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_ContinueOnError_NotEmptyResul
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) != 0)
 	assertEqStringAndData(t, `{"path":"/metadata/labels/label3","op":"add","value":"label3Value"}`, rr.Patches[0])
@@ -143,7 +142,7 @@ func TestProcessPatches_RemovePathDoesntExist_EmptyResult(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 0)
 }
@@ -156,7 +155,7 @@ func TestProcessPatches_RemovePathDoesntExist_NotEmptyResult(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured)
+	rr, _ := ProcessPatches(rule, *resourceUnstructured)
 	assert.Check(t, rr.Success)
 	assert.Assert(t, len(rr.Patches) == 1)
 	assertEqStringAndData(t, `{"path":"/metadata/labels/label2","op":"add","value":"label2Value"}`, rr.Patches[0])
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index b147f5b490..d1fab46211 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -5,13 +5,12 @@ import (
 	"strings"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/mutate"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -29,25 +28,26 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 	policy := policyContext.Policy
 	resource := policyContext.NewResource
 	ctx := policyContext.Context
-	logger := log.Log.WithName("Mutate").WithValues("policy", policy.Name, "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
-	logger.V(4).Info("start processing", "startTime", startTime)
+
 	startMutateResultResponse(&resp, policy, resource)
-	defer endMutateResultResponse(logger, &resp, startTime)
+	glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)
+	defer endMutateResultResponse(&resp, startTime)
 
 	patchedResource := policyContext.NewResource
 	for _, rule := range policy.Spec.Rules {
 		var ruleResponse response.RuleResponse
-		logger := logger.WithValues("rule", rule.Name)
 		//TODO: to be checked before calling the resources as well
 		if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) {
 			continue
 		}
+		startTime := time.Now()
+		glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))
 
 		// check if the resource satisfies the filter conditions defined in the rule
 		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
 		// dont statisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo); err != nil {
-			logger.V(4).Info("resource fails the match description")
+			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error())
 			continue
 		}
 
@@ -55,8 +55,8 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		copyConditions := copyConditions(rule.Conditions)
 		// evaluate pre-conditions
 		// - handle variable subsitutions
-		if !variables.EvaluateConditions(logger, ctx, copyConditions) {
-			logger.V(4).Info("resource fails the preconditions")
+		if !variables.EvaluateConditions(ctx, copyConditions) {
+			glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
 			continue
 		}
 
@@ -66,7 +66,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 			overlay := mutation.Overlay
 			// subsiitue the variables
 			var err error
-			if overlay, err = variables.SubstituteVars(logger, ctx, overlay); err != nil {
+			if overlay, err = variables.SubstituteVars(ctx, overlay); err != nil {
 				// variable subsitution failed
 				ruleResponse.Success = false
 				ruleResponse.Message = err.Error()
@@ -74,13 +74,15 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 				continue
 			}
 
-			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, rule.Name, overlay, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessOverlay(rule.Name, overlay, patchedResource)
 			if ruleResponse.Success {
 				// - overlay pattern does not match the resource conditions
 				if ruleResponse.Patches == nil {
+					glog.V(4).Infof(ruleResponse.Message)
 					continue
 				}
-				logger.V(4).Info("overlay applied succesfully")
+
+				glog.V(4).Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			}
 
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
@@ -90,8 +92,8 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		// Process Patches
 		if rule.Mutation.Patches != nil {
 			var ruleResponse response.RuleResponse
-			ruleResponse, patchedResource = mutate.ProcessPatches(logger, rule, patchedResource)
-			logger.V(4).Info("patches applied successfully")
+			ruleResponse, patchedResource = mutate.ProcessPatches(rule, patchedResource)
+			glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount(&resp)
 		}
@@ -104,14 +106,14 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 
 		if strings.Contains(PodControllers, resource.GetKind()) {
 			var ruleResponse response.RuleResponse
-			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, rule.Name, podTemplateRule, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessOverlay(rule.Name, podTemplateRule, patchedResource)
 			if !ruleResponse.Success {
-				logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
+				glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
 				continue
 			}
 
 			if ruleResponse.Success && ruleResponse.Patches != nil {
-				logger.V(2).Info("inserted annotation for podTemplate")
+				glog.V(2).Infof("Inserted annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
 				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 			}
 		}
@@ -135,9 +137,10 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
 	// TODO(shuting): set response with mutationFailureAction
 }
 
-func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse, startTime time.Time) {
+func endMutateResultResponse(resp *response.EngineResponse, startTime time.Time) {
 	resp.PolicyResponse.ProcessingTime = time.Since(startTime)
-	logger.V(4).Info("finshed processing", "processingTime", resp.PolicyResponse.ProcessingTime, "mutationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
+	glog.V(4).Infof("finished applying mutation rules policy %v (%v)", resp.PolicyResponse.Policy, resp.PolicyResponse.ProcessingTime)
+	glog.V(4).Infof("Mutation Rules appplied count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, resp.PolicyResponse.Policy)
 }
 
 // podTemplateRule mutate pod template with annotation
diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go
index 07f345e265..278d9672f2 100644
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@@ -67,17 +67,11 @@ func Test_VariableSubstitutionOverlay(t *testing.T) {
 	expectedPatch := []byte(`{ "op": "add", "path": "/metadata/labels", "value":{"appname":"check-root-user"} }`)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	if err != nil {
-		t.Error(err)
-	}
+	json.Unmarshal(rawPolicy, &policy)
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	ctx := context.NewContext()
-	err = ctx.AddResource(rawResource)
-	if err != nil {
-		t.Error(err)
-	}
+	ctx.AddResource(rawResource)
 	value, err := ctx.Query("request.object.metadata.name")
 	t.Log(value)
 	if err != nil {
@@ -145,14 +139,12 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
 	  }`)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(policyraw, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(policyraw, &policy)
 	resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	err = ctx.AddResource(resourceRaw)
-	assert.NilError(t, err)
+	ctx.AddResource(resourceRaw)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index 1ee8449d23..c97b2eccb8 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -9,7 +9,8 @@ import (
 	"github.com/nirmata/kyverno/pkg/utils"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	"github.com/golang/glog"
 
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -52,7 +53,7 @@ func checkNameSpace(namespaces []string, resourceNameSpace string) bool {
 func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[string]string) (bool, error) {
 	selector, err := metav1.LabelSelectorAsSelector(labelSelector)
 	if err != nil {
-		log.Log.Error(err, "failed to build label selector")
+		glog.Error(err)
 		return false, err
 	}
 
diff --git a/pkg/engine/validate/pattern.go b/pkg/engine/validate/pattern.go
index 7779f9b6ca..e7b37283bd 100644
--- a/pkg/engine/validate/pattern.go
+++ b/pkg/engine/validate/pattern.go
@@ -1,13 +1,12 @@
 package validate
 
 import (
-	"fmt"
 	"math"
 	"regexp"
 	"strconv"
 	"strings"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/minio/minio/pkg/wildcard"
 	"github.com/nirmata/kyverno/pkg/engine/operator"
 	apiresource "k8s.io/apimachinery/pkg/api/resource"
@@ -22,52 +21,52 @@ const (
 )
 
 // ValidateValueWithPattern validates value with operators and wildcards
-func ValidateValueWithPattern(log logr.Logger, value, pattern interface{}) bool {
+func ValidateValueWithPattern(value, pattern interface{}) bool {
 	switch typedPattern := pattern.(type) {
 	case bool:
 		typedValue, ok := value.(bool)
 		if !ok {
-			log.V(4).Info("Expected type bool", "type", fmt.Sprintf("%T", value), "value", value)
+			glog.V(4).Infof("Expected bool, found %T", value)
 			return false
 		}
 		return typedPattern == typedValue
 	case int:
-		return validateValueWithIntPattern(log, value, int64(typedPattern))
+		return validateValueWithIntPattern(value, int64(typedPattern))
 	case int64:
-		return validateValueWithIntPattern(log, value, typedPattern)
+		return validateValueWithIntPattern(value, typedPattern)
 	case float64:
-		return validateValueWithFloatPattern(log, value, typedPattern)
+		return validateValueWithFloatPattern(value, typedPattern)
 	case string:
-		return validateValueWithStringPatterns(log, value, typedPattern)
+		return validateValueWithStringPatterns(value, typedPattern)
 	case nil:
-		return validateValueWithNilPattern(log, value)
+		return validateValueWithNilPattern(value)
 	case map[string]interface{}:
 		// TODO: check if this is ever called?
-		return validateValueWithMapPattern(log, value, typedPattern)
+		return validateValueWithMapPattern(value, typedPattern)
 	case []interface{}:
 		// TODO: check if this is ever called?
-		log.Info("arrays as patterns is not supported")
+		glog.Warning("Arrays as patterns are not supported")
 		return false
 	default:
-		log.Info("Unkown type", "type", fmt.Sprintf("%T", typedPattern), "value", typedPattern)
+		glog.Warningf("Unknown type as pattern: %v", typedPattern)
 		return false
 	}
 }
 
-func validateValueWithMapPattern(log logr.Logger, value interface{}, typedPattern map[string]interface{}) bool {
+func validateValueWithMapPattern(value interface{}, typedPattern map[string]interface{}) bool {
 	// verify the type of the resource value is map[string]interface,
 	// we only check for existence of object, not the equality of content and value
 	//TODO: check if adding
 	_, ok := value.(map[string]interface{})
 	if !ok {
-		log.Info("Expected type map[string]interface{}", "type", fmt.Sprintf("%T", value), "value", value)
+		glog.Warningf("Expected map[string]interface{}, found %T\n", value)
 		return false
 	}
 	return true
 }
 
 // Handler for int values during validation process
-func validateValueWithIntPattern(log logr.Logger, value interface{}, pattern int64) bool {
+func validateValueWithIntPattern(value interface{}, pattern int64) bool {
 	switch typedValue := value.(type) {
 	case int:
 		return int64(typedValue) == pattern
@@ -79,38 +78,38 @@ func validateValueWithIntPattern(log logr.Logger, value interface{}, pattern int
 			return int64(typedValue) == pattern
 		}
 
-		log.Info("Expected type int", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
+		glog.Warningf("Expected int, found float: %f\n", typedValue)
 		return false
 	case string:
 		// extract int64 from string
 		int64Num, err := strconv.ParseInt(typedValue, 10, 64)
 		if err != nil {
-			log.Error(err, "Failed to parse int64 from string")
+			glog.Warningf("Failed to parse int64 from string: %v", err)
 			return false
 		}
 		return int64Num == pattern
 	default:
-		log.Info("Expected type int", "type", fmt.Sprintf("%T", value), "value", value)
+		glog.Warningf("Expected int, found: %T\n", value)
 		return false
 	}
 }
 
 // Handler for float values during validation process
-func validateValueWithFloatPattern(log logr.Logger, value interface{}, pattern float64) bool {
+func validateValueWithFloatPattern(value interface{}, pattern float64) bool {
 	switch typedValue := value.(type) {
 	case int:
 		// check that float has no fraction
 		if pattern == math.Trunc(pattern) {
 			return int(pattern) == value
 		}
-		log.Info("Expected type float", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
+		glog.Warningf("Expected float, found int: %d\n", typedValue)
 		return false
 	case int64:
 		// check that float has no fraction
 		if pattern == math.Trunc(pattern) {
 			return int64(pattern) == value
 		}
-		log.Info("Expected type float", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
+		glog.Warningf("Expected float, found int: %d\n", typedValue)
 		return false
 	case float64:
 		return typedValue == pattern
@@ -118,18 +117,18 @@ func validateValueWithFloatPattern(log logr.Logger, value interface{}, pattern f
 		// extract float64 from string
 		float64Num, err := strconv.ParseFloat(typedValue, 64)
 		if err != nil {
-			log.Error(err, "Failed to parse float64 from string")
+			glog.Warningf("Failed to parse float64 from string: %v", err)
 			return false
 		}
 		return float64Num == pattern
 	default:
-		log.Info("Expected type float", "type", fmt.Sprintf("%T", value), "value", value)
+		glog.Warningf("Expected float, found: %T\n", value)
 		return false
 	}
 }
 
 // Handler for nil values during validation process
-func validateValueWithNilPattern(log logr.Logger, value interface{}) bool {
+func validateValueWithNilPattern(value interface{}) bool {
 	switch typed := value.(type) {
 	case float64:
 		return typed == 0.0
@@ -144,20 +143,20 @@ func validateValueWithNilPattern(log logr.Logger, value interface{}) bool {
 	case nil:
 		return true
 	case map[string]interface{}, []interface{}:
-		log.Info("Maps and arrays could not be checked with nil pattern")
+		glog.Warningf("Maps and arrays could not be checked with nil pattern")
 		return false
 	default:
-		log.Info("Unknown type as value when checking for nil pattern", "type", fmt.Sprintf("%T", value), "value", value)
+		glog.Warningf("Unknown type as value when checking for nil pattern: %T\n", value)
 		return false
 	}
 }
 
 // Handler for pattern values during validation process
-func validateValueWithStringPatterns(log logr.Logger, value interface{}, pattern string) bool {
+func validateValueWithStringPatterns(value interface{}, pattern string) bool {
 	statements := strings.Split(pattern, "|")
 	for _, statement := range statements {
 		statement = strings.Trim(statement, " ")
-		if validateValueWithStringPattern(log, value, statement) {
+		if validateValueWithStringPattern(value, statement) {
 			return true
 		}
 	}
@@ -167,24 +166,24 @@ func validateValueWithStringPatterns(log logr.Logger, value interface{}, pattern
 
 // Handler for single pattern value during validation process
 // Detects if pattern has a number
-func validateValueWithStringPattern(log logr.Logger, value interface{}, pattern string) bool {
+func validateValueWithStringPattern(value interface{}, pattern string) bool {
 	operator := operator.GetOperatorFromStringPattern(pattern)
 	pattern = pattern[len(operator):]
 	number, str := getNumberAndStringPartsFromPattern(pattern)
 
 	if "" == number {
-		return validateString(log, value, str, operator)
+		return validateString(value, str, operator)
 	}
 
-	return validateNumberWithStr(log, value, pattern, operator)
+	return validateNumberWithStr(value, pattern, operator)
 }
 
 // Handler for string values
-func validateString(log logr.Logger, value interface{}, pattern string, operatorVariable operator.Operator) bool {
+func validateString(value interface{}, pattern string, operatorVariable operator.Operator) bool {
 	if operator.NotEqual == operatorVariable || operator.Equal == operatorVariable {
 		strValue, ok := value.(string)
 		if !ok {
-			log.Info("Expected type string", "type", fmt.Sprintf("%T", value), "value", value)
+			glog.Warningf("Expected string, found %T\n", value)
 			return false
 		}
 
@@ -196,16 +195,17 @@ func validateString(log logr.Logger, value interface{}, pattern string, operator
 
 		return wildcardResult
 	}
-	log.Info("Operators >, >=, <, <= are not applicable to strings")
+
+	glog.Warningf("Operators >, >=, <, <= are not applicable to strings")
 	return false
 }
 
 // validateNumberWithStr compares quantity if pattern type is quantity
 //  or a wildcard match to pattern string
-func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, operator operator.Operator) bool {
+func validateNumberWithStr(value interface{}, pattern string, operator operator.Operator) bool {
 	typedValue, err := convertToString(value)
 	if err != nil {
-		log.Error(err, "failed to convert to string")
+		glog.Warning(err)
 		return false
 	}
 
@@ -214,7 +214,7 @@ func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, o
 	if err == nil {
 		valueQuan, err := apiresource.ParseQuantity(typedValue)
 		if err != nil {
-			log.Error(err, "invalid quantity in resource", "type", fmt.Sprintf("%T", typedValue), "value", typedValue)
+			glog.Warningf("Invalid quantity in resource %s, err: %v\n", typedValue, err)
 			return false
 		}
 
@@ -223,7 +223,7 @@ func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, o
 
 	// 2. wildcard match
 	if !wildcard.Match(pattern, typedValue) {
-		log.Info("value failed wildcard check", "type", fmt.Sprintf("%T", typedValue), "value", typedValue, "check", pattern)
+		glog.Warningf("Value '%s' has not passed wildcard check: %s", typedValue, pattern)
 		return false
 	}
 	return true
diff --git a/pkg/engine/validate/pattern_test.go b/pkg/engine/validate/pattern_test.go
index 8d8d437d2b..8ee4e34881 100644
--- a/pkg/engine/validate/pattern_test.go
+++ b/pkg/engine/validate/pattern_test.go
@@ -6,14 +6,13 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/engine/operator"
 	"gotest.tools/assert"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestValidateValueWithPattern_Bool(t *testing.T) {
-	assert.Assert(t, ValidateValueWithPattern(log.Log, true, true))
-	assert.Assert(t, !ValidateValueWithPattern(log.Log, true, false))
-	assert.Assert(t, !ValidateValueWithPattern(log.Log, false, true))
-	assert.Assert(t, ValidateValueWithPattern(log.Log, false, false))
+	assert.Assert(t, ValidateValueWithPattern(true, true))
+	assert.Assert(t, !ValidateValueWithPattern(true, false))
+	assert.Assert(t, !ValidateValueWithPattern(false, true))
+	assert.Assert(t, ValidateValueWithPattern(false, false))
 }
 
 func TestValidateString_AsteriskTest(t *testing.T) {
@@ -21,8 +20,8 @@ func TestValidateString_AsteriskTest(t *testing.T) {
 	value := "anything"
 	empty := ""
 
-	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
-	assert.Assert(t, validateString(log.Log, empty, pattern, operator.Equal))
+	assert.Assert(t, validateString(value, pattern, operator.Equal))
+	assert.Assert(t, validateString(empty, pattern, operator.Equal))
 }
 
 func TestValidateString_LeftAsteriskTest(t *testing.T) {
@@ -30,32 +29,32 @@ func TestValidateString_LeftAsteriskTest(t *testing.T) {
 	value := "leftright"
 	right := "right"
 
-	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
-	assert.Assert(t, validateString(log.Log, right, pattern, operator.Equal))
+	assert.Assert(t, validateString(value, pattern, operator.Equal))
+	assert.Assert(t, validateString(right, pattern, operator.Equal))
 
 	value = "leftmiddle"
 	middle := "middle"
 
-	assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal))
-	assert.Assert(t, !validateString(log.Log, middle, pattern, operator.Equal))
+	assert.Assert(t, !validateString(value, pattern, operator.Equal))
+	assert.Assert(t, !validateString(middle, pattern, operator.Equal))
 }
 
 func TestValidateString_MiddleAsteriskTest(t *testing.T) {
 	pattern := "ab*ba"
 	value := "abbeba"
-	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, validateString(value, pattern, operator.Equal))
 
 	value = "abbca"
-	assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, !validateString(value, pattern, operator.Equal))
 }
 
 func TestValidateString_QuestionMark(t *testing.T) {
 	pattern := "ab?ba"
 	value := "abbba"
-	assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, validateString(value, pattern, operator.Equal))
 
 	value = "abbbba"
-	assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal))
+	assert.Assert(t, !validateString(value, pattern, operator.Equal))
 }
 
 func TestValidateValueWithPattern_BoolInJson(t *testing.T) {
@@ -77,7 +76,7 @@ func TestValidateValueWithPattern_BoolInJson(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternStringValue(t *testing.T) {
@@ -99,7 +98,7 @@ func TestValidateValueWithPattern_NullPatternStringValue(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, !ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
+	assert.Assert(t, !ValidateValueWithPattern(value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultString(t *testing.T) {
@@ -121,7 +120,7 @@ func TestValidateValueWithPattern_NullPatternDefaultString(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultFloat(t *testing.T) {
@@ -143,7 +142,7 @@ func TestValidateValueWithPattern_NullPatternDefaultFloat(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultInt(t *testing.T) {
@@ -165,7 +164,7 @@ func TestValidateValueWithPattern_NullPatternDefaultInt(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_NullPatternDefaultBool(t *testing.T) {
@@ -187,77 +186,77 @@ func TestValidateValueWithPattern_NullPatternDefaultBool(t *testing.T) {
 	err = json.Unmarshal(rawValue, &value)
 	assert.Assert(t, err)
 
-	assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"]))
+	assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"]))
 }
 
 func TestValidateValueWithPattern_StringsLogicalOr(t *testing.T) {
 	pattern := "192.168.88.1 | 10.100.11.*"
 	value := "10.100.11.54"
-	assert.Assert(t, ValidateValueWithPattern(log.Log, value, pattern))
+	assert.Assert(t, ValidateValueWithPattern(value, pattern))
 }
 
 func TestValidateValueWithPattern_EqualTwoFloats(t *testing.T) {
-	assert.Assert(t, ValidateValueWithPattern(log.Log, 7.0, 7.000))
+	assert.Assert(t, ValidateValueWithPattern(7.0, 7.000))
 }
 
 func TestValidateValueWithNilPattern_NullPatternStringValue(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(log.Log, "value"))
+	assert.Assert(t, !validateValueWithNilPattern("value"))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultString(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(log.Log, ""))
+	assert.Assert(t, validateValueWithNilPattern(""))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultFloat(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(log.Log, 0.0))
+	assert.Assert(t, validateValueWithNilPattern(0.0))
 }
 
 func TestValidateValueWithNilPattern_NullPatternFloat(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(log.Log, 0.1))
+	assert.Assert(t, !validateValueWithNilPattern(0.1))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultInt(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(log.Log, 0))
+	assert.Assert(t, validateValueWithNilPattern(0))
 }
 
 func TestValidateValueWithNilPattern_NullPatternInt(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(log.Log, 1))
+	assert.Assert(t, !validateValueWithNilPattern(1))
 }
 
 func TestValidateValueWithNilPattern_NullPatternDefaultBool(t *testing.T) {
-	assert.Assert(t, validateValueWithNilPattern(log.Log, false))
+	assert.Assert(t, validateValueWithNilPattern(false))
 }
 
 func TestValidateValueWithNilPattern_NullPatternTrueBool(t *testing.T) {
-	assert.Assert(t, !validateValueWithNilPattern(log.Log, true))
+	assert.Assert(t, !validateValueWithNilPattern(true))
 }
 
 func TestValidateValueWithFloatPattern_FloatValue(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.9914, 7.9914))
+	assert.Assert(t, validateValueWithFloatPattern(7.9914, 7.9914))
 }
 
 func TestValidateValueWithFloatPattern_FloatValueNotPass(t *testing.T) {
-	assert.Assert(t, !validateValueWithFloatPattern(log.Log, 7.9914, 7.99141))
+	assert.Assert(t, !validateValueWithFloatPattern(7.9914, 7.99141))
 }
 
 func TestValidateValueWithFloatPattern_FloatPatternWithoutFractionIntValue(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7, 7.000000))
+	assert.Assert(t, validateValueWithFloatPattern(7, 7.000000))
 }
 
 func TestValidateValueWithFloatPattern_FloatPatternWithoutFraction(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.000000, 7.000000))
+	assert.Assert(t, validateValueWithFloatPattern(7.000000, 7.000000))
 }
 
 func TestValidateValueWithIntPattern_FloatValueWithoutFraction(t *testing.T) {
-	assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.000000, 7))
+	assert.Assert(t, validateValueWithFloatPattern(7.000000, 7))
 }
 
 func TestValidateValueWithIntPattern_FloatValueWitFraction(t *testing.T) {
-	assert.Assert(t, !validateValueWithFloatPattern(log.Log, 7.000001, 7))
+	assert.Assert(t, !validateValueWithFloatPattern(7.000001, 7))
 }
 
 func TestValidateValueWithIntPattern_NotPass(t *testing.T) {
-	assert.Assert(t, !validateValueWithFloatPattern(log.Log, 8, 7))
+	assert.Assert(t, !validateValueWithFloatPattern(8, 7))
 }
 
 func TestGetNumberAndStringPartsFromPattern_NumberAndString(t *testing.T) {
@@ -291,35 +290,35 @@ func TestGetNumberAndStringPartsFromPattern_Empty(t *testing.T) {
 }
 
 func TestValidateNumberWithStr_LessFloatAndInt(t *testing.T) {
-	assert.Assert(t, validateNumberWithStr(log.Log, 7.00001, "7.000001", operator.More))
-	assert.Assert(t, validateNumberWithStr(log.Log, 7.00001, "7", operator.NotEqual))
+	assert.Assert(t, validateNumberWithStr(7.00001, "7.000001", operator.More))
+	assert.Assert(t, validateNumberWithStr(7.00001, "7", operator.NotEqual))
 
-	assert.Assert(t, validateNumberWithStr(log.Log, 7.0000, "7", operator.Equal))
-	assert.Assert(t, !validateNumberWithStr(log.Log, 6.000000001, "6", operator.Less))
+	assert.Assert(t, validateNumberWithStr(7.0000, "7", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(6.000000001, "6", operator.Less))
 }
 
 func TestValidateQuantity_InvalidQuantity(t *testing.T) {
-	assert.Assert(t, !validateNumberWithStr(log.Log, "1024Gi", "", operator.Equal))
-	assert.Assert(t, !validateNumberWithStr(log.Log, "gii", "1024Gi", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr("1024Gi", "", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr("gii", "1024Gi", operator.Equal))
 }
 
 func TestValidateQuantity_Equal(t *testing.T) {
-	assert.Assert(t, validateNumberWithStr(log.Log, "1024Gi", "1024Gi", operator.Equal))
-	assert.Assert(t, validateNumberWithStr(log.Log, "1024Mi", "1Gi", operator.Equal))
-	assert.Assert(t, validateNumberWithStr(log.Log, "0.2", "200m", operator.Equal))
-	assert.Assert(t, validateNumberWithStr(log.Log, "500", "500", operator.Equal))
-	assert.Assert(t, !validateNumberWithStr(log.Log, "2048", "1024", operator.Equal))
-	assert.Assert(t, validateNumberWithStr(log.Log, 1024, "1024", operator.Equal))
+	assert.Assert(t, validateNumberWithStr("1024Gi", "1024Gi", operator.Equal))
+	assert.Assert(t, validateNumberWithStr("1024Mi", "1Gi", operator.Equal))
+	assert.Assert(t, validateNumberWithStr("0.2", "200m", operator.Equal))
+	assert.Assert(t, validateNumberWithStr("500", "500", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr("2048", "1024", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(1024, "1024", operator.Equal))
 }
 
 func TestValidateQuantity_Operation(t *testing.T) {
-	assert.Assert(t, validateNumberWithStr(log.Log, "1Gi", "1000Mi", operator.More))
-	assert.Assert(t, validateNumberWithStr(log.Log, "1G", "1Gi", operator.Less))
-	assert.Assert(t, validateNumberWithStr(log.Log, "500m", "0.5", operator.MoreEqual))
-	assert.Assert(t, validateNumberWithStr(log.Log, "1", "500m", operator.MoreEqual))
-	assert.Assert(t, validateNumberWithStr(log.Log, "0.5", ".5", operator.LessEqual))
-	assert.Assert(t, validateNumberWithStr(log.Log, "0.2", ".5", operator.LessEqual))
-	assert.Assert(t, validateNumberWithStr(log.Log, "0.2", ".5", operator.NotEqual))
+	assert.Assert(t, validateNumberWithStr("1Gi", "1000Mi", operator.More))
+	assert.Assert(t, validateNumberWithStr("1G", "1Gi", operator.Less))
+	assert.Assert(t, validateNumberWithStr("500m", "0.5", operator.MoreEqual))
+	assert.Assert(t, validateNumberWithStr("1", "500m", operator.MoreEqual))
+	assert.Assert(t, validateNumberWithStr("0.5", ".5", operator.LessEqual))
+	assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.LessEqual))
+	assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.NotEqual))
 }
 
 func TestGetOperatorFromStringPattern_OneChar(t *testing.T) {
diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go
index 6e3d40da7d..9d94f07789 100644
--- a/pkg/engine/validate/validate.go
+++ b/pkg/engine/validate/validate.go
@@ -8,15 +8,15 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	"github.com/nirmata/kyverno/pkg/engine/operator"
 )
 
 // ValidateResourceWithPattern is a start of element-by-element validation process
 // It assumes that validation is started from root, so "/" is passed
-func ValidateResourceWithPattern(log logr.Logger, resource, pattern interface{}) (string, error) {
-	path, err := validateResourceElement(log, resource, pattern, pattern, "/")
+func ValidateResourceWithPattern(resource, pattern interface{}) (string, error) {
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	if err != nil {
 		return path, err
 	}
@@ -27,44 +27,44 @@ func ValidateResourceWithPattern(log logr.Logger, resource, pattern interface{})
 // validateResourceElement detects the element type (map, array, nil, string, int, bool, float)
 // and calls corresponding handler
 // Pattern tree and resource tree can have different structure. In this case validation fails
-func validateResourceElement(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string) (string, error) {
+func validateResourceElement(resourceElement, patternElement, originPattern interface{}, path string) (string, error) {
 	var err error
 	switch typedPatternElement := patternElement.(type) {
 	// map
 	case map[string]interface{}:
 		typedResourceElement, ok := resourceElement.(map[string]interface{})
 		if !ok {
-			log.V(4).Info("Pattern and resource have different structures.", "path", path, "expected", fmt.Sprintf("%T", patternElement), "current", fmt.Sprintf("%T", resourceElement))
+			glog.V(4).Infof("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement)
 			return path, fmt.Errorf("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement)
 		}
 
-		return validateMap(log, typedResourceElement, typedPatternElement, originPattern, path)
+		return validateMap(typedResourceElement, typedPatternElement, originPattern, path)
 	// array
 	case []interface{}:
 		typedResourceElement, ok := resourceElement.([]interface{})
 		if !ok {
-			log.V(4).Info("Pattern and resource have different structures.", "path", path, "expected", fmt.Sprintf("%T", patternElement), "current", fmt.Sprintf("%T", resourceElement))
+			glog.V(4).Infof("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement)
 			return path, fmt.Errorf("Validation rule Failed at path %s, resource does not satisfy the expected overlay pattern", path)
 		}
 
-		return validateArray(log, typedResourceElement, typedPatternElement, originPattern, path)
+		return validateArray(typedResourceElement, typedPatternElement, originPattern, path)
 	// elementary values
 	case string, float64, int, int64, bool, nil:
 		/*Analyze pattern */
 		if checkedPattern := reflect.ValueOf(patternElement); checkedPattern.Kind() == reflect.String {
 			if isStringIsReference(checkedPattern.String()) { //check for $ anchor
-				patternElement, err = actualizePattern(log, originPattern, checkedPattern.String(), path)
+				patternElement, err = actualizePattern(originPattern, checkedPattern.String(), path)
 				if err != nil {
 					return path, err
 				}
 			}
 		}
-		if !ValidateValueWithPattern(log, resourceElement, patternElement) {
+		if !ValidateValueWithPattern(resourceElement, patternElement) {
 			return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement)
 		}
 
 	default:
-		log.V(4).Info("Pattern contains unknown type", "path", path, "current", fmt.Sprintf("%T", patternElement))
+		glog.V(4).Infof("Pattern contains unknown type %T. Path: %s", patternElement, path)
 		return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path)
 	}
 	return "", nil
@@ -72,7 +72,7 @@ func validateResourceElement(log logr.Logger, resourceElement, patternElement, o
 
 // If validateResourceElement detects map element inside resource and pattern trees, it goes to validateMap
 // For each element of the map we must detect the type again, so we pass these elements to validateResourceElement
-func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string) (string, error) {
+func validateMap(resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string) (string, error) {
 	// check if there is anchor in pattern
 	// Phase 1 : Evaluate all the anchors
 	// Phase 2 : Evaluate non-anchors
@@ -91,7 +91,7 @@ func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}
 		if err != nil {
 			// If Conditional anchor fails then we dont process the resources
 			if anchor.IsConditionAnchor(key) {
-				log.Error(err, "condition anchor did not satisfy, wont process the resource")
+				glog.V(4).Infof("condition anchor did not satisfy, wont process the resources: %s", err)
 				return "", nil
 			}
 			return handlerPath, err
@@ -109,7 +109,7 @@ func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}
 	return "", nil
 }
 
-func validateArray(log logr.Logger, resourceArray, patternArray []interface{}, originPattern interface{}, path string) (string, error) {
+func validateArray(resourceArray, patternArray []interface{}, originPattern interface{}, path string) (string, error) {
 
 	if 0 == len(patternArray) {
 		return path, fmt.Errorf("Pattern Array empty")
@@ -119,7 +119,7 @@ func validateArray(log logr.Logger, resourceArray, patternArray []interface{}, o
 	case map[string]interface{}:
 		// This is special case, because maps in arrays can have anchors that must be
 		// processed with the special way affecting the entire array
-		path, err := validateArrayOfMaps(log, resourceArray, typedPatternElement, originPattern, path)
+		path, err := validateArrayOfMaps(resourceArray, typedPatternElement, originPattern, path)
 		if err != nil {
 			return path, err
 		}
@@ -127,7 +127,7 @@ func validateArray(log logr.Logger, resourceArray, patternArray []interface{}, o
 		// In all other cases - detect type and handle each array element with validateResourceElement
 		for i, patternElement := range patternArray {
 			currentPath := path + strconv.Itoa(i) + "/"
-			path, err := validateResourceElement(log, resourceArray[i], patternElement, originPattern, currentPath)
+			path, err := validateResourceElement(resourceArray[i], patternElement, originPattern, currentPath)
 			if err != nil {
 				return path, err
 			}
@@ -137,7 +137,7 @@ func validateArray(log logr.Logger, resourceArray, patternArray []interface{}, o
 	return "", nil
 }
 
-func actualizePattern(log logr.Logger, origPattern interface{}, referencePattern, absolutePath string) (interface{}, error) {
+func actualizePattern(origPattern interface{}, referencePattern, absolutePath string) (interface{}, error) {
 	var foundValue interface{}
 
 	referencePattern = strings.Trim(referencePattern, "$()")
@@ -155,7 +155,7 @@ func actualizePattern(log logr.Logger, origPattern interface{}, referencePattern
 	// value :=
 	actualPath := formAbsolutePath(referencePattern, absolutePath)
 
-	valFromReference, err := getValueFromReference(log, origPattern, actualPath)
+	valFromReference, err := getValueFromReference(origPattern, actualPath)
 	if err != nil {
 		return err, nil
 	}
@@ -196,15 +196,15 @@ func formAbsolutePath(referencePath, absolutePath string) string {
 }
 
 //Prepares original pattern, path to value, and call traverse function
-func getValueFromReference(log logr.Logger, origPattern interface{}, reference string) (interface{}, error) {
+func getValueFromReference(origPattern interface{}, reference string) (interface{}, error) {
 	originalPatternMap := origPattern.(map[string]interface{})
 	reference = reference[1:]
 	statements := strings.Split(reference, "/")
 
-	return getValueFromPattern(log, originalPatternMap, statements, 0)
+	return getValueFromPattern(originalPatternMap, statements, 0)
 }
 
-func getValueFromPattern(log logr.Logger, patternMap map[string]interface{}, keys []string, currentKeyIndex int) (interface{}, error) {
+func getValueFromPattern(patternMap map[string]interface{}, keys []string, currentKeyIndex int) (interface{}, error) {
 
 	for key, pattern := range patternMap {
 		rawKey := getRawKeyIfWrappedWithAttributes(key)
@@ -221,21 +221,19 @@ func getValueFromPattern(log logr.Logger, patternMap map[string]interface{}, key
 				for i, value := range typedPattern {
 					resourceMap, ok := value.(map[string]interface{})
 					if !ok {
-						log.V(4).Info("Pattern and resource have different structures.", "expected", fmt.Sprintf("%T", pattern), "current", fmt.Sprintf("%T", value))
+						glog.V(4).Infof("Pattern and resource have different structures. Expected %T, found %T", pattern, value)
 						return nil, fmt.Errorf("Validation rule failed, resource does not have expected pattern %v", patternMap)
 					}
 					if keys[currentKeyIndex+1] == strconv.Itoa(i) {
-						return getValueFromPattern(log, resourceMap, keys, currentKeyIndex+2)
+						return getValueFromPattern(resourceMap, keys, currentKeyIndex+2)
 					}
-					// TODO : SA4004: the surrounding loop is unconditionally terminated (staticcheck)
 					return nil, errors.New("Reference to non-existent place in the document")
 				}
-				return nil, nil // Just a hack to fix the lint
 			}
 			return nil, errors.New("Reference to non-existent place in the document")
 		case map[string]interface{}:
 			if keys[currentKeyIndex] == rawKey {
-				return getValueFromPattern(log, typedPattern, keys, currentKeyIndex+1)
+				return getValueFromPattern(typedPattern, keys, currentKeyIndex+1)
 			}
 			return nil, errors.New("Reference to non-existent place in the document")
 		case string, float64, int, int64, bool, nil:
@@ -253,12 +251,12 @@ func getValueFromPattern(log logr.Logger, patternMap map[string]interface{}, key
 
 // validateArrayOfMaps gets anchors from pattern array map element, applies anchors logic
 // and then validates each map due to the pattern
-func validateArrayOfMaps(log logr.Logger, resourceMapArray []interface{}, patternMap map[string]interface{}, originPattern interface{}, path string) (string, error) {
+func validateArrayOfMaps(resourceMapArray []interface{}, patternMap map[string]interface{}, originPattern interface{}, path string) (string, error) {
 	for i, resourceElement := range resourceMapArray {
 		// check the types of resource element
 		// expect it to be map, but can be anything ?:(
 		currentPath := path + strconv.Itoa(i) + "/"
-		returnpath, err := validateResourceElement(log, resourceElement, patternMap, originPattern, currentPath)
+		returnpath, err := validateResourceElement(resourceElement, patternMap, originPattern, currentPath)
 		if err != nil {
 			return returnpath, err
 		}
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index 7f916239e0..acabd87ac1 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@@ -5,7 +5,6 @@ import (
 	"testing"
 
 	"gotest.tools/assert"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func TestValidateMap(t *testing.T) {
@@ -101,7 +100,7 @@ func TestValidateMap(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
+	path, err := validateMap(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -197,7 +196,7 @@ func TestValidateMap_AsteriskForInt(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
+	path, err := validateMap(resource, pattern, pattern, "/")
 	t.Log(path)
 	assert.NilError(t, err)
 }
@@ -290,7 +289,7 @@ func TestValidateMap_AsteriskForMap(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
+	path, err := validateMap(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -378,7 +377,7 @@ func TestValidateMap_AsteriskForArray(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
+	path, err := validateMap(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -469,7 +468,7 @@ func TestValidateMap_AsteriskFieldIsMissing(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
+	path, err := validateMap(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/template/spec/containers/0/")
 	assert.Assert(t, err != nil)
 }
@@ -558,10 +557,9 @@ func TestValidateMap_livenessProbeIsNull(t *testing.T) {
 
 	var pattern, resource map[string]interface{}
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
-	err := json.Unmarshal(rawMap, &resource)
-	assert.NilError(t, err)
+	json.Unmarshal(rawMap, &resource)
 
-	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
+	path, err := validateMap(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -651,7 +649,7 @@ func TestValidateMap_livenessProbeIsMissing(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateMap(log.Log, resource, pattern, pattern, "/")
+	path, err := validateMap(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -697,7 +695,7 @@ func TestValidateMapElement_TwoElementsInArrayOnePass(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	// assert.Equal(t, path, "/1/object/0/key2/")
 	// assert.NilError(t, err)
@@ -732,7 +730,7 @@ func TestValidateMapElement_OneElementInArrayPass(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -786,7 +784,7 @@ func TestValidateMap_CorrectRelativePathInConfig(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -840,7 +838,7 @@ func TestValidateMap_RelativePathDoesNotExists(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -894,7 +892,7 @@ func TestValidateMap_OnlyAnchorsInPath(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -948,7 +946,7 @@ func TestValidateMap_MalformedReferenceOnlyDolarMark(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -1002,7 +1000,7 @@ func TestValidateMap_RelativePathWithParentheses(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.NilError(t, err)
 }
@@ -1056,7 +1054,7 @@ func TestValidateMap_MalformedPath(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -1110,7 +1108,7 @@ func TestValidateMap_AbosolutePathExists(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.Assert(t, err == nil)
 }
@@ -1151,7 +1149,7 @@ func TestValidateMap_AbsolutePathToMetadata(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "")
 	assert.Assert(t, err == nil)
 }
@@ -1193,7 +1191,7 @@ func TestValidateMap_AbsolutePathToMetadata_fail(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/image/")
 	assert.Assert(t, err != nil)
 }
@@ -1247,7 +1245,7 @@ func TestValidateMap_AbosolutePathDoesNotExists(t *testing.T) {
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 	assert.Assert(t, json.Unmarshal(rawMap, &resource))
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/")
 	assert.Assert(t, err != nil)
 }
@@ -1278,7 +1276,7 @@ func TestActualizePattern_GivenRelativePathThatExists(t *testing.T) {
 
 	assert.Assert(t, json.Unmarshal(rawPattern, &pattern))
 
-	pattern, err := actualizePattern(log.Log, pattern, referencePath, absolutePath)
+	pattern, err := actualizePattern(pattern, referencePath, absolutePath)
 
 	assert.Assert(t, err == nil)
 }
@@ -1346,12 +1344,10 @@ func TestValidateMapElement_OneElementInArrayNotPass(t *testing.T) {
 	]`)
 
 	var pattern, resource interface{}
-	err := json.Unmarshal(rawPattern, &pattern)
-	assert.NilError(t, err)
-	err = json.Unmarshal(rawMap, &resource)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPattern, &pattern)
+	json.Unmarshal(rawMap, &resource)
 
-	path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/")
+	path, err := validateResourceElement(resource, pattern, pattern, "/")
 	assert.Equal(t, path, "/0/object/0/key2/")
 	assert.Assert(t, err != nil)
 }
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 00c32f6791..fc4e89bf1c 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -5,7 +5,7 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/response"
@@ -13,7 +13,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/validate"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //Validate applies validation rules from policy on the resource
@@ -24,18 +23,17 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 	oldR := policyContext.OldResource
 	ctx := policyContext.Context
 	admissionInfo := policyContext.AdmissionInfo
-	logger := log.Log.WithName("Validate").WithValues("policy", policy.Name, "kind", newR.GetKind(), "namespace", newR.GetNamespace(), "name", newR.GetName())
 
 	// policy information
-	logger.V(4).Info("start processing", "startTime", startTime)
+	glog.V(4).Infof("started applying validation rules of policy %q (%v)", policy.Name, startTime)
 
 	// Process new & old resource
 	if reflect.DeepEqual(oldR, unstructured.Unstructured{}) {
 		// Create Mode
 		// Operate on New Resource only
-		resp := validateResource(logger, ctx, policy, newR, admissionInfo)
+		resp := validateResource(ctx, policy, newR, admissionInfo)
 		startResultResponse(resp, policy, newR)
-		defer endResultResponse(logger, resp, startTime)
+		defer endResultResponse(resp, startTime)
 		// set PatchedResource with origin resource if empty
 		// in order to create policy violation
 		if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
@@ -46,14 +44,14 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 	// Update Mode
 	// Operate on New and Old Resource only
 	// New resource
-	oldResponse := validateResource(logger, ctx, policy, oldR, admissionInfo)
-	newResponse := validateResource(logger, ctx, policy, newR, admissionInfo)
+	oldResponse := validateResource(ctx, policy, oldR, admissionInfo)
+	newResponse := validateResource(ctx, policy, newR, admissionInfo)
 
 	// if the old and new response is same then return empty response
 	if !isSameResponse(oldResponse, newResponse) {
 		// there are changes send response
 		startResultResponse(newResponse, policy, newR)
-		defer endResultResponse(logger, newResponse, startTime)
+		defer endResultResponse(newResponse, startTime)
 		if reflect.DeepEqual(newResponse.PatchedResource, unstructured.Unstructured{}) {
 			newResponse.PatchedResource = newR
 		}
@@ -75,9 +73,10 @@ func startResultResponse(resp *response.EngineResponse, policy kyverno.ClusterPo
 	resp.PolicyResponse.ValidationFailureAction = policy.Spec.ValidationFailureAction
 }
 
-func endResultResponse(log logr.Logger, resp *response.EngineResponse, startTime time.Time) {
+func endResultResponse(resp *response.EngineResponse, startTime time.Time) {
 	resp.PolicyResponse.ProcessingTime = time.Since(startTime)
-	log.V(4).Info("finshed processing", "processingTime", resp.PolicyResponse.ProcessingTime, "validationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
+	glog.V(4).Infof("Finished applying validation rules policy %v (%v)", resp.PolicyResponse.Policy, resp.PolicyResponse.ProcessingTime)
+	glog.V(4).Infof("Validation Rules appplied successfully count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, resp.PolicyResponse.Policy)
 }
 
 func incrementAppliedCount(resp *response.EngineResponse) {
@@ -85,18 +84,20 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 	resp.PolicyResponse.RulesAppliedCount++
 }
 
-func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
+func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
 	resp := &response.EngineResponse{}
 	for _, rule := range policy.Spec.Rules {
 		if !rule.HasValidate() {
 			continue
 		}
+		startTime := time.Now()
+		glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime))
 
 		// check if the resource satisfies the filter conditions defined in the rule
 		// TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
 		// dont statisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
-			log.V(4).Info("resource fails the match description")
+			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error())
 			continue
 		}
 
@@ -104,13 +105,13 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 		copyConditions := copyConditions(rule.Conditions)
 		// evaluate pre-conditions
 		// - handle variable subsitutions
-		if !variables.EvaluateConditions(log, ctx, copyConditions) {
-			log.V(4).Info("resource fails the preconditions")
+		if !variables.EvaluateConditions(ctx, copyConditions) {
+			glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
 			continue
 		}
 
 		if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
-			ruleResponse := validatePatterns(log, ctx, resource, rule)
+			ruleResponse := validatePatterns(ctx, resource, rule)
 			incrementAppliedCount(resp)
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 		}
@@ -158,15 +159,14 @@ func isSameRules(oldRules []response.RuleResponse, newRules []response.RuleRespo
 }
 
 // validatePatterns validate pattern and anyPattern
-func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) {
+func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) {
 	startTime := time.Now()
-	logger := log.WithValues("rule", rule.Name)
-	logger.V(4).Info("start processing rule", "startTime", startTime)
+	glog.V(4).Infof("started applying validation rule %q (%v)", rule.Name, startTime)
 	resp.Name = rule.Name
 	resp.Type = utils.Validation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		logger.V(4).Info("finshed processing", "processingTime", resp.RuleStats.ProcessingTime)
+		glog.V(4).Infof("finished applying validation rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime)
 	}()
 	// work on a copy of validation rule
 	validationRule := rule.Validation.DeepCopy()
@@ -176,7 +176,7 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 		// substitute variables in the pattern
 		pattern := validationRule.Pattern
 		var err error
-		if pattern, err = variables.SubstituteVars(logger, ctx, pattern); err != nil {
+		if pattern, err = variables.SubstituteVars(ctx, pattern); err != nil {
 			// variable subsitution failed
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Validation error: %s; Validation rule '%s' failed. '%s'",
@@ -184,7 +184,7 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 			return resp
 		}
 
-		if path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern); err != nil {
+		if path, err := validate.ValidateResourceWithPattern(resource.Object, pattern); err != nil {
 			// validation failed
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Validation error: %s; Validation rule '%s' failed at path '%s'",
@@ -192,7 +192,7 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 			return resp
 		}
 		// rule application successful
-		logger.V(4).Info("successfully processed rule")
+		glog.V(4).Infof("rule %s pattern validated successfully on resource %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 		resp.Success = true
 		resp.Message = fmt.Sprintf("Validation rule '%s' succeeded.", rule.Name)
 		return resp
@@ -203,18 +203,19 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 		var failedAnyPatternsErrors []error
 		var err error
 		for idx, pattern := range validationRule.AnyPattern {
-			if pattern, err = variables.SubstituteVars(logger, ctx, pattern); err != nil {
+			if pattern, err = variables.SubstituteVars(ctx, pattern); err != nil {
 				// variable subsitution failed
 				failedSubstitutionsErrors = append(failedSubstitutionsErrors, err)
 				continue
 			}
-			_, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern)
+			_, err := validate.ValidateResourceWithPattern(resource.Object, pattern)
 			if err == nil {
 				resp.Success = true
 				resp.Message = fmt.Sprintf("Validation rule '%s' anyPattern[%d] succeeded.", rule.Name, idx)
 				return resp
 			}
-			logger.V(4).Info(fmt.Sprintf("validation rule failed for anyPattern[%d]", idx), "message", rule.Validation.Message)
+			glog.V(4).Infof("Validation error: %s; Validation rule %s anyPattern[%d] for %s/%s/%s",
+				rule.Validation.Message, rule.Name, idx, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			patternErr := fmt.Errorf("anyPattern[%d] failed; %s", idx, err)
 			failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr)
 		}
@@ -233,7 +234,7 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 				errorStr = append(errorStr, err.Error())
 			}
 			resp.Success = false
-			log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", rule.Name, errorStr))
+			glog.V(4).Infof("Validation rule '%s' failed. %s", rule.Name, errorStr)
 			if rule.Validation.Message == "" {
 				resp.Message = fmt.Sprintf("Validation rule '%s' has failed", rule.Name)
 			} else {
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index fb6f272966..5a77d81b69 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -23,8 +23,7 @@ func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) {
 	}`)
 
 	var unmarshalled map[string]interface{}
-	err := json.Unmarshal(rawMap, &unmarshalled)
-	assert.NilError(t, err)
+	json.Unmarshal(rawMap, &unmarshalled)
 
 	actualMap := utils.GetAnchorsFromMap(unmarshalled)
 	assert.Equal(t, len(actualMap), 2)
@@ -115,8 +114,7 @@ func TestValidate_image_tag_fail(t *testing.T) {
 	`)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -214,8 +212,7 @@ func TestValidate_image_tag_pass(t *testing.T) {
 	`)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -292,8 +289,7 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 	`)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -374,8 +370,7 @@ func TestValidate_host_network_port(t *testing.T) {
 	 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -464,8 +459,7 @@ func TestValidate_anchor_arraymap_pass(t *testing.T) {
 	 }	 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -553,8 +547,8 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) {
 	 }	 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
+
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
@@ -622,8 +616,7 @@ func TestValidate_anchor_map_notfound(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -695,8 +688,7 @@ func TestValidate_anchor_map_found_valid(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -768,8 +760,7 @@ func TestValidate_anchor_map_found_invalid(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -843,8 +834,7 @@ func TestValidate_AnchorList_pass(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -918,8 +908,7 @@ func TestValidate_AnchorList_fail(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -993,8 +982,7 @@ func TestValidate_existenceAnchor_fail(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1069,8 +1057,7 @@ func TestValidate_existenceAnchor_pass(t *testing.T) {
 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1157,8 +1144,7 @@ func TestValidate_negationAnchor_deny(t *testing.T) {
 	 }	 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1244,8 +1230,7 @@ func TestValidate_negationAnchor_pass(t *testing.T) {
 	 	 `)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(rawPolicy, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(rawPolicy, &policy)
 
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
@@ -1312,14 +1297,12 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) {
 	  }`)
 
 	var policy kyverno.ClusterPolicy
-	err := json.Unmarshal(policyraw, &policy)
-	assert.NilError(t, err)
+	json.Unmarshal(policyraw, &policy)
 	resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	err = ctx.AddResource(resourceRaw)
-	assert.NilError(t, err)
+	ctx.AddResource(resourceRaw)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
@@ -1409,8 +1392,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfies(t *t
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	err = ctx.AddResource(resourceRaw)
-	assert.NilError(t, err)
+	ctx.AddResource(resourceRaw)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
@@ -1500,8 +1482,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	err = ctx.AddResource(resourceRaw)
-	assert.NilError(t, err)
+	ctx.AddResource(resourceRaw)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
@@ -1591,8 +1572,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter
 	assert.NilError(t, err)
 
 	ctx := context.NewContext()
-	err = ctx.AddResource(resourceRaw)
-	assert.NilError(t, err)
+	ctx.AddResource(resourceRaw)
 
 	policyContext := PolicyContext{
 		Policy:      policy,
diff --git a/pkg/engine/variables/common.go b/pkg/engine/variables/common.go
deleted file mode 100644
index 292b82d988..0000000000
--- a/pkg/engine/variables/common.go
+++ /dev/null
@@ -1,10 +0,0 @@
-package variables
-
-import "regexp"
-
-//IsVariable returns true if the element contains a 'valid' variable {{}}
-func IsVariable(element string) bool {
-	validRegex := regexp.MustCompile(variableRegex)
-	groups := validRegex.FindAllStringSubmatch(element, -1)
-	return len(groups) != 0
-}
diff --git a/pkg/engine/variables/evaluate.go b/pkg/engine/variables/evaluate.go
index d0ebf7ed74..519a909d01 100644
--- a/pkg/engine/variables/evaluate.go
+++ b/pkg/engine/variables/evaluate.go
@@ -1,16 +1,16 @@
 package variables
 
 import (
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/variables/operator"
 )
 
 //Evaluate evaluates the condition
-func Evaluate(log logr.Logger, ctx context.EvalInterface, condition kyverno.Condition) bool {
+func Evaluate(ctx context.EvalInterface, condition kyverno.Condition) bool {
 	// get handler for the operator
-	handle := operator.CreateOperatorHandler(log, ctx, condition.Operator, SubstituteVars)
+	handle := operator.CreateOperatorHandler(ctx, condition.Operator, SubstituteVars)
 	if handle == nil {
 		return false
 	}
@@ -18,10 +18,11 @@ func Evaluate(log logr.Logger, ctx context.EvalInterface, condition kyverno.Cond
 }
 
 //EvaluateConditions evaluates multiple conditions
-func EvaluateConditions(log logr.Logger, ctx context.EvalInterface, conditions []kyverno.Condition) bool {
+func EvaluateConditions(ctx context.EvalInterface, conditions []kyverno.Condition) bool {
 	// AND the conditions
 	for _, condition := range conditions {
-		if !Evaluate(log, ctx, condition) {
+		if !Evaluate(ctx, condition) {
+			glog.V(4).Infof("condition %v failed", condition)
 			return false
 		}
 	}
diff --git a/pkg/engine/variables/evaluate_test.go b/pkg/engine/variables/evaluate_test.go
index d7d409b8f5..33b3a4f2b7 100644
--- a/pkg/engine/variables/evaluate_test.go
+++ b/pkg/engine/variables/evaluate_test.go
@@ -6,7 +6,6 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // STRINGS
@@ -19,7 +18,7 @@ func Test_Eval_Equal_Const_String_Pass(t *testing.T) {
 		Value:    "name",
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -33,7 +32,7 @@ func Test_Eval_Equal_Const_String_Fail(t *testing.T) {
 		Value:    "name1",
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -47,7 +46,7 @@ func Test_Eval_NoEqual_Const_String_Pass(t *testing.T) {
 		Value:    "name1",
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -61,7 +60,7 @@ func Test_Eval_NoEqual_Const_String_Fail(t *testing.T) {
 		Value:    "name",
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -77,7 +76,7 @@ func Test_Eval_Equal_Const_Bool_Pass(t *testing.T) {
 		Value:    true,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -91,7 +90,7 @@ func Test_Eval_Equal_Const_Bool_Fail(t *testing.T) {
 		Value:    false,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -105,7 +104,7 @@ func Test_Eval_NoEqual_Const_Bool_Pass(t *testing.T) {
 		Value:    false,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -119,7 +118,7 @@ func Test_Eval_NoEqual_Const_Bool_Fail(t *testing.T) {
 		Value:    true,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -134,7 +133,7 @@ func Test_Eval_Equal_Const_int_Pass(t *testing.T) {
 		Value:    1,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -148,7 +147,7 @@ func Test_Eval_Equal_Const_int_Fail(t *testing.T) {
 		Value:    2,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -162,7 +161,7 @@ func Test_Eval_NoEqual_Const_int_Pass(t *testing.T) {
 		Value:    2,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -176,7 +175,7 @@ func Test_Eval_NoEqual_Const_int_Fail(t *testing.T) {
 		Value:    1,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -191,7 +190,7 @@ func Test_Eval_Equal_Const_int64_Pass(t *testing.T) {
 		Value:    int64(1),
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -205,7 +204,7 @@ func Test_Eval_Equal_Const_int64_Fail(t *testing.T) {
 		Value:    int64(2),
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -219,7 +218,7 @@ func Test_Eval_NoEqual_Const_int64_Pass(t *testing.T) {
 		Value:    int64(2),
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -233,7 +232,7 @@ func Test_Eval_NoEqual_Const_int64_Fail(t *testing.T) {
 		Value:    int64(1),
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -249,7 +248,7 @@ func Test_Eval_Equal_Const_float64_Pass(t *testing.T) {
 		Value:    1.5,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -263,7 +262,7 @@ func Test_Eval_Equal_Const_float64_Fail(t *testing.T) {
 		Value:    1.6,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -277,7 +276,7 @@ func Test_Eval_NoEqual_Const_float64_Pass(t *testing.T) {
 		Value:    1.6,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -291,7 +290,7 @@ func Test_Eval_NoEqual_Const_float64_Fail(t *testing.T) {
 		Value:    1.5,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -321,7 +320,7 @@ func Test_Eval_Equal_Const_object_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -349,7 +348,7 @@ func Test_Eval_Equal_Const_object_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -377,7 +376,7 @@ func Test_Eval_NotEqual_Const_object_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -405,7 +404,7 @@ func Test_Eval_NotEqual_Const_object_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -435,7 +434,7 @@ func Test_Eval_Equal_Const_list_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -461,7 +460,7 @@ func Test_Eval_Equal_Const_list_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -487,7 +486,7 @@ func Test_Eval_NotEqual_Const_list_Pass(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -513,7 +512,7 @@ func Test_Eval_NotEqual_Const_list_Fail(t *testing.T) {
 		Value:    obj2,
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
@@ -546,7 +545,7 @@ func Test_Eval_Equal_Var_Pass(t *testing.T) {
 		Value:    "temp",
 	}
 
-	if !Evaluate(log.Log, ctx, condition) {
+	if !Evaluate(ctx, condition) {
 		t.Error("expected to pass")
 	}
 }
@@ -577,7 +576,7 @@ func Test_Eval_Equal_Var_Fail(t *testing.T) {
 		Value:    "temp1",
 	}
 
-	if Evaluate(log.Log, ctx, condition) {
+	if Evaluate(ctx, condition) {
 		t.Error("expected to fail")
 	}
 }
diff --git a/pkg/engine/variables/operator/equal.go b/pkg/engine/variables/operator/equal.go
index 1bc181f0f8..81ea80c621 100644
--- a/pkg/engine/variables/operator/equal.go
+++ b/pkg/engine/variables/operator/equal.go
@@ -1,21 +1,19 @@
 package operator
 
 import (
-	"fmt"
 	"math"
 	"reflect"
 	"strconv"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
 
 //NewEqualHandler returns handler to manage Equal operations
-func NewEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
+func NewEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
 	return EqualHandler{
 		ctx:        ctx,
 		subHandler: subHandler,
-		log:        log,
 	}
 }
 
@@ -23,7 +21,6 @@ func NewEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler Vari
 type EqualHandler struct {
 	ctx        context.EvalInterface
 	subHandler VariableSubstitutionHandler
-	log        logr.Logger
 }
 
 //Evaluate evaluates expression with Equal Operator
@@ -31,14 +28,14 @@ func (eh EqualHandler) Evaluate(key, value interface{}) bool {
 	var err error
 	//TODO: decouple variables from evaluation
 	// substitute the variables
-	if key, err = eh.subHandler(eh.log, eh.ctx, key); err != nil {
+	if key, err = eh.subHandler(eh.ctx, key); err != nil {
 		// Failed to resolve the variable
-		eh.log.Error(err, "Failed to resolve variable", "variable", key)
+		glog.Infof("Failed to resolve variables in key: %s: %v", key, err)
 		return false
 	}
-	if value, err = eh.subHandler(eh.log, eh.ctx, value); err != nil {
+	if value, err = eh.subHandler(eh.ctx, value); err != nil {
 		// Failed to resolve the variable
-		eh.log.Error(err, "Failed to resolve variable", "variable", value)
+		glog.Infof("Failed to resolve variables in value: %s: %v", value, err)
 		return false
 	}
 
@@ -59,7 +56,7 @@ func (eh EqualHandler) Evaluate(key, value interface{}) bool {
 	case []interface{}:
 		return eh.validateValueWithSlicePattern(typedKey, value)
 	default:
-		eh.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey))
+		glog.Errorf("Unsupported type %v", typedKey)
 		return false
 	}
 }
@@ -68,7 +65,7 @@ func (eh EqualHandler) validateValueWithSlicePattern(key []interface{}, value in
 	if val, ok := value.([]interface{}); ok {
 		return reflect.DeepEqual(key, val)
 	}
-	eh.log.Info("Expected type []interface{}", "value", value, "type", fmt.Sprintf("%T", value))
+	glog.Warningf("Expected []interface{}, %v is of type %T", value, value)
 	return false
 }
 
@@ -76,7 +73,7 @@ func (eh EqualHandler) validateValueWithMapPattern(key map[string]interface{}, v
 	if val, ok := value.(map[string]interface{}); ok {
 		return reflect.DeepEqual(key, val)
 	}
-	eh.log.Info("Expected type map[string]interface{}", "value", value, "type", fmt.Sprintf("%T", value))
+	glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value)
 	return false
 }
 
@@ -84,8 +81,7 @@ func (eh EqualHandler) validateValuewithStringPattern(key string, value interfac
 	if val, ok := value.(string); ok {
 		return key == val
 	}
-
-	eh.log.Info("Expected type string", "value", value, "type", fmt.Sprintf("%T", value))
+	glog.Warningf("Expected string, %v is of type %T", value, value)
 	return false
 }
 
@@ -96,25 +92,25 @@ func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interfac
 		if key == math.Trunc(key) {
 			return int(key) == typedValue
 		}
-		eh.log.Info("Expected type float, found int", "typedValue", typedValue)
+		glog.Warningf("Expected float, found int: %d\n", typedValue)
 	case int64:
 		// check that float has not fraction
 		if key == math.Trunc(key) {
 			return int64(key) == typedValue
 		}
-		eh.log.Info("Expected type float, found int", "typedValue", typedValue)
+		glog.Warningf("Expected float, found int: %d\n", typedValue)
 	case float64:
 		return typedValue == key
 	case string:
 		// extract float from string
 		float64Num, err := strconv.ParseFloat(typedValue, 64)
 		if err != nil {
-			eh.log.Error(err, "Failed to parse float64 from string")
+			glog.Warningf("Failed to parse float64 from string: %v", err)
 			return false
 		}
 		return float64Num == key
 	default:
-		eh.log.Info("Expected type float", "value", value, "type", fmt.Sprintf("%T", value))
+		glog.Warningf("Expected float, found: %T\n", value)
 		return false
 	}
 	return false
@@ -123,7 +119,7 @@ func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interfac
 func (eh EqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool {
 	typedValue, ok := value.(bool)
 	if !ok {
-		eh.log.Info("Expected type bool", "value", value, "type", fmt.Sprintf("%T", value))
+		glog.Error("Expected bool, found %V", value)
 		return false
 	}
 	return key == typedValue
@@ -140,18 +136,18 @@ func (eh EqualHandler) validateValuewithIntPattern(key int64, value interface{})
 		if typedValue == math.Trunc(typedValue) {
 			return int64(typedValue) == key
 		}
-		eh.log.Info("Expected type int, found float", "value", typedValue, "type", fmt.Sprintf("%T", typedValue))
+		glog.Warningf("Expected int, found float: %f", typedValue)
 		return false
 	case string:
 		// extract in64 from string
 		int64Num, err := strconv.ParseInt(typedValue, 10, 64)
 		if err != nil {
-			eh.log.Error(err, "Failed to parse int64 from string")
+			glog.Warningf("Failed to parse int64 from string: %v", err)
 			return false
 		}
 		return int64Num == key
 	default:
-		eh.log.Info("Expected type int", "value", value, "type", fmt.Sprintf("%T", value))
+		glog.Warningf("Expected int, %v is of type %T", value, value)
 		return false
 	}
 }
diff --git a/pkg/engine/variables/operator/notequal.go b/pkg/engine/variables/operator/notequal.go
index ce9b4e87f8..9af9e891f3 100644
--- a/pkg/engine/variables/operator/notequal.go
+++ b/pkg/engine/variables/operator/notequal.go
@@ -1,21 +1,19 @@
 package operator
 
 import (
-	"fmt"
 	"math"
 	"reflect"
 	"strconv"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
 
 //NewNotEqualHandler returns handler to manage NotEqual operations
-func NewNotEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
+func NewNotEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler {
 	return NotEqualHandler{
 		ctx:        ctx,
 		subHandler: subHandler,
-		log:        log,
 	}
 }
 
@@ -23,7 +21,6 @@ func NewNotEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler V
 type NotEqualHandler struct {
 	ctx        context.EvalInterface
 	subHandler VariableSubstitutionHandler
-	log        logr.Logger
 }
 
 //Evaluate evaluates expression with NotEqual Operator
@@ -31,14 +28,14 @@ func (neh NotEqualHandler) Evaluate(key, value interface{}) bool {
 	var err error
 	//TODO: decouple variables from evaluation
 	// substitute the variables
-	if key, err = neh.subHandler(neh.log, neh.ctx, key); err != nil {
+	if key, err = neh.subHandler(neh.ctx, key); err != nil {
 		// Failed to resolve the variable
-		neh.log.Error(err, "Failed to resolve variable", "variable", key)
+		glog.Infof("Failed to resolve variables in key: %s: %v", key, err)
 		return false
 	}
-	if value, err = neh.subHandler(neh.log, neh.ctx, value); err != nil {
+	if value, err = neh.subHandler(neh.ctx, value); err != nil {
 		// Failed to resolve the variable
-		neh.log.Error(err, "Failed to resolve variable", "variable", value)
+		glog.Infof("Failed to resolve variables in value: %s: %v", value, err)
 		return false
 	}
 	// key and value need to be of same type
@@ -58,7 +55,7 @@ func (neh NotEqualHandler) Evaluate(key, value interface{}) bool {
 	case []interface{}:
 		return neh.validateValueWithSlicePattern(typedKey, value)
 	default:
-		neh.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey))
+		glog.Error("Unsupported type %V", typedKey)
 		return false
 	}
 }
@@ -67,7 +64,7 @@ func (neh NotEqualHandler) validateValueWithSlicePattern(key []interface{}, valu
 	if val, ok := value.([]interface{}); ok {
 		return !reflect.DeepEqual(key, val)
 	}
-	neh.log.Info("Expected type []interface{}", "value", value, "type", fmt.Sprintf("%T", value))
+	glog.Warningf("Expected []interface{}, %v is of type %T", value, value)
 	return false
 }
 
@@ -75,7 +72,7 @@ func (neh NotEqualHandler) validateValueWithMapPattern(key map[string]interface{
 	if val, ok := value.(map[string]interface{}); ok {
 		return !reflect.DeepEqual(key, val)
 	}
-	neh.log.Info("Expected type map[string]interface{}", "value", value, "type", fmt.Sprintf("%T", value))
+	glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value)
 	return false
 }
 
@@ -83,7 +80,7 @@ func (neh NotEqualHandler) validateValuewithStringPattern(key string, value inte
 	if val, ok := value.(string); ok {
 		return key != val
 	}
-	neh.log.Info("Expected type string", "value", value, "type", fmt.Sprintf("%T", value))
+	glog.Warningf("Expected string, %v is of type %T", value, value)
 	return false
 }
 
@@ -94,25 +91,25 @@ func (neh NotEqualHandler) validateValuewithFloatPattern(key float64, value inte
 		if key == math.Trunc(key) {
 			return int(key) != typedValue
 		}
-		neh.log.Info("Expected type float, found int", "typedValue", typedValue)
+		glog.Warningf("Expected float, found int: %d\n", typedValue)
 	case int64:
 		// check that float has not fraction
 		if key == math.Trunc(key) {
 			return int64(key) != typedValue
 		}
-		neh.log.Info("Expected type float, found int", "typedValue", typedValue)
+		glog.Warningf("Expected float, found int: %d\n", typedValue)
 	case float64:
 		return typedValue != key
 	case string:
 		// extract float from string
 		float64Num, err := strconv.ParseFloat(typedValue, 64)
 		if err != nil {
-			neh.log.Error(err, "Failed to parse float64 from string")
+			glog.Warningf("Failed to parse float64 from string: %v", err)
 			return false
 		}
 		return float64Num != key
 	default:
-		neh.log.Info("Expected type float", "value", value, "type", fmt.Sprintf("%T", value))
+		glog.Warningf("Expected float, found: %T\n", value)
 		return false
 	}
 	return false
@@ -121,7 +118,7 @@ func (neh NotEqualHandler) validateValuewithFloatPattern(key float64, value inte
 func (neh NotEqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool {
 	typedValue, ok := value.(bool)
 	if !ok {
-		neh.log.Info("Expected type bool", "value", value, "type", fmt.Sprintf("%T", value))
+		glog.Error("Expected bool, found %V", value)
 		return false
 	}
 	return key != typedValue
@@ -138,18 +135,18 @@ func (neh NotEqualHandler) validateValuewithIntPattern(key int64, value interfac
 		if typedValue == math.Trunc(typedValue) {
 			return int64(typedValue) != key
 		}
-		neh.log.Info("Expected type int, found float", "value", typedValue, "type", fmt.Sprintf("%T", typedValue))
+		glog.Warningf("Expected int, found float: %f\n", typedValue)
 		return false
 	case string:
 		// extract in64 from string
 		int64Num, err := strconv.ParseInt(typedValue, 10, 64)
 		if err != nil {
-			neh.log.Error(err, "Failed to parse int64 from string")
+			glog.Warningf("Failed to parse int64 from string: %v", err)
 			return false
 		}
 		return int64Num != key
 	default:
-		neh.log.Info("Expected type int", "value", value, "type", fmt.Sprintf("%T", value))
+		glog.Warningf("Expected int, %v is of type %T", value, value)
 		return false
 	}
 }
diff --git a/pkg/engine/variables/operator/operator.go b/pkg/engine/variables/operator/operator.go
index adafe69982..2b3f9ce7a1 100644
--- a/pkg/engine/variables/operator/operator.go
+++ b/pkg/engine/variables/operator/operator.go
@@ -1,7 +1,7 @@
 package operator
 
 import (
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
@@ -17,17 +17,17 @@ type OperatorHandler interface {
 }
 
 //VariableSubstitutionHandler defines the handler function for variable substitution
-type VariableSubstitutionHandler = func(log logr.Logger, ctx context.EvalInterface, pattern interface{}) (interface{}, error)
+type VariableSubstitutionHandler = func(ctx context.EvalInterface, pattern interface{}) (interface{}, error)
 
 //CreateOperatorHandler returns the operator handler based on the operator used in condition
-func CreateOperatorHandler(log logr.Logger, ctx context.EvalInterface, op kyverno.ConditionOperator, subHandler VariableSubstitutionHandler) OperatorHandler {
+func CreateOperatorHandler(ctx context.EvalInterface, op kyverno.ConditionOperator, subHandler VariableSubstitutionHandler) OperatorHandler {
 	switch op {
 	case kyverno.Equal:
-		return NewEqualHandler(log, ctx, subHandler)
+		return NewEqualHandler(ctx, subHandler)
 	case kyverno.NotEqual:
-		return NewNotEqualHandler(log, ctx, subHandler)
+		return NewNotEqualHandler(ctx, subHandler)
 	default:
-		log.Info("operator not supported", "operator", string(op))
+		glog.Errorf("unsupported operator: %s", string(op))
 	}
 	return nil
 }
diff --git a/pkg/engine/variables/variables_test.go b/pkg/engine/variables/variables_test.go
index e01bf4f820..6d2eb7c60c 100644
--- a/pkg/engine/variables/variables_test.go
+++ b/pkg/engine/variables/variables_test.go
@@ -7,7 +7,6 @@ import (
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
@@ -85,7 +84,7 @@ func Test_variablesub1(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -175,7 +174,7 @@ func Test_variablesub_multiple(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -262,7 +261,7 @@ func Test_variablesubstitution(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -323,7 +322,7 @@ func Test_variableSubstitutionValue(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -381,7 +380,7 @@ func Test_variableSubstitutionValueOperatorNotEqual(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -440,7 +439,7 @@ func Test_variableSubstitutionValueFail(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err == nil {
+	if _, err := SubstituteVars(ctx, patternCopy); err == nil {
 		t.Log("expected to fails")
 		t.Fail()
 	}
@@ -498,7 +497,7 @@ func Test_variableSubstitutionObject(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -562,7 +561,7 @@ func Test_variableSubstitutionObjectOperatorNotEqualFail(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err == nil {
+	if _, err := SubstituteVars(ctx, patternCopy); err == nil {
 		t.Error(err)
 	}
 
@@ -621,7 +620,7 @@ func Test_variableSubstitutionMultipleObject(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if _, err := SubstituteVars(ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go
index 59fd8f7fd5..4c336f2ede 100644
--- a/pkg/engine/variables/vars.go
+++ b/pkg/engine/variables/vars.go
@@ -6,7 +6,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 )
 
@@ -17,9 +17,9 @@ const (
 
 //SubstituteVars replaces the variables with the values defined in the context
 // - if any variable is invaid or has nil value, it is considered as a failed varable substitution
-func SubstituteVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}) (interface{}, error) {
+func SubstituteVars(ctx context.EvalInterface, pattern interface{}) (interface{}, error) {
 	errs := []error{}
-	pattern = subVars(log, ctx, pattern, "", &errs)
+	pattern = subVars(ctx, pattern, "", &errs)
 	if len(errs) == 0 {
 		// no error while parsing the pattern
 		return pattern, nil
@@ -27,40 +27,40 @@ func SubstituteVars(log logr.Logger, ctx context.EvalInterface, pattern interfac
 	return pattern, fmt.Errorf("%v", errs)
 }
 
-func subVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}, path string, errs *[]error) interface{} {
+func subVars(ctx context.EvalInterface, pattern interface{}, path string, errs *[]error) interface{} {
 	switch typedPattern := pattern.(type) {
 	case map[string]interface{}:
-		return subMap(log, ctx, typedPattern, path, errs)
+		return subMap(ctx, typedPattern, path, errs)
 	case []interface{}:
-		return subArray(log, ctx, typedPattern, path, errs)
+		return subArray(ctx, typedPattern, path, errs)
 	case string:
-		return subValR(log, ctx, typedPattern, path, errs)
+		return subValR(ctx, typedPattern, path, errs)
 	default:
 		return pattern
 	}
 }
 
-func subMap(log logr.Logger, ctx context.EvalInterface, patternMap map[string]interface{}, path string, errs *[]error) map[string]interface{} {
+func subMap(ctx context.EvalInterface, patternMap map[string]interface{}, path string, errs *[]error) map[string]interface{} {
 	for key, patternElement := range patternMap {
 		curPath := path + "/" + key
-		value := subVars(log, ctx, patternElement, curPath, errs)
+		value := subVars(ctx, patternElement, curPath, errs)
 		patternMap[key] = value
 
 	}
 	return patternMap
 }
 
-func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interface{}, path string, errs *[]error) []interface{} {
+func subArray(ctx context.EvalInterface, patternList []interface{}, path string, errs *[]error) []interface{} {
 	for idx, patternElement := range patternList {
 		curPath := path + "/" + strconv.Itoa(idx)
-		value := subVars(log, ctx, patternElement, curPath, errs)
+		value := subVars(ctx, patternElement, curPath, errs)
 		patternList[idx] = value
 	}
 	return patternList
 }
 
 // subValR resolves the variables if defined
-func subValR(log logr.Logger, ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
+func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
 
 	// variable values can be scalar values(string,int, float) or they can be obects(map,slice)
 	// - {{variable}}
@@ -73,7 +73,7 @@ func subValR(log logr.Logger, ctx context.EvalInterface, valuePattern string, pa
 	// since this might be a potential place for error, required better error reporting and handling
 
 	// object values are only suported for single variable substitution
-	if ok, retVal := processIfSingleVariable(log, ctx, valuePattern, path, errs); ok {
+	if ok, retVal := processIfSingleVariable(ctx, valuePattern, path, errs); ok {
 		return retVal
 	}
 	// var emptyInterface interface{}
@@ -82,7 +82,7 @@ func subValR(log logr.Logger, ctx context.EvalInterface, valuePattern string, pa
 	for {
 		valueStr := valuePattern
 		if len(failedVars) != 0 {
-			log.Info("failed to resolve variablesl short-circuiting")
+			glog.Info("some failed variables short-circuiting")
 			break
 		}
 		// get variables at this level
@@ -123,7 +123,7 @@ func subValR(log logr.Logger, ctx context.EvalInterface, valuePattern string, pa
 				continue
 			}
 			// if type is not scalar then consider this as a failed variable
-			log.Info("variable resolves to non-scalar value. Non-Scalar values are not supported for nested variables", "variable", k, "value", v)
+			glog.Infof("variable %s resolves to non-scalar value %v. Non-Scalar values are not supported for nested variables", k, v)
 			failedVars = append(failedVars, k)
 		}
 		valuePattern = newVal
@@ -143,10 +143,10 @@ func subValR(log logr.Logger, ctx context.EvalInterface, valuePattern string, pa
 // if the value can be evaluted return the value
 // -> return value can be scalar or object type
 // -> if the variable is not present in the context then add an error and dont process further
-func processIfSingleVariable(log logr.Logger, ctx context.EvalInterface, valuePattern interface{}, path string, errs *[]error) (bool, interface{}) {
+func processIfSingleVariable(ctx context.EvalInterface, valuePattern interface{}, path string, errs *[]error) (bool, interface{}) {
 	valueStr, ok := valuePattern.(string)
 	if !ok {
-		log.Info("failed to convert to string", "pattern", valuePattern)
+		glog.Infof("failed to convert %v to string", valuePattern)
 		return false, nil
 	}
 	// get variables at this level
diff --git a/pkg/engine/variables/vars_test.go b/pkg/engine/variables/vars_test.go
index aae517a082..171c62ace4 100644
--- a/pkg/engine/variables/vars_test.go
+++ b/pkg/engine/variables/vars_test.go
@@ -6,7 +6,6 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"gotest.tools/assert"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Test_subVars_success(t *testing.T) {
@@ -65,7 +64,7 @@ func Test_subVars_success(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, pattern); err != nil {
+	if _, err := SubstituteVars(ctx, pattern); err != nil {
 		t.Error(err)
 	}
 }
@@ -126,7 +125,7 @@ func Test_subVars_failed(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, pattern); err == nil {
+	if _, err := SubstituteVars(ctx, pattern); err == nil {
 		t.Error("error is expected")
 	}
 }
@@ -153,5 +152,5 @@ func Test_SubvarRecursive(t *testing.T) {
 	ctx := context.NewContext()
 	assert.Assert(t, ctx.AddResource(resourceRaw))
 	errs := []error{}
-	subValR(log.Log, ctx, string(patternRaw), "/", &errs)
+	subValR(ctx, string(patternRaw), "/", &errs)
 }
diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index a33e50f756..aa98d09e42 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -3,7 +3,7 @@ package event
 import (
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -17,7 +17,6 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
-	"k8s.io/klog"
 )
 
 //Generator generate events
@@ -35,7 +34,6 @@ type Generator struct {
 	admissionCtrRecorder record.EventRecorder
 	// events generated at namespaced policy controller to process 'generate' rule
 	genPolicyRecorder record.EventRecorder
-	log               logr.Logger
 }
 
 //Interface to generate event
@@ -44,33 +42,32 @@ type Interface interface {
 }
 
 //NewEventGenerator to generate a new event controller
-func NewEventGenerator(client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer, log logr.Logger) *Generator {
+func NewEventGenerator(client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer) *Generator {
 
 	gen := Generator{
 		client:               client,
 		pLister:              pInformer.Lister(),
 		queue:                workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), eventWorkQueueName),
 		pSynced:              pInformer.Informer().HasSynced,
-		policyCtrRecorder:    initRecorder(client, PolicyController, log),
-		admissionCtrRecorder: initRecorder(client, AdmissionController, log),
-		genPolicyRecorder:    initRecorder(client, GeneratePolicyController, log),
-		log:                  log,
+		policyCtrRecorder:    initRecorder(client, PolicyController),
+		admissionCtrRecorder: initRecorder(client, AdmissionController),
+		genPolicyRecorder:    initRecorder(client, GeneratePolicyController),
 	}
 	return &gen
 }
 
-func initRecorder(client *client.Client, eventSource Source, log logr.Logger) record.EventRecorder {
+func initRecorder(client *client.Client, eventSource Source) record.EventRecorder {
 	// Initliaze Event Broadcaster
 	err := scheme.AddToScheme(scheme.Scheme)
 	if err != nil {
-		log.Error(err, "failed to add to scheme")
+		glog.Error(err)
 		return nil
 	}
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(klog.Infof)
+	eventBroadcaster.StartLogging(glog.V(4).Infof)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
-		log.Error(err, "failed to get event interface for logging")
+		glog.Error(err) // TODO: add more specific error
 		return nil
 	}
 	eventBroadcaster.StartRecordingToSink(
@@ -84,12 +81,11 @@ func initRecorder(client *client.Client, eventSource Source, log logr.Logger) re
 
 //Add queues an event for generation
 func (gen *Generator) Add(infos ...Info) {
-	logger := gen.log
 	for _, info := range infos {
 		if info.Name == "" {
 			// dont create event for resources with generateName
 			// as the name is not generated yet
-			logger.V(4).Info("not creating an event as the resource has not been assigned a name yet", "kind", info.Kind, "name", info.Name, "namespace", info.Namespace)
+			glog.V(4).Infof("received info %v, not creating an event as the resource has not been assigned a name yet", info)
 			continue
 		}
 		gen.queue.Add(info)
@@ -98,14 +94,12 @@ func (gen *Generator) Add(infos ...Info) {
 
 // Run begins generator
 func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
-	logger := gen.log
 	defer utilruntime.HandleCrash()
-
-	logger.Info("start")
-	defer logger.Info("shutting down")
+	glog.Info("Starting event generator")
+	defer glog.Info("Shutting down event generator")
 
 	if !cache.WaitForCacheSync(stopCh, gen.pSynced) {
-		logger.Info("failed to sync informer cache")
+		glog.Error("event generator: failed to sync informer cache")
 	}
 
 	for i := 0; i < workers; i++ {
@@ -120,25 +114,24 @@ func (gen *Generator) runWorker() {
 }
 
 func (gen *Generator) handleErr(err error, key interface{}) {
-	logger := gen.log
 	if err == nil {
 		gen.queue.Forget(key)
 		return
 	}
 	// This controller retries if something goes wrong. After that, it stops trying.
 	if gen.queue.NumRequeues(key) < workQueueRetryLimit {
-		logger.Error(err, "Error syncing events;re-queuing request,the resource might not have been created yet", "key", key)
+		glog.Warningf("Error syncing events %v(re-queuing request, the resource might not have been created yet): %v", key, err)
 		// Re-enqueue the key rate limited. Based on the rate limiter on the
 		// queue and the re-enqueue history, the key will be processed later again.
 		gen.queue.AddRateLimited(key)
 		return
 	}
 	gen.queue.Forget(key)
-	logger.Error(err, "dropping the key out of queue", "key", key)
+	glog.Error(err)
+	glog.Warningf("Dropping the key out of the queue: %v", err)
 }
 
 func (gen *Generator) processNextWorkItem() bool {
-	logger := gen.log
 	obj, shutdown := gen.queue.Get()
 	if shutdown {
 		return false
@@ -151,7 +144,7 @@ func (gen *Generator) processNextWorkItem() bool {
 
 		if key, ok = obj.(Info); !ok {
 			gen.queue.Forget(obj)
-			logger.Info("Incorrect type; expected type 'info'", "obj", obj)
+			glog.Warningf("Expecting type info by got %v\n", obj)
 			return nil
 		}
 		err := gen.syncHandler(key)
@@ -159,14 +152,13 @@ func (gen *Generator) processNextWorkItem() bool {
 		return nil
 	}(obj)
 	if err != nil {
-		logger.Error(err, "failed to process next work item")
+		glog.Error(err)
 		return true
 	}
 	return true
 }
 
 func (gen *Generator) syncHandler(key Info) error {
-	logger := gen.log
 	var robj runtime.Object
 	var err error
 	switch key.Kind {
@@ -174,13 +166,13 @@ func (gen *Generator) syncHandler(key Info) error {
 		//TODO: policy is clustered resource so wont need namespace
 		robj, err = gen.pLister.Get(key.Name)
 		if err != nil {
-			logger.Error(err, "failed to get policy", "name", key.Name)
+			glog.V(4).Infof("Error creating event: unable to get policy %s, will retry ", key.Name)
 			return err
 		}
 	default:
 		robj, err = gen.client.GetResource(key.Kind, key.Namespace, key.Name)
 		if err != nil {
-			logger.Error(err, "failed to get resource", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace)
+			glog.V(4).Infof("Error creating event: unable to get resource %s/%s/%s, will retry ", key.Kind, key.Namespace, key.Name)
 			return err
 		}
 	}
@@ -200,14 +192,13 @@ func (gen *Generator) syncHandler(key Info) error {
 	case GeneratePolicyController:
 		gen.genPolicyRecorder.Event(robj, eventType, key.Reason, key.Message)
 	default:
-		logger.Info("info.source not defined for the request")
+		glog.Info("info.source not defined for the event generator request")
 	}
 	return nil
 }
 
 //NewEvent builds a event creation request
 func NewEvent(
-	log logr.Logger,
 	rkind,
 	rapiVersion,
 	rnamespace,
@@ -218,7 +209,7 @@ func NewEvent(
 	args ...interface{}) Info {
 	msgText, err := getEventMsg(message, args...)
 	if err != nil {
-		log.Error(err, "failed to get event message")
+		glog.Error(err)
 	}
 	return Info{
 		Kind:      rkind,
diff --git a/pkg/generate/cleanup/cleanup.go b/pkg/generate/cleanup/cleanup.go
index de1758aeba..d25fddd44e 100644
--- a/pkg/generate/cleanup/cleanup.go
+++ b/pkg/generate/cleanup/cleanup.go
@@ -1,20 +1,19 @@
 package cleanup
 
 import (
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
 func (c *Controller) processGR(gr kyverno.GenerateRequest) error {
-	logger := c.log.WithValues("kind", gr.Kind, "namespace", gr.Namespace, "name", gr.Name)
 	// 1- Corresponding policy has been deleted
 	// then we dont delete the generated resources
 
 	// 2- The trigger resource is deleted, then delete the generated resources
-	if !ownerResourceExists(logger, c.client, gr) {
-		if err := deleteGeneratedResources(logger, c.client, gr); err != nil {
+	if !ownerResourceExists(c.client, gr) {
+		if err := deleteGeneratedResources(c.client, gr); err != nil {
 			return err
 		}
 		// - trigger-resource is deleted
@@ -25,25 +24,25 @@ func (c *Controller) processGR(gr kyverno.GenerateRequest) error {
 	return nil
 }
 
-func ownerResourceExists(log logr.Logger, client *dclient.Client, gr kyverno.GenerateRequest) bool {
+func ownerResourceExists(client *dclient.Client, gr kyverno.GenerateRequest) bool {
 	_, err := client.GetResource(gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name)
 	// trigger resources has been deleted
 	if apierrors.IsNotFound(err) {
 		return false
 	}
 	if err != nil {
-		log.Error(err, "failed to get resource", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name)
+		glog.V(4).Infof("Failed to get resource %s/%s/%s: error : %s", gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name, err)
 	}
 	// if there was an error while querying the resources we dont delete the generated resources
 	// but expect the deletion in next reconciliation loop
 	return true
 }
 
-func deleteGeneratedResources(log logr.Logger, client *dclient.Client, gr kyverno.GenerateRequest) error {
+func deleteGeneratedResources(client *dclient.Client, gr kyverno.GenerateRequest) error {
 	for _, genResource := range gr.Status.GeneratedResources {
 		err := client.DeleteResource(genResource.Kind, genResource.Namespace, genResource.Name, false)
 		if apierrors.IsNotFound(err) {
-			log.Error(err, "resource not foundl will not delete", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name)
+			glog.V(4).Infof("resource %s/%s/%s not found, will no delete", genResource.Kind, genResource.Namespace, genResource.Name)
 			continue
 		}
 		if err != nil {
diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go
index 2c31254219..396058a346 100644
--- a/pkg/generate/cleanup/controller.go
+++ b/pkg/generate/cleanup/controller.go
@@ -1,9 +1,11 @@
 package cleanup
 
 import (
+	"fmt"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
+
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -51,7 +53,6 @@ type Controller struct {
 	//TODO: list of generic informers
 	// only support Namespaces for deletion of resource
 	nsInformer informers.GenericInformer
-	log        logr.Logger
 }
 
 //NewController returns a new controller instance to manage generate-requests
@@ -61,7 +62,6 @@ func NewController(
 	pInformer kyvernoinformer.ClusterPolicyInformer,
 	grInformer kyvernoinformer.GenerateRequestInformer,
 	dynamicInformer dynamicinformer.DynamicSharedInformerFactory,
-	log logr.Logger,
 ) *Controller {
 	c := Controller{
 		kyvernoClient: kyvernoclient,
@@ -70,7 +70,6 @@ func NewController(
 		// as we dont want a deleted GR to be re-queue
 		queue:           workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request-cleanup"),
 		dynamicInformer: dynamicInformer,
-		log:             log,
 	}
 	c.control = Control{client: kyvernoclient}
 	c.enqueueGR = c.enqueue
@@ -103,11 +102,10 @@ func NewController(
 }
 
 func (c *Controller) deleteGenericResource(obj interface{}) {
-	logger := c.log
 	r := obj.(*unstructured.Unstructured)
 	grs, err := c.grLister.GetGenerateRequestsForResource(r.GetKind(), r.GetNamespace(), r.GetName())
 	if err != nil {
-		logger.Error(err, "failed to get generate request CR for resource", "kind", r.GetKind(), "namespace", r.GetNamespace(), "name", r.GetName())
+		glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", r.GetKind(), r.GetNamespace(), r.GetName(), err)
 		return
 	}
 	// re-evaluate the GR as the resource was deleted
@@ -117,27 +115,26 @@ func (c *Controller) deleteGenericResource(obj interface{}) {
 }
 
 func (c *Controller) deletePolicy(obj interface{}) {
-	logger := c.log
 	p, ok := obj.(*kyverno.ClusterPolicy)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			logger.Info("ouldn't get object from tombstone", "obj", obj)
+			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
 			return
 		}
 		_, ok = tombstone.Obj.(*kyverno.ClusterPolicy)
 		if !ok {
-			logger.Info("Tombstone contained object that is not a Generate Request", "obj", obj)
+			glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj))
 			return
 		}
 	}
-	logger.V(4).Info("deleting policy", "name", p.Name)
+	glog.V(4).Infof("Deleting Policy %s", p.Name)
 	// clean up the GR
 	// Get the corresponding GR
 	// get the list of GR for the current Policy version
 	grs, err := c.grLister.GetGenerateRequestsForClusterPolicy(p.Name)
 	if err != nil {
-		logger.Error(err, "failed to generate request CR for the policy", "name", p.Name)
+		glog.Errorf("failed to Generate Requests for policy %s: %v", p.Name, err)
 		return
 	}
 	for _, gr := range grs {
@@ -156,46 +153,44 @@ func (c *Controller) updateGR(old, cur interface{}) {
 }
 
 func (c *Controller) deleteGR(obj interface{}) {
-	logger := c.log
 	gr, ok := obj.(*kyverno.GenerateRequest)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			logger.Info("Couldn't get object from tombstone", "obj", obj)
+			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
 			return
 		}
 		_, ok = tombstone.Obj.(*kyverno.GenerateRequest)
 		if !ok {
-			logger.Info("ombstone contained object that is not a Generate Request", "obj", obj)
+			glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj))
 			return
 		}
 	}
-	logger.V(4).Info("deleting Generate Request CR", "name", gr.Name)
+	glog.V(4).Infof("Deleting GR %s", gr.Name)
 	// sync Handler will remove it from the queue
 	c.enqueueGR(gr)
 }
 
 func (c *Controller) enqueue(gr *kyverno.GenerateRequest) {
-	logger := c.log
 	key, err := cache.MetaNamespaceKeyFunc(gr)
 	if err != nil {
-		logger.Error(err, "failed to extract key")
+		glog.Error(err)
 		return
 	}
-	logger.V(4).Info("eneque generate request", "name", gr.Name)
+	glog.V(4).Infof("cleanup enqueu: %v", gr.Name)
 	c.queue.Add(key)
 }
 
 //Run starts the generate-request re-conciliation loop
 func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
-	logger := c.log
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
-	logger.Info("starting")
-	defer logger.Info("shutting down")
+
+	glog.Info("Starting generate-policy-cleanup controller")
+	defer glog.Info("Shutting down generate-policy-cleanup controller")
 
 	if !cache.WaitForCacheSync(stopCh, c.pSynced, c.grSynced) {
-		logger.Info("failed to sync informer cache")
+		glog.Error("generate-policy-cleanup controller: failed to sync informer cache")
 		return
 	}
 	for i := 0; i < workers; i++ {
@@ -224,33 +219,31 @@ func (c *Controller) processNextWorkItem() bool {
 }
 
 func (c *Controller) handleErr(err error, key interface{}) {
-	logger := c.log
 	if err == nil {
 		c.queue.Forget(key)
 		return
 	}
 
 	if c.queue.NumRequeues(key) < maxRetries {
-		logger.Error(err, "failed to sync generate request", "key", key)
+		glog.Errorf("Error syncing Generate Request %v: %v", key, err)
 		c.queue.AddRateLimited(key)
 		return
 	}
 	utilruntime.HandleError(err)
-	logger.Error(err, "dropping generate request out of the queue", "key", key)
+	glog.Infof("Dropping generate request %q out of the queue: %v", key, err)
 	c.queue.Forget(key)
 }
 
 func (c *Controller) syncGenerateRequest(key string) error {
-	logger := c.log.WithValues("key", key)
 	var err error
 	startTime := time.Now()
-	logger.Info("started syncing generate request", "startTime", startTime)
+	glog.V(4).Infof("Started syncing GR %q (%v)", key, startTime)
 	defer func() {
-		logger.V(4).Info("finished syncying generate request", "processingTIme", time.Since(startTime))
+		glog.V(4).Infof("Finished syncing GR %q (%v)", key, time.Since(startTime))
 	}()
 	_, grName, err := cache.SplitMetaNamespaceKey(key)
 	if errors.IsNotFound(err) {
-		logger.Info("generate request has been deleted")
+		glog.Infof("Generate Request %s has been deleted", key)
 		return nil
 	}
 	if err != nil {
diff --git a/pkg/generate/controller.go b/pkg/generate/controller.go
index b848609177..d40ed2af0d 100644
--- a/pkg/generate/controller.go
+++ b/pkg/generate/controller.go
@@ -1,9 +1,10 @@
 package generate
 
 import (
+	"fmt"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -56,9 +57,9 @@ type Controller struct {
 	dynamicInformer dynamicinformer.DynamicSharedInformerFactory
 	//TODO: list of generic informers
 	// only support Namespaces for re-evalutation on resource updates
-	nsInformer           informers.GenericInformer
+	nsInformer informers.GenericInformer
+
 	policyStatusListener policystatus.Listener
-	log                  logr.Logger
 }
 
 //NewController returns an instance of the Generate-Request Controller
@@ -71,7 +72,6 @@ func NewController(
 	pvGenerator policyviolation.GeneratorInterface,
 	dynamicInformer dynamicinformer.DynamicSharedInformerFactory,
 	policyStatus policystatus.Listener,
-	log logr.Logger,
 ) *Controller {
 	c := Controller{
 		client:        client,
@@ -82,7 +82,6 @@ func NewController(
 		// as we dont want a deleted GR to be re-queue
 		queue:                workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request"),
 		dynamicInformer:      dynamicInformer,
-		log:                  log,
 		policyStatusListener: policyStatus,
 	}
 	c.statusControl = StatusControl{client: kyvernoclient}
@@ -118,12 +117,11 @@ func NewController(
 }
 
 func (c *Controller) updateGenericResource(old, cur interface{}) {
-	logger := c.log
 	curR := cur.(*unstructured.Unstructured)
 
 	grs, err := c.grLister.GetGenerateRequestsForResource(curR.GetKind(), curR.GetNamespace(), curR.GetName())
 	if err != nil {
-		logger.Error(err, "failed to get generate request CR for the resoource", "kind", curR.GetKind(), "name", curR.GetName(), "namespace", curR.GetNamespace())
+		glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", curR.GetKind(), curR.GetNamespace(), curR.GetName(), err)
 		return
 	}
 	// re-evaluate the GR as the resource was updated
@@ -136,14 +134,13 @@ func (c *Controller) updateGenericResource(old, cur interface{}) {
 func (c *Controller) enqueue(gr *kyverno.GenerateRequest) {
 	key, err := cache.MetaNamespaceKeyFunc(gr)
 	if err != nil {
-		c.log.Error(err, "failed to extract name")
+		glog.Error(err)
 		return
 	}
 	c.queue.Add(key)
 }
 
 func (c *Controller) updatePolicy(old, cur interface{}) {
-	logger := c.log
 	oldP := old.(*kyverno.ClusterPolicy)
 	curP := cur.(*kyverno.ClusterPolicy)
 	if oldP.ResourceVersion == curP.ResourceVersion {
@@ -151,11 +148,11 @@ func (c *Controller) updatePolicy(old, cur interface{}) {
 		// Two different versions of the same replica set will always have different RVs.
 		return
 	}
-	logger.V(4).Info("updating policy", "name", oldP.Name)
+	glog.V(4).Infof("Updating Policy %s", oldP.Name)
 	// get the list of GR for the current Policy version
 	grs, err := c.grLister.GetGenerateRequestsForClusterPolicy(curP.Name)
 	if err != nil {
-		logger.Error(err, "failed to generate request for policy", "name", curP.Name)
+		glog.Errorf("failed to Generate Requests for policy %s: %v", curP.Name, err)
 		return
 	}
 	// re-evaluate the GR as the policy was updated
@@ -186,36 +183,34 @@ func (c *Controller) updateGR(old, cur interface{}) {
 }
 
 func (c *Controller) deleteGR(obj interface{}) {
-	logger := c.log
 	gr, ok := obj.(*kyverno.GenerateRequest)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			logger.Info("Couldn't get object from tombstone", "obj", obj)
+			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
 			return
 		}
 		_, ok = tombstone.Obj.(*kyverno.GenerateRequest)
 		if !ok {
-			logger.Info("tombstone contained object that is not a Generate Request CR", "obj", obj)
+			glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj))
 			return
 		}
 	}
-	logger.Info("deleting generate request", "name", gr.Name)
+	glog.V(4).Infof("Deleting GR %s", gr.Name)
 	// sync Handler will remove it from the queue
 	c.enqueueGR(gr)
 }
 
 //Run ...
 func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
-	logger := c.log
 	defer utilruntime.HandleCrash()
 	defer c.queue.ShutDown()
 
-	logger.Info("starting")
-	defer logger.Info("shutting down")
+	glog.Info("Starting generate-policy controller")
+	defer glog.Info("Shutting down generate-policy controller")
 
 	if !cache.WaitForCacheSync(stopCh, c.pSynced, c.grSynced) {
-		logger.Info("failed to sync informer cache")
+		glog.Error("generate-policy controller: failed to sync informer cache")
 		return
 	}
 	for i := 0; i < workers; i++ {
@@ -244,29 +239,27 @@ func (c *Controller) processNextWorkItem() bool {
 }
 
 func (c *Controller) handleErr(err error, key interface{}) {
-	logger := c.log
 	if err == nil {
 		c.queue.Forget(key)
 		return
 	}
 
 	if c.queue.NumRequeues(key) < maxRetries {
-		logger.Error(err, "failed to sync generate request", "key", key)
+		glog.Errorf("Error syncing Generate Request %v: %v", key, err)
 		c.queue.AddRateLimited(key)
 		return
 	}
 	utilruntime.HandleError(err)
-	logger.Error(err, "Dropping generate request from the queue", "key", key)
+	glog.Infof("Dropping generate request %q out of the queue: %v", key, err)
 	c.queue.Forget(key)
 }
 
 func (c *Controller) syncGenerateRequest(key string) error {
-	logger := c.log
 	var err error
 	startTime := time.Now()
-	logger.Info("started sync", "key", key, "startTime", startTime)
+	glog.V(4).Infof("Started syncing GR %q (%v)", key, startTime)
 	defer func() {
-		logger.V(4).Info("finished sync", "key", key, "processingTime", time.Since(startTime))
+		glog.V(4).Infof("Finished syncing GR %q (%v)", key, time.Since(startTime))
 	}()
 	_, grName, err := cache.SplitMetaNamespaceKey(key)
 	if err != nil {
@@ -275,7 +268,7 @@ func (c *Controller) syncGenerateRequest(key string) error {
 
 	gr, err := c.grLister.Get(grName)
 	if err != nil {
-		logger.Error(err, "failed to list generate requests")
+		glog.V(4).Info(err)
 		return err
 	}
 	return c.processGR(gr)
diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go
index 9f3edc4bc8..bff1dbbca6 100644
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -17,7 +17,6 @@ import (
 )
 
 func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
-	logger := c.log.WithValues("name", gr.Name, "policy", gr.Spec.Policy, "kind", gr.Spec.Resource.Kind, "namespace", gr.Spec.Resource.Namespace, "name", gr.Spec.Resource.Name)
 	var err error
 	var resource *unstructured.Unstructured
 	var genResources []kyverno.ResourceSpec
@@ -25,46 +24,45 @@ func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
 	resource, err = getResource(c.client, gr.Spec.Resource)
 	if err != nil {
 		// Dont update status
-		logger.Error(err, "resource does not exist or is yet to be created, requeueing")
+		glog.V(4).Infof("resource does not exist or is yet to be created, requeuing: %v", err)
 		return err
 	}
 	// 2 - Apply the generate policy on the resource
 	genResources, err = c.applyGenerate(*resource, *gr)
 	// 3 - Report Events
-	reportEvents(logger, err, c.eventGen, *gr, *resource)
+	reportEvents(err, c.eventGen, *gr, *resource)
 	// 4 - Update Status
 	return updateStatus(c.statusControl, *gr, err, genResources)
 }
 
 func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) {
-	logger := c.log.WithValues("name", gr.Name, "policy", gr.Spec.Policy, "kind", gr.Spec.Resource.Kind, "namespace", gr.Spec.Resource.Namespace, "name", gr.Spec.Resource.Name)
 	// Get the list of rules to be applied
 	// get policy
 	policy, err := c.pLister.Get(gr.Spec.Policy)
 	if err != nil {
-		logger.Error(err, "policy not found")
+		glog.V(4).Infof("policy %s not found: %v", gr.Spec.Policy, err)
 		return nil, nil
 	}
 	// build context
 	ctx := context.NewContext()
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
-		logger.Error(err, "failed to marshal resource")
+		glog.V(4).Infof("failed to marshal resource: %v", err)
 		return nil, err
 	}
 	err = ctx.AddResource(resourceRaw)
 	if err != nil {
-		logger.Error(err, "failed to load resource in context")
+		glog.Infof("Failed to load resource in context: %v", err)
 		return nil, err
 	}
 	err = ctx.AddUserInfo(gr.Spec.Context.UserRequestInfo)
 	if err != nil {
-		logger.Error(err, "failed to load SA in context")
+		glog.Infof("Failed to load userInfo in context: %v", err)
 		return nil, err
 	}
 	err = ctx.AddSA(gr.Spec.Context.UserRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		logger.Error(err, "failed to load UserInfo in context")
+		glog.Infof("Failed to load serviceAccount in context: %v", err)
 		return nil, err
 	}
 
@@ -78,12 +76,12 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
 	// check if the policy still applies to the resource
 	engineResponse := engine.Generate(policyContext)
 	if len(engineResponse.PolicyResponse.Rules) == 0 {
-		logger.V(4).Info("policy does not apply to resource")
+		glog.V(4).Infof("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource)
 		return nil, fmt.Errorf("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource)
 	}
 
 	// Apply the generate rule on resource
-	return c.applyGeneratePolicy(logger, policyContext, gr)
+	return c.applyGeneratePolicy(policyContext, gr)
 }
 
 func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateRequest, err error, genResources []kyverno.ResourceSpec) error {
@@ -95,7 +93,7 @@ func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateReque
 	return statusControl.Success(gr, genResources)
 }
 
-func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.PolicyContext, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) {
+func (c *Controller) applyGeneratePolicy(policyContext engine.PolicyContext, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) {
 	// List of generatedResources
 	var genResources []kyverno.ResourceSpec
 	// Get the response as the actions to be performed on the resource
@@ -115,8 +113,9 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.P
 		if !rule.HasGenerate() {
 			continue
 		}
+
 		startTime := time.Now()
-		genResource, err := applyRule(log, c.client, rule, resource, ctx, processExisting)
+		genResource, err := applyRule(c.client, rule, resource, ctx, processExisting)
 		if err != nil {
 			return nil, err
 		}
@@ -173,7 +172,7 @@ func updateGenerateExecutionTime(newTime time.Duration, oldAverageTimeString str
 	return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond
 }
 
-func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool) (kyverno.ResourceSpec, error) {
+func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool) (kyverno.ResourceSpec, error) {
 	var rdata map[string]interface{}
 	var err error
 	var mode ResourceMode
@@ -188,7 +187,7 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
 	// format : {{<variable_name}}
 	// - if there is variables that are not defined the context -> results in error and rule is not applied
 	// - valid variables are replaced with the values
-	if _, err := variables.SubstituteVars(log, ctx, genUnst.Object); err != nil {
+	if _, err := variables.SubstituteVars(ctx, genUnst.Object); err != nil {
 		return noGenResource, err
 	}
 	genKind, _, err := unstructured.NestedString(genUnst.Object, "kind")
@@ -220,9 +219,9 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
 	}
 
 	if genData != nil {
-		rdata, mode, err = manageData(log, genKind, genNamespace, genName, genData, client, resource)
+		rdata, mode, err = manageData(genKind, genNamespace, genName, genData, client, resource)
 	} else {
-		rdata, mode, err = manageClone(log, genKind, genNamespace, genName, genCopy, client, resource)
+		rdata, mode, err = manageClone(genKind, genNamespace, genName, genCopy, client, resource)
 	}
 	if err != nil {
 		return noGenResource, err
@@ -249,38 +248,38 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
 	// - app.kubernetes.io/managed-by: kyverno
 	// - kyverno.io/generated-by: kind/namespace/name (trigger resource)
 	manageLabels(newResource, resource)
-	logger := log.WithValues("genKind", genKind, "genNamespace", genNamespace, "genName", genName)
+
 	if mode == Create {
 		// Reset resource version
 		newResource.SetResourceVersion("")
 		// Create the resource
-		logger.V(4).Info("creating new resource")
+		glog.V(4).Infof("Creating new resource %s/%s/%s", genKind, genNamespace, genName)
 		_, err = client.CreateResource(genKind, genNamespace, newResource, false)
 		if err != nil {
 			// Failed to create resource
 			return noGenResource, err
 		}
-		logger.V(4).Info("created new resource")
+		glog.V(4).Infof("Created new resource %s/%s/%s", genKind, genNamespace, genName)
 
 	} else if mode == Update {
-		logger.V(4).Info("updating existing resource")
+		glog.V(4).Infof("Updating existing resource %s/%s/%s", genKind, genNamespace, genName)
 		// Update the resource
 		_, err := client.UpdateResource(genKind, genNamespace, newResource, false)
 		if err != nil {
 			// Failed to update resource
 			return noGenResource, err
 		}
-		logger.V(4).Info("updated new resource")
+		glog.V(4).Infof("Updated existing resource %s/%s/%s", genKind, genNamespace, genName)
 	}
 
 	return newGenResource, nil
 }
 
-func manageData(log logr.Logger, kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
+func manageData(kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
 	// check if resource to be generated exists
 	obj, err := client.GetResource(kind, namespace, name)
 	if apierrors.IsNotFound(err) {
-		log.Error(err, "resource does not exist, will try to create", "genKind", kind, "genNamespace", namespace, "genName", name)
+		glog.V(4).Infof("Resource %s/%s/%s does not exists, will try to create", kind, namespace, name)
 		return data, Create, nil
 	}
 	if err != nil {
@@ -289,17 +288,18 @@ func manageData(log logr.Logger, kind, namespace, name string, data map[string]i
 		return nil, Skip, err
 	}
 	// Resource exists; verfiy the content of the resource
-	err = checkResource(log, data, obj)
+	err = checkResource(data, obj)
 	if err == nil {
 		// Existing resource does contain the mentioned configuration in spec, skip processing the resource as it is already in expected state
 		return nil, Skip, nil
 	}
-	log.Info("to be generated resoruce already exists, but is missing the specifeid configurations, will try to update", "genKind", kind, "genNamespace", namespace, "genName", name)
+
+	glog.V(4).Infof("Resource %s/%s/%s exists but missing required configuration, will try to update", kind, namespace, name)
 	return data, Update, nil
 
 }
 
-func manageClone(log logr.Logger, kind, namespace, name string, clone map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
+func manageClone(kind, namespace, name string, clone map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) {
 	// check if resource to be generated exists
 	_, err := client.GetResource(kind, namespace, name)
 	if err == nil {
@@ -308,7 +308,6 @@ func manageClone(log logr.Logger, kind, namespace, name string, clone map[string
 	}
 	//TODO: check this
 	if !apierrors.IsNotFound(err) {
-		log.Error(err, "reference/clone resource is not found", "genKind", kind, "genNamespace", namespace, "genName", name)
 		//something wrong while fetching resource
 		return nil, Skip, err
 	}
@@ -326,6 +325,8 @@ func manageClone(log logr.Logger, kind, namespace, name string, clone map[string
 		// attempting to clone it self, this will fail -> short-ciruit it
 		return nil, Skip, nil
 	}
+
+	glog.V(4).Infof("check if resource %s/%s/%s exists", kind, newRNs, newRName)
 	// check if the resource as reference in clone exists?
 	obj, err := client.GetResource(kind, newRNs, newRName)
 	if err != nil {
@@ -348,10 +349,10 @@ const (
 	Update = "UPDATE"
 )
 
-func checkResource(log logr.Logger, newResourceSpec interface{}, resource *unstructured.Unstructured) error {
+func checkResource(newResourceSpec interface{}, resource *unstructured.Unstructured) error {
 	// check if the resource spec if a subset of the resource
-	if path, err := validate.ValidateResourceWithPattern(log, resource.Object, newResourceSpec); err != nil {
-		log.Error(err, "Failed to match the resource ", "path", path)
+	if path, err := validate.ValidateResourceWithPattern(resource.Object, newResourceSpec); err != nil {
+		glog.V(4).Infof("Failed to match the resource at path %s: err %v", path, err)
 		return err
 	}
 	return nil
diff --git a/pkg/generate/labels.go b/pkg/generate/labels.go
index c7d67b5a55..282caf55fa 100644
--- a/pkg/generate/labels.go
+++ b/pkg/generate/labels.go
@@ -3,8 +3,8 @@ package generate
 import (
 	"fmt"
 
+	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func manageLabels(unstr *unstructured.Unstructured, triggerResource unstructured.Unstructured) {
@@ -30,7 +30,7 @@ func managedBy(labels map[string]string) {
 	val, ok := labels[key]
 	if ok {
 		if val != value {
-			log.Log.Info(fmt.Sprintf("resource managed by %s, kyverno wont over-ride the label", val))
+			glog.Infof("resource managed by %s, kyverno wont over-ride the label", val)
 			return
 		}
 	}
@@ -46,7 +46,7 @@ func generatedBy(labels map[string]string, triggerResource unstructured.Unstruct
 	val, ok := labels[key]
 	if ok {
 		if val != value {
-			log.Log.Info(fmt.Sprintf("resource generated by %s, kyverno wont over-ride the label", val))
+			glog.Infof("resource generated by %s, kyverno wont over-ride the label", val)
 			return
 		}
 	}
diff --git a/pkg/generate/report.go b/pkg/generate/report.go
index f9d24fcc10..eaa5939e41 100644
--- a/pkg/generate/report.go
+++ b/pkg/generate/report.go
@@ -3,13 +3,13 @@ package generate
 import (
 	"fmt"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/event"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
-func reportEvents(log logr.Logger, err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) {
+func reportEvents(err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) {
 	if err == nil {
 		// Success Events
 		// - resource -> policy rule applied successfully
@@ -18,6 +18,7 @@ func reportEvents(log logr.Logger, err error, eventGen event.Interface, gr kyver
 		eventGen.Add(events...)
 		return
 	}
+	glog.V(4).Infof("reporing events for %v", err)
 	events := failedEvents(err, gr, resource)
 	eventGen.Add(events...)
 }
diff --git a/pkg/generate/status.go b/pkg/generate/status.go
index db0182f89a..70d9539053 100644
--- a/pkg/generate/status.go
+++ b/pkg/generate/status.go
@@ -1,9 +1,9 @@
 package generate
 
 import (
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //StatusControlInterface provides interface to update status subresource
@@ -25,10 +25,10 @@ func (sc StatusControl) Failed(gr kyverno.GenerateRequest, message string, genRe
 	gr.Status.GeneratedResources = genResources
 	_, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr)
 	if err != nil {
-		log.Log.Error(err, "failed to update generate request status", "name", gr.Name)
+		glog.V(4).Infof("FAILED: updated gr %s status to %s", gr.Name, string(kyverno.Failed))
 		return err
 	}
-	log.Log.Info("updated generate request status", "name", gr.Name, "status", string(kyverno.Failed))
+	glog.V(4).Infof("updated gr %s status to %s", gr.Name, string(kyverno.Failed))
 	return nil
 }
 
@@ -41,9 +41,9 @@ func (sc StatusControl) Success(gr kyverno.GenerateRequest, genResources []kyver
 
 	_, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr)
 	if err != nil {
-		log.Log.Error(err, "failed to update generate request status", "name", gr.Name)
+		glog.V(4).Infof("FAILED: updated gr %s status to %s", gr.Name, string(kyverno.Completed))
 		return err
 	}
-	log.Log.Info("updated generate request status", "name", gr.Name, "status", string(kyverno.Completed))
+	glog.V(4).Infof("updated gr %s status to %s", gr.Name, string(kyverno.Completed))
 	return nil
 }
diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index 26023c43e1..95e0f241cd 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -13,6 +13,8 @@ import (
 
 	policy2 "github.com/nirmata/kyverno/pkg/policy"
 
+	"github.com/golang/glog"
+
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
 	"k8s.io/client-go/discovery"
@@ -32,7 +34,6 @@ import (
 	yamlv2 "gopkg.in/yaml.v2"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/kubernetes/scheme"
-	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Command() *cobra.Command {
@@ -50,7 +51,7 @@ func Command() *cobra.Command {
 			defer func() {
 				if err != nil {
 					if !sanitizedError.IsErrorSanitized(err) {
-						log.Log.Error(err, "failed to sanitize")
+						glog.V(4).Info(err)
 						err = fmt.Errorf("Internal error")
 					}
 				}
@@ -70,7 +71,7 @@ func Command() *cobra.Command {
 			}
 
 			for _, policy := range policies {
-				err := policy2.Validate(utils.MarshalPolicy(*policy), nil, true)
+				err := policy2.Validate(utils.MarshalPolicy(*policy))
 				if err != nil {
 					return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name))
 				}
diff --git a/pkg/kyverno/main.go b/pkg/kyverno/main.go
index 6424a57ddc..d0d1163ef6 100644
--- a/pkg/kyverno/main.go
+++ b/pkg/kyverno/main.go
@@ -9,9 +9,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/kyverno/apply"
 
 	"github.com/nirmata/kyverno/pkg/kyverno/version"
-	"k8s.io/klog"
-	"k8s.io/klog/klogr"
-	log "sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/spf13/cobra"
 )
@@ -22,7 +19,7 @@ func CLI() {
 		Short: "kyverno manages native policies of Kubernetes",
 	}
 
-	configurelog(cli)
+	configureGlog(cli)
 
 	commands := []*cobra.Command{
 		version.Command(),
@@ -39,9 +36,9 @@ func CLI() {
 	}
 }
 
-func configurelog(cli *cobra.Command) {
-	klog.InitFlags(nil)
-	log.SetLogger(klogr.New())
+func configureGlog(cli *cobra.Command) {
+	flag.Parse()
+	_ = flag.Set("logtostderr", "true")
 
 	cli.PersistentFlags().AddGoFlagSet(flag.CommandLine)
 	_ = cli.PersistentFlags().MarkHidden("alsologtostderr")
diff --git a/pkg/kyverno/validate/command.go b/pkg/kyverno/validate/command.go
index 82863aa397..dce6e7dc32 100644
--- a/pkg/kyverno/validate/command.go
+++ b/pkg/kyverno/validate/command.go
@@ -11,12 +11,13 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/kyverno/sanitizedError"
 
+	"github.com/golang/glog"
+
 	policyvalidate "github.com/nirmata/kyverno/pkg/policy"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/util/yaml"
-	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Command() *cobra.Command {
@@ -28,7 +29,7 @@ func Command() *cobra.Command {
 			defer func() {
 				if err != nil {
 					if !sanitizedError.IsErrorSanitized(err) {
-						log.Log.Error(err, "failed to sanitize")
+						glog.V(4).Info(err)
 						err = fmt.Errorf("Internal error")
 					}
 				}
@@ -44,7 +45,7 @@ func Command() *cobra.Command {
 			}
 
 			for _, policy := range policies {
-				err = policyvalidate.Validate(utils.MarshalPolicy(*policy), nil, true)
+				err = policyvalidate.Validate(utils.MarshalPolicy(*policy))
 				if err != nil {
 					fmt.Println("Policy " + policy.Name + " is invalid")
 				} else {
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 2c8f3023e4..61c32c45d3 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -6,12 +6,13 @@ import (
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
+	"github.com/golang/glog"
+
 	"gopkg.in/yaml.v2"
 
 	"github.com/googleapis/gnostic/compiler"
 
 	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
-	log "sigs.k8s.io/controller-runtime/pkg/log"
 
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -43,12 +44,12 @@ func NewCRDSync(client *client.Client) *crdSync {
 func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	newDoc, err := c.client.DiscoveryClient.OpenAPISchema()
 	if err != nil {
-		log.Log.Error(err, "cannot get openapi schema")
+		glog.V(4).Infof("cannot get openapi schema: %v", err)
 	}
 
 	err = useOpenApiDocument(newDoc)
 	if err != nil {
-		log.Log.Error(err, "Could not set custom OpenApi document")
+		glog.V(4).Infof("Could not set custom OpenApi document: %v\n", err)
 	}
 
 	// Sync CRD before kyverno starts
@@ -62,7 +63,7 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 func (c *crdSync) sync() {
 	crds, err := c.client.ListResource("CustomResourceDefinition", "", nil)
 	if err != nil {
-		log.Log.Error(err, "could not fetch crd's from server")
+		glog.V(4).Infof("could not fetch crd's from server: %v", err)
 		return
 	}
 
@@ -92,7 +93,7 @@ func parseCRD(crd unstructured.Unstructured) {
 
 	crdName := crdDefinition.Spec.Names.Kind
 	if len(crdDefinition.Spec.Versions) < 1 {
-		log.Log.V(4).Info("could not parse crd schema, no versions present")
+		glog.V(4).Infof("could not parse crd schema, no versions present")
 		return
 	}
 
@@ -103,7 +104,7 @@ func parseCRD(crd unstructured.Unstructured) {
 
 	parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil))
 	if err != nil {
-		log.Log.Error(err, "could not parse crd schema:")
+		glog.V(4).Infof("could not parse crd schema:%v", err)
 		return
 	}
 
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index 01ea226b0f..bb724b9d0e 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -8,9 +8,12 @@ import (
 	"strings"
 	"sync"
 
-	data "github.com/nirmata/kyverno/api"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 
+	"github.com/nirmata/kyverno/data"
+
+	"github.com/golang/glog"
+
 	"github.com/nirmata/kyverno/pkg/engine"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
@@ -20,7 +23,6 @@ import (
 	"github.com/googleapis/gnostic/compiler"
 	"k8s.io/kube-openapi/pkg/util/proto"
 	"k8s.io/kube-openapi/pkg/util/proto/validation"
-	log "sigs.k8s.io/controller-runtime/pkg/log"
 
 	"gopkg.in/yaml.v2"
 )
@@ -118,7 +120,7 @@ func validatePolicyMutation(policy v1.ClusterPolicy) error {
 		newPolicy.Spec.Rules = rules
 		resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})
 		if resource == nil {
-			log.Log.V(4).Info(fmt.Sprintf("Cannot Validate policy: openApi definition now found for %v", kind))
+			glog.V(4).Infof("Cannot Validate policy: openApi definition now found for %v", kind)
 			return nil
 		}
 		newResource := unstructured.Unstructured{Object: resource}
diff --git a/pkg/policy/actions.go b/pkg/policy/actions.go
deleted file mode 100644
index 4442113cd4..0000000000
--- a/pkg/policy/actions.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package policy
-
-import (
-	"fmt"
-
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	dclient "github.com/nirmata/kyverno/pkg/dclient"
-	"github.com/nirmata/kyverno/pkg/policy/generate"
-	"github.com/nirmata/kyverno/pkg/policy/mutate"
-	"github.com/nirmata/kyverno/pkg/policy/validate"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-//Validation provides methods to validate a rule
-type Validation interface {
-	Validate() (string, error)
-}
-
-//validateAction performs validation on the rule actions
-// - Mutate
-// - Validation
-// - Generate
-func validateActions(idx int, rule kyverno.Rule, client *dclient.Client, mock bool) error {
-	var checker Validation
-
-	// Mutate
-	if rule.HasMutate() {
-		checker = mutate.NewMutateFactory(rule.Mutation)
-		if path, err := checker.Validate(); err != nil {
-			return fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", idx, path, err)
-		}
-	}
-
-	// Validate
-	if rule.HasValidate() {
-		checker = validate.NewValidateFactory(rule.Validation)
-		if path, err := checker.Validate(); err != nil {
-			return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", idx, path, err)
-		}
-	}
-
-	// Generate
-	if rule.HasGenerate() {
-		//TODO: this check is there to support offline validations
-		// generate uses selfSubjectReviews to verify actions
-		// this need to modified to use different implementation for online and offline mode
-		if mock {
-			checker = generate.NewFakeGenerate(rule.Generation)
-			if path, err := checker.Validate(); err != nil {
-				return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
-			}
-		} else {
-			checker = generate.NewGenerateFactory(client, rule.Generation, log.Log)
-			if path, err := checker.Validate(); err != nil {
-				return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
-			}
-		}
-	}
-
-	return nil
-}
diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index ad60ad5d6d..32d654346c 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -8,7 +8,7 @@ import (
 	"time"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -19,12 +19,12 @@ import (
 
 // applyPolicy applies policy on a resource
 //TODO: generation rules
-func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) {
+func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (responses []response.EngineResponse) {
 	startTime := time.Now()
 
-	logger.Info("start applying policy", "startTime", startTime)
+	glog.V(4).Infof("Started apply policy %s on resource %s/%s/%s (%v)", policy.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), startTime)
 	defer func() {
-		logger.Info("finisnhed applying policy", "processingTime", time.Since(startTime))
+		glog.V(4).Infof("Finished applying %s on resource %s/%s/%s (%v)", policy.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), time.Since(startTime))
 	}()
 
 	var engineResponses []response.EngineResponse
@@ -32,15 +32,13 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	var err error
 	// build context
 	ctx := context.NewContext()
-	err = ctx.AddResource(transformResource(resource))
-	if err != nil {
-		logger.Error(err, "enable to add transform resource to ctx")
-	}
+	ctx.AddResource(transformResource(resource))
+
 	//MUTATION
-	engineResponse, err = mutation(policy, resource, ctx, logger)
+	engineResponse, err = mutation(policy, resource, ctx)
 	engineResponses = append(engineResponses, engineResponse)
 	if err != nil {
-		logger.Error(err, "failed to process mutation rule")
+		glog.Errorf("unable to process mutation rules: %v", err)
 	}
 
 	//VALIDATION
@@ -50,52 +48,52 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	//TODO: GENERATION
 	return engineResponses
 }
-func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, ctx context.EvalInterface, log logr.Logger) (response.EngineResponse, error) {
+func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, ctx context.EvalInterface) (response.EngineResponse, error) {
 
 	engineResponse := engine.Mutate(engine.PolicyContext{Policy: policy, NewResource: resource, Context: ctx})
 	if !engineResponse.IsSuccesful() {
-		log.V(4).Info("failed to apply mutation rules; reporting them")
+		glog.V(4).Infof("mutation had errors reporting them")
 		return engineResponse, nil
 	}
 	// Verify if the JSON pathes returned by the Mutate are already applied to the resource
 	if reflect.DeepEqual(resource, engineResponse.PatchedResource) {
 		// resources matches
-		log.V(4).Info("resource already satisfys the policy")
+		glog.V(4).Infof("resource %s/%s/%s satisfies policy %s", engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name, engineResponse.PolicyResponse.Policy)
 		return engineResponse, nil
 	}
-	return getFailedOverallRuleInfo(resource, engineResponse, log)
+	return getFailedOverallRuleInfo(resource, engineResponse)
 }
 
 // getFailedOverallRuleInfo gets detailed info for over-all mutation failure
-func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse response.EngineResponse, log logr.Logger) (response.EngineResponse, error) {
+func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse response.EngineResponse) (response.EngineResponse, error) {
 	rawResource, err := resource.MarshalJSON()
 	if err != nil {
-		log.Error(err, "faield to marshall resource")
+		glog.V(4).Infof("unable to marshal resource: %v\n", err)
 		return response.EngineResponse{}, err
 	}
 
 	// resource does not match so there was a mutation rule violated
 	for index, rule := range engineResponse.PolicyResponse.Rules {
-		log.V(4).Info("veriying if policy rule was applied before", "rule", rule.Name)
+		glog.V(4).Infof("veriying if policy %s rule %s was applied before to resource %s/%s/%s", engineResponse.PolicyResponse.Policy, rule.Name, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
 		if len(rule.Patches) == 0 {
 			continue
 		}
 		patch, err := jsonpatch.DecodePatch(utils.JoinPatches(rule.Patches))
 		if err != nil {
-			log.Error(err, "failed to decode JSON patch", "patches", rule.Patches)
+			glog.V(4).Infof("unable to decode patch %s: %v", rule.Patches, err)
 			return response.EngineResponse{}, err
 		}
 
 		// apply the patches returned by mutate to the original resource
 		patchedResource, err := patch.Apply(rawResource)
 		if err != nil {
-			log.Error(err, "failed to apply JSON patch", "patches", rule.Patches)
+			glog.V(4).Infof("unable to apply patch %s: %v", rule.Patches, err)
 			return response.EngineResponse{}, err
 		}
 		if !jsonpatch.Equal(patchedResource, rawResource) {
-			log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name)
+			glog.V(4).Infof("policy %s rule %s condition not satisfied by existing resource", engineResponse.PolicyResponse.Policy, rule.Name)
 			engineResponse.PolicyResponse.Rules[index].Success = false
-			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(rule.Patches, log))
+			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(rule.Patches))
 		}
 	}
 	return engineResponse, nil
@@ -107,14 +105,14 @@ type jsonPatch struct {
 	Value interface{} `json:"value"`
 }
 
-func extractPatchPath(patches [][]byte, log logr.Logger) string {
+func extractPatchPath(patches [][]byte) string {
 	var resultPath []string
 	// extract the patch path and value
 	for _, patch := range patches {
-		log.V(4).Info("expected json patch not found in resource", "patch", string(patch))
+		glog.V(4).Infof("expected json patch not found in resource: %s", string(patch))
 		var data jsonPatch
 		if err := json.Unmarshal(patch, &data); err != nil {
-			log.Error(err, "failed to decode the generate patch", "patch", string(patch))
+			glog.V(4).Infof("Failed to decode the generated patch %v: Error %v", string(patch), err)
 			continue
 		}
 		resultPath = append(resultPath, data.Path)
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index 2331359534..423fc51c4d 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -6,7 +6,6 @@ import (
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //ContainsUserInfo returns error is userInfo is defined
@@ -36,23 +35,23 @@ func ContainsUserInfo(policy kyverno.ClusterPolicy) error {
 		filterVars := []string{"request.userInfo*", "serviceAccountName", "serviceAccountNamespace"}
 		ctx := context.NewContext(filterVars...)
 		for condIdx, condition := range rule.Conditions {
-			if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); err != nil {
+			if condition.Key, err = variables.SubstituteVars(ctx, condition.Key); err != nil {
 				return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/key", idx, condIdx)
 			}
 
-			if condition.Value, err = variables.SubstituteVars(log.Log, ctx, condition.Value); err != nil {
+			if condition.Value, err = variables.SubstituteVars(ctx, condition.Value); err != nil {
 				return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/value", idx, condIdx)
 			}
 		}
 
-		if rule.Mutation.Overlay, err = variables.SubstituteVars(log.Log, ctx, rule.Mutation.Overlay); err != nil {
+		if rule.Mutation.Overlay, err = variables.SubstituteVars(ctx, rule.Mutation.Overlay); err != nil {
 			return fmt.Errorf("userInfo variable used at spec/rules[%d]/mutate/overlay", idx)
 		}
-		if rule.Validation.Pattern, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Pattern); err != nil {
+		if rule.Validation.Pattern, err = variables.SubstituteVars(ctx, rule.Validation.Pattern); err != nil {
 			return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/pattern", idx)
 		}
 		for idx2, pattern := range rule.Validation.AnyPattern {
-			if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(log.Log, ctx, pattern); err != nil {
+			if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(ctx, pattern); err != nil {
 				return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/anyPattern[%d]", idx, idx2)
 			}
 		}
diff --git a/pkg/policy/cleanup.go b/pkg/policy/cleanup.go
index 40394c2785..6a41c579ba 100644
--- a/pkg/policy/cleanup.go
+++ b/pkg/policy/cleanup.go
@@ -4,71 +4,57 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"k8s.io/apimachinery/pkg/labels"
 )
 
-func (pc *PolicyController) cleanUp(ers []response.EngineResponse) {
-	for _, er := range ers {
-		if !er.IsSuccesful() {
-			continue
-		}
-		if len(er.PolicyResponse.Rules) == 0 {
-			continue
-		}
-		// clean up after the policy has been corrected
-		pc.cleanUpPolicyViolation(er.PolicyResponse)
-	}
-}
-
 func (pc *PolicyController) cleanUpPolicyViolation(pResponse response.PolicyResponse) {
-	logger := pc.log
 	// - check if there is violation on resource (label:Selector)
 	if pResponse.Resource.Namespace == "" {
-		pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name, logger)
+		pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name)
 		if err != nil {
-			logger.Error(err, "failed to get cluster policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "name", pResponse.Resource.Name)
+			glog.Errorf("failed to cleanUp violations: %v", err)
 			return
 		}
 
 		if reflect.DeepEqual(pv, kyverno.ClusterPolicyViolation{}) {
 			return
 		}
+
+		glog.V(4).Infof("cleanup cluster violation %s on %s", pv.Name, pv.Spec.ResourceSpec.ToKey())
 		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
-			logger.Error(err, "failed to delete cluster policy violation", "name", pv.Name)
-		} else {
-			logger.Info("deleted cluster policy violation", "name", pv.Name)
+			glog.Errorf("failed to delete cluster policy violation %s on %s: %v", pv.Name, pv.Spec.ResourceSpec.ToKey(), err)
 		}
+
 		return
 	}
 
 	// namespace policy violation
-	nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name, logger)
+	nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name)
 	if err != nil {
-		logger.Error(err, "failed to get namespaced policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "namespace", pResponse.Resource.Namespace, "name", pResponse.Resource.Name)
+		glog.Error(err)
 		return
 	}
 
 	if reflect.DeepEqual(nspv, kyverno.PolicyViolation{}) {
 		return
 	}
+	glog.V(4).Infof("cleanup namespaced violation %s on %s.%s", nspv.Name, pResponse.Resource.Namespace, nspv.Spec.ResourceSpec.ToKey())
 	if err := pc.pvControl.DeleteNamespacedPolicyViolation(nspv.Namespace, nspv.Name); err != nil {
-		logger.Error(err, "failed to delete cluster policy violation", "name", nspv.Name, "namespace", nspv.Namespace)
-	} else {
-		logger.Info("deleted namespaced policy violation", "name", nspv.Name, "namespace", nspv.Namespace)
+		glog.Errorf("failed to delete namespaced policy violation %s on %s: %v", nspv.Name, nspv.Spec.ResourceSpec.ToKey(), err)
 	}
 }
 
 // Wont do the claiming of objects, just lookup based on selectors
-func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string, log logr.Logger) (kyverno.ClusterPolicyViolation, error) {
+func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string) (kyverno.ClusterPolicyViolation, error) {
 	var err error
 	// Check Violation on resource
 	pvs, err := pvLister.List(labels.Everything())
 	if err != nil {
-		log.Error(err, "failed to list cluster policy violations")
+		glog.V(2).Infof("unable to list policy violations : %v", err)
 		return kyverno.ClusterPolicyViolation{}, fmt.Errorf("failed to list cluster pv: %v", err)
 	}
 
@@ -83,10 +69,10 @@ func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyNam
 	return kyverno.ClusterPolicyViolation{}, nil
 }
 
-func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string, log logr.Logger) (kyverno.PolicyViolation, error) {
+func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string) (kyverno.PolicyViolation, error) {
 	nspvs, err := nspvLister.PolicyViolations(rnamespace).List(labels.Everything())
 	if err != nil {
-		log.Error(err, "failed to list namespaced policy violation")
+		glog.V(2).Infof("failed to list namespaced pv: %v", err)
 		return kyverno.PolicyViolation{}, fmt.Errorf("failed to list namespaced pv: %v", err)
 	}
 
diff --git a/pkg/policy/clusterpv.go b/pkg/policy/clusterpv.go
index 35704f72d8..0f9f2564ae 100644
--- a/pkg/policy/clusterpv.go
+++ b/pkg/policy/clusterpv.go
@@ -1,13 +1,15 @@
 package policy
 
 import (
+	"fmt"
+
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"k8s.io/client-go/tools/cache"
 )
 
 func (pc *PolicyController) addClusterPolicyViolation(obj interface{}) {
 	pv := obj.(*kyverno.ClusterPolicyViolation)
-	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 
 	if pv.DeletionTimestamp != nil {
 		// On a restart of the controller manager, it's possible for an object to
@@ -20,15 +22,15 @@ func (pc *PolicyController) addClusterPolicyViolation(obj interface{}) {
 	ps := pc.getPolicyForClusterPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup")
+		glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name)
 		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
-			logger.Error(err, "failed to delete resource")
+			glog.Errorf("Failed to deleted cluster policy violation %s: %v", pv.Name, err)
 			return
 		}
-		logger.V(4).Info("resource deleted")
+		glog.V(4).Infof("Cluster Policy Violation %s deleted", pv.Name)
 		return
 	}
-	logger.V(4).Info("resource added")
+	glog.V(4).Infof("Cluster Policy Violation %s added.", pv.Name)
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -42,20 +44,19 @@ func (pc *PolicyController) updateClusterPolicyViolation(old, cur interface{}) {
 		// Two different versions of the same replica set will always have different RVs.
 		return
 	}
-	logger := pc.log.WithValues("kind", curPV.Kind, "namespace", curPV.Namespace, "name", curPV.Name)
 
 	ps := pc.getPolicyForClusterPolicyViolation(curPV)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup")
+		glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", curPV.Name)
 		if err := pc.pvControl.DeleteClusterPolicyViolation(curPV.Name); err != nil {
-			logger.Error(err, "failed to delete resource")
+			glog.Errorf("Failed to deleted cluster policy violation %s: %v", curPV.Name, err)
 			return
 		}
-		logger.V(4).Info("resource deleted")
+		glog.V(4).Infof("PolicyViolation %s deleted", curPV.Name)
 		return
 	}
-	logger.V(4).Info("resource updated")
+	glog.V(4).Infof("Cluster PolicyViolation %s updated", curPV.Name)
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -66,7 +67,6 @@ func (pc *PolicyController) updateClusterPolicyViolation(old, cur interface{}) {
 // a DeletionFinalStateUnknown marker item.
 
 func (pc *PolicyController) deleteClusterPolicyViolation(obj interface{}) {
-	logger := pc.log
 	pv, ok := obj.(*kyverno.ClusterPolicyViolation)
 	// When a delete is dropped, the relist will notice a PolicyViolation in the store not
 	// in the list, leading to the insertion of a tombstone object which contains
@@ -75,35 +75,33 @@ func (pc *PolicyController) deleteClusterPolicyViolation(obj interface{}) {
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			logger.Info("Couldn't get object from tombstone", "obj", obj)
+			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
 			return
 		}
 		pv, ok = tombstone.Obj.(*kyverno.ClusterPolicyViolation)
 		if !ok {
-			logger.Info("Couldn't get object from tombstone", "obj", obj)
+			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
 			return
 		}
 	}
-	logger = logger.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	ps := pc.getPolicyForClusterPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup")
+		glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name)
 		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
-			logger.Error(err, "failed to delete resource")
+			glog.Errorf("Failed to deleted cluster policy violation %s: %v", pv.Name, err)
 			return
 		}
-		logger.V(4).Info("resource deleted")
+		glog.V(4).Infof("Cluster Policy Violation %s deleted", pv.Name)
 		return
 	}
-	logger.V(4).Info("resource updated")
+	glog.V(4).Infof("Cluster PolicyViolation %s updated", pv.Name)
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
 }
 
 func (pc *PolicyController) getPolicyForClusterPolicyViolation(pv *kyverno.ClusterPolicyViolation) []*kyverno.ClusterPolicy {
-	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	policies, err := pc.pLister.GetPolicyForPolicyViolation(pv)
 	if err != nil || len(policies) == 0 {
 		return nil
@@ -115,7 +113,8 @@ func (pc *PolicyController) getPolicyForClusterPolicyViolation(pv *kyverno.Clust
 	if len(policies) > 1 {
 		// ControllerRef will ensure we don't do anything crazy, but more than one
 		// item in this list nevertheless constitutes user error.
-		logger.V(4).Info("user error! more than one policy is selecting policy violation", "labels", pv.Labels, "policy", policies[0].Name)
+		glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s",
+			pv.Name, pv.Labels, policies[0].Name)
 	}
 	return policies
 }
diff --git a/pkg/policy/common.go b/pkg/policy/common.go
index cb99b9dd2f..b4d6155abc 100644
--- a/pkg/policy/common.go
+++ b/pkg/policy/common.go
@@ -3,10 +3,10 @@ package policy
 import (
 	"fmt"
 
+	"github.com/golang/glog"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func buildPolicyLabel(policyName string) (labels.Selector, error) {
@@ -27,7 +27,7 @@ func buildPolicyLabel(policyName string) (labels.Selector, error) {
 func transformResource(resource unstructured.Unstructured) []byte {
 	data, err := resource.MarshalJSON()
 	if err != nil {
-		log.Log.Error(err, "failed to marshal resource")
+		glog.Errorf("failed to marshall resource %v: %v", resource, err)
 		return nil
 	}
 	return data
diff --git a/pkg/policy/common/common.go b/pkg/policy/common/common.go
deleted file mode 100644
index 35bc132007..0000000000
--- a/pkg/policy/common/common.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package common
-
-import (
-	"fmt"
-	"regexp"
-	"strconv"
-
-	"github.com/nirmata/kyverno/pkg/engine/anchor"
-)
-
-//ValidatePattern validates the pattern
-func ValidatePattern(patternElement interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
-	switch typedPatternElement := patternElement.(type) {
-	case map[string]interface{}:
-		return validateMap(typedPatternElement, path, supportedAnchors)
-	case []interface{}:
-		return validateArray(typedPatternElement, path, supportedAnchors)
-	case string, float64, int, int64, bool, nil:
-		//TODO? check operator
-		return "", nil
-	default:
-		return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path)
-	}
-}
-func validateMap(patternMap map[string]interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
-	// check if anchors are defined
-	for key, value := range patternMap {
-		// if key is anchor
-		// check regex () -> this is anchor
-		// ()
-		// single char ()
-		re, err := regexp.Compile(`^.?\(.+\)$`)
-		if err != nil {
-			return path + "/" + key, fmt.Errorf("Unable to parse the field %s: %v", key, err)
-		}
-
-		matched := re.MatchString(key)
-		// check the type of anchor
-		if matched {
-			// some type of anchor
-			// check if valid anchor
-			if !checkAnchors(key, supportedAnchors) {
-				return path + "/" + key, fmt.Errorf("Unsupported anchor %s", key)
-			}
-
-			// addition check for existence anchor
-			// value must be of type list
-			if anchor.IsExistenceAnchor(key) {
-				typedValue, ok := value.([]interface{})
-				if !ok {
-					return path + "/" + key, fmt.Errorf("Existence anchor should have value of type list")
-				}
-				// validate there is only one entry in the list
-				if len(typedValue) == 0 || len(typedValue) > 1 {
-					return path + "/" + key, fmt.Errorf("Existence anchor: single value expected, multiple specified")
-				}
-			}
-		}
-		// lets validate the values now :)
-		if errPath, err := ValidatePattern(value, path+"/"+key, supportedAnchors); err != nil {
-			return errPath, err
-		}
-	}
-	return "", nil
-}
-
-func validateArray(patternArray []interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
-	for i, patternElement := range patternArray {
-		currentPath := path + strconv.Itoa(i) + "/"
-		// lets validate the values now :)
-		if errPath, err := ValidatePattern(patternElement, currentPath, supportedAnchors); err != nil {
-			return errPath, err
-		}
-	}
-	return "", nil
-}
-
-func checkAnchors(key string, supportedAnchors []anchor.IsAnchor) bool {
-	for _, f := range supportedAnchors {
-		if f(key) {
-			return true
-		}
-	}
-	return false
-}
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index 2a471a37fe..d303bebf52 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -1,9 +1,10 @@
 package policy
 
 import (
+	"fmt"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
@@ -71,7 +72,6 @@ type PolicyController struct {
 	pvGenerator policyviolation.GeneratorInterface
 	// resourceWebhookWatcher queues the webhook creation request, creates the webhook
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
-	log                    logr.Logger
 }
 
 // NewPolicyController create a new PolicyController
@@ -84,11 +84,10 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 	eventGen event.Interface,
 	pvGenerator policyviolation.GeneratorInterface,
 	pMetaStore policystore.UpdateInterface,
-	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
-	log logr.Logger) (*PolicyController, error) {
+	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister) (*PolicyController, error) {
 	// Event broad caster
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(log.Info)
+	eventBroadcaster.StartLogging(glog.Infof)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
 		return nil, err
@@ -105,7 +104,6 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 		pMetaStore:             pMetaStore,
 		pvGenerator:            pvGenerator,
 		resourceWebhookWatcher: resourceWebhookWatcher,
-		log:                    log,
 	}
 
 	pc.pvControl = RealPVControl{Client: kyvernoClient, Recorder: pc.eventRecorder}
@@ -147,7 +145,6 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 }
 
 func (pc *PolicyController) addPolicy(obj interface{}) {
-	logger := pc.log
 	p := obj.(*kyverno.ClusterPolicy)
 	// Only process policies that are enabled for "background" execution
 	// policy.spec.background -> "True"
@@ -171,19 +168,19 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
 			return
 		}
 	}
-	logger.V(4).Info("adding policy", "name", p.Name)
+
+	glog.V(4).Infof("Adding Policy %s", p.Name)
 	pc.enqueuePolicy(p)
 }
 
 func (pc *PolicyController) updatePolicy(old, cur interface{}) {
-	logger := pc.log
 	oldP := old.(*kyverno.ClusterPolicy)
 	curP := cur.(*kyverno.ClusterPolicy)
 	// TODO: optimize this : policy meta-store
 	// Update policy-> (remove,add)
 	err := pc.pMetaStore.UnRegister(*oldP)
 	if err != nil {
-		logger.Error(err, "failed to unregister policy", "name", oldP.Name)
+		glog.Infof("Failed to unregister policy %s", oldP.Name)
 	}
 	pc.pMetaStore.Register(*curP)
 
@@ -206,29 +203,28 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 			return
 		}
 	}
-	logger.V(4).Info("updating policy", "name", oldP.Name)
+	glog.V(4).Infof("Updating Policy %s", oldP.Name)
 	pc.enqueuePolicy(curP)
 }
 
 func (pc *PolicyController) deletePolicy(obj interface{}) {
-	logger := pc.log
 	p, ok := obj.(*kyverno.ClusterPolicy)
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			logger.Info("couldnt get object from tomstone", "obj", obj)
+			glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
 			return
 		}
 		p, ok = tombstone.Obj.(*kyverno.ClusterPolicy)
 		if !ok {
-			logger.Info("tombstone container object that is not a policy", "obj", obj)
+			glog.Info(fmt.Errorf("Tombstone contained object that is not a Policy %#v", obj))
 			return
 		}
 	}
-	logger.V(4).Info("deleting policy", "name", p.Name)
+	glog.V(4).Infof("Deleting Policy %s", p.Name)
 	// Unregister from policy meta-store
 	if err := pc.pMetaStore.UnRegister(*p); err != nil {
-		logger.Error(err, "failed to unregister policy", "name", p.Name)
+		glog.Infof("failed to unregister policy %s", p.Name)
 	}
 	// we process policies that are not set of background processing as we need to perform policy violation
 	// cleanup when a policy is deleted.
@@ -236,10 +232,9 @@ func (pc *PolicyController) deletePolicy(obj interface{}) {
 }
 
 func (pc *PolicyController) enqueue(policy *kyverno.ClusterPolicy) {
-	logger := pc.log
 	key, err := cache.MetaNamespaceKeyFunc(policy)
 	if err != nil {
-		logger.Error(err, "failed to enqueu policy")
+		glog.Error(err)
 		return
 	}
 	pc.queue.Add(key)
@@ -247,16 +242,15 @@ func (pc *PolicyController) enqueue(policy *kyverno.ClusterPolicy) {
 
 // Run begins watching and syncing.
 func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) {
-	logger := pc.log
 
 	defer utilruntime.HandleCrash()
 	defer pc.queue.ShutDown()
 
-	logger.Info("starting")
-	defer logger.Info("shutting down")
+	glog.Info("Starting policy controller")
+	defer glog.Info("Shutting down policy controller")
 
 	if !cache.WaitForCacheSync(stopCh, pc.pListerSynced, pc.cpvListerSynced, pc.nspvListerSynced) {
-		logger.Info("failed to sync informer cache")
+		glog.Error("failed to sync informer cache")
 		return
 	}
 
@@ -291,33 +285,31 @@ func (pc *PolicyController) processNextWorkItem() bool {
 }
 
 func (pc *PolicyController) handleErr(err error, key interface{}) {
-	logger := pc.log
 	if err == nil {
 		pc.queue.Forget(key)
 		return
 	}
 
 	if pc.queue.NumRequeues(key) < maxRetries {
-		logger.Error(err, "failed to sync policy", "key", key)
+		glog.V(2).Infof("Error syncing Policy %v: %v", key, err)
 		pc.queue.AddRateLimited(key)
 		return
 	}
 
 	utilruntime.HandleError(err)
-	logger.V(2).Info("dropping policy out of queue", "key", key)
+	glog.V(2).Infof("Dropping policy %q out of the queue: %v", key, err)
 	pc.queue.Forget(key)
 }
 
 func (pc *PolicyController) syncPolicy(key string) error {
-	logger := pc.log
 	startTime := time.Now()
-	logger.V(4).Info("started syncing policy", "key", key, "startTime", startTime)
+	glog.V(4).Infof("Started syncing policy %q (%v)", key, startTime)
 	defer func() {
-		logger.V(4).Info("finished syncing policy", "key", key, "processingTime", time.Since(startTime))
+		glog.V(4).Infof("Finished syncing policy %q (%v)", key, time.Since(startTime))
 	}()
 	policy, err := pc.pLister.Get(key)
 	if errors.IsNotFound(err) {
-		logger.V(2).Info("policy deleted", "key", key)
+		glog.V(2).Infof("Policy %v has been deleted", key)
 		// delete cluster policy violation
 		if err := pc.deleteClusterPolicyViolations(key); err != nil {
 			return err
@@ -330,7 +322,8 @@ func (pc *PolicyController) syncPolicy(key string) error {
 		// remove webhook configurations if there are no policies
 		if err := pc.removeResourceWebhookConfiguration(); err != nil {
 			// do not fail, if unable to delete resource webhook config
-			logger.Error(err, "failed to remove resource webhook configurations")
+			glog.V(4).Infof("failed to remove resource webhook configuration: %v", err)
+			glog.Errorln(err)
 		}
 		return nil
 	}
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index af8dfc09c6..97c09affac 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -5,7 +5,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/config"
@@ -19,27 +19,27 @@ import (
 )
 
 func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolicy) []response.EngineResponse {
-	logger := pc.log.WithValues("policy", policy.Name)
 	// Parse through all the resources
 	// drops the cache after configured rebuild time
 	pc.rm.Drop()
 	var engineResponses []response.EngineResponse
 	// get resource that are satisfy the resource description defined in the rules
-	resourceMap := listResources(pc.client, policy, pc.configHandler, logger)
+	resourceMap := listResources(pc.client, policy, pc.configHandler)
 	for _, resource := range resourceMap {
 		// pre-processing, check if the policy and resource version has been processed before
 		if !pc.rm.ProcessResource(policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion()) {
-			logger.V(4).Info("policy and resource already processed", "policyResourceVersion", policy.ResourceVersion, "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
+			glog.V(4).Infof("policy %s with resource version %s already processed on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion())
 			continue
 		}
 
 		// skip reporting violation on pod which has annotation pod-policies.kyverno.io/autogen-applied
-		if skipPodApplication(resource, logger) {
+		if skipPodApplication(resource) {
 			continue
 		}
 
 		// apply the policy on each
-		engineResponse := applyPolicy(policy, resource, logger)
+		glog.V(4).Infof("apply policy %s with resource version %s on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion())
+		engineResponse := applyPolicy(policy, resource)
 		// get engine response for mutation & validation independently
 		engineResponses = append(engineResponses, engineResponse...)
 		// post-processing, register the resource as processed
@@ -48,26 +48,36 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic
 	return engineResponses
 }
 
-func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHandler config.Interface, log logr.Logger) map[string]unstructured.Unstructured {
+func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHandler config.Interface) map[string]unstructured.Unstructured {
 	// key uid
 	resourceMap := map[string]unstructured.Unstructured{}
 
 	for _, rule := range policy.Spec.Rules {
 		// resources that match
 		for _, k := range rule.MatchResources.Kinds {
+			// if kindIsExcluded(k, rule.ExcludeResources.Kinds) {
+			// 	glog.V(4).Infof("processing policy %s rule %s: kind %s is exluded", policy.Name, rule.Name, k)
+			// 	continue
+			// }
 			var namespaces []string
+			if k == "Namespace" {
+				// TODO
+				// this is handled by generator controller
+				glog.V(4).Infof("skipping processing policy %s rule %s for kind Namespace", policy.Name, rule.Name)
+				continue
+			}
 			if len(rule.MatchResources.Namespaces) > 0 {
 				namespaces = append(namespaces, rule.MatchResources.Namespaces...)
-				log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces)
+				glog.V(4).Infof("namespaces specified for inclusion: %v", rule.MatchResources.Namespaces)
 			} else {
-				log.V(4).Info("processing all namespaces", "rule", rule.Name)
+				glog.V(4).Infof("processing policy %s rule %s, namespace not defined, getting all namespaces ", policy.Name, rule.Name)
 				// get all namespaces
-				namespaces = getAllNamespaces(client, log)
+				namespaces = getAllNamespaces(client)
 			}
 
 			// get resources in the namespaces
 			for _, ns := range namespaces {
-				rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log)
+				rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler)
 				mergeresources(resourceMap, rMap)
 			}
 
@@ -76,16 +86,16 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHa
 	return resourceMap
 }
 
-func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, configHandler config.Interface, log logr.Logger) map[string]unstructured.Unstructured {
+func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, configHandler config.Interface) map[string]unstructured.Unstructured {
 	resourceMap := map[string]unstructured.Unstructured{}
 	// merge include and exclude label selector values
 	ls := rule.MatchResources.Selector
 	//	ls := mergeLabelSectors(rule.MatchResources.Selector, rule.ExcludeResources.Selector)
 	// list resources
-	log.V(4).Info("list resources to be processed")
+	glog.V(4).Infof("get resources for kind %s, namespace %s, selector %v", kind, namespace, rule.MatchResources.Selector)
 	list, err := client.ListResource(kind, namespace, ls)
 	if err != nil {
-		log.Error(err, "failed to list resources", "kind", kind)
+		glog.Infof("unable to get resources: err %v", err)
 		return nil
 	}
 	// filter based on name
@@ -93,6 +103,7 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 		// match name
 		if rule.MatchResources.Name != "" {
 			if !wildcard.Match(rule.MatchResources.Name, r.GetName()) {
+				glog.V(4).Infof("skipping resource %s/%s due to include condition name=%s mistatch", r.GetNamespace(), r.GetName(), rule.MatchResources.Name)
 				continue
 			}
 		}
@@ -107,11 +118,12 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 
 	// exclude the resources
 	// skip resources to be filtered
-	excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, configHandler, log)
+	excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, configHandler)
+	//	glog.V(4).Infof("resource map: %v", resourceMap)
 	return resourceMap
 }
 
-func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription, configHandler config.Interface, log logr.Logger) {
+func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription, configHandler config.Interface) {
 	if reflect.DeepEqual(exclude, (kyverno.ResourceDescription{})) {
 		return
 	}
@@ -142,7 +154,7 @@ func excludeResources(included map[string]unstructured.Unstructured, exclude kyv
 		selector, err := metav1.LabelSelectorAsSelector(exclude.Selector)
 		// if the label selector is incorrect, should be fail or
 		if err != nil {
-			log.Error(err, "failed to build label selector")
+			glog.Error(err)
 			return Skip
 		}
 		if selector.Matches(labels.Set(labelsMap)) {
@@ -193,6 +205,8 @@ func excludeResources(included map[string]unstructured.Unstructured, exclude kyv
 		}
 		// exclude the filtered resources
 		if configHandler.ToFilter(resource.GetKind(), resource.GetNamespace(), resource.GetName()) {
+			//TODO: improve the text
+			glog.V(4).Infof("excluding resource %s/%s/%s as its satisfies the filtered resources", resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			delete(included, uid)
 			continue
 		}
@@ -230,13 +244,12 @@ func mergeresources(a, b map[string]unstructured.Unstructured) {
 	}
 }
 
-func getAllNamespaces(client *client.Client, log logr.Logger) []string {
-
+func getAllNamespaces(client *client.Client) []string {
 	var namespaces []string
 	// get all namespaces
 	nsList, err := client.ListResource("Namespace", "", nil)
 	if err != nil {
-		log.Error(err, "failed to list namespaces")
+		glog.Error(err)
 		return namespaces
 	}
 	for _, ns := range nsList.Items {
@@ -278,11 +291,14 @@ type resourceManager interface {
 //TODO: or drop based on the size
 func (rm *ResourceManager) Drop() {
 	timeSince := time.Since(rm.time)
+	glog.V(4).Infof("time since last cache reset time %v is %v", rm.time, timeSince)
+	glog.V(4).Infof("cache rebuild time %v", time.Duration(rm.rebuildTime)*time.Second)
 	if timeSince > time.Duration(rm.rebuildTime)*time.Second {
 		rm.mux.Lock()
 		defer rm.mux.Unlock()
 		rm.data = map[string]interface{}{}
 		rm.time = time.Now()
+		glog.V(4).Infof("dropping cache at time %v", rm.time)
 	}
 }
 
@@ -311,14 +327,14 @@ func buildKey(policy, pv, kind, ns, name, rv string) string {
 	return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv
 }
 
-func skipPodApplication(resource unstructured.Unstructured, log logr.Logger) bool {
+func skipPodApplication(resource unstructured.Unstructured) bool {
 	if resource.GetKind() != "Pod" {
 		return false
 	}
 
 	annotation := resource.GetAnnotations()
 	if _, ok := annotation[engine.PodTemplateAnnotation]; ok {
-		log.V(4).Info("Policies already processed on pod controllers, skip processing policy on Pod", "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
+		glog.V(4).Infof("Policies already processed on pod controllers, skip processing policy on Pod/%s/%s", resource.GetNamespace(), resource.GetName())
 		return true
 	}
 
diff --git a/pkg/policy/generate/auth.go b/pkg/policy/generate/auth.go
deleted file mode 100644
index 3da64a4289..0000000000
--- a/pkg/policy/generate/auth.go
+++ /dev/null
@@ -1,74 +0,0 @@
-package generate
-
-import (
-	"github.com/go-logr/logr"
-	"github.com/nirmata/kyverno/pkg/auth"
-	dclient "github.com/nirmata/kyverno/pkg/dclient"
-)
-
-//Operations provides methods to performing operations on resource
-type Operations interface {
-	// CanICreate returns 'true' if self can 'create' resource
-	CanICreate(kind, namespace string) (bool, error)
-	// CanIUpdate returns 'true' if self can 'update' resource
-	CanIUpdate(kind, namespace string) (bool, error)
-	// CanIDelete returns 'true' if self can 'delete' resource
-	CanIDelete(kind, namespace string) (bool, error)
-	// CanIGet returns 'true' if self can 'get' resource
-	CanIGet(kind, namespace string) (bool, error)
-}
-
-//Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
-type Auth struct {
-	client *dclient.Client
-	log    logr.Logger
-}
-
-//NewAuth returns a new instance of Auth for operations
-func NewAuth(client *dclient.Client, log logr.Logger) *Auth {
-	a := Auth{
-		client: client,
-		log:    log,
-	}
-	return &a
-}
-
-// CanICreate returns 'true' if self can 'create' resource
-func (a *Auth) CanICreate(kind, namespace string) (bool, error) {
-	canI := auth.NewCanI(a.client, kind, namespace, "create", a.log)
-	ok, err := canI.RunAccessCheck()
-	if err != nil {
-		return false, err
-	}
-	return ok, nil
-}
-
-// CanIUpdate returns 'true' if self can 'update' resource
-func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {
-	canI := auth.NewCanI(a.client, kind, namespace, "update", a.log)
-	ok, err := canI.RunAccessCheck()
-	if err != nil {
-		return false, err
-	}
-	return ok, nil
-}
-
-// CanIDelete returns 'true' if self can 'delete' resource
-func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {
-	canI := auth.NewCanI(a.client, kind, namespace, "delete", a.log)
-	ok, err := canI.RunAccessCheck()
-	if err != nil {
-		return false, err
-	}
-	return ok, nil
-}
-
-// CanIGet returns 'true' if self can 'get' resource
-func (a *Auth) CanIGet(kind, namespace string) (bool, error) {
-	canI := auth.NewCanI(a.client, kind, namespace, "get", a.log)
-	ok, err := canI.RunAccessCheck()
-	if err != nil {
-		return false, err
-	}
-	return ok, nil
-}
diff --git a/pkg/policy/generate/fake.go b/pkg/policy/generate/fake.go
deleted file mode 100644
index 0d561c7a94..0000000000
--- a/pkg/policy/generate/fake.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package generate
-
-import (
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"github.com/nirmata/kyverno/pkg/policy/generate/fake"
-)
-
-//FakeGenerate provides implementation for generate rule processing
-// with mocks/fakes for cluster interactions
-type FakeGenerate struct {
-	Generate
-}
-
-//NewFakeGenerate returns a new instance of generatecheck that uses
-// fake/mock implementation for operation access(always returns true)
-func NewFakeGenerate(rule kyverno.Generation) *FakeGenerate {
-	g := FakeGenerate{}
-	g.rule = rule
-	g.authCheck = fake.NewFakeAuth()
-	return &g
-}
diff --git a/pkg/policy/generate/fake/auth.go b/pkg/policy/generate/fake/auth.go
deleted file mode 100644
index 3e7467bf06..0000000000
--- a/pkg/policy/generate/fake/auth.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package fake
-
-//FakeAuth providers implementation for testing, retuning true for all operations
-type FakeAuth struct {
-}
-
-//NewFakeAuth returns a new instance of Fake Auth that returns true for each operation
-func NewFakeAuth() *FakeAuth {
-	a := FakeAuth{}
-	return &a
-}
-
-// CanICreate returns 'true'
-func (a *FakeAuth) CanICreate(kind, namespace string) (bool, error) {
-	return true, nil
-}
-
-// CanIUpdate returns 'true'
-func (a *FakeAuth) CanIUpdate(kind, namespace string) (bool, error) {
-	return true, nil
-}
-
-// CanIDelete returns 'true'
-func (a *FakeAuth) CanIDelete(kind, namespace string) (bool, error) {
-	return true, nil
-}
-
-// CanIGet returns 'true'
-func (a *FakeAuth) CanIGet(kind, namespace string) (bool, error) {
-	return true, nil
-}
diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go
deleted file mode 100644
index 460842ea98..0000000000
--- a/pkg/policy/generate/validate.go
+++ /dev/null
@@ -1,151 +0,0 @@
-package generate
-
-import (
-	"fmt"
-	"reflect"
-
-	"github.com/go-logr/logr"
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	dclient "github.com/nirmata/kyverno/pkg/dclient"
-	"github.com/nirmata/kyverno/pkg/engine/anchor"
-	"github.com/nirmata/kyverno/pkg/engine/variables"
-	"github.com/nirmata/kyverno/pkg/policy/common"
-)
-
-// Generate provides implementation to validate 'generate' rule
-type Generate struct {
-	// rule to hold 'generate' rule specifications
-	rule kyverno.Generation
-	// authCheck to check access for operations
-	authCheck Operations
-	//logger
-	log logr.Logger
-}
-
-//NewGenerateFactory returns a new instance of Generate validation checker
-func NewGenerateFactory(client *dclient.Client, rule kyverno.Generation, log logr.Logger) *Generate {
-	g := Generate{
-		rule:      rule,
-		authCheck: NewAuth(client, log),
-		log:       log,
-	}
-
-	return &g
-}
-
-//Validate validates the 'generate' rule
-func (g *Generate) Validate() (string, error) {
-	rule := g.rule
-	if rule.Data == nil && rule.Clone == (kyverno.CloneFrom{}) {
-		return "", fmt.Errorf("clone or data are required")
-	}
-	if rule.Data != nil && rule.Clone != (kyverno.CloneFrom{}) {
-		return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)")
-	}
-	kind, name, namespace := rule.Kind, rule.Name, rule.Namespace
-
-	if name == "" {
-		return "name", fmt.Errorf("name cannot be empty")
-	}
-	if kind == "" {
-		return "kind", fmt.Errorf("kind cannot be empty")
-	}
-	// Can I generate resource
-
-	if !reflect.DeepEqual(rule.Clone, kyverno.CloneFrom{}) {
-		if path, err := g.validateClone(rule.Clone, kind); err != nil {
-			return fmt.Sprintf("clone.%s", path), err
-		}
-	}
-	if rule.Data != nil {
-		//TODO: is this required ?? as anchors can only be on pattern and not resource
-		// we can add this check by not sure if its needed here
-		if path, err := common.ValidatePattern(rule.Data, "/", []anchor.IsAnchor{}); err != nil {
-			return fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err)
-		}
-	}
-
-	// Kyverno generate-controller create/update/deletes the resources specified in generate rule of policy
-	// kyverno uses SA 'kyverno-service-account' and has default ClusterRoles and ClusterRoleBindings
-	// instuctions to modify the RBAC for kyverno are mentioned at https://github.com/nirmata/kyverno/blob/master/documentation/installation.md
-	// - operations required: create/update/delete/get
-	// If kind and namespace contain variables, then we cannot resolve then so we skip the processing
-	if err := g.canIGenerate(kind, namespace); err != nil {
-		return "", err
-	}
-	return "", nil
-}
-
-func (g *Generate) validateClone(c kyverno.CloneFrom, kind string) (string, error) {
-	if c.Name == "" {
-		return "name", fmt.Errorf("name cannot be empty")
-	}
-	if c.Namespace == "" {
-		return "namespace", fmt.Errorf("namespace cannot be empty")
-	}
-	namespace := c.Namespace
-	// Skip if there is variable defined
-	if !variables.IsVariable(kind) && !variables.IsVariable(namespace) {
-		// GET
-		ok, err := g.authCheck.CanIGet(kind, namespace)
-		if err != nil {
-			return "", err
-		}
-		if !ok {
-			return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
-		}
-	} else {
-		g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
-	}
-	return "", nil
-}
-
-//canIGenerate returns a error if kyverno cannot perform oprations
-func (g *Generate) canIGenerate(kind, namespace string) error {
-	// Skip if there is variable defined
-	authCheck := g.authCheck
-	if !variables.IsVariable(kind) && !variables.IsVariable(namespace) {
-		// CREATE
-		ok, err := authCheck.CanICreate(kind, namespace)
-		if err != nil {
-			// machinery error
-			return err
-		}
-		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
-		}
-		// UPDATE
-		ok, err = authCheck.CanIUpdate(kind, namespace)
-		if err != nil {
-			// machinery error
-			return err
-		}
-		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
-		}
-		// GET
-		ok, err = authCheck.CanIGet(kind, namespace)
-		if err != nil {
-			// machinery error
-			return err
-		}
-		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
-		}
-
-		// DELETE
-		ok, err = authCheck.CanIDelete(kind, namespace)
-		if err != nil {
-			// machinery error
-			return err
-		}
-		if !ok {
-			return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace)
-		}
-
-	} else {
-		g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
-	}
-
-	return nil
-}
diff --git a/pkg/policy/generate/validate_test.go b/pkg/policy/generate/validate_test.go
deleted file mode 100644
index 631aac6ed3..0000000000
--- a/pkg/policy/generate/validate_test.go
+++ /dev/null
@@ -1,89 +0,0 @@
-package generate
-
-import (
-	"encoding/json"
-	"testing"
-
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"gotest.tools/assert"
-)
-
-func Test_Validate_Generate(t *testing.T) {
-	rawGenerate := []byte(`
-	{
-		"kind": "NetworkPolicy",
-		"name": "defaultnetworkpolicy",
-		"data": {
-		   "spec": {
-			  "podSelector": {},
-			  "policyTypes": [
-				 "Ingress",
-				 "Egress"
-			  ],
-			  "ingress": [
-				 {}
-			  ],
-			  "egress": [
-				 {}
-			  ]
-		   }
-		}
-	 }`)
-
-	var genRule kyverno.Generation
-	err := json.Unmarshal(rawGenerate, &genRule)
-	assert.NilError(t, err)
-	checker := NewFakeGenerate(genRule)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Generate_HasAnchors(t *testing.T) {
-	var err error
-	rawGenerate := []byte(`
-	{
-		"kind": "NetworkPolicy",
-		"name": "defaultnetworkpolicy",
-		"data": {
-		   "spec": {
-			  "(podSelector)": {},
-			  "policyTypes": [
-				 "Ingress",
-				 "Egress"
-			  ],
-			  "ingress": [
-				 {}
-			  ],
-			  "egress": [
-				 {}
-			  ]
-		   }
-		}
-	 }`)
-
-	var genRule kyverno.Generation
-	err = json.Unmarshal(rawGenerate, &genRule)
-	assert.NilError(t, err)
-	checker := NewFakeGenerate(genRule)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	rawGenerate = []byte(`
-	{
-		"kind": "ConfigMap",
-		"name": "copied-cm",
-		"clone": {
-		   "^(namespace)": "default",
-		   "name": "game"
-		}
-	 }`)
-
-	err = json.Unmarshal(rawGenerate, &genRule)
-	assert.NilError(t, err)
-	checker = NewFakeGenerate(genRule)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go
deleted file mode 100644
index 6a24c3d388..0000000000
--- a/pkg/policy/mutate/validate.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package mutate
-
-import (
-	"errors"
-	"fmt"
-
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"github.com/nirmata/kyverno/pkg/engine/anchor"
-	"github.com/nirmata/kyverno/pkg/policy/common"
-)
-
-// Mutate provides implementation to validate 'mutate' rule
-type Mutate struct {
-	// rule to hold 'mutate' rule specifications
-	rule kyverno.Mutation
-}
-
-//NewMutateFactory returns a new instance of Mutate validation checker
-func NewMutateFactory(rule kyverno.Mutation) *Mutate {
-	m := Mutate{
-		rule: rule,
-	}
-	return &m
-}
-
-//Validate validates the 'mutate' rule
-func (m *Mutate) Validate() (string, error) {
-	rule := m.rule
-	// JSON Patches
-	if len(rule.Patches) != 0 {
-		for i, patch := range rule.Patches {
-			if err := validatePatch(patch); err != nil {
-				return fmt.Sprintf("patch[%d]", i), err
-			}
-		}
-	}
-	// Overlay
-	if rule.Overlay != nil {
-		path, err := common.ValidatePattern(rule.Overlay, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsAddingAnchor})
-		if err != nil {
-			return path, err
-		}
-	}
-	return "", nil
-}
-
-// Validate if all mandatory PolicyPatch fields are set
-func validatePatch(pp kyverno.Patch) error {
-	if pp.Path == "" {
-		return errors.New("JSONPatch field 'path' is mandatory")
-	}
-	if pp.Operation == "add" || pp.Operation == "replace" {
-		if pp.Value == nil {
-			return fmt.Errorf("JSONPatch field 'value' is mandatory for operation '%s'", pp.Operation)
-		}
-
-		return nil
-	} else if pp.Operation == "remove" {
-		return nil
-	}
-
-	return fmt.Errorf("Unsupported JSONPatch operation '%s'", pp.Operation)
-}
diff --git a/pkg/policy/mutate/validate_test.go b/pkg/policy/mutate/validate_test.go
deleted file mode 100644
index 84ff0e59b7..0000000000
--- a/pkg/policy/mutate/validate_test.go
+++ /dev/null
@@ -1,151 +0,0 @@
-package mutate
-
-import (
-	"encoding/json"
-	"testing"
-
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"gotest.tools/assert"
-)
-
-func Test_Validate_Mutate_ConditionAnchor(t *testing.T) {
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		  "spec": {
-			"(serviceAccountName)": "*",
-			"automountServiceAccountToken": false
-		  }
-		}
-	  }`)
-
-	var mutate kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-	checker := NewMutateFactory(mutate)
-	if _, err := checker.Validate(); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_Mutate_PlusAnchor(t *testing.T) {
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "+(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	var mutate kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-
-	checker := NewMutateFactory(mutate)
-	if _, err := checker.Validate(); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_Mutate_Mismatched(t *testing.T) {
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "^(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	var mutateExistence kyverno.Mutation
-	err := json.Unmarshal(rawMutate, &mutateExistence)
-	assert.NilError(t, err)
-
-	checker := NewMutateFactory(mutateExistence)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	var mutateEqual kyverno.Mutation
-	rawMutate = []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "=(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutateEqual)
-	assert.NilError(t, err)
-
-	checker = NewMutateFactory(mutateEqual)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	var mutateNegation kyverno.Mutation
-	rawMutate = []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "X(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutateNegation)
-	assert.NilError(t, err)
-
-	checker = NewMutateFactory(mutateEqual)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Mutate_Unsupported(t *testing.T) {
-	var err error
-	var mutate kyverno.Mutation
-	// case 1
-	rawMutate := []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "!(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-
-	checker := NewMutateFactory(mutate)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	// case 2
-	rawMutate = []byte(`
-	{
-		"overlay": {
-		   "spec": {
-			  "~(serviceAccountName)": "*",
-			  "automountServiceAccountToken": false
-		   }
-		}
-	 }`)
-
-	err = json.Unmarshal(rawMutate, &mutate)
-	assert.NilError(t, err)
-
-	checker = NewMutateFactory(mutate)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
diff --git a/pkg/policy/namespacedpv.go b/pkg/policy/namespacedpv.go
index 8dd83d1f12..654343d7df 100644
--- a/pkg/policy/namespacedpv.go
+++ b/pkg/policy/namespacedpv.go
@@ -1,13 +1,13 @@
 package policy
 
 import (
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	cache "k8s.io/client-go/tools/cache"
 )
 
 func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
 	pv := obj.(*kyverno.PolicyViolation)
-	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 
 	if pv.DeletionTimestamp != nil {
 		// On a restart of the controller manager, it's possible for an object to
@@ -20,16 +20,15 @@ func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
 	ps := pc.getPolicyForNamespacedPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		logger.V(4).Info("namepaced policy violation does not belong to an active policy, will be cleanedup")
+		glog.V(4).Infof("PolicyViolation %s does not belong to an active policy, will be cleanedup", pv.Name)
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil {
-			logger.Error(err, "failed to delete resource")
+			glog.Errorf("Failed to deleted policy violation %s: %v", pv.Name, err)
 			return
 		}
-		logger.V(4).Info("resource deleted")
+		glog.V(4).Infof("PolicyViolation %s deleted", pv.Name)
 		return
 	}
-
-	logger.V(4).Info("resource added")
+	glog.V(4).Infof("Orphan Policy Violation %s added.", pv.Name)
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -43,20 +42,19 @@ func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}
 		// Two different versions of the same replica set will always have different RVs.
 		return
 	}
-	logger := pc.log.WithValues("kind", curPV.Kind, "namespace", curPV.Namespace, "name", curPV.Name)
 
 	ps := pc.getPolicyForNamespacedPolicyViolation(curPV)
 	if len(ps) == 0 {
 		// there is no namespaced policy for this violation, so we can delete this cluster policy violation
-		logger.V(4).Info("nameapced policy violation does not belong to an active policy, will be cleanedup")
+		glog.V(4).Infof("Namespaced Policy Violation %s does not belong to an active policy, will be cleanedup", curPV.Name)
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(curPV.Namespace, curPV.Name); err != nil {
-			logger.Error(err, "failed to delete resource")
+			glog.Errorf("Failed to deleted namespaced policy violation %s: %v", curPV.Name, err)
 			return
 		}
-		logger.V(4).Info("resource deleted")
+		glog.V(4).Infof("Namespaced Policy Violation %s deleted", curPV.Name)
 		return
 	}
-	logger.V(4).Info("resource updated")
+	glog.V(4).Infof("Namespaced Policy sViolation %s updated", curPV.Name)
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
@@ -64,7 +62,6 @@ func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}
 }
 
 func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
-	logger := pc.log
 	pv, ok := obj.(*kyverno.PolicyViolation)
 	// When a delete is dropped, the relist will notice a PolicyViolation in the store not
 	// in the list, leading to the insertion of a tombstone object which contains
@@ -73,36 +70,34 @@ func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
 	if !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
-			logger.Info("Couldn't get object from tombstone", "obj", obj)
+			glog.Infof("Couldn't get object from tombstone %#v", obj)
 			return
 		}
 		pv, ok = tombstone.Obj.(*kyverno.PolicyViolation)
 		if !ok {
-			logger.Info("Couldn't get object from tombstone", "obj", obj)
+			glog.Infof("Couldn't get object from tombstone %#v", obj)
 			return
 		}
 	}
 
-	logger = logger.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	ps := pc.getPolicyForNamespacedPolicyViolation(pv)
 	if len(ps) == 0 {
 		// there is no cluster policy for this violation, so we can delete this cluster policy violation
-		logger.V(4).Info("nameapced policy violation does not belong to an active policy, will be cleanedup")
+		glog.V(4).Infof("Namespaced Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name)
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil {
-			logger.Error(err, "failed to delete resource")
+			glog.Errorf("Failed to deleted namespaced policy violation %s: %v", pv.Name, err)
 			return
 		}
-		logger.V(4).Info("resource deleted")
+		glog.V(4).Infof("Namespaced Policy Violation %s deleted", pv.Name)
 		return
 	}
-	logger.V(4).Info("resource updated")
+	glog.V(4).Infof("Namespaced PolicyViolation %s updated", pv.Name)
 	for _, p := range ps {
 		pc.enqueuePolicy(p)
 	}
 }
 
 func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.PolicyViolation) []*kyverno.ClusterPolicy {
-	logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name)
 	policies, err := pc.pLister.GetPolicyForNamespacedPolicyViolation(pv)
 	if err != nil || len(policies) == 0 {
 		return nil
@@ -114,7 +109,8 @@ func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.Po
 	if len(policies) > 1 {
 		// ControllerRef will ensure we don't do anything crazy, but more than one
 		// item in this list nevertheless constitutes user error.
-		logger.V(4).Info("user error! more than one policy is selecting policy violation", "labels", pv.Labels, "policy", policies[0].Name)
+		glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s",
+			pv.Name, pv.Labels, policies[0].Name)
 	}
 	return policies
 }
diff --git a/pkg/policy/report.go b/pkg/policy/report.go
index 476e07abb9..3614da9b32 100644
--- a/pkg/policy/report.go
+++ b/pkg/policy/report.go
@@ -3,7 +3,7 @@ package policy
 import (
 	"fmt"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/policyviolation"
@@ -13,12 +13,11 @@ import (
 // - has violation -> report
 // - no violation -> cleanup policy violations
 func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineResponse) {
-	logger := pc.log
 	// generate Events
-	eventInfos := generateEvents(pc.log, engineResponses)
+	eventInfos := generateEvents(engineResponses)
 	pc.eventGen.Add(eventInfos...)
 	// create policy violation
-	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
+	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
 	for i := range pvInfos {
 		pvInfos[i].FromSync = true
 	}
@@ -30,27 +29,39 @@ func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineRe
 	pc.cleanUp(engineResponses)
 }
 
-func generateEvents(log logr.Logger, ers []response.EngineResponse) []event.Info {
+func (pc *PolicyController) cleanUp(ers []response.EngineResponse) {
+	for _, er := range ers {
+		if !er.IsSuccesful() {
+			continue
+		}
+		if len(er.PolicyResponse.Rules) == 0 {
+			continue
+		}
+		// clean up after the policy has been corrected
+		pc.cleanUpPolicyViolation(er.PolicyResponse)
+	}
+}
+
+func generateEvents(ers []response.EngineResponse) []event.Info {
 	var eventInfos []event.Info
 	for _, er := range ers {
 		if er.IsSuccesful() {
 			continue
 		}
-		eventInfos = append(eventInfos, generateEventsPerEr(log, er)...)
+		eventInfos = append(eventInfos, generateEventsPerEr(er)...)
 	}
 	return eventInfos
 }
 
-func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.Info {
-	logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
+func generateEventsPerEr(er response.EngineResponse) []event.Info {
 	var eventInfos []event.Info
-	logger.V(4).Info("reporting results for policy")
+	glog.V(4).Infof("reporting results for policy '%s' application on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
 	for _, rule := range er.PolicyResponse.Rules {
 		if rule.Success {
 			continue
 		}
 		// generate event on resource for each failed rule
-		logger.V(4).Info("generating event on resource")
+		glog.V(4).Infof("generation event on resource '%s/%s/%s' for policy '%s'", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name, er.PolicyResponse.Policy)
 		e := event.Info{}
 		e.Kind = er.PolicyResponse.Resource.Kind
 		e.Namespace = er.PolicyResponse.Resource.Namespace
@@ -65,7 +76,7 @@ func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.In
 	}
 
 	// generate a event on policy for all failed rules
-	logger.V(4).Info("generating event on policy")
+	glog.V(4).Infof("generation event on policy '%s'", er.PolicyResponse.Policy)
 	e := event.Info{}
 	e.Kind = "ClusterPolicy"
 	e.Namespace = ""
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index cffa69fe68..9dec98a2c9 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -5,12 +5,16 @@ import (
 	"errors"
 	"fmt"
 	"reflect"
+	"regexp"
+	"strconv"
 	"strings"
 
+	"github.com/golang/glog"
+
 	"github.com/nirmata/kyverno/pkg/openapi"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	dclient "github.com/nirmata/kyverno/pkg/dclient"
+	"github.com/nirmata/kyverno/pkg/engine/anchor"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -18,10 +22,11 @@ import (
 // Validate does some initial check to verify some conditions
 // - One operation per rule
 // - ResourceDescription mandatory checks
-func Validate(policyRaw []byte, client *dclient.Client, mock bool) error {
+func Validate(policyRaw []byte) error {
 	var p kyverno.ClusterPolicy
 	err := json.Unmarshal(policyRaw, &p)
 	if err != nil {
+		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
 		return fmt.Errorf("failed to unmarshal policy admission request err %v", err)
 	}
 
@@ -57,12 +62,24 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool) error {
 			// as there are more than 1 operation in rule, not need to evaluate it further
 			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
 		}
-		// validate rule actions
-		// - Mutate
-		// - Validate
-		// - Generate
-		if err := validateActions(i, rule, client, mock); err != nil {
-			return err
+		// Operation Validation
+		// Mutation
+		if rule.HasMutate() {
+			if path, err := validateMutation(rule.Mutation); err != nil {
+				return fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", i, path, err)
+			}
+		}
+		// Validation
+		if rule.HasValidate() {
+			if path, err := validateValidation(rule.Validation); err != nil {
+				return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", i, path, err)
+			}
+		}
+		// Generation
+		if rule.HasGenerate() {
+			if path, err := validateGeneration(rule.Generation); err != nil {
+				return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", i, path, err)
+			}
 		}
 
 		// If a rules match block does not match any kind,
@@ -261,3 +278,193 @@ func validateResourceDescription(rd kyverno.ResourceDescription) error {
 	}
 	return nil
 }
+
+func validateMutation(m kyverno.Mutation) (string, error) {
+	// JSON Patches
+	if len(m.Patches) != 0 {
+		for i, patch := range m.Patches {
+			if err := validatePatch(patch); err != nil {
+				return fmt.Sprintf("patch[%d]", i), err
+			}
+		}
+	}
+	// Overlay
+	if m.Overlay != nil {
+		path, err := validatePattern(m.Overlay, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsAddingAnchor})
+		if err != nil {
+			return path, err
+		}
+	}
+	return "", nil
+}
+
+// Validate if all mandatory PolicyPatch fields are set
+func validatePatch(pp kyverno.Patch) error {
+	if pp.Path == "" {
+		return errors.New("JSONPatch field 'path' is mandatory")
+	}
+	if pp.Operation == "add" || pp.Operation == "replace" {
+		if pp.Value == nil {
+			return fmt.Errorf("JSONPatch field 'value' is mandatory for operation '%s'", pp.Operation)
+		}
+
+		return nil
+	} else if pp.Operation == "remove" {
+		return nil
+	}
+
+	return fmt.Errorf("Unsupported JSONPatch operation '%s'", pp.Operation)
+}
+
+func validateValidation(v kyverno.Validation) (string, error) {
+	if err := validateOverlayPattern(v); err != nil {
+		// no need to proceed ahead
+		return "", err
+	}
+
+	if v.Pattern != nil {
+		if path, err := validatePattern(v.Pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
+			return fmt.Sprintf("pattern.%s", path), err
+		}
+	}
+
+	if len(v.AnyPattern) != 0 {
+		for i, pattern := range v.AnyPattern {
+			if path, err := validatePattern(pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
+				return fmt.Sprintf("anyPattern[%d].%s", i, path), err
+			}
+		}
+	}
+	return "", nil
+}
+
+// validateOverlayPattern checks one of pattern/anyPattern must exist
+func validateOverlayPattern(v kyverno.Validation) error {
+	if v.Pattern == nil && len(v.AnyPattern) == 0 {
+		return fmt.Errorf("a pattern or anyPattern must be specified")
+	}
+
+	if v.Pattern != nil && len(v.AnyPattern) != 0 {
+		return fmt.Errorf("only one operation allowed per validation rule(pattern or anyPattern)")
+	}
+
+	return nil
+}
+
+// Validate returns error if generator is configured incompletely
+func validateGeneration(gen kyverno.Generation) (string, error) {
+
+	if gen.Data == nil && gen.Clone == (kyverno.CloneFrom{}) {
+		return "", fmt.Errorf("clone or data are required")
+	}
+	if gen.Data != nil && gen.Clone != (kyverno.CloneFrom{}) {
+		return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)")
+	}
+	// check kind is non empty
+	// check name is non empty
+	if gen.Name == "" {
+		return "name", fmt.Errorf("name cannot be empty")
+	}
+	if gen.Kind == "" {
+		return "kind", fmt.Errorf("kind cannot be empty")
+	}
+	if !reflect.DeepEqual(gen.Clone, kyverno.CloneFrom{}) {
+		if path, err := validateClone(gen.Clone); err != nil {
+			return fmt.Sprintf("clone.%s", path), err
+		}
+	}
+	if gen.Data != nil {
+		//TODO: is this required ?? as anchors can only be on pattern and not resource
+		// we can add this check by not sure if its needed here
+		if path, err := validatePattern(gen.Data, "/", []anchor.IsAnchor{}); err != nil {
+			return fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err)
+		}
+	}
+	return "", nil
+}
+
+func validateClone(c kyverno.CloneFrom) (string, error) {
+	if c.Name == "" {
+		return "name", fmt.Errorf("name cannot be empty")
+	}
+	if c.Namespace == "" {
+		return "namespace", fmt.Errorf("namespace cannot be empty")
+	}
+	return "", nil
+}
+
+func validatePattern(patternElement interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
+	switch typedPatternElement := patternElement.(type) {
+	case map[string]interface{}:
+		return validateMap(typedPatternElement, path, supportedAnchors)
+	case []interface{}:
+		return validateArray(typedPatternElement, path, supportedAnchors)
+	case string, float64, int, int64, bool, nil:
+		//TODO? check operator
+		return "", nil
+	default:
+		return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path)
+	}
+}
+
+func validateMap(patternMap map[string]interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
+	// check if anchors are defined
+	for key, value := range patternMap {
+		// if key is anchor
+		// check regex () -> this is anchor
+		// ()
+		// single char ()
+		re, err := regexp.Compile(`^.?\(.+\)$`)
+		if err != nil {
+			return path + "/" + key, fmt.Errorf("Unable to parse the field %s: %v", key, err)
+		}
+
+		matched := re.MatchString(key)
+		// check the type of anchor
+		if matched {
+			// some type of anchor
+			// check if valid anchor
+			if !checkAnchors(key, supportedAnchors) {
+				return path + "/" + key, fmt.Errorf("Unsupported anchor %s", key)
+			}
+
+			// addition check for existence anchor
+			// value must be of type list
+			if anchor.IsExistenceAnchor(key) {
+				typedValue, ok := value.([]interface{})
+				if !ok {
+					return path + "/" + key, fmt.Errorf("Existence anchor should have value of type list")
+				}
+				// validate there is only one entry in the list
+				if len(typedValue) == 0 || len(typedValue) > 1 {
+					return path + "/" + key, fmt.Errorf("Existence anchor: single value expected, multiple specified")
+				}
+			}
+		}
+		// lets validate the values now :)
+		if errPath, err := validatePattern(value, path+"/"+key, supportedAnchors); err != nil {
+			return errPath, err
+		}
+	}
+	return "", nil
+}
+
+func validateArray(patternArray []interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) {
+	for i, patternElement := range patternArray {
+		currentPath := path + strconv.Itoa(i) + "/"
+		// lets validate the values now :)
+		if errPath, err := validatePattern(patternElement, currentPath, supportedAnchors); err != nil {
+			return errPath, err
+		}
+	}
+	return "", nil
+}
+
+func checkAnchors(key string, supportedAnchors []anchor.IsAnchor) bool {
+	for _, f := range supportedAnchors {
+		if f(key) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go
deleted file mode 100644
index 3889f9f163..0000000000
--- a/pkg/policy/validate/validate.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package validate
-
-import (
-	"fmt"
-
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"github.com/nirmata/kyverno/pkg/engine/anchor"
-	"github.com/nirmata/kyverno/pkg/policy/common"
-)
-
-// Validate provides implementation to validate 'validate' rule
-type Validate struct {
-	// rule to hold 'validate' rule specifications
-	rule kyverno.Validation
-}
-
-//NewValidateFactory returns a new instance of Mutate validation checker
-func NewValidateFactory(rule kyverno.Validation) *Validate {
-	m := Validate{
-		rule: rule,
-	}
-	return &m
-}
-
-//Validate validates the 'validate' rule
-func (v *Validate) Validate() (string, error) {
-	rule := v.rule
-	if err := v.validateOverlayPattern(); err != nil {
-		// no need to proceed ahead
-		return "", err
-	}
-
-	if rule.Pattern != nil {
-		if path, err := common.ValidatePattern(rule.Pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
-			return fmt.Sprintf("pattern.%s", path), err
-		}
-	}
-
-	if len(rule.AnyPattern) != 0 {
-		for i, pattern := range rule.AnyPattern {
-			if path, err := common.ValidatePattern(pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil {
-				return fmt.Sprintf("anyPattern[%d].%s", i, path), err
-			}
-		}
-	}
-	return "", nil
-}
-
-// validateOverlayPattern checks one of pattern/anyPattern must exist
-func (v *Validate) validateOverlayPattern() error {
-	rule := v.rule
-	if rule.Pattern == nil && len(rule.AnyPattern) == 0 {
-		return fmt.Errorf("a pattern or anyPattern must be specified")
-	}
-
-	if rule.Pattern != nil && len(rule.AnyPattern) != 0 {
-		return fmt.Errorf("only one operation allowed per validation rule(pattern or anyPattern)")
-	}
-
-	return nil
-}
diff --git a/pkg/policy/validate/validate_test.go b/pkg/policy/validate/validate_test.go
deleted file mode 100644
index ee83204707..0000000000
--- a/pkg/policy/validate/validate_test.go
+++ /dev/null
@@ -1,381 +0,0 @@
-package validate
-
-import (
-	"encoding/json"
-	"testing"
-
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"gotest.tools/assert"
-)
-
-func Test_Validate_OverlayPattern_Empty(t *testing.T) {
-	rawValidation := []byte(`
-   {}`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-
-	checker := NewValidateFactory(validation)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) {
-	rawValidation := []byte(`
- 	{ "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
-      }
-	`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	checker := NewValidateFactory(validation)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) {
-	rawValidation := []byte(`
-	{
-		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
-		"anyPattern": [
-		  {
-			"spec": {
-			  "securityContext": {
-				"allowPrivilegeEscalation": false,
-				"privileged": false
-			  }
-			}
-		  }
-		],
-		"pattern": {
-		  "spec": {
-			"containers": [
-			  {
-				"name": "*",
-				"securityContext": {
-				  "allowPrivilegeEscalation": false,
-				  "privileged": false
-				}
-			  }
-			]
-		  }
-		}
-	  }`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	checker := NewValidateFactory(validation)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-func Test_Validate_OverlayPattern_Valid(t *testing.T) {
-	rawValidation := []byte(`
-	{
-		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
-		"anyPattern": [
-		  {
-			"spec": {
-			  "securityContext": {
-				"allowPrivilegeEscalation": false,
-				"privileged": false
-			  }
-			}
-		  },
-		  {
-			"spec": {
-			  "containers": [
-				{
-				  "name": "*",
-				  "securityContext": {
-					"allowPrivilegeEscalation": false,
-					"privileged": false
-				  }
-				}
-			  ]
-			}
-		  }
-		]
-	  }
-`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	checker := NewValidateFactory(validation)
-	if _, err := checker.Validate(); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) {
-	rawValidation := []byte(`
-	{
-		"message": "validate container security contexts",
-		"anyPattern": [
-		  {
-			"spec": {
-			  "template": {
-				"spec": {
-				  "containers": [
-					{
-					  "^(securityContext)": {
-						"runAsNonRoot": true
-					  }
-					}
-				  ]
-				}
-			  }
-			}
-		  }
-		]
-	  }
-`)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	checker := NewValidateFactory(validation)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) {
-	rawValidation := []byte(`{
-		"message": "validate container security contexts",
-		"pattern": {
-		  "spec": {
-			"template": {
-			  "spec": {
-				"containers": [
-				  {
-					"securityContext": {
-					  "allowPrivilegeEscalation": "^(false)"
-					}
-				  }
-				]
-			  }
-			}
-		  }
-		}
-	  }
-	  		  `)
-
-	var validation kyverno.Validation
-	err := json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	checker := NewValidateFactory(validation)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_ExistingAnchor_Valid(t *testing.T) {
-	var err error
-	var validation kyverno.Validation
-	rawValidation := []byte(`
-	{
-		"message": "validate container security contexts",
-		"anyPattern": [
-		   {
-			  "spec": {
-				 "template": {
-					"spec": {
-					   "^(containers)": [
-						  {
-							 "securityContext": {
-								"runAsNonRoot": "true"
-							 }
-						  }
-					   ]
-					}
-				 }
-			  }
-		   }
-		]
-	 }`)
-
-	err = json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	checker := NewValidateFactory(validation)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-	rawValidation = []byte(`
-	{
-		"message": "validate container security contexts",
-		"pattern": {
-		   "spec": {
-			  "template": {
-				 "spec": {
-					"^(containers)": [
-					   {
-						  "securityContext": {
-							 "allowPrivilegeEscalation": "false"
-						  }
-					   }
-					]
-				 }
-			  }
-		   }
-		}
-	 }	`)
-	err = json.Unmarshal(rawValidation, &validation)
-	assert.NilError(t, err)
-	checker = NewValidateFactory(validation)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-}
-
-func Test_Validate_Validate_ValidAnchor(t *testing.T) {
-	var err error
-	var validate kyverno.Validation
-	var rawValidate []byte
-	// case 1
-	rawValidate = []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"anyPattern": [
-		    {
-			  "spec": {
-				 "securityContext": {
-					"(runAsNonRoot)": true
-				 }
-			  }
-		   },
-		   {
-			  "spec": {
-				 "^(containers)": [
-					{
-					   "name": "*",
-					   "securityContext": {
-						  "runAsNonRoot": true
-					   }
-					}
-				 ]
-			  }
-		   }
-		]
-	 }`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-
-	checker := NewValidateFactory(validate)
-	if _, err := checker.Validate(); err != nil {
-		assert.NilError(t, err)
-	}
-
-	// case 2
-	validate = kyverno.Validation{}
-	rawValidate = []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "=(securityContext)": {
-				 "runAsNonRoot": "true"
-			  }
-		   }
-		}
-	}`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-
-	checker = NewValidateFactory(validate)
-	if _, err := checker.Validate(); err != nil {
-		assert.NilError(t, err)
-	}
-}
-
-func Test_Validate_Validate_Mismatched(t *testing.T) {
-	rawValidate := []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "containers": [
-				 {
-					"name": "*",
-					"securityContext": {
-					   "+(runAsNonRoot)": true
-					}
-				 }
-			  ]
-		   }
-		}
-	 }`)
-
-	var validate kyverno.Validation
-	err := json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-	checker := NewValidateFactory(validate)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-}
-
-func Test_Validate_Validate_Unsupported(t *testing.T) {
-	var err error
-	var validate kyverno.Validation
-
-	// case 1
-	rawValidate := []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "containers": [
-				 {
-					"name": "*",
-					"securityContext": {
-					   "!(runAsNonRoot)": true
-					}
-				 }
-			  ]
-		   }
-		}
-	}`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-	checker := NewValidateFactory(validate)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-	// case 2
-	rawValidate = []byte(`
-	{
-		"message": "Root user is not allowed. Set runAsNonRoot to true.",
-		"pattern": {
-		   "spec": {
-			  "containers": [
-				 {
-					"name": "*",
-					"securityContext": {
-					   "~(runAsNonRoot)": true
-					}
-				 }
-			  ]
-		   }
-		}
-	}`)
-
-	err = json.Unmarshal(rawValidate, &validate)
-	assert.NilError(t, err)
-
-	checker = NewValidateFactory(validate)
-	if _, err := checker.Validate(); err != nil {
-		assert.Assert(t, err != nil)
-	}
-
-}
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index bd239995cc..9082e9322a 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -287,6 +287,369 @@ func Test_Validate_ResourceDescription_InvalidSelector(t *testing.T) {
 	assert.Assert(t, err != nil)
 }
 
+func Test_Validate_OverlayPattern_Empty(t *testing.T) {
+	rawValidation := []byte(`
+   {}`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+
+	if _, err := validateValidation(validation); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) {
+	rawValidation := []byte(`
+ 	{ "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
+      }
+	`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	if _, err := validateValidation(validation); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) {
+	rawValidation := []byte(`
+	{
+		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
+		"anyPattern": [
+		  {
+			"spec": {
+			  "securityContext": {
+				"allowPrivilegeEscalation": false,
+				"privileged": false
+			  }
+			}
+		  }
+		],
+		"pattern": {
+		  "spec": {
+			"containers": [
+			  {
+				"name": "*",
+				"securityContext": {
+				  "allowPrivilegeEscalation": false,
+				  "privileged": false
+				}
+			  }
+			]
+		  }
+		}
+	  }`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	if _, err := validateValidation(validation); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_OverlayPattern_Valid(t *testing.T) {
+	rawValidation := []byte(`
+	{
+		"message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false",
+		"anyPattern": [
+		  {
+			"spec": {
+			  "securityContext": {
+				"allowPrivilegeEscalation": false,
+				"privileged": false
+			  }
+			}
+		  },
+		  {
+			"spec": {
+			  "containers": [
+				{
+				  "name": "*",
+				  "securityContext": {
+					"allowPrivilegeEscalation": false,
+					"privileged": false
+				  }
+				}
+			  ]
+			}
+		  }
+		]
+	  }
+`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	if _, err := validateValidation(validation); err != nil {
+		assert.NilError(t, err)
+	}
+
+}
+
+func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) {
+	rawValidation := []byte(`
+	{
+		"message": "validate container security contexts",
+		"anyPattern": [
+		  {
+			"spec": {
+			  "template": {
+				"spec": {
+				  "containers": [
+					{
+					  "^(securityContext)": {
+						"runAsNonRoot": true
+					  }
+					}
+				  ]
+				}
+			  }
+			}
+		  }
+		]
+	  }
+`)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	if _, err := validateValidation(validation); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+}
+
+func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) {
+	rawValidation := []byte(`{
+		"message": "validate container security contexts",
+		"pattern": {
+		  "spec": {
+			"template": {
+			  "spec": {
+				"containers": [
+				  {
+					"securityContext": {
+					  "allowPrivilegeEscalation": "^(false)"
+					}
+				  }
+				]
+			  }
+			}
+		  }
+		}
+	  }
+	  		  `)
+
+	var validation kyverno.Validation
+	err := json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	if _, err := validateValidation(validation); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_ExistingAnchor_Valid(t *testing.T) {
+	var err error
+	var validation kyverno.Validation
+	rawValidation := []byte(`
+	{
+		"message": "validate container security contexts",
+		"anyPattern": [
+		   {
+			  "spec": {
+				 "template": {
+					"spec": {
+					   "^(containers)": [
+						  {
+							 "securityContext": {
+								"runAsNonRoot": "true"
+							 }
+						  }
+					   ]
+					}
+				 }
+			  }
+		   }
+		]
+	 }`)
+
+	err = json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	if _, err := validateValidation(validation); err != nil {
+		assert.Assert(t, err != nil)
+	}
+	rawValidation = []byte(`
+	{
+		"message": "validate container security contexts",
+		"pattern": {
+		   "spec": {
+			  "template": {
+				 "spec": {
+					"^(containers)": [
+					   {
+						  "securityContext": {
+							 "allowPrivilegeEscalation": "false"
+						  }
+					   }
+					]
+				 }
+			  }
+		   }
+		}
+	 }	`)
+	err = json.Unmarshal(rawValidation, &validation)
+	assert.NilError(t, err)
+	if _, err := validateValidation(validation); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+}
+
+func Test_Validate_Validate_ValidAnchor(t *testing.T) {
+	var err error
+	var validate kyverno.Validation
+	var rawValidate []byte
+	// case 1
+	rawValidate = []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"anyPattern": [
+		    {
+			  "spec": {
+				 "securityContext": {
+					"(runAsNonRoot)": true
+				 }
+			  }
+		   },
+		   {
+			  "spec": {
+				 "^(containers)": [
+					{
+					   "name": "*",
+					   "securityContext": {
+						  "runAsNonRoot": true
+					   }
+					}
+				 ]
+			  }
+		   }
+		]
+	 }`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+
+	if _, err := validateValidation(validate); err != nil {
+		assert.NilError(t, err)
+	}
+
+	// case 2
+	validate = kyverno.Validation{}
+	rawValidate = []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "=(securityContext)": {
+				 "runAsNonRoot": "true"
+			  }
+		   }
+		}
+	}`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+
+	if _, err := validateValidation(validate); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_Validate_Mismatched(t *testing.T) {
+	rawValidate := []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "containers": [
+				 {
+					"name": "*",
+					"securityContext": {
+					   "+(runAsNonRoot)": true
+					}
+				 }
+			  ]
+		   }
+		}
+	 }`)
+
+	var validate kyverno.Validation
+	err := json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+	if _, err := validateValidation(validate); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Validate_Unsupported(t *testing.T) {
+	var err error
+	var validate kyverno.Validation
+
+	// case 1
+	rawValidate := []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "containers": [
+				 {
+					"name": "*",
+					"securityContext": {
+					   "!(runAsNonRoot)": true
+					}
+				 }
+			  ]
+		   }
+		}
+	}`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+	if _, err := validateValidation(validate); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	// case 2
+	rawValidate = []byte(`
+	{
+		"message": "Root user is not allowed. Set runAsNonRoot to true.",
+		"pattern": {
+		   "spec": {
+			  "containers": [
+				 {
+					"name": "*",
+					"securityContext": {
+					   "~(runAsNonRoot)": true
+					}
+				 }
+			  ]
+		   }
+		}
+	}`)
+
+	err = json.Unmarshal(rawValidate, &validate)
+	assert.NilError(t, err)
+
+	if _, err := validateValidation(validate); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+}
+
 func Test_Validate_Policy(t *testing.T) {
 	rawPolicy := []byte(`
 	{
@@ -369,10 +732,225 @@ func Test_Validate_Policy(t *testing.T) {
 		}
 	 }`)
 
-	err := Validate(rawPolicy, nil, true)
+	err := Validate(rawPolicy)
 	assert.NilError(t, err)
 }
 
+func Test_Validate_Mutate_ConditionAnchor(t *testing.T) {
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		  "spec": {
+			"(serviceAccountName)": "*",
+			"automountServiceAccountToken": false
+		  }
+		}
+	  }`)
+
+	var mutate kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+	if _, err := validateMutation(mutate); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_Mutate_PlusAnchor(t *testing.T) {
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "+(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	var mutate kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+
+	if _, err := validateMutation(mutate); err != nil {
+		assert.NilError(t, err)
+	}
+}
+
+func Test_Validate_Mutate_Mismatched(t *testing.T) {
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "^(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	var mutateExistence kyverno.Mutation
+	err := json.Unmarshal(rawMutate, &mutateExistence)
+	assert.NilError(t, err)
+
+	if _, err := validateMutation(mutateExistence); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	var mutateEqual kyverno.Mutation
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "=(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutateEqual)
+	assert.NilError(t, err)
+
+	if _, err := validateMutation(mutateEqual); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	var mutateNegation kyverno.Mutation
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "X(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutateNegation)
+	assert.NilError(t, err)
+
+	if _, err := validateMutation(mutateEqual); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Mutate_Unsupported(t *testing.T) {
+	var err error
+	var mutate kyverno.Mutation
+	// case 1
+	rawMutate := []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "!(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+
+	if _, err := validateMutation(mutate); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	// case 2
+	rawMutate = []byte(`
+	{
+		"overlay": {
+		   "spec": {
+			  "~(serviceAccountName)": "*",
+			  "automountServiceAccountToken": false
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawMutate, &mutate)
+	assert.NilError(t, err)
+
+	if _, err := validateMutation(mutate); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Generate(t *testing.T) {
+	rawGenerate := []byte(`
+	{
+		"kind": "NetworkPolicy",
+		"name": "defaultnetworkpolicy",
+		"data": {
+		   "spec": {
+			  "podSelector": {},
+			  "policyTypes": [
+				 "Ingress",
+				 "Egress"
+			  ],
+			  "ingress": [
+				 {}
+			  ],
+			  "egress": [
+				 {}
+			  ]
+		   }
+		}
+	 }`)
+
+	var generate kyverno.Generation
+	err := json.Unmarshal(rawGenerate, &generate)
+	assert.NilError(t, err)
+
+	if _, err := validateGeneration(generate); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
+func Test_Validate_Generate_HasAnchors(t *testing.T) {
+	var err error
+	var generate kyverno.Generation
+	rawGenerate := []byte(`
+	{
+		"kind": "NetworkPolicy",
+		"name": "defaultnetworkpolicy",
+		"data": {
+		   "spec": {
+			  "(podSelector)": {},
+			  "policyTypes": [
+				 "Ingress",
+				 "Egress"
+			  ],
+			  "ingress": [
+				 {}
+			  ],
+			  "egress": [
+				 {}
+			  ]
+		   }
+		}
+	 }`)
+
+	err = json.Unmarshal(rawGenerate, &generate)
+	assert.NilError(t, err)
+	if _, err := validateGeneration(generate); err != nil {
+		assert.Assert(t, err != nil)
+	}
+
+	rawGenerate = []byte(`
+	{
+		"kind": "ConfigMap",
+		"name": "copied-cm",
+		"clone": {
+		   "^(namespace)": "default",
+		   "name": "game"
+		}
+	 }`)
+
+	errNew := json.Unmarshal(rawGenerate, &generate)
+	assert.NilError(t, errNew)
+	err = json.Unmarshal(rawGenerate, &generate)
+	assert.NilError(t, err)
+	if _, err := validateGeneration(generate); err != nil {
+		assert.Assert(t, err != nil)
+	}
+}
+
 func Test_Validate_ErrorFormat(t *testing.T) {
 	rawPolicy := []byte(`
 	{
@@ -511,7 +1089,7 @@ func Test_Validate_ErrorFormat(t *testing.T) {
 	 }
 	`)
 
-	err := Validate(rawPolicy, nil, true)
+	err := Validate(rawPolicy)
 	assert.Assert(t, err != nil)
 }
 
diff --git a/pkg/policy/webhookregistration.go b/pkg/policy/webhookregistration.go
index 5c8fc0aa69..f4b2188b2a 100644
--- a/pkg/policy/webhookregistration.go
+++ b/pkg/policy/webhookregistration.go
@@ -1,25 +1,25 @@
 package policy
 
 import (
+	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/labels"
 )
 
 func (pc *PolicyController) removeResourceWebhookConfiguration() error {
-	logger := pc.log
 	var err error
 	// get all existing policies
 	policies, err := pc.pLister.List(labels.NewSelector())
 	if err != nil {
-		logger.Error(err, "failed to list policies")
+		glog.V(4).Infof("failed to list policies: %v", err)
 		return err
 	}
 
 	if len(policies) == 0 {
-		logger.V(4).Info("no policies loaded, removing resource webhook configuration if one exists")
+		glog.V(4).Info("no policies loaded, removing resource webhook configuration if one exists")
 		return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration()
 	}
 
-	logger.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists")
+	glog.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists")
 
 	return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration()
 }
diff --git a/pkg/policystatus/main.go b/pkg/policystatus/main.go
index b21ff2e505..3e633aaf82 100644
--- a/pkg/policystatus/main.go
+++ b/pkg/policystatus/main.go
@@ -2,16 +2,16 @@ package policystatus
 
 import (
 	"encoding/json"
-	"fmt"
 	"sync"
 	"time"
 
+	"github.com/golang/glog"
+
 	"k8s.io/apimachinery/pkg/util/wait"
 
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // Policy status implementation works in the following way,
@@ -111,7 +111,8 @@ func (s *Sync) updateStatusCache(stopCh <-chan struct{}) {
 			s.cache.keyToMutex.Get(statusUpdater.PolicyName()).Unlock()
 			oldStatus, _ := json.Marshal(status)
 			newStatus, _ := json.Marshal(updatedStatus)
-			log.Log.V(4).Info(fmt.Sprintf("\nupdated status of policy - %v\noldStatus:\n%v\nnewStatus:\n%v\n", statusUpdater.PolicyName(), string(oldStatus), string(newStatus)))
+
+			glog.V(4).Infof("\nupdated status of policy - %v\noldStatus:\n%v\nnewStatus:\n%v\n", statusUpdater.PolicyName(), string(oldStatus), string(newStatus))
 		case <-stopCh:
 			return
 		}
@@ -139,7 +140,7 @@ func (s *Sync) updatePolicyStatus() {
 			s.cache.dataMu.Lock()
 			delete(s.cache.data, policyName)
 			s.cache.dataMu.Unlock()
-			log.Log.Error(err, "failed to update policy status")
+			glog.V(4).Info(err)
 		}
 	}
 }
diff --git a/pkg/policystore/policystore.go b/pkg/policystore/policystore.go
index 0ecfd5ea32..f8a8e30874 100644
--- a/pkg/policystore/policystore.go
+++ b/pkg/policystore/policystore.go
@@ -3,11 +3,12 @@ package policystore
 import (
 	"sync"
 
-	"github.com/go-logr/logr"
+	"k8s.io/apimachinery/pkg/labels"
+
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
-	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/tools/cache"
 )
 
@@ -23,7 +24,6 @@ type PolicyStore struct {
 	pLister kyvernolister.ClusterPolicyLister
 	// returns true if the cluster policy store has been synced at least once
 	pSynched cache.InformerSynced
-	log      logr.Logger
 }
 
 //UpdateInterface provides api to update policies
@@ -40,29 +40,25 @@ type LookupInterface interface {
 }
 
 // NewPolicyStore returns a new policy store
-func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer,
-	log logr.Logger) *PolicyStore {
+func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer) *PolicyStore {
 	ps := PolicyStore{
 		data:     make(kindMap),
 		pLister:  pInformer.Lister(),
 		pSynched: pInformer.Informer().HasSynced,
-		log:      log,
 	}
 	return &ps
 }
 
 //Run checks syncing
 func (ps *PolicyStore) Run(stopCh <-chan struct{}) {
-	logger := ps.log
 	if !cache.WaitForCacheSync(stopCh, ps.pSynched) {
-		logger.Info("failed to sync informer cache")
+		glog.Error("policy meta store: failed to sync informer cache")
 	}
 }
 
 //Register a new policy
 func (ps *PolicyStore) Register(policy kyverno.ClusterPolicy) {
-	logger := ps.log
-	logger.V(4).Info("adding policy", "name", policy.Name)
+	glog.V(4).Infof("adding resources %s", policy.Name)
 	ps.mu.Lock()
 	defer ps.mu.Unlock()
 	var pmap policyMap
diff --git a/pkg/policyviolation/builder.go b/pkg/policyviolation/builder.go
index da556697be..1de366eb66 100644
--- a/pkg/policyviolation/builder.go
+++ b/pkg/policyviolation/builder.go
@@ -3,23 +3,24 @@ package policyviolation
 import (
 	"fmt"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 )
 
 //GeneratePVsFromEngineResponse generate Violations from engine responses
-func GeneratePVsFromEngineResponse(ers []response.EngineResponse, log logr.Logger) (pvInfos []Info) {
+func GeneratePVsFromEngineResponse(ers []response.EngineResponse) (pvInfos []Info) {
 	for _, er := range ers {
 		// ignore creation of PV for resources that are yet to be assigned a name
 		if er.PolicyResponse.Resource.Name == "" {
-			log.V(4).Info("resource does no have a name assigned yet, not creating a policy violation", "resource", er.PolicyResponse.Resource)
+			glog.V(4).Infof("resource %v, has not been assigned a name, not creating a policy violation for it", er.PolicyResponse.Resource)
 			continue
 		}
 		// skip when response succeed
 		if er.IsSuccesful() {
 			continue
 		}
+		glog.V(4).Infof("Building policy violation for engine response %v", er)
 		// build policy violation info
 		pvInfos = append(pvInfos, buildPVInfo(er))
 	}
diff --git a/pkg/policyviolation/builder_test.go b/pkg/policyviolation/builder_test.go
index a44314f9f2..bd3f8c97f0 100644
--- a/pkg/policyviolation/builder_test.go
+++ b/pkg/policyviolation/builder_test.go
@@ -5,7 +5,6 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"gotest.tools/assert"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func Test_GeneratePVsFromEngineResponse_PathNotExist(t *testing.T) {
@@ -53,6 +52,6 @@ func Test_GeneratePVsFromEngineResponse_PathNotExist(t *testing.T) {
 		},
 	}
 
-	pvInfos := GeneratePVsFromEngineResponse(ers, log.Log)
+	pvInfos := GeneratePVsFromEngineResponse(ers)
 	assert.Assert(t, len(pvInfos) == 1)
 }
diff --git a/pkg/policyviolation/clusterpv.go b/pkg/policyviolation/clusterpv.go
index 4cb26ea216..c9336f8059 100644
--- a/pkg/policyviolation/clusterpv.go
+++ b/pkg/policyviolation/clusterpv.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
@@ -21,13 +21,11 @@ type clusterPV struct {
 	cpvLister kyvernolister.ClusterPolicyViolationLister
 	// policy violation interface
 	kyvernoInterface kyvernov1.KyvernoV1Interface
-	// logger
-	log logr.Logger
 	// update policy stats with violationCount
 	policyStatusListener policystatus.Listener
 }
 
-func newClusterPV(log logr.Logger, dclient *client.Client,
+func newClusterPV(dclient *client.Client,
 	cpvLister kyvernolister.ClusterPolicyViolationLister,
 	kyvernoInterface kyvernov1.KyvernoV1Interface,
 	policyStatus policystatus.Listener,
@@ -36,7 +34,6 @@ func newClusterPV(log logr.Logger, dclient *client.Client,
 		dclient:              dclient,
 		cpvLister:            cpvLister,
 		kyvernoInterface:     kyvernoInterface,
-		log:                  log,
 		policyStatusListener: policyStatus,
 	}
 	return &cpv
@@ -59,7 +56,6 @@ func (cpv *clusterPV) create(pv kyverno.PolicyViolationTemplate) error {
 }
 
 func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyverno.ClusterPolicyViolation, error) {
-	logger := cpv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name)
 	var err error
 	// use labels
 	policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
@@ -70,7 +66,7 @@ func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyvern
 
 	pvs, err := cpv.cpvLister.List(ls)
 	if err != nil {
-		logger.Error(err, "failed to list cluster policy violations")
+		glog.Errorf("unable to list cluster policy violations : %v", err)
 		return nil, err
 	}
 
@@ -87,8 +83,7 @@ func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyvern
 
 func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 	var err error
-	logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
-	logger.V(4).Info("creating new policy violation")
+	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Name)
 	obj, err := retryGetResource(cpv.dclient, newPv.Spec.ResourceSpec)
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
@@ -100,7 +95,7 @@ func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 	// create resource
 	_, err = cpv.kyvernoInterface.ClusterPolicyViolations().Create(newPv)
 	if err != nil {
-		logger.Error(err, "failed to create cluster policy violation")
+		glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err)
 		return err
 	}
 
@@ -108,16 +103,15 @@ func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 		cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
 	}
 
-	logger.Info("cluster policy violation created")
+	glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec)
 	return nil
 }
 
 func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) error {
-	logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
 	var err error
 	// check if there is any update
 	if reflect.DeepEqual(newPv.Spec, oldPv.Spec) {
-		logger.V(4).Info("policy violation spec did not change, not upadating the resource")
+		glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec)
 		return nil
 	}
 	// set name
@@ -129,7 +123,7 @@ func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) err
 	if err != nil {
 		return fmt.Errorf("failed to update cluster policy violation: %v", err)
 	}
-	logger.Info("cluster policy violation created")
+	glog.Infof("cluster policy violation updated for resource %v", newPv.Spec.ResourceSpec)
 
 	if newPv.Annotations["fromSync"] != "true" {
 		cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
diff --git a/pkg/policyviolation/common.go b/pkg/policyviolation/common.go
index e2211edb13..6f077b25b8 100644
--- a/pkg/policyviolation/common.go
+++ b/pkg/policyviolation/common.go
@@ -5,13 +5,13 @@ import (
 	"time"
 
 	backoff "github.com/cenkalti/backoff"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerReference {
@@ -34,7 +34,7 @@ func retryGetResource(client *client.Client, rspec kyverno.ResourceSpec) (*unstr
 	var err error
 	getResource := func() error {
 		obj, err = client.GetResource(rspec.Kind, rspec.Namespace, rspec.Name)
-		log.Log.V(4).Info(fmt.Sprintf("retry %v getting %s/%s/%s", i, rspec.Kind, rspec.Namespace, rspec.Name))
+		glog.V(4).Infof("retry %v getting %s/%s/%s", i, rspec.Kind, rspec.Namespace, rspec.Name)
 		i++
 		return err
 	}
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index ed3ffe76a2..db5ca63fcd 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -8,7 +8,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
@@ -38,7 +38,6 @@ type Generator struct {
 	// returns true if the cluster policy store has been synced at least once
 	pvSynced cache.InformerSynced
 	// returns true if the namespaced cluster policy store has been synced at at least once
-	log                  logr.Logger
 	nspvSynced           cache.InformerSynced
 	queue                workqueue.RateLimitingInterface
 	dataStore            *dataStore
@@ -108,8 +107,7 @@ func NewPVGenerator(client *kyvernoclient.Clientset,
 	dclient *dclient.Client,
 	pvInformer kyvernoinformer.ClusterPolicyViolationInformer,
 	nspvInformer kyvernoinformer.PolicyViolationInformer,
-	policyStatus policystatus.Listener,
-	log logr.Logger) *Generator {
+	policyStatus policystatus.Listener) *Generator {
 	gen := Generator{
 		kyvernoInterface:     client.KyvernoV1(),
 		dclient:              dclient,
@@ -119,7 +117,6 @@ func NewPVGenerator(client *kyvernoclient.Clientset,
 		nspvSynced:           nspvInformer.Informer().HasSynced,
 		queue:                workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), workQueueName),
 		dataStore:            newDataStore(),
-		log:                  log,
 		policyStatusListener: policyStatus,
 	}
 	return &gen
@@ -138,18 +135,18 @@ func (gen *Generator) enqueue(info Info) {
 func (gen *Generator) Add(infos ...Info) {
 	for _, info := range infos {
 		gen.enqueue(info)
+		glog.V(3).Infof("Added policy violation: %s", info.toKey())
 	}
 }
 
 // Run starts the workers
 func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
-	logger := gen.log
 	defer utilruntime.HandleCrash()
-	logger.Info("start")
-	defer logger.Info("shutting down")
+	glog.Info("Start policy violation generator")
+	defer glog.Info("Shutting down policy violation generator")
 
 	if !cache.WaitForCacheSync(stopCh, gen.pvSynced, gen.nspvSynced) {
-		logger.Info("failed to sync informer cache")
+		glog.Error("policy violation generator: failed to sync informer cache")
 	}
 
 	for i := 0; i < workers; i++ {
@@ -164,7 +161,6 @@ func (gen *Generator) runWorker() {
 }
 
 func (gen *Generator) handleErr(err error, key interface{}) {
-	logger := gen.log
 	if err == nil {
 		gen.queue.Forget(key)
 		return
@@ -172,22 +168,23 @@ func (gen *Generator) handleErr(err error, key interface{}) {
 
 	// retires requests if there is error
 	if gen.queue.NumRequeues(key) < workQueueRetryLimit {
-		logger.Error(err, "failed to sync policy violation", "key", key)
+		glog.V(4).Infof("Error syncing policy violation %v: %v", key, err)
 		// Re-enqueue the key rate limited. Based on the rate limiter on the
 		// queue and the re-enqueue history, the key will be processed later again.
 		gen.queue.AddRateLimited(key)
 		return
 	}
 	gen.queue.Forget(key)
+	glog.Error(err)
 	// remove from data store
 	if keyHash, ok := key.(string); ok {
 		gen.dataStore.delete(keyHash)
 	}
-	logger.Error(err, "dropping key out of the queue", "key", key)
+
+	glog.Warningf("Dropping the key out of the queue: %v", err)
 }
 
 func (gen *Generator) processNextWorkitem() bool {
-	logger := gen.log
 	obj, shutdown := gen.queue.Get()
 	if shutdown {
 		return false
@@ -199,7 +196,7 @@ func (gen *Generator) processNextWorkitem() bool {
 		var ok bool
 		if keyHash, ok = obj.(string); !ok {
 			gen.queue.Forget(obj)
-			logger.Info("incorrect type; expecting type 'string'", "obj", obj)
+			glog.Warningf("Expecting type string but got %v\n", obj)
 			return nil
 		}
 		// lookup data store
@@ -207,7 +204,7 @@ func (gen *Generator) processNextWorkitem() bool {
 		if reflect.DeepEqual(info, Info{}) {
 			// empty key
 			gen.queue.Forget(obj)
-			logger.Info("empty key")
+			glog.Warningf("Got empty key %v\n", obj)
 			return nil
 		}
 		err := gen.syncHandler(info)
@@ -215,22 +212,22 @@ func (gen *Generator) processNextWorkitem() bool {
 		return nil
 	}(obj)
 	if err != nil {
-		logger.Error(err, "failed to process item")
+		glog.Error(err)
 		return true
 	}
 	return true
 }
 
 func (gen *Generator) syncHandler(info Info) error {
-	logger := gen.log
+	glog.V(4).Infof("received info:%v", info)
 	var handler pvGenerator
 	builder := newPvBuilder()
 	if info.Resource.GetNamespace() == "" {
 		// cluster scope resource generate a clusterpolicy violation
-		handler = newClusterPV(gen.log.WithName("ClusterPV"), gen.dclient, gen.cpvLister, gen.kyvernoInterface, gen.policyStatusListener)
+		handler = newClusterPV(gen.dclient, gen.cpvLister, gen.kyvernoInterface, gen.policyStatusListener)
 	} else {
 		// namespaced resources generated a namespaced policy violation in the namespace of the resource
-		handler = newNamespacedPV(gen.log.WithName("NamespacedPV"), gen.dclient, gen.nspvLister, gen.kyvernoInterface, gen.policyStatusListener)
+		handler = newNamespacedPV(gen.dclient, gen.nspvLister, gen.kyvernoInterface, gen.policyStatusListener)
 	}
 
 	failure := false
@@ -243,12 +240,12 @@ func (gen *Generator) syncHandler(info Info) error {
 	}
 
 	// Create Policy Violations
-	logger.V(4).Info("creating policy violation", "key", info.toKey())
+	glog.V(3).Infof("Creating policy violation: %s", info.toKey())
 	if err := handler.create(pv); err != nil {
 		failure = true
-		logger.Error(err, "failed to create policy violation")
+		glog.V(3).Infof("Failed to create policy violation: %v", err)
 	} else {
-		logger.Info("created policy violation", "key", info.toKey())
+		glog.V(3).Infof("Policy violation created: %s", info.toKey())
 	}
 
 	if failure {
diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index 3b0202c6df..ff32748d0b 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
@@ -21,13 +21,11 @@ type namespacedPV struct {
 	nspvLister kyvernolister.PolicyViolationLister
 	// policy violation interface
 	kyvernoInterface kyvernov1.KyvernoV1Interface
-	// logger
-	log logr.Logger
 	// update policy status with violationCount
 	policyStatusListener policystatus.Listener
 }
 
-func newNamespacedPV(log logr.Logger, dclient *client.Client,
+func newNamespacedPV(dclient *client.Client,
 	nspvLister kyvernolister.PolicyViolationLister,
 	kyvernoInterface kyvernov1.KyvernoV1Interface,
 	policyStatus policystatus.Listener,
@@ -36,7 +34,6 @@ func newNamespacedPV(log logr.Logger, dclient *client.Client,
 		dclient:              dclient,
 		nspvLister:           nspvLister,
 		kyvernoInterface:     kyvernoInterface,
-		log:                  log,
 		policyStatusListener: policyStatus,
 	}
 	return &nspv
@@ -59,7 +56,6 @@ func (nspv *namespacedPV) create(pv kyverno.PolicyViolationTemplate) error {
 }
 
 func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.PolicyViolation, error) {
-	logger := nspv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name)
 	var err error
 	// use labels
 	policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
@@ -69,7 +65,7 @@ func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.P
 	}
 	pvs, err := nspv.nspvLister.PolicyViolations(newPv.GetNamespace()).List(ls)
 	if err != nil {
-		logger.Error(err, "failed to list namespaced policy violations")
+		glog.Errorf("unable to list namespaced policy violations : %v", err)
 		return nil, err
 	}
 
@@ -86,8 +82,7 @@ func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.P
 
 func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 	var err error
-	logger := nspv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
-	logger.V(4).Info("creating new policy violation")
+	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Namespace, newPv.Spec.ResourceSpec.Name)
 	obj, err := retryGetResource(nspv.dclient, newPv.Spec.ResourceSpec)
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
@@ -99,23 +94,22 @@ func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 	// create resource
 	_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Create(newPv)
 	if err != nil {
-		logger.Error(err, "failed to create namespaced policy violation")
+		glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err)
 		return err
 	}
 
 	if newPv.Annotations["fromSync"] != "true" {
 		nspv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
 	}
-	logger.Info("namespaced policy violation created")
+	glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec)
 	return nil
 }
 
 func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error {
-	logger := nspv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
 	var err error
 	// check if there is any update
 	if reflect.DeepEqual(newPv.Spec, oldPv.Spec) {
-		logger.V(4).Info("policy violation spec did not change, not upadating the resource")
+		glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec)
 		return nil
 	}
 	// set name
@@ -130,6 +124,6 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
 	if newPv.Annotations["fromSync"] != "true" {
 		nspv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
 	}
-	logger.Info("namespaced policy violation created")
+	glog.Infof("namespaced policy violation updated for resource %v", newPv.Spec.ResourceSpec)
 	return nil
 }
diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go
index 6ca1ed583a..39eaeb7257 100644
--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@@ -3,6 +3,7 @@ package testrunner
 import (
 	"bytes"
 	"encoding/json"
+	"flag"
 	"io/ioutil"
 	"os"
 	ospath "path"
@@ -18,6 +19,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes/scheme"
 
+	"github.com/golang/glog"
 	"gopkg.in/yaml.v2"
 	apiyaml "k8s.io/apimachinery/pkg/util/yaml"
 )
@@ -306,7 +308,7 @@ func loadPolicyResource(t *testing.T, file string) *unstructured.Unstructured {
 func getClient(t *testing.T, files []string) *client.Client {
 	var objects []runtime.Object
 	if files != nil {
-
+		glog.V(4).Infof("loading resources: %v", files)
 		for _, file := range files {
 			objects = loadObjects(t, file)
 		}
@@ -402,7 +404,7 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 		policy := kyverno.ClusterPolicy{}
 		pBytes, err := apiyaml.ToJSON(p)
 		if err != nil {
-			t.Error(err)
+			glog.Error(err)
 			continue
 		}
 
@@ -425,8 +427,7 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 }
 
 func testScenario(t *testing.T, path string) {
-
-	// flag.Set("logtostderr", "true")
+	flag.Set("logtostderr", "true")
 	// flag.Set("v", "8")
 
 	scenario, err := loadScenario(t, path)
diff --git a/pkg/testrunner/utils.go b/pkg/testrunner/utils.go
index 6fdfb91c78..d888cdcdc6 100644
--- a/pkg/testrunner/utils.go
+++ b/pkg/testrunner/utils.go
@@ -4,8 +4,8 @@ import (
 	"io/ioutil"
 	"os"
 
+	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -42,7 +42,7 @@ func ConvertToUnstructured(data []byte) (*unstructured.Unstructured, error) {
 	resource := &unstructured.Unstructured{}
 	err := resource.UnmarshalJSON(data)
 	if err != nil {
-		log.Log.Error(err, "failed to unmarshal resource")
+		glog.V(4).Infof("failed to unmarshall resource: %v", err)
 		return nil, err
 	}
 	return resource, nil
diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go
index 4acc08272d..c91c9b922c 100644
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
@@ -142,6 +142,5 @@ func IsTLSPairShouldBeUpdated(tlsPair *TlsPemPair) bool {
 		return true
 	}
 
-	// TODO : should use time.Until instead of t.Sub(time.Now()) (gosimple)
 	return expirationDate.Sub(time.Now()) < timeReserveBeforeCertificateExpiration
 }
diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go
index d813f07f4e..ac089bc041 100644
--- a/pkg/userinfo/roleRef.go
+++ b/pkg/userinfo/roleRef.go
@@ -4,12 +4,12 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/golang/glog"
 	v1beta1 "k8s.io/api/admission/v1beta1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	rbaclister "k8s.io/client-go/listers/rbac/v1"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -101,7 +101,7 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
 	subjectServiceAccount := subject.Namespace + ":" + subject.Name
 	if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {
-		log.Log.V(3).Info(fmt.Sprintf("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]))
+		glog.V(3).Infof("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):])
 		return false
 	}
 
@@ -117,6 +117,6 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 		}
 	}
 
-	log.Log.V(3).Info(fmt.Sprintf("user/group '%v' info not found in request userInfo: %v", subject.Name, keys))
+	glog.V(3).Infof("user/group '%v' info not found in request userInfo: %v", subject.Name, keys)
 	return false
 }
diff --git a/pkg/userinfo/roleRef_test.go b/pkg/userinfo/roleRef_test.go
index 003bbe2cd6..3929c38577 100644
--- a/pkg/userinfo/roleRef_test.go
+++ b/pkg/userinfo/roleRef_test.go
@@ -1,6 +1,7 @@
 package userinfo
 
 import (
+	"flag"
 	"reflect"
 	"testing"
 
@@ -152,10 +153,9 @@ func newRoleBinding(name, ns string, subjects []rbacv1.Subject, roles rbacv1.Rol
 }
 
 func Test_getRoleRefByRoleBindings(t *testing.T) {
-
-	// flag.Parse()
-	// flag.Set("logtostderr", "true")
-	// flag.Set("v", "3")
+	flag.Parse()
+	flag.Set("logtostderr", "true")
+	flag.Set("v", "3")
 
 	list := make([]*rbacv1.RoleBinding, 2)
 
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
index 5fe0602e71..c6c41f4be0 100644
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@@ -3,7 +3,8 @@ package utils
 import (
 	"reflect"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
+
 	"github.com/minio/minio/pkg/wildcard"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
@@ -58,15 +59,14 @@ func Btoi(b bool) int {
 }
 
 //CRDInstalled to check if the CRD is installed or not
-func CRDInstalled(discovery client.IDiscovery, log logr.Logger) bool {
-	logger := log.WithName("CRDInstalled")
+func CRDInstalled(discovery client.IDiscovery) bool {
 	check := func(kind string) bool {
 		gvr := discovery.GetGVRFromKind(kind)
 		if reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) {
-			logger.Info("CRD not installed", "kind", kind)
+			glog.Errorf("%s CRD not installed", kind)
 			return false
 		}
-		logger.Info("CRD found", "kind", kind)
+		glog.Infof("CRD %s found ", kind)
 		return true
 	}
 	if !check("ClusterPolicy") || !check("ClusterPolicyViolation") || !check("PolicyViolation") {
@@ -77,12 +77,11 @@ func CRDInstalled(discovery client.IDiscovery, log logr.Logger) bool {
 
 //CleanupOldCrd deletes any existing NamespacedPolicyViolation resources in cluster
 // If resource violates policy, new Violations will be generated
-func CleanupOldCrd(client *dclient.Client, log logr.Logger) {
-	logger := log.WithName("CleanupOldCrd")
+func CleanupOldCrd(client *dclient.Client) {
 	gvr := client.DiscoveryClient.GetGVRFromKind("NamespacedPolicyViolation")
 	if !reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) {
 		if err := client.DeleteResource("CustomResourceDefinition", "", "namespacedpolicyviolations.kyverno.io", false); err != nil {
-			logger.Error(err, "Failed to remove prevous CRD", "kind", "namespacedpolicyviolation")
+			glog.Infof("Failed to remove previous CRD namespacedpolicyviolations: %v", err)
 		}
 	}
 }
diff --git a/pkg/version/version.go b/pkg/version/version.go
index 8d9303d204..ef768a35bf 100644
--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -1,7 +1,7 @@
 package version
 
 import (
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 )
 
 // These fields are set during an official build
@@ -13,8 +13,8 @@ var (
 )
 
 //PrintVersionInfo displays the kyverno version - git version
-func PrintVersionInfo(log logr.Logger) {
-	log.Info("Kyverno", "Version", BuildVersion)
-	log.Info("Kyverno", "BuildHash", BuildHash)
-	log.Info("Kyverno", "BuildTime", BuildTime)
+func PrintVersionInfo() {
+	glog.Infof("Kyverno version: %s\n", BuildVersion)
+	glog.Infof("Kyverno BuildHash: %s\n", BuildHash)
+	glog.Infof("Kyverno BuildTime: %s\n", BuildTime)
 }
diff --git a/pkg/webhookconfig/checker.go b/pkg/webhookconfig/checker.go
index db1e765629..ee85f36c35 100644
--- a/pkg/webhookconfig/checker.go
+++ b/pkg/webhookconfig/checker.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"sync"
 
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	errorsapi "k8s.io/apimachinery/pkg/api/errors"
@@ -18,8 +19,8 @@ func (wrc *WebhookRegistrationClient) constructVerifyMutatingWebhookConfig(caDat
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.MutatingWebhook{
-			generateMutatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateWebhook(
 				config.VerifyMutatingWebhookName,
 				config.VerifyMutatingWebhookServicePath,
 				caData,
@@ -35,15 +36,14 @@ func (wrc *WebhookRegistrationClient) constructVerifyMutatingWebhookConfig(caDat
 }
 
 func (wrc *WebhookRegistrationClient) constructDebugVerifyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
-	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.VerifyMutatingWebhookServicePath)
-	logger.V(4).Info("Debug VerifyMutatingWebhookConfig is registered with url", "url", url)
+	glog.V(4).Infof("Debug VerifyMutatingWebhookConfig is registered with url %s\n", url)
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.VerifyMutatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.MutatingWebhook{
-			generateDebugMutatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateDebugWebhook(
 				config.VerifyMutatingWebhookName,
 				url,
 				caData,
@@ -68,14 +68,13 @@ func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(w
 	} else {
 		mutatingConfig = config.VerifyMutatingWebhookConfigurationName
 	}
-	logger := wrc.log.WithValues("name", mutatingConfig)
-	logger.V(4).Info("removing webhook configuration")
+	glog.V(4).Infof("removing webhook configuration %s", mutatingConfig)
 	err = wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		logger.Error(err, "verify webhook configuration, does not exits. not deleting")
+		glog.V(4).Infof("verify webhook configuration %s, does not exits. not deleting", mutatingConfig)
 	} else if err != nil {
-		logger.Error(err, "failed to delete verify wwebhook configuration")
+		glog.Errorf("failed to delete verify webhook configuration %s: %v", mutatingConfig, err)
 	} else {
-		logger.V(4).Info("successfully deleted verify webhook configuration")
+		glog.V(4).Infof("successfully deleted verify webhook configuration %s", mutatingConfig)
 	}
 }
diff --git a/pkg/webhookconfig/common.go b/pkg/webhookconfig/common.go
index 2b1c17f6e0..d73fcafb13 100644
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
@@ -3,6 +3,7 @@ package webhookconfig
 import (
 	"io/ioutil"
 
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -10,21 +11,20 @@ import (
 )
 
 func (wrc *WebhookRegistrationClient) readCaData() []byte {
-	logger := wrc.log
 	var caData []byte
 	// Check if ca is defined in the secret tls-ca
 	// assume the key and signed cert have been defined in secret tls.kyverno
 	if caData = wrc.client.ReadRootCASecret(); len(caData) != 0 {
-		logger.V(4).Info("read CA from secret")
+		glog.V(4).Infof("read CA from secret")
 		return caData
 	}
-	logger.V(4).Info("failed to read CA from secret, reading from kubeconfig")
+	glog.V(4).Infof("failed to read CA from secret, reading from kubeconfig")
 	// load the CA from kubeconfig
 	if caData = extractCA(wrc.clientConfig); len(caData) != 0 {
-		logger.V(4).Info("read CA from kubeconfig")
+		glog.V(4).Infof("read CA from kubeconfig")
 		return caData
 	}
-	logger.V(4).Info("failed to read CA from kubeconfig")
+	glog.V(4).Infof("failed to read CA from kubeconfig")
 	return nil
 }
 
@@ -46,11 +46,10 @@ func extractCA(config *rest.Config) (result []byte) {
 }
 
 func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
-	logger := wrc.log
 	kubePolicyDeployment, err := wrc.client.GetKubePolicyDeployment()
 
 	if err != nil {
-		logger.Error(err, "failed to construct OwnerReference")
+		glog.Errorf("Error when constructing OwnerReference, err: %v\n", err)
 		return v1.OwnerReference{}
 	}
 
@@ -62,11 +61,10 @@ func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
 	}
 }
 
-// debug mutating webhook
-func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook {
+func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
 	failurePolicy := admregapi.Ignore
-	return admregapi.MutatingWebhook{
+	return admregapi.Webhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
 			URL:      &url,
@@ -95,116 +93,10 @@ func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool
 	}
 }
 
-func generateDebugValidatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook {
+func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
 	failurePolicy := admregapi.Ignore
-	return admregapi.ValidatingWebhook{
-		Name: name,
-		ClientConfig: admregapi.WebhookClientConfig{
-			URL:      &url,
-			CABundle: caData,
-		},
-		SideEffects: &sideEffect,
-		Rules: []admregapi.RuleWithOperations{
-			admregapi.RuleWithOperations{
-				Operations: operationTypes,
-				Rule: admregapi.Rule{
-					APIGroups: []string{
-						apiGroups,
-					},
-					APIVersions: []string{
-						apiVersions,
-					},
-					Resources: []string{
-						resource,
-					},
-				},
-			},
-		},
-		AdmissionReviewVersions: []string{"v1beta1"},
-		TimeoutSeconds:          &timeoutSeconds,
-		FailurePolicy:           &failurePolicy,
-	}
-}
-
-// func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
-// 	sideEffect := admregapi.SideEffectClassNoneOnDryRun
-// 	failurePolicy := admregapi.Ignore
-// 	return admregapi.Webhook{
-// 		Name: name,
-// 		ClientConfig: admregapi.WebhookClientConfig{
-// 			Service: &admregapi.ServiceReference{
-// 				Namespace: config.KubePolicyNamespace,
-// 				Name:      config.WebhookServiceName,
-// 				Path:      &servicePath,
-// 			},
-// 			CABundle: caData,
-// 		},
-// 		SideEffects: &sideEffect,
-// 		Rules: []admregapi.RuleWithOperations{
-// 			admregapi.RuleWithOperations{
-// 				Operations: operationTypes,
-// 				Rule: admregapi.Rule{
-// 					APIGroups: []string{
-// 						apiGroups,
-// 					},
-// 					APIVersions: []string{
-// 						apiVersions,
-// 					},
-// 					Resources: []string{
-// 						resource,
-// 					},
-// 				},
-// 			},
-// 		},
-// 		AdmissionReviewVersions: []string{"v1beta1"},
-// 		TimeoutSeconds:          &timeoutSeconds,
-// 		FailurePolicy:           &failurePolicy,
-// 	}
-// }
-
-// mutating webhook
-func generateMutatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook {
-	sideEffect := admregapi.SideEffectClassNoneOnDryRun
-	failurePolicy := admregapi.Ignore
-	return admregapi.MutatingWebhook{
-		Name: name,
-		ClientConfig: admregapi.WebhookClientConfig{
-			Service: &admregapi.ServiceReference{
-				Namespace: config.KubePolicyNamespace,
-				Name:      config.WebhookServiceName,
-				Path:      &servicePath,
-			},
-			CABundle: caData,
-		},
-		SideEffects: &sideEffect,
-		Rules: []admregapi.RuleWithOperations{
-			admregapi.RuleWithOperations{
-				Operations: operationTypes,
-				Rule: admregapi.Rule{
-					APIGroups: []string{
-						apiGroups,
-					},
-					APIVersions: []string{
-						apiVersions,
-					},
-					Resources: []string{
-						resource,
-					},
-				},
-			},
-		},
-		AdmissionReviewVersions: []string{"v1beta1"},
-		TimeoutSeconds:          &timeoutSeconds,
-		FailurePolicy:           &failurePolicy,
-	}
-}
-
-// validating webhook
-func generateValidatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook {
-	sideEffect := admregapi.SideEffectClassNoneOnDryRun
-	failurePolicy := admregapi.Ignore
-	return admregapi.ValidatingWebhook{
+	return admregapi.Webhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
 			Service: &admregapi.ServiceReference{
diff --git a/pkg/webhookconfig/policy.go b/pkg/webhookconfig/policy.go
index da9fa0fa8a..d1798a54e5 100644
--- a/pkg/webhookconfig/policy.go
+++ b/pkg/webhookconfig/policy.go
@@ -3,6 +3,7 @@ package webhookconfig
 import (
 	"fmt"
 
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -17,8 +18,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig(caDa
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.ValidatingWebhook{
-			generateValidatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateWebhook(
 				config.PolicyValidatingWebhookName,
 				config.PolicyValidatingWebhookServicePath,
 				caData,
@@ -34,16 +35,15 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig(caDa
 }
 
 func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
-	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyValidatingWebhookServicePath)
-	logger.V(4).Info("Debug PolicyValidatingWebhookConfig is registered with url ", "url", url)
+	glog.V(4).Infof("Debug PolicyValidatingWebhookConfig is registered with url %s\n", url)
 
 	return &admregapi.ValidatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.PolicyValidatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.ValidatingWebhook{
-			generateDebugValidatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateDebugWebhook(
 				config.PolicyValidatingWebhookName,
 				url,
 				caData,
@@ -66,8 +66,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyMutatingWebhookConfig(caData
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.MutatingWebhook{
-			generateMutatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateWebhook(
 				config.PolicyMutatingWebhookName,
 				config.PolicyMutatingWebhookServicePath,
 				caData,
@@ -82,16 +82,15 @@ func (wrc *WebhookRegistrationClient) contructPolicyMutatingWebhookConfig(caData
 	}
 }
 func (wrc *WebhookRegistrationClient) contructDebugPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
-	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyMutatingWebhookServicePath)
-	logger.V(4).Info("Debug PolicyMutatingWebhookConfig is registered with url ", "url", url)
+	glog.V(4).Infof("Debug PolicyMutatingWebhookConfig is registered with url %s\n", url)
 
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.PolicyMutatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.MutatingWebhook{
-			generateDebugMutatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateDebugWebhook(
 				config.PolicyMutatingWebhookName,
 				url,
 				caData,
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index 8124ad39d4..8db0cba73c 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -2,11 +2,10 @@ package webhookconfig
 
 import (
 	"errors"
-	"fmt"
 	"sync"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
@@ -28,7 +27,6 @@ type WebhookRegistrationClient struct {
 	// serverIP should be used if running Kyverno out of clutser
 	serverIP       string
 	timeoutSeconds int32
-	log            logr.Logger
 }
 
 // NewWebhookRegistrationClient creates new WebhookRegistrationClient instance
@@ -36,22 +34,19 @@ func NewWebhookRegistrationClient(
 	clientConfig *rest.Config,
 	client *client.Client,
 	serverIP string,
-	webhookTimeout int32,
-	log logr.Logger) *WebhookRegistrationClient {
+	webhookTimeout int32) *WebhookRegistrationClient {
 	return &WebhookRegistrationClient{
 		clientConfig:   clientConfig,
 		client:         client,
 		serverIP:       serverIP,
 		timeoutSeconds: webhookTimeout,
-		log:            log.WithName("WebhookRegistrationClient"),
 	}
 }
 
 // Register creates admission webhooks configs on cluster
 func (wrc *WebhookRegistrationClient) Register() error {
-	logger := wrc.log.WithName("Register")
 	if wrc.serverIP != "" {
-		logger.Info("Registering webhook", "url", fmt.Sprintf("https://%s", wrc.serverIP))
+		glog.Infof("Registering webhook with url https://%s\n", wrc.serverIP)
 	}
 
 	// For the case if cluster already has this configs
@@ -93,7 +88,6 @@ func (wrc *WebhookRegistrationClient) RemoveWebhookConfigurations(cleanUp chan<-
 // used to forward request to kyverno webhooks to apply policeis
 // Mutationg webhook is be used for Mutating purpose
 func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration() error {
-	logger := wrc.log
 	var caData []byte
 	var config *admregapi.MutatingWebhookConfiguration
 
@@ -114,17 +108,16 @@ func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration
 	}
 	_, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
-		logger.V(4).Info("resource mutating webhook configuration already exists. not creating one", "name", config.Name)
+		glog.V(4).Infof("resource mutating webhook configuration %s, already exists. not creating one", config.Name)
 		return nil
 	}
 	if err != nil {
-		logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name)
+		glog.V(4).Infof("failed to create resource mutating webhook configuration %s: %v", config.Name, err)
 		return err
 	}
 	return nil
 }
 
-//CreateResourceValidatingWebhookConfiguration ...
 func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfiguration() error {
 	var caData []byte
 	var config *admregapi.ValidatingWebhookConfiguration
@@ -141,15 +134,14 @@ func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfigurati
 		// clientConfig - service
 		config = wrc.constructValidatingWebhookConfig(caData)
 	}
-	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", config.Name)
 
 	_, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
-		logger.V(4).Info("resource already exists. not create one")
+		glog.V(4).Infof("resource validating webhook configuration %s, already exists. not creating one", config.Name)
 		return nil
 	}
 	if err != nil {
-		logger.Error(err, "failed to create resource")
+		glog.V(4).Infof("failed to create resource validating webhook configuration %s: %v", config.Name, err)
 		return err
 	}
 	return nil
@@ -176,19 +168,20 @@ func (wrc *WebhookRegistrationClient) createPolicyValidatingWebhookConfiguration
 		// clientConfig - service
 		config = wrc.contructPolicyValidatingWebhookConfig(caData)
 	}
-	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", config.Name)
 
 	// create validating webhook configuration resource
 	if _, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false); err != nil {
 		return err
 	}
-	logger.V(4).Info("created resource")
+
+	glog.V(4).Infof("created Validating Webhook Configuration %s ", config.Name)
 	return nil
 }
 
 func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration() error {
 	var caData []byte
 	var config *admregapi.MutatingWebhookConfiguration
+
 	// read CA data from
 	// 1) secret(config)
 	// 2) kubeconfig
@@ -210,7 +203,8 @@ func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration()
 	if _, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false); err != nil {
 		return err
 	}
-	wrc.log.V(4).Info("reated Mutating Webhook Configuration", "name", config.Name)
+
+	glog.V(4).Infof("created Mutating Webhook Configuration %s ", config.Name)
 	return nil
 }
 
@@ -240,7 +234,7 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration()
 		return err
 	}
 
-	wrc.log.V(4).Info("reated Mutating Webhook Configuration", "name", config.Name)
+	glog.V(4).Infof("created Mutating Webhook Configuration %s ", config.Name)
 	return nil
 }
 
@@ -249,9 +243,9 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration()
 // Register will fail if the config exists, so there is no need to fail on error
 func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 	startTime := time.Now()
-	wrc.log.Info("Started cleaning up webhookconfigurations")
+	glog.V(4).Infof("Started cleaning up webhookconfigurations")
 	defer func() {
-		wrc.log.V(4).Info("Finished cleaning up webhookcongfigurations", "processingTime", time.Since(startTime))
+		glog.V(4).Infof("Finished cleaning up webhookcongfigurations (%v)", time.Since(startTime))
 	}()
 
 	var wg sync.WaitGroup
@@ -275,13 +269,13 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 func (wrc *WebhookRegistrationClient) removeResourceMutatingWebhookConfiguration(wg *sync.WaitGroup) {
 	defer wg.Done()
 	if err := wrc.RemoveResourceMutatingWebhookConfiguration(); err != nil {
-		wrc.log.Error(err, "failed to remove resource mutating webhook configuration")
+		glog.Error(err)
 	}
 }
 func (wrc *WebhookRegistrationClient) removeResourceValidatingWebhookConfiguration(wg *sync.WaitGroup) {
 	defer wg.Done()
 	if err := wrc.RemoveResourceValidatingWebhookConfiguration(); err != nil {
-		wrc.log.Error(err, "failed to remove resource validation webhook configuration")
+		glog.Error(err)
 	}
 }
 
@@ -296,15 +290,15 @@ func (wrc *WebhookRegistrationClient) removePolicyMutatingWebhookConfiguration(w
 	} else {
 		mutatingConfig = config.PolicyMutatingWebhookConfigurationName
 	}
-	logger := wrc.log.WithValues("name", mutatingConfig)
-	logger.V(4).Info("removing mutating webhook configuration")
+
+	glog.V(4).Infof("removing webhook configuration %s", mutatingConfig)
 	err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		logger.Error(err, "policy mutating webhook configuration does not exist, not deleting")
+		glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", mutatingConfig)
 	} else if err != nil {
-		logger.Error(err, "failed to delete policy mutating webhook configuration")
+		glog.Errorf("failed to delete policy webhook configuration %s: %v", mutatingConfig, err)
 	} else {
-		logger.V(4).Info("successfully deleted policy mutating webhook configutation")
+		glog.V(4).Infof("successfully deleted policy webhook configuration %s", mutatingConfig)
 	}
 }
 
@@ -319,14 +313,13 @@ func (wrc *WebhookRegistrationClient) removePolicyValidatingWebhookConfiguration
 	} else {
 		validatingConfig = config.PolicyValidatingWebhookConfigurationName
 	}
-	logger := wrc.log.WithValues("name", validatingConfig)
-	logger.V(4).Info("removing validating webhook configuration")
+	glog.V(4).Infof("removing webhook configuration %s", validatingConfig)
 	err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", validatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		logger.Error(err, "policy validating webhook configuration does not exist, not deleting")
+		glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", validatingConfig)
 	} else if err != nil {
-		logger.Error(err, "failed to delete policy validating webhook configuration")
+		glog.Errorf("failed to delete policy webhook configuration %s: %v", validatingConfig, err)
 	} else {
-		logger.V(4).Info("successfully deleted policy validating webhook configutation")
+		glog.V(4).Infof("successfully deleted policy webhook configuration %s", validatingConfig)
 	}
 }
diff --git a/pkg/webhookconfig/resource.go b/pkg/webhookconfig/resource.go
index 050517da0a..090c33636a 100644
--- a/pkg/webhookconfig/resource.go
+++ b/pkg/webhookconfig/resource.go
@@ -3,6 +3,7 @@ package webhookconfig
 import (
 	"fmt"
 
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	admregapi "k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -10,15 +11,15 @@ import (
 )
 
 func (wrc *WebhookRegistrationClient) constructDebugMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
-	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.MutatingWebhookServicePath)
-	logger.V(4).Info("Debug MutatingWebhookConfig registed", "url", url)
+	glog.V(4).Infof("Debug MutatingWebhookConfig is registered with url %s\n", url)
+
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.MutatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.MutatingWebhook{
-			generateDebugMutatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateDebugWebhook(
 				config.MutatingWebhookName,
 				url,
 				caData,
@@ -41,8 +42,8 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(caData []by
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.MutatingWebhook{
-			generateMutatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateWebhook(
 				config.MutatingWebhookName,
 				config.MutatingWebhookServicePath,
 				caData,
@@ -67,31 +68,32 @@ func (wrc *WebhookRegistrationClient) GetResourceMutatingWebhookConfigName() str
 
 //RemoveResourceMutatingWebhookConfiguration removes mutating webhook configuration for all resources
 func (wrc *WebhookRegistrationClient) RemoveResourceMutatingWebhookConfiguration() error {
+
 	configName := wrc.GetResourceMutatingWebhookConfigName()
-	logger := wrc.log.WithValues("kind", MutatingWebhookConfigurationKind, "name", configName)
 	// delete webhook configuration
 	err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", configName, false)
 	if errors.IsNotFound(err) {
-		logger.Error(err, "resource does not exit")
+		glog.V(4).Infof("resource webhook configuration %s does not exits, so not deleting", configName)
 		return nil
 	}
 	if err != nil {
-		logger.V(4).Info("failed to delete resource")
+		glog.V(4).Infof("failed to delete resource webhook configuration %s: %v", configName, err)
 		return err
 	}
-	logger.V(4).Info("deleted resource")
+	glog.V(4).Infof("deleted resource webhook configuration %s", configName)
 	return nil
 }
 
 func (wrc *WebhookRegistrationClient) constructDebugValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration {
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.ValidatingWebhookServicePath)
+	glog.V(4).Infof("Debug ValidatingWebhookConfig is registered with url %s\n", url)
 
 	return &admregapi.ValidatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.ValidatingWebhookConfigurationDebugName,
 		},
-		Webhooks: []admregapi.ValidatingWebhook{
-			generateDebugValidatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateDebugWebhook(
 				config.ValidatingWebhookName,
 				url,
 				caData,
@@ -114,8 +116,8 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(caData []
 				wrc.constructOwner(),
 			},
 		},
-		Webhooks: []admregapi.ValidatingWebhook{
-			generateValidatingWebhook(
+		Webhooks: []admregapi.Webhook{
+			generateWebhook(
 				config.ValidatingWebhookName,
 				config.ValidatingWebhookServicePath,
 				caData,
@@ -139,16 +141,15 @@ func (wrc *WebhookRegistrationClient) GetResourceValidatingWebhookConfigName() s
 
 func (wrc *WebhookRegistrationClient) RemoveResourceValidatingWebhookConfiguration() error {
 	configName := wrc.GetResourceValidatingWebhookConfigName()
-	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", configName)
 	err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", configName, false)
 	if errors.IsNotFound(err) {
-		logger.Error(err, "resource does not exist; deleted already")
+		glog.V(4).Infof("resource webhook configuration %s does not exits, so not deleting", configName)
 		return nil
 	}
 	if err != nil {
-		logger.Error(err, "failed to delete the resource")
+		glog.V(4).Infof("failed to delete resource webhook configuration %s: %v", configName, err)
 		return err
 	}
-	logger.Info("resource deleted")
+	glog.V(4).Infof("deleted resource webhook configuration %s", configName)
 	return nil
 }
diff --git a/pkg/webhookconfig/rwebhookregister.go b/pkg/webhookconfig/rwebhookregister.go
index a312e07277..aacdc72b9f 100644
--- a/pkg/webhookconfig/rwebhookregister.go
+++ b/pkg/webhookconfig/rwebhookregister.go
@@ -3,7 +3,7 @@ package webhookconfig
 import (
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	checker "github.com/nirmata/kyverno/pkg/checker"
 	"github.com/tevino/abool"
 	mconfiginformer "k8s.io/client-go/informers/admissionregistration/v1beta1"
@@ -23,7 +23,6 @@ type ResourceWebhookRegister struct {
 	vWebhookConfigLister           mconfiglister.ValidatingWebhookConfigurationLister
 	webhookRegistrationClient      *WebhookRegistrationClient
 	RunValidationInMutatingWebhook string
-	log                            logr.Logger
 }
 
 // NewResourceWebhookRegister returns a new instance of ResourceWebhookRegister manager
@@ -33,7 +32,6 @@ func NewResourceWebhookRegister(
 	vconfigwebhookinformer mconfiginformer.ValidatingWebhookConfigurationInformer,
 	webhookRegistrationClient *WebhookRegistrationClient,
 	runValidationInMutatingWebhook string,
-	log logr.Logger,
 ) *ResourceWebhookRegister {
 	return &ResourceWebhookRegister{
 		pendingCreation:                abool.New(),
@@ -44,54 +42,52 @@ func NewResourceWebhookRegister(
 		vWebhookConfigLister:           vconfigwebhookinformer.Lister(),
 		webhookRegistrationClient:      webhookRegistrationClient,
 		RunValidationInMutatingWebhook: runValidationInMutatingWebhook,
-		log:                            log,
 	}
 }
 
 //RegisterResourceWebhook registers a resource webhook
 func (rww *ResourceWebhookRegister) RegisterResourceWebhook() {
-	logger := rww.log
 	// drop the request if creation is in processing
 	if rww.pendingCreation.IsSet() {
-		logger.V(3).Info("resource webhook configuration is in pending creation, skip the request")
+		glog.V(3).Info("resource webhook configuration is in pending creation, skip the request")
 		return
 	}
 
 	timeDiff := time.Since(rww.LastReqTime.Time())
 	if timeDiff < checker.DefaultDeadline {
-		logger.V(3).Info("verified webhook status, creating webhook configuration")
+		glog.V(3).Info("Verified webhook status, creating webhook configuration")
 		go func() {
 			mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
 			mutatingConfig, _ := rww.mWebhookConfigLister.Get(mutatingConfigName)
 			if mutatingConfig != nil {
-				logger.V(4).Info("mutating webhoook configuration already exists")
+				glog.V(4).Info("mutating webhoook configuration already exists")
 			} else {
 				rww.pendingCreation.Set()
 				err1 := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration()
 				rww.pendingCreation.UnSet()
 				if err1 != nil {
-					logger.Error(err1, "failed to create resource mutating webhook configuration, re-queue creation request")
+					glog.Errorf("failed to create resource mutating webhook configuration: %v, re-queue creation request", err1)
 					rww.RegisterResourceWebhook()
 					return
 				}
-				logger.V(3).Info("successfully created mutating webhook configuration for resources")
+				glog.V(3).Info("Successfully created mutating webhook configuration for resources")
 			}
 
 			if rww.RunValidationInMutatingWebhook != "true" {
 				validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName()
 				validatingConfig, _ := rww.vWebhookConfigLister.Get(validatingConfigName)
 				if validatingConfig != nil {
-					logger.V(4).Info("validating webhoook configuration already exists")
+					glog.V(4).Info("validating webhoook configuration already exists")
 				} else {
 					rww.pendingCreation.Set()
 					err2 := rww.webhookRegistrationClient.CreateResourceValidatingWebhookConfiguration()
 					rww.pendingCreation.UnSet()
 					if err2 != nil {
-						logger.Error(err2, "failed to create resource validating webhook configuration; re-queue creation request")
+						glog.Errorf("failed to create resource validating webhook configuration: %v, re-queue creation request", err2)
 						rww.RegisterResourceWebhook()
 						return
 					}
-					logger.V(3).Info("successfully created validating webhook configuration for resources")
+					glog.V(3).Info("Successfully created validating webhook configuration for resources")
 				}
 			}
 		}()
@@ -100,20 +96,19 @@ func (rww *ResourceWebhookRegister) RegisterResourceWebhook() {
 
 //Run starts the ResourceWebhookRegister manager
 func (rww *ResourceWebhookRegister) Run(stopCh <-chan struct{}) {
-	logger := rww.log
 	// wait for cache to populate first time
 	if !cache.WaitForCacheSync(stopCh, rww.mwebhookconfigSynced, rww.vwebhookconfigSynced) {
-		logger.Info("configuration: failed to sync webhook informer cache")
+		glog.Error("configuration: failed to sync webhook informer cache")
 	}
+
 }
 
 // RemoveResourceWebhookConfiguration removes the resource webhook configurations
 func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
-	logger := rww.log
 	mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
 	mutatingConfig, err := rww.mWebhookConfigLister.Get(mutatingConfigName)
 	if err != nil {
-		logger.Error(err, "failed to list mutating webhook config")
+		glog.V(4).Infof("failed to list mutating webhook config: %v", err)
 		return err
 	}
 	if mutatingConfig != nil {
@@ -121,14 +116,14 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
 		if err != nil {
 			return err
 		}
-		logger.V(3).Info("emoved mutating resource webhook configuration")
+		glog.V(3).Info("removed mutating resource webhook configuration")
 	}
 
 	if rww.RunValidationInMutatingWebhook != "true" {
 		validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName()
 		validatingConfig, err := rww.vWebhookConfigLister.Get(validatingConfigName)
 		if err != nil {
-			logger.Error(err, "failed to list validating webhook config")
+			glog.V(4).Infof("failed to list validating webhook config: %v", err)
 			return err
 		}
 		if validatingConfig != nil {
@@ -136,7 +131,7 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
 			if err != nil {
 				return err
 			}
-			logger.V(3).Info("removed validating resource webhook configuration")
+			glog.V(3).Info("removed validating resource webhook configuration")
 		}
 	}
 	return nil
diff --git a/pkg/webhooks/admission_test.go b/pkg/webhooks/admission_test.go
new file mode 100644
index 0000000000..d753352a72
--- /dev/null
+++ b/pkg/webhooks/admission_test.go
@@ -0,0 +1 @@
+package webhooks_test
diff --git a/pkg/webhooks/annotations.go b/pkg/webhooks/annotations.go
index eddded1cde..34d3e10468 100644
--- a/pkg/webhooks/annotations.go
+++ b/pkg/webhooks/annotations.go
@@ -7,7 +7,7 @@ import (
 	yamlv2 "gopkg.in/yaml.v2"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -38,7 +38,7 @@ var operationToPastTense = map[string]string{
 	"test":    "tested",
 }
 
-func generateAnnotationPatches(engineResponses []response.EngineResponse, log logr.Logger) []byte {
+func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte {
 	var annotations map[string]string
 
 	for _, er := range engineResponses {
@@ -53,7 +53,7 @@ func generateAnnotationPatches(engineResponses []response.EngineResponse, log lo
 	}
 
 	var patchResponse annresponse
-	value := annotationFromEngineResponses(engineResponses, log)
+	value := annotationFromEngineResponses(engineResponses)
 	if value == nil {
 		// no patches or error while processing patches
 		return nil
@@ -90,21 +90,21 @@ func generateAnnotationPatches(engineResponses []response.EngineResponse, log lo
 	// check the patch
 	_, err := jsonpatch.DecodePatch([]byte("[" + string(patchByte) + "]"))
 	if err != nil {
-		log.Error(err, "failed o build JSON patch for annotation", "patch", string(patchByte))
+		glog.Errorf("Failed to make patch from annotation'%s', err: %v\n ", string(patchByte), err)
 	}
 
 	return patchByte
 }
 
-func annotationFromEngineResponses(engineResponses []response.EngineResponse, log logr.Logger) []byte {
+func annotationFromEngineResponses(engineResponses []response.EngineResponse) []byte {
 	var annotationContent = make(map[string]string)
 	for _, engineResponse := range engineResponses {
 		if !engineResponse.IsSuccesful() {
-			log.V(3).Info("skip building annotation; policy failed to apply", "policy", engineResponse.PolicyResponse.Policy)
+			glog.V(3).Infof("Policy %s failed, skip preparing annotation\n", engineResponse.PolicyResponse.Policy)
 			continue
 		}
 
-		rulePatches := annotationFromPolicyResponse(engineResponse.PolicyResponse, log)
+		rulePatches := annotationFromPolicyResponse(engineResponse.PolicyResponse)
 		if rulePatches == nil {
 			continue
 		}
@@ -126,13 +126,13 @@ func annotationFromEngineResponses(engineResponses []response.EngineResponse, lo
 	return result
 }
 
-func annotationFromPolicyResponse(policyResponse response.PolicyResponse, log logr.Logger) []rulePatch {
+func annotationFromPolicyResponse(policyResponse response.PolicyResponse) []rulePatch {
 	var rulePatches []rulePatch
 	for _, ruleInfo := range policyResponse.Rules {
 		for _, patch := range ruleInfo.Patches {
 			var patchmap map[string]interface{}
 			if err := json.Unmarshal(patch, &patchmap); err != nil {
-				log.Error(err, "Failed to parse JSON patch bytes")
+				glog.Errorf("Failed to parse patch bytes, err: %v\n", err)
 				continue
 			}
 
@@ -142,12 +142,14 @@ func annotationFromPolicyResponse(policyResponse response.PolicyResponse, log lo
 				Path:     patchmap["path"].(string)}
 
 			rulePatches = append(rulePatches, rp)
-			log.V(4).Info("annotation value prepared", "patches", rulePatches)
+			glog.V(4).Infof("Annotation value prepared: %v\n", rulePatches)
 		}
 	}
+
 	if len(rulePatches) == 0 {
 		return nil
 	}
+
 	return rulePatches
 }
 
diff --git a/pkg/webhooks/annotations_test.go b/pkg/webhooks/annotations_test.go
index d14657b6cb..320e347ea3 100644
--- a/pkg/webhooks/annotations_test.go
+++ b/pkg/webhooks/annotations_test.go
@@ -6,7 +6,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"gotest.tools/assert"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func newPolicyResponse(policy, rule string, patchesStr []string, success bool) response.PolicyResponse {
@@ -43,7 +42,7 @@ func Test_empty_annotation(t *testing.T) {
 	patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }`
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, nil)
 
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
 	expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}`
 	assert.Assert(t, string(annPatches) == expectedPatches)
 }
@@ -55,7 +54,7 @@ func Test_exist_annotation(t *testing.T) {
 
 	patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }`
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
 
 	expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}`
 	assert.Assert(t, string(annPatches) == expectedPatches)
@@ -68,7 +67,7 @@ func Test_exist_kyverno_annotation(t *testing.T) {
 
 	patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }`
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
 
 	expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}`
 	assert.Assert(t, string(annPatches) == expectedPatches)
@@ -80,11 +79,11 @@ func Test_annotation_nil_patch(t *testing.T) {
 	}
 
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, true, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
 	assert.Assert(t, annPatches == nil)
 
 	engineResponseNew := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{""}, true, annotation)
-	annPatchesNew := generateAnnotationPatches([]response.EngineResponse{engineResponseNew}, log.Log)
+	annPatchesNew := generateAnnotationPatches([]response.EngineResponse{engineResponseNew})
 	assert.Assert(t, annPatchesNew == nil)
 }
 
@@ -94,7 +93,7 @@ func Test_annotation_failed_Patch(t *testing.T) {
 	}
 
 	engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, false, annotation)
-	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log)
+	annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse})
 
 	assert.Assert(t, annPatches == nil)
 }
diff --git a/pkg/webhooks/checker.go b/pkg/webhooks/checker.go
index 4a52fa7649..e6ccfc41c9 100644
--- a/pkg/webhooks/checker.go
+++ b/pkg/webhooks/checker.go
@@ -1,12 +1,13 @@
 package webhooks
 
 import (
+	"github.com/golang/glog"
 	"k8s.io/api/admission/v1beta1"
 )
 
 func (ws *WebhookServer) handleVerifyRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	logger := ws.log.WithValues("action", "verify", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
-	logger.V(4).Info("incoming request")
+	glog.V(4).Infof("Receive request in mutating webhook '/verify': Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
+		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index 476606b468..2ca90049f8 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -4,8 +4,9 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/go-logr/logr"
 	yamlv2 "gopkg.in/yaml.v2"
+
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	engineutils "github.com/nirmata/kyverno/pkg/engine/utils"
@@ -26,14 +27,14 @@ func isResponseSuccesful(engineReponses []response.EngineResponse) bool {
 
 // returns true -> if there is even one policy that blocks resource request
 // returns false -> if all the policies are meant to report only, we dont block resource request
-func toBlockResource(engineReponses []response.EngineResponse, log logr.Logger) bool {
+func toBlockResource(engineReponses []response.EngineResponse) bool {
 	for _, er := range engineReponses {
 		if !er.IsSuccesful() && er.PolicyResponse.ValidationFailureAction == Enforce {
-			log.Info("spec.ValidationFailureAction set to enforcel blocking resource request", "policy", er.PolicyResponse.Policy)
+			glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource request ", er.PolicyResponse.Policy)
 			return true
 		}
 	}
-	log.V(4).Info("sepc.ValidationFailureAction set to auit for all applicable policies;allowing resource reques; reporting with policy violation ")
+	glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource request, reporting with policy violation")
 	return false
 }
 
@@ -102,14 +103,14 @@ const (
 	Audit   = "audit"   // dont block the request on failure, but report failiures as policy violations
 )
 
-func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) []byte {
+func processResourceWithPatches(patch []byte, resource []byte) []byte {
 	if patch == nil {
 		return resource
 	}
 
 	resource, err := engineutils.ApplyPatchNew(resource, patch)
 	if err != nil {
-		log.Error(err, "failed to patch resource:")
+		glog.Errorf("failed to patch resource: %v", err)
 		return nil
 	}
 	return resource
diff --git a/pkg/webhooks/generate/generate.go b/pkg/webhooks/generate/generate.go
index 3631845541..f120c9fb5d 100644
--- a/pkg/webhooks/generate/generate.go
+++ b/pkg/webhooks/generate/generate.go
@@ -5,7 +5,7 @@ import (
 	"time"
 
 	backoff "github.com/cenkalti/backoff"
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -23,41 +23,37 @@ type Generator struct {
 	ch     chan kyverno.GenerateRequestSpec
 	client *kyvernoclient.Clientset
 	stopCh <-chan struct{}
-	log    logr.Logger
 }
 
 //NewGenerator returns a new instance of Generate-Request resource generator
-func NewGenerator(client *kyvernoclient.Clientset, stopCh <-chan struct{}, log logr.Logger) *Generator {
+func NewGenerator(client *kyvernoclient.Clientset, stopCh <-chan struct{}) *Generator {
 	gen := &Generator{
 		ch:     make(chan kyverno.GenerateRequestSpec, 1000),
 		client: client,
 		stopCh: stopCh,
-		log:    log,
 	}
 	return gen
 }
 
 //Create to create generate request resoruce (blocking call if channel is full)
 func (g *Generator) Create(gr kyverno.GenerateRequestSpec) error {
-	logger := g.log
-	logger.V(4).Info("creating Generate Request", "request", gr)
+	glog.V(4).Infof("create GR %v", gr)
 	// Send to channel
 	select {
 	case g.ch <- gr:
 		return nil
 	case <-g.stopCh:
-		logger.Info("shutting down channel")
+		glog.Info("shutting down channel")
 		return fmt.Errorf("shutting down gr create channel")
 	}
 }
 
 // Run starts the generate request spec
 func (g *Generator) Run(workers int) {
-	logger := g.log
 	defer utilruntime.HandleCrash()
-	logger.V(4).Info("starting")
+	glog.V(4).Info("Started generate request")
 	defer func() {
-		logger.V(4).Info("shutting down")
+		glog.V(4).Info("Shutting down generate request")
 	}()
 	for i := 0; i < workers; i++ {
 		go wait.Until(g.process, time.Second, g.stopCh)
@@ -66,18 +62,17 @@ func (g *Generator) Run(workers int) {
 }
 
 func (g *Generator) process() {
-	logger := g.log
 	for r := range g.ch {
-		logger.V(4).Info("recieved generate request", "request", r)
+		glog.V(4).Infof("received generate request %v", r)
 		if err := g.generate(r); err != nil {
-			logger.Error(err, "failed to generate request CR")
+			glog.Errorf("Failed to create Generate Request CR: %v", err)
 		}
 	}
 }
 
 func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec) error {
 	// create a generate request
-	if err := retryCreateResource(g.client, grSpec, g.log); err != nil {
+	if err := retryCreateResource(g.client, grSpec); err != nil {
 		return err
 	}
 	return nil
@@ -86,10 +81,7 @@ func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec) error {
 // -> receiving channel to take requests to create request
 // use worker pattern to read and create the CR resource
 
-func retryCreateResource(client *kyvernoclient.Clientset,
-	grSpec kyverno.GenerateRequestSpec,
-	log logr.Logger,
-) error {
+func retryCreateResource(client *kyvernoclient.Clientset, grSpec kyverno.GenerateRequestSpec) error {
 	var i int
 	var err error
 	createResource := func() error {
@@ -103,7 +95,7 @@ func retryCreateResource(client *kyvernoclient.Clientset,
 		// gr.Status.State = kyverno.Pending
 		// generate requests created in kyverno namespace
 		_, err = client.KyvernoV1().GenerateRequests("kyverno").Create(&gr)
-		log.V(4).Info("retrying create generate request CR", "retryCount", i, "name", gr.GetGenerateName(), "namespace", gr.GetNamespace())
+		glog.V(4).Infof("retry %v create generate request", i)
 		i++
 		return err
 	}
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 7f0fc4a692..956c568cac 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -5,6 +5,7 @@ import (
 	"sort"
 	"time"
 
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -17,19 +18,19 @@ import (
 
 //HandleGenerate handles admission-requests for policies with generate rules
 func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
-	logger := ws.log.WithValues("action", "generation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
-	logger.V(4).Info("incoming request")
 	var engineResponses []response.EngineResponse
 
 	// convert RAW to unstructured
 	resource, err := utils.ConvertToUnstructured(request.Object.Raw)
 	if err != nil {
 		//TODO: skip applying the admission control ?
-		logger.Error(err, "failed to convert RAR resource to unstructured format")
+		glog.Errorf("unable to convert raw resource to unstructured: %v", err)
 		return true, ""
 	}
 
 	// CREATE resources, do not have name, assigned in admission-request
+	glog.V(4).Infof("Handle Generate: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
+		resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)
 
 	userRequestInfo := kyverno.RequestInfo{
 		Roles:             roles,
@@ -40,16 +41,16 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
-		logger.Error(err, "failed to load incoming resource in context")
+		glog.Infof("Failed to load resource in context:%v", err)
 	}
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
-		logger.Error(err, "failed to load userInfo in context")
+		glog.Infof("Failed to load userInfo in context:%v", err)
 	}
 	// load service account in context
 	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		logger.Error(err, "failed to load service account in context")
+		glog.Infof("Failed to load service account in context:%v", err)
 	}
 
 	policyContext := engine.PolicyContext{
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 68ca58fae1..1991427ebf 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/nirmata/kyverno/pkg/openapi"
 
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -21,8 +22,8 @@ import (
 // HandleMutation handles mutating webhook admission request
 // return value: generated patches
 func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte {
-	logger := ws.log.WithValues("action", "mutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
-	logger.V(4).Info("incoming request")
+	glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
+		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
 
 	var patches [][]byte
 	var engineResponses []response.EngineResponse
@@ -38,16 +39,16 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
-		logger.Error(err, "failed to load incoming resource in context")
+		glog.Infof("Failed to load resource in context:%v", err)
 	}
 
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
-		logger.Error(err, "failed to load userInfo in context")
+		glog.Infof("Failed to load userInfo in context:%v", err)
 	}
 	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		logger.Error(err, "failed to load service account in context")
+		glog.Infof("Failed to load service account in context:%v", err)
 	}
 
 	policyContext := engine.PolicyContext{
@@ -57,36 +58,39 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	}
 
 	for _, policy := range policies {
-		logger.V(2).Info("evaluating policy", "policy", policy.Name)
-
+		glog.V(2).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
+			resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)
 		policyContext.Policy = policy
 		engineResponse := engine.Mutate(policyContext)
 		engineResponses = append(engineResponses, engineResponse)
 		ws.statusListener.Send(mutateStats{resp: engineResponse})
 		if !engineResponse.IsSuccesful() {
-			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
+			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
 			continue
 		}
 		err := openapi.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind())
 		if err != nil {
-			logger.Error(err, "failed to validate resource")
+			glog.V(4).Infoln(err)
 			continue
 		}
 		// gather patches
 		patches = append(patches, engineResponse.GetPatches()...)
-		logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name)
+		glog.V(4).Infof("Mutation from policy %s has applied successfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())
 
 		policyContext.NewResource = engineResponse.PatchedResource
 	}
 
 	// generate annotations
-	if annPatches := generateAnnotationPatches(engineResponses, logger); annPatches != nil {
+	if annPatches := generateAnnotationPatches(engineResponses); annPatches != nil {
 		patches = append(patches, annPatches)
 	}
 
+	// report time
+	reportTime := time.Now()
+
 	// AUDIT
 	// generate violation when response fails
-	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
+	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
 	ws.pvGenerator.Add(pvInfos...)
 	// REPORTING EVENTS
 	// Scenario 1:
@@ -96,21 +100,25 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	//   all policies were applied succesfully.
 	//   create an event on the resource
 	// ADD EVENTS
-	events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update), logger)
+	events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update))
 	ws.eventGen.Add(events...)
 
 	// debug info
 	func() {
 		if len(patches) != 0 {
-			logger.V(4).Info("JSON patches generated")
+			glog.V(4).Infof("Patches generated for %s/%s/%s, operation=%v:\n %v",
+				resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.Operation, string(engineutils.JoinPatches(patches)))
 		}
 
 		// if any of the policies fails, print out the error
 		if !isResponseSuccesful(engineResponses) {
-			logger.Info("failed to apply mutation rules on the resource, reporting policy violation", "errors", getErrorMsg(engineResponses))
+			glog.Errorf("Failed to mutate the resource, report as violation: %s\n", getErrorMsg(engineResponses))
 		}
 	}()
 
+	// report time end
+	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), resource.GetKind(), resource.GetNamespace(), resource.GetName())
+
 	// patches holds all the successful patches, if no patch is created, it returns nil
 	return engineutils.JoinPatches(patches)
 }
diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index dea2f87fff..8081528edd 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -8,7 +8,7 @@ import (
 	"strings"
 
 	jsonpatch "github.com/evanphx/json-patch"
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/utils"
@@ -17,13 +17,12 @@ import (
 )
 
 func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	logger := ws.log.WithValues("action", "policymutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	var policy *kyverno.ClusterPolicy
 	raw := request.Object.Raw
 
 	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
 	if err := json.Unmarshal(raw, &policy); err != nil {
-		logger.Error(err, "faield to unmarshall policy admission request")
+		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
 			Result: &metav1.Status{
@@ -32,9 +31,10 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest)
 		}
 	}
 	// Generate JSON Patches for defaults
-	patches, updateMsgs := generateJSONPatchesForDefaults(policy, logger)
+	patches, updateMsgs := generateJSONPatchesForDefaults(policy)
 	if patches != nil {
 		patchType := v1beta1.PatchTypeJSONPatch
+		glog.V(4).Infof("defaulted values %v policy %s", updateMsgs, policy.Name)
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
 			Result: &metav1.Status{
@@ -44,34 +44,35 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest)
 			PatchType: &patchType,
 		}
 	}
+	glog.V(4).Infof("nothing to default for policy %s", policy.Name)
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}
 }
 
-func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, []string) {
+func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []string) {
 	var patches [][]byte
 	var updateMsgs []string
 
 	// default 'ValidationFailureAction'
-	if patch, updateMsg := defaultvalidationFailureAction(policy, log); patch != nil {
+	if patch, updateMsg := defaultvalidationFailureAction(policy); patch != nil {
 		patches = append(patches, patch)
 		updateMsgs = append(updateMsgs, updateMsg)
 	}
 
 	// default 'Background'
-	if patch, updateMsg := defaultBackgroundFlag(policy, log); patch != nil {
+	if patch, updateMsg := defaultBackgroundFlag(policy); patch != nil {
 		patches = append(patches, patch)
 		updateMsgs = append(updateMsgs, updateMsg)
 	}
 
-	patch, errs := generatePodControllerRule(*policy, log)
+	patch, errs := generatePodControllerRule(*policy)
 	if len(errs) > 0 {
 		var errMsgs []string
 		for _, err := range errs {
 			errMsgs = append(errMsgs, err.Error())
-			log.Error(err, "failed to generate pod controller rule")
 		}
+		glog.Errorf("failed auto generating rule for pod controllers: %s", errMsgs)
 		updateMsgs = append(updateMsgs, strings.Join(errMsgs, ";"))
 	}
 
@@ -80,11 +81,11 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, log logr.Logg
 	return utils.JoinPatches(patches), updateMsgs
 }
 
-func defaultBackgroundFlag(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) {
+func defaultBackgroundFlag(policy *kyverno.ClusterPolicy) ([]byte, string) {
 	// default 'Background' flag to 'true' if not specified
 	defaultVal := true
 	if policy.Spec.Background == nil {
-		log.V(4).Info("setting default value", "spec.background", true)
+		glog.V(4).Infof("default policy %s 'Background' to '%s'", policy.Name, strconv.FormatBool(true))
 		jsonPatch := struct {
 			Path  string `json:"path"`
 			Op    string `json:"op"`
@@ -96,19 +97,19 @@ func defaultBackgroundFlag(policy *kyverno.ClusterPolicy, log logr.Logger) ([]by
 		}
 		patchByte, err := json.Marshal(jsonPatch)
 		if err != nil {
-			log.Error(err, "failed to set default value", "spec.background", true)
+			glog.Errorf("failed to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name)
 			return nil, ""
 		}
-		log.Info("generated JSON Patch to set default", "spec.background", true)
+		glog.V(4).Infof("generate JSON Patch to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name)
 		return patchByte, fmt.Sprintf("default 'Background' to '%s'", strconv.FormatBool(true))
 	}
 	return nil, ""
 }
 
-func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) {
+func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, string) {
 	// default ValidationFailureAction to "audit" if not specified
 	if policy.Spec.ValidationFailureAction == "" {
-		log.V(4).Info("setting defautl value", "spec.validationFailureAction", Audit)
+		glog.V(4).Infof("defaulting policy %s 'ValidationFailureAction' to '%s'", policy.Name, Audit)
 		jsonPatch := struct {
 			Path  string `json:"path"`
 			Op    string `json:"op"`
@@ -120,10 +121,10 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logg
 		}
 		patchByte, err := json.Marshal(jsonPatch)
 		if err != nil {
-			log.Error(err, "failed to default value", "spec.validationFailureAction", Audit)
+			glog.Errorf("failed to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
 			return nil, ""
 		}
-		log.Info("generated JSON Patch to set default", "spec.validationFailureAction", Audit)
+		glog.V(4).Infof("generate JSON Patch to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
 		return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", Audit)
 	}
 	return nil, ""
@@ -139,7 +140,7 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logg
 //             make sure all fields are applicable to pod cotrollers
 
 // generatePodControllerRule returns two patches: rulePatches and annotation patch(if necessary)
-func generatePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) {
+func generatePodControllerRule(policy kyverno.ClusterPolicy) (patches [][]byte, errs []error) {
 	ann := policy.GetAnnotations()
 	controllers, ok := ann[engine.PodControllersAnnotation]
 
@@ -158,9 +159,10 @@ func generatePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (p
 	if controllers == "none" {
 		return nil, nil
 	}
-	log.V(3).Info("auto generating rule for pod controllers", "controlers", controllers)
 
-	p, err := generateRulePatches(policy, controllers, log)
+	glog.V(3).Infof("Auto generating rule for pod controller: %s", controllers)
+
+	p, err := generateRulePatches(policy, controllers)
 	patches = append(patches, p...)
 	errs = append(errs, err...)
 	return
@@ -195,7 +197,7 @@ func createRuleMap(rules []kyverno.Rule) map[string]kyvernoRule {
 }
 
 // generateRulePatches generates rule for podControllers based on scenario A and C
-func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) {
+func generateRulePatches(policy kyverno.ClusterPolicy, controllers string) (rulePatches [][]byte, errs []error) {
 	var genRule kyvernoRule
 	insertIdx := len(policy.Spec.Rules)
 
@@ -208,7 +210,7 @@ func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log l
 	for _, rule := range policy.Spec.Rules {
 		patchPostion := insertIdx
 
-		genRule = generateRuleForControllers(rule, controllers, log)
+		genRule = generateRuleForControllers(rule, controllers)
 		if reflect.DeepEqual(genRule, kyvernoRule{}) {
 			continue
 		}
@@ -270,7 +272,7 @@ type kyvernoRule struct {
 	Validation       *kyverno.Validation       `json:"validate,omitempty"`
 }
 
-func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.Logger) kyvernoRule {
+func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRule {
 	if strings.HasPrefix(rule.Name, "autogen-") {
 		return kyvernoRule{}
 	}
@@ -290,7 +292,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 	if controllers == "all" {
 		if match.ResourceDescription.Name != "" || match.ResourceDescription.Selector != nil ||
 			exclude.ResourceDescription.Name != "" || exclude.ResourceDescription.Selector != nil {
-			log.Info("skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", "rule", rule.Name)
+			glog.Warningf("Rule '%s' skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", rule.Name)
 			return kyvernoRule{}
 		}
 		controllers = engine.PodControllers
diff --git a/pkg/webhooks/policymutation_test.go b/pkg/webhooks/policymutation_test.go
index d887cd6ee2..0b5af63c59 100644
--- a/pkg/webhooks/policymutation_test.go
+++ b/pkg/webhooks/policymutation_test.go
@@ -8,7 +8,6 @@ import (
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"gotest.tools/assert"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 func compareJSONAsMap(t *testing.T, expected, actual []byte) {
@@ -29,7 +28,7 @@ func TestGeneratePodControllerRule_NilAnnotation(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy, log.Log)
+	patches, errs := generatePodControllerRule(policy)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -62,7 +61,7 @@ func TestGeneratePodControllerRule_PredefinedAnnotation(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy, log.Log)
+	patches, errs := generatePodControllerRule(policy)
 	assert.Assert(t, len(errs) == 0)
 	assert.Assert(t, len(patches) == 0)
 }
@@ -113,7 +112,7 @@ func TestGeneratePodControllerRule_DisableFeature(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy, log.Log)
+	patches, errs := generatePodControllerRule(policy)
 	assert.Assert(t, len(errs) == 0)
 	assert.Assert(t, len(patches) == 0)
 }
@@ -164,7 +163,7 @@ func TestGeneratePodControllerRule_Mutate(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy, log.Log)
+	patches, errs := generatePodControllerRule(policy)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -262,7 +261,7 @@ func TestGeneratePodControllerRule_ExistOtherAnnotation(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy, log.Log)
+	patches, errs := generatePodControllerRule(policy)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -334,7 +333,7 @@ func TestGeneratePodControllerRule_ValidateAnyPattern(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy, log.Log)
+	patches, errs := generatePodControllerRule(policy)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
@@ -472,7 +471,7 @@ func TestGeneratePodControllerRule_ValidatePattern(t *testing.T) {
 
 	var policy kyverno.ClusterPolicy
 	assert.Assert(t, json.Unmarshal(policyRaw, &policy))
-	patches, errs := generatePodControllerRule(policy, log.Log)
+	patches, errs := generatePodControllerRule(policy)
 	assert.Assert(t, len(errs) == 0)
 
 	p, err := utils.ApplyPatches(policyRaw, patches)
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index 897bba0de0..d58a22eec9 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -4,14 +4,13 @@ import (
 	policyvalidate "github.com/nirmata/kyverno/pkg/policy"
 
 	v1beta1 "k8s.io/api/admission/v1beta1"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 //HandlePolicyValidation performs the validation check on policy resource
 func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
-	if err := policyvalidate.Validate(request.Object.Raw, ws.client, false); err != nil {
+	if err := policyvalidate.Validate(request.Object.Raw); err != nil {
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{
diff --git a/pkg/webhooks/report.go b/pkg/webhooks/report.go
index 83e67c5753..035a60688e 100644
--- a/pkg/webhooks/report.go
+++ b/pkg/webhooks/report.go
@@ -3,7 +3,6 @@ package webhooks
 import (
 	"strings"
 
-	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 
@@ -11,7 +10,7 @@ import (
 )
 
 //generateEvents generates event info for the engine responses
-func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info {
+func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool) []event.Info {
 	var events []event.Info
 	// Scenario 1
 	// - Admission-Response is SUCCESS && CREATE
@@ -27,7 +26,6 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 			successRulesStr := strings.Join(successRules, ";")
 			// event on resource
 			e := event.NewEvent(
-				log,
 				er.PolicyResponse.Resource.Kind,
 				er.PolicyResponse.Resource.APIVersion,
 				er.PolicyResponse.Resource.Namespace,
@@ -61,7 +59,6 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 			filedRulesStr := strings.Join(failedRules, ";")
 			// Event on Policy
 			e := event.NewEvent(
-				log,
 				"ClusterPolicy",
 				kyverno.SchemeGroupVersion.String(),
 				"",
@@ -93,7 +90,6 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 		filedRulesStr := strings.Join(failedRules, ";")
 		// Event on the policy
 		e := event.NewEvent(
-			log,
 			"ClusterPolicy",
 			kyverno.SchemeGroupVersion.String(),
 			"",
@@ -108,7 +104,6 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate
 		// Event on the resource
 		// event on resource
 		e = event.NewEvent(
-			log,
 			er.PolicyResponse.Resource.Kind,
 			er.PolicyResponse.Resource.APIVersion,
 			er.PolicyResponse.Resource.Namespace,
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index fbc8788d0b..b0ca988449 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/go-logr/logr"
+	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
@@ -69,7 +69,6 @@ type WebhookServer struct {
 	// generate request generator
 	grGenerator            *generate.Generator
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
-	log                    logr.Logger
 }
 
 // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
@@ -89,9 +88,7 @@ func NewWebhookServer(
 	pvGenerator policyviolation.GeneratorInterface,
 	grGenerator *generate.Generator,
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
-	cleanUp chan<- struct{},
-	log logr.Logger,
-) (*WebhookServer, error) {
+	cleanUp chan<- struct{}) (*WebhookServer, error) {
 
 	if tlsPair == nil {
 		return nil, errors.New("NewWebhookServer is not initialized properly")
@@ -123,7 +120,6 @@ func NewWebhookServer(
 		pMetaStore:                pMetaStore,
 		grGenerator:               grGenerator,
 		resourceWebhookWatcher:    resourceWebhookWatcher,
-		log:                       log,
 	}
 	mux := http.NewServeMux()
 	mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
@@ -152,9 +148,8 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 	if admissionReview == nil {
 		return
 	}
-	logger := ws.log.WithValues("kind", admissionReview.Request.Kind, "namespace", admissionReview.Request.Namespace, "name", admissionReview.Request.Name)
 	defer func() {
-		logger.V(4).Info("request processed", "processingTime", time.Since(startTime))
+		glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
 	}()
 
 	admissionReview.Response = &v1beta1.AdmissionResponse{
@@ -200,29 +195,31 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 }
 
 func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
-		logger.Error(err, "failed to list policies. Policies are NOT being applied")
+		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
 		return &v1beta1.AdmissionResponse{Allowed: true}
 	}
 
 	var roles, clusterRoles []string
 
 	// getRoleRef only if policy has roles/clusterroles defined
+	startTime := time.Now()
 	if containRBACinfo(policies) {
 		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
-			logger.Error(err, "failed to get RBAC infromation for request")
+			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
+				request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err)
 		}
 	}
+	glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime))
 
 	// convert RAW to unstructured
 	resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
 	if err != nil {
-		logger.Error(err, "failed to convert RAW resource to unstructured format")
+		glog.Errorf(err.Error())
 
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
@@ -248,13 +245,13 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
 
 	// patch the resource with patches before handling validation rules
-	patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
+	patchedResource := processResourceWithPatches(patches, request.Object.Raw)
 
 	if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
 		// VALIDATION
 		ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
 		if !ok {
-			logger.Info("admission request denied")
+			glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
 			return &v1beta1.AdmissionResponse{
 				Allowed: false,
 				Result: &metav1.Status{
@@ -272,7 +269,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	if request.Operation == v1beta1.Create {
 		ok, msg := ws.HandleGenerate(request, policies, patchedResource, roles, clusterRoles)
 		if !ok {
-			logger.Info("admission request denied")
+			glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
 			return &v1beta1.AdmissionResponse{
 				Allowed: false,
 				Result: &metav1.Status{
@@ -295,29 +292,31 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 }
 
 func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
-		logger.Error(err, "failed to list policies. Policies are NOT being applied")
+		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
 		return &v1beta1.AdmissionResponse{Allowed: true}
 	}
 
 	var roles, clusterRoles []string
 
 	// getRoleRef only if policy has roles/clusterroles defined
+	startTime := time.Now()
 	if containRBACinfo(policies) {
 		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
-			logger.Error(err, "failed to get RBAC infromation for request")
+			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
+				request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err)
 		}
 	}
+	glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime))
 
 	// VALIDATION
 	ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles)
 	if !ok {
-		logger.Info("admission request denied")
+		glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{
@@ -337,28 +336,27 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 
 // RunAsync TLS server in separate thread and returns control immediately
 func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
-	logger := ws.log
 	if !cache.WaitForCacheSync(stopCh, ws.pSynced, ws.rbSynced, ws.crbSynced) {
-		logger.Info("failed to sync informer cache")
+		glog.Error("webhook: failed to sync informer cache")
 	}
 
 	go func(ws *WebhookServer) {
-		logger.V(3).Info("started serving requests", "addr", ws.server.Addr)
+		glog.V(3).Infof("serving on %s\n", ws.server.Addr)
 		if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
-			logger.Error(err, "failed to listen to requests")
+			glog.Infof("HTTP server error: %v", err)
 		}
 	}(ws)
-	logger.Info("starting")
+	glog.Info("Started Webhook Server")
 	// verifys if the admission control is enabled and active
 	// resync: 60 seconds
 	// deadline: 60 seconds (send request)
 	// max deadline: deadline*3 (set the deployment annotation as false)
 	go ws.lastReqTime.Run(ws.pLister, ws.eventGen, ws.client, checker.DefaultResync, checker.DefaultDeadline, stopCh)
+
 }
 
 // Stop TLS server and returns control after the server is shut down
 func (ws *WebhookServer) Stop(ctx context.Context) {
-	logger := ws.log
 	// cleanUp
 	// remove the static webhookconfigurations
 	go ws.webhookRegistrationClient.RemoveWebhookConfigurations(ws.cleanUp)
@@ -366,7 +364,7 @@ func (ws *WebhookServer) Stop(ctx context.Context) {
 	err := ws.server.Shutdown(ctx)
 	if err != nil {
 		// Error from closing listeners, or context timeout:
-		logger.Error(err, "shutting down server")
+		glog.Info("Server Shutdown error: ", err)
 		ws.server.Close()
 	}
 }
@@ -374,7 +372,6 @@ func (ws *WebhookServer) Stop(ctx context.Context) {
 // bodyToAdmissionReview creates AdmissionReview object from request body
 // Answers to the http.ResponseWriter if request is not valid
 func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview {
-	logger := ws.log
 	var body []byte
 	if request.Body != nil {
 		if data, err := ioutil.ReadAll(request.Body); err == nil {
@@ -382,21 +379,21 @@ func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer htt
 		}
 	}
 	if len(body) == 0 {
-		logger.Info("empty body")
+		glog.Error("Error: empty body")
 		http.Error(writer, "empty body", http.StatusBadRequest)
 		return nil
 	}
 
 	contentType := request.Header.Get("Content-Type")
 	if contentType != "application/json" {
-		logger.Info("invalid Content-Type", "contextType", contentType)
+		glog.Error("Error: invalid Content-Type: ", contentType)
 		http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
 		return nil
 	}
 
 	admissionReview := &v1beta1.AdmissionReview{}
 	if err := json.Unmarshal(body, &admissionReview); err != nil {
-		logger.Error(err, "failed to decode request body to type 'AdmissionReview")
+		glog.Errorf("Error: Can't decode body as AdmissionReview: %v", err)
 		http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
 		return nil
 	}
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index d0b49347ad..54a7fbdf3e 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -5,6 +5,7 @@ import (
 	"sort"
 	"time"
 
+	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -18,14 +19,16 @@ import (
 // If there are no errors in validating rule we apply generation rules
 // patchedResource is the (resource + patches) after applying mutation rules
 func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
-	logger := ws.log.WithValues("action", "validation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
-	logger.V(4).Info("incoming request")
+	glog.V(4).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
+		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
+
+	evalTime := time.Now()
 
 	// Get new and old resource
 	newR, oldR, err := extractResources(patchedResource, request)
 	if err != nil {
 		// as resource cannot be parsed, we skip processing
-		logger.Error(err, "failed to extract resource")
+		glog.Error(err)
 		return true, ""
 	}
 	userRequestInfo := kyverno.RequestInfo{
@@ -37,17 +40,17 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
-		logger.Error(err, "failed to load incoming resource in context")
+		glog.Infof("Failed to load resource in context:%v", err)
 	}
 
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
-		logger.Error(err, "failed to load userInfo in context")
+		glog.Infof("Failed to load userInfo in context:%v", err)
 	}
 
 	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
 	if err != nil {
-		logger.Error(err, "failed to load service account in context")
+		glog.Infof("Failed to load service account in context:%v", err)
 	}
 
 	policyContext := engine.PolicyContext{
@@ -58,7 +61,8 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	}
 	var engineResponses []response.EngineResponse
 	for _, policy := range policies {
-		logger.V(2).Info("evaluating policy", "policy", policy.Name)
+		glog.V(2).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
+			newR.GetKind(), newR.GetNamespace(), newR.GetName(), request.UID, request.Operation)
 		policyContext.Policy = policy
 		engineResponse := engine.Validate(policyContext)
 		if reflect.DeepEqual(engineResponse, response.EngineResponse{}) {
@@ -71,13 +75,17 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 			resp: engineResponse,
 		})
 		if !engineResponse.IsSuccesful() {
-			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
+			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, newR.GetNamespace(), newR.GetName())
 			continue
 		}
 	}
+	glog.V(4).Infof("eval: %v %s/%s/%s ", time.Since(evalTime), request.Kind, request.Namespace, request.Name)
+	// report time
+	reportTime := time.Now()
+
 	// If Validation fails then reject the request
 	// no violations will be created on "enforce"
-	blocked := toBlockResource(engineResponses, logger)
+	blocked := toBlockResource(engineResponses)
 
 	// REPORTING EVENTS
 	// Scenario 1:
@@ -89,18 +97,19 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	// Scenario 3:
 	//   all policies were applied succesfully.
 	//   create an event on the resource
-	events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update), logger)
+	events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update))
 	ws.eventGen.Add(events...)
 	if blocked {
-		logger.V(4).Info("resource blocked")
+		glog.V(4).Infof("resource %s/%s/%s is blocked\n", newR.GetKind(), newR.GetNamespace(), newR.GetName())
 		return false, getEnforceFailureErrorMsg(engineResponses)
 	}
 
 	// ADD POLICY VIOLATIONS
 	// violations are created with resource on "audit"
-	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
+	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
 	ws.pvGenerator.Add(pvInfos...)
 	// report time end
+	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), request.Kind, request.Namespace, request.Name)
 	return true, ""
 }
 
diff --git a/scripts/update-codegen.sh b/scripts/update-codegen.sh
index a6f56b314d..686c2cdfe1 100755
--- a/scripts/update-codegen.sh
+++ b/scripts/update-codegen.sh
@@ -13,10 +13,8 @@ esac
 NIRMATA_DIR=$(dirname ${BASH_SOURCE})/..
 NIRMATA_ROOT=$(${linkutil} -f ${NIRMATA_DIR})
 
-# instructions to build project https://github.com/nirmata/kyverno/wiki/Building
-
 # get relative path to code generation script
-CODEGEN_PKG="${GOPATH}/src/k8s.io/code-generator"
+CODEGEN_PKG=${NIRMATA_DIR}/vendor/k8s.io/code-generator
 
 # get relative path of nirmata
 NIRMATA_PKG=${NIRMATA_ROOT#"${GOPATH}/src/"}

From 9ce0102db978c4a8ceab5731548431efda23706a Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 28 Mar 2020 16:47:42 +0530
Subject: [PATCH 051/201] 754 missing changes from previous commit

---
 go.sum                           | 9 +++++++++
 pkg/webhooks/policyvalidation.go | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/go.sum b/go.sum
index d6eac3a67e..3b8605ba9c 100644
--- a/go.sum
+++ b/go.sum
@@ -148,6 +148,7 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-logr/logr v0.1.0 h1:M1Tv3VzNlEHg6uyACnRdtrploV2P7wZqH8BoQMtz0cg=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
@@ -862,6 +863,7 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 h1:nVJ3guKA9qdkEQ3TUdXI9QSINo2CUPM/cySEvw2w8I0=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
 golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1097,6 +1099,7 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
@@ -1107,18 +1110,21 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b h1:aBGgKJUM9Hk/3AE8WaZIApnTxG35kbuQba2w+SXqezo=
 k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
 k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4=
+k8s.io/api v0.17.4 h1:HbwOhDapkguO8lTAE8OX3hdF2qp8GtpC9CW/MQATXXo=
 k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA=
 k8s.io/apiextensions-apiserver v0.17.2/go.mod h1:4KdMpjkEjjDI2pPfBA15OscyNldHWdBCfsWMDWAmSTs=
 k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d h1:Jmdtdt1ZnoGfWWIIik61Z7nKYgO3J+swQJtPYsP9wHA=
 k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
 k8s.io/apimachinery v0.0.0-20190612125636-6a5db36e93ad/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
 k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
+k8s.io/apimachinery v0.17.4 h1:UzM+38cPUJnzqSQ+E1PY4YxMHIzQyCg29LOoGfo79Zw=
 k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g=
 k8s.io/apiserver v0.17.2/go.mod h1:lBmw/TtQdtxvrTk0e2cgtOxHizXI+d0mmGQURIHQZlo=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a h1:REMzGxu+NpG9dPRsE9my/fw9iYIecz1S8UFFl6hbe18=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a/go.mod h1:qWnH3/b8sp/l7EvlDh7ulDU3UWA4P4N1NFbEEP791tM=
 k8s.io/cli-runtime v0.17.4/go.mod h1:IVW4zrKKx/8gBgNNkhiUIc7nZbVVNhc1+HcQh+PiNHc=
 k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI=
+k8s.io/client-go v0.17.4 h1:VVdVbpTY70jiNHS1eiFkUt7ZIJX3txd29nDxxXH4en8=
 k8s.io/client-go v0.17.4/go.mod h1:ouF6o5pz3is8qU0/qYL2RnoxOPqgfuidYLowytyLJmc=
 k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible h1:bK03DJulJi9j05gwnXUufcs2j7h4M85YFvJ0dIlQ9k4=
 k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
@@ -1134,12 +1140,14 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a h1:UcxjrRMyNx/i/y8G7kPvLyy7rfbeuf1PYyBf973pgyU=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c h1:/KUFqjjqAcY4Us6luF5RDNZ16KJtb49HfR3ZHB9qYXM=
 k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
 k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20200109141947-94aeca20bf09 h1:sz6xjn8QP74104YNmJpzLbJ+a3ZtHt0tkD0g8vpdWNw=
 k8s.io/utils v0.0.0-20200109141947-94aeca20bf09/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+sigs.k8s.io/controller-runtime v0.5.0 h1:CbqIy5fbUX+4E9bpnBFd204YAzRYlM9SWW77BbrcDQo=
 sigs.k8s.io/controller-runtime v0.5.0/go.mod h1:REiJzC7Y00U+2YkMbT8wxgrsX5USpXKGhb2sCtAXiT8=
 sigs.k8s.io/kustomize v2.0.3+incompatible h1:JUufWFNlI44MdtnjUqVnvh29rR37PQFzPbLXqhyOyX0=
 sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU=
@@ -1148,4 +1156,5 @@ sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index 7d58ac3c1d..897bba0de0 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -11,7 +11,7 @@ import (
 //HandlePolicyValidation performs the validation check on policy resource
 func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
-	if err := policyvalidate.Validate(request.Object.Raw); err != nil {
+	if err := policyvalidate.Validate(request.Object.Raw, ws.client, false); err != nil {
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{

From 793321e410ad7e47f843e455eab684d837dc9e20 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 28 Mar 2020 16:50:56 +0530
Subject: [PATCH 052/201] 754 missing changes for prev commit

---
 go.sum | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/go.sum b/go.sum
index 3b8605ba9c..99c5af7f3b 100644
--- a/go.sum
+++ b/go.sum
@@ -34,9 +34,11 @@ github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAE
 github.com/PuerkitoBio/purell v1.0.0 h1:0GoNN3taZV6QI81IXgCbxMyEaJDXMSIjArYBCYzVVvs=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2 h1:JCHLVE3B+kJde7bIEo5N4J+ZbLhp0J1Fs+ulyRws4gE=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/Shopify/sarama v1.24.1/go.mod h1:fGP8eQ6PugKEI0iUETYYtnP6d1pH/bdDMTel1X5ajsU=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
@@ -124,6 +126,7 @@ github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkg
 github.com/elazarl/goproxy v0.0.0-20181003060214-f58a169a71a5/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633 h1:H2pdYOb3KQ1/YsqVWoWNLQO+fusocsw354rqGTZtAgw=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -165,12 +168,14 @@ github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+
 github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
 github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
 github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
+github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9 h1:tF+augKRWlWx0J0B7ZyyKSiTyV6E1zZe+7b3qQlcEf8=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
 github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
 github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
 github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
+github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o=
 github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
 github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
 github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
@@ -185,6 +190,7 @@ github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nA
 github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
+github.com/go-openapi/spec v0.19.3 h1:0XRyw8kguri6Yw4SxhsQA/atC88yqrk0+G4YhI2wabc=
 github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
 github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
 github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
@@ -195,6 +201,7 @@ github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dp
 github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.5 h1:lTz6Ys4CmqqCQmZPBlbQENR1/GucA2bzYTE12Pw4tFY=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
 github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA=
@@ -440,6 +447,7 @@ github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
@@ -537,6 +545,7 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kurin/blazer v0.5.4-0.20190613185654-cf2f27cc0be3/go.mod h1:4FCXMUWo9DllR2Do4TtBd377ezyAJ51vB5uTBjt0pGU=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/luna-duclos/instrumentedsql v1.1.2/go.mod h1:4LGbEqDnopzNAiyxPPDXhLspyunZxgPTMJBKtC6U0BQ=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
@@ -549,6 +558,7 @@ github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
 github.com/markbates/deplist v1.0.4/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
 github.com/markbates/deplist v1.0.5/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM=
@@ -1122,6 +1132,7 @@ k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0
 k8s.io/apiserver v0.17.2/go.mod h1:lBmw/TtQdtxvrTk0e2cgtOxHizXI+d0mmGQURIHQZlo=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a h1:REMzGxu+NpG9dPRsE9my/fw9iYIecz1S8UFFl6hbe18=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a/go.mod h1:qWnH3/b8sp/l7EvlDh7ulDU3UWA4P4N1NFbEEP791tM=
+k8s.io/cli-runtime v0.17.4 h1:ZIJdxpBEszZqUhydrCoiI5rLXS2J/1AF5xFok2QJ9bc=
 k8s.io/cli-runtime v0.17.4/go.mod h1:IVW4zrKKx/8gBgNNkhiUIc7nZbVVNhc1+HcQh+PiNHc=
 k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI=
 k8s.io/client-go v0.17.4 h1:VVdVbpTY70jiNHS1eiFkUt7ZIJX3txd29nDxxXH4en8=

From f055076041027fea2534eca3e10d8b53c693ef7f Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sun, 29 Mar 2020 07:25:13 +0530
Subject: [PATCH 053/201] Revert "767 tested prototype"

This reverts commit 4ae65497bfaf61145a263007092993ea464464bc.
---
 cmd/kyverno/main.go              |  36 +++---
 pkg/webhooks/generate/handler.go |   1 -
 pkg/webhooks/generation.go       |   4 +-
 pkg/webhooks/mutation.go         |   6 +-
 pkg/webhooks/policyvalidation.go |   2 +-
 pkg/webhooks/server.go           | 184 ++++++++++++++++++++-----------
 pkg/webhooks/validation.go       |   6 +-
 7 files changed, 142 insertions(+), 97 deletions(-)
 delete mode 100644 pkg/webhooks/generate/handler.go

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 3948467639..857039b35a 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -219,26 +219,22 @@ func main() {
 	// -- annotations on resources with update details on mutation JSON patches
 	// -- generate policy violation resource
 	// -- generate events on policy and resource
-	server, err := webhooks.NewWebhookServer(&webhooks.WebhookServer{
-		Client:                    client,
-		KyvernoClient:             pclient,
-		PLister:                   pInformer.Kyverno().V1().ClusterPolicies().Lister(),
-		PSynced:                   pInformer.Kyverno().V1().ClusterPolicies().Informer().HasSynced,
-		RbLister:                  kubeInformer.Rbac().V1().RoleBindings().Lister(),
-		RbSynced:                  kubeInformer.Rbac().V1().RoleBindings().Informer().HasSynced,
-		CrbLister:                 kubeInformer.Rbac().V1().ClusterRoleBindings().Lister(),
-		CrbSynced:                 kubeInformer.Rbac().V1().ClusterRoleBindings().Informer().HasSynced,
-		EventGen:                  egen,
-		WebhookRegistrationClient: webhookRegistrationClient,
-		StatusListener:            statusSync.Listener,
-		ConfigHandler:             configData,
-		CleanUp:                   cleanUp,
-		LastReqTime:               rWebhookWatcher.LastReqTime,
-		PvGenerator:               pvgen,
-		PMetaStore:                policyMetaStore,
-		GrGenerator:               grgen,
-		ResourceWebhookWatcher:    rWebhookWatcher,
-	}, tlsPair)
+	server, err := webhooks.NewWebhookServer(
+		pclient,
+		client,
+		tlsPair,
+		pInformer.Kyverno().V1().ClusterPolicies(),
+		kubeInformer.Rbac().V1().RoleBindings(),
+		kubeInformer.Rbac().V1().ClusterRoleBindings(),
+		egen,
+		webhookRegistrationClient,
+		statusSync.Listener,
+		configData,
+		policyMetaStore,
+		pvgen,
+		grgen,
+		rWebhookWatcher,
+		cleanUp)
 	if err != nil {
 		glog.Fatalf("Unable to create webhook server: %v\n", err)
 	}
diff --git a/pkg/webhooks/generate/handler.go b/pkg/webhooks/generate/handler.go
deleted file mode 100644
index eb8347795a..0000000000
--- a/pkg/webhooks/generate/handler.go
+++ /dev/null
@@ -1 +0,0 @@
-package generate
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 401b1e553e..956c568cac 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -66,13 +66,13 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 		if len(engineResponse.PolicyResponse.Rules) > 0 {
 			// some generate rules do apply to the resource
 			engineResponses = append(engineResponses, engineResponse)
-			ws.StatusListener.Send(generateStats{
+			ws.statusListener.Send(generateStats{
 				resp: engineResponse,
 			})
 		}
 	}
 	// Adds Generate Request to a channel(queue size 1000) to generators
-	if err := createGenerateRequest(ws.GrGenerator, userRequestInfo, engineResponses...); err != nil {
+	if err := createGenerateRequest(ws.grGenerator, userRequestInfo, engineResponses...); err != nil {
 		//TODO: send appropriate error
 		return false, "Kyverno blocked: failed to create Generate Requests"
 	}
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 8469d00fde..1991427ebf 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -63,7 +63,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 		policyContext.Policy = policy
 		engineResponse := engine.Mutate(policyContext)
 		engineResponses = append(engineResponses, engineResponse)
-		ws.StatusListener.Send(mutateStats{resp: engineResponse})
+		ws.statusListener.Send(mutateStats{resp: engineResponse})
 		if !engineResponse.IsSuccesful() {
 			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
 			continue
@@ -91,7 +91,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	// AUDIT
 	// generate violation when response fails
 	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
-	ws.PvGenerator.Add(pvInfos...)
+	ws.pvGenerator.Add(pvInfos...)
 	// REPORTING EVENTS
 	// Scenario 1:
 	//   some/all policies failed to apply on the resource. a policy volation is generated.
@@ -101,7 +101,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	//   create an event on the resource
 	// ADD EVENTS
 	events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update))
-	ws.EventGen.Add(events...)
+	ws.eventGen.Add(events...)
 
 	// debug info
 	func() {
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index b713731d4e..fefa9a11f7 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -39,7 +39,7 @@ func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionReques
 	if admissionResp.Allowed {
 		// if the policy contains mutating & validation rules and it config does not exist we create one
 		// queue the request
-		ws.ResourceWebhookWatcher.RegisterResourceWebhook()
+		ws.resourceWebhookWatcher.RegisterResourceWebhook()
 	}
 	return admissionResp
 }
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 9cf689a677..b0ca988449 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -13,6 +13,7 @@ import (
 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
+	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
@@ -26,6 +27,7 @@ import (
 	"github.com/nirmata/kyverno/pkg/webhooks/generate"
 	v1beta1 "k8s.io/api/admission/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	rbacinformer "k8s.io/client-go/informers/rbac/v1"
 	rbaclister "k8s.io/client-go/listers/rbac/v1"
 	"k8s.io/client-go/tools/cache"
 )
@@ -34,50 +36,64 @@ import (
 // MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.
 type WebhookServer struct {
 	server        http.Server
-	Client        *client.Client
-	KyvernoClient *kyvernoclient.Clientset
+	client        *client.Client
+	kyvernoClient *kyvernoclient.Clientset
 	// list/get cluster policy resource
-	PLister kyvernolister.ClusterPolicyLister
+	pLister kyvernolister.ClusterPolicyLister
 	// returns true if the cluster policy store has synced atleast
-	PSynced cache.InformerSynced
+	pSynced cache.InformerSynced
 	// list/get role binding resource
-	RbLister rbaclister.RoleBindingLister
+	rbLister rbaclister.RoleBindingLister
 	// return true if role bining store has synced atleast once
-	RbSynced cache.InformerSynced
+	rbSynced cache.InformerSynced
 	// list/get cluster role binding resource
-	CrbLister rbaclister.ClusterRoleBindingLister
+	crbLister rbaclister.ClusterRoleBindingLister
 	// return true if cluster role binding store has synced atleast once
-	CrbSynced cache.InformerSynced
+	crbSynced cache.InformerSynced
 	// generate events
-	EventGen event.Interface
+	eventGen event.Interface
 	// webhook registration client
-	WebhookRegistrationClient *webhookconfig.WebhookRegistrationClient
+	webhookRegistrationClient *webhookconfig.WebhookRegistrationClient
 	// API to send policy stats for aggregation
-	StatusListener policystatus.Listener
+	statusListener policystatus.Listener
 	// helpers to validate against current loaded configuration
-	ConfigHandler config.Interface
+	configHandler config.Interface
 	// channel for cleanup notification
-	CleanUp chan<- struct{}
+	cleanUp chan<- struct{}
 	// last request time
-	LastReqTime *checker.LastReqTime
+	lastReqTime *checker.LastReqTime
 	// store to hold policy meta data for faster lookup
-	PMetaStore policystore.LookupInterface
+	pMetaStore policystore.LookupInterface
 	// policy violation generator
-	PvGenerator policyviolation.GeneratorInterface
+	pvGenerator policyviolation.GeneratorInterface
 	// generate request generator
-	GrGenerator            *generate.Generator
-	ResourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
+	grGenerator            *generate.Generator
+	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
 }
 
 // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
 // Policy Controller and Kubernetes Client should be initialized in configuration
 func NewWebhookServer(
-	ws *WebhookServer,
-	tlsPair *tlsutils.TlsPemPair) (*WebhookServer, error) {
+	kyvernoClient *kyvernoclient.Clientset,
+	client *client.Client,
+	tlsPair *tlsutils.TlsPemPair,
+	pInformer kyvernoinformer.ClusterPolicyInformer,
+	rbInformer rbacinformer.RoleBindingInformer,
+	crbInformer rbacinformer.ClusterRoleBindingInformer,
+	eventGen event.Interface,
+	webhookRegistrationClient *webhookconfig.WebhookRegistrationClient,
+	statusSync policystatus.Listener,
+	configHandler config.Interface,
+	pMetaStore policystore.LookupInterface,
+	pvGenerator policyviolation.GeneratorInterface,
+	grGenerator *generate.Generator,
+	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
+	cleanUp chan<- struct{}) (*WebhookServer, error) {
 
 	if tlsPair == nil {
 		return nil, errors.New("NewWebhookServer is not initialized properly")
 	}
+
 	var tlsConfig tls.Config
 	pair, err := tls.X509KeyPair(tlsPair.Certificate, tlsPair.PrivateKey)
 	if err != nil {
@@ -85,12 +101,32 @@ func NewWebhookServer(
 	}
 	tlsConfig.Certificates = []tls.Certificate{pair}
 
+	ws := &WebhookServer{
+		client:                    client,
+		kyvernoClient:             kyvernoClient,
+		pLister:                   pInformer.Lister(),
+		pSynced:                   pInformer.Informer().HasSynced,
+		rbLister:                  rbInformer.Lister(),
+		rbSynced:                  rbInformer.Informer().HasSynced,
+		crbLister:                 crbInformer.Lister(),
+		crbSynced:                 crbInformer.Informer().HasSynced,
+		eventGen:                  eventGen,
+		webhookRegistrationClient: webhookRegistrationClient,
+		statusListener:            statusSync,
+		configHandler:             configHandler,
+		cleanUp:                   cleanUp,
+		lastReqTime:               resourceWebhookWatcher.LastReqTime,
+		pvGenerator:               pvGenerator,
+		pMetaStore:                pMetaStore,
+		grGenerator:               grGenerator,
+		resourceWebhookWatcher:    resourceWebhookWatcher,
+	}
 	mux := http.NewServeMux()
-	mux.HandleFunc(config.MutatingWebhookServicePath, ws.handlerFunc(ws.handleMutateAdmissionRequest, true))
-	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.handlerFunc(ws.handleValidateAdmissionRequest, true))
-	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyMutation, true))
-	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyValidation, true))
-	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.handleVerifyRequest, false))
+	mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
+	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve)
+	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.serve)
+	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve)
+	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.serve)
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,
@@ -102,50 +138,64 @@ func NewWebhookServer(
 	return ws, nil
 }
 
-func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse, filter bool) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		startTime := time.Now()
-		// for every request received on the ep update last request time,
-		// this is used to verify admission control
-		ws.LastReqTime.SetTime(time.Now())
-		admissionReview := ws.bodyToAdmissionReview(r, w)
-		if admissionReview == nil {
-			return
-		}
-		defer func() {
-			glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
-		}()
+// Main server endpoint for all requests
+func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
+	startTime := time.Now()
+	// for every request received on the ep update last request time,
+	// this is used to verify admission control
+	ws.lastReqTime.SetTime(time.Now())
+	admissionReview := ws.bodyToAdmissionReview(r, w)
+	if admissionReview == nil {
+		return
+	}
+	defer func() {
+		glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
+	}()
 
-		admissionReview.Response = &v1beta1.AdmissionResponse{
-			Allowed: true,
-		}
+	admissionReview.Response = &v1beta1.AdmissionResponse{
+		Allowed: true,
+	}
 
-		// Do not process the admission requests for kinds that are in filterKinds for filtering
-		request := admissionReview.Request
-		if filter {
-			if !ws.ConfigHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-				admissionReview.Response = handler(request)
-			}
-		} else {
-			admissionReview.Response = handler(request)
+	// Do not process the admission requests for kinds that are in filterKinds for filtering
+	request := admissionReview.Request
+	switch r.URL.Path {
+	case config.VerifyMutatingWebhookServicePath:
+		// we do not apply filters as this endpoint is used explicitly
+		// to watch kyveno deployment and verify if admission control is enabled
+		admissionReview.Response = ws.handleVerifyRequest(request)
+	case config.MutatingWebhookServicePath:
+		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
+			admissionReview.Response = ws.handleMutateAdmissionRequest(request)
 		}
-		admissionReview.Response.UID = request.UID
+	case config.ValidatingWebhookServicePath:
+		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
+			admissionReview.Response = ws.handleValidateAdmissionRequest(request)
+		}
+	case config.PolicyValidatingWebhookServicePath:
+		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
+			admissionReview.Response = ws.handlePolicyValidation(request)
+		}
+	case config.PolicyMutatingWebhookServicePath:
+		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
+			admissionReview.Response = ws.handlePolicyMutation(request)
+		}
+	}
+	admissionReview.Response.UID = request.UID
 
-		responseJSON, err := json.Marshal(admissionReview)
-		if err != nil {
-			http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
-			return
-		}
+	responseJSON, err := json.Marshal(admissionReview)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
+		return
+	}
 
-		w.Header().Set("Content-Type", "application/json; charset=utf-8")
-		if _, err := w.Write(responseJSON); err != nil {
-			http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
-		}
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	if _, err := w.Write(responseJSON); err != nil {
+		http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
 	}
 }
 
 func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	policies, err := ws.PMetaStore.ListAll()
+	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
 		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
@@ -157,7 +207,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	// getRoleRef only if policy has roles/clusterroles defined
 	startTime := time.Now()
 	if containRBACinfo(policies) {
-		roles, clusterRoles, err = userinfo.GetRoleRef(ws.RbLister, ws.CrbLister, request)
+		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
 			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
@@ -197,7 +247,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	// patch the resource with patches before handling validation rules
 	patchedResource := processResourceWithPatches(patches, request.Object.Raw)
 
-	if ws.ResourceWebhookWatcher != nil && ws.ResourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
+	if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
 		// VALIDATION
 		ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
 		if !ok {
@@ -242,7 +292,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 }
 
 func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	policies, err := ws.PMetaStore.ListAll()
+	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
 		glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
@@ -254,7 +304,7 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 	// getRoleRef only if policy has roles/clusterroles defined
 	startTime := time.Now()
 	if containRBACinfo(policies) {
-		roles, clusterRoles, err = userinfo.GetRoleRef(ws.RbLister, ws.CrbLister, request)
+		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
 			glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v",
@@ -286,7 +336,7 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 
 // RunAsync TLS server in separate thread and returns control immediately
 func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
-	if !cache.WaitForCacheSync(stopCh, ws.PSynced, ws.RbSynced, ws.CrbSynced) {
+	if !cache.WaitForCacheSync(stopCh, ws.pSynced, ws.rbSynced, ws.crbSynced) {
 		glog.Error("webhook: failed to sync informer cache")
 	}
 
@@ -301,7 +351,7 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
 	// resync: 60 seconds
 	// deadline: 60 seconds (send request)
 	// max deadline: deadline*3 (set the deployment annotation as false)
-	go ws.LastReqTime.Run(ws.PLister, ws.EventGen, ws.Client, checker.DefaultResync, checker.DefaultDeadline, stopCh)
+	go ws.lastReqTime.Run(ws.pLister, ws.eventGen, ws.client, checker.DefaultResync, checker.DefaultDeadline, stopCh)
 
 }
 
@@ -309,7 +359,7 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
 func (ws *WebhookServer) Stop(ctx context.Context) {
 	// cleanUp
 	// remove the static webhookconfigurations
-	go ws.WebhookRegistrationClient.RemoveWebhookConfigurations(ws.CleanUp)
+	go ws.webhookRegistrationClient.RemoveWebhookConfigurations(ws.cleanUp)
 	// shutdown http.Server with context timeout
 	err := ws.server.Shutdown(ctx)
 	if err != nil {
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index cbfa142167..54a7fbdf3e 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -71,7 +71,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 			continue
 		}
 		engineResponses = append(engineResponses, engineResponse)
-		ws.StatusListener.Send(validateStats{
+		ws.statusListener.Send(validateStats{
 			resp: engineResponse,
 		})
 		if !engineResponse.IsSuccesful() {
@@ -98,7 +98,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	//   all policies were applied succesfully.
 	//   create an event on the resource
 	events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update))
-	ws.EventGen.Add(events...)
+	ws.eventGen.Add(events...)
 	if blocked {
 		glog.V(4).Infof("resource %s/%s/%s is blocked\n", newR.GetKind(), newR.GetNamespace(), newR.GetName())
 		return false, getEnforceFailureErrorMsg(engineResponses)
@@ -107,7 +107,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	// ADD POLICY VIOLATIONS
 	// violations are created with resource on "audit"
 	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
-	ws.PvGenerator.Add(pvInfos...)
+	ws.pvGenerator.Add(pvInfos...)
 	// report time end
 	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), request.Kind, request.Namespace, request.Name)
 	return true, ""

From ba0e3268e8d8693e287e6ceebd1ce6cb4500cac6 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sun, 29 Mar 2020 07:36:18 +0530
Subject: [PATCH 054/201] 767 unexporting webhook fields

---
 pkg/webhooks/server.go | 96 ++++++++++++++++++------------------------
 1 file changed, 41 insertions(+), 55 deletions(-)

diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index b0ca988449..1886c56030 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -122,11 +122,11 @@ func NewWebhookServer(
 		resourceWebhookWatcher:    resourceWebhookWatcher,
 	}
 	mux := http.NewServeMux()
-	mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.serve)
+	mux.HandleFunc(config.MutatingWebhookServicePath, ws.handlerFunc(ws.handleMutateAdmissionRequest, true))
+	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.handlerFunc(ws.handleValidateAdmissionRequest, true))
+	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyMutation, true))
+	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyValidation, true))
+	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.handleVerifyRequest, false))
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,
@@ -138,59 +138,45 @@ func NewWebhookServer(
 	return ws, nil
 }
 
-// Main server endpoint for all requests
-func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
-	startTime := time.Now()
-	// for every request received on the ep update last request time,
-	// this is used to verify admission control
-	ws.lastReqTime.SetTime(time.Now())
-	admissionReview := ws.bodyToAdmissionReview(r, w)
-	if admissionReview == nil {
-		return
-	}
-	defer func() {
-		glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
-	}()
-
-	admissionReview.Response = &v1beta1.AdmissionResponse{
-		Allowed: true,
-	}
-
-	// Do not process the admission requests for kinds that are in filterKinds for filtering
-	request := admissionReview.Request
-	switch r.URL.Path {
-	case config.VerifyMutatingWebhookServicePath:
-		// we do not apply filters as this endpoint is used explicitly
-		// to watch kyveno deployment and verify if admission control is enabled
-		admissionReview.Response = ws.handleVerifyRequest(request)
-	case config.MutatingWebhookServicePath:
-		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-			admissionReview.Response = ws.handleMutateAdmissionRequest(request)
+func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse, filter bool) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		startTime := time.Now()
+		// for every request received on the ep update last request time,
+		// this is used to verify admission control
+		ws.lastReqTime.SetTime(time.Now())
+		admissionReview := ws.bodyToAdmissionReview(r, w)
+		if admissionReview == nil {
+			return
 		}
-	case config.ValidatingWebhookServicePath:
-		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-			admissionReview.Response = ws.handleValidateAdmissionRequest(request)
-		}
-	case config.PolicyValidatingWebhookServicePath:
-		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-			admissionReview.Response = ws.handlePolicyValidation(request)
-		}
-	case config.PolicyMutatingWebhookServicePath:
-		if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-			admissionReview.Response = ws.handlePolicyMutation(request)
-		}
-	}
-	admissionReview.Response.UID = request.UID
+		defer func() {
+			glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name)
+		}()
 
-	responseJSON, err := json.Marshal(admissionReview)
-	if err != nil {
-		http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
-		return
-	}
+		admissionReview.Response = &v1beta1.AdmissionResponse{
+			Allowed: true,
+		}
 
-	w.Header().Set("Content-Type", "application/json; charset=utf-8")
-	if _, err := w.Write(responseJSON); err != nil {
-		http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
+		// Do not process the admission requests for kinds that are in filterKinds for filtering
+		request := admissionReview.Request
+		if filter {
+			if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
+				admissionReview.Response = handler(request)
+			}
+		} else {
+			admissionReview.Response = handler(request)
+		}
+		admissionReview.Response.UID = request.UID
+
+		responseJSON, err := json.Marshal(admissionReview)
+		if err != nil {
+			http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
+			return
+		}
+
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+		if _, err := w.Write(responseJSON); err != nil {
+			http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
+		}
 	}
 }
 

From 67d2bc224b8b0cdddc87410a6d7be5d8e13295ae Mon Sep 17 00:00:00 2001
From: shuting <shutting06@gmail.com>
Date: Wed, 1 Apr 2020 00:15:14 -0700
Subject: [PATCH 055/201] - update tag v1.1.4; - add update for deployment

allow update operation for kyverno deployment
---
 definitions/install.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 3e7825e878..8549cfa38f 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -619,6 +619,7 @@ rules:
   verbs:
   - get
   - list
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -681,10 +682,10 @@ spec:
       serviceAccountName: kyverno-service-account
       initContainers:
         - name: kyverno-pre
-          image: nirmata/kyvernopre:v1.1.4-rc1
+          image: nirmata/kyvernopre:v1.1.4
       containers:
         - name: kyverno
-          image: nirmata/kyverno:v1.1.4-rc1
+          image: nirmata/kyverno:v1.1.4
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
           # customize webhook timout
@@ -693,4 +694,4 @@ spec:
           - containerPort: 443
           env:
           - name: INIT_CONFIG
-            value: init-config
\ No newline at end of file
+            value: init-config

From bbeefb955b74b5195f0b0ee7209b033efcdbb8f9 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 1 Apr 2020 19:06:13 +0530
Subject: [PATCH 056/201] 778 tested prototype

---
 pkg/openapi/validation.go      |  7 +++++--
 pkg/openapi/validation_test.go |  2 +-
 pkg/policy/validate.go         | 10 ++++++++--
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index f8f9ece2c9..f25edd428d 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -70,7 +70,7 @@ func (o *Controller) ValidatePolicyFields(policyRaw []byte) error {
 		return err
 	}
 
-	return o.validatePolicyMutation(policy)
+	return o.ValidatePolicyMutation(policy)
 }
 
 func (o *Controller) ValidateResource(patchedResource unstructured.Unstructured, kind string) error {
@@ -107,7 +107,10 @@ func (o *Controller) GetDefinitionNameFromKind(kind string) string {
 	return o.kindToDefinitionName[kind]
 }
 
-func (o *Controller) validatePolicyMutation(policy v1.ClusterPolicy) error {
+func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error {
+	o.mutex.RLock()
+	defer o.mutex.RUnlock()
+
 	var kindToRules = make(map[string][]v1.Rule)
 	for _, rule := range policy.Spec.Rules {
 		if rule.HasMutate() {
diff --git a/pkg/openapi/validation_test.go b/pkg/openapi/validation_test.go
index ba4c5327f2..3472810554 100644
--- a/pkg/openapi/validation_test.go
+++ b/pkg/openapi/validation_test.go
@@ -54,7 +54,7 @@ func Test_ValidateMutationPolicy(t *testing.T) {
 		_ = json.Unmarshal(tc.policy, &policy)
 
 		var errMessage string
-		err := o.validatePolicyMutation(policy)
+		err := o.ValidatePolicyMutation(policy)
 		if err != nil {
 			errMessage = err.Error()
 		}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 1816fa60fa..96efd07cce 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -75,8 +75,14 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 		}
 	}
 
-	if err := openAPIController.ValidatePolicyFields(policyRaw); err != nil {
-		return err
+	if !mock {
+		if err := openAPIController.ValidatePolicyFields(policyRaw); err != nil {
+			return err
+		}
+	} else {
+		if err := openAPIController.ValidatePolicyMutation(p); err != nil {
+			return err
+		}
 	}
 
 	return nil

From 5f9093a6aa5b6d2f8fa7b962a91b6764e12a2905 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 1 Apr 2020 10:52:17 -0700
Subject: [PATCH 057/201] update clusterrole kyverno:webhook to approve csr for
 1.18 cluster

---
 definitions/install.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 8549cfa38f..59fb58085b 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -564,6 +564,28 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  - certificatesigningrequests/approval
+  - certificatesigningrequests/status
+  resourceNames:
+    - kubernetes.io/legacy-unknown
+  verbs:
+  - create
+  - delete
+  - get 
+  - update
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - signers
+  resourceNames:
+  - kubernetes.io/legacy-unknown
+  verbs:
+  - approve 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

From 77d9634604b1125db337471fbdf2958d593d793e Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 1 Apr 2020 11:45:30 -0700
Subject: [PATCH 058/201] tag 1.1.5

---
 definitions/install.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 59fb58085b..80f1a9d67d 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -704,10 +704,10 @@ spec:
       serviceAccountName: kyverno-service-account
       initContainers:
         - name: kyverno-pre
-          image: nirmata/kyvernopre:v1.1.4
+          image: nirmata/kyvernopre:v1.1.5
       containers:
         - name: kyverno
-          image: nirmata/kyverno:v1.1.4
+          image: nirmata/kyverno:v1.1.5
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
           # customize webhook timout

From 05d5d91afd5146a082e39633c6d6b7f58060c795 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 1 Apr 2020 12:41:37 -0700
Subject: [PATCH 059/201] fix assign to nil map

---
 pkg/openapi/crdSync.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index bf55e3c033..20bc0bb351 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -127,6 +127,7 @@ func addingDefaultFieldsToSchema(schemaRaw []byte) []byte {
 	_ = json.Unmarshal(schemaRaw, &schema)
 
 	if schema.Properties["apiVersion"] == nil {
+		schema.Properties = make(map[string]interface{})
 		apiVersionDefRaw := `{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}`
 		apiVersionDef := make(map[string]interface{})
 		_ = json.Unmarshal([]byte(apiVersionDefRaw), &apiVersionDef)

From 0c87269a79e700db02e9905eee66940221416c90 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 1 Apr 2020 13:03:21 -0700
Subject: [PATCH 060/201] revert tag to a stable release

---
 definitions/install.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 80f1a9d67d..59fb58085b 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -704,10 +704,10 @@ spec:
       serviceAccountName: kyverno-service-account
       initContainers:
         - name: kyverno-pre
-          image: nirmata/kyvernopre:v1.1.5
+          image: nirmata/kyvernopre:v1.1.4
       containers:
         - name: kyverno
-          image: nirmata/kyverno:v1.1.5
+          image: nirmata/kyverno:v1.1.4
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
           # customize webhook timout

From e3fcc2c4e53ccf69add039a54b6e6a8c94ad6c54 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 2 Apr 2020 09:09:49 +0530
Subject: [PATCH 061/201] 783 fixing panic

---
 pkg/openapi/crdSync.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 20bc0bb351..38832dc242 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -104,6 +104,11 @@ func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 
 	var schema yaml.MapSlice
 	schemaRaw, _ := json.Marshal(crdDefinition.Spec.Versions[0].Schema.OpenAPIV3Schema)
+	if len(schemaRaw) < 1 {
+		log.Log.V(4).Info("could not parse crd schema")
+		return
+	}
+
 	schemaRaw = addingDefaultFieldsToSchema(schemaRaw)
 	_ = yaml.Unmarshal(schemaRaw, &schema)
 
@@ -126,8 +131,11 @@ func addingDefaultFieldsToSchema(schemaRaw []byte) []byte {
 	}
 	_ = json.Unmarshal(schemaRaw, &schema)
 
-	if schema.Properties["apiVersion"] == nil {
+	if len(schemaRaw) < 1 {
 		schema.Properties = make(map[string]interface{})
+	}
+
+	if schema.Properties["apiVersion"] == nil {
 		apiVersionDefRaw := `{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}`
 		apiVersionDef := make(map[string]interface{})
 		_ = json.Unmarshal([]byte(apiVersionDefRaw), &apiVersionDef)

From e079256742bf8cecaae4221d4c2791eca43abd17 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 1 Apr 2020 20:48:32 -0700
Subject: [PATCH 062/201] tag v1.1.5

---
 definitions/install.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 59fb58085b..80f1a9d67d 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -704,10 +704,10 @@ spec:
       serviceAccountName: kyverno-service-account
       initContainers:
         - name: kyverno-pre
-          image: nirmata/kyvernopre:v1.1.4
+          image: nirmata/kyvernopre:v1.1.5
       containers:
         - name: kyverno
-          image: nirmata/kyverno:v1.1.4
+          image: nirmata/kyverno:v1.1.5
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
           # customize webhook timout

From f0300b7c49a09f80c7e004f2536ae49ac651bbfe Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 1 Apr 2020 20:59:58 -0700
Subject: [PATCH 063/201] ignore binaries

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index 6e2acb1653..d40badd6c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ gh-pages/public
 _output
 coverage.txt
 .idea
+cmd/initContainer/kyvernopre
+cmd/kyverno/kyverno

From c0dbd1d6e672a3229acc7fb5abad436868ffbe03 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 2 Apr 2020 12:19:32 +0530
Subject: [PATCH 064/201] 783 tested prototype

---
 pkg/dclient/client.go  |  5 +++++
 pkg/openapi/crdSync.go | 30 ++++++++++++++----------------
 2 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go
index 557059bc15..a05204ef60 100644
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@@ -129,6 +129,11 @@ func (c *Client) PatchResource(kind string, namespace string, name string, patch
 	return c.getResourceInterface(kind, namespace).Patch(name, patchTypes.JSONPatchType, patch, meta.PatchOptions{})
 }
 
+// GetDynamicInterface fetches underlying dynamic interface
+func (c *Client) GetDynamicInterface() dynamic.Interface {
+	return c.client
+}
+
 // ListResource returns the list of resources in unstructured/json format
 // Access items using []Items
 func (c *Client) ListResource(kind string, namespace string, lselector *meta.LabelSelector) (*unstructured.UnstructuredList, error) {
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 38832dc242..494d49d7d5 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -5,6 +5,10 @@ import (
 	"fmt"
 	"time"
 
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	runtimeSchema "k8s.io/apimachinery/pkg/runtime/schema"
+
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	"gopkg.in/yaml.v2"
@@ -49,12 +53,16 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	c.sync()
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.sync, time.Second*10, stopCh)
+		go wait.Until(c.sync, time.Second*25, stopCh)
 	}
 }
 
 func (c *crdSync) sync() {
-	crds, err := c.client.ListResource("CustomResourceDefinition", "", nil)
+	crds, err := c.client.GetDynamicInterface().Resource(runtimeSchema.GroupVersionResource{
+		Group:    "apiextensions.k8s.io",
+		Version:  "v1beta1",
+		Resource: "customresourcedefinitions",
+	}).List(v1.ListOptions{})
 	if err != nil {
 		log.Log.Error(err, "could not fetch crd's from server")
 		return
@@ -85,11 +93,9 @@ func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 			Names struct {
 				Kind string `json:"kind"`
 			} `json:"names"`
-			Versions []struct {
-				Schema struct {
-					OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
-				} `json:"schema"`
-			} `json:"versions"`
+			Validation struct {
+				OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
+			} `json:"validation"`
 		} `json:"spec"`
 	}
 
@@ -97,13 +103,9 @@ func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 	_ = json.Unmarshal(crdRaw, &crdDefinition)
 
 	crdName := crdDefinition.Spec.Names.Kind
-	if len(crdDefinition.Spec.Versions) < 1 {
-		log.Log.V(4).Info("could not parse crd schema, no versions present")
-		return
-	}
 
 	var schema yaml.MapSlice
-	schemaRaw, _ := json.Marshal(crdDefinition.Spec.Versions[0].Schema.OpenAPIV3Schema)
+	schemaRaw, _ := json.Marshal(crdDefinition.Spec.Validation.OpenAPIV3Schema)
 	if len(schemaRaw) < 1 {
 		log.Log.V(4).Info("could not parse crd schema")
 		return
@@ -131,10 +133,6 @@ func addingDefaultFieldsToSchema(schemaRaw []byte) []byte {
 	}
 	_ = json.Unmarshal(schemaRaw, &schema)
 
-	if len(schemaRaw) < 1 {
-		schema.Properties = make(map[string]interface{})
-	}
-
 	if schema.Properties["apiVersion"] == nil {
 		apiVersionDefRaw := `{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}`
 		apiVersionDef := make(map[string]interface{})

From 410e53bd9fe091f84c5af7932142648760fde8ef Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 2 Apr 2020 21:13:39 +0530
Subject: [PATCH 065/201] 787 tested prototype

---
 pkg/kyverno/apply/command.go | 13 +++++++++++++
 pkg/policy/generate/fake.go  |  2 ++
 2 files changed, 15 insertions(+)

diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index ce07f367c1..a99cff4646 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"regexp"
 
 	"github.com/nirmata/kyverno/pkg/utils"
 
@@ -81,6 +82,9 @@ func Command() *cobra.Command {
 				if err != nil {
 					return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name))
 				}
+				if policyHasVariables(*policy) {
+					return sanitizedError.New(fmt.Sprintf("Policy %v is not valid - 'apply' does not support policies with variables", policy.Name))
+				}
 			}
 
 			var dClient discovery.CachedDiscoveryInterface
@@ -387,3 +391,12 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
 
 	return nil
 }
+
+func policyHasVariables(policy v1.ClusterPolicy) bool {
+	policyRaw, _ := json.Marshal(policy)
+	regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`)
+	if len(regex.FindAllStringSubmatch(string(policyRaw), -1)) > 0 {
+		return true
+	}
+	return false
+}
diff --git a/pkg/policy/generate/fake.go b/pkg/policy/generate/fake.go
index 0d561c7a94..22fcd408e9 100644
--- a/pkg/policy/generate/fake.go
+++ b/pkg/policy/generate/fake.go
@@ -3,6 +3,7 @@ package generate
 import (
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/policy/generate/fake"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 //FakeGenerate provides implementation for generate rule processing
@@ -17,5 +18,6 @@ func NewFakeGenerate(rule kyverno.Generation) *FakeGenerate {
 	g := FakeGenerate{}
 	g.rule = rule
 	g.authCheck = fake.NewFakeAuth()
+	g.log = log.Log
 	return &g
 }

From 7ce0c8d68a7d006454f80e88b362a3e05b7192b4 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 2 Apr 2020 21:19:51 +0530
Subject: [PATCH 066/201] 787 circle ci changes

---
 pkg/kyverno/apply/command.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index a99cff4646..75ee885986 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -395,8 +395,5 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
 func policyHasVariables(policy v1.ClusterPolicy) bool {
 	policyRaw, _ := json.Marshal(policy)
 	regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`)
-	if len(regex.FindAllStringSubmatch(string(policyRaw), -1)) > 0 {
-		return true
-	}
-	return false
+	return len(regex.FindAllStringSubmatch(string(policyRaw), -1)) > 0
 }

From c190f4600cd357608b10d7c99ee2d29675f838ad Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Thu, 2 Apr 2020 09:38:52 -0700
Subject: [PATCH 067/201] ignore cli binary

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index d40badd6c6..0117c88617 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ coverage.txt
 .idea
 cmd/initContainer/kyvernopre
 cmd/kyverno/kyverno
+cmd/cli/kubectl-kyverno/kyverno

From 77910a863ee45943d11ef6e386a9a9a0d887f13f Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 2 Apr 2020 22:18:26 +0530
Subject: [PATCH 068/201] 789 tested prototype

---
 definitions/install.yaml       | 2 ++
 definitions/install_debug.yaml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 80f1a9d67d..a4f2e544f8 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -219,6 +219,8 @@ spec:
                         type: string
                       name:
                         type: string
+                      namespace:
+                        type: string
                       clone: 
                         type: object
                         required:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index bf9194246d..e9a1343482 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -219,6 +219,8 @@ spec:
                         type: string
                       name:
                         type: string
+                      namespace:
+                        type: string
                       clone: 
                         type: object
                         required:

From 768d770b52a0b10ed7a691b18d3aa3d539cabf10 Mon Sep 17 00:00:00 2001
From: Norbert Kiesel <nkiesel@metricstream.com>
Date: Thu, 2 Apr 2020 19:05:29 -0700
Subject: [PATCH 069/201] Fixed some typos

---
 documentation/installation.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/documentation/installation.md b/documentation/installation.md
index 0bac6466b5..cb805fb622 100644
--- a/documentation/installation.md
+++ b/documentation/installation.md
@@ -4,7 +4,7 @@
 
 The Kyverno policy engine runs as an admission webhook and requires a CA-signed certificate and key to setup secure TLS communication with the kube-apiserver (the CA can be self-signed). 
 
-There are 2 ways to configure the secure communications link between Kyverno and the kube-apiserver:
+There are 2 ways to configure the secure communications link between Kyverno and the kube-apiserver.
 
 ## Option 1: Use kube-controller-manager to generate a CA-signed certificate
 
@@ -133,7 +133,7 @@ subjects:
 
 ### 4. Install Kyverno
 
-To install a specific version, change the image tag with git tag in `install.yaml`.
+To install a specific version, download `install.yaml` and then change the image tag.
 
 e.g., change image tag from `latest` to the specific tag `v1.0.0`.
 >>>
@@ -141,10 +141,10 @@ e.g., change image tag from `latest` to the specific tag `v1.0.0`.
       containers:
         - name: kyverno
           # image: nirmata/kyverno:latest
-          image: nirmata/kyverno:v0.3.0
+          image: nirmata/kyverno:v1.0.0
           
 ````sh
-kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
+kubectl create -f ./install.yaml
 ````
 
 To check the Kyverno controller status, run the command:
@@ -168,7 +168,7 @@ Here is a script that generates a self-signed CA, a TLS certificate-key pair, an
 
 # Configure a namespace admin to access policy violations
 
-During Kyverno installation, it creates a ClusterRole `kyverno:policyviolations` which has the `list,get,watch` operation on resource `policyviolations`. To grant access to a namespace admin, configure the following YAML file then apply to the cluster.
+During Kyverno installation, it creates a ClusterRole `kyverno:policyviolations` which has the `list,get,watch` operations on resource `policyviolations`. To grant access to a namespace admin, configure the following YAML file then apply to the cluster.
 
 - Replace `metadata.namespace` with namespace of the admin
 - Configure `subjects` field to bind admin's role to the ClusterRole `policyviolation`
@@ -200,16 +200,16 @@ subjects:
 
 To build Kyverno in a development environment see: https://github.com/nirmata/kyverno/wiki/Building
 
-To run controller in this mode you should prepare TLS key/certificate pair for debug webhook, then start controller with kubeconfig and the server address.
+To run controller in this mode you should prepare a TLS key/certificate pair for debug webhook, then start controller with kubeconfig and the server address.
 
-1. Run `scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>`, where <server_IP> is the IP address of the host where controller runs. This scripts will generate TLS certificate for debug webhook server and register this webhook in the cluster. Also it registers CustomResource Policy.
+1. Run `scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>`, where <server_IP> is the IP address of the host where controller runs. This scripts will generate a TLS certificate for debug webhook server and register this webhook in the cluster. it also registers a CustomResource policy.
 
 2. Start the controller using the following command: `sudo kyverno --kubeconfig=~/.kube/config --serverIP=<server_IP>`
 
-# Filter kuberenetes resources that admission webhook should not process
-The admission webhook checks if a policy is applicable on all admission requests. The kubernetes kinds that are not be processed can be filtered by adding the configmap named `init-config` in namespace `kyverno` and specifying the resources to be filtered under `data.resourceFilters`
+# Filter Kubernetes resources that admission webhook should not process
+The admission webhook checks if a policy is applicable on all admission requests. The Kubernetes kinds that are not be processed can be filtered by adding the configmap named `init-config` in namespace `kyverno` and specifying the resources to be filtered under `data.resourceFilters`.
 
-THe confimap is picked from the envenvironment variable `INIT_CONFIG` passed to the kyverno deployment spec. The resourceFilters configuration can be updated dynamically at runtime.
+The configmap is picked from the envenvironment variable `INIT_CONFIG` passed to the kyverno deployment spec. The resourceFilters configuration can be updated dynamically at runtime.
 
 ```
 apiVersion: v1
@@ -222,7 +222,7 @@ data:
   resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
 ```
 
-By default we have specified Nodes, Events, APIService & SubjectAccessReview as the kinds to be skipped in the default configmap
+By default we have specified Nodes, Events, APIService & SubjectAccessReview as the kinds to be skipped in the default configuration
 [install.yaml](https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml).
 
 

From b2ae45c856454962133ccb5429e1bbad8bbb9cfd Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 3 Apr 2020 10:30:52 +0530
Subject: [PATCH 070/201] 777 tested prototype

---
 pkg/kyverno/apply/command.go | 41 +++++++++++++-----------------------
 pkg/kyverno/apply/helper.go  | 37 --------------------------------
 2 files changed, 15 insertions(+), 63 deletions(-)
 delete mode 100644 pkg/kyverno/apply/helper.go

diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index 75ee885986..daea727a61 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -7,6 +7,9 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"time"
+
+	client "github.com/nirmata/kyverno/pkg/dclient"
 
 	"github.com/nirmata/kyverno/pkg/utils"
 
@@ -18,8 +21,6 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
-	"k8s.io/client-go/discovery"
-
 	"k8s.io/apimachinery/pkg/util/yaml"
 
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -87,15 +88,19 @@ func Command() *cobra.Command {
 				}
 			}
 
-			var dClient discovery.CachedDiscoveryInterface
+			var dClient *client.Client
 			if cluster {
-				dClient, err = kubernetesConfig.ToDiscoveryClient()
+				restConfig, err := kubernetesConfig.ToRESTConfig()
 				if err != nil {
-					return sanitizedError.New(fmt.Errorf("Issues with kubernetes Config").Error())
+					return err
+				}
+				dClient, err = client.NewClient(restConfig, 10*time.Second, make(chan struct{}), log.Log)
+				if err != nil {
+					return err
 				}
 			}
 
-			resources, err := getResources(policies, resourcePaths, dClient, openAPIController)
+			resources, err := getResources(policies, resourcePaths, dClient)
 			if err != nil {
 				return sanitizedError.New(fmt.Errorf("Issues fetching resources").Error())
 			}
@@ -123,7 +128,7 @@ func Command() *cobra.Command {
 	return cmd
 }
 
-func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient discovery.CachedDiscoveryInterface, openAPIController *openapi.Controller) ([]*unstructured.Unstructured, error) {
+func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient *client.Client) ([]*unstructured.Unstructured, error) {
 	var resources []*unstructured.Unstructured
 	var err error
 
@@ -142,7 +147,7 @@ func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
 			resourceTypes = append(resourceTypes, kind)
 		}
 
-		resources, err = getResourcesOfTypeFromCluster(resourceTypes, dClient, openAPIController)
+		resources, err = getResourcesOfTypeFromCluster(resourceTypes, dClient)
 		if err != nil {
 			return nil, err
 		}
@@ -160,27 +165,11 @@ func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
 	return resources, nil
 }
 
-func getResourcesOfTypeFromCluster(resourceTypes []string, dClient discovery.CachedDiscoveryInterface, openAPIController *openapi.Controller) ([]*unstructured.Unstructured, error) {
+func getResourcesOfTypeFromCluster(resourceTypes []string, dClient *client.Client) ([]*unstructured.Unstructured, error) {
 	var resources []*unstructured.Unstructured
 
 	for _, kind := range resourceTypes {
-		// TODO use lister interface
-		endpoint, err := getListEndpointForKind(kind, openAPIController)
-		if err != nil {
-			return nil, err
-		}
-
-		listObjectRaw, err := dClient.RESTClient().Get().RequestURI(endpoint).Do().Raw()
-		if err != nil {
-			return nil, err
-		}
-
-		listObject, err := engineutils.ConvertToUnstructured(listObjectRaw)
-		if err != nil {
-			return nil, err
-		}
-
-		resourceList, err := listObject.ToList()
+		resourceList, err := dClient.ListResource(kind, "", nil)
 		if err != nil {
 			return nil, err
 		}
diff --git a/pkg/kyverno/apply/helper.go b/pkg/kyverno/apply/helper.go
deleted file mode 100644
index 4ad4b1b6d3..0000000000
--- a/pkg/kyverno/apply/helper.go
+++ /dev/null
@@ -1,37 +0,0 @@
-package apply
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/nirmata/kyverno/pkg/openapi"
-)
-
-func getListEndpointForKind(kind string, openAPIController *openapi.Controller) (string, error) {
-
-	definitionName := openAPIController.GetDefinitionNameFromKind(kind)
-	definitionNameWithoutPrefix := strings.Replace(definitionName, "io.k8s.", "", -1)
-
-	parts := strings.Split(definitionNameWithoutPrefix, ".")
-	definitionPrefix := strings.Join(parts[:len(parts)-1], ".")
-
-	defPrefixToApiPrefix := map[string]string{
-		"api.core.v1":                  "/api/v1",
-		"api.apps.v1":                  "/apis/apps/v1",
-		"api.batch.v1":                 "/apis/batch/v1",
-		"api.admissionregistration.v1": "/apis/admissionregistration.k8s.io/v1",
-		"kube-aggregator.pkg.apis.apiregistration.v1":       "/apis/apiregistration.k8s.io/v1",
-		"apiextensions-apiserver.pkg.apis.apiextensions.v1": "/apis/apiextensions.k8s.io/v1",
-		"api.autoscaling.v1":                                "/apis/autoscaling/v1/",
-		"api.storage.v1":                                    "/apis/storage.k8s.io/v1",
-		"api.coordination.v1":                               "/apis/coordination.k8s.io/v1",
-		"api.scheduling.v1":                                 "/apis/scheduling.k8s.io/v1",
-		"api.rbac.v1":                                       "/apis/rbac.authorization.k8s.io/v1",
-	}
-
-	if defPrefixToApiPrefix[definitionPrefix] == "" {
-		return "", fmt.Errorf("Unsupported resource type %v", kind)
-	}
-
-	return defPrefixToApiPrefix[definitionPrefix] + "/" + strings.ToLower(kind) + "s", nil
-}

From b698736e9cf4fc413ea4e85ec4881d1d2c5e52b1 Mon Sep 17 00:00:00 2001
From: Norbert Kiesel <nkiesel@metricstream.com>
Date: Thu, 2 Apr 2020 22:14:28 -0700
Subject: [PATCH 071/201] Fixed some more typos and always link `install.yaml`

---
 documentation/installation.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/documentation/installation.md b/documentation/installation.md
index cb805fb622..7ce390366c 100644
--- a/documentation/installation.md
+++ b/documentation/installation.md
@@ -18,7 +18,7 @@ To install Kyverno in a cluster that supports certificate signing, run the follo
 kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
 ````
 
-Note that the above command will install the last released (stable) version of Kyverno. If you want to install the latest version, you can edit the `install.yaml` and update the image tag. 
+Note that the above command will install the last released (stable) version of Kyverno. If you want to install the latest version, you can edit the [install.yaml] and update the image tag. 
 
 To check the Kyverno controller status, run the command:
 
@@ -133,7 +133,7 @@ subjects:
 
 ### 4. Install Kyverno
 
-To install a specific version, download `install.yaml` and then change the image tag.
+To install a specific version, download [install.yaml] and then change the image tag.
 
 e.g., change image tag from `latest` to the specific tag `v1.0.0`.
 >>>
@@ -202,7 +202,7 @@ To build Kyverno in a development environment see: https://github.com/nirmata/ky
 
 To run controller in this mode you should prepare a TLS key/certificate pair for debug webhook, then start controller with kubeconfig and the server address.
 
-1. Run `scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>`, where <server_IP> is the IP address of the host where controller runs. This scripts will generate a TLS certificate for debug webhook server and register this webhook in the cluster. it also registers a CustomResource policy.
+1. Run `scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>`, where <server_IP> is the IP address of the host where controller runs. This scripts will generate a TLS certificate for debug webhook server and register this webhook in the cluster. It also registers a CustomResource policy.
 
 2. Start the controller using the following command: `sudo kyverno --kubeconfig=~/.kube/config --serverIP=<server_IP>`
 
@@ -222,9 +222,10 @@ data:
   resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
 ```
 
-By default we have specified Nodes, Events, APIService & SubjectAccessReview as the kinds to be skipped in the default configuration
-[install.yaml](https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml).
+By default we have specified Nodes, Events, APIService & SubjectAccessReview as the kinds to be skipped in the default configuration [install.yaml].
 
 
 ---
 <small>*Read Next >> [Writing Policies](/documentation/writing-policies.md)*</small>
+
+[install.yaml]: https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml

From a2d6732adfd13f711d1dfb57209847bc9b0e00c9 Mon Sep 17 00:00:00 2001
From: Norbert Kiesel <nkiesel@metricstream.com>
Date: Thu, 2 Apr 2020 22:20:56 -0700
Subject: [PATCH 072/201] fixed some more typos

extra whitespace before `:` in YAML
---
 documentation/writing-policies-validate.md | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md
index 6b628ed0bd..bde1525e7f 100644
--- a/documentation/writing-policies-validate.md
+++ b/documentation/writing-policies-validate.md
@@ -83,11 +83,11 @@ The following rule prevents the creation of Deployment, StatefuleSet and DaemonS
 
 ````yaml
 
-apiVersion : kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : validation-example
-spec :
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validation-example
+spec:
   rules:
     - name: check-label
       match:
@@ -120,11 +120,11 @@ A variation of an anchor, is to check that in a list of elements at least one el
 For example, this pattern will check that at least one container has memory requests and limits defined and that the request is less than the limit:
 
 ````yaml
-apiVersion : kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : validation-example2
-spec :
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validation-example2
+spec:
   rules:
     - name: check-memory_requests_link_in_yaml_relative
       match:

From cbe20995b289257883deaac1361f30a5421a2772 Mon Sep 17 00:00:00 2001
From: Norbert Kiesel <nkiesel@metricstream.com>
Date: Thu, 2 Apr 2020 22:26:02 -0700
Subject: [PATCH 073/201] tyxed some typos

whitespace before `:` in YAML
---
 documentation/writing-policies-mutate.md | 48 ++++++++++++------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md
index 19110511e3..9486d33598 100644
--- a/documentation/writing-policies-mutate.md
+++ b/documentation/writing-policies-mutate.md
@@ -4,7 +4,7 @@
 
 The ```mutate``` rule can be used to add, replace, or delete elements in matching resources. A mutate rule can be written as a JSON Patch or as an overlay. 
 
-By using a ```patch``` in the (JSONPatch - RFC 6902)[http://jsonpatch.com/] format, you can make precise changes to the resource being created. Using an ```overlay``` is convenient for describing the desired state of the resource.
+By using a ```patch``` in the [JSONPatch - RFC 6902](http://jsonpatch.com/) format, you can make precise changes to the resource being created. Using an ```overlay``` is convenient for describing the desired state of the resource.
 
 Resource mutation occurs before validation, so the validation rules should not contradict the changes performed by the mutation section.
 
@@ -23,11 +23,11 @@ With Kyverno, the add and replace have the same behavior i.e. both operations wi
 This patch adds an init container to all deployments.
 
 ````yaml
-apiVersion : kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : policy-v1
-spec :
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: policy-v1
+spec:
   rules:
     - name: "add-init-secrets"
       match:
@@ -47,11 +47,11 @@ spec :
 Here is the example of a patch that removes a label from the secret:
 
 ````yaml
-apiVersion : kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : policy-remove-label
-spec :
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: policy-remove-label
+spec:
   rules:
     - name: "Remove unwanted label"
       match:
@@ -72,14 +72,14 @@ A mutation overlay describes the desired form of resource. The existing resource
 
 The overlay cannot be used to delete values in a resource: use **patches** for this purpose.
 
-The following mutation overlay will add (or replace) the memory request and limit to 10Gi for every Pod with a label ```memory: high```:
+The following mutation overlay will add (or replace) the memory request and limit to 10Gi for every Pod with a label `memory: high`:
 
 ````yaml
-apiVersion : kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : policy-change-memory-limit
-spec :
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: policy-change-memory-limit
+spec:
   rules:
     - name: "Set hard memory limit to 2Gi"
       match:
@@ -117,7 +117,7 @@ spec:
   - name: "Add IP to subsets"
     match:
       resources:
-        kinds :
+        kinds:
           - Endpoints
     mutate:
       overlay:
@@ -148,14 +148,14 @@ The **anchors** values support **wildcards**:
 
 A `conditional anchor` evaluates to `true` if the anchor tag exists and if the value matches the specified value. Processing stops if a tag does not exist or when the value does not match. Once processing stops, any child elements or any remaining siblings in a list, will not be processed.
 
- For example, this overlay will add or replace the value 6443 for the port field, for all ports with a name value that starts with "secure":
+ For example, this overlay will add or replace the value `6443` for the `port` field, for all ports with a name value that starts with "secure":
 
 ````yaml
 apiVersion: kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : policy-set-port
-spec :
+kind: ClusterPolicy
+metadata:
+  name: policy-set-port
+spec:
   rules:
   - name: "Set port"
     match:
@@ -174,7 +174,7 @@ If the anchor tag value is an object or array, the entire object or array must m
 
 ### Add if not present anchor
 
-A variation of an anchor, is to add a field value if it is not already defined. This is done by using the `add anchor` (short for `add if not present anchor`) with the notation ````+(...)```` for the tag.
+A variation of an anchor, is to add a field value if it is not already defined. This is done by using the `add anchor` (short for `add if not present anchor`) with the notation `+(...)` for the tag.
 
 An `add anchor` is processed as part of applying the mutation. Typically, every non-anchor tag-value is applied as part of the mutation. If the `add anchor` is set on a tag, the tag and value are only applied if they do not exist in the resource.
 

From 5252fe76d5923ae4c5ed97671da67cffbda8e5df Mon Sep 17 00:00:00 2001
From: Norbert Kiesel <nkiesel@metricstream.com>
Date: Thu, 2 Apr 2020 22:28:09 -0700
Subject: [PATCH 074/201] fixed some typos

---
 documentation/writing-policies-generate.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md
index e4dcda2b1e..d0fc16be0a 100644
--- a/documentation/writing-policies-generate.md
+++ b/documentation/writing-policies-generate.md
@@ -48,8 +48,8 @@ spec:
 ````
 
 In this example new namespaces will receive 2 new resources after its creation:
-  * A ConfigMap cloned from default/config-template.
-  * A Secret with values DB_USER and DB_PASSWORD, and label ```purpose: mongo```.
+  * A `ConfigMap` cloned from `default/config-template`.
+  * A `Secret` with values `DB_USER` and `DB_PASSWORD`, and label `purpose: mongo`.
 
 
 ## Example 2
@@ -81,7 +81,7 @@ spec:
             policyname: "default"
 ````
 
-In this example new namespaces will receive a NetworkPolicy that default denies all inbound and outbound traffic.
+In this example new namespaces will receive a `NetworkPolicy` that by default denies all inbound and outbound traffic.
 
 ---
 

From 33352d131e96876230722d817682d0aacb43818d Mon Sep 17 00:00:00 2001
From: Norbert Kiesel <nkiesel@metricstream.com>
Date: Thu, 2 Apr 2020 22:31:21 -0700
Subject: [PATCH 075/201] fixed some typos

---
 documentation/writing-policies-variables.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/documentation/writing-policies-variables.md b/documentation/writing-policies-variables.md
index a0371e25b4..3cbcb3833b 100644
--- a/documentation/writing-policies-variables.md
+++ b/documentation/writing-policies-variables.md
@@ -14,9 +14,9 @@ The following data is available for use in context:
 
 Kyverno automatically creates a few useful variables:
 
-- `serviceAccountName` : the last part of a service account i.e. without the suffix `system:serviceaccount:<namespace>:` and stores the userName. For example, when processing a request from `system:serviceaccount:nirmata:user1` Kyverno will store the value `user1` in the variable `serviceAccountName`.
+- `serviceAccountName` : the "userName" which is last part of a service account i.e. without the prefix `system:serviceaccount:<namespace>:`. For example, when processing a request from `system:serviceaccount:nirmata:user1` Kyverno will store the value `user1` in the variable `serviceAccountName`.
 
-- `serviceAccountNamespace` : the `namespace` portion of the serviceAccount. For example, when processing a request from `system:serviceaccount:nirmata:user1` Kyverno will store `nirmata` in the variable `serviceAccountNamespace`.
+- `serviceAccountNamespace` : the "namespace" part of the serviceAccount. For example, when processing a request from `system:serviceaccount:nirmata:user1` Kyverno will store `nirmata` in the variable `serviceAccountNamespace`.
 
 ## Examples
 

From d40e3b886ecabb86736bfa6265461e1d06dd5fa4 Mon Sep 17 00:00:00 2001
From: Norbert Kiesel <nkiesel@metricstream.com>
Date: Thu, 2 Apr 2020 22:34:45 -0700
Subject: [PATCH 076/201] Fixed some typos

---
 documentation/testing-policies.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/documentation/testing-policies.md b/documentation/testing-policies.md
index 9c46e18f53..15a91d9219 100644
--- a/documentation/testing-policies.md
+++ b/documentation/testing-policies.md
@@ -3,20 +3,20 @@
 
 # Testing Policies 
 
-The resources definitions for testing are located in [/test](/test) directory. Each test contains a pair of files: one is the resource definition, and the second is the kyverno policy for this definition.
+The resources definitions for testing are located in the [test](/test) directory. Each test contains a pair of files: one is the resource definition, and the second is the Kyverno policy for this definition.
 
 ## Test using kubectl
 
-To do this you should [install kyverno to the cluster](/documentation/installation.md).
+To do this you should [install Kyverno to the cluster](installation.md).
 
-For example, to test the simplest kyverno policy for ConfigMap, create the policy and then the resource itself via kubectl:
+For example, to test the simplest Kyverno policy for `ConfigMap`, create the policy and then the resource itself via `kubectl`:
 
 ````bash
 cd test/ConfigMap
 kubectl create -f policy-CM.yaml
 kubectl create -f CM.yaml
 ````
-Then compare the original resource definition in CM.yaml with the actual one:
+Then compare the original resource definition in `CM.yaml` with the actual one:
 
 ````bash
 kubectl get -f CM.yaml -o yaml

From c804750f44d55984cf05172cdaf74e6a3822915b Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 3 Apr 2020 18:29:21 +0530
Subject: [PATCH 077/201] 800 crd sync panic

---
 pkg/openapi/crdSync.go         | 16 +++++++++++++---
 pkg/openapi/validation_test.go |  5 +++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 494d49d7d5..01ccab88bb 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -2,6 +2,7 @@ package openapi
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"time"
 
@@ -88,6 +89,7 @@ func (o *Controller) deleteCRDFromPreviousSync() {
 }
 
 func (o *Controller) parseCRD(crd unstructured.Unstructured) {
+	var err error
 	var crdDefinition struct {
 		Spec struct {
 			Names struct {
@@ -111,7 +113,11 @@ func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 		return
 	}
 
-	schemaRaw = addingDefaultFieldsToSchema(schemaRaw)
+	schemaRaw, err = addingDefaultFieldsToSchema(schemaRaw)
+	if err != nil {
+		log.Log.Error(err, "could not parse crd schema:")
+		return
+	}
 	_ = yaml.Unmarshal(schemaRaw, &schema)
 
 	parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil))
@@ -127,12 +133,16 @@ func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 }
 
 // addingDefaultFieldsToSchema will add any default missing fields like apiVersion, metadata
-func addingDefaultFieldsToSchema(schemaRaw []byte) []byte {
+func addingDefaultFieldsToSchema(schemaRaw []byte) ([]byte, error) {
 	var schema struct {
 		Properties map[string]interface{} `json:"properties"`
 	}
 	_ = json.Unmarshal(schemaRaw, &schema)
 
+	if len(schema.Properties) < 1 {
+		return nil, errors.New("crd schema has no properties")
+	}
+
 	if schema.Properties["apiVersion"] == nil {
 		apiVersionDefRaw := `{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}`
 		apiVersionDef := make(map[string]interface{})
@@ -149,5 +159,5 @@ func addingDefaultFieldsToSchema(schemaRaw []byte) []byte {
 
 	schemaWithDefaultFields, _ := json.Marshal(schema)
 
-	return schemaWithDefaultFields
+	return schemaWithDefaultFields, nil
 }
diff --git a/pkg/openapi/validation_test.go b/pkg/openapi/validation_test.go
index 3472810554..2e86215df3 100644
--- a/pkg/openapi/validation_test.go
+++ b/pkg/openapi/validation_test.go
@@ -65,3 +65,8 @@ func Test_ValidateMutationPolicy(t *testing.T) {
 	}
 
 }
+
+func Test_addDefaultFieldsToSchema(t *testing.T) {
+	addingDefaultFieldsToSchema([]byte(`null`))
+	addingDefaultFieldsToSchema(nil)
+}

From bd46e41f111dd823a128695177aafaa7e9579c5b Mon Sep 17 00:00:00 2001
From: Norbert Kiesel <nkiesel@metricstream.com>
Date: Fri, 3 Apr 2020 12:11:01 -0700
Subject: [PATCH 078/201] Clarified the resourceFilters usage

Not 100% sure that I got this correct. Please review and fix.

I also see in the source code that the entries can also be just `[<Kind>]` or `[<Kind>,<Namespace>]` (i.e. omitting trailing parts instead of using `*`) but I'm not sure if that should be used so I did not mention it.
---
 documentation/installation.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/documentation/installation.md b/documentation/installation.md
index 7ce390366c..41fea319b9 100644
--- a/documentation/installation.md
+++ b/documentation/installation.md
@@ -207,9 +207,9 @@ To run controller in this mode you should prepare a TLS key/certificate pair for
 2. Start the controller using the following command: `sudo kyverno --kubeconfig=~/.kube/config --serverIP=<server_IP>`
 
 # Filter Kubernetes resources that admission webhook should not process
-The admission webhook checks if a policy is applicable on all admission requests. The Kubernetes kinds that are not be processed can be filtered by adding the configmap named `init-config` in namespace `kyverno` and specifying the resources to be filtered under `data.resourceFilters`.
+The admission webhook checks if a policy is applicable on all admission requests. The Kubernetes kinds that are not be processed can be filtered by adding a `ConfigMap` in namespace `kyverno` and specifying the resources to be filtered under `data.resourceFilters`. The default name of this `ConfigMap` is `init-config` but can be changed by modifying the value of the environment variable `INIT_CONFIG` in the kyverno deployment dpec. `data.resourceFilters` must be a sequence of one or more `[<Kind>,<Namespace>,<Name>]` entries with `*` as wildcard. Thus, an item `[Node,*,*]` means that admissions of `Node` in any namespace and with any name will be ignored.
 
-The configmap is picked from the envenvironment variable `INIT_CONFIG` passed to the kyverno deployment spec. The resourceFilters configuration can be updated dynamically at runtime.
+By default we have specified Nodes, Events, APIService & SubjectAccessReview as the kinds to be skipped in the default configuration [install.yaml].
 
 ```
 apiVersion: v1
@@ -222,7 +222,8 @@ data:
   resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
 ```
 
-By default we have specified Nodes, Events, APIService & SubjectAccessReview as the kinds to be skipped in the default configuration [install.yaml].
+To modify the `ConfigMap`, either directly edit the `ConfigMap` `init-config` in the default configuration [install.yaml] and redeploy it or modify the `ConfigMap` use `kubectl`.  Changes to the `ConfigMap` through `kubectl` will automatically be picked up at runtime.
+
 
 
 ---

From 0b2aa90444b41baf005897f88d1b5d5957b2b3de Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 4 Apr 2020 12:46:51 +0530
Subject: [PATCH 079/201] 753 new req save commit

---
 pkg/policy/validate.go      | 78 +++++++++++++++++++++++--------------
 pkg/policy/validate_test.go |  2 +-
 2 files changed, 49 insertions(+), 31 deletions(-)

diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index fd6acfdfb8..334787959b 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -9,6 +9,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/minio/minio/pkg/wildcard"
+
 	"github.com/nirmata/kyverno/pkg/openapi"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -54,8 +56,8 @@ func Validate(p kyverno.ClusterPolicy) error {
 			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
 		}
 
-		if err := validateMatchExcludeConflict(rule); err != nil {
-			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
+		if doesMatchAndExcludeConflict(rule) {
+			return fmt.Errorf("path: spec.rules[%d]: rule is matching an empty set", i)
 		}
 
 		// Operation Validation
@@ -95,7 +97,9 @@ func Validate(p kyverno.ClusterPolicy) error {
 	return nil
 }
 
-func validateMatchExcludeConflict(rule kyverno.Rule) error {
+// doesMatchAndExcludeConflict checks if the resultant
+// of match and exclude block is not an empty set
+func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 
 	excludeRoles := make(map[string]bool)
 	for _, role := range rule.ExcludeResources.UserInfo.Roles {
@@ -131,59 +135,73 @@ func validateMatchExcludeConflict(rule kyverno.Rule) error {
 		}
 	}
 
-	for _, role := range rule.MatchResources.UserInfo.Roles {
-		if excludeRoles[role] {
-			return fmt.Errorf("excluding role '%v' while also matching it - please remove from both match and exclude", role)
+	if len(excludeRoles) > 0 {
+		for _, role := range rule.MatchResources.UserInfo.Roles {
+			if !excludeRoles[role] {
+				return false
+			}
 		}
 	}
 
-	for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles {
-		if excludeClusterRoles[clusterRole] {
-			return fmt.Errorf("excluding cluster role '%v' while also matching it - please remove from both match and exclude", clusterRole)
+	if len(excludeClusterRoles) > 0 {
+		for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles {
+			if !excludeClusterRoles[clusterRole] {
+				return false
+			}
 		}
 	}
 
-	for _, subject := range rule.MatchResources.UserInfo.Subjects {
-		subjectRaw, _ := json.Marshal(subject)
-		if excludeSubjects[string(subjectRaw)] {
-			return fmt.Errorf("excluding subject '%v' while also matching it - please remove from both match and exclude", string(subjectRaw))
+	if len(excludeSubjects) > 0 {
+		for _, subject := range rule.MatchResources.UserInfo.Subjects {
+			subjectRaw, _ := json.Marshal(subject)
+			if !excludeSubjects[string(subjectRaw)] {
+				return false
+			}
 		}
 	}
 
-	if rule.MatchResources.ResourceDescription.Name != "" {
-		if rule.MatchResources.ResourceDescription.Name == rule.ExcludeResources.ResourceDescription.Name {
-			return fmt.Errorf("excluding resource name '%v' while also matching it - please remove from both match and exclude", rule.MatchResources.ResourceDescription.Name)
+	if rule.ExcludeResources.ResourceDescription.Name != "" {
+		if !wildcard.Match(rule.ExcludeResources.ResourceDescription.Name, rule.MatchResources.ResourceDescription.Name) {
+			return false
 		}
 	}
 
-	for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces {
-		if excludeNamespaces[namespace] {
-			return fmt.Errorf("excluding resource namespace '%v' while also matching it - please remove from both match and exclude", namespace)
+	if len(excludeNamespaces) > 1 {
+		for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces {
+			if !excludeNamespaces[namespace] {
+				return false
+			}
 		}
 	}
 
-	for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
-		if excludeKinds[kind] {
-			return fmt.Errorf("excluding resource kind '%v' while also matching it - please remove from both match and exclude", kind)
+	if len(excludeKinds) > 1 {
+		for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
+			if !excludeKinds[kind] {
+				return false
+			}
 		}
 	}
 
 	if rule.MatchResources.ResourceDescription.Selector != nil && rule.ExcludeResources.ResourceDescription.Selector != nil {
-		for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions {
-			matchExpressionRaw, _ := json.Marshal(matchExpression)
-			if excludeMatchExpressions[string(matchExpressionRaw)] {
-				return fmt.Errorf("excluding resource match expression '%v' while also matching it - please remove from both match and exclude", string(matchExpressionRaw))
+		if len(excludeMatchExpressions) > 1 {
+			for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions {
+				matchExpressionRaw, _ := json.Marshal(matchExpression)
+				if excludeMatchExpressions[string(matchExpressionRaw)] {
+					return false
+				}
 			}
 		}
 
-		for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels {
-			if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] == value {
-				return fmt.Errorf("excluding resource label '%v' while also matching it - please remove from both match and exclude", label)
+		if len(rule.ExcludeResources.ResourceDescription.Selector.MatchLabels) > 1 {
+			for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels {
+				if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] != value {
+					return false
+				}
 			}
 		}
 	}
 
-	return nil
+	return true
 }
 
 func ruleOnlyDealsWithResourceMetaData(rule kyverno.Rule) bool {
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 9f91ab8025..787908a76c 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -1633,7 +1633,7 @@ func Test_validateMatchExcludeConflict(t *testing.T) {
 	for i, testcase := range testcases {
 		var rule kyverno.Rule
 		_ = json.Unmarshal(testcase.rule, &rule)
-		err := validateMatchExcludeConflict(rule)
+		err := doesMatchAndExcludeConflict(rule)
 
 		var gotError bool
 		if err != nil {

From fde5e5490fba441c2562535a2ffc88c18184960d Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 4 Apr 2020 14:49:50 +0530
Subject: [PATCH 080/201] 753 testcase and fixes

---
 pkg/policy/validate.go      |  15 ++---
 pkg/policy/validate_test.go | 109 +++++++++++++-----------------------
 2 files changed, 43 insertions(+), 81 deletions(-)

diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 334787959b..b5549c60ad 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -40,11 +40,6 @@ func Validate(p kyverno.ClusterPolicy) error {
 	}
 
 	for i, rule := range p.Spec.Rules {
-		// only one type of rule is allowed per rule
-		if err := validateRuleType(rule); err != nil {
-			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
-		}
-
 		// validate resource description
 		if path, err := validateResources(rule); err != nil {
 			return fmt.Errorf("path: spec.rules[%d].%s: %v", i, path, err)
@@ -166,7 +161,7 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 		}
 	}
 
-	if len(excludeNamespaces) > 1 {
+	if len(excludeNamespaces) > 0 {
 		for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces {
 			if !excludeNamespaces[namespace] {
 				return false
@@ -174,7 +169,7 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 		}
 	}
 
-	if len(excludeKinds) > 1 {
+	if len(excludeKinds) > 0 {
 		for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
 			if !excludeKinds[kind] {
 				return false
@@ -183,16 +178,16 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if rule.MatchResources.ResourceDescription.Selector != nil && rule.ExcludeResources.ResourceDescription.Selector != nil {
-		if len(excludeMatchExpressions) > 1 {
+		if len(excludeMatchExpressions) > 0 {
 			for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions {
 				matchExpressionRaw, _ := json.Marshal(matchExpression)
-				if excludeMatchExpressions[string(matchExpressionRaw)] {
+				if !excludeMatchExpressions[string(matchExpressionRaw)] {
 					return false
 				}
 			}
 		}
 
-		if len(rule.ExcludeResources.ResourceDescription.Selector.MatchLabels) > 1 {
+		if len(rule.ExcludeResources.ResourceDescription.Selector.MatchLabels) > 0 {
 			for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels {
 				if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] != value {
 					return false
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 787908a76c..3bff390944 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -1542,107 +1542,74 @@ func Test_ruleOnlyDealsWithResourceMetaData(t *testing.T) {
 	}
 }
 
-func Test_validateMatchExcludeConflict(t *testing.T) {
+func Test_doesMatchExcludeConflict(t *testing.T) {
 	testcases := []struct {
-		description   string
-		rule          []byte
-		expectedError bool
+		description    string
+		rule           []byte
+		expectedOutput bool
 	}{
 		{
-			description:   "Testing cluster roles - fail",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"clusterroles":["something"]}}`),
-			expectedError: true,
+			description:    "Same match and exclude",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`),
+			expectedOutput: true,
 		},
 		{
-			description:   "Testing cluster roles - pass",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"clusterroles":["something2"]}}`),
-			expectedError: false,
+			description:    "Failed to exclude kind",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`),
+			expectedOutput: false,
 		},
 		{
-			description:   "Testing roles - fail",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"roles":["something"]}}`),
-			expectedError: true,
+			description:    "Failed to exclude name",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something-*","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`),
+			expectedOutput: false,
 		},
 		{
-			description:   "Testing roles - pass",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"roles":["something2"]}}`),
-			expectedError: false,
+			description:    "Failed to exclude namespace",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something3","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`),
+			expectedOutput: false,
 		},
 		{
-			description:   "Testing subjects - fail",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"}]}}`),
-			expectedError: true,
+			description:    "Failed to exclude labels",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"higha"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`),
+			expectedOutput: false,
 		},
 		{
-			description:   "Testing subjects - pass",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something1"}]}}`),
-			expectedError: false,
+			description:    "Failed to exclude expression",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["databases"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`),
+			expectedOutput: false,
 		},
 		{
-			description:   "Testing resource kind - fail",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace1"]}}}`),
-			expectedError: true,
+			description:    "Failed to exclude subjects",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something2","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`),
+			expectedOutput: false,
 		},
 		{
-			description:   "Testing resource kind - pass",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod1","Namespace1"]}}}`),
-			expectedError: false,
+			description:    "Failed to exclude clusterroles",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something3","something1"],"roles":["something","something1"]}}`),
+			expectedOutput: false,
 		},
 		{
-			description:   "Testing resource name - fail",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"name":"something"}}}`),
-			expectedError: true,
+			description:    "Failed to exclude roles",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something3","something1"]}}`),
+			expectedOutput: false,
 		},
 		{
-			description:   "Testing resource name - pass",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"name":"something1"}}}`),
-			expectedError: false,
+			description:    "simple",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"]}},"exclude":{"resources":{"kinds":["Pod","Namespace","Job"],"name":"some*","namespaces":["something","something1","something2"]}}}`),
+			expectedOutput: true,
 		},
 		{
-			description:   "Testing resource namespace - fail",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"namespaces":["something2","something1"]}}}`),
-			expectedError: true,
-		},
-		{
-			description:   "Testing resource namespace - pass",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"namespaces":["something2","something3"]}}}`),
-			expectedError: false,
-		},
-		{
-			description:   "Testing resource selector label - fail",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchLabels":{"memory":"high"}}}}}`),
-			expectedError: true,
-		},
-		{
-			description:   "Testing resource selector label - pass",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchLabels":{"memory":"high1"}}}}}`),
-			expectedError: false,
-		},
-		{
-			description:   "Testing resource selector match expression - fail",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier","operator":"In","values":["database"]}]}}}}`),
-			expectedError: true,
-		},
-		{
-			description:   "Testing resource selector match expression - pass",
-			rule:          []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"selector":{"matchExpressions":[{"key":"tier1","operator":"In","values":["database"]},{"key":"tier2","operator":"In","values":["database"]}]}}}}`),
-			expectedError: false,
+			description:    "simple - fail",
+			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"somxething","namespaces":["something","something1"]}},"exclude":{"resources":{"kinds":["Pod","Namespace","Job"],"name":"some*","namespaces":["something","something1","something2"]}}}`),
+			expectedOutput: false,
 		},
 	}
 
 	for i, testcase := range testcases {
 		var rule kyverno.Rule
 		_ = json.Unmarshal(testcase.rule, &rule)
-		err := doesMatchAndExcludeConflict(rule)
 
-		var gotError bool
-		if err != nil {
-			gotError = true
-		} else {
-			gotError = false
-		}
-
-		if gotError != testcase.expectedError {
+		if doesMatchAndExcludeConflict(rule) != testcase.expectedOutput {
 			t.Errorf("Testcase [%d] failed - description - %v", i+1, testcase.description)
 		}
 	}

From d4baf44fd9f042926be488712f072db0c15cb28b Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 4 Apr 2020 16:18:36 +0530
Subject: [PATCH 081/201] 753 practical test fixes

---
 pkg/policy/validate.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index a972fea0b2..04741669ea 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -56,7 +56,7 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 		}
 
 		if doesMatchAndExcludeConflict(rule) {
-			return fmt.Errorf("path: spec.rules[%d]: rule is matching an empty set", i)
+			return fmt.Errorf("path: spec.rules[%v]: rule is matching an empty set", rule.Name)
 		}
 
 		// validate rule actions
@@ -94,6 +94,14 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 // of match and exclude block is not an empty set
 func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 
+	if reflect.DeepEqual(rule.MatchResources, kyverno.MatchResources{}) {
+		return true
+	}
+
+	if reflect.DeepEqual(rule.ExcludeResources, kyverno.ExcludeResources{}) {
+		return false
+	}
+
 	excludeRoles := make(map[string]bool)
 	for _, role := range rule.ExcludeResources.UserInfo.Roles {
 		excludeRoles[role] = true

From 2599b29a0997afcd45bedef69efadd6239950c86 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 4 Apr 2020 17:13:29 +0530
Subject: [PATCH 082/201] 753 final fixes

---
 pkg/webhooks/policymutation.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index dea2f87fff..134a558328 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -302,10 +302,10 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 	}
 
 	// overwrite Kinds by pod controllers defined in the annotation
-	controllerRule.MatchResources.Kinds = strings.Split(controllers, ",")
+	controllerRule.MatchResources.Kinds = replacePodWithPodControllers(controllerRule.MatchResources.Kinds, strings.Split(controllers, ","))
 	if len(exclude.Kinds) != 0 {
 		controllerRule.ExcludeResources = exclude.DeepCopy()
-		controllerRule.ExcludeResources.Kinds = strings.Split(controllers, ",")
+		controllerRule.ExcludeResources.Kinds = replacePodWithPodControllers(controllerRule.ExcludeResources.Kinds, strings.Split(controllers, ","))
 	}
 
 	if rule.Mutation.Overlay != nil {
@@ -395,3 +395,16 @@ func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) {
 	}
 	return patchByte, nil
 }
+
+func replacePodWithPodControllers(kinds []string, controllers []string) []string {
+
+	var kindsWithoutPod []string
+	for _, kind := range kinds {
+		if strings.ToLower(kind) == "pod" {
+			continue
+		}
+		kindsWithoutPod = append(kindsWithoutPod, kind)
+	}
+
+	return append(kindsWithoutPod, controllers...)
+}

From d43456b681a4872b19bca334314b3be74e79975c Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 4 Apr 2020 21:06:55 +0530
Subject: [PATCH 083/201] 753_avoiding_duplicate_vals

---
 pkg/webhooks/policymutation.go | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index 134a558328..7dfef34588 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -398,13 +398,22 @@ func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) {
 
 func replacePodWithPodControllers(kinds []string, controllers []string) []string {
 
-	var kindsWithoutPod []string
+	kindMap := make(map[string]bool)
+
 	for _, kind := range kinds {
-		if strings.ToLower(kind) == "pod" {
-			continue
-		}
-		kindsWithoutPod = append(kindsWithoutPod, kind)
+		kindMap[kind] = true
 	}
 
-	return append(kindsWithoutPod, controllers...)
+	delete(kindMap, "Pod")
+
+	for _, controller := range controllers {
+		kindMap[controller] = true
+	}
+
+	output := make([]string, 0, len(kindMap))
+	for kind := range kindMap {
+		output = append(output, kind)
+	}
+
+	return output
 }

From ed45dc12c09207713f483d31bc6da714f063171a Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 4 Apr 2020 22:39:21 +0530
Subject: [PATCH 084/201] 775 working prototype

---
 pkg/engine/mutation.go | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index b147f5b490..0449698768 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -1,6 +1,7 @@
 package engine
 
 import (
+	"encoding/json"
 	"reflect"
 	"strings"
 	"time"
@@ -101,18 +102,19 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		if reflect.DeepEqual(policyContext.AdmissionInfo, kyverno.RequestInfo{}) {
 			continue
 		}
+	}
 
-		if strings.Contains(PodControllers, resource.GetKind()) {
+	if strings.Contains(PodControllers, resource.GetKind()) {
+		if !patchedResourceHasPodControllerAnnotation(patchedResource) {
 			var ruleResponse response.RuleResponse
-			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, rule.Name, podTemplateRule, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, "podControllerAnnotation", podTemplateRule.Mutation.Overlay, patchedResource)
 			if !ruleResponse.Success {
 				logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
-				continue
-			}
-
-			if ruleResponse.Success && ruleResponse.Patches != nil {
-				logger.V(2).Info("inserted annotation for podTemplate")
-				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
+			} else {
+				if ruleResponse.Success && ruleResponse.Patches != nil {
+					logger.V(2).Info("inserted annotation for podTemplate")
+					resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
+				}
 			}
 		}
 	}
@@ -120,6 +122,24 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 	resp.PatchedResource = patchedResource
 	return resp
 }
+
+func patchedResourceHasPodControllerAnnotation(resource unstructured.Unstructured) bool {
+	var podController struct {
+		Spec struct {
+			Template struct {
+				Metadata struct {
+					Annotations map[string]interface{} `json:"annotations"`
+				} `json:"metadata"`
+			} `json:"template"`
+		} `json:"spec"`
+	}
+
+	resourceRaw, _ := json.Marshal(resource.Object)
+	json.Unmarshal(resourceRaw, &podController)
+
+	_, ok := podController.Spec.Template.Metadata.Annotations[PodTemplateAnnotation]
+	return ok
+}
 func incrementAppliedRuleCount(resp *response.EngineResponse) {
 	resp.PolicyResponse.RulesAppliedCount++
 }
@@ -150,7 +170,7 @@ var podTemplateRule = kyverno.Rule{
 				"template": map[string]interface{}{
 					"metadata": map[string]interface{}{
 						"annotations": map[string]interface{}{
-							"+(pod-policies.kyverno.io/autogen-applied)": "true",
+							"+(" + PodTemplateAnnotation + ")": "true",
 						},
 					},
 				},

From 23d2a215dc8c45a9185a61c8514b4e65f4b00bba Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 4 Apr 2020 22:50:05 +0530
Subject: [PATCH 085/201] 753 fixing tests

---
 pkg/webhooks/policymutation.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index 7dfef34588..7211306adf 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
+	"sort"
 	"strconv"
 	"strings"
 
@@ -415,5 +416,9 @@ func replacePodWithPodControllers(kinds []string, controllers []string) []string
 		output = append(output, kind)
 	}
 
+	sort.Slice(output, func(i, j int) bool {
+		return output[i] < output[j]
+	})
+
 	return output
 }

From ad3fcb500feffe8c37e735235cfa51378eb8791a Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 4 Apr 2020 22:52:53 +0530
Subject: [PATCH 086/201] 775 circle ci fixes

---
 pkg/engine/mutation.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 0449698768..8f76efca9f 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -135,7 +135,7 @@ func patchedResourceHasPodControllerAnnotation(resource unstructured.Unstructure
 	}
 
 	resourceRaw, _ := json.Marshal(resource.Object)
-	json.Unmarshal(resourceRaw, &podController)
+	_ = json.Unmarshal(resourceRaw, &podController)
 
 	_, ok := podController.Spec.Template.Metadata.Annotations[PodTemplateAnnotation]
 	return ok

From 49e26aface611b352be94b7eed393214efdc1f69 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 9 Apr 2020 22:00:24 +0530
Subject: [PATCH 087/201] 786 tested prototype

---
 pkg/engine/variables/vars.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go
index 59fd8f7fd5..89d1a93714 100644
--- a/pkg/engine/variables/vars.go
+++ b/pkg/engine/variables/vars.go
@@ -30,9 +30,17 @@ func SubstituteVars(log logr.Logger, ctx context.EvalInterface, pattern interfac
 func subVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}, path string, errs *[]error) interface{} {
 	switch typedPattern := pattern.(type) {
 	case map[string]interface{}:
-		return subMap(log, ctx, typedPattern, path, errs)
+		mapCopy := make(map[string]interface{})
+		for k, v := range typedPattern {
+			mapCopy[k] = v
+		}
+
+		return subMap(log, ctx, mapCopy, path, errs)
 	case []interface{}:
-		return subArray(log, ctx, typedPattern, path, errs)
+		sliceCopy := make([]interface{}, len(typedPattern))
+		copy(sliceCopy, typedPattern)
+
+		return subArray(log, ctx, sliceCopy, path, errs)
 	case string:
 		return subValR(log, ctx, typedPattern, path, errs)
 	default:

From 9c457b9c1a7eb483ccb72610373fe49eb9c4471d Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 9 Apr 2020 22:21:59 +0530
Subject: [PATCH 088/201] 786 fixed tests

---
 pkg/engine/variables/variables_test.go | 18 +++++++++---------
 pkg/generate/generate.go               |  5 ++++-
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/pkg/engine/variables/variables_test.go b/pkg/engine/variables/variables_test.go
index e01bf4f820..bb88cc13ac 100644
--- a/pkg/engine/variables/variables_test.go
+++ b/pkg/engine/variables/variables_test.go
@@ -85,7 +85,7 @@ func Test_variablesub1(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -175,7 +175,7 @@ func Test_variablesub_multiple(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -262,7 +262,7 @@ func Test_variablesubstitution(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -323,7 +323,7 @@ func Test_variableSubstitutionValue(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -381,7 +381,7 @@ func Test_variableSubstitutionValueOperatorNotEqual(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -440,7 +440,7 @@ func Test_variableSubstitutionValueFail(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err == nil {
+	if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err == nil {
 		t.Log("expected to fails")
 		t.Fail()
 	}
@@ -498,7 +498,7 @@ func Test_variableSubstitutionObject(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
@@ -562,7 +562,7 @@ func Test_variableSubstitutionObjectOperatorNotEqualFail(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err == nil {
+	if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err == nil {
 		t.Error(err)
 	}
 
@@ -621,7 +621,7 @@ func Test_variableSubstitutionMultipleObject(t *testing.T) {
 		t.Error(err)
 	}
 
-	if _, err := SubstituteVars(log.Log, ctx, patternCopy); err != nil {
+	if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil {
 		t.Error(err)
 	}
 	resultRaw, err := json.Marshal(patternCopy)
diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go
index 9f3edc4bc8..aab5ff1ae4 100644
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@@ -188,9 +188,12 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
 	// format : {{<variable_name}}
 	// - if there is variables that are not defined the context -> results in error and rule is not applied
 	// - valid variables are replaced with the values
-	if _, err := variables.SubstituteVars(log, ctx, genUnst.Object); err != nil {
+	object, err := variables.SubstituteVars(log, ctx, genUnst.Object)
+	if err != nil {
 		return noGenResource, err
 	}
+	genUnst.Object, _ = object.(map[string]interface{})
+
 	genKind, _, err := unstructured.NestedString(genUnst.Object, "kind")
 	if err != nil {
 		return noGenResource, err

From 2451756651bbb598249d37e7c122521e65294ad6 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Fri, 10 Apr 2020 23:24:54 +0530
Subject: [PATCH 089/201] 744 tested prototype

---
 definitions/install.yaml         | 14 +++++-
 definitions/install_debug.yaml   | 14 +++++-
 pkg/api/kyverno/v1/types.go      |  6 +++
 pkg/api/kyverno/v1/utils.go      |  4 ++
 pkg/engine/deny.go               | 26 ++++++++++
 pkg/policy/validate.go           | 12 ++---
 pkg/webhooks/checker.go          |  2 +-
 pkg/webhooks/generation.go       | 23 +--------
 pkg/webhooks/mutation.go         | 26 +---------
 pkg/webhooks/policymutation.go   |  2 +-
 pkg/webhooks/policyvalidation.go |  2 +-
 pkg/webhooks/server.go           | 86 +++++++++++++++++++++++++++-----
 pkg/webhooks/validation.go       | 23 +--------
 13 files changed, 146 insertions(+), 94 deletions(-)
 create mode 100644 pkg/engine/deny.go

diff --git a/definitions/install.yaml b/definitions/install.yaml
index a4f2e544f8..1d01a8cb8a 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -38,7 +38,6 @@ spec:
                 type: object
                 required:
                 - name
-                - match
                 properties:
                   name:
                     type: string
@@ -177,6 +176,19 @@ spec:
                       - key  # can be of any type
                       - operator # typed
                       - value # can be of any type
+                  deny:
+                    type: object
+                    properties:
+                      message:
+                        type: string
+                      conditions:
+                        type: array
+                        items:
+                          type: object
+                          required:
+                          - key  # can be of any type
+                          - operator # typed
+                          - value # can be of any type
                   mutate:
                     type: object
                     properties:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index e9a1343482..7c8812163e 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -38,7 +38,6 @@ spec:
                 type: object
                 required:
                 - name
-                - match
                 properties:
                   name:
                     type: string
@@ -177,6 +176,19 @@ spec:
                       - key  # can be of any type
                       - operator # typed
                       - value # can be of any type
+                  deny:
+                    type: object
+                    properties:
+                      message:
+                        type: string
+                      conditions:
+                        type: array
+                        items:
+                          type: object
+                          required:
+                          - key  # can be of any type
+                          - operator # typed
+                          - value # can be of any type
                   mutate:
                     type: object
                     properties:
diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go
index 29c44b4385..c4f57cce38 100644
--- a/pkg/api/kyverno/v1/types.go
+++ b/pkg/api/kyverno/v1/types.go
@@ -141,6 +141,12 @@ type Rule struct {
 	Mutation         Mutation         `json:"mutate,omitempty"`
 	Validation       Validation       `json:"validate,omitempty"`
 	Generation       Generation       `json:"generate,omitempty"`
+	Deny             *Deny            `json:"deny,omitempty"`
+}
+
+type Deny struct {
+	Message    string      `json:"message,omitempty"`
+	Conditions []Condition `json:"conditions,omitempty"`
 }
 
 //Condition defines the evaluation condition
diff --git a/pkg/api/kyverno/v1/utils.go b/pkg/api/kyverno/v1/utils.go
index abe266eabd..f08b91ee5c 100644
--- a/pkg/api/kyverno/v1/utils.go
+++ b/pkg/api/kyverno/v1/utils.go
@@ -27,6 +27,10 @@ func (r Rule) HasGenerate() bool {
 	return !reflect.DeepEqual(r.Generation, Generation{})
 }
 
+func (r Rule) HasDeny() bool {
+	return r.Deny != nil
+}
+
 // DeepCopyInto is declared because k8s:deepcopy-gen is
 // not able to generate this method for interface{} member
 func (in *Mutation) DeepCopyInto(out *Mutation) {
diff --git a/pkg/engine/deny.go b/pkg/engine/deny.go
new file mode 100644
index 0000000000..0179f8a3f6
--- /dev/null
+++ b/pkg/engine/deny.go
@@ -0,0 +1,26 @@
+package engine
+
+import (
+	"fmt"
+
+	"github.com/go-logr/logr"
+	"github.com/nirmata/kyverno/pkg/engine/context"
+
+	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/engine/variables"
+)
+
+func Deny(logger logr.Logger, policy v1.ClusterPolicy, ctx *context.Context) error {
+	for _, rule := range policy.Spec.Rules {
+		if rule.Deny != nil {
+			sliceCopy := make([]v1.Condition, len(rule.Deny.Conditions))
+			copy(sliceCopy, rule.Deny.Conditions)
+
+			if !variables.EvaluateConditions(logger, ctx, sliceCopy) {
+				return fmt.Errorf("request has been denied by policy %s due to - %s", policy.Name, rule.Deny.Message)
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 96efd07cce..e835fde5d9 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -51,12 +51,6 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 		if path, err := validateResources(rule); err != nil {
 			return fmt.Errorf("path: spec.rules[%d].%s: %v", i, path, err)
 		}
-		// validate rule types
-		// only one type of rule is allowed per rule
-		if err := validateRuleType(rule); err != nil {
-			// as there are more than 1 operation in rule, not need to evaluate it further
-			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
-		}
 		// validate rule actions
 		// - Mutate
 		// - Validate
@@ -122,6 +116,10 @@ func ruleOnlyDealsWithResourceMetaData(rule kyverno.Rule) bool {
 }
 
 func validateResources(rule kyverno.Rule) (string, error) {
+	if rule.HasDeny() {
+		return "", nil
+	}
+
 	// validate userInfo in match and exclude
 	if path, err := validateUserInfo(rule); err != nil {
 		return fmt.Sprintf("resources.%s", path), err
@@ -153,7 +151,7 @@ func validateUniqueRuleName(p kyverno.ClusterPolicy) (string, error) {
 
 // validateRuleType checks only one type of rule is defined per rule
 func validateRuleType(r kyverno.Rule) error {
-	ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate()}
+	ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate(), r.HasDeny()}
 
 	operationCount := func() int {
 		count := 0
diff --git a/pkg/webhooks/checker.go b/pkg/webhooks/checker.go
index 4a52fa7649..a648a0034c 100644
--- a/pkg/webhooks/checker.go
+++ b/pkg/webhooks/checker.go
@@ -4,7 +4,7 @@ import (
 	"k8s.io/api/admission/v1beta1"
 )
 
-func (ws *WebhookServer) handleVerifyRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+func (ws *WebhookServer) verifyHandler(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	logger := ws.log.WithValues("action", "verify", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	logger.V(4).Info("incoming request")
 	return &v1beta1.AdmissionResponse{
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 7f0fc4a692..912349ebf8 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -16,7 +16,7 @@ import (
 )
 
 //HandleGenerate handles admission-requests for policies with generate rules
-func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
+func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, ctx *context.Context, userRequestInfo kyverno.RequestInfo) (bool, string) {
 	logger := ws.log.WithValues("action", "generation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	logger.V(4).Info("incoming request")
 	var engineResponses []response.EngineResponse
@@ -31,27 +31,6 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 
 	// CREATE resources, do not have name, assigned in admission-request
 
-	userRequestInfo := kyverno.RequestInfo{
-		Roles:             roles,
-		ClusterRoles:      clusterRoles,
-		AdmissionUserInfo: request.UserInfo}
-	// build context
-	ctx := context.NewContext()
-	// load incoming resource into the context
-	err = ctx.AddResource(request.Object.Raw)
-	if err != nil {
-		logger.Error(err, "failed to load incoming resource in context")
-	}
-	err = ctx.AddUserInfo(userRequestInfo)
-	if err != nil {
-		logger.Error(err, "failed to load userInfo in context")
-	}
-	// load service account in context
-	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
-	if err != nil {
-		logger.Error(err, "failed to load service account in context")
-	}
-
 	policyContext := engine.PolicyContext{
 		NewResource:   *resource,
 		AdmissionInfo: userRequestInfo,
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 0afdefa90a..2f1cf8af51 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -18,36 +18,12 @@ import (
 
 // HandleMutation handles mutating webhook admission request
 // return value: generated patches
-func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte {
+func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, ctx *context.Context, userRequestInfo kyverno.RequestInfo) []byte {
 	logger := ws.log.WithValues("action", "mutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	logger.V(4).Info("incoming request")
 
 	var patches [][]byte
 	var engineResponses []response.EngineResponse
-
-	userRequestInfo := kyverno.RequestInfo{
-		Roles:             roles,
-		ClusterRoles:      clusterRoles,
-		AdmissionUserInfo: request.UserInfo}
-
-	// build context
-	ctx := context.NewContext()
-	var err error
-	// load incoming resource into the context
-	err = ctx.AddResource(request.Object.Raw)
-	if err != nil {
-		logger.Error(err, "failed to load incoming resource in context")
-	}
-
-	err = ctx.AddUserInfo(userRequestInfo)
-	if err != nil {
-		logger.Error(err, "failed to load userInfo in context")
-	}
-	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
-	if err != nil {
-		logger.Error(err, "failed to load service account in context")
-	}
-
 	policyContext := engine.PolicyContext{
 		NewResource:   resource,
 		AdmissionInfo: userRequestInfo,
diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index dea2f87fff..e9535a735d 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -16,7 +16,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+func (ws *WebhookServer) policyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	logger := ws.log.WithValues("action", "policymutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	var policy *kyverno.ClusterPolicy
 	raw := request.Object.Raw
diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go
index 2923037c98..5b2cf94c18 100644
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@@ -9,7 +9,7 @@ import (
 )
 
 //HandlePolicyValidation performs the validation check on policy resource
-func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+func (ws *WebhookServer) policyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
 	if err := policyvalidate.Validate(request.Object.Raw, ws.client, false, ws.openAPIController); err != nil {
 		return &v1beta1.AdmissionResponse{
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 83d1924931..bef9e6d6a5 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -10,6 +10,11 @@ import (
 	"net/http"
 	"time"
 
+	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	context2 "github.com/nirmata/kyverno/pkg/engine/context"
+
+	"github.com/nirmata/kyverno/pkg/engine"
+
 	"github.com/nirmata/kyverno/pkg/openapi"
 
 	"github.com/go-logr/logr"
@@ -131,11 +136,11 @@ func NewWebhookServer(
 		openAPIController:         openAPIController,
 	}
 	mux := http.NewServeMux()
-	mux.HandleFunc(config.MutatingWebhookServicePath, ws.handlerFunc(ws.handleMutateAdmissionRequest, true))
-	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.handlerFunc(ws.handleValidateAdmissionRequest, true))
-	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyMutation, true))
-	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyValidation, true))
-	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.handleVerifyRequest, false))
+	mux.HandleFunc(config.MutatingWebhookServicePath, ws.handlerFunc(ws.resourceMutation, true))
+	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.handlerFunc(ws.resourceValidation, true))
+	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.policyMutation, true))
+	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.policyValidation, true))
+	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.verifyHandler, false))
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,
@@ -190,7 +195,7 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 	}
 }
 
-func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
@@ -199,9 +204,8 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 		return &v1beta1.AdmissionResponse{Allowed: true}
 	}
 
-	var roles, clusterRoles []string
-
 	// getRoleRef only if policy has roles/clusterroles defined
+	var roles, clusterRoles []string
 	if containRBACinfo(policies) {
 		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
@@ -233,17 +237,51 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 		}
 	}
 
+	userRequestInfo := v1.RequestInfo{
+		Roles:             roles,
+		ClusterRoles:      clusterRoles,
+		AdmissionUserInfo: request.UserInfo}
+
+	// build context
+	ctx := context2.NewContext()
+	// load incoming resource into the context
+	err = ctx.AddResource(request.Object.Raw)
+	if err != nil {
+		logger.Error(err, "failed to load incoming resource in context")
+	}
+
+	err = ctx.AddUserInfo(userRequestInfo)
+	if err != nil {
+		logger.Error(err, "failed to load userInfo in context")
+	}
+	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
+	if err != nil {
+		logger.Error(err, "failed to load service account in context")
+	}
+
+	for _, policy := range policies {
+		if err := engine.Deny(logger, policy, ctx); err != nil {
+			return &v1beta1.AdmissionResponse{
+				Allowed: false,
+				Result: &metav1.Status{
+					Status:  "Failure",
+					Message: err.Error(),
+				},
+			}
+		}
+	}
+
 	// MUTATION
 	// mutation failure should not block the resource creation
 	// any mutation failure is reported as the violation
-	patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
+	patches := ws.HandleMutation(request, resource, policies, ctx, userRequestInfo)
 
 	// patch the resource with patches before handling validation rules
 	patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
 
 	if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
 		// VALIDATION
-		ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
+		ok, msg := ws.HandleValidation(request, policies, patchedResource, ctx, userRequestInfo)
 		if !ok {
 			logger.Info("admission request denied")
 			return &v1beta1.AdmissionResponse{
@@ -261,7 +299,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	// Success -> Generate Request CR created successsfully
 	// Failed -> Failed to create Generate Request CR
 	if request.Operation == v1beta1.Create {
-		ok, msg := ws.HandleGenerate(request, policies, patchedResource, roles, clusterRoles)
+		ok, msg := ws.HandleGenerate(request, policies, ctx, userRequestInfo)
 		if !ok {
 			logger.Info("admission request denied")
 			return &v1beta1.AdmissionResponse{
@@ -285,7 +323,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 	}
 }
 
-func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
@@ -305,8 +343,30 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 		}
 	}
 
+	userRequestInfo := v1.RequestInfo{
+		Roles:             roles,
+		ClusterRoles:      clusterRoles,
+		AdmissionUserInfo: request.UserInfo}
+
+	// build context
+	ctx := context2.NewContext()
+	// load incoming resource into the context
+	err = ctx.AddResource(request.Object.Raw)
+	if err != nil {
+		logger.Error(err, "failed to load incoming resource in context")
+	}
+
+	err = ctx.AddUserInfo(userRequestInfo)
+	if err != nil {
+		logger.Error(err, "failed to load userInfo in context")
+	}
+	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
+	if err != nil {
+		logger.Error(err, "failed to load service account in context")
+	}
+
 	// VALIDATION
-	ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles)
+	ok, msg := ws.HandleValidation(request, policies, nil, ctx, userRequestInfo)
 	if !ok {
 		logger.Info("admission request denied")
 		return &v1beta1.AdmissionResponse{
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index d0b49347ad..e0d564e942 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -17,7 +17,7 @@ import (
 // HandleValidation handles validating webhook admission request
 // If there are no errors in validating rule we apply generation rules
 // patchedResource is the (resource + patches) after applying mutation rules
-func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
+func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, ctx *context.Context, userRequestInfo kyverno.RequestInfo) (bool, string) {
 	logger := ws.log.WithValues("action", "validation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	logger.V(4).Info("incoming request")
 
@@ -28,27 +28,6 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 		logger.Error(err, "failed to extract resource")
 		return true, ""
 	}
-	userRequestInfo := kyverno.RequestInfo{
-		Roles:             roles,
-		ClusterRoles:      clusterRoles,
-		AdmissionUserInfo: request.UserInfo}
-	// build context
-	ctx := context.NewContext()
-	// load incoming resource into the context
-	err = ctx.AddResource(request.Object.Raw)
-	if err != nil {
-		logger.Error(err, "failed to load incoming resource in context")
-	}
-
-	err = ctx.AddUserInfo(userRequestInfo)
-	if err != nil {
-		logger.Error(err, "failed to load userInfo in context")
-	}
-
-	err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
-	if err != nil {
-		logger.Error(err, "failed to load service account in context")
-	}
 
 	policyContext := engine.PolicyContext{
 		NewResource:   newR,

From 09b3172b8cf9b3e52b57c9ce0ee04fc3319463db Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 11 Apr 2020 22:11:28 +0530
Subject: [PATCH 090/201] 753 reverting autogen rule changes

---
 pkg/webhooks/policymutation.go | 31 ++-----------------------------
 1 file changed, 2 insertions(+), 29 deletions(-)

diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index 7211306adf..dea2f87fff 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
-	"sort"
 	"strconv"
 	"strings"
 
@@ -303,10 +302,10 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 	}
 
 	// overwrite Kinds by pod controllers defined in the annotation
-	controllerRule.MatchResources.Kinds = replacePodWithPodControllers(controllerRule.MatchResources.Kinds, strings.Split(controllers, ","))
+	controllerRule.MatchResources.Kinds = strings.Split(controllers, ",")
 	if len(exclude.Kinds) != 0 {
 		controllerRule.ExcludeResources = exclude.DeepCopy()
-		controllerRule.ExcludeResources.Kinds = replacePodWithPodControllers(controllerRule.ExcludeResources.Kinds, strings.Split(controllers, ","))
+		controllerRule.ExcludeResources.Kinds = strings.Split(controllers, ",")
 	}
 
 	if rule.Mutation.Overlay != nil {
@@ -396,29 +395,3 @@ func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) {
 	}
 	return patchByte, nil
 }
-
-func replacePodWithPodControllers(kinds []string, controllers []string) []string {
-
-	kindMap := make(map[string]bool)
-
-	for _, kind := range kinds {
-		kindMap[kind] = true
-	}
-
-	delete(kindMap, "Pod")
-
-	for _, controller := range controllers {
-		kindMap[controller] = true
-	}
-
-	output := make([]string, 0, len(kindMap))
-	for kind := range kindMap {
-		output = append(output, kind)
-	}
-
-	sort.Slice(output, func(i, j int) bool {
-		return output[i] < output[j]
-	})
-
-	return output
-}

From 61918d9826a61f45feb1e2d9fd463ad4d47fe86c Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sun, 12 Apr 2020 18:58:55 +0530
Subject: [PATCH 091/201] 808_prototype

---
 definitions/install.yaml       | 1 +
 definitions/install_debug.yaml | 1 +
 pkg/api/kyverno/v1/types.go    | 4 ++--
 pkg/policystatus/main.go       | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index a4f2e544f8..b8950c12e6 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -20,6 +20,7 @@ spec:
   validation:
     openAPIV3Schema:
       properties:
+        status: {}
         spec:
           required:
           - rules
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index e9a1343482..d17c931004 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -20,6 +20,7 @@ spec:
   validation:
     openAPIV3Schema:
       properties:
+        status: {}
         spec:
           required:
           - rules
diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go
index 29c44b4385..69605a0c05 100644
--- a/pkg/api/kyverno/v1/types.go
+++ b/pkg/api/kyverno/v1/types.go
@@ -121,7 +121,7 @@ type Policy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 	Spec              Spec         `json:"spec"`
-	Status            PolicyStatus `json:"status"`
+	Status            PolicyStatus `json:"status,omitempty"`
 }
 
 // Spec describes policy behavior by its rules
@@ -230,7 +230,7 @@ type CloneFrom struct {
 // PolicyStatus mostly contains statistics related to policy
 type PolicyStatus struct {
 	// average time required to process the policy rules on a resource
-	AvgExecutionTime string `json:"averageExecutionTime"`
+	AvgExecutionTime string `json:"averageExecutionTime,omitempty"`
 	// number of violations created by this policy
 	ViolationCount int `json:"violationCount,omitempty"`
 	// Count of rules that failed
diff --git a/pkg/policystatus/main.go b/pkg/policystatus/main.go
index b21ff2e505..6e89d41b9b 100644
--- a/pkg/policystatus/main.go
+++ b/pkg/policystatus/main.go
@@ -80,7 +80,7 @@ func (s *Sync) Run(workers int, stopCh <-chan struct{}) {
 		go s.updateStatusCache(stopCh)
 	}
 
-	wait.Until(s.updatePolicyStatus, 2*time.Second, stopCh)
+	wait.Until(s.updatePolicyStatus, 10*time.Second, stopCh)
 	<-stopCh
 }
 

From e3519d6b45c782d57eff2185679acdf9e85c976d Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Mon, 13 Apr 2020 20:26:46 +0530
Subject: [PATCH 092/201] 808 test fixes

---
 pkg/generate/policyStatus_test.go        | 2 +-
 pkg/policystatus/status_test.go          | 2 +-
 pkg/policyviolation/policyStatus_test.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/generate/policyStatus_test.go b/pkg/generate/policyStatus_test.go
index b0fa04b591..b465a8547b 100644
--- a/pkg/generate/policyStatus_test.go
+++ b/pkg/generate/policyStatus_test.go
@@ -15,7 +15,7 @@ func Test_Stats(t *testing.T) {
 		expectedOutput     []byte
 		existingStatus     map[string]v1.PolicyStatus
 	}{
-		expectedOutput: []byte(`{"policy1":{"averageExecutionTime":"","resourcesGeneratedCount":2,"ruleStatus":[{"ruleName":"rule1","averageExecutionTime":"23ns","resourcesGeneratedCount":1},{"ruleName":"rule2","averageExecutionTime":"44ns","resourcesGeneratedCount":1},{"ruleName":"rule3"}]}}`),
+		expectedOutput: []byte(`{"policy1":{"resourcesGeneratedCount":2,"ruleStatus":[{"ruleName":"rule1","averageExecutionTime":"23ns","resourcesGeneratedCount":1},{"ruleName":"rule2","averageExecutionTime":"44ns","resourcesGeneratedCount":1},{"ruleName":"rule3"}]}}`),
 		generatedSyncStats: []generateSyncStats{
 			{
 				policyName: "policy1",
diff --git a/pkg/policystatus/status_test.go b/pkg/policystatus/status_test.go
index 310852cf2f..c36f1a5c0f 100644
--- a/pkg/policystatus/status_test.go
+++ b/pkg/policystatus/status_test.go
@@ -28,7 +28,7 @@ func (d dummyStatusUpdater) PolicyName() string {
 }
 
 func TestKeyToMutex(t *testing.T) {
-	expectedCache := `{"policy1":{"averageExecutionTime":"","rulesAppliedCount":100}}`
+	expectedCache := `{"policy1":{"rulesAppliedCount":100}}`
 
 	stopCh := make(chan struct{})
 	s := NewSync(nil, dummyStore{})
diff --git a/pkg/policyviolation/policyStatus_test.go b/pkg/policyviolation/policyStatus_test.go
index 8db26ae4a6..39f718ba13 100644
--- a/pkg/policyviolation/policyStatus_test.go
+++ b/pkg/policyviolation/policyStatus_test.go
@@ -33,7 +33,7 @@ func Test_Stats(t *testing.T) {
 				},
 			},
 		},
-		expectedOutput: []byte(`{"policy1":{"averageExecutionTime":"","violationCount":1,"ruleStatus":[{"ruleName":"rule4","violationCount":1}]},"policy2":{"averageExecutionTime":"","violationCount":1,"ruleStatus":[{"ruleName":"rule4","violationCount":1}]}}`),
+		expectedOutput: []byte(`{"policy1":{"violationCount":1,"ruleStatus":[{"ruleName":"rule4","violationCount":1}]},"policy2":{"violationCount":1,"ruleStatus":[{"ruleName":"rule4","violationCount":1}]}}`),
 		violationCountStats: []struct {
 			policyName    string
 			violatedRules []v1.ViolatedRule

From 5f20cdfb07e91c19ed88c9a6a6c41062a5f71fdd Mon Sep 17 00:00:00 2001
From: shuting <shutting06@gmail.com>
Date: Mon, 13 Apr 2020 09:29:11 -0700
Subject: [PATCH 093/201] remove cpu limit in BP
 require_pod_requests_limits.yaml (#807)

* remove cpu limit in BP require_pod_requests_limits.yaml

* update test
---
 samples/RequirePodRequestsLimits.md                            | 1 -
 samples/best_practices/require_pod_requests_limits.yaml        | 3 +--
 .../samples/best_practices/require_pod_requests_limits.yaml    | 2 +-
 3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/samples/RequirePodRequestsLimits.md b/samples/RequirePodRequestsLimits.md
index 173492b408..d49220391b 100644
--- a/samples/RequirePodRequestsLimits.md
+++ b/samples/RequirePodRequestsLimits.md
@@ -31,5 +31,4 @@ spec:
                 cpu: "?*"
               limits:
                 memory: "?*"
-                cpu: "?*"
 ````
diff --git a/samples/best_practices/require_pod_requests_limits.yaml b/samples/best_practices/require_pod_requests_limits.yaml
index 3902b97c6b..175f5c01c7 100644
--- a/samples/best_practices/require_pod_requests_limits.yaml
+++ b/samples/best_practices/require_pod_requests_limits.yaml
@@ -26,5 +26,4 @@ spec:
                 memory: "?*"
                 cpu: "?*"
               limits:
-                memory: "?*"
-                cpu: "?*"
\ No newline at end of file
+                memory: "?*"
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/require_pod_requests_limits.yaml b/test/scenarios/samples/best_practices/require_pod_requests_limits.yaml
index 31fa5d4df0..ee05cc8f5a 100644
--- a/test/scenarios/samples/best_practices/require_pod_requests_limits.yaml
+++ b/test/scenarios/samples/best_practices/require_pod_requests_limits.yaml
@@ -14,4 +14,4 @@ expected:
       rules:
         - name: validate-resources
           type: Validation
-          success: false 
+          success: true 

From 4cb44bce09ceefe2e3864a5602f1d9a09987848e Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 14 Apr 2020 19:06:48 +0530
Subject: [PATCH 094/201] 744 save commit

---
 definitions/install.yaml       | 26 +++++++++++++-------------
 definitions/install_debug.yaml | 26 +++++++++++++-------------
 pkg/api/kyverno/v1/types.go    |  7 +------
 pkg/api/kyverno/v1/utils.go    |  4 ----
 pkg/engine/deny.go             | 26 --------------------------
 pkg/policy/validate.go         |  6 +-----
 pkg/webhooks/server.go         | 14 --------------
 7 files changed, 28 insertions(+), 81 deletions(-)
 delete mode 100644 pkg/engine/deny.go

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 1d01a8cb8a..72ba5cf550 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -176,19 +176,6 @@ spec:
                       - key  # can be of any type
                       - operator # typed
                       - value # can be of any type
-                  deny:
-                    type: object
-                    properties:
-                      message:
-                        type: string
-                      conditions:
-                        type: array
-                        items:
-                          type: object
-                          required:
-                          - key  # can be of any type
-                          - operator # typed
-                          - value # can be of any type
                   mutate:
                     type: object
                     properties:
@@ -221,6 +208,19 @@ spec:
                         AnyValue: {}
                       anyPattern:
                         AnyValue: {}
+                      deny:
+                        type: object
+                        properties:
+                          message:
+                            type: string
+                          conditions:
+                            type: array
+                            items:
+                              type: object
+                              required:
+                                - key  # can be of any type
+                                - operator # typed
+                                - value # can be of any type
                   generate:
                     type: object
                     required:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 7c8812163e..3c416a9ede 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -176,19 +176,6 @@ spec:
                       - key  # can be of any type
                       - operator # typed
                       - value # can be of any type
-                  deny:
-                    type: object
-                    properties:
-                      message:
-                        type: string
-                      conditions:
-                        type: array
-                        items:
-                          type: object
-                          required:
-                          - key  # can be of any type
-                          - operator # typed
-                          - value # can be of any type
                   mutate:
                     type: object
                     properties:
@@ -221,6 +208,19 @@ spec:
                         AnyValue: {}
                       anyPattern:
                         AnyValue: {}
+                      deny:
+                        type: object
+                        properties:
+                          message:
+                            type: string
+                          conditions:
+                            type: array
+                            items:
+                              type: object
+                              required:
+                                - key  # can be of any type
+                                - operator # typed
+                                - value # can be of any type
                   generate:
                     type: object
                     required:
diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go
index c4f57cce38..c85fe9a1a7 100644
--- a/pkg/api/kyverno/v1/types.go
+++ b/pkg/api/kyverno/v1/types.go
@@ -141,12 +141,6 @@ type Rule struct {
 	Mutation         Mutation         `json:"mutate,omitempty"`
 	Validation       Validation       `json:"validate,omitempty"`
 	Generation       Generation       `json:"generate,omitempty"`
-	Deny             *Deny            `json:"deny,omitempty"`
-}
-
-type Deny struct {
-	Message    string      `json:"message,omitempty"`
-	Conditions []Condition `json:"conditions,omitempty"`
 }
 
 //Condition defines the evaluation condition
@@ -217,6 +211,7 @@ type Validation struct {
 	Message    string        `json:"message,omitempty"`
 	Pattern    interface{}   `json:"pattern,omitempty"`
 	AnyPattern []interface{} `json:"anyPattern,omitempty"`
+	Deny       []Condition   `json:"deny,omitempty"`
 }
 
 // Generation describes which resources will be created when other resource is created
diff --git a/pkg/api/kyverno/v1/utils.go b/pkg/api/kyverno/v1/utils.go
index f08b91ee5c..abe266eabd 100644
--- a/pkg/api/kyverno/v1/utils.go
+++ b/pkg/api/kyverno/v1/utils.go
@@ -27,10 +27,6 @@ func (r Rule) HasGenerate() bool {
 	return !reflect.DeepEqual(r.Generation, Generation{})
 }
 
-func (r Rule) HasDeny() bool {
-	return r.Deny != nil
-}
-
 // DeepCopyInto is declared because k8s:deepcopy-gen is
 // not able to generate this method for interface{} member
 func (in *Mutation) DeepCopyInto(out *Mutation) {
diff --git a/pkg/engine/deny.go b/pkg/engine/deny.go
deleted file mode 100644
index 0179f8a3f6..0000000000
--- a/pkg/engine/deny.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package engine
-
-import (
-	"fmt"
-
-	"github.com/go-logr/logr"
-	"github.com/nirmata/kyverno/pkg/engine/context"
-
-	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	"github.com/nirmata/kyverno/pkg/engine/variables"
-)
-
-func Deny(logger logr.Logger, policy v1.ClusterPolicy, ctx *context.Context) error {
-	for _, rule := range policy.Spec.Rules {
-		if rule.Deny != nil {
-			sliceCopy := make([]v1.Condition, len(rule.Deny.Conditions))
-			copy(sliceCopy, rule.Deny.Conditions)
-
-			if !variables.EvaluateConditions(logger, ctx, sliceCopy) {
-				return fmt.Errorf("request has been denied by policy %s due to - %s", policy.Name, rule.Deny.Message)
-			}
-		}
-	}
-
-	return nil
-}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index abc3cfad8a..04741669ea 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -239,10 +239,6 @@ func ruleOnlyDealsWithResourceMetaData(rule kyverno.Rule) bool {
 }
 
 func validateResources(rule kyverno.Rule) (string, error) {
-	if rule.HasDeny() {
-		return "", nil
-	}
-
 	// validate userInfo in match and exclude
 	if path, err := validateUserInfo(rule); err != nil {
 		return fmt.Sprintf("resources.%s", path), err
@@ -274,7 +270,7 @@ func validateUniqueRuleName(p kyverno.ClusterPolicy) (string, error) {
 
 // validateRuleType checks only one type of rule is defined per rule
 func validateRuleType(r kyverno.Rule) error {
-	ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate(), r.HasDeny()}
+	ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate()}
 
 	operationCount := func() int {
 		count := 0
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index bef9e6d6a5..350f3a6ccb 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -13,8 +13,6 @@ import (
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	context2 "github.com/nirmata/kyverno/pkg/engine/context"
 
-	"github.com/nirmata/kyverno/pkg/engine"
-
 	"github.com/nirmata/kyverno/pkg/openapi"
 
 	"github.com/go-logr/logr"
@@ -259,18 +257,6 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 		logger.Error(err, "failed to load service account in context")
 	}
 
-	for _, policy := range policies {
-		if err := engine.Deny(logger, policy, ctx); err != nil {
-			return &v1beta1.AdmissionResponse{
-				Allowed: false,
-				Result: &metav1.Status{
-					Status:  "Failure",
-					Message: err.Error(),
-				},
-			}
-		}
-	}
-
 	// MUTATION
 	// mutation failure should not block the resource creation
 	// any mutation failure is reported as the violation

From 11580e8ba52d3416acbd55a725001a7136faa6b1 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 14 Apr 2020 20:47:12 +0530
Subject: [PATCH 095/201] 744 save commit

---
 pkg/engine/validation.go | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 00c32f6791..87ff85dc69 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -101,14 +101,28 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 		}
 
 		// operate on the copy of the conditions, as we perform variable substitution
-		copyConditions := copyConditions(rule.Conditions)
+		preconditionsCopy := copyConditions(rule.Conditions)
 		// evaluate pre-conditions
 		// - handle variable subsitutions
-		if !variables.EvaluateConditions(log, ctx, copyConditions) {
+		if !variables.EvaluateConditions(log, ctx, preconditionsCopy) {
 			log.V(4).Info("resource fails the preconditions")
 			continue
 		}
 
+		if rule.Validation.Deny != nil {
+			denyConditionsCopy := copyConditions(rule.Validation.Deny)
+			if !variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
+				ruleResp := response.RuleResponse{
+					Name:    rule.Name,
+					Type:    utils.Validation.String(),
+					Message: rule.Validation.Message,
+					Success: false,
+				}
+				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
+			}
+			continue
+		}
+
 		if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
 			ruleResponse := validatePatterns(log, ctx, resource, rule)
 			incrementAppliedCount(resp)

From 83ecd959451aa24f2b3170ae16fe51b788a18679 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 15 Apr 2020 21:17:14 +0530
Subject: [PATCH 096/201] 744 added all request values to context

---
 definitions/install.yaml        | 19 +++++++------------
 definitions/install_debug.yaml  | 19 +++++++------------
 pkg/engine/context/context.go   | 18 ++++++++++++++++++
 pkg/policy/validate/validate.go |  4 ++--
 pkg/webhooks/server.go          |  8 ++++++++
 5 files changed, 42 insertions(+), 26 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 72ba5cf550..d85ad4574d 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -209,18 +209,13 @@ spec:
                       anyPattern:
                         AnyValue: {}
                       deny:
-                        type: object
-                        properties:
-                          message:
-                            type: string
-                          conditions:
-                            type: array
-                            items:
-                              type: object
-                              required:
-                                - key  # can be of any type
-                                - operator # typed
-                                - value # can be of any type
+                        type: array
+                        items:
+                          type: object
+                          required:
+                            - key  # can be of any type
+                            - operator # typed
+                            - value # can be of any type
                   generate:
                     type: object
                     required:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 3c416a9ede..6984c76187 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -209,18 +209,13 @@ spec:
                       anyPattern:
                         AnyValue: {}
                       deny:
-                        type: object
-                        properties:
-                          message:
-                            type: string
-                          conditions:
-                            type: array
-                            items:
-                              type: object
-                              required:
-                                - key  # can be of any type
-                                - operator # typed
-                                - value # can be of any type
+                        type: array
+                        items:
+                          type: object
+                          required:
+                            - key  # can be of any type
+                            - operator # typed
+                            - value # can be of any type
                   generate:
                     type: object
                     required:
diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index 163e81fef0..eba01a1538 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -5,6 +5,8 @@ import (
 	"strings"
 	"sync"
 
+	"k8s.io/api/admission/v1beta1"
+
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -63,6 +65,22 @@ func (ctx *Context) AddJSON(dataRaw []byte) error {
 	return nil
 }
 
+//AddResource data at path: request.object
+func (ctx *Context) AddRequest(request *v1beta1.AdmissionRequest) error {
+	modifiedResource := struct {
+		Request interface{} `json:"request"`
+	}{
+		Request: request,
+	}
+
+	objRaw, err := json.Marshal(modifiedResource)
+	if err != nil {
+		ctx.log.Error(err, "failed to marshal the UserInfo")
+		return err
+	}
+	return ctx.AddJSON(objRaw)
+}
+
 //AddResource data at path: request.object
 func (ctx *Context) AddResource(dataRaw []byte) error {
 
diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go
index 3889f9f163..1e705758aa 100644
--- a/pkg/policy/validate/validate.go
+++ b/pkg/policy/validate/validate.go
@@ -49,8 +49,8 @@ func (v *Validate) Validate() (string, error) {
 // validateOverlayPattern checks one of pattern/anyPattern must exist
 func (v *Validate) validateOverlayPattern() error {
 	rule := v.rule
-	if rule.Pattern == nil && len(rule.AnyPattern) == 0 {
-		return fmt.Errorf("a pattern or anyPattern must be specified")
+	if rule.Pattern == nil && len(rule.AnyPattern) == 0 && len(rule.Deny) == 0 {
+		return fmt.Errorf("a pattern or anyPattern or deny must be specified")
 	}
 
 	if rule.Pattern != nil && len(rule.AnyPattern) != 0 {
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 350f3a6ccb..23e8ccd6e8 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -242,6 +242,10 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 
 	// build context
 	ctx := context2.NewContext()
+	err = ctx.AddRequest(request)
+	if err != nil {
+		logger.Error(err, "failed to load incoming request in context")
+	}
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {
@@ -336,6 +340,10 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 
 	// build context
 	ctx := context2.NewContext()
+	err = ctx.AddRequest(request)
+	if err != nil {
+		logger.Error(err, "failed to load incoming request in context")
+	}
 	// load incoming resource into the context
 	err = ctx.AddResource(request.Object.Raw)
 	if err != nil {

From 93fa54bf795ff51200696a26361602d8b79eba3b Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Sat, 18 Apr 2020 18:26:09 +0530
Subject: [PATCH 097/201] 744 deny all requests

---
 definitions/install.yaml        | 18 +++++++++++-------
 definitions/install_debug.yaml  | 18 +++++++++++-------
 pkg/api/kyverno/v1/types.go     |  7 ++++++-
 pkg/engine/validation.go        |  4 ++--
 pkg/policy/validate/validate.go |  2 +-
 5 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index d85ad4574d..5a4db02cf5 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -209,13 +209,17 @@ spec:
                       anyPattern:
                         AnyValue: {}
                       deny:
-                        type: array
-                        items:
-                          type: object
-                          required:
-                            - key  # can be of any type
-                            - operator # typed
-                            - value # can be of any type
+                        properties:
+                          allRequests:
+                            type: boolean
+                          conditions:
+                            type: array
+                            items:
+                              type: object
+                              required:
+                                - key  # can be of any type
+                                - operator # typed
+                                - value # can be of any type
                   generate:
                     type: object
                     required:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 6984c76187..eddfe71a8e 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -209,13 +209,17 @@ spec:
                       anyPattern:
                         AnyValue: {}
                       deny:
-                        type: array
-                        items:
-                          type: object
-                          required:
-                            - key  # can be of any type
-                            - operator # typed
-                            - value # can be of any type
+                        properties:
+                          allRequests:
+                            type: boolean
+                          conditions:
+                            type: array
+                            items:
+                              type: object
+                              required:
+                                - key  # can be of any type
+                                - operator # typed
+                                - value # can be of any type
                   generate:
                     type: object
                     required:
diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go
index c85fe9a1a7..a05adb96e4 100644
--- a/pkg/api/kyverno/v1/types.go
+++ b/pkg/api/kyverno/v1/types.go
@@ -211,7 +211,12 @@ type Validation struct {
 	Message    string        `json:"message,omitempty"`
 	Pattern    interface{}   `json:"pattern,omitempty"`
 	AnyPattern []interface{} `json:"anyPattern,omitempty"`
-	Deny       []Condition   `json:"deny,omitempty"`
+	Deny       *Deny         `json:"deny,omitempty"`
+}
+
+type Deny struct {
+	AllRequests bool        `json:"allRequests,omitempty"`
+	Conditions  []Condition `json:"conditions,omitempty"`
 }
 
 // Generation describes which resources will be created when other resource is created
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 87ff85dc69..0cd89e09da 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -110,8 +110,8 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 		}
 
 		if rule.Validation.Deny != nil {
-			denyConditionsCopy := copyConditions(rule.Validation.Deny)
-			if !variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
+			denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
+			if rule.Validation.Deny.AllRequests || !variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
 				ruleResp := response.RuleResponse{
 					Name:    rule.Name,
 					Type:    utils.Validation.String(),
diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go
index 1e705758aa..d120422d9d 100644
--- a/pkg/policy/validate/validate.go
+++ b/pkg/policy/validate/validate.go
@@ -49,7 +49,7 @@ func (v *Validate) Validate() (string, error) {
 // validateOverlayPattern checks one of pattern/anyPattern must exist
 func (v *Validate) validateOverlayPattern() error {
 	rule := v.rule
-	if rule.Pattern == nil && len(rule.AnyPattern) == 0 && len(rule.Deny) == 0 {
+	if rule.Pattern == nil && len(rule.AnyPattern) == 0 && rule.Deny == nil {
 		return fmt.Errorf("a pattern or anyPattern or deny must be specified")
 	}
 

From bd117aa65d34c650583018dc5128bbf939d74486 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sat, 18 Apr 2020 20:13:47 -0700
Subject: [PATCH 098/201] Fixes #797 - update example for mutate patch policy

---
 documentation/writing-policies-mutate.md | 35 +++++++++++++-----------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md
index 9486d33598..5ca26cc350 100644
--- a/documentation/writing-policies-mutate.md
+++ b/documentation/writing-policies-mutate.md
@@ -20,28 +20,31 @@ A JSON Patch rule provides an alternate way to mutate resources.
 
 With Kyverno, the add and replace have the same behavior i.e. both operations will add or replace the target element.
 
-This patch adds an init container to all deployments.
+This patch policy adds, or replaces, entries in a `ConfigMap` with the name `config-name` in any namespace.
 
 ````yaml
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: policy-v1
-spec:
+apiVersion : kyverno.io/v1
+kind : ClusterPolicy
+metadata :
+  name : policy-generate-cm
+spec :
   rules:
-    - name: "add-init-secrets"
+    - name: pCM1
       match:
         resources:
-          kinds:
-          - Deployment
+          name: "config-game"
+          kinds :
+          - ConfigMap
       mutate:
-        overlay:
-          spec:
-            template:
-              spec:
-                initContainers:
-                  - name: init-secrets
-                    image: nirmata.io/kube-vault-client:v2
+        patches:
+        - path: "/data/ship.properties"
+          op: add
+          value: |
+            type=starship
+            owner=utany.corp
+        - path : "/data/newKey1"
+          op : add
+          value : newValue1
 ````
 
 Here is the example of a patch that removes a label from the secret:

From bafc854bc596d9b93d6c6917c6f44f3d68a5a6f1 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Mon, 20 Apr 2020 18:51:04 +0530
Subject: [PATCH 099/201] 797 typo fix

---
 documentation/writing-policies-mutate.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md
index 5ca26cc350..68b6aaa45e 100644
--- a/documentation/writing-policies-mutate.md
+++ b/documentation/writing-policies-mutate.md
@@ -20,7 +20,7 @@ A JSON Patch rule provides an alternate way to mutate resources.
 
 With Kyverno, the add and replace have the same behavior i.e. both operations will add or replace the target element.
 
-This patch policy adds, or replaces, entries in a `ConfigMap` with the name `config-name` in any namespace.
+This patch policy adds, or replaces, entries in a `ConfigMap` with the name `config-game` in any namespace.
 
 ````yaml
 apiVersion : kyverno.io/v1

From c657ef1016dc51e06095369e8d95ea9e9b48aafd Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Mon, 20 Apr 2020 07:41:49 -0700
Subject: [PATCH 100/201] Fixes #817 - slack channel URL

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2335a3b78f..12506896d1 100644
--- a/README.md
+++ b/README.md
@@ -164,7 +164,7 @@ See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](htt
 ## Getting help
 
   * For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues).
-  * For discussions or questions, join our [Kubernetes Slack channel #kyverno](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9) or the [mailing list](https://groups.google.com/forum/#!forum/kyverno)
+  * For discussions or questions, join the **#kyverno** channel on the [Kubernetes Slack](https://kubernetes.slack.com/) or the [mailing list](https://groups.google.com/forum/#!forum/kyverno)
 
 ## Contributing
 

From 7a3f0012a912f10080c551eedbc9468faef01a65 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 22 Apr 2020 20:15:16 +0530
Subject: [PATCH 101/201] 744 untested prototype

---
 pkg/engine/validation.go      | 58 +++++++++++++----------------------
 pkg/webhookconfig/resource.go |  4 +--
 pkg/webhooks/server.go        | 24 ++++++++++++---
 3 files changed, 44 insertions(+), 42 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 0cd89e09da..2daadb08a9 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -17,7 +17,7 @@ import (
 )
 
 //Validate applies validation rules from policy on the resource
-func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
+func Validate(policyContext PolicyContext) response.EngineResponse {
 	startTime := time.Now()
 	policy := policyContext.Policy
 	newR := policyContext.NewResource
@@ -29,39 +29,22 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 	// policy information
 	logger.V(4).Info("start processing", "startTime", startTime)
 
-	// Process new & old resource
-	if reflect.DeepEqual(oldR, unstructured.Unstructured{}) {
-		// Create Mode
-		// Operate on New Resource only
-		resp := validateResource(logger, ctx, policy, newR, admissionInfo)
-		startResultResponse(resp, policy, newR)
-		defer endResultResponse(logger, resp, startTime)
-		// set PatchedResource with origin resource if empty
-		// in order to create policy violation
-		if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
-			resp.PatchedResource = newR
-		}
-		return *resp
+	var resp *response.EngineResponse
+	// handling delete requests
+	if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
+		resp = validateResource(logger, ctx, policy, oldR, admissionInfo, true)
+	} else {
+		resp = validateResource(logger, ctx, policy, newR, admissionInfo, false)
 	}
-	// Update Mode
-	// Operate on New and Old Resource only
-	// New resource
-	oldResponse := validateResource(logger, ctx, policy, oldR, admissionInfo)
-	newResponse := validateResource(logger, ctx, policy, newR, admissionInfo)
 
-	// if the old and new response is same then return empty response
-	if !isSameResponse(oldResponse, newResponse) {
-		// there are changes send response
-		startResultResponse(newResponse, policy, newR)
-		defer endResultResponse(logger, newResponse, startTime)
-		if reflect.DeepEqual(newResponse.PatchedResource, unstructured.Unstructured{}) {
-			newResponse.PatchedResource = newR
-		}
-		return *newResponse
+	startResultResponse(resp, policy, newR)
+	defer endResultResponse(logger, resp, startTime)
+	// set PatchedResource with origin resource if empty
+	// in order to create policy violation
+	if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
+		resp.PatchedResource = newR
 	}
-	// if there are no changes with old and new response then sent empty response
-	// skip processing
-	return response.EngineResponse{}
+	return *resp
 }
 
 func startResultResponse(resp *response.EngineResponse, policy kyverno.ClusterPolicy, newR unstructured.Unstructured) {
@@ -85,7 +68,7 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 	resp.PolicyResponse.RulesAppliedCount++
 }
 
-func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
+func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, isDelete bool) *response.EngineResponse {
 	resp := &response.EngineResponse{}
 	for _, rule := range policy.Spec.Rules {
 		if !rule.HasValidate() {
@@ -123,11 +106,14 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 			continue
 		}
 
-		if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
-			ruleResponse := validatePatterns(log, ctx, resource, rule)
-			incrementAppliedCount(resp)
-			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
+		if !isDelete {
+			if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
+				ruleResponse := validatePatterns(log, ctx, resource, rule)
+				incrementAppliedCount(resp)
+				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
+			}
 		}
+
 	}
 	return resp
 }
diff --git a/pkg/webhookconfig/resource.go b/pkg/webhookconfig/resource.go
index 050517da0a..7a91a24af5 100644
--- a/pkg/webhookconfig/resource.go
+++ b/pkg/webhookconfig/resource.go
@@ -100,7 +100,7 @@ func (wrc *WebhookRegistrationClient) constructDebugValidatingWebhookConfig(caDa
 				"*/*",
 				"*",
 				"*",
-				[]admregapi.OperationType{admregapi.Create, admregapi.Update},
+				[]admregapi.OperationType{admregapi.Create, admregapi.Update, admregapi.Delete},
 			),
 		},
 	}
@@ -124,7 +124,7 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(caData []
 				"*/*",
 				"*",
 				"*",
-				[]admregapi.OperationType{admregapi.Create, admregapi.Update},
+				[]admregapi.OperationType{admregapi.Create, admregapi.Update, admregapi.Delete},
 			),
 		},
 	}
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 23e8ccd6e8..0e3fd35847 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"strings"
 	"time"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -171,13 +172,19 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 
 		// Do not process the admission requests for kinds that are in filterKinds for filtering
 		request := admissionReview.Request
-		if filter {
-			if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
+
+		if !isValidUsername(request.UserInfo.Username) {
+			admissionReview.Response = &v1beta1.AdmissionResponse{Allowed: true}
+		} else {
+			if filter {
+				if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
+					admissionReview.Response = handler(request)
+				}
+			} else {
 				admissionReview.Response = handler(request)
 			}
-		} else {
-			admissionReview.Response = handler(request)
 		}
+
 		admissionReview.Response.UID = request.UID
 
 		responseJSON, err := json.Marshal(admissionReview)
@@ -193,6 +200,15 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 	}
 }
 
+func isValidUsername(username string) bool {
+	if strings.HasPrefix(username, "system") {
+		if !strings.HasPrefix(username, "system:serviceaccount") {
+			return false
+		}
+	}
+	return true
+}
+
 func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()

From 34238188da792822c73a5918a61e66f85564e6cb Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 22 Apr 2020 20:45:15 +0530
Subject: [PATCH 102/201] 744 fixing broken delete

---
 pkg/webhooks/common.go | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index 476606b468..fb6ac42021 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -5,10 +5,10 @@ import (
 	"strings"
 
 	"github.com/go-logr/logr"
-	yamlv2 "gopkg.in/yaml.v2"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	engineutils "github.com/nirmata/kyverno/pkg/engine/utils"
+	yamlv2 "gopkg.in/yaml.v2"
 	"k8s.io/api/admission/v1beta1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -129,31 +129,32 @@ func containRBACinfo(policies []kyverno.ClusterPolicy) bool {
 // extracts the new and old resource as unstructured
 func extractResources(newRaw []byte, request *v1beta1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
 	var emptyResource unstructured.Unstructured
+	var newResource unstructured.Unstructured
+	var oldResource unstructured.Unstructured
+	var err error
 
 	// New Resource
 	if newRaw == nil {
 		newRaw = request.Object.Raw
 	}
-	if newRaw == nil {
-		return emptyResource, emptyResource, fmt.Errorf("new resource is not defined")
+
+	if newRaw != nil {
+		newResource, err = convertResource(newRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+		if err != nil {
+			return emptyResource, emptyResource, fmt.Errorf("failed to convert new raw to unstructured: %v", err)
+		}
 	}
 
-	new, err := convertResource(newRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
-	if err != nil {
-		return emptyResource, emptyResource, fmt.Errorf("failed to convert new raw to unstructured: %v", err)
-	}
-
-	// Old Resource - Optional
+	// Old Resource
 	oldRaw := request.OldObject.Raw
-	if oldRaw == nil {
-		return new, emptyResource, nil
+	if oldRaw != nil {
+		oldResource, err = convertResource(oldRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+		if err != nil {
+			return emptyResource, emptyResource, fmt.Errorf("failed to convert old raw to unstructured: %v", err)
+		}
 	}
 
-	old, err := convertResource(oldRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
-	if err != nil {
-		return emptyResource, emptyResource, fmt.Errorf("failed to convert old raw to unstructured: %v", err)
-	}
-	return new, old, err
+	return newResource, oldResource, err
 }
 
 // convertResource converts raw bytes to an unstructured object

From 7dc7420ad9f19d205756a505306426e19d68c9c6 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 23 Apr 2020 01:05:00 +0530
Subject: [PATCH 103/201] 744 policy validation skip

---
 pkg/engine/validation.go |  2 +-
 pkg/policy/validate.go   |  6 +++---
 pkg/webhooks/server.go   | 10 ----------
 3 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 2daadb08a9..54c3806713 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -94,7 +94,7 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 
 		if rule.Validation.Deny != nil {
 			denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
-			if rule.Validation.Deny.AllRequests || !variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
+			if rule.Validation.Deny.AllRequests || variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
 				ruleResp := response.RuleResponse{
 					Name:    rule.Name,
 					Type:    utils.Validation.String(),
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 04741669ea..dd8f336406 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -55,9 +55,9 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
 		}
 
-		if doesMatchAndExcludeConflict(rule) {
-			return fmt.Errorf("path: spec.rules[%v]: rule is matching an empty set", rule.Name)
-		}
+		//if doesMatchAndExcludeConflict(rule) {
+		//	return fmt.Errorf("path: spec.rules[%v]: rule is matching an empty set", rule.Name)
+		//}
 
 		// validate rule actions
 		// - Mutate
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 0e3fd35847..af489ddd8c 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -262,11 +262,6 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 	if err != nil {
 		logger.Error(err, "failed to load incoming request in context")
 	}
-	// load incoming resource into the context
-	err = ctx.AddResource(request.Object.Raw)
-	if err != nil {
-		logger.Error(err, "failed to load incoming resource in context")
-	}
 
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {
@@ -360,11 +355,6 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 	if err != nil {
 		logger.Error(err, "failed to load incoming request in context")
 	}
-	// load incoming resource into the context
-	err = ctx.AddResource(request.Object.Raw)
-	if err != nil {
-		logger.Error(err, "failed to load incoming resource in context")
-	}
 
 	err = ctx.AddUserInfo(userRequestInfo)
 	if err != nil {

From 3b96d1bfc244e1707bc6dfc090e181b1d6f00a31 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Mon, 27 Apr 2020 11:47:33 +0530
Subject: [PATCH 104/201] 744 save commit

---
 definitions/install.yaml       | 1 +
 definitions/install_debug.yaml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 5a4db02cf5..f7ebfb5590 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -38,6 +38,7 @@ spec:
                 type: object
                 required:
                 - name
+                - match
                 properties:
                   name:
                     type: string
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index eddfe71a8e..3598dbca1d 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -38,6 +38,7 @@ spec:
                 type: object
                 required:
                 - name
+                - match
                 properties:
                   name:
                     type: string

From 0a65a66cc009b789adfe6981e6cacd168aad24b5 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Mon, 27 Apr 2020 15:05:10 +0530
Subject: [PATCH 105/201] 823 tested prototype

---
 pkg/policy/validate.go      | 32 ++++++++++++++++++++++++++++----
 pkg/policy/validate_test.go |  5 +++++
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 04741669ea..c85eb18825 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -94,10 +94,6 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 // of match and exclude block is not an empty set
 func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 
-	if reflect.DeepEqual(rule.MatchResources, kyverno.MatchResources{}) {
-		return true
-	}
-
 	if reflect.DeepEqual(rule.ExcludeResources, kyverno.ExcludeResources{}) {
 		return false
 	}
@@ -137,6 +133,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeRoles) > 0 {
+		if len(rule.MatchResources.UserInfo.Roles) == 0 {
+			return false
+		}
+
 		for _, role := range rule.MatchResources.UserInfo.Roles {
 			if !excludeRoles[role] {
 				return false
@@ -145,6 +145,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeClusterRoles) > 0 {
+		if len(rule.MatchResources.UserInfo.ClusterRoles) == 0 {
+			return false
+		}
+
 		for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles {
 			if !excludeClusterRoles[clusterRole] {
 				return false
@@ -153,6 +157,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeSubjects) > 0 {
+		if len(rule.MatchResources.UserInfo.Subjects) == 0 {
+			return false
+		}
+
 		for _, subject := range rule.MatchResources.UserInfo.Subjects {
 			subjectRaw, _ := json.Marshal(subject)
 			if !excludeSubjects[string(subjectRaw)] {
@@ -168,6 +176,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeNamespaces) > 0 {
+		if len(rule.MatchResources.ResourceDescription.Namespaces) == 0 {
+			return false
+		}
+
 		for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces {
 			if !excludeNamespaces[namespace] {
 				return false
@@ -176,6 +188,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 	}
 
 	if len(excludeKinds) > 0 {
+		if len(rule.MatchResources.ResourceDescription.Kinds) == 0 {
+			return false
+		}
+
 		for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
 			if !excludeKinds[kind] {
 				return false
@@ -185,6 +201,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 
 	if rule.MatchResources.ResourceDescription.Selector != nil && rule.ExcludeResources.ResourceDescription.Selector != nil {
 		if len(excludeMatchExpressions) > 0 {
+			if len(rule.MatchResources.ResourceDescription.Selector.MatchExpressions) == 0 {
+				return false
+			}
+
 			for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions {
 				matchExpressionRaw, _ := json.Marshal(matchExpression)
 				if !excludeMatchExpressions[string(matchExpressionRaw)] {
@@ -194,6 +214,10 @@ func doesMatchAndExcludeConflict(rule kyverno.Rule) bool {
 		}
 
 		if len(rule.ExcludeResources.ResourceDescription.Selector.MatchLabels) > 0 {
+			if len(rule.MatchResources.ResourceDescription.Selector.MatchLabels) == 0 {
+				return false
+			}
+
 			for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels {
 				if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] != value {
 					return false
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 0ca0778dd6..6b5717ea7f 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -1022,6 +1022,11 @@ func Test_doesMatchExcludeConflict(t *testing.T) {
 			rule:           []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"somxething","namespaces":["something","something1"]}},"exclude":{"resources":{"kinds":["Pod","Namespace","Job"],"name":"some*","namespaces":["something","something1","something2"]}}}`),
 			expectedOutput: false,
 		},
+		{
+			description:    "empty case",
+			rule:           []byte(`{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.object.kind}}/{{request.object.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}`),
+			expectedOutput: false,
+		},
 	}
 
 	for i, testcase := range testcases {

From 0a34357921f32cd86952cedb8ac70d9ff560ac06 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Mon, 27 Apr 2020 16:02:02 +0530
Subject: [PATCH 106/201] 744 improving error message

---
 pkg/policy/validate/validate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go
index d120422d9d..c14099cbad 100644
--- a/pkg/policy/validate/validate.go
+++ b/pkg/policy/validate/validate.go
@@ -50,7 +50,7 @@ func (v *Validate) Validate() (string, error) {
 func (v *Validate) validateOverlayPattern() error {
 	rule := v.rule
 	if rule.Pattern == nil && len(rule.AnyPattern) == 0 && rule.Deny == nil {
-		return fmt.Errorf("a pattern or anyPattern or deny must be specified")
+		return fmt.Errorf("pattern, anyPattern or deny must be specified")
 	}
 
 	if rule.Pattern != nil && len(rule.AnyPattern) != 0 {

From 0932e9a147f21780f5be3e7924d9f125809c1ad8 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Mon, 27 Apr 2020 18:38:03 +0530
Subject: [PATCH 107/201] 664 tested prototype

---
 go.mod                 |  1 +
 go.sum                 |  2 ++
 pkg/webhooks/server.go | 14 ++++++++------
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index f5ba937e12..f8dcbdf549 100644
--- a/go.mod
+++ b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/imdario/mergo v0.3.8 // indirect
 	github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
 	github.com/json-iterator/go v1.1.9 // indirect
+	github.com/julienschmidt/httprouter v1.3.0
 	github.com/minio/minio v0.0.0-20200114012931-30922148fbb5
 	github.com/spf13/cobra v0.0.5
 	github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5
diff --git a/go.sum b/go.sum
index 99c5af7f3b..a8e3e37eb8 100644
--- a/go.sum
+++ b/go.sum
@@ -516,6 +516,8 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jtolds/gls v4.2.1+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/karrick/godirwalk v1.7.5/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34=
 github.com/karrick/godirwalk v1.7.7/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34=
 github.com/karrick/godirwalk v1.7.8/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34=
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 83d1924931..f1517ef66f 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -10,6 +10,8 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/julienschmidt/httprouter"
+
 	"github.com/nirmata/kyverno/pkg/openapi"
 
 	"github.com/go-logr/logr"
@@ -130,12 +132,12 @@ func NewWebhookServer(
 		log:                       log,
 		openAPIController:         openAPIController,
 	}
-	mux := http.NewServeMux()
-	mux.HandleFunc(config.MutatingWebhookServicePath, ws.handlerFunc(ws.handleMutateAdmissionRequest, true))
-	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.handlerFunc(ws.handleValidateAdmissionRequest, true))
-	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyMutation, true))
-	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyValidation, true))
-	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.handleVerifyRequest, false))
+	mux := httprouter.New()
+	mux.HandlerFunc("POST", config.MutatingWebhookServicePath, ws.handlerFunc(ws.handleMutateAdmissionRequest, true))
+	mux.HandlerFunc("POST", config.ValidatingWebhookServicePath, ws.handlerFunc(ws.handleValidateAdmissionRequest, true))
+	mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyMutation, true))
+	mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyValidation, true))
+	mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.handleVerifyRequest, false))
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,

From f8f27cea184595a1ef000c95215165356e023829 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Mon, 27 Apr 2020 22:01:33 +0530
Subject: [PATCH 108/201] 744 fixing policy validation

---
 pkg/policy/validate.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index a6693e4373..c85eb18825 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -55,9 +55,9 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 			return fmt.Errorf("path: spec.rules[%d]: %v", i, err)
 		}
 
-		//if doesMatchAndExcludeConflict(rule) {
-		//	return fmt.Errorf("path: spec.rules[%v]: rule is matching an empty set", rule.Name)
-		//}
+		if doesMatchAndExcludeConflict(rule) {
+			return fmt.Errorf("path: spec.rules[%v]: rule is matching an empty set", rule.Name)
+		}
 
 		// validate rule actions
 		// - Mutate

From 80a02a1574592b09a680f60e8071004de66bcc89 Mon Sep 17 00:00:00 2001
From: danielnbalasoiu <46020698+danielnbalasoiu@users.noreply.github.com>
Date: Wed, 29 Apr 2020 09:12:37 +0000
Subject: [PATCH 109/201] Documentation update

Updated instructions with current locations of `policy-CM.yaml` and `CM.yaml`.
---
 documentation/testing-policies.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/documentation/testing-policies.md b/documentation/testing-policies.md
index 15a91d9219..e97ee2ea64 100644
--- a/documentation/testing-policies.md
+++ b/documentation/testing-policies.md
@@ -12,14 +12,14 @@ To do this you should [install Kyverno to the cluster](installation.md).
 For example, to test the simplest Kyverno policy for `ConfigMap`, create the policy and then the resource itself via `kubectl`:
 
 ````bash
-cd test/ConfigMap
-kubectl create -f policy-CM.yaml
-kubectl create -f CM.yaml
+cd test
+kubectl create -f policy/policy-CM.yaml
+kubectl create -f resources/CM.yaml
 ````
 Then compare the original resource definition in `CM.yaml` with the actual one:
 
 ````bash
-kubectl get -f CM.yaml -o yaml
+kubectl get -f resources/CM.yaml -o yaml
 ````
 
 ## Test using Kyverno CLI

From fc84eaaf3b7f543eac17572390cbe0c4f9813b26 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 29 Apr 2020 21:02:21 +0530
Subject: [PATCH 110/201] 744 relocating userRequestInfo to top level variable

---
 pkg/engine/context/context.go | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index eba01a1538..f8d8aceabb 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -111,13 +111,7 @@ func (ctx *Context) AddResource(dataRaw []byte) error {
 
 //AddUserInfo adds userInfo at path request.userInfo
 func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error {
-	modifiedResource := struct {
-		Request interface{} `json:"request"`
-	}{
-		Request: userRequestInfo,
-	}
-
-	objRaw, err := json.Marshal(modifiedResource)
+	objRaw, err := json.Marshal(userRequestInfo)
 	if err != nil {
 		ctx.log.Error(err, "failed to marshal the UserInfo")
 		return err

From b0c7cdbc812e33b868a84978de9e45baf505298e Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 5 May 2020 19:19:47 +0530
Subject: [PATCH 111/201] 744 save commit

---
 pkg/engine/context/context.go |   8 ++-
 pkg/engine/validation.go      | 110 +++++++++++++++++++++++-----------
 pkg/webhooks/server.go        |  22 ++-----
 3 files changed, 87 insertions(+), 53 deletions(-)

diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index f8d8aceabb..eba01a1538 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -111,7 +111,13 @@ func (ctx *Context) AddResource(dataRaw []byte) error {
 
 //AddUserInfo adds userInfo at path request.userInfo
 func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error {
-	objRaw, err := json.Marshal(userRequestInfo)
+	modifiedResource := struct {
+		Request interface{} `json:"request"`
+	}{
+		Request: userRequestInfo,
+	}
+
+	objRaw, err := json.Marshal(modifiedResource)
 	if err != nil {
 		ctx.log.Error(err, "failed to marshal the UserInfo")
 		return err
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 54c3806713..577f42555f 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -29,22 +29,43 @@ func Validate(policyContext PolicyContext) response.EngineResponse {
 	// policy information
 	logger.V(4).Info("start processing", "startTime", startTime)
 
-	var resp *response.EngineResponse
-	// handling delete requests
-	if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
-		resp = validateResource(logger, ctx, policy, oldR, admissionInfo, true)
-	} else {
-		resp = validateResource(logger, ctx, policy, newR, admissionInfo, false)
+	if resp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !resp.IsSuccesful() {
+		return *resp
 	}
 
-	startResultResponse(resp, policy, newR)
-	defer endResultResponse(logger, resp, startTime)
-	// set PatchedResource with origin resource if empty
-	// in order to create policy violation
-	if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
-		resp.PatchedResource = newR
+	// Process new & old resource
+	if reflect.DeepEqual(oldR, unstructured.Unstructured{}) {
+		// Create Mode
+		// Operate on New Resource only
+		resp := validateResource(logger, ctx, policy, newR, admissionInfo)
+		startResultResponse(resp, policy, newR)
+		defer endResultResponse(logger, resp, startTime)
+		// set PatchedResource with origin resource if empty
+		// in order to create policy violation
+		if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
+			resp.PatchedResource = newR
+		}
+		return *resp
 	}
-	return *resp
+	// Update Mode
+	// Operate on New and Old Resource only
+	// New resource
+	oldResponse := validateResource(logger, ctx, policy, oldR, admissionInfo)
+	newResponse := validateResource(logger, ctx, policy, newR, admissionInfo)
+
+	// if the old and new response is same then return empty response
+	if !isSameResponse(oldResponse, newResponse) {
+		// there are changes send response
+		startResultResponse(newResponse, policy, newR)
+		defer endResultResponse(logger, newResponse, startTime)
+		if reflect.DeepEqual(newResponse.PatchedResource, unstructured.Unstructured{}) {
+			newResponse.PatchedResource = newR
+		}
+		return *newResponse
+	}
+	// if there are no changes with old and new response then sent empty response
+	// skip processing
+	return response.EngineResponse{}
 }
 
 func startResultResponse(resp *response.EngineResponse, policy kyverno.ClusterPolicy, newR unstructured.Unstructured) {
@@ -68,7 +89,44 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 	resp.PolicyResponse.RulesAppliedCount++
 }
 
-func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, isDelete bool) *response.EngineResponse {
+func isRequestDenied(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
+	resp := &response.EngineResponse{}
+	for _, rule := range policy.Spec.Rules {
+		if !rule.HasValidate() {
+			continue
+		}
+
+		if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
+			log.V(4).Info("resource fails the match description")
+			continue
+		}
+
+		preconditionsCopy := copyConditions(rule.Conditions)
+
+		if !variables.EvaluateConditions(log, ctx, preconditionsCopy) {
+			log.V(4).Info("resource fails the preconditions")
+			continue
+		}
+
+		if rule.Validation.Deny != nil {
+			denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
+			if rule.Validation.Deny.AllRequests || variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
+				ruleResp := response.RuleResponse{
+					Name:    rule.Name,
+					Type:    utils.Validation.String(),
+					Message: rule.Validation.Message,
+					Success: false,
+				}
+				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
+			}
+			continue
+		}
+
+	}
+	return resp
+}
+
+func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
 	resp := &response.EngineResponse{}
 	for _, rule := range policy.Spec.Rules {
 		if !rule.HasValidate() {
@@ -92,26 +150,10 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 			continue
 		}
 
-		if rule.Validation.Deny != nil {
-			denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
-			if rule.Validation.Deny.AllRequests || variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
-				ruleResp := response.RuleResponse{
-					Name:    rule.Name,
-					Type:    utils.Validation.String(),
-					Message: rule.Validation.Message,
-					Success: false,
-				}
-				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
-			}
-			continue
-		}
-
-		if !isDelete {
-			if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
-				ruleResponse := validatePatterns(log, ctx, resource, rule)
-				incrementAppliedCount(resp)
-				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
-			}
+		if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
+			ruleResponse := validatePatterns(log, ctx, resource, rule)
+			incrementAppliedCount(resp)
+			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 		}
 
 	}
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index af489ddd8c..839677d5be 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"strings"
 	"time"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -173,16 +172,12 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 		// Do not process the admission requests for kinds that are in filterKinds for filtering
 		request := admissionReview.Request
 
-		if !isValidUsername(request.UserInfo.Username) {
-			admissionReview.Response = &v1beta1.AdmissionResponse{Allowed: true}
-		} else {
-			if filter {
-				if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-					admissionReview.Response = handler(request)
-				}
-			} else {
+		if filter {
+			if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
 				admissionReview.Response = handler(request)
 			}
+		} else {
+			admissionReview.Response = handler(request)
 		}
 
 		admissionReview.Response.UID = request.UID
@@ -200,15 +195,6 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 	}
 }
 
-func isValidUsername(username string) bool {
-	if strings.HasPrefix(username, "system") {
-		if !strings.HasPrefix(username, "system:serviceaccount") {
-			return false
-		}
-	}
-	return true
-}
-
 func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()

From d3311500af2e7865e27d3bbf8d1e997ee5b53ae8 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 5 May 2020 20:58:02 +0530
Subject: [PATCH 112/201] 744 tested version

---
 pkg/engine/validation.go | 56 +++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 30 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 577f42555f..0f17d68195 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -17,7 +17,7 @@ import (
 )
 
 //Validate applies validation rules from policy on the resource
-func Validate(policyContext PolicyContext) response.EngineResponse {
+func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 	startTime := time.Now()
 	policy := policyContext.Policy
 	newR := policyContext.NewResource
@@ -25,46 +25,42 @@ func Validate(policyContext PolicyContext) response.EngineResponse {
 	ctx := policyContext.Context
 	admissionInfo := policyContext.AdmissionInfo
 	logger := log.Log.WithName("Validate").WithValues("policy", policy.Name, "kind", newR.GetKind(), "namespace", newR.GetNamespace(), "name", newR.GetName())
-
-	// policy information
 	logger.V(4).Info("start processing", "startTime", startTime)
 
-	if resp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !resp.IsSuccesful() {
-		return *resp
+	defer func() {
+		if reflect.DeepEqual(resp, response.EngineResponse{}) {
+			return
+		}
+		startResultResponse(&resp, policy, newR)
+		endResultResponse(logger, &resp, startTime)
+		if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
+			// for delete requests patched resource will be oldR since newR is empty
+			if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
+				resp.PatchedResource = oldR
+			} else {
+				resp.PatchedResource = newR
+			}
+		}
+	}()
+
+	// If request is delete, newR will be empty
+	if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
+		return *isRequestDenied(logger, ctx, policy, oldR, admissionInfo)
+	} else {
+		if denyResp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !denyResp.IsSuccesful() {
+			return *denyResp
+		}
 	}
 
-	// Process new & old resource
 	if reflect.DeepEqual(oldR, unstructured.Unstructured{}) {
-		// Create Mode
-		// Operate on New Resource only
-		resp := validateResource(logger, ctx, policy, newR, admissionInfo)
-		startResultResponse(resp, policy, newR)
-		defer endResultResponse(logger, resp, startTime)
-		// set PatchedResource with origin resource if empty
-		// in order to create policy violation
-		if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
-			resp.PatchedResource = newR
-		}
-		return *resp
+		return *validateResource(logger, ctx, policy, newR, admissionInfo)
 	}
-	// Update Mode
-	// Operate on New and Old Resource only
-	// New resource
+
 	oldResponse := validateResource(logger, ctx, policy, oldR, admissionInfo)
 	newResponse := validateResource(logger, ctx, policy, newR, admissionInfo)
-
-	// if the old and new response is same then return empty response
 	if !isSameResponse(oldResponse, newResponse) {
-		// there are changes send response
-		startResultResponse(newResponse, policy, newR)
-		defer endResultResponse(logger, newResponse, startTime)
-		if reflect.DeepEqual(newResponse.PatchedResource, unstructured.Unstructured{}) {
-			newResponse.PatchedResource = newR
-		}
 		return *newResponse
 	}
-	// if there are no changes with old and new response then sent empty response
-	// skip processing
 	return response.EngineResponse{}
 }
 

From 717e8e72452fe7a1fe653a442e9e7f77d6315e1c Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Tue, 5 May 2020 23:52:52 +0530
Subject: [PATCH 113/201] 744 fixed error messages

---
 pkg/engine/validation.go          |  17 +++-
 pkg/engine/variables/vars.go      | 135 ++++++++----------------------
 pkg/engine/variables/vars_test.go |   2 +-
 3 files changed, 50 insertions(+), 104 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 0f17d68195..0f575748ea 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -31,16 +31,25 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 		if reflect.DeepEqual(resp, response.EngineResponse{}) {
 			return
 		}
-		startResultResponse(&resp, policy, newR)
-		endResultResponse(logger, &resp, startTime)
+		var resource unstructured.Unstructured
 		if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
 			// for delete requests patched resource will be oldR since newR is empty
 			if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
-				resp.PatchedResource = oldR
+				resource = oldR
 			} else {
-				resp.PatchedResource = newR
+				resource = newR
 			}
 		}
+		for i := range resp.PolicyResponse.Rules {
+			messageInterface, err := variables.SubstituteVars(logger, ctx, resp.PolicyResponse.Rules[i].Message)
+			if err != nil {
+				continue
+			}
+			resp.PolicyResponse.Rules[i].Message, _ = messageInterface.(string)
+		}
+		resp.PatchedResource = resource
+		startResultResponse(&resp, policy, resource)
+		endResultResponse(logger, &resp, startTime)
 	}()
 
 	// If request is delete, newR will be empty
diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go
index 89d1a93714..0b0125a00d 100644
--- a/pkg/engine/variables/vars.go
+++ b/pkg/engine/variables/vars.go
@@ -11,8 +11,7 @@ import (
 )
 
 const (
-	variableRegex  = `\{\{([^{}]*)\}\}`
-	singleVarRegex = `^\{\{([^{}]*)\}\}$`
+	variableRegex = `\{\{([^{}]*)\}\}`
 )
 
 //SubstituteVars replaces the variables with the values defined in the context
@@ -42,7 +41,7 @@ func subVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}, pa
 
 		return subArray(log, ctx, sliceCopy, path, errs)
 	case string:
-		return subValR(log, ctx, typedPattern, path, errs)
+		return subValR(ctx, typedPattern, path, errs)
 	default:
 		return pattern
 	}
@@ -68,108 +67,46 @@ func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interfac
 }
 
 // subValR resolves the variables if defined
-func subValR(log logr.Logger, ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
+func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
+	originalPattern := valuePattern
+	var failedVars []interface{}
 
-	// variable values can be scalar values(string,int, float) or they can be obects(map,slice)
-	// - {{variable}}
-	// there is a single variable resolution so the value can be scalar or object
-	// - {{variable1--{{variable2}}}}}
-	// variable2 is evaluted first as an individual variable and can be have scalar or object values
-	// but resolving the outer variable, {{variable--<value>}}
-	// if <value> is scalar then it can replaced, but for object types its tricky
-	// as object cannot be directy replaced, if the object is stringyfied then it loses it structure.
-	// since this might be a potential place for error, required better error reporting and handling
+	defer func() {
+		if len(failedVars) > 0 {
+			*errs = append(*errs, fmt.Errorf("failed to resolve %v at path %s", failedVars, path))
+		}
+	}()
 
-	// object values are only suported for single variable substitution
-	if ok, retVal := processIfSingleVariable(log, ctx, valuePattern, path, errs); ok {
-		return retVal
-	}
-	// var emptyInterface interface{}
-	var failedVars []string
-	// process type string
+	regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`)
 	for {
-		valueStr := valuePattern
-		if len(failedVars) != 0 {
-			log.Info("failed to resolve variablesl short-circuiting")
+		if vars := regex.FindAllString(valuePattern, -1); len(vars) > 0 {
+			for _, variable := range vars {
+				underlyingVariable := strings.ReplaceAll(strings.ReplaceAll(variable, "}}", ""), "{{", "")
+				substitutedVar, err := ctx.Query(underlyingVariable)
+				if err != nil {
+					failedVars = append(failedVars, underlyingVariable)
+					return nil
+				}
+				if val, ok := substitutedVar.(string); ok {
+					if val == "" {
+						failedVars = append(failedVars, underlyingVariable)
+						return nil
+					}
+					valuePattern = strings.Replace(valuePattern, variable, val, -1)
+				} else {
+					if substitutedVar != nil {
+						if originalPattern == variable {
+							return substitutedVar
+						}
+					}
+					failedVars = append(failedVars, underlyingVariable)
+					return nil
+				}
+			}
+		} else {
 			break
 		}
-		// get variables at this level
-		validRegex := regexp.MustCompile(variableRegex)
-		groups := validRegex.FindAllStringSubmatch(valueStr, -1)
-		if len(groups) == 0 {
-			// there was no match
-			// not variable defined
-			break
-		}
-		subs := map[string]interface{}{}
-		for _, group := range groups {
-			if _, ok := subs[group[0]]; ok {
-				// value has already been substituted
-				continue
-			}
-			// here we do the querying of the variables from the context
-			variable, err := ctx.Query(group[1])
-			if err != nil {
-				// error while evaluating
-				failedVars = append(failedVars, group[1])
-				continue
-			}
-			// path not found in context and value stored in null/nill
-			if variable == nil {
-				failedVars = append(failedVars, group[1])
-				continue
-			}
-			// get values for each and replace
-			subs[group[0]] = variable
-		}
-		// perform substitutions
-		newVal := valueStr
-		for k, v := range subs {
-			// if value is of type string then cast else consider it as direct replacement
-			if val, ok := v.(string); ok {
-				newVal = strings.Replace(newVal, k, val, -1)
-				continue
-			}
-			// if type is not scalar then consider this as a failed variable
-			log.Info("variable resolves to non-scalar value. Non-Scalar values are not supported for nested variables", "variable", k, "value", v)
-			failedVars = append(failedVars, k)
-		}
-		valuePattern = newVal
-	}
-	// update errors if any
-	if len(failedVars) > 0 {
-		*errs = append(*errs, fmt.Errorf("failed to resolve %v at path %s", failedVars, path))
 	}
 
 	return valuePattern
 }
-
-// processIfSingleVariable will process the evaluation of single variables
-// {{variable-{{variable}}}} -> compound/nested variables
-// {{variable}}{{variable}} -> multiple variables
-// {{variable}} -> single variable
-// if the value can be evaluted return the value
-// -> return value can be scalar or object type
-// -> if the variable is not present in the context then add an error and dont process further
-func processIfSingleVariable(log logr.Logger, ctx context.EvalInterface, valuePattern interface{}, path string, errs *[]error) (bool, interface{}) {
-	valueStr, ok := valuePattern.(string)
-	if !ok {
-		log.Info("failed to convert to string", "pattern", valuePattern)
-		return false, nil
-	}
-	// get variables at this level
-	validRegex := regexp.MustCompile(singleVarRegex)
-	groups := validRegex.FindAllStringSubmatch(valueStr, -1)
-	if len(groups) == 0 {
-		return false, nil
-	}
-	// as there will be exactly one variable based on the above regex
-	group := groups[0]
-	variable, err := ctx.Query(group[1])
-	if err != nil || variable == nil {
-		*errs = append(*errs, fmt.Errorf("failed to resolve %v at path %s", group[1], path))
-		// return the same value pattern, and add un-resolvable variable error
-		return true, valuePattern
-	}
-	return true, variable
-}
diff --git a/pkg/engine/variables/vars_test.go b/pkg/engine/variables/vars_test.go
index aae517a082..85d4537cd8 100644
--- a/pkg/engine/variables/vars_test.go
+++ b/pkg/engine/variables/vars_test.go
@@ -153,5 +153,5 @@ func Test_SubvarRecursive(t *testing.T) {
 	ctx := context.NewContext()
 	assert.Assert(t, ctx.AddResource(resourceRaw))
 	errs := []error{}
-	subValR(log.Log, ctx, string(patternRaw), "/", &errs)
+	subValR(ctx, string(patternRaw), "/", &errs)
 }

From 1b2868620ea53c69964d8c3778b0b8a9f7eff6e3 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 6 May 2020 00:29:40 +0530
Subject: [PATCH 114/201] 744 fixing tests and making sure policy with
 variables that are not request.object are not allowed in background mode

---
 pkg/engine/context/evaluate.go |  5 +++--
 pkg/engine/mutation_test.go    |  2 +-
 pkg/engine/variables/vars.go   |  2 +-
 pkg/policy/background.go       |  6 +++---
 pkg/policy/controller.go       |  8 ++++----
 pkg/policy/validate.go         |  2 +-
 pkg/policy/validate_test.go    | 18 +++++++++---------
 7 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/pkg/engine/context/evaluate.go b/pkg/engine/context/evaluate.go
index f15a8a1e17..c80e2d57db 100644
--- a/pkg/engine/context/evaluate.go
+++ b/pkg/engine/context/evaluate.go
@@ -3,6 +3,7 @@ package context
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	jmespath "github.com/jmespath/go-jmespath"
 )
@@ -11,7 +12,7 @@ import (
 func (ctx *Context) Query(query string) (interface{}, error) {
 	var emptyResult interface{}
 	// check for white-listed variables
-	if ctx.isWhiteListed(query) {
+	if !ctx.isWhiteListed(query) {
 		return emptyResult, fmt.Errorf("variable %s cannot be used", query)
 	}
 
@@ -41,7 +42,7 @@ func (ctx *Context) Query(query string) (interface{}, error) {
 
 func (ctx *Context) isWhiteListed(variable string) bool {
 	for _, wVar := range ctx.whiteListVars {
-		if wVar == variable {
+		if strings.HasPrefix(variable, wVar) {
 			return true
 		}
 	}
diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go
index 07f345e265..55f79c442f 100644
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@@ -159,7 +159,7 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
 		Context:     ctx,
 		NewResource: *resourceUnstructured}
 	er := Mutate(policyContext)
-	expectedErrorStr := "[failed to resolve request.object.metadata.name1 at path /spec/name]"
+	expectedErrorStr := "[failed to resolve [request.object.metadata.name1] at path /spec/name]"
 	t.Log(er.PolicyResponse.Rules[0].Message)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Message, expectedErrorStr)
 }
diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go
index 0b0125a00d..b4ca3f3951 100644
--- a/pkg/engine/variables/vars.go
+++ b/pkg/engine/variables/vars.go
@@ -69,7 +69,7 @@ func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interfac
 // subValR resolves the variables if defined
 func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
 	originalPattern := valuePattern
-	var failedVars []interface{}
+	var failedVars []string
 
 	defer func() {
 		if len(failedVars) > 0 {
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index 2331359534..35611efa74 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -9,8 +9,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-//ContainsUserInfo returns error is userInfo is defined
-func ContainsUserInfo(policy kyverno.ClusterPolicy) error {
+//ContainsVariablesOtherThanObject returns error if variable that does not start from request.object is defined
+func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 	var err error
 	// iterate of the policy rules to identify if userInfo is used
 	for idx, rule := range policy.Spec.Rules {
@@ -33,7 +33,7 @@ func ContainsUserInfo(policy kyverno.ClusterPolicy) error {
 		// - serviceAccountName
 		// - serviceAccountNamespace
 
-		filterVars := []string{"request.userInfo*", "serviceAccountName", "serviceAccountNamespace"}
+		filterVars := []string{"request.object"}
 		ctx := context.NewContext(filterVars...)
 		for condIdx, condition := range rule.Conditions {
 			if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); err != nil {
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index 2a471a37fe..94396fbcdf 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -157,7 +157,7 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
 	// TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598
 	if p.Spec.Background == nil {
 		// if userInfo is not defined in policy we process the policy
-		if err := ContainsUserInfo(*p); err != nil {
+		if err := ContainsVariablesOtherThanObject(*p); err != nil {
 			return
 		}
 	} else {
@@ -166,7 +166,7 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
 		}
 		// If userInfo is used then skip the policy
 		// ideally this should be handled by background flag only
-		if err := ContainsUserInfo(*p); err != nil {
+		if err := ContainsVariablesOtherThanObject(*p); err != nil {
 			// contains userInfo used in policy
 			return
 		}
@@ -192,7 +192,7 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 	// TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598
 	if curP.Spec.Background == nil {
 		// if userInfo is not defined in policy we process the policy
-		if err := ContainsUserInfo(*curP); err != nil {
+		if err := ContainsVariablesOtherThanObject(*curP); err != nil {
 			return
 		}
 	} else {
@@ -201,7 +201,7 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 		}
 		// If userInfo is used then skip the policy
 		// ideally this should be handled by background flag only
-		if err := ContainsUserInfo(*curP); err != nil {
+		if err := ContainsVariablesOtherThanObject(*curP); err != nil {
 			// contains userInfo used in policy
 			return
 		}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index c85eb18825..f06d83b1de 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -35,7 +35,7 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 		return nil
 	}
 	if *p.Spec.Background {
-		if err := ContainsUserInfo(p); err != nil {
+		if err := ContainsVariablesOtherThanObject(p); err != nil {
 			// policy.spec.background -> "true"
 			// - cannot use variables with request.userInfo
 			// - cannot define userInfo(roles, cluserRoles, subjects) for filtering (match & exclude)
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 6b5717ea7f..8f10eddfae 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -608,7 +608,7 @@ func Test_BackGroundUserInfo_match_roles(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 	assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/roles")
 }
 
@@ -640,7 +640,7 @@ func Test_BackGroundUserInfo_match_clusterRoles(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/clusterRoles")
 }
@@ -676,7 +676,7 @@ func Test_BackGroundUserInfo_match_subjects(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/subjects")
 }
@@ -708,7 +708,7 @@ func Test_BackGroundUserInfo_mutate_overlay1(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/mutate/overlay" {
 		t.Log(err)
@@ -743,7 +743,7 @@ func Test_BackGroundUserInfo_mutate_overlay2(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/mutate/overlay" {
 		t.Log(err)
@@ -778,7 +778,7 @@ func Test_BackGroundUserInfo_validate_pattern(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/validate/pattern" {
 		t.Log(err)
@@ -817,7 +817,7 @@ func Test_BackGroundUserInfo_validate_anyPattern(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" {
 		t.Log(err)
@@ -856,7 +856,7 @@ func Test_BackGroundUserInfo_validate_anyPattern_multiple_var(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" {
 		t.Log(err)
@@ -895,7 +895,7 @@ func Test_BackGroundUserInfo_validate_anyPattern_serviceAccount(t *testing.T) {
 	err = json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 
-	err = ContainsUserInfo(*policy)
+	err = ContainsVariablesOtherThanObject(*policy)
 
 	if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" {
 		t.Log(err)

From 2bd484d5b8dd658f5cb9cde378ff49614b4bc118 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 6 May 2020 01:02:39 +0530
Subject: [PATCH 115/201] 744 fixing error message

---
 pkg/engine/context/context.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index eba01a1538..bfa48b9670 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -75,7 +75,7 @@ func (ctx *Context) AddRequest(request *v1beta1.AdmissionRequest) error {
 
 	objRaw, err := json.Marshal(modifiedResource)
 	if err != nil {
-		ctx.log.Error(err, "failed to marshal the UserInfo")
+		ctx.log.Error(err, "failed to marshal the request")
 		return err
 	}
 	return ctx.AddJSON(objRaw)

From ee9b478f425e8b3fe200f4f65e3265cac83de749 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 6 May 2020 01:08:49 +0530
Subject: [PATCH 116/201] 744 fixing broken tests

---
 pkg/engine/context/evaluate.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/engine/context/evaluate.go b/pkg/engine/context/evaluate.go
index c80e2d57db..e6d57c66c0 100644
--- a/pkg/engine/context/evaluate.go
+++ b/pkg/engine/context/evaluate.go
@@ -41,6 +41,9 @@ func (ctx *Context) Query(query string) (interface{}, error) {
 }
 
 func (ctx *Context) isWhiteListed(variable string) bool {
+	if len(ctx.whiteListVars) == 0 {
+		return true
+	}
 	for _, wVar := range ctx.whiteListVars {
 		if strings.HasPrefix(variable, wVar) {
 			return true

From 6b1498b77025a91f62f490172a3411ac022f0156 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 6 May 2020 19:46:32 +0530
Subject: [PATCH 117/201] 744 fixing policy validation and removing allRequests
 field

---
 definitions/install.yaml       |  2 --
 definitions/install_debug.yaml |  2 --
 pkg/api/kyverno/v1/types.go    |  3 +--
 pkg/engine/validation.go       |  2 +-
 pkg/policy/background.go       | 41 +++++++++++++++++-----------------
 pkg/policy/validate.go         | 11 ++-------
 pkg/policy/validate_test.go    | 18 +++++++--------
 7 files changed, 34 insertions(+), 45 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index d5c433bb77..9a5776959a 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -212,8 +212,6 @@ spec:
                         AnyValue: {}
                       deny:
                         properties:
-                          allRequests:
-                            type: boolean
                           conditions:
                             type: array
                             items:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index d0193eb91e..8bdb8662fb 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -212,8 +212,6 @@ spec:
                         AnyValue: {}
                       deny:
                         properties:
-                          allRequests:
-                            type: boolean
                           conditions:
                             type: array
                             items:
diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go
index 4c7bc74c59..5c2c4e329b 100644
--- a/pkg/api/kyverno/v1/types.go
+++ b/pkg/api/kyverno/v1/types.go
@@ -215,8 +215,7 @@ type Validation struct {
 }
 
 type Deny struct {
-	AllRequests bool        `json:"allRequests,omitempty"`
-	Conditions  []Condition `json:"conditions,omitempty"`
+	Conditions []Condition `json:"conditions,omitempty"`
 }
 
 // Generation describes which resources will be created when other resource is created
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 0f575748ea..7515c9d26d 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -115,7 +115,7 @@ func isRequestDenied(log logr.Logger, ctx context.EvalInterface, policy kyverno.
 
 		if rule.Validation.Deny != nil {
 			denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
-			if rule.Validation.Deny.AllRequests || variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
+			if len(rule.Validation.Deny.Conditions) == 0 || variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
 				ruleResp := response.RuleResponse{
 					Name:    rule.Name,
 					Type:    utils.Validation.String(),
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index 35611efa74..b6af9d2d23 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -9,51 +9,52 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-//ContainsVariablesOtherThanObject returns error if variable that does not start from request.object is defined
+//ContainsVariablesOtherThanObject returns error if variable that does not start from request.object
 func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 	var err error
-	// iterate of the policy rules to identify if userInfo is used
 	for idx, rule := range policy.Spec.Rules {
 		if path := userInfoDefined(rule.MatchResources.UserInfo); path != "" {
-			return fmt.Errorf("userInfo variable used at path: spec/rules[%d]/match/%s", idx, path)
+			return fmt.Errorf("invalid variable used at path: spec/rules[%d]/match/%s", idx, path)
 		}
 
 		if path := userInfoDefined(rule.ExcludeResources.UserInfo); path != "" {
-			return fmt.Errorf("userInfo variable used at path: spec/rules[%d]/exclude/%s", idx, path)
+			return fmt.Errorf("invalid variable used at path: spec/rules[%d]/exclude/%s", idx, path)
 		}
 
-		// variable defined with user information
-		// - condition.key
-		// - condition.value
-		// - mutate.overlay
-		// - validate.pattern
-		// - validate.anyPattern[*]
-		// variables to filter
-		// - request.userInfo*
-		// - serviceAccountName
-		// - serviceAccountNamespace
-
 		filterVars := []string{"request.object"}
 		ctx := context.NewContext(filterVars...)
 		for condIdx, condition := range rule.Conditions {
 			if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); err != nil {
-				return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/key", idx, condIdx)
+				return fmt.Errorf("invalid variable used at spec/rules[%d]/condition[%d]/key", idx, condIdx)
 			}
 
 			if condition.Value, err = variables.SubstituteVars(log.Log, ctx, condition.Value); err != nil {
-				return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/value", idx, condIdx)
+				return fmt.Errorf("invalid variable used at spec/rules[%d]/condition[%d]/value", idx, condIdx)
 			}
 		}
 
 		if rule.Mutation.Overlay, err = variables.SubstituteVars(log.Log, ctx, rule.Mutation.Overlay); err != nil {
-			return fmt.Errorf("userInfo variable used at spec/rules[%d]/mutate/overlay", idx)
+			return fmt.Errorf("invalid variable used at spec/rules[%d]/mutate/overlay", idx)
 		}
 		if rule.Validation.Pattern, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Pattern); err != nil {
-			return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/pattern", idx)
+			return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/pattern", idx)
 		}
 		for idx2, pattern := range rule.Validation.AnyPattern {
 			if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(log.Log, ctx, pattern); err != nil {
-				return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/anyPattern[%d]", idx, idx2)
+				return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/anyPattern[%d]", idx, idx2)
+			}
+		}
+		if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Message); err != nil {
+			return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/message", idx)
+		}
+		if rule.Validation.Deny != nil {
+			for i := range rule.Validation.Deny.Conditions {
+				if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Deny.Conditions[i].Key); err != nil {
+					return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/deny/conditions[%d]/key", idx, i)
+				}
+				if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Deny.Conditions[i].Value); err != nil {
+					return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/deny/conditions[%d]/value", idx, i)
+				}
 			}
 		}
 	}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index f06d83b1de..de7b791f04 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -30,16 +30,9 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 	if path, err := validateUniqueRuleName(p); err != nil {
 		return fmt.Errorf("path: spec.%s: %v", path, err)
 	}
-	if p.Spec.Background == nil {
-		//skipped policy mutation default -> skip validation -> will not be processed for background processing
-		return nil
-	}
-	if *p.Spec.Background {
+	if p.Spec.Background == nil || (p.Spec.Background != nil && *p.Spec.Background) {
 		if err := ContainsVariablesOtherThanObject(p); err != nil {
-			// policy.spec.background -> "true"
-			// - cannot use variables with request.userInfo
-			// - cannot define userInfo(roles, cluserRoles, subjects) for filtering (match & exclude)
-			return fmt.Errorf("userInfo is not allowed in match or exclude when backgroud policy mode is true. Set spec.background=false to disable background mode for this policy rule. %s ", err)
+			return fmt.Errorf("only variables referring request.object are allowed in background mode. Set spec.background=false to disable background mode for this policy rule. %s ", err)
 		}
 	}
 
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 8f10eddfae..9855f2130c 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -609,7 +609,7 @@ func Test_BackGroundUserInfo_match_roles(t *testing.T) {
 	assert.NilError(t, err)
 
 	err = ContainsVariablesOtherThanObject(*policy)
-	assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/roles")
+	assert.Equal(t, err.Error(), "invalid variable used at path: spec/rules[0]/match/roles")
 }
 
 func Test_BackGroundUserInfo_match_clusterRoles(t *testing.T) {
@@ -642,7 +642,7 @@ func Test_BackGroundUserInfo_match_clusterRoles(t *testing.T) {
 
 	err = ContainsVariablesOtherThanObject(*policy)
 
-	assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/clusterRoles")
+	assert.Equal(t, err.Error(), "invalid variable used at path: spec/rules[0]/match/clusterRoles")
 }
 
 func Test_BackGroundUserInfo_match_subjects(t *testing.T) {
@@ -678,7 +678,7 @@ func Test_BackGroundUserInfo_match_subjects(t *testing.T) {
 
 	err = ContainsVariablesOtherThanObject(*policy)
 
-	assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/subjects")
+	assert.Equal(t, err.Error(), "invalid variable used at path: spec/rules[0]/match/subjects")
 }
 
 func Test_BackGroundUserInfo_mutate_overlay1(t *testing.T) {
@@ -710,7 +710,7 @@ func Test_BackGroundUserInfo_mutate_overlay1(t *testing.T) {
 
 	err = ContainsVariablesOtherThanObject(*policy)
 
-	if err.Error() != "userInfo variable used at spec/rules[0]/mutate/overlay" {
+	if err.Error() != "invalid variable used at spec/rules[0]/mutate/overlay" {
 		t.Log(err)
 		t.Error("Incorrect Path")
 	}
@@ -745,7 +745,7 @@ func Test_BackGroundUserInfo_mutate_overlay2(t *testing.T) {
 
 	err = ContainsVariablesOtherThanObject(*policy)
 
-	if err.Error() != "userInfo variable used at spec/rules[0]/mutate/overlay" {
+	if err.Error() != "invalid variable used at spec/rules[0]/mutate/overlay" {
 		t.Log(err)
 		t.Error("Incorrect Path")
 	}
@@ -780,7 +780,7 @@ func Test_BackGroundUserInfo_validate_pattern(t *testing.T) {
 
 	err = ContainsVariablesOtherThanObject(*policy)
 
-	if err.Error() != "userInfo variable used at spec/rules[0]/validate/pattern" {
+	if err.Error() != "invalid variable used at spec/rules[0]/validate/pattern" {
 		t.Log(err)
 		t.Error("Incorrect Path")
 	}
@@ -819,7 +819,7 @@ func Test_BackGroundUserInfo_validate_anyPattern(t *testing.T) {
 
 	err = ContainsVariablesOtherThanObject(*policy)
 
-	if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" {
+	if err.Error() != "invalid variable used at spec/rules[0]/validate/anyPattern[1]" {
 		t.Log(err)
 		t.Error("Incorrect Path")
 	}
@@ -858,7 +858,7 @@ func Test_BackGroundUserInfo_validate_anyPattern_multiple_var(t *testing.T) {
 
 	err = ContainsVariablesOtherThanObject(*policy)
 
-	if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" {
+	if err.Error() != "invalid variable used at spec/rules[0]/validate/anyPattern[1]" {
 		t.Log(err)
 		t.Error("Incorrect Path")
 	}
@@ -897,7 +897,7 @@ func Test_BackGroundUserInfo_validate_anyPattern_serviceAccount(t *testing.T) {
 
 	err = ContainsVariablesOtherThanObject(*policy)
 
-	if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" {
+	if err.Error() != "invalid variable used at spec/rules[0]/validate/anyPattern[1]" {
 		t.Log(err)
 		t.Error("Incorrect Path")
 	}

From c6dd8443effd0f865fde063a08c2361a3e0c969b Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 6 May 2020 20:46:34 +0530
Subject: [PATCH 118/201] 744 added validation for operator property in
 condition

---
 definitions/install.yaml       | 10 ++++++++++
 definitions/install_debug.yaml | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 9a5776959a..37ff3e8da4 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -220,6 +220,16 @@ spec:
                                 - key  # can be of any type
                                 - operator # typed
                                 - value # can be of any type
+                              properties:
+                                operator:
+                                  type: string
+                                  enum:
+                                  - Equal
+                                  - NotEqual
+                                key:
+                                  type: string
+                                value:
+                                  type: string
                   generate:
                     type: object
                     required:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 8bdb8662fb..22ae2da832 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -220,6 +220,16 @@ spec:
                                 - key  # can be of any type
                                 - operator # typed
                                 - value # can be of any type
+                              properties:
+                                operator:
+                                  type: string
+                                  enum:
+                                    - Equal
+                                    - NotEqual
+                                key:
+                                  type: string
+                                value:
+                                  type: string
                   generate:
                     type: object
                     required:

From 09310d19e169101706ed3e0c4f29d486633bd4c7 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 6 May 2020 22:27:06 +0530
Subject: [PATCH 119/201] 744 fixing policy validation

---
 pkg/engine/variables/vars.go      | 62 ++++++++++++++-----------------
 pkg/engine/variables/vars_test.go |  3 +-
 pkg/policy/background.go          | 37 +++++++++++++-----
 3 files changed, 55 insertions(+), 47 deletions(-)

diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go
index b4ca3f3951..3f519a9a73 100644
--- a/pkg/engine/variables/vars.go
+++ b/pkg/engine/variables/vars.go
@@ -17,16 +17,14 @@ const (
 //SubstituteVars replaces the variables with the values defined in the context
 // - if any variable is invaid or has nil value, it is considered as a failed varable substitution
 func SubstituteVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}) (interface{}, error) {
-	errs := []error{}
-	pattern = subVars(log, ctx, pattern, "", &errs)
-	if len(errs) == 0 {
-		// no error while parsing the pattern
-		return pattern, nil
+	pattern, err := subVars(log, ctx, pattern, "")
+	if err != nil {
+		return pattern, err
 	}
-	return pattern, fmt.Errorf("%v", errs)
+	return pattern, nil
 }
 
-func subVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}, path string, errs *[]error) interface{} {
+func subVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}, path string) (interface{}, error) {
 	switch typedPattern := pattern.(type) {
 	case map[string]interface{}:
 		mapCopy := make(map[string]interface{})
@@ -34,48 +32,47 @@ func subVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}, pa
 			mapCopy[k] = v
 		}
 
-		return subMap(log, ctx, mapCopy, path, errs)
+		return subMap(log, ctx, mapCopy, path)
 	case []interface{}:
 		sliceCopy := make([]interface{}, len(typedPattern))
 		copy(sliceCopy, typedPattern)
 
-		return subArray(log, ctx, sliceCopy, path, errs)
+		return subArray(log, ctx, sliceCopy, path)
 	case string:
-		return subValR(ctx, typedPattern, path, errs)
+		return subValR(ctx, typedPattern, path)
 	default:
-		return pattern
+		return pattern, nil
 	}
 }
 
-func subMap(log logr.Logger, ctx context.EvalInterface, patternMap map[string]interface{}, path string, errs *[]error) map[string]interface{} {
+func subMap(log logr.Logger, ctx context.EvalInterface, patternMap map[string]interface{}, path string) (map[string]interface{}, error) {
 	for key, patternElement := range patternMap {
 		curPath := path + "/" + key
-		value := subVars(log, ctx, patternElement, curPath, errs)
+		value, err := subVars(log, ctx, patternElement, curPath)
+		if err != nil {
+			return nil, err
+		}
 		patternMap[key] = value
 
 	}
-	return patternMap
+	return patternMap, nil
 }
 
-func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interface{}, path string, errs *[]error) []interface{} {
+func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interface{}, path string) ([]interface{}, error) {
 	for idx, patternElement := range patternList {
 		curPath := path + "/" + strconv.Itoa(idx)
-		value := subVars(log, ctx, patternElement, curPath, errs)
+		value, err := subVars(log, ctx, patternElement, curPath)
+		if err != nil {
+			return nil, err
+		}
 		patternList[idx] = value
 	}
-	return patternList
+	return patternList, nil
 }
 
 // subValR resolves the variables if defined
-func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} {
+func subValR(ctx context.EvalInterface, valuePattern string, path string) (interface{}, error) {
 	originalPattern := valuePattern
-	var failedVars []string
-
-	defer func() {
-		if len(failedVars) > 0 {
-			*errs = append(*errs, fmt.Errorf("failed to resolve %v at path %s", failedVars, path))
-		}
-	}()
 
 	regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`)
 	for {
@@ -84,23 +81,18 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 				underlyingVariable := strings.ReplaceAll(strings.ReplaceAll(variable, "}}", ""), "{{", "")
 				substitutedVar, err := ctx.Query(underlyingVariable)
 				if err != nil {
-					failedVars = append(failedVars, underlyingVariable)
-					return nil
+					return nil, fmt.Errorf("failed to resolve %v at path %s", underlyingVariable, path)
 				}
 				if val, ok := substitutedVar.(string); ok {
-					if val == "" {
-						failedVars = append(failedVars, underlyingVariable)
-						return nil
-					}
 					valuePattern = strings.Replace(valuePattern, variable, val, -1)
 				} else {
 					if substitutedVar != nil {
 						if originalPattern == variable {
-							return substitutedVar
+							return substitutedVar, nil
 						}
+						return nil, fmt.Errorf("failed to resolve %v at path %s", underlyingVariable, path)
 					}
-					failedVars = append(failedVars, underlyingVariable)
-					return nil
+					return nil, fmt.Errorf("could not find variable %v at path %v", underlyingVariable, path)
 				}
 			}
 		} else {
@@ -108,5 +100,5 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *
 		}
 	}
 
-	return valuePattern
+	return valuePattern, nil
 }
diff --git a/pkg/engine/variables/vars_test.go b/pkg/engine/variables/vars_test.go
index 85d4537cd8..0e25e269e1 100644
--- a/pkg/engine/variables/vars_test.go
+++ b/pkg/engine/variables/vars_test.go
@@ -152,6 +152,5 @@ func Test_SubvarRecursive(t *testing.T) {
 
 	ctx := context.NewContext()
 	assert.Assert(t, ctx.AddResource(resourceRaw))
-	errs := []error{}
-	subValR(ctx, string(patternRaw), "/", &errs)
+	subValR(ctx, string(patternRaw), "/")
 }
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index b6af9d2d23..639281f075 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -2,6 +2,7 @@ package policy
 
 import (
 	"fmt"
+	"strings"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -24,35 +25,40 @@ func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 		filterVars := []string{"request.object"}
 		ctx := context.NewContext(filterVars...)
 		for condIdx, condition := range rule.Conditions {
-			if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); err != nil {
+			if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); !checkNotFoundErr(err) {
 				return fmt.Errorf("invalid variable used at spec/rules[%d]/condition[%d]/key", idx, condIdx)
 			}
 
-			if condition.Value, err = variables.SubstituteVars(log.Log, ctx, condition.Value); err != nil {
+			if condition.Value, err = variables.SubstituteVars(log.Log, ctx, condition.Value); !checkNotFoundErr(err) {
 				return fmt.Errorf("invalid variable used at spec/rules[%d]/condition[%d]/value", idx, condIdx)
 			}
 		}
 
-		if rule.Mutation.Overlay, err = variables.SubstituteVars(log.Log, ctx, rule.Mutation.Overlay); err != nil {
-			return fmt.Errorf("invalid variable used at spec/rules[%d]/mutate/overlay", idx)
+		if rule.Mutation.Overlay != nil {
+			if rule.Mutation.Overlay, err = variables.SubstituteVars(log.Log, ctx, rule.Mutation.Overlay); !checkNotFoundErr(err) {
+				return fmt.Errorf("invalid variable used at spec/rules[%d]/mutate/overlay", idx)
+			}
 		}
-		if rule.Validation.Pattern, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Pattern); err != nil {
-			return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/pattern", idx)
+
+		if rule.Validation.Pattern != nil {
+			if rule.Validation.Pattern, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Pattern); !checkNotFoundErr(err) {
+				return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/pattern", idx)
+			}
 		}
 		for idx2, pattern := range rule.Validation.AnyPattern {
-			if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(log.Log, ctx, pattern); err != nil {
+			if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(log.Log, ctx, pattern); !checkNotFoundErr(err) {
 				return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/anyPattern[%d]", idx, idx2)
 			}
 		}
-		if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Message); err != nil {
+		if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Message); !checkNotFoundErr(err) {
 			return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/message", idx)
 		}
 		if rule.Validation.Deny != nil {
 			for i := range rule.Validation.Deny.Conditions {
-				if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Deny.Conditions[i].Key); err != nil {
+				if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Deny.Conditions[i].Key); !checkNotFoundErr(err) {
 					return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/deny/conditions[%d]/key", idx, i)
 				}
-				if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Deny.Conditions[i].Value); err != nil {
+				if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Deny.Conditions[i].Value); !checkNotFoundErr(err) {
 					return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/deny/conditions[%d]/value", idx, i)
 				}
 			}
@@ -61,6 +67,17 @@ func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 	return nil
 }
 
+func checkNotFoundErr(err error) bool {
+	if err != nil {
+		if strings.HasPrefix(err.Error(), "could not find variable") {
+			return true
+		} else {
+			return false
+		}
+	}
+	return true
+}
+
 func userInfoDefined(ui kyverno.UserInfo) string {
 	if len(ui.Roles) > 0 {
 		return "roles"

From f08f7e22c7d078f0fec8c65033b043ff155ee887 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 6 May 2020 22:43:17 +0530
Subject: [PATCH 120/201] 744 supporting Equals and NotEquals as operater types

---
 definitions/install.yaml                  | 2 ++
 definitions/install_debug.yaml            | 2 ++
 pkg/api/kyverno/v1/types.go               | 6 ++++--
 pkg/engine/variables/operator/operator.go | 4 ++++
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 37ff3e8da4..d8936136c4 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -225,7 +225,9 @@ spec:
                                   type: string
                                   enum:
                                   - Equal
+                                  - Equals
                                   - NotEqual
+                                  - NotEquals
                                 key:
                                   type: string
                                 value:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 22ae2da832..c3f35fa475 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -225,7 +225,9 @@ spec:
                                   type: string
                                   enum:
                                     - Equal
+                                    - Equals
                                     - NotEqual
+                                    - NotEquals
                                 key:
                                   type: string
                                 value:
diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go
index 5c2c4e329b..5eed72f672 100644
--- a/pkg/api/kyverno/v1/types.go
+++ b/pkg/api/kyverno/v1/types.go
@@ -155,9 +155,11 @@ type ConditionOperator string
 
 const (
 	//Equal for Equal operator
-	Equal ConditionOperator = "Equal"
+	Equal  ConditionOperator = "Equal"
+	Equals ConditionOperator = "Equals"
 	//NotEqual for NotEqual operator
-	NotEqual ConditionOperator = "NotEqual"
+	NotEqual  ConditionOperator = "NotEqual"
+	NotEquals ConditionOperator = "NotEquals"
 	//In for In operator
 	In ConditionOperator = "In"
 	//NotIn for NotIn operator
diff --git a/pkg/engine/variables/operator/operator.go b/pkg/engine/variables/operator/operator.go
index adafe69982..8dbc6cf0bc 100644
--- a/pkg/engine/variables/operator/operator.go
+++ b/pkg/engine/variables/operator/operator.go
@@ -26,6 +26,10 @@ func CreateOperatorHandler(log logr.Logger, ctx context.EvalInterface, op kyvern
 		return NewEqualHandler(log, ctx, subHandler)
 	case kyverno.NotEqual:
 		return NewNotEqualHandler(log, ctx, subHandler)
+	case kyverno.Equals:
+		return NewEqualHandler(log, ctx, subHandler)
+	case kyverno.NotEquals:
+		return NewNotEqualHandler(log, ctx, subHandler)
 	default:
 		log.Info("operator not supported", "operator", string(op))
 	}

From 768293570114d702476cd0714c3bb7cf4a31b3c0 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 6 May 2020 22:52:29 +0530
Subject: [PATCH 121/201] 744 fixing broken tests

---
 pkg/engine/mutation_test.go   | 2 +-
 pkg/engine/validation_test.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go
index 55f79c442f..d019361026 100644
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@@ -159,7 +159,7 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
 		Context:     ctx,
 		NewResource: *resourceUnstructured}
 	er := Mutate(policyContext)
-	expectedErrorStr := "[failed to resolve [request.object.metadata.name1] at path /spec/name]"
+	expectedErrorStr := "could not find variable request.object.metadata.name1 at path /spec/name"
 	t.Log(er.PolicyResponse.Rules[0].Message)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Message, expectedErrorStr)
 }
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index fb6f272966..ebd889a183 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -1327,7 +1327,7 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) {
 		NewResource: *resourceUnstructured}
 	er := Validate(policyContext)
 	assert.Assert(t, !er.PolicyResponse.Rules[0].Success)
-	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation error: ; Validation rule 'test-path-not-exist' failed. '[failed to resolve [request.object.metadata.name1] at path /spec/containers/0/name]'")
+	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation error: ; Validation rule 'test-path-not-exist' failed. 'could not find variable request.object.metadata.name1 at path /spec/containers/0/name'")
 }
 
 func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfies(t *testing.T) {
@@ -1509,7 +1509,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test
 		NewResource: *resourceUnstructured}
 	er := Validate(policyContext)
 	assert.Assert(t, !er.PolicyResponse.Rules[0].Success)
-	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Substitutions failed: [[failed to resolve [request.object.metadata.name1] at path /spec/template/spec/containers/0/name] [failed to resolve [request.object.metadata.name2] at path /spec/template/spec/containers/0/name]]")
+	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Substitutions failed: [could not find variable request.object.metadata.name1 at path /spec/template/spec/containers/0/name could not find variable request.object.metadata.name2 at path /spec/template/spec/containers/0/name]")
 }
 
 func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatternSatisfy(t *testing.T) {

From 5ec300a12db3c7b9c11ddeeb761c9b73147ba2ff Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 7 May 2020 02:35:24 +0530
Subject: [PATCH 122/201] 744 added tests

---
 pkg/engine/validation_test.go | 115 ++++++++++++++++++++++++++++++++++
 pkg/utils/util.go             |  48 ++++++++++++++
 pkg/webhooks/common.go        |  46 --------------
 pkg/webhooks/server.go        |   4 +-
 pkg/webhooks/validation.go    |   4 +-
 5 files changed, 169 insertions(+), 48 deletions(-)

diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index ebd889a183..3fff7a0153 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -4,9 +4,12 @@ import (
 	"encoding/json"
 	"testing"
 
+	"k8s.io/api/admission/v1beta1"
+
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
+	utils2 "github.com/nirmata/kyverno/pkg/utils"
 	"gotest.tools/assert"
 )
 
@@ -1604,3 +1607,115 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter
 	assert.Assert(t, !er.PolicyResponse.Rules[0].Success)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation rule 'test-path-not-exist' has failed")
 }
+
+func Test_denyFeatureIssue744(t *testing.T) {
+	testcases := []struct {
+		description   string
+		policy        []byte
+		request       []byte
+		userInfo      []byte
+		expectedError bool
+	}{
+		{
+			description:   "Blocks delete requests for resources with label allow-deletes(success case)",
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
+			request:       []byte(`{"uid":"b553344a-172a-4257-8ec4-a8f379f8b844","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"DELETE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":null,"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"f093e3da-f13a-474f-87e8-43e98fe363bf","resourceVersion":"1983","creationTimestamp":"2020-05-06T20:28:43Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:28:43Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"DeleteOptions","apiVersion":"meta.k8s.io/v1","gracePeriodSeconds":30,"propagationPolicy":"Background"}}`),
+			userInfo:      []byte(`{"roles":null,"clusterRoles":["cluster-admin","system:basic-user","system:discovery","system:public-info-viewer"],"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Blocks delete requests for resources with label allow-deletes(failure case)",
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
+			request:       []byte(`{"uid":"9a83234d-95d1-4105-b6bf-7d72fd0183ce","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"subResource":"status","requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"requestSubResource":"status","name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"10fb7e1f-3710-43fa-9b7d-fc532b5ff70e","resourceVersion":"2829","creationTimestamp":"2020-05-06T20:36:51Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:36:51Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"10fb7e1f-3710-43fa-9b7d-fc532b5ff70e","resourceVersion":"2829","creationTimestamp":"2020-05-06T20:36:51Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
+			userInfo:      []byte(`{"roles":["kube-system:kubeadm:nodes-kubeadm-config","kube-system:kubeadm:kubelet-config-1.17"],"clusterRoles":["system:discovery","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:basic-user"],"userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Blocks update requests for resources with label allow-updates(success case)",
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-updates"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-updates","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Updating {{request.object.kind}} / {{request.object.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equals","value":"UPDATE"}]}}}]}}`),
+			request:       []byte(`{"uid":"7b0600b7-0258-4ecb-9666-c2839bd19612","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"subResource":"status","requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"requestSubResource":"status","name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Running","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","podIP":"10.244.0.8","podIPs":[{"ip":"10.244.0.8"}],"startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2020-05-06T20:42:01Z","finishedAt":"2020-05-06T20:42:01Z","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/library/hello-world:latest","imageID":"docker.io/library/hello-world@sha256:8e3114318a995a1ee497790535e7b88365222a21771ae7e53687ad76563e8e76","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
+			userInfo:      []byte(`{"roles":["kube-system:kubeadm:kubelet-config-1.17","kube-system:kubeadm:nodes-kubeadm-config"],"clusterRoles":["system:basic-user","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:discovery"],"userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Blocks update requests for resources with label allow-updates(failure case)",
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
+			request:       []byte(`{"uid":"9c284cdb-b0de-42aa-adf5-649a44bc861b","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"CREATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"41a928a7-73f4-419f-bd64-de11f4f0a8ca","creationTimestamp":"2020-05-06T20:43:50Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj"}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"oldObject":null,"dryRun":false,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}}`),
+			userInfo:      []byte(`{"roles":null,"clusterRoles":["system:public-info-viewer","cluster-admin","system:discovery","system:basic-user"],"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Blocks certain fields(success case)",
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"prevent-field-update"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"prevent-field-update","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"validate":{"message":"Updating field label 'something' is not allowed","deny":{"conditions":[{"key":"{{request.object.metadata.labels.something}}","operator":"NotEqual","value":""},{"key":"{{request.object.metadata.labels.something}}","operator":"NotEquals","value":"{{request.oldObject.metadata.labels.something}}"}]}}}]}}`),
+			request:       []byte(`{"uid":"11d46f83-a31b-444e-8209-c43b24f1af8a","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"42bd0f0a-4b1f-4f7c-a40d-4dbed5522732","resourceVersion":"4333","creationTimestamp":"2020-05-06T20:51:58Z","labels":{"allow-updates":"false","something":"existes","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"42bd0f0a-4b1f-4f7c-a40d-4dbed5522732","resourceVersion":"4333","creationTimestamp":"2020-05-06T20:51:58Z","labels":{"allow-updates":"false","something":"exists","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"exists\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
+			userInfo:      []byte(`{"roles":null,"clusterRoles":null,"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
+			expectedError: true,
+		},
+		{
+			description:   "Blocks certain fields(failure case)",
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"prevent-field-update"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"prevent-field-update","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"validate":{"message":"Updating field label 'something' is not allowed","deny":{"conditions":[{"key":"{{request.object.metadata.labels.something}}","operator":"NotEqual","value":""},{"key":"{{request.object.metadata.labels.something}}","operator":"NotEquals","value":"{{request.oldObject.metadata.labels.something}}"}]}}}]}}`),
+			request:       []byte(`{"uid":"cbdce9bb-741d-466a-a440-36155eb4b45b","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"kube-system","operation":"CREATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"kube-system","uid":"490c240c-f96a-4d5a-8860-75597bab0a7e","creationTimestamp":"2020-05-06T21:01:50Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"hello-world\",\"namespace\":\"kube-system\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-8h2h8","secret":{"secretName":"default-token-8h2h8"}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-8h2h8","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"oldObject":null,"dryRun":false,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}}`),
+			userInfo:      []byte(`{"roles":null,"clusterRoles":null,"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
+			expectedError: false,
+		},
+		{
+			description:   "Deny all requests on a namespace",
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-request"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"block-request","match":{"resources":{"namespaces":["kube-system"]}},"validate":{"deny":{}}}]}}`),
+			request:       []byte(`{"uid":"2cf2b192-2c25-4f14-ac3a-315408d398f2","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"f5c33eaf-79d8-4bc0-8819-749b3606012c","resourceVersion":"5470","creationTimestamp":"2020-05-06T20:57:15Z","labels":{"allow-updates":"false","something":"existes","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:57:15Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"f5c33eaf-79d8-4bc0-8819-749b3606012c","resourceVersion":"5470","creationTimestamp":"2020-05-06T20:57:15Z","labels":{"allow-updates":"false","something":"existes","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:57:15Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
+			userInfo:      []byte(`{"roles":null,"clusterRoles":null,"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
+			expectedError: false,
+		},
+	}
+
+	var err error
+	for _, testcase := range testcases {
+		var policy kyverno.ClusterPolicy
+		err = json.Unmarshal(testcase.policy, &policy)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		var request *v1beta1.AdmissionRequest
+		err = json.Unmarshal(testcase.request, &request)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		var userInfo kyverno.RequestInfo
+		err = json.Unmarshal(testcase.userInfo, &userInfo)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		ctx := context.NewContext()
+		err = ctx.AddRequest(request)
+		if err != nil {
+			t.Fatal(err)
+		}
+		err = ctx.AddUserInfo(userInfo)
+		if err != nil {
+			t.Fatal(err)
+		}
+		err = ctx.AddSA(userInfo.AdmissionUserInfo.Username)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		newR, oldR, err := utils2.ExtractResources(nil, request)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		pc := PolicyContext{
+			Policy:        policy,
+			NewResource:   newR,
+			OldResource:   oldR,
+			AdmissionInfo: userInfo,
+			Context:       ctx,
+		}
+		resp := Validate(pc)
+		if resp.IsSuccesful() != !testcase.expectedError {
+			t.Errorf("Testcase has failed")
+		}
+	}
+}
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
index 5fe0602e71..521872c037 100644
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@@ -1,8 +1,13 @@
 package utils
 
 import (
+	"fmt"
 	"reflect"
 
+	engineutils "github.com/nirmata/kyverno/pkg/engine/utils"
+	"k8s.io/api/admission/v1beta1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
 	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	client "github.com/nirmata/kyverno/pkg/dclient"
@@ -86,3 +91,46 @@ func CleanupOldCrd(client *dclient.Client, log logr.Logger) {
 		}
 	}
 }
+
+// extracts the new and old resource as unstructured
+func ExtractResources(newRaw []byte, request *v1beta1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
+	var emptyResource unstructured.Unstructured
+	var newResource unstructured.Unstructured
+	var oldResource unstructured.Unstructured
+	var err error
+
+	// New Resource
+	if newRaw == nil {
+		newRaw = request.Object.Raw
+	}
+
+	if newRaw != nil {
+		newResource, err = ConvertResource(newRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+		if err != nil {
+			return emptyResource, emptyResource, fmt.Errorf("failed to convert new raw to unstructured: %v", err)
+		}
+	}
+
+	// Old Resource
+	oldRaw := request.OldObject.Raw
+	if oldRaw != nil {
+		oldResource, err = ConvertResource(oldRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+		if err != nil {
+			return emptyResource, emptyResource, fmt.Errorf("failed to convert old raw to unstructured: %v", err)
+		}
+	}
+
+	return newResource, oldResource, err
+}
+
+// convertResource converts raw bytes to an unstructured object
+func ConvertResource(raw []byte, group, version, kind, namespace string) (unstructured.Unstructured, error) {
+	obj, err := engineutils.ConvertToUnstructured(raw)
+	if err != nil {
+		return unstructured.Unstructured{}, fmt.Errorf("failed to convert raw to unstructured: %v", err)
+	}
+
+	obj.SetGroupVersionKind(schema.GroupVersionKind{Group: group, Version: version, Kind: kind})
+	obj.SetNamespace(namespace)
+	return *obj, nil
+}
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index fb6ac42021..324185c109 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -9,9 +9,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	engineutils "github.com/nirmata/kyverno/pkg/engine/utils"
 	yamlv2 "gopkg.in/yaml.v2"
-	"k8s.io/api/admission/v1beta1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
 // isResponseSuccesful return true if all responses are successful
@@ -125,46 +122,3 @@ func containRBACinfo(policies []kyverno.ClusterPolicy) bool {
 	}
 	return false
 }
-
-// extracts the new and old resource as unstructured
-func extractResources(newRaw []byte, request *v1beta1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
-	var emptyResource unstructured.Unstructured
-	var newResource unstructured.Unstructured
-	var oldResource unstructured.Unstructured
-	var err error
-
-	// New Resource
-	if newRaw == nil {
-		newRaw = request.Object.Raw
-	}
-
-	if newRaw != nil {
-		newResource, err = convertResource(newRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
-		if err != nil {
-			return emptyResource, emptyResource, fmt.Errorf("failed to convert new raw to unstructured: %v", err)
-		}
-	}
-
-	// Old Resource
-	oldRaw := request.OldObject.Raw
-	if oldRaw != nil {
-		oldResource, err = convertResource(oldRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
-		if err != nil {
-			return emptyResource, emptyResource, fmt.Errorf("failed to convert old raw to unstructured: %v", err)
-		}
-	}
-
-	return newResource, oldResource, err
-}
-
-// convertResource converts raw bytes to an unstructured object
-func convertResource(raw []byte, group, version, kind, namespace string) (unstructured.Unstructured, error) {
-	obj, err := engineutils.ConvertToUnstructured(raw)
-	if err != nil {
-		return unstructured.Unstructured{}, fmt.Errorf("failed to convert raw to unstructured: %v", err)
-	}
-
-	obj.SetGroupVersionKind(schema.GroupVersionKind{Group: group, Version: version, Kind: kind})
-	obj.SetNamespace(namespace)
-	return *obj, nil
-}
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 6935322d56..a8e9f652e2 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -10,6 +10,8 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/nirmata/kyverno/pkg/utils"
+
 	"github.com/julienschmidt/httprouter"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -217,7 +219,7 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 	}
 
 	// convert RAW to unstructured
-	resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+	resource, err := utils.ConvertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
 	if err != nil {
 		logger.Error(err, "failed to convert RAW resource to unstructured format")
 
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index e0d564e942..2326e7d89c 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -5,6 +5,8 @@ import (
 	"sort"
 	"time"
 
+	"github.com/nirmata/kyverno/pkg/utils"
+
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine"
@@ -22,7 +24,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	logger.V(4).Info("incoming request")
 
 	// Get new and old resource
-	newR, oldR, err := extractResources(patchedResource, request)
+	newR, oldR, err := utils.ExtractResources(patchedResource, request)
 	if err != nil {
 		// as resource cannot be parsed, we skip processing
 		logger.Error(err, "failed to extract resource")

From 6f01bb4d59a9b73c560b7329b23d5831afe0d161 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 7 May 2020 14:18:42 +0530
Subject: [PATCH 123/201] 744 only user requests will be denied

---
 pkg/engine/validation.go      | 15 +++++++++------
 pkg/engine/validation_test.go |  4 ++--
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 7515c9d26d..aaef06efa2 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -52,12 +52,15 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 		endResultResponse(logger, &resp, startTime)
 	}()
 
-	// If request is delete, newR will be empty
-	if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
-		return *isRequestDenied(logger, ctx, policy, oldR, admissionInfo)
-	} else {
-		if denyResp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !denyResp.IsSuccesful() {
-			return *denyResp
+	// deny logic will only be applied to requests from user - system related requests are ignored.
+	if admissionInfo.AdmissionUserInfo.Username == "kubernetes-admin" {
+		// If request is delete, newR will be empty
+		if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
+			return *isRequestDenied(logger, ctx, policy, oldR, admissionInfo)
+		} else {
+			if denyResp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !denyResp.IsSuccesful() {
+				return *denyResp
+			}
 		}
 	}
 
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 3fff7a0153..9fb0f448d2 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -1627,14 +1627,14 @@ func Test_denyFeatureIssue744(t *testing.T) {
 			description:   "Blocks delete requests for resources with label allow-deletes(failure case)",
 			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
 			request:       []byte(`{"uid":"9a83234d-95d1-4105-b6bf-7d72fd0183ce","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"subResource":"status","requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"requestSubResource":"status","name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"10fb7e1f-3710-43fa-9b7d-fc532b5ff70e","resourceVersion":"2829","creationTimestamp":"2020-05-06T20:36:51Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:36:51Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"10fb7e1f-3710-43fa-9b7d-fc532b5ff70e","resourceVersion":"2829","creationTimestamp":"2020-05-06T20:36:51Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
-			userInfo:      []byte(`{"roles":["kube-system:kubeadm:nodes-kubeadm-config","kube-system:kubeadm:kubelet-config-1.17"],"clusterRoles":["system:discovery","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:basic-user"],"userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]}}`),
+			userInfo:      []byte(`{"roles":["kube-system:kubeadm:nodes-kubeadm-config","kube-system:kubeadm:kubelet-config-1.17"],"clusterRoles":["system:discovery","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:basic-user"],"userInfo":{"username":"kubernetes-admin","groups":["system:nodes","system:authenticated"]}}`),
 			expectedError: false,
 		},
 		{
 			description:   "Blocks update requests for resources with label allow-updates(success case)",
 			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-updates"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-updates","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Updating {{request.object.kind}} / {{request.object.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equals","value":"UPDATE"}]}}}]}}`),
 			request:       []byte(`{"uid":"7b0600b7-0258-4ecb-9666-c2839bd19612","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"subResource":"status","requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"requestSubResource":"status","name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Running","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","podIP":"10.244.0.8","podIPs":[{"ip":"10.244.0.8"}],"startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2020-05-06T20:42:01Z","finishedAt":"2020-05-06T20:42:01Z","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/library/hello-world:latest","imageID":"docker.io/library/hello-world@sha256:8e3114318a995a1ee497790535e7b88365222a21771ae7e53687ad76563e8e76","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
-			userInfo:      []byte(`{"roles":["kube-system:kubeadm:kubelet-config-1.17","kube-system:kubeadm:nodes-kubeadm-config"],"clusterRoles":["system:basic-user","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:discovery"],"userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]}}`),
+			userInfo:      []byte(`{"roles":["kube-system:kubeadm:kubelet-config-1.17","kube-system:kubeadm:nodes-kubeadm-config"],"clusterRoles":["system:basic-user","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:discovery"],"userInfo":{"username":"kubernetes-admin","groups":["system:nodes","system:authenticated"]}}`),
 			expectedError: true,
 		},
 		{

From ba0de32454b61bd603356f2ff30e372b79e3d939 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 7 May 2020 14:38:15 +0530
Subject: [PATCH 124/201] 744 fixing previous commit implementation

---
 pkg/engine/validation.go | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index aaef06efa2..e1611fb7c6 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -52,15 +52,12 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 		endResultResponse(logger, &resp, startTime)
 	}()
 
-	// deny logic will only be applied to requests from user - system related requests are ignored.
-	if admissionInfo.AdmissionUserInfo.Username == "kubernetes-admin" {
-		// If request is delete, newR will be empty
-		if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
-			return *isRequestDenied(logger, ctx, policy, oldR, admissionInfo)
-		} else {
-			if denyResp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !denyResp.IsSuccesful() {
-				return *denyResp
-			}
+	// If request is delete, newR will be empty
+	if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
+		return *isRequestDenied(logger, ctx, policy, oldR, admissionInfo)
+	} else {
+		if denyResp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !denyResp.IsSuccesful() {
+			return *denyResp
 		}
 	}
 
@@ -99,6 +96,12 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 
 func isRequestDenied(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
 	resp := &response.EngineResponse{}
+
+	// deny logic will only be applied to requests from user - system related requests are ignored.
+	if admissionInfo.AdmissionUserInfo.Username != "kubernetes-admin" {
+		return resp
+	}
+
 	for _, rule := range policy.Spec.Rules {
 		if !rule.HasValidate() {
 			continue

From 717e42dd0b69530408c2e8394ece7b5cd1b02d3d Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 7 May 2020 23:04:15 +0530
Subject: [PATCH 125/201] 744 ignoring resources with deletionTimestamp

---
 pkg/engine/validation.go | 5 -----
 pkg/webhooks/server.go   | 9 +++++++++
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index e1611fb7c6..a578eabdf4 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -97,11 +97,6 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 func isRequestDenied(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
 	resp := &response.EngineResponse{}
 
-	// deny logic will only be applied to requests from user - system related requests are ignored.
-	if admissionInfo.AdmissionUserInfo.Username != "kubernetes-admin" {
-		return resp
-	}
-
 	for _, rule := range policy.Spec.Rules {
 		if !rule.HasValidate() {
 			continue
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index a8e9f652e2..2a9c7551d8 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -355,6 +355,15 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		logger.Error(err, "failed to load service account in context")
 	}
 
+	if val, err := ctx.Query("request.object.metadata.deletionTimestamp"); val != nil && err == nil {
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+			Result: &metav1.Status{
+				Status: "Success",
+			},
+		}
+	}
+
 	// VALIDATION
 	ok, msg := ws.HandleValidation(request, policies, nil, ctx, userRequestInfo)
 	if !ok {

From 43d412039cf585174f8e76677a583c8bf7a7ea8a Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Thu, 7 May 2020 23:11:04 +0530
Subject: [PATCH 126/201] 744 relocating logic

---
 pkg/webhooks/server.go     | 9 ---------
 pkg/webhooks/validation.go | 4 ++++
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 2a9c7551d8..a8e9f652e2 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -355,15 +355,6 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		logger.Error(err, "failed to load service account in context")
 	}
 
-	if val, err := ctx.Query("request.object.metadata.deletionTimestamp"); val != nil && err == nil {
-		return &v1beta1.AdmissionResponse{
-			Allowed: true,
-			Result: &metav1.Status{
-				Status: "Success",
-			},
-		}
-	}
-
 	// VALIDATION
 	ok, msg := ws.HandleValidation(request, policies, nil, ctx, userRequestInfo)
 	if !ok {
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index 2326e7d89c..781421111a 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -23,6 +23,10 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	logger := ws.log.WithValues("action", "validation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	logger.V(4).Info("incoming request")
 
+	if val, err := ctx.Query("request.object.metadata.deletionTimestamp"); val != nil && err == nil {
+		return true, ""
+	}
+
 	// Get new and old resource
 	newR, oldR, err := utils.ExtractResources(patchedResource, request)
 	if err != nil {

From a3889d8c39720d700d327c4e4907ff663daef4a4 Mon Sep 17 00:00:00 2001
From: Michael Barrientos <mbarrientos@chanzuckerberg.com>
Date: Fri, 8 May 2020 19:04:40 -0700
Subject: [PATCH 127/201] Add Helm chart for Kyverno - #835

---
 charts/kyverno/Chart.yaml                     |  19 +
 charts/kyverno/README.md                      | 102 ++++
 charts/kyverno/crds/crds.yaml                 | 446 ++++++++++++++++++
 charts/kyverno/templates/_helpers.tpl         |  62 +++
 charts/kyverno/templates/clusterrole.yaml     | 147 ++++++
 .../kyverno/templates/clusterrolebinding.yaml |  66 +++
 charts/kyverno/templates/configmap.yaml       |  10 +
 charts/kyverno/templates/deployment.yaml      |  65 +++
 charts/kyverno/templates/secret.yaml          |  23 +
 charts/kyverno/templates/service.yaml         |  19 +
 charts/kyverno/templates/serviceaccount.yaml  |  10 +
 charts/kyverno/values.yaml                    | 126 +++++
 12 files changed, 1095 insertions(+)
 create mode 100644 charts/kyverno/Chart.yaml
 create mode 100644 charts/kyverno/README.md
 create mode 100644 charts/kyverno/crds/crds.yaml
 create mode 100644 charts/kyverno/templates/_helpers.tpl
 create mode 100644 charts/kyverno/templates/clusterrole.yaml
 create mode 100644 charts/kyverno/templates/clusterrolebinding.yaml
 create mode 100644 charts/kyverno/templates/configmap.yaml
 create mode 100644 charts/kyverno/templates/deployment.yaml
 create mode 100644 charts/kyverno/templates/secret.yaml
 create mode 100644 charts/kyverno/templates/service.yaml
 create mode 100644 charts/kyverno/templates/serviceaccount.yaml
 create mode 100644 charts/kyverno/values.yaml

diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
new file mode 100644
index 0000000000..048d983557
--- /dev/null
+++ b/charts/kyverno/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+name: kyverno
+version: 0.0.1
+appVersion: v1.1.5
+description: Kubernetes Native Policy Management
+keywords:
+  - kubernetes
+  - nirmata
+  - policy agent
+  - validating webhook
+  - admissions controller
+home: https://kyverno.io/
+sources:
+  - https://github.com/nirmata/kyverno
+maintainers:
+  - name: Nirmata
+    url: https://kyverno.io/
+engine: gotpl
+kubeVersion: ">=1.10.0-0"
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
new file mode 100644
index 0000000000..20747b4b43
--- /dev/null
+++ b/charts/kyverno/README.md
@@ -0,0 +1,102 @@
+# kyverno
+
+[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. It allows you to
+
+* Manage policies as Kubernetes resources.
+* Validate, mutate, and generate configurations.
+* Select resources based on labels and wildcards.
+* View policy enforcement as events.
+* Detect policy violations for existing resources.
+
+## TL;DR;
+
+```console
+$ helm install -n kyverno ./kyverno
+```
+
+## Introduction
+
+This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Installing the Chart
+
+Kyverno makes assumptions about naming of namespaces and resources. Therefore, the chart must be installed with the default release name `kyverno` (default if --name is omitted) and in the namespace 'kyverno':
+
+```console
+$ helm install --namespace kyverno --name kyverno ./kyverno
+```
+
+The command deploys kyverno on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `kyverno` deployment:
+
+```console
+$ helm delete -n kyverno
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+
+The following table lists the configurable parameters of the kyverno chart and their default values.
+
+Parameter | Description | Default
+--- | --- | ---
+`affinity` | node/pod affinities | `nil`
+`createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false`
+`config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil`
+`config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]`
+`extraArgs` | list of extra arguments to give the binary | `[]`
+`fullnameOverride` | override the expanded name of the chart | `nil`
+`generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]`
+`image.pullPolicy` | Image pull policy | `IfNotPresent`
+`image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods)
+`image.repository` | Image repository | `nirmata/kyverno`
+`image.tag` | Image tag | `nil`
+`initImage.pullPolicy` | Init image pull policy | `nil`
+`initImage.repository` | Init image repository | `nirmata/kyvernopre`
+`initImage.tag` | Init image tag | `nil`
+`livenessProbe` | liveness probe configuration | `{}`
+`nameOverride` | override the name of the chart | `nil`
+`nodeSelector` | node labels for pod assignment | `{}`
+`podAnnotations` | annotations to add to each pod | `{}`
+`podLabels` | additional labels to add to each pod | `{}`
+`podSecurityContext` | security context for the pod | `{}`
+`priorityClassName` | priorityClassName | `nil`
+`rbac.create` | create cluster roles, cluster role bindings, and service account | `true`
+`rbac.serviceAccount.create` | create a service account | `true`
+`rbac.serviceAccount.name` | the service account name | `nil`
+`rbac.serviceAccount.annotations` | annotations for the service account | `{}`
+`readinessProbe` | readiness probe configuration | `{}`
+`replicaCount` | desired number of pods | `1`
+`resources` | pod resource requests & limits | `{}`
+`service.annotations` | annotations to add to the service | `{}`
+`service.nodePort` | node port | `nil`
+`service.port` | port for the service | `443`
+`service.type` | type of service | `ClusterIP`
+`tolerations` | list of node taints to tolerate | `[]`
+`securityContext` | security context configuration | `{}`
+
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+$ helm install --namespace kyverno --name kyverno ./kyverno \
+  --set=image.tag=v0.0.2,resources.limits.cpu=200m
+```
+
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
+
+```console
+$ helm install --namespace kyverno --name kyverno ./kyverno -f values.yaml
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## TLS Configuration
+
+If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate describe in option 2 of the [installation documentation](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#option-2-use-your-own-ca-signed-certificate)
+
+If `createSelfSignedCert` is `false`, Kyverno will generate a pair using the kube-controller-manager., or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the documentation.
\ No newline at end of file
diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
new file mode 100644
index 0000000000..e73ad35c65
--- /dev/null
+++ b/charts/kyverno/crds/crds.yaml
@@ -0,0 +1,446 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterpolicies.kyverno.io
+spec:
+  group: kyverno.io
+  versions:
+    - name: v1
+      served: true
+      storage: true
+  scope: Cluster
+  names:
+    kind: ClusterPolicy
+    plural: clusterpolicies
+    singular: clusterpolicy
+    shortNames:
+    - cpol
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        status: {}
+        spec:
+          required:
+          - rules
+          properties:
+          # default values to be handled by user
+            validationFailureAction:
+              type: string
+              enum: 
+              - enforce # blocks the resorce api-reques if a rule fails.
+              - audit # allows resource creation and reports the failed validation rules as violations. Default
+            background:
+              type: boolean
+            rules:
+              type: array
+              items:
+                type: object
+                required:
+                - name
+                - match
+                properties:
+                  name:
+                    type: string
+                  match:
+                    type: object
+                    required:
+                    - resources
+                    properties:
+                      roles:
+                        type: array
+                        items:
+                          type: string
+                      clusterRoles:
+                        type: array
+                        items:
+                          type: string
+                      subjects:
+                        type: array
+                        items:
+                          type: object
+                          required:
+                          - kind
+                          - name
+                          properties:
+                            kind:
+                              type: string
+                            apiGroup:
+                              type: string
+                            name:
+                              type: string
+                            Namespace:
+                              type: string
+                      resources:
+                        type: object
+                        minProperties: 1
+                        properties:
+                          kinds:
+                            type: array
+                            items:
+                              type: string
+                          name:
+                            type: string
+                          namespaces:
+                            type: array
+                            items:
+                              type: string
+                          selector:
+                            properties:
+                              matchLabels:
+                                type: object
+                                additionalProperties:
+                                  type: string
+                              matchExpressions:
+                                type: array
+                                items:
+                                  type: object
+                                  required:
+                                  - key
+                                  - operator
+                                  properties:
+                                    key:
+                                      type: string
+                                    operator:
+                                      type: string
+                                    values:
+                                      type: array
+                                      items:
+                                        type: string
+                  exclude:
+                    type: object
+                    properties:
+                      roles:
+                        type: array
+                        items:
+                          type: string
+                      clusterRoles:
+                        type: array
+                        items:
+                          type: string
+                      subjects:
+                        type: array
+                        items:
+                          type: object
+                          required:
+                          - kind
+                          - name
+                          properties:
+                            kind:
+                              type: string
+                            apiGroup:
+                              type: string
+                            name:
+                              type: string
+                            Namespace:
+                              type: string
+                      resources:
+                        type: object
+                        properties:
+                          kinds:
+                            type: array
+                            items:
+                              type: string
+                          name:
+                            type: string
+                          namespaces:
+                            type: array
+                            items:
+                              type: string
+                          selector:
+                            properties:
+                              matchLabels:
+                                type: object
+                                additionalProperties:
+                                  type: string
+                              matchExpressions:
+                                type: array
+                                items:
+                                  type: object
+                                  required:
+                                  - key
+                                  - operator
+                                  properties:
+                                    key:
+                                      type: string
+                                    operator:
+                                      type: string
+                                    values:
+                                      type: array
+                                      items:
+                                        type: string
+                  preconditions:
+                    type: array
+                    items:
+                      type: object
+                      required:
+                      - key  # can be of any type
+                      - operator # typed
+                      - value # can be of any type
+                  mutate:
+                    type: object
+                    properties:
+                      overlay:
+                        AnyValue: {}
+                      patches:
+                        type: array
+                        items:
+                          type: object
+                          required:
+                          - path
+                          - op
+                          properties:
+                            path:
+                              type: string
+                            op:
+                              type: string
+                              enum:
+                              - add
+                              - replace
+                              - remove
+                            value:
+                              AnyValue: {}
+                  validate:
+                    type: object
+                    properties:
+                      message:
+                        type: string
+                      pattern:
+                        AnyValue: {}
+                      anyPattern:
+                        AnyValue: {}
+                  generate:
+                    type: object
+                    required:
+                    - kind
+                    - name
+                    properties:
+                      kind:
+                        type: string
+                      name:
+                        type: string
+                      namespace:
+                        type: string
+                      clone: 
+                        type: object
+                        required:
+                        - namespace
+                        - name
+                        properties:
+                          namespace:
+                            type: string
+                          name:
+                            type: string
+                      data:
+                        AnyValue: {}
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterpolicyviolations.kyverno.io
+spec:
+  group: kyverno.io
+  versions:
+    - name: v1
+      served: true
+      storage: true
+  scope: Cluster
+  names:
+    kind: ClusterPolicyViolation
+    plural: clusterpolicyviolations
+    singular: clusterpolicyviolation
+    shortNames:
+    - cpolv
+  subresources:
+    status: {}
+  additionalPrinterColumns:
+  - name: Policy
+    type: string
+    description: The policy that resulted in the violation
+    JSONPath: .spec.policy
+  - name: ResourceKind
+    type: string
+    description: The resource kind that cause the violation
+    JSONPath: .spec.resource.kind
+  - name: ResourceName
+    type: string
+    description: The resource name that caused the violation
+    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          required:
+          - policy
+          - resource
+          - rules
+          properties:
+            policy:
+              type: string
+            resource:
+              type: object
+              required:
+              - kind
+              - name
+              properties:
+                kind:
+                  type: string
+                name:
+                  type: string
+            rules:
+              type: array
+              items:
+                type: object
+                required:
+                - name
+                - type
+                - message
+                properties:
+                  name:
+                    type: string
+                  type:
+                    type: string
+                  message:
+                    type: string
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: policyviolations.kyverno.io
+spec:
+  group: kyverno.io
+  versions:
+    - name: v1
+      served: true
+      storage: true
+  scope: Namespaced
+  names:
+    kind: PolicyViolation
+    plural: policyviolations
+    singular: policyviolation
+    shortNames:
+    - polv
+  subresources:
+    status: {}
+  additionalPrinterColumns:
+  - name: Policy
+    type: string
+    description: The policy that resulted in the violation
+    JSONPath: .spec.policy
+  - name: ResourceKind
+    type: string
+    description: The resource kind that cause the violation
+    JSONPath: .spec.resource.kind
+  - name: ResourceName
+    type: string
+    description: The resource name that caused the violation
+    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          required:
+          - policy
+          - resource
+          - rules
+          properties:
+            policy:
+              type: string
+            resource:
+              type: object
+              required:
+              - kind
+              - name
+              properties:
+                kind:
+                  type: string
+                name:
+                  type: string
+            rules:
+              type: array
+              items:
+                type: object
+                required:
+                - name
+                - type
+                - message
+                properties:
+                  name:
+                    type: string
+                  type:
+                    type: string
+                  message:
+                    type: string
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: generaterequests.kyverno.io
+spec:
+  group: kyverno.io
+  versions:
+    - name: v1
+      served: true
+      storage: true
+  scope: Namespaced
+  names:
+    kind: GenerateRequest
+    plural: generaterequests
+    singular: generaterequest
+    shortNames:
+    - gr
+  subresources:
+    status: {}
+  additionalPrinterColumns:
+  - name: Policy
+    type: string
+    description: The policy that resulted in the violation
+    JSONPath: .spec.policy
+  - name: ResourceKind
+    type: string
+    description: The resource kind that cause the violation
+    JSONPath: .spec.resource.kind
+  - name: ResourceName
+    type: string
+    description: The resource name that caused the violation
+    JSONPath: .spec.resource.name
+  - name: ResourceNamespace
+    type: string
+    description: The resource namespace that caused the violation
+    JSONPath: .spec.resource.namespace
+  - name: status
+    type : string
+    description: Current state of generate request
+    JSONPath: .status.state
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          required:
+          - policy
+          - resource
+          properties:
+            policy:
+              type: string
+            resource:
+              type: object
+              required:
+              - kind 
+              - name
+              properties:
+                kind:
+                  type: string
+                name: 
+                  type: string
+                namespace:
+                  type: string
diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl
new file mode 100644
index 0000000000..fe0880e71c
--- /dev/null
+++ b/charts/kyverno/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* Expand the name of the chart. */}}
+{{- define "kyverno.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kyverno.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "kyverno.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Helm required labels */}}
+{{- define "kyverno.labels" -}}
+app.kubernetes.io/name: {{ template "kyverno.name" . }}
+helm.sh/chart: {{ template "kyverno.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/* matchLabels */}}
+{{- define "kyverno.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyverno.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/* Get the config map name. */}}
+{{- define "kyverno.configMapName" -}}
+{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}}
+{{- end -}}
+
+{{/* Create the name of the service to use */}}
+{{- define "kyverno.serviceName" -}}
+{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Create the name of the service account to use */}}
+{{- define "kyverno.serviceAccountName" -}}
+{{- if .Values.rbac.serviceAccount.create -}}
+    {{ default (include "kyverno.fullname" .) .Values.rbac.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.rbac.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/kyverno/templates/clusterrole.yaml b/charts/kyverno/templates/clusterrole.yaml
new file mode 100644
index 0000000000..a4185b118c
--- /dev/null
+++ b/charts/kyverno/templates/clusterrole.yaml
@@ -0,0 +1,147 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:policyviolations
+rules:
+- apiGroups: ["kyverno.io"]
+  resources:
+  - policyviolations
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:webhook
+rules:
+# Dynamic creation of webhooks, events & certs
+- apiGroups:
+  - '*'
+  resources:
+  - events
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  - certificatesigningrequests
+  - certificatesigningrequests/approval
+  verbs:
+  - create
+  - delete
+  - get 
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  - certificatesigningrequests/approval
+  - certificatesigningrequests/status
+  resourceNames:
+    - kubernetes.io/legacy-unknown
+  verbs:
+  - create
+  - delete
+  - get 
+  - update
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - signers
+  resourceNames:
+  - kubernetes.io/legacy-unknown
+  verbs:
+  - approve 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:userinfo
+rules:
+# get the roleRef for incoming api-request user
+- apiGroups:
+  - "*"
+  resources:
+  - rolebindings
+  - clusterrolebindings
+  - configmaps
+  verbs:
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:customresources
+rules:
+# Kyverno CRs
+- apiGroups:
+  - '*'
+  resources:
+  - clusterpolicies
+  - clusterpolicies/status
+  - clusterpolicyviolations
+  - clusterpolicyviolations/status
+  - policyviolations
+  - policyviolations/status
+  - generaterequests
+  - generaterequests/status
+  verbs:
+  - create
+  - delete
+  - get 
+  - list 
+  - patch
+  - update
+  - watch
+---  
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:policycontroller
+rules:
+# background processing, identify all existing resources
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - get
+  - list
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:generatecontroller
+rules:
+# process generate rules to generate resources
+- apiGroups:
+  - "*"
+  resources:
+  - namespaces
+  - networkpolicies
+  - secrets
+  - configmaps
+  - resourcequotas
+  - limitranges
+  - clusterroles
+  - rolebindings
+  - clusterrolebindings
+  {{- range .Values.generatecontrollerExtraResources }}
+  - {{ . }}
+  {{- end }}
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+# dynamic watches on trigger resources for generate rules
+# re-evaluate the policy if the resource is updated
+- apiGroups:
+  - '*'
+  resources:
+  - namespaces
+  verbs:
+  - watch
+{{- end }}
diff --git a/charts/kyverno/templates/clusterrolebinding.yaml b/charts/kyverno/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..87b413a1b7
--- /dev/null
+++ b/charts/kyverno/templates/clusterrolebinding.yaml
@@ -0,0 +1,66 @@
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:webhook
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:userinfo
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:userinfo
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:customresources
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:customresources
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:policycontroller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:policycontroller
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---  
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:generatecontroller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:generatecontroller
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/kyverno/templates/configmap.yaml b/charts/kyverno/templates/configmap.yaml
new file mode 100644
index 0000000000..cfe30c62ae
--- /dev/null
+++ b/charts/kyverno/templates/configmap.yaml
@@ -0,0 +1,10 @@
+{{- if (not .Values.config.existingConfig) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  name: {{ template "kyverno.configMapName" . }}
+data:
+  # resource types to be skipped by kyverno policy engine
+  resourceFilters: {{ join "" .Values.config.resourceFilters | quote }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml
new file mode 100644
index 0000000000..4e2c115620
--- /dev/null
+++ b/charts/kyverno/templates/deployment.yaml
@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyverno.fullname" . }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
+  replicas: {{ .Values.replicaCount }}
+  template:
+    metadata:
+      labels: {{ include "kyverno.labels" . | nindent 8 }}
+        {{- range $key, $value := .Values.podLabels }}
+        {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- with .Values.podAnnotations }}
+      annotations: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ template "kyverno.serviceAccountName" . }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      {{- end }}
+      initContainers:
+        - name: kyverno-pre
+          image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
+          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
+      containers:
+        - name: kyverno
+          image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.extraArgs }}
+          args: {{ tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .Values.resources }}
+          resources: {{ tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          ports:
+          - containerPort: 443
+            name: https
+            protocol: TCP
+          env:
+          - name: INIT_CONFIG
+            value: {{ template "kyverno.configMapName" . }}
+        {{- with .Values.livenessProbe }}
+          livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
+        {{- end }}
+        {{- with .Values.readinessProbe }}
+          readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
+        {{- end }}
diff --git a/charts/kyverno/templates/secret.yaml b/charts/kyverno/templates/secret.yaml
new file mode 100644
index 0000000000..ad5ba7cf76
--- /dev/null
+++ b/charts/kyverno/templates/secret.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.createSelfSignedCert }}
+{{- $ca := .ca | default (genCA (printf "*.%s.svc" .Release.Namespace) 1024) -}}
+{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) .Release.Namespace) nil nil 1024 $ca -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-ca
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+data:
+  rootCA.crt: {{ $ca.Cert | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-pair
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  annotations:
+    self-signed-cert: "true"
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $cert.Key | b64enc }}
+  tls.crt: {{ $cert.Cert | b64enc }}
+{{- end -}}
diff --git a/charts/kyverno/templates/service.yaml b/charts/kyverno/templates/service.yaml
new file mode 100644
index 0000000000..45c6889180
--- /dev/null
+++ b/charts/kyverno/templates/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.serviceName" . }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations: {{ tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+  - port: {{ .Values.service.port }}
+    targetPort: https
+    protocol: TCP
+    name: https
+    {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
+    nodePort: {{ .Values.service.nodePort }}
+    {{- end }}
+  selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
+  type: {{ .Values.service.type }}
diff --git a/charts/kyverno/templates/serviceaccount.yaml b/charts/kyverno/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..8a77c6ec59
--- /dev/null
+++ b/charts/kyverno/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.rbac.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kyverno.serviceAccountName" . }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  {{- if .Values.rbac.serviceAccount.annotations }}
+  annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
new file mode 100644
index 0000000000..85a79299d6
--- /dev/null
+++ b/charts/kyverno/values.yaml
@@ -0,0 +1,126 @@
+nameOverride:
+fullnameOverride:
+
+rbac:
+  create: true
+  serviceAccount:
+    create: true
+    name:
+    annotations: {}
+    #   example.com/annotation: value
+
+image:
+  repository: nirmata/kyverno
+  # Defaults to appVersion in Chart.yaml if omitted
+  tag:
+  pullPolicy: IfNotPresent
+  pullSecrets: []
+  # - secretName
+initImage:
+  repository: nirmata/kyvernopre
+  # If initImage.tag is missing, defaults to image.tag
+  tag:
+  # If initImage.pullPolicy is missing, defaults to image.pullPolicy
+  pullPolicy:
+  # No pull secrets just for initImage; just add to image.pullSecrets
+
+replicaCount: 1
+
+podLabels: {}
+#   example.com/label: foo
+
+podAnnotations: {}
+#   example.com/annotation: foo
+
+podSecurityContext: {}
+
+affinity: {}
+nodeSelector: {}
+tolerations: []
+
+extraArgs: []
+# - --fqdn-as-cn
+# - --webhooktimeout=4
+
+resources:
+#   limits:
+#     cpu: 1000m
+#     memory: 500Mi
+#   requests:
+#     cpu: 100m
+#     memory: 100Mi
+
+## Liveness Probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+##
+livenessProbe:
+#   httpGet:
+#     path: /healthz
+#     port: https
+#     scheme: HTTPS
+#   initialDelaySeconds: 10
+#   periodSeconds: 10
+#   timeoutSeconds: 5
+#   failureThreshold: 2
+#   successThreshold: 1
+
+## Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+##
+readinessProbe:
+#   httpGet:
+#     path: /healthz
+#     port: https
+#     scheme: HTTPS
+#   initialDelaySeconds: 5
+#   periodSeconds: 10
+#   timeoutSeconds: 5
+#   failureThreshold: 6
+#   successThreshold: 1
+
+# TODO(mbarrien): Should we just list all resources for the
+# generatecontroller in here rather than having defaults hard-coded?
+generatecontrollerExtraResources:
+# - ResourceA
+# - ResourceB
+
+config:
+  # resource types to be skipped by kyverno policy engine
+  # Make sure to surround each entry in quotes so that it doesn't get parsed
+  # as a nested YAML list. These are joined together without spaces in the configmap
+  resourceFilters:
+  - "[Event,*,*]"
+  - "[*,kube-system,*]"
+  - "[*,kube-public,*]"
+  - "[*,kube-node-lease,*]"
+  - "[Node,*,*]"
+  - "[APIService,*,*]"
+  - "[TokenReview,*,*]"
+  - "[SubjectAccessReview,*,*]"
+  - "[*,kyverno,*]"
+  # Or give the name of an existing config map (ignores default/provided resourceFilters)
+  existingConfig:
+  # existingConfig: init-config
+
+service:
+  port: 443
+  type: ClusterIP
+  # Only used if service.type is NodePort
+  nodePort:
+  ## Provide any additional annotations which may be required. This can be used to
+  ## set the LoadBalancer service type to internal only.
+  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+  ##
+  annotations: {}
+
+# Kyverno requires a certificate key pair and corresponding certificate authority
+# to properly register its webhooks. This can be done in one of 3 ways:
+# 1) Use kube-controller-manager to generate a CA-signed certificate (preferred)
+# 2) Provide your own CA and cert.
+#    In this case, you will need to create a certificate with a specific name and data structure.
+#    As long as you follow the naming scheme, it will be automatically picked up.
+#    kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt)
+#    kyverno-svc.kyverno.svc.kyverno-tls-key-pair (with data entries named tls.key and tls.crt)
+# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
+# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
+createSelfSignedCert: false
\ No newline at end of file

From 3a146a595288bb1e5c8c630e9edbd7de7fc172db Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 13 May 2020 10:06:21 +0530
Subject: [PATCH 128/201] 744 added not found error type

---
 pkg/engine/variables/vars.go | 14 +++++++++++++-
 pkg/policy/background.go     |  7 ++++---
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go
index 3f519a9a73..b57bfbfd7b 100644
--- a/pkg/engine/variables/vars.go
+++ b/pkg/engine/variables/vars.go
@@ -70,6 +70,15 @@ func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interfac
 	return patternList, nil
 }
 
+type NotFoundVariableErr struct {
+	variable string
+	path     string
+}
+
+func (n NotFoundVariableErr) Error() string {
+	return fmt.Sprintf("could not find variable %v at path %v", n.variable, n.path)
+}
+
 // subValR resolves the variables if defined
 func subValR(ctx context.EvalInterface, valuePattern string, path string) (interface{}, error) {
 	originalPattern := valuePattern
@@ -92,7 +101,10 @@ func subValR(ctx context.EvalInterface, valuePattern string, path string) (inter
 						}
 						return nil, fmt.Errorf("failed to resolve %v at path %s", underlyingVariable, path)
 					}
-					return nil, fmt.Errorf("could not find variable %v at path %v", underlyingVariable, path)
+					return nil, NotFoundVariableErr{
+						variable: underlyingVariable,
+						path:     path,
+					}
 				}
 			}
 		} else {
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index 639281f075..a495cfaa60 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -2,7 +2,6 @@ package policy
 
 import (
 	"fmt"
-	"strings"
 
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
@@ -69,12 +68,14 @@ func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 
 func checkNotFoundErr(err error) bool {
 	if err != nil {
-		if strings.HasPrefix(err.Error(), "could not find variable") {
+		switch err.(type) {
+		case variables.NotFoundVariableErr:
 			return true
-		} else {
+		default:
 			return false
 		}
 	}
+
 	return true
 }
 

From 5461b63a258953b71d0db7f62bace1f81f622d71 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 13 May 2020 10:27:08 +0530
Subject: [PATCH 129/201] 744 removed uneeded comment

---
 pkg/engine/context/context.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index bfa48b9670..732b4eeb48 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -65,7 +65,6 @@ func (ctx *Context) AddJSON(dataRaw []byte) error {
 	return nil
 }
 
-//AddResource data at path: request.object
 func (ctx *Context) AddRequest(request *v1beta1.AdmissionRequest) error {
 	modifiedResource := struct {
 		Request interface{} `json:"request"`

From b328dc6ff1fb7a14a4d263872501826230c3f261 Mon Sep 17 00:00:00 2001
From: Michael Barrientos <mbarrientos@chanzuckerberg.com>
Date: Wed, 13 May 2020 02:15:36 -0700
Subject: [PATCH 130/201] Fix Helm chart README.md for Helm 3

---
 charts/kyverno/README.md | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 20747b4b43..a3f02629f9 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -11,7 +11,7 @@
 ## TL;DR;
 
 ```console
-$ helm install -n kyverno ./kyverno
+$ helm install --create-namespace -n kyverno kyverno ./kyverno
 ```
 
 ## Introduction
@@ -23,9 +23,11 @@ This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.i
 Kyverno makes assumptions about naming of namespaces and resources. Therefore, the chart must be installed with the default release name `kyverno` (default if --name is omitted) and in the namespace 'kyverno':
 
 ```console
-$ helm install --namespace kyverno --name kyverno ./kyverno
+$ helm install --namespace kyverno kyverno ./kyverno
 ```
 
+Note that Helm by default expects the namespace to already exist before running helm install. If you want Helm to create the namespace, add --create-namespace to the command.
+
 The command deploys kyverno on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
 
 ## Uninstalling the Chart
@@ -33,7 +35,7 @@ The command deploys kyverno on the Kubernetes cluster in the default configurati
 To uninstall/delete the `kyverno` deployment:
 
 ```console
-$ helm delete -n kyverno
+$ helm delete -n kyverno kyverno
 ```
 
 The command removes all the Kubernetes components associated with the chart and deletes the release.
@@ -83,14 +85,14 @@ Parameter | Description | Default
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
 ```console
-$ helm install --namespace kyverno --name kyverno ./kyverno \
+$ helm install --namespace kyverno kyverno ./kyverno \
   --set=image.tag=v0.0.2,resources.limits.cpu=200m
 ```
 
 Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
 
 ```console
-$ helm install --namespace kyverno --name kyverno ./kyverno -f values.yaml
+$ helm install --namespace kyverno kyverno ./kyverno -f values.yaml
 ```
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
@@ -99,4 +101,4 @@ $ helm install --namespace kyverno --name kyverno ./kyverno -f values.yaml
 
 If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate describe in option 2 of the [installation documentation](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#option-2-use-your-own-ca-signed-certificate)
 
-If `createSelfSignedCert` is `false`, Kyverno will generate a pair using the kube-controller-manager., or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the documentation.
\ No newline at end of file
+If `createSelfSignedCert` is `false`, Kyverno will generate a pair using the kube-controller-manager., or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the documentation.

From 63b3f81e674f17e43bd7483d5c160d11caeaa3c3 Mon Sep 17 00:00:00 2001
From: shravan <shravan.ss@zopsmart.com>
Date: Wed, 13 May 2020 15:53:26 +0530
Subject: [PATCH 131/201] chart readme fixes

---
 charts/kyverno/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index a3f02629f9..2c34eba456 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -11,7 +11,7 @@
 ## TL;DR;
 
 ```console
-$ helm install --create-namespace -n kyverno kyverno ./kyverno
+$ helm install --create-namespace -n kyverno kyverno ./charts/kyverno
 ```
 
 ## Introduction
@@ -23,7 +23,7 @@ This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.i
 Kyverno makes assumptions about naming of namespaces and resources. Therefore, the chart must be installed with the default release name `kyverno` (default if --name is omitted) and in the namespace 'kyverno':
 
 ```console
-$ helm install --namespace kyverno kyverno ./kyverno
+$ helm install --namespace kyverno kyverno ./charts/kyverno
 ```
 
 Note that Helm by default expects the namespace to already exist before running helm install. If you want Helm to create the namespace, add --create-namespace to the command.
@@ -85,14 +85,14 @@ Parameter | Description | Default
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
 ```console
-$ helm install --namespace kyverno kyverno ./kyverno \
+$ helm install --namespace kyverno kyverno ./charts/kyverno \
   --set=image.tag=v0.0.2,resources.limits.cpu=200m
 ```
 
 Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
 
 ```console
-$ helm install --namespace kyverno kyverno ./kyverno -f values.yaml
+$ helm install --namespace kyverno kyverno ./charts/kyverno -f values.yaml
 ```
 
 > **Tip**: You can use the default [values.yaml](values.yaml)

From 6f039147c8d593370ae3c7693666ec7bde33a3ed Mon Sep 17 00:00:00 2001
From: shuting <shutting06@gmail.com>
Date: Thu, 14 May 2020 12:32:11 -0700
Subject: [PATCH 132/201] fix 843 (#844)

---
 pkg/dclient/client.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go
index a05204ef60..e660ad797a 100644
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@@ -52,7 +52,7 @@ func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}
 		client:       dclient,
 		clientConfig: config,
 		kclient:      kclient,
-		log:          log.WithName("Client"),
+		log:          log.WithName("dclient"),
 	}
 	// Set discovery client
 	discoveryClient := ServerPreferredResources{cachedClient: memory.NewMemCacheClient(kclient.Discovery()), log: client.log}
@@ -292,8 +292,7 @@ func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface, log l
 	emptyGVR := schema.GroupVersionResource{}
 	serverresources, err := cdi.ServerPreferredResources()
 	if err != nil {
-		logger.Error(err, "failed to get registered preferred resources")
-		return emptyGVR, err
+		logger.V(4).Info("failed to get registered preferred resources", "err", err.Error())
 	}
 	for _, serverresource := range serverresources {
 		for _, resource := range serverresource.APIResources {

From ddf89b4803e13021bbf8353d0d2fc14906a8ab09 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 13:11:28 -0700
Subject: [PATCH 133/201] - fix 811; - suppress log

---
 Makefile                 |  2 +-
 definitions/install.yaml |  2 +-
 pkg/webhooks/mutation.go |  4 +++-
 pkg/webhooks/server.go   | 26 ++++++++++++++++++++++++--
 4 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index 824f8b92e4..337e4fef43 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,7 @@ TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
 
 REGISTRY=index.docker.io
 REPO=$(REGISTRY)/nirmata/kyverno
-IMAGE_TAG=$(GIT_VERSION)
+IMAGE_TAG?=$(GIT_VERSION)
 GOOS ?= $(shell go env GOOS)
 PACKAGE ?=github.com/nirmata/kyverno
 LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
diff --git a/definitions/install.yaml b/definitions/install.yaml
index b8950c12e6..5fcc327d47 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -712,7 +712,7 @@ spec:
         - name: kyverno
           image: nirmata/kyverno:v1.1.5
           args:
-          - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
+          - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
           # customize webhook timout
           # - "--webhooktimeout=4"
           ports:
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 0afdefa90a..a058bd852f 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -72,7 +72,9 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 		}
 		// gather patches
 		patches = append(patches, engineResponse.GetPatches()...)
-		logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name)
+		if len(engineResponse.GetPatches()) != 0 {
+			logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name)
+		}
 
 		policyContext.NewResource = engineResponse.PatchedResource
 	}
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index f1517ef66f..9171dda8f5 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -193,7 +193,7 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 }
 
 func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger := ws.log.WithName("handleMutateAdmissionRequest").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
@@ -288,7 +288,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 }
 
 func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
-	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+	logger := ws.log.WithName("handleValidateAdmissionRequest").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
@@ -307,6 +307,28 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 		}
 	}
 
+	resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+	if err != nil {
+		logger.Error(err, "failed to convert RAW resource to unstructured format")
+
+		return &v1beta1.AdmissionResponse{
+			Allowed: false,
+			Result: &metav1.Status{
+				Status:  "Failure",
+				Message: err.Error(),
+			},
+		}
+	}
+
+	if checkPodTemplateAnn(resource) {
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+			Result: &metav1.Status{
+				Status: "Success",
+			},
+		}
+	}
+
 	// VALIDATION
 	ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles)
 	if !ok {

From 0952ccec829e89c8c44f77cfc148ebbd1389e88d Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 14:49:34 -0700
Subject: [PATCH 134/201] set log to higher level

---
 pkg/webhooks/mutation.go   | 2 +-
 pkg/webhooks/validation.go | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index a058bd852f..b2c912b2ae 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -55,7 +55,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	}
 
 	for _, policy := range policies {
-		logger.V(2).Info("evaluating policy", "policy", policy.Name)
+		logger.V(3).Info("evaluating policy", "policy", policy.Name)
 
 		policyContext.Policy = policy
 		engineResponse := engine.Mutate(policyContext)
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index d0b49347ad..a87b7e3133 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -58,7 +58,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	}
 	var engineResponses []response.EngineResponse
 	for _, policy := range policies {
-		logger.V(2).Info("evaluating policy", "policy", policy.Name)
+		logger.V(3).Info("evaluating policy", "policy", policy.Name)
 		policyContext.Policy = policy
 		engineResponse := engine.Validate(policyContext)
 		if reflect.DeepEqual(engineResponse, response.EngineResponse{}) {
@@ -74,6 +74,8 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
 			continue
 		}
+
+		logger.Info("valiadtion rules from policy applied succesfully", "policy", policy.Name)
 	}
 	// If Validation fails then reject the request
 	// no violations will be created on "enforce"

From cc4fa3777ebeba380b4197db99a7396e90cb74df Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 16:57:26 -0700
Subject: [PATCH 135/201] Add crd 1.16+ spec

---
 Makefile                   |  2 +-
 pkg/openapi/crdSync.go     | 69 ++++++++++++++++++++++++++++----------
 pkg/webhooks/mutation.go   |  2 +-
 pkg/webhooks/validation.go |  2 +-
 4 files changed, 54 insertions(+), 21 deletions(-)

diff --git a/Makefile b/Makefile
index 824f8b92e4..337e4fef43 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,7 @@ TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
 
 REGISTRY=index.docker.io
 REPO=$(REGISTRY)/nirmata/kyverno
-IMAGE_TAG=$(GIT_VERSION)
+IMAGE_TAG?=$(GIT_VERSION)
 GOOS ?= $(shell go env GOOS)
 PACKAGE ?=github.com/nirmata/kyverno
 LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 01ccab88bb..c7bed83bf9 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -28,6 +28,36 @@ type crdSync struct {
 	controller *Controller
 }
 
+// crdDefinitionPrior represents CRD's version prior to 1.16
+var crdDefinitionPrior struct {
+	Spec struct {
+		Names struct {
+			Kind string `json:"kind"`
+		} `json:"names"`
+		Validation struct {
+			OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
+		} `json:"validation"`
+	} `json:"spec"`
+}
+
+// crdDefinitionNew represents CRD in version 1.16+
+var crdDefinitionNew struct {
+	Spec struct {
+		Names struct {
+			Kind string `json:"kind"`
+		} `json:"names"`
+		Versions []struct {
+			Schema struct {
+				OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
+			} `json:"schema"`
+			Storage bool `json:"storage"`
+		} `json:"versions"`
+	} `json:"spec"`
+}
+
+var crdVersion struct {
+}
+
 func NewCRDSync(client *client.Client, controller *Controller) *crdSync {
 	if controller == nil {
 		panic(fmt.Errorf("nil controller sent into crd sync"))
@@ -54,7 +84,7 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	c.sync()
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.sync, time.Second*25, stopCh)
+		go wait.Until(c.sync, 10*time.Minute, stopCh)
 	}
 }
 
@@ -90,39 +120,42 @@ func (o *Controller) deleteCRDFromPreviousSync() {
 
 func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 	var err error
-	var crdDefinition struct {
-		Spec struct {
-			Names struct {
-				Kind string `json:"kind"`
-			} `json:"names"`
-			Validation struct {
-				OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
-			} `json:"validation"`
-		} `json:"spec"`
-	}
 
 	crdRaw, _ := json.Marshal(crd.Object)
-	_ = json.Unmarshal(crdRaw, &crdDefinition)
+	_ = json.Unmarshal(crdRaw, &crdDefinitionPrior)
 
-	crdName := crdDefinition.Spec.Names.Kind
+	openV3schema := crdDefinitionPrior.Spec.Validation.OpenAPIV3Schema
+	crdName := crdDefinitionPrior.Spec.Names.Kind
 
-	var schema yaml.MapSlice
-	schemaRaw, _ := json.Marshal(crdDefinition.Spec.Validation.OpenAPIV3Schema)
+	if openV3schema == nil {
+		_ = json.Unmarshal(crdRaw, &crdDefinitionNew)
+		for _, crdVersion := range crdDefinitionNew.Spec.Versions {
+			if crdVersion.Storage {
+				openV3schema = crdVersion.Schema.OpenAPIV3Schema
+				crdName = crdDefinitionNew.Spec.Names.Kind
+				break
+			}
+		}
+	}
+
+	schemaRaw, _ := json.Marshal(openV3schema)
 	if len(schemaRaw) < 1 {
-		log.Log.V(4).Info("could not parse crd schema")
+		log.Log.V(3).Info("could not parse crd schema", "name", crdName)
 		return
 	}
 
 	schemaRaw, err = addingDefaultFieldsToSchema(schemaRaw)
 	if err != nil {
-		log.Log.Error(err, "could not parse crd schema:")
+		log.Log.Error(err, "could not parse crd schema", "name", crdName)
 		return
 	}
+
+	var schema yaml.MapSlice
 	_ = yaml.Unmarshal(schemaRaw, &schema)
 
 	parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil))
 	if err != nil {
-		log.Log.Error(err, "could not parse crd schema:")
+		log.Log.Error(err, "could not parse crd schema", "name", crdName)
 		return
 	}
 
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 0afdefa90a..2a6120bb04 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -55,7 +55,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	}
 
 	for _, policy := range policies {
-		logger.V(2).Info("evaluating policy", "policy", policy.Name)
+		logger.V(3).Info("evaluating policy", "policy", policy.Name)
 
 		policyContext.Policy = policy
 		engineResponse := engine.Mutate(policyContext)
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index d0b49347ad..048b27d140 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -58,7 +58,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	}
 	var engineResponses []response.EngineResponse
 	for _, policy := range policies {
-		logger.V(2).Info("evaluating policy", "policy", policy.Name)
+		logger.V(3).Info("evaluating policy", "policy", policy.Name)
 		policyContext.Policy = policy
 		engineResponse := engine.Validate(policyContext)
 		if reflect.DeepEqual(engineResponse, response.EngineResponse{}) {

From a1957bee4a3bdb641da4f9cc4e806328b727ac3f Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 18:33:52 -0700
Subject: [PATCH 136/201] suppress log

---
 pkg/event/controller.go | 2 +-
 pkg/policy/apply.go     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index a33e50f756..848dad3911 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -67,7 +67,7 @@ func initRecorder(client *client.Client, eventSource Source, log logr.Logger) re
 		return nil
 	}
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(klog.Infof)
+	eventBroadcaster.StartLogging(klog.V(5).Infof)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
 		log.Error(err, "failed to get event interface for logging")
diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index ad60ad5d6d..d8bca269c3 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -22,9 +22,9 @@ import (
 func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) {
 	startTime := time.Now()
 
-	logger.Info("start applying policy", "startTime", startTime)
+	logger.V(3).Info("start applying policy", "startTime", startTime)
 	defer func() {
-		logger.Info("finisnhed applying policy", "processingTime", time.Since(startTime))
+		logger.V(3).Info("finisnhed applying policy", "processingTime", time.Since(startTime))
 	}()
 
 	var engineResponses []response.EngineResponse

From 126fcd738414108669d8283bcc119b986f81bb3f Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 18:51:45 -0700
Subject: [PATCH 137/201] fix error "failed to list resources"

---
 pkg/policy/existing.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index af8dfc09c6..49dfe8019f 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -83,9 +83,14 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 	//	ls := mergeLabelSectors(rule.MatchResources.Selector, rule.ExcludeResources.Selector)
 	// list resources
 	log.V(4).Info("list resources to be processed")
+
+	if kind == "Namespace" {
+		namespace = ""
+	}
+
 	list, err := client.ListResource(kind, namespace, ls)
 	if err != nil {
-		log.Error(err, "failed to list resources", "kind", kind)
+		log.Error(err, "failed to list resources", "kind", kind, "namespace", namespace)
 		return nil
 	}
 	// filter based on name

From ddc9a8389b208caccf96ce0bb5fd4f3fd09f5fec Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 18:54:31 -0700
Subject: [PATCH 138/201] increase background sync period to 5 mins

---
 pkg/policyviolation/generator.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index ed3ffe76a2..0a40b9dad4 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -153,7 +153,7 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(gen.runWorker, time.Second, stopCh)
+		go wait.Until(gen.runWorker, 5*time.Minute, stopCh)
 	}
 	<-stopCh
 }

From eec21ea5caf5fa9136dbcd0167724f8a94f646fa Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Sat, 16 May 2020 21:24:37 -0700
Subject: [PATCH 139/201] Rename function

---
 pkg/webhooks/annotations.go | 2 +-
 pkg/webhooks/server.go      | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/webhooks/annotations.go b/pkg/webhooks/annotations.go
index eddded1cde..c44e03017d 100644
--- a/pkg/webhooks/annotations.go
+++ b/pkg/webhooks/annotations.go
@@ -152,7 +152,7 @@ func annotationFromPolicyResponse(policyResponse response.PolicyResponse, log lo
 }
 
 // checkPodTemplateAnn checks if a Pod has annotation "pod-policies.kyverno.io/autogen-applied"
-func checkPodTemplateAnn(resource unstructured.Unstructured) bool {
+func checkPodTemplateAnnotation(resource unstructured.Unstructured) bool {
 	if resource.GetKind() == "Pod" {
 		ann := resource.GetAnnotations()
 		if _, ok := ann[engine.PodTemplateAnnotation]; ok {
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 9171dda8f5..605198310d 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -226,7 +226,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 		}
 	}
 
-	if checkPodTemplateAnn(resource) {
+	if checkPodTemplateAnnotation(resource) {
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
 			Result: &metav1.Status{
@@ -320,7 +320,7 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 		}
 	}
 
-	if checkPodTemplateAnn(resource) {
+	if checkPodTemplateAnnotation(resource) {
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
 			Result: &metav1.Status{

From fa06cace5ff74fcacb38fe46a1a0300d4d445090 Mon Sep 17 00:00:00 2001
From: shuting <shutting06@gmail.com>
Date: Sat, 16 May 2020 21:29:23 -0700
Subject: [PATCH 140/201] 802 set kind in generate (#846)

* set generate.data.kind from generate.kind

* remove setting generate.data.apiversion
---
 pkg/generate/generate.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go
index aab5ff1ae4..edfc12e0e9 100644
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@@ -247,6 +247,9 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
 	newResource.SetUnstructuredContent(rdata)
 	newResource.SetName(genName)
 	newResource.SetNamespace(genNamespace)
+	if newResource.GetKind() == "" {
+		newResource.SetKind(genKind)
+	}
 
 	// manage labels
 	// - app.kubernetes.io/managed-by: kyverno

From ee1f0f286c24e7ca9950b2e98ab1c41eaa7d09fa Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Sat, 16 May 2020 22:15:09 -0700
Subject: [PATCH 141/201] extract controller resync period to a constant file

---
 pkg/event/controller.go            | 5 ++---
 pkg/generate/cleanup/controller.go | 3 ++-
 pkg/generate/controller.go         | 3 ++-
 pkg/openapi/crdSync.go             | 4 ++--
 pkg/policy/controller.go           | 3 ++-
 pkg/policyviolation/generator.go   | 4 ++--
 pkg/webhooks/generate/generate.go  | 3 ++-
 7 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index 848dad3911..db39f1d9d6 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -1,13 +1,12 @@
 package event
 
 import (
-	"time"
-
 	"github.com/go-logr/logr"
 
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/constant"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -109,7 +108,7 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(gen.runWorker, time.Second, stopCh)
+		go wait.Until(gen.runWorker, constant.EventControllerResync, stopCh)
 	}
 	<-stopCh
 }
diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go
index 2c31254219..a232dd4813 100644
--- a/pkg/generate/cleanup/controller.go
+++ b/pkg/generate/cleanup/controller.go
@@ -8,6 +8,7 @@ import (
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/constant"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -199,7 +200,7 @@ func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
 		return
 	}
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.worker, time.Second, stopCh)
+		go wait.Until(c.worker, constant.GenerateRequestControllerResync, stopCh)
 	}
 	<-stopCh
 }
diff --git a/pkg/generate/controller.go b/pkg/generate/controller.go
index b848609177..a03dfe2734 100644
--- a/pkg/generate/controller.go
+++ b/pkg/generate/controller.go
@@ -8,6 +8,7 @@ import (
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/constant"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/policystatus"
@@ -219,7 +220,7 @@ func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
 		return
 	}
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.worker, time.Second, stopCh)
+		go wait.Until(c.worker, constant.GenerateControllerResync, stopCh)
 	}
 	<-stopCh
 }
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index c7bed83bf9..6edfc03ad1 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"time"
 
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -19,6 +18,7 @@ import (
 	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
 	log "sigs.k8s.io/controller-runtime/pkg/log"
 
+	"github.com/nirmata/kyverno/pkg/constant"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"k8s.io/apimachinery/pkg/util/wait"
 )
@@ -84,7 +84,7 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	c.sync()
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.sync, 10*time.Minute, stopCh)
+		go wait.Until(c.sync, constant.CRDControllerResync, stopCh)
 	}
 }
 
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index 2a471a37fe..ce7504e6c2 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -10,6 +10,7 @@ import (
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/config"
+	"github.com/nirmata/kyverno/pkg/constant"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/policystore"
@@ -261,7 +262,7 @@ func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) {
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(pc.worker, time.Second, stopCh)
+		go wait.Until(pc.worker, constant.PolicyControllerResync, stopCh)
 	}
 	<-stopCh
 }
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index 0a40b9dad4..e25ae23c6f 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -6,7 +6,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"time"
 
 	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -14,6 +13,7 @@ import (
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/constant"
 	"github.com/nirmata/kyverno/pkg/policystatus"
 
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
@@ -153,7 +153,7 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(gen.runWorker, 5*time.Minute, stopCh)
+		go wait.Until(gen.runWorker, constant.PolicyViolationControllerResync, stopCh)
 	}
 	<-stopCh
 }
diff --git a/pkg/webhooks/generate/generate.go b/pkg/webhooks/generate/generate.go
index 3631845541..3e1ded7530 100644
--- a/pkg/webhooks/generate/generate.go
+++ b/pkg/webhooks/generate/generate.go
@@ -8,6 +8,7 @@ import (
 	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
+	"github.com/nirmata/kyverno/pkg/constant"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 )
@@ -60,7 +61,7 @@ func (g *Generator) Run(workers int) {
 		logger.V(4).Info("shutting down")
 	}()
 	for i := 0; i < workers; i++ {
-		go wait.Until(g.process, time.Second, g.stopCh)
+		go wait.Until(g.process, constant.GenerateControllerResync, g.stopCh)
 	}
 	<-g.stopCh
 }

From 231bfade735e5b8de169672430a9c907a9bf0a6a Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Sat, 16 May 2020 23:27:54 -0700
Subject: [PATCH 142/201] add constant.go

---
 pkg/constant/constant.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 pkg/constant/constant.go

diff --git a/pkg/constant/constant.go b/pkg/constant/constant.go
new file mode 100644
index 0000000000..055a4b092e
--- /dev/null
+++ b/pkg/constant/constant.go
@@ -0,0 +1,12 @@
+package constant
+
+import "time"
+
+const (
+	CRDControllerResync             = 10 * time.Minute
+	PolicyViolationControllerResync = 5 * time.Minute
+	PolicyControllerResync          = time.Second
+	EventControllerResync           = time.Second
+	GenerateControllerResync        = time.Second
+	GenerateRequestControllerResync = time.Second
+)

From bc37d27de6ba83b4dee987c1cf24da6866c9b981 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 17 May 2020 09:51:18 -0700
Subject: [PATCH 143/201] remove unnecessary comments and reduce cache resync
 intervals

---
 cmd/kyverno/main.go    | 44 +++++++++++++++++-------------------------
 pkg/policy/existing.go | 35 ++++++++++++++++++++-------------
 2 files changed, 40 insertions(+), 39 deletions(-)

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 83046b6f7c..2413177ad2 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -33,6 +33,8 @@ import (
 	log "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
+const resyncPeriod = 15 * time.Minute
+
 var (
 	kubeconfig                     string
 	serverIP                       string
@@ -61,15 +63,11 @@ func main() {
 
 	// Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542
 	flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR")
-
 	flag.Parse()
 
 	version.PrintVersionInfo(log.Log)
-	// cleanUp Channel
 	cleanUp := make(chan struct{})
-	//  handle os signals
 	stopCh := signal.SetupSignalHandler()
-	// CLIENT CONFIG
 	clientConfig, err := config.CreateClientConfig(kubeconfig, log.Log)
 	if err != nil {
 		setupLog.Error(err, "Failed to build kubeconfig")
@@ -88,39 +86,31 @@ func main() {
 
 	// DYNAMIC CLIENT
 	// - client for all registered resources
-	// - invalidate local cache of registered resource every 10 seconds
-	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh, log.Log)
+	client, err := dclient.NewClient(clientConfig, 5*time.Minute, stopCh, log.Log)
 	if err != nil {
 		setupLog.Error(err, "Failed to create client")
 		os.Exit(1)
 	}
+
 	// CRD CHECK
 	// - verify if the CRD for Policy & PolicyViolation are available
 	if !utils.CRDInstalled(client.DiscoveryClient, log.Log) {
 		setupLog.Error(fmt.Errorf("pre-requisite CRDs not installed"), "Failed to create watch on kyverno CRDs")
 		os.Exit(1)
 	}
-	// KUBERNETES CLIENT
+
 	kubeClient, err := utils.NewKubeClient(clientConfig)
 	if err != nil {
 		setupLog.Error(err, "Failed to create kubernetes client")
 		os.Exit(1)
 	}
 
-	// TODO(shuting): To be removed for v1.2.0
+	// TODO: To be removed for v1.2.0
 	utils.CleanupOldCrd(client, log.Log)
 
-	// KUBERNETES RESOURCES INFORMER
-	// watches namespace resource
-	// - cache resync time: 10 seconds
-	kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(
-		kubeClient,
-		10*time.Second)
-	// KUBERNETES Dynamic informer
-	// - cahce resync time: 10 seconds
-	kubedynamicInformer := client.NewDynamicSharedInformerFactory(10 * time.Second)
+	kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, resyncPeriod)
+	kubedynamicInformer := client.NewDynamicSharedInformerFactory(resyncPeriod)
 
-	// WERBHOOK REGISTRATION CLIENT
 	webhookRegistrationClient := webhookconfig.NewWebhookRegistrationClient(
 		clientConfig,
 		client,
@@ -143,10 +133,7 @@ func main() {
 	// watches CRD resources:
 	//		- Policy
 	//		- PolicyVolation
-	// - cache resync time: 10 seconds
-	pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(
-		pclient,
-		10*time.Second)
+	pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(pclient, resyncPeriod)
 
 	// Configuration Data
 	// dynamically load the configuration from configMap
@@ -187,8 +174,7 @@ func main() {
 	// POLICY CONTROLLER
 	// - reconciliation policy and policy violation
 	// - process policy on existing resources
-	// - status aggregator: receives stats when a policy is applied
-	//					    & updates the policy status
+	// - status aggregator: receives stats when a policy is applied & updates the policy status
 	pc, err := policy.NewPolicyController(pclient,
 		client,
 		pInformer.Kyverno().V1().ClusterPolicies(),
@@ -201,6 +187,7 @@ func main() {
 		rWebhookWatcher,
 		log.Log.WithName("PolicyController"),
 	)
+
 	if err != nil {
 		setupLog.Error(err, "Failed to create policy controller")
 		os.Exit(1)
@@ -222,6 +209,7 @@ func main() {
 		statusSync.Listener,
 		log.Log.WithName("GenerateController"),
 	)
+
 	// GENERATE REQUEST CLEANUP
 	// -- cleans up the generate requests that have not been processed(i.e. state = [Pending, Failed]) for more than defined timeout
 	grcc := generatecleanup.NewController(
@@ -257,7 +245,7 @@ func main() {
 	}
 
 	// Sync openAPI definitions of resources
-	openApiSync := openapi.NewCRDSync(client, openAPIController)
+	openAPISync := openapi.NewCRDSync(client, openAPIController)
 
 	// WEBHOOOK
 	// - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration
@@ -284,10 +272,12 @@ func main() {
 		log.Log.WithName("WebhookServer"),
 		openAPIController,
 	)
+
 	if err != nil {
 		setupLog.Error(err, "Failed to create webhook server")
 		os.Exit(1)
 	}
+
 	// Start the components
 	pInformer.Start(stopCh)
 	kubeInformer.Start(stopCh)
@@ -302,7 +292,7 @@ func main() {
 	go grcc.Run(1, stopCh)
 	go pvgen.Run(1, stopCh)
 	go statusSync.Run(1, stopCh)
-	openApiSync.Run(1, stopCh)
+	openAPISync.Run(1, stopCh)
 
 	// verifys if the admission control is enabled and active
 	// resync: 60 seconds
@@ -319,8 +309,10 @@ func main() {
 	defer func() {
 		cancel()
 	}()
+
 	// cleanup webhookconfigurations followed by webhook shutdown
 	server.Stop(ctx)
+
 	// resource cleanup
 	// remove webhook configurations
 	<-cleanUp
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index af8dfc09c6..3af6c6f67e 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -53,26 +53,35 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHa
 	resourceMap := map[string]unstructured.Unstructured{}
 
 	for _, rule := range policy.Spec.Rules {
-		// resources that match
 		for _, k := range rule.MatchResources.Kinds {
-			var namespaces []string
-			if len(rule.MatchResources.Namespaces) > 0 {
-				namespaces = append(namespaces, rule.MatchResources.Namespaces...)
-				log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces)
-			} else {
-				log.V(4).Info("processing all namespaces", "rule", rule.Name)
-				// get all namespaces
-				namespaces = getAllNamespaces(client, log)
+
+			resourceSchema, _, err := client.DiscoveryClient.FindResource(k)
+			if err != nil {
+				log.Error(err, "failed to find resource", "kind", k)
+				continue
 			}
 
-			// get resources in the namespaces
-			for _, ns := range namespaces {
-				rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log)
+			if !resourceSchema.Namespaced {
+				rMap := getResourcesPerNamespace(k, client, "", rule, configHandler, log)
 				mergeresources(resourceMap, rMap)
-			}
+			} else {
+				var namespaces []string
+				if len(rule.MatchResources.Namespaces) > 0 {
+					log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces)
+					namespaces = append(namespaces, rule.MatchResources.Namespaces...)
+				} else {
+					log.V(4).Info("processing all namespaces", "rule", rule.Name)
+					namespaces = getAllNamespaces(client, log)
+				}
 
+				for _, ns := range namespaces {
+					rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log)
+					mergeresources(resourceMap, rMap)
+				}
+			}
 		}
 	}
+
 	return resourceMap
 }
 

From bf1aaba99b57320ef1411197ae33bcc7d943dee3 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 17 May 2020 09:51:46 -0700
Subject: [PATCH 144/201] allow cross platform builds

---
 Makefile                              |  4 +++
 pkg/policy/controller.go              | 37 +++++++++++++++++----------
 pkg/webhookconfig/rwebhookregister.go |  2 +-
 3 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/Makefile b/Makefile
index 824f8b92e4..1dcc807402 100644
--- a/Makefile
+++ b/Makefile
@@ -53,6 +53,10 @@ docker-push-initContainer:
 .PHONY: docker-build-kyverno docker-tag-repo-kyverno docker-push-kyverno
 KYVERNO_PATH := cmd/kyverno
 KYVERNO_IMAGE := kyverno
+
+local:
+	go build -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/
+
 kyverno:
 	GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/main.go
 
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index 2a471a37fe..a0d3934be3 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -206,6 +206,7 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 			return
 		}
 	}
+
 	logger.V(4).Info("updating policy", "name", oldP.Name)
 	pc.enqueuePolicy(curP)
 }
@@ -225,11 +226,13 @@ func (pc *PolicyController) deletePolicy(obj interface{}) {
 			return
 		}
 	}
+
 	logger.V(4).Info("deleting policy", "name", p.Name)
 	// Unregister from policy meta-store
 	if err := pc.pMetaStore.UnRegister(*p); err != nil {
 		logger.Error(err, "failed to unregister policy", "name", p.Name)
 	}
+
 	// we process policies that are not set of background processing as we need to perform policy violation
 	// cleanup when a policy is deleted.
 	pc.enqueuePolicy(p)
@@ -263,6 +266,7 @@ func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) {
 	for i := 0; i < workers; i++ {
 		go wait.Until(pc.worker, time.Second, stopCh)
 	}
+
 	<-stopCh
 }
 
@@ -315,49 +319,54 @@ func (pc *PolicyController) syncPolicy(key string) error {
 	defer func() {
 		logger.V(4).Info("finished syncing policy", "key", key, "processingTime", time.Since(startTime))
 	}()
+
 	policy, err := pc.pLister.Get(key)
 	if errors.IsNotFound(err) {
-		logger.V(2).Info("policy deleted", "key", key)
-		// delete cluster policy violation
-		if err := pc.deleteClusterPolicyViolations(key); err != nil {
-			return err
-		}
-		// delete namespaced policy violation
-		if err := pc.deleteNamespacedPolicyViolations(key); err != nil {
-			return err
-		}
+		go pc.deletePolicyViolations(key)
 
 		// remove webhook configurations if there are no policies
 		if err := pc.removeResourceWebhookConfiguration(); err != nil {
 			// do not fail, if unable to delete resource webhook config
 			logger.Error(err, "failed to remove resource webhook configurations")
 		}
+
 		return nil
 	}
+
 	if err != nil {
 		return err
 	}
 
 	pc.resourceWebhookWatcher.RegisterResourceWebhook()
 
-	// process policies on existing resources
 	engineResponses := pc.processExistingResources(*policy)
-	// report errors
 	pc.cleanupAndReport(engineResponses)
 
 	return nil
 }
 
+func (pc *PolicyController) deletePolicyViolations(key string) {
+	if err := pc.deleteClusterPolicyViolations(key); err != nil {
+		pc.log.Error(err, "failed to delete policy violation", "key", key)
+	}
+
+	if err := pc.deleteNamespacedPolicyViolations(key); err != nil {
+		pc.log.Error(err, "failed to delete policy violation", "key", key)
+	}
+}
+
 func (pc *PolicyController) deleteClusterPolicyViolations(policy string) error {
 	cpvList, err := pc.getClusterPolicyViolationForPolicy(policy)
 	if err != nil {
 		return err
 	}
+
 	for _, cpv := range cpvList {
 		if err := pc.pvControl.DeleteClusterPolicyViolation(cpv.Name); err != nil {
-			return err
+			pc.log.Error(err, "failed to delete policy violation", "name", cpv.Name)
 		}
 	}
+
 	return nil
 }
 
@@ -366,11 +375,13 @@ func (pc *PolicyController) deleteNamespacedPolicyViolations(policy string) erro
 	if err != nil {
 		return err
 	}
+
 	for _, nspv := range nspvList {
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(nspv.Namespace, nspv.Name); err != nil {
-			return err
+			pc.log.Error(err, "failed to delete policy violation", "name", nspv.Name)
 		}
 	}
+
 	return nil
 }
 
diff --git a/pkg/webhookconfig/rwebhookregister.go b/pkg/webhookconfig/rwebhookregister.go
index a312e07277..06e2e51c57 100644
--- a/pkg/webhookconfig/rwebhookregister.go
+++ b/pkg/webhookconfig/rwebhookregister.go
@@ -121,7 +121,7 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error {
 		if err != nil {
 			return err
 		}
-		logger.V(3).Info("emoved mutating resource webhook configuration")
+		logger.V(3).Info("removed mutating resource webhook configuration")
 	}
 
 	if rww.RunValidationInMutatingWebhook != "true" {

From b463dbf6a8ce4664721f3dab7513b92628641909 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 17 May 2020 09:54:13 -0700
Subject: [PATCH 145/201] - allow fetching resource from dynamic client -

---
 pkg/dclient/client.go | 68 +++++++++++++++++++++++++------------------
 1 file changed, 40 insertions(+), 28 deletions(-)

diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go
index e660ad797a..a074b767c5 100644
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@@ -221,6 +221,7 @@ func convertToCSR(obj *unstructured.Unstructured) (*certificates.CertificateSign
 
 //IDiscovery provides interface to mange Kind and GVR mapping
 type IDiscovery interface {
+	FindResource(kind string) (*meta.APIResource, schema.GroupVersionResource, error)
 	GetGVRFromKind(kind string) schema.GroupVersionResource
 	GetServerVersion() (*version.Info, error)
 	OpenAPISchema() (*openapi_v2.Document, error)
@@ -257,56 +258,67 @@ func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struc
 	}
 }
 
+// OpenAPISchema returns the API server OpenAPI schema document
 func (c ServerPreferredResources) OpenAPISchema() (*openapi_v2.Document, error) {
 	return c.cachedClient.OpenAPISchema()
 }
 
-//GetGVRFromKind get the Group Version Resource from kind
-// if kind is not found in first attempt we invalidate the cache,
-// the retry will then fetch the new registered resources and check again
-// if not found after 2 attempts, we declare kind is not found
-// kind is Case sensitive
+// GetGVRFromKind get the Group Version Resource from kind
 func (c ServerPreferredResources) GetGVRFromKind(kind string) schema.GroupVersionResource {
-	var gvr schema.GroupVersionResource
-	var err error
-	gvr, err = loadServerResources(kind, c.cachedClient, c.log)
-	if err != nil && !c.cachedClient.Fresh() {
-
-		// invalidate cahce & re-try once more
-		c.cachedClient.Invalidate()
-		gvr, err = loadServerResources(kind, c.cachedClient, c.log)
-		if err == nil {
-			return gvr
-		}
+	_, gvr, err := c.FindResource(kind)
+	if err != nil {
+		return schema.GroupVersionResource{}
 	}
+
 	return gvr
 }
 
-//GetServerVersion returns the server version of the cluster
+// GetServerVersion returns the server version of the cluster
 func (c ServerPreferredResources) GetServerVersion() (*version.Info, error) {
 	return c.cachedClient.ServerVersion()
 }
 
-func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface, log logr.Logger) (schema.GroupVersionResource, error) {
-	logger := log.WithName("loadServerResources")
-	emptyGVR := schema.GroupVersionResource{}
-	serverresources, err := cdi.ServerPreferredResources()
-	if err != nil {
-		logger.V(4).Info("failed to get registered preferred resources", "err", err.Error())
+// FindResource finds an API resource that matches 'kind'. If the resource is not
+// found and the Cache is not fresh, the cache is invalidated and a retry is attempted
+func (c ServerPreferredResources) FindResource(kind string) (*meta.APIResource, schema.GroupVersionResource, error) {
+	r, gvr, err := c.findResource(kind)
+	if err == nil {
+		return r, gvr, nil
 	}
+
+	if !c.cachedClient.Fresh() {
+		c.cachedClient.Invalidate()
+		if r, gvr, err = c.findResource(kind); err == nil {
+			return r, gvr, nil
+		}
+	}
+
+	c.log.Error(err, "failed to find resource", "kind", kind)
+	return nil, schema.GroupVersionResource{}, err
+}
+
+func (c ServerPreferredResources) findResource(k string) (*meta.APIResource, schema.GroupVersionResource, error) {
+	serverresources, err := c.cachedClient.ServerPreferredResources()
+	if err != nil {
+		c.log.Error(err, "failed to get registered preferred resources")
+		return nil, schema.GroupVersionResource{}, err
+	}
+
 	for _, serverresource := range serverresources {
 		for _, resource := range serverresource.APIResources {
-			// skip the resource names with "/", to avoid comparison with subresources
 
+			// skip the resource names with "/", to avoid comparison with subresources
 			if resource.Kind == k && !strings.Contains(resource.Name, "/") {
 				gv, err := schema.ParseGroupVersion(serverresource.GroupVersion)
 				if err != nil {
-					logger.Error(err, "failed to parse groupVersion from schema", "groupVersion", serverresource.GroupVersion)
-					return emptyGVR, err
+					c.log.Error(err, "failed to parse groupVersion", "groupVersion", serverresource.GroupVersion)
+					return nil, schema.GroupVersionResource{}, err
 				}
-				return gv.WithResource(resource.Name), nil
+
+				return &resource, gv.WithResource(resource.Name), nil
 			}
 		}
 	}
-	return emptyGVR, fmt.Errorf("kind '%s' not found", k)
+
+	return nil, schema.GroupVersionResource{}, fmt.Errorf("kind '%s' not found", k)
 }

From 993bad7b65d663cc65f8803c59631f3a3b98a5ea Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 17 May 2020 09:54:32 -0700
Subject: [PATCH 146/201] improve comments

---
 pkg/policy/apply.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index ad60ad5d6d..6ec7666c70 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -21,10 +21,14 @@ import (
 //TODO: generation rules
 func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) {
 	startTime := time.Now()
-
-	logger.Info("start applying policy", "startTime", startTime)
 	defer func() {
-		logger.Info("finisnhed applying policy", "processingTime", time.Since(startTime))
+		name := resource.GetKind() + "/" + resource.GetName()
+		ns := resource.GetNamespace()
+		if ns != "" {
+			name = ns + "/" + name
+		}
+
+		logger.V(3).Info("applyPolicy", "resource", name, "processingTime", time.Since(startTime))
 	}()
 
 	var engineResponses []response.EngineResponse

From 304c75403e2231aa9f0ff8c645b1e99fa0cceb59 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 17 May 2020 14:37:05 -0700
Subject: [PATCH 147/201] - skip resource schema validation when no mutate
 rules are applied - cleanup webhook registration logic and logs

---
 go.mod                                |   1 +
 go.sum                                |   9 +++
 pkg/checker/checker.go                |  28 ++++---
 pkg/checker/status.go                 |  41 ++++++----
 pkg/dclient/client.go                 |   2 +-
 pkg/webhookconfig/checker.go          |  18 +++--
 pkg/webhookconfig/registration.go     |  48 +++++++-----
 pkg/webhookconfig/resource.go         |  23 ++++--
 pkg/webhookconfig/rwebhookregister.go | 104 ++++++++++++++------------
 pkg/webhooks/mutation.go              |  27 +++++--
 pkg/webhooks/policymutation.go        |  16 ++--
 pkg/webhooks/server.go                |  48 ++++++------
 pkg/webhooks/validation.go            |  17 ++++-
 13 files changed, 237 insertions(+), 145 deletions(-)

diff --git a/go.mod b/go.mod
index f8dcbdf549..5ea14164c1 100644
--- a/go.mod
+++ b/go.mod
@@ -14,6 +14,7 @@ require (
 	github.com/json-iterator/go v1.1.9 // indirect
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/minio/minio v0.0.0-20200114012931-30922148fbb5
+	github.com/rogpeppe/godef v1.1.2 // indirect
 	github.com/spf13/cobra v0.0.5
 	github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5
 	golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 // indirect
diff --git a/go.sum b/go.sum
index a8e3e37eb8..fd8613ac08 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+9fans.net/go v0.0.0-20181112161441-237454027057 h1:OcHlKWkAMJEF1ndWLGxp5dnJQkYM/YImUOvsBoz6h5E=
+9fans.net/go v0.0.0-20181112161441-237454027057/go.mod h1:diCsxrliIURU9xsYtjCp5AbpQKqdhKmf0ujWDUSkfoY=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -732,6 +734,8 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/rogpeppe/go-internal v1.0.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/godef v1.1.2 h1:c5mCx0EcCORJOdVMREX7Lgh1raTxAHFmOfXdEB9u8Jw=
+github.com/rogpeppe/godef v1.1.2/go.mod h1:WtY9A/ovuQ+UakAJ1/CEqwwulX/WJjb2kgkokCHi/GY=
 github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/rubenv/sql-migrate v0.0.0-20190212093014-1007f53448d7/go.mod h1:WS0rl9eEliYI8DPnr3TOwz4439pay+qNgzJoVya/DmY=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
@@ -872,6 +876,7 @@ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 h1:nVJ3guKA9qdkEQ3TUdXI9QSINo2CUPM/cySEvw2w8I0=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -886,6 +891,7 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180816102801-aaf60122140d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1036,7 +1042,10 @@ golang.org/x/tools v0.0.0-20190624190245-7f2218787638/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190711191110-9a621aea19f8/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
 golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200226224502-204d844ad48d h1:loGv/4fxITSrCD4t2P8ZF4oUC4RlRFDAsczcoUS2g6c=
+golang.org/x/tools v0.0.0-20200226224502-204d844ad48d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
diff --git a/pkg/checker/checker.go b/pkg/checker/checker.go
index 16b8276d40..b0a3016b31 100644
--- a/pkg/checker/checker.go
+++ b/pkg/checker/checker.go
@@ -1,6 +1,7 @@
 package checker
 
 import (
+	"fmt"
 	"sync"
 	"time"
 
@@ -32,10 +33,11 @@ func (t *LastReqTime) Time() time.Time {
 	return t.t
 }
 
-//SetTime stes the lastrequest time
+//SetTime updates the lastrequest time
 func (t *LastReqTime) SetTime(tm time.Time) {
 	t.mu.Lock()
 	defer t.mu.Unlock()
+
 	t.t = tm
 }
 
@@ -52,6 +54,7 @@ func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolic
 	if err != nil {
 		log.Error(err, "failed to list cluster policies")
 	}
+
 	for _, policy := range policies {
 		if policy.HasMutateOrValidateOrGenerate() {
 			// as there exists one policy with mutate or validate rule
@@ -59,13 +62,14 @@ func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolic
 			return true
 		}
 	}
+
 	return false
 }
 
 //Run runs the checker and verify the resource update
 func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen event.Interface, client *dclient.Client, defaultResync time.Duration, deadline time.Duration, stopCh <-chan struct{}) {
 	logger := t.log
-	logger.V(2).Info("tarting default resync for webhook checker", "resyncTime", defaultResync)
+	logger.V(4).Info("starting default resync for webhook checker", "resyncTime", defaultResync)
 	maxDeadline := deadline * time.Duration(MaxRetryCount)
 	ticker := time.NewTicker(defaultResync)
 	/// interface to update and increment kyverno webhook status via annotations
@@ -85,35 +89,37 @@ func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen ev
 	for {
 		select {
 		case <-ticker.C:
-			// if there are no policies then we dont have a webhook on resource.
-			// we indirectly check if the resource
 			if !checkIfPolicyWithMutateAndGenerateExists(pLister, logger) {
 				continue
 			}
-			// get current time
+
 			timeDiff := time.Since(t.Time())
 			if timeDiff > maxDeadline {
-				logger.Info("request exceeded max deadline", "deadline", maxDeadline)
-				logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
-				// set the status unavailable
+				err := fmt.Errorf("Admission control configuration error")
+				logger.Error(err, "webhook check failed", "deadline", maxDeadline)
 				if err := statuscontrol.FailedStatus(); err != nil {
-					logger.Error(err, "failed to set 'failed' status")
+					logger.Error(err, "error setting webhook check status to failed")
 				}
+
 				continue
 			}
+
 			if timeDiff > deadline {
-				logger.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations")
+				logger.V(3).Info("webhook check deadline exceeded", "deadline", deadline)
 				// send request to update the kyverno deployment
 				if err := statuscontrol.IncrementAnnotation(); err != nil {
 					logger.Error(err, "failed to increment annotation")
 				}
+
 				continue
 			}
+
 			// if the status was false before then we update it to true
 			// send request to update the kyverno deployment
 			if err := statuscontrol.SuccessStatus(); err != nil {
-				logger.Error(err, "failed to update success status")
+				logger.Error(err, "error setting webhook check status to success")
 			}
+
 		case <-stopCh:
 			// handler termination signal
 			logger.V(2).Info("stopping default resync for webhook checker")
diff --git a/pkg/checker/status.go b/pkg/checker/status.go
index 110abf8eef..2c466e1c95 100644
--- a/pkg/checker/status.go
+++ b/pkg/checker/status.go
@@ -13,7 +13,7 @@ const deployName string = "kyverno"
 const deployNamespace string = "kyverno"
 
 const annCounter string = "kyverno.io/generationCounter"
-const annWebhookStats string = "kyverno.io/webhookActive"
+const annWebhookStatus string = "kyverno.io/webhookActive"
 
 //StatusInterface provides api to update webhook active annotations on kyverno deployments
 type StatusInterface interface {
@@ -52,37 +52,42 @@ func NewVerifyControl(client *dclient.Client, eventGen event.Interface, log logr
 }
 
 func (vc StatusControl) setStatus(status string) error {
-	logger := vc.log
-	logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s to %s", deployName, deployNamespace, annWebhookStats, status))
+	logger := vc.log.WithValues("name", deployName, "namespace", deployNamespace)
 	var ann map[string]string
 	var err error
 	deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName)
 	if err != nil {
-		logger.Error(err, "failed to get deployment resource")
+		logger.Error(err, "failed to get deployment")
 		return err
 	}
+
 	ann = deploy.GetAnnotations()
 	if ann == nil {
 		ann = map[string]string{}
-		ann[annWebhookStats] = status
+		ann[annWebhookStatus] = status
 	}
-	webhookAction, ok := ann[annWebhookStats]
+
+	deployStatus, ok := ann[annWebhookStatus]
 	if ok {
 		// annotatiaion is present
-		if webhookAction == status {
-			logger.V(4).Info(fmt.Sprintf("annotation %s already set to '%s'", annWebhookStats, status))
+		if deployStatus == status {
+			logger.V(4).Info(fmt.Sprintf("annotation %s already set to '%s'", annWebhookStatus, status))
 			return nil
 		}
 	}
+
 	// set the status
-	ann[annWebhookStats] = status
+	logger.Info("updating deployment annotation", "key", annWebhookStatus, "val", status)
+	ann[annWebhookStatus] = status
 	deploy.SetAnnotations(ann)
+
 	// update counter
 	_, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false)
 	if err != nil {
-		logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annWebhookStats, deployName, deployNamespace))
+		logger.Error(err, "failed to update deployment annotation", "key", annWebhookStatus, "val", status)
 		return err
 	}
+
 	// create event on kyverno deployment
 	createStatusUpdateEvent(status, vc.eventGen)
 	return nil
@@ -101,34 +106,42 @@ func createStatusUpdateEvent(status string, eventGen event.Interface) {
 //IncrementAnnotation ...
 func (vc StatusControl) IncrementAnnotation() error {
 	logger := vc.log
-	logger.Info(fmt.Sprintf("setting deployment %s in ns %s annotation %s", deployName, deployNamespace, annCounter))
 	var ann map[string]string
 	var err error
 	deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName)
 	if err != nil {
-		logger.Error(err, "failed to get deployment %s in namespace %s", deployName, deployNamespace)
+		logger.Error(err, "failed to find deployment %s in namespace %s", deployName, deployNamespace)
 		return err
 	}
+
 	ann = deploy.GetAnnotations()
 	if ann == nil {
 		ann = map[string]string{}
+	}
+
+	if ann[annCounter] == "" {
 		ann[annCounter] = "0"
 	}
+
 	counter, err := strconv.Atoi(ann[annCounter])
 	if err != nil {
-		logger.Error(err, "Failed to parse string")
+		logger.Error(err, "Failed to parse string", "name", annCounter, "value", ann[annCounter])
 		return err
 	}
+
 	// increment counter
 	counter++
 	ann[annCounter] = strconv.Itoa(counter)
-	logger.Info("incrementing annotation", "old", annCounter, "new", counter)
+
+	logger.V(3).Info("updating webhook test annotation", "key", annCounter, "value", counter, "deployment", deployName, "namespace", deployNamespace)
 	deploy.SetAnnotations(ann)
+
 	// update counter
 	_, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false)
 	if err != nil {
 		logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annCounter, deployName, deployNamespace))
 		return err
 	}
+
 	return nil
 }
diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go
index a074b767c5..7c27f01b2a 100644
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@@ -267,6 +267,7 @@ func (c ServerPreferredResources) OpenAPISchema() (*openapi_v2.Document, error)
 func (c ServerPreferredResources) GetGVRFromKind(kind string) schema.GroupVersionResource {
 	_, gvr, err := c.FindResource(kind)
 	if err != nil {
+		c.log.Info("schema not found", "kind", kind)
 		return schema.GroupVersionResource{}
 	}
 
@@ -293,7 +294,6 @@ func (c ServerPreferredResources) FindResource(kind string) (*meta.APIResource,
 		}
 	}
 
-	c.log.Error(err, "failed to find resource", "kind", kind)
 	return nil, schema.GroupVersionResource{}, err
 }
 
diff --git a/pkg/webhookconfig/checker.go b/pkg/webhookconfig/checker.go
index db1e765629..50a8c100f2 100644
--- a/pkg/webhookconfig/checker.go
+++ b/pkg/webhookconfig/checker.go
@@ -60,7 +60,7 @@ func (wrc *WebhookRegistrationClient) constructDebugVerifyMutatingWebhookConfig(
 
 func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(wg *sync.WaitGroup) {
 	defer wg.Done()
-	// Mutating webhook configuration
+
 	var err error
 	var mutatingConfig string
 	if wrc.serverIP != "" {
@@ -68,14 +68,18 @@ func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(w
 	} else {
 		mutatingConfig = config.VerifyMutatingWebhookConfigurationName
 	}
+
 	logger := wrc.log.WithValues("name", mutatingConfig)
-	logger.V(4).Info("removing webhook configuration")
 	err = wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		logger.Error(err, "verify webhook configuration, does not exits. not deleting")
-	} else if err != nil {
-		logger.Error(err, "failed to delete verify wwebhook configuration")
-	} else {
-		logger.V(4).Info("successfully deleted verify webhook configuration")
+		logger.V(5).Info("verify webhook configuration not found")
+		return
 	}
+
+	if err != nil {
+		logger.Error(err, "failed to delete verify wwebhook configuration")
+		return
+	}
+
+	logger.V(4).Info("successfully deleted verify webhook configuration")
 }
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index 8124ad39d4..32bd6a9dd0 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -51,7 +51,7 @@ func NewWebhookRegistrationClient(
 func (wrc *WebhookRegistrationClient) Register() error {
 	logger := wrc.log.WithName("Register")
 	if wrc.serverIP != "" {
-		logger.Info("Registering webhook", "url", fmt.Sprintf("https://%s", wrc.serverIP))
+		logger.V(4).Info("Registering webhook", "url", fmt.Sprintf("https://%s", wrc.serverIP))
 	}
 
 	// For the case if cluster already has this configs
@@ -249,20 +249,23 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration()
 // Register will fail if the config exists, so there is no need to fail on error
 func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 	startTime := time.Now()
-	wrc.log.Info("Started cleaning up webhookconfigurations")
+	wrc.log.Info("removing prior webhook configurations")
 	defer func() {
-		wrc.log.V(4).Info("Finished cleaning up webhookcongfigurations", "processingTime", time.Since(startTime))
+		wrc.log.V(4).Info("removed webhookcongfigurations", "processingTime", time.Since(startTime))
 	}()
 
 	var wg sync.WaitGroup
 
 	wg.Add(5)
+
 	// mutating and validating webhook configuration for Kubernetes resources
 	go wrc.removeResourceMutatingWebhookConfiguration(&wg)
 	go wrc.removeResourceValidatingWebhookConfiguration(&wg)
+
 	// mutating and validating webhook configurtion for Policy CRD resource
 	go wrc.removePolicyMutatingWebhookConfiguration(&wg)
 	go wrc.removePolicyValidatingWebhookConfiguration(&wg)
+
 	// mutating webhook configuration for verifying webhook
 	go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg)
 
@@ -285,48 +288,53 @@ func (wrc *WebhookRegistrationClient) removeResourceValidatingWebhookConfigurati
 	}
 }
 
-// delete policy mutating webhookconfigurations
-// handle wait group
 func (wrc *WebhookRegistrationClient) removePolicyMutatingWebhookConfiguration(wg *sync.WaitGroup) {
 	defer wg.Done()
-	// Mutating webhook configuration
+
 	var mutatingConfig string
 	if wrc.serverIP != "" {
 		mutatingConfig = config.PolicyMutatingWebhookConfigurationDebugName
 	} else {
 		mutatingConfig = config.PolicyMutatingWebhookConfigurationName
 	}
+
 	logger := wrc.log.WithValues("name", mutatingConfig)
-	logger.V(4).Info("removing mutating webhook configuration")
 	err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		logger.Error(err, "policy mutating webhook configuration does not exist, not deleting")
-	} else if err != nil {
-		logger.Error(err, "failed to delete policy mutating webhook configuration")
-	} else {
-		logger.V(4).Info("successfully deleted policy mutating webhook configutation")
+		logger.V(5).Info("policy mutating webhook configuration not found")
+		return
 	}
+
+	if err != nil {
+		logger.Error(err, "failed to delete policy mutating webhook configuration")
+		return
+	}
+
+	logger.V(4).Info("successfully deleted policy mutating webhook configutation")
 }
 
-// delete policy validating webhookconfigurations
-// handle wait group
 func (wrc *WebhookRegistrationClient) removePolicyValidatingWebhookConfiguration(wg *sync.WaitGroup) {
 	defer wg.Done()
-	// Validating webhook configuration
+
 	var validatingConfig string
 	if wrc.serverIP != "" {
 		validatingConfig = config.PolicyValidatingWebhookConfigurationDebugName
 	} else {
 		validatingConfig = config.PolicyValidatingWebhookConfigurationName
 	}
+
 	logger := wrc.log.WithValues("name", validatingConfig)
 	logger.V(4).Info("removing validating webhook configuration")
 	err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", validatingConfig, false)
 	if errorsapi.IsNotFound(err) {
-		logger.Error(err, "policy validating webhook configuration does not exist, not deleting")
-	} else if err != nil {
-		logger.Error(err, "failed to delete policy validating webhook configuration")
-	} else {
-		logger.V(4).Info("successfully deleted policy validating webhook configutation")
+		logger.V(5).Info("policy validating webhook configuration not found")
+		return
 	}
+
+	if err != nil {
+		logger.Error(err, "failed to delete policy validating webhook configuration")
+		return
+	}
+
+	logger.V(4).Info("successfully deleted policy validating webhook configutation")
 }
diff --git a/pkg/webhookconfig/resource.go b/pkg/webhookconfig/resource.go
index 050517da0a..82170d3604 100644
--- a/pkg/webhookconfig/resource.go
+++ b/pkg/webhookconfig/resource.go
@@ -12,7 +12,7 @@ import (
 func (wrc *WebhookRegistrationClient) constructDebugMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration {
 	logger := wrc.log
 	url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.MutatingWebhookServicePath)
-	logger.V(4).Info("Debug MutatingWebhookConfig registed", "url", url)
+	logger.V(4).Info("Debug MutatingWebhookConfig registered", "url", url)
 	return &admregapi.MutatingWebhookConfiguration{
 		ObjectMeta: v1.ObjectMeta{
 			Name: config.MutatingWebhookConfigurationDebugName,
@@ -57,7 +57,7 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(caData []by
 	}
 }
 
-//GetResourceMutatingWebhookConfigName provi
+//GetResourceMutatingWebhookConfigName returns the webhook configuration name
 func (wrc *WebhookRegistrationClient) GetResourceMutatingWebhookConfigName() string {
 	if wrc.serverIP != "" {
 		return config.MutatingWebhookConfigurationDebugName
@@ -72,14 +72,16 @@ func (wrc *WebhookRegistrationClient) RemoveResourceMutatingWebhookConfiguration
 	// delete webhook configuration
 	err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", configName, false)
 	if errors.IsNotFound(err) {
-		logger.Error(err, "resource does not exit")
+		logger.V(5).Info("webhook configuration not found")
 		return nil
 	}
+
 	if err != nil {
-		logger.V(4).Info("failed to delete resource")
+		logger.V(4).Info("failed to delete webhook configuration")
 		return err
 	}
-	logger.V(4).Info("deleted resource")
+
+	logger.V(4).Info("deleted webhook configuration")
 	return nil
 }
 
@@ -130,25 +132,30 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(caData []
 	}
 }
 
+// GetResourceValidatingWebhookConfigName returns the webhook configuration name
 func (wrc *WebhookRegistrationClient) GetResourceValidatingWebhookConfigName() string {
 	if wrc.serverIP != "" {
 		return config.ValidatingWebhookConfigurationDebugName
 	}
+
 	return config.ValidatingWebhookConfigurationName
 }
 
+// RemoveResourceValidatingWebhookConfiguration deletes an existing webhook configuration
 func (wrc *WebhookRegistrationClient) RemoveResourceValidatingWebhookConfiguration() error {
 	configName := wrc.GetResourceValidatingWebhookConfigName()
 	logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", configName)
 	err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", configName, false)
 	if errors.IsNotFound(err) {
-		logger.Error(err, "resource does not exist; deleted already")
+		logger.V(5).Info("webhook configuration not found")
 		return nil
 	}
+
 	if err != nil {
-		logger.Error(err, "failed to delete the resource")
+		logger.Error(err, "failed to delete the webhook configuration")
 		return err
 	}
-	logger.Info("resource deleted")
+
+	logger.Info("webhook configuration deleted")
 	return nil
 }
diff --git a/pkg/webhookconfig/rwebhookregister.go b/pkg/webhookconfig/rwebhookregister.go
index 06e2e51c57..38a3fbfb7a 100644
--- a/pkg/webhookconfig/rwebhookregister.go
+++ b/pkg/webhookconfig/rwebhookregister.go
@@ -14,11 +14,11 @@ import (
 //ResourceWebhookRegister manages the resource webhook registration
 type ResourceWebhookRegister struct {
 	// pendingCreation indicates the status of resource webhook creation
-	pendingCreation      *abool.AtomicBool
-	LastReqTime          *checker.LastReqTime
-	mwebhookconfigSynced cache.InformerSynced
-	vwebhookconfigSynced cache.InformerSynced
-	// list/get mutatingwebhookconfigurations
+	pendingMutateWebhookCreation   *abool.AtomicBool
+	pendingValidateWebhookCreation *abool.AtomicBool
+	LastReqTime                    *checker.LastReqTime
+	mwebhookconfigSynced           cache.InformerSynced
+	vwebhookconfigSynced           cache.InformerSynced
 	mWebhookConfigLister           mconfiglister.MutatingWebhookConfigurationLister
 	vWebhookConfigLister           mconfiglister.ValidatingWebhookConfigurationLister
 	webhookRegistrationClient      *WebhookRegistrationClient
@@ -36,7 +36,8 @@ func NewResourceWebhookRegister(
 	log logr.Logger,
 ) *ResourceWebhookRegister {
 	return &ResourceWebhookRegister{
-		pendingCreation:                abool.New(),
+		pendingMutateWebhookCreation:   abool.New(),
+		pendingValidateWebhookCreation: abool.New(),
 		LastReqTime:                    lastReqTime,
 		mwebhookconfigSynced:           mconfigwebhookinformer.Informer().HasSynced,
 		mWebhookConfigLister:           mconfigwebhookinformer.Lister(),
@@ -50,51 +51,60 @@ func NewResourceWebhookRegister(
 
 //RegisterResourceWebhook registers a resource webhook
 func (rww *ResourceWebhookRegister) RegisterResourceWebhook() {
-	logger := rww.log
-	// drop the request if creation is in processing
-	if rww.pendingCreation.IsSet() {
-		logger.V(3).Info("resource webhook configuration is in pending creation, skip the request")
+	timeDiff := time.Since(rww.LastReqTime.Time())
+	if timeDiff < checker.DefaultDeadline {
+		if !rww.pendingMutateWebhookCreation.IsSet() {
+			go rww.createMutatingWebhook()
+		}
+
+		if !rww.pendingValidateWebhookCreation.IsSet() {
+			go rww.createValidateWebhook()
+		}
+	}
+}
+
+func (rww *ResourceWebhookRegister) createMutatingWebhook() {
+	rww.pendingMutateWebhookCreation.Set()
+	defer rww.pendingMutateWebhookCreation.UnSet()
+
+	mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
+	mutatingConfig, _ := rww.mWebhookConfigLister.Get(mutatingConfigName)
+	if mutatingConfig != nil {
+		rww.log.V(5).Info("mutating webhoook configuration exists", "name", mutatingConfigName)
+	} else {
+		err := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration()
+		if err != nil {
+			rww.log.Error(err, "failed to create resource mutating webhook configuration, re-queue creation request")
+			rww.RegisterResourceWebhook()
+			return
+		}
+
+		rww.log.V(2).Info("created mutating webhook", "name", mutatingConfigName)
+	}
+}
+
+func (rww *ResourceWebhookRegister) createValidateWebhook() {
+	rww.pendingValidateWebhookCreation.Set()
+	defer rww.pendingValidateWebhookCreation.UnSet()
+
+	if rww.RunValidationInMutatingWebhook == "true" {
+		rww.log.V(2).Info("validation is configured to run during mutate webhook")
 		return
 	}
 
-	timeDiff := time.Since(rww.LastReqTime.Time())
-	if timeDiff < checker.DefaultDeadline {
-		logger.V(3).Info("verified webhook status, creating webhook configuration")
-		go func() {
-			mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName()
-			mutatingConfig, _ := rww.mWebhookConfigLister.Get(mutatingConfigName)
-			if mutatingConfig != nil {
-				logger.V(4).Info("mutating webhoook configuration already exists")
-			} else {
-				rww.pendingCreation.Set()
-				err1 := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration()
-				rww.pendingCreation.UnSet()
-				if err1 != nil {
-					logger.Error(err1, "failed to create resource mutating webhook configuration, re-queue creation request")
-					rww.RegisterResourceWebhook()
-					return
-				}
-				logger.V(3).Info("successfully created mutating webhook configuration for resources")
-			}
+	validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName()
+	validatingConfig, _ := rww.vWebhookConfigLister.Get(validatingConfigName)
+	if validatingConfig != nil {
+		rww.log.V(4).Info("validating webhoook configuration exists", "name", validatingConfigName)
+	} else {
+		err := rww.webhookRegistrationClient.CreateResourceValidatingWebhookConfiguration()
+		if err != nil {
+			rww.log.Error(err, "failed to create resource validating webhook configuration; re-queue creation request")
+			rww.RegisterResourceWebhook()
+			return
+		}
 
-			if rww.RunValidationInMutatingWebhook != "true" {
-				validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName()
-				validatingConfig, _ := rww.vWebhookConfigLister.Get(validatingConfigName)
-				if validatingConfig != nil {
-					logger.V(4).Info("validating webhoook configuration already exists")
-				} else {
-					rww.pendingCreation.Set()
-					err2 := rww.webhookRegistrationClient.CreateResourceValidatingWebhookConfiguration()
-					rww.pendingCreation.UnSet()
-					if err2 != nil {
-						logger.Error(err2, "failed to create resource validating webhook configuration; re-queue creation request")
-						rww.RegisterResourceWebhook()
-						return
-					}
-					logger.V(3).Info("successfully created validating webhook configuration for resources")
-				}
-			}
-		}()
+		rww.log.V(2).Info("created validating webhook", "name", validatingConfigName)
 	}
 }
 
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 0afdefa90a..0c057d81b6 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -18,9 +18,17 @@ import (
 
 // HandleMutation handles mutating webhook admission request
 // return value: generated patches
-func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte {
-	logger := ws.log.WithValues("action", "mutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
-	logger.V(4).Info("incoming request")
+func (ws *WebhookServer) HandleMutation(
+	request *v1beta1.AdmissionRequest,
+	resource unstructured.Unstructured,
+	policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte {
+
+	resourceName := request.Kind.Kind + "/" + request.Name
+	if request.Namespace != "" {
+		resourceName = request.Namespace + "/" + resourceName
+	}
+
+	logger := ws.log.WithValues("action", "mutate", "resource", resourceName, "operation", request.Operation)
 
 	var patches [][]byte
 	var engineResponses []response.EngineResponse
@@ -55,21 +63,27 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	}
 
 	for _, policy := range policies {
-		logger.V(2).Info("evaluating policy", "policy", policy.Name)
+		logger.V(3).Info("evaluating policy", "policy", policy.Name)
 
 		policyContext.Policy = policy
 		engineResponse := engine.Mutate(policyContext)
+		if engineResponse.PolicyResponse.RulesAppliedCount <= 0 {
+			continue
+		}
+
 		engineResponses = append(engineResponses, engineResponse)
 		ws.statusListener.Send(mutateStats{resp: engineResponse})
 		if !engineResponse.IsSuccesful() {
-			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
+			logger.Info("failed to apply policy", "policy", policy.Name)
 			continue
 		}
+
 		err := ws.openAPIController.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind())
 		if err != nil {
-			logger.Error(err, "failed to validate resource")
+			logger.Error(err, "validation error", "policy", policy.Name)
 			continue
 		}
+
 		// gather patches
 		patches = append(patches, engineResponse.GetPatches()...)
 		logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name)
@@ -86,6 +100,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	// generate violation when response fails
 	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
 	ws.pvGenerator.Add(pvInfos...)
+
 	// REPORTING EVENTS
 	// Scenario 1:
 	//   some/all policies failed to apply on the resource. a policy volation is generated.
diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index dea2f87fff..ef69173329 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -81,7 +81,7 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, log logr.Logg
 }
 
 func defaultBackgroundFlag(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) {
-	// default 'Background' flag to 'true' if not specified
+	// set 'Background' flag to 'true' if not specified
 	defaultVal := true
 	if policy.Spec.Background == nil {
 		log.V(4).Info("setting default value", "spec.background", true)
@@ -94,19 +94,22 @@ func defaultBackgroundFlag(policy *kyverno.ClusterPolicy, log logr.Logger) ([]by
 			"add",
 			&defaultVal,
 		}
+
 		patchByte, err := json.Marshal(jsonPatch)
 		if err != nil {
 			log.Error(err, "failed to set default value", "spec.background", true)
 			return nil, ""
 		}
-		log.Info("generated JSON Patch to set default", "spec.background", true)
+
+		log.V(3).Info("generated JSON Patch to set default", "spec.background", true)
 		return patchByte, fmt.Sprintf("default 'Background' to '%s'", strconv.FormatBool(true))
 	}
+
 	return nil, ""
 }
 
 func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) {
-	// default ValidationFailureAction to "audit" if not specified
+	// set ValidationFailureAction to "audit" if not specified
 	if policy.Spec.ValidationFailureAction == "" {
 		log.V(4).Info("setting defautl value", "spec.validationFailureAction", Audit)
 		jsonPatch := struct {
@@ -116,16 +119,19 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logg
 		}{
 			"/spec/validationFailureAction",
 			"add",
-			Audit, //audit
+			Audit,
 		}
+
 		patchByte, err := json.Marshal(jsonPatch)
 		if err != nil {
 			log.Error(err, "failed to default value", "spec.validationFailureAction", Audit)
 			return nil, ""
 		}
-		log.Info("generated JSON Patch to set default", "spec.validationFailureAction", Audit)
+
+		log.V(3).Info("generated JSON Patch to set default", "spec.validationFailureAction", Audit)
 		return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", Audit)
 	}
+
 	return nil, ""
 }
 
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index f1517ef66f..ea4963a963 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -37,7 +37,6 @@ import (
 )
 
 // WebhookServer contains configured TLS server with MutationWebhook.
-// MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.
 type WebhookServer struct {
 	server        http.Server
 	client        *client.Client
@@ -150,15 +149,16 @@ func NewWebhookServer(
 }
 
 func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse, filter bool) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
+	return func(rw http.ResponseWriter, r *http.Request) {
 		startTime := time.Now()
-		// for every request received on the ep update last request time,
-		// this is used to verify admission control
-		ws.lastReqTime.SetTime(time.Now())
-		admissionReview := ws.bodyToAdmissionReview(r, w)
+		ws.lastReqTime.SetTime(startTime)
+
+		admissionReview := ws.bodyToAdmissionReview(r, rw)
 		if admissionReview == nil {
+			ws.log.Info("failed to parse admission review request", "request", r)
 			return
 		}
+
 		logger := ws.log.WithValues("kind", admissionReview.Request.Kind, "namespace", admissionReview.Request.Namespace, "name", admissionReview.Request.Name)
 		defer func() {
 			logger.V(4).Info("request processed", "processingTime", time.Since(startTime))
@@ -166,29 +166,32 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 
 		admissionReview.Response = &v1beta1.AdmissionResponse{
 			Allowed: true,
+			UID:     admissionReview.Request.UID,
 		}
 
 		// Do not process the admission requests for kinds that are in filterKinds for filtering
 		request := admissionReview.Request
-		if filter {
-			if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-				admissionReview.Response = handler(request)
-			}
-		} else {
-			admissionReview.Response = handler(request)
-		}
-		admissionReview.Response.UID = request.UID
-
-		responseJSON, err := json.Marshal(admissionReview)
-		if err != nil {
-			http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
+		if filter && ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
+			writeResponse(rw, admissionReview)
 			return
 		}
 
-		w.Header().Set("Content-Type", "application/json; charset=utf-8")
-		if _, err := w.Write(responseJSON); err != nil {
-			http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
-		}
+		admissionReview.Response = handler(request)
+		writeResponse(rw, admissionReview)
+		return
+	}
+}
+
+func writeResponse(rw http.ResponseWriter, admissionReview *v1beta1.AdmissionReview) {
+	responseJSON, err := json.Marshal(admissionReview)
+	if err != nil {
+		http.Error(rw, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	rw.Header().Set("Content-Type", "application/json; charset=utf-8")
+	if _, err := rw.Write(responseJSON); err != nil {
+		http.Error(rw, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
 	}
 }
 
@@ -342,6 +345,7 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
 		}
 	}(ws)
 	logger.Info("starting")
+
 	// verifys if the admission control is enabled and active
 	// resync: 60 seconds
 	// deadline: 60 seconds (send request)
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index d0b49347ad..d35b7027fd 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -17,9 +17,17 @@ import (
 // HandleValidation handles validating webhook admission request
 // If there are no errors in validating rule we apply generation rules
 // patchedResource is the (resource + patches) after applying mutation rules
-func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
-	logger := ws.log.WithValues("action", "validation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
-	logger.V(4).Info("incoming request")
+func (ws *WebhookServer) HandleValidation(
+	request *v1beta1.AdmissionRequest,
+	policies []kyverno.ClusterPolicy,
+	patchedResource []byte, roles, clusterRoles []string) (bool, string) {
+
+	resourceName := request.Kind.Kind + "/" + request.Name
+	if request.Namespace != "" {
+		resourceName = request.Namespace + "/" + resourceName
+	}
+
+	logger := ws.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation)
 
 	// Get new and old resource
 	newR, oldR, err := extractResources(patchedResource, request)
@@ -28,6 +36,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 		logger.Error(err, "failed to extract resource")
 		return true, ""
 	}
+
 	userRequestInfo := kyverno.RequestInfo{
 		Roles:             roles,
 		ClusterRoles:      clusterRoles,
@@ -58,7 +67,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 	}
 	var engineResponses []response.EngineResponse
 	for _, policy := range policies {
-		logger.V(2).Info("evaluating policy", "policy", policy.Name)
+		logger.V(3).Info("evaluating policy", "policy", policy.Name)
 		policyContext.Policy = policy
 		engineResponse := engine.Validate(policyContext)
 		if reflect.DeepEqual(engineResponse, response.EngineResponse{}) {

From 573eb9cf13313d95b2a249cd06192fc280794d01 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 17 May 2020 14:48:17 -0700
Subject: [PATCH 148/201] increase worker count for policyController

---
 cmd/kyverno/main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 2413177ad2..42cea9532b 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -175,7 +175,7 @@ func main() {
 	// - reconciliation policy and policy violation
 	// - process policy on existing resources
 	// - status aggregator: receives stats when a policy is applied & updates the policy status
-	pc, err := policy.NewPolicyController(pclient,
+	policyCtrl, err := policy.NewPolicyController(pclient,
 		client,
 		pInformer.Kyverno().V1().ClusterPolicies(),
 		pInformer.Kyverno().V1().ClusterPolicyViolations(),
@@ -286,7 +286,7 @@ func main() {
 	go rWebhookWatcher.Run(stopCh)
 	go configData.Run(stopCh)
 	go policyMetaStore.Run(stopCh)
-	go pc.Run(1, stopCh)
+	go policyCtrl.Run(3, stopCh)
 	go egen.Run(1, stopCh)
 	go grc.Run(1, stopCh)
 	go grcc.Run(1, stopCh)

From b763c33a292f11445edba124cd5b47ea4b6b89f2 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 17 May 2020 17:58:57 -0700
Subject: [PATCH 149/201] fix mock discover client

---
 pkg/dclient/utils.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/dclient/utils.go b/pkg/dclient/utils.go
index 8b170eb094..0ed2459901 100644
--- a/pkg/dclient/utils.go
+++ b/pkg/dclient/utils.go
@@ -1,10 +1,12 @@
 package client
 
 import (
+	"fmt"
 	"strings"
 
 	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
 
+	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -76,6 +78,10 @@ func (c *fakeDiscoveryClient) GetGVRFromKind(kind string) schema.GroupVersionRes
 	return c.getGVR(resource)
 }
 
+func (c *fakeDiscoveryClient) FindResource(kind string) (*meta.APIResource, schema.GroupVersionResource, error) {
+	return nil, schema.GroupVersionResource{}, fmt.Errorf("Not implemented")
+}
+
 func (c *fakeDiscoveryClient) OpenAPISchema() (*openapi_v2.Document, error) {
 	return nil, nil
 }

From 0635df7b116c05157529735f4b135725fac052fd Mon Sep 17 00:00:00 2001
From: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Date: Sun, 17 May 2020 18:51:56 -0700
Subject: [PATCH 150/201] Bug - annotation inserted to podTemplate by auto-gen
 should reflect the policy name (#850)

* Added check for  annotation inserted to podTemplate by auto-gen

* skip reporting violation on pod which has annotation pod-policies.kyverno.io/autogen-applied

* Revert Changes

* typo fixed

* Update condition for skiping the pods
---
 pkg/policy/existing.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index af8dfc09c6..16a1113647 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -34,8 +34,13 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic
 		}
 
 		// skip reporting violation on pod which has annotation pod-policies.kyverno.io/autogen-applied
-		if skipPodApplication(resource, logger) {
-			continue
+		ann := policy.GetAnnotations()
+		if _, ok := ann[engine.PodTemplateAnnotation]; ok {
+			if ann[engine.PodTemplateAnnotation] != "none" {
+				if skipPodApplication(resource, logger) {
+					continue
+				}
+			}
 		}
 
 		// apply the policy on each

From c4c28b709bd187b5de23b98996c9f6f555ecae76 Mon Sep 17 00:00:00 2001
From: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Date: Mon, 18 May 2020 11:50:54 -0700
Subject: [PATCH 151/201] Feature - Change annotation for auto-generate pod
 controllers policy (#849)

* replace auto-generate pod controllers policy

* replace auto-generate pod controllers policy

* handled backword compatibility

* added backword compatibility

* Change annotation for auto-generate pod controllers

* Typo fixed
---
 pkg/webhooks/policymutation.go      | 32 ++++++++++++++++++++++++-----
 pkg/webhooks/policymutation_test.go |  6 +++---
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index ef69173329..78af777c4c 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -151,7 +151,7 @@ func generatePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (p
 
 	// scenario A
 	if !ok {
-		controllers = "all"
+		controllers = "DaemonSet,Deployment,Job,StatefulSet"
 		annPatch, err := defaultPodControllerAnnotation(ann)
 		if err != nil {
 			errs = append(errs, fmt.Errorf("failed to generate pod controller annotation for policy '%s': %v", policy.Name, err))
@@ -164,6 +164,7 @@ func generatePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (p
 	if controllers == "none" {
 		return nil, nil
 	}
+
 	log.V(3).Info("auto generating rule for pod controllers", "controlers", controllers)
 
 	p, err := generateRulePatches(policy, controllers, log)
@@ -203,6 +204,7 @@ func createRuleMap(rules []kyverno.Rule) map[string]kyvernoRule {
 // generateRulePatches generates rule for podControllers based on scenario A and C
 func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) {
 	var genRule kyvernoRule
+
 	insertIdx := len(policy.Spec.Rules)
 
 	ruleMap := createRuleMap(policy.Spec.Rules)
@@ -292,14 +294,34 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 		return kyvernoRule{}
 	}
 
-	// scenario A
+	// Support backword compatibility
+	skipAutoGeneration := false
+	var controllersValidated []string
 	if controllers == "all" {
+		skipAutoGeneration = true
+	} else if controllers != "none" && controllers != "all" {
+		controllersList := map[string]int{"DaemonSet": 1, "Deployment": 1, "Job": 1, "StatefulSet": 1}
+		for _, value := range strings.Split(controllers, ",") {
+			if _, ok := controllersList[value]; ok {
+				controllersValidated = append(controllersValidated, value)
+			}
+		}
+		if len(controllersValidated) > 0 {
+			skipAutoGeneration = true
+		}
+	}
+
+	if skipAutoGeneration {
 		if match.ResourceDescription.Name != "" || match.ResourceDescription.Selector != nil ||
 			exclude.ResourceDescription.Name != "" || exclude.ResourceDescription.Selector != nil {
 			log.Info("skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", "rule", rule.Name)
 			return kyvernoRule{}
 		}
-		controllers = engine.PodControllers
+		if controllers == "all" {
+			controllers = engine.PodControllers
+		} else {
+			controllers = strings.Join(controllersValidated, ",")
+		}
 	}
 
 	controllerRule := &kyvernoRule{
@@ -367,7 +389,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) {
 	if ann == nil {
 		ann = make(map[string]string)
-		ann[engine.PodControllersAnnotation] = "all"
+		ann[engine.PodControllersAnnotation] = "DaemonSet,Deployment,Job,StatefulSet"
 		jsonPatch := struct {
 			Path  string      `json:"path"`
 			Op    string      `json:"op"`
@@ -392,7 +414,7 @@ func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) {
 	}{
 		"/metadata/annotations/pod-policies.kyverno.io~1autogen-controllers",
 		"add",
-		"all",
+		"DaemonSet,Deployment,Job,StatefulSet",
 	}
 
 	patchByte, err := json.Marshal(jsonPatch)
diff --git a/pkg/webhooks/policymutation_test.go b/pkg/webhooks/policymutation_test.go
index d887cd6ee2..3df5873922 100644
--- a/pkg/webhooks/policymutation_test.go
+++ b/pkg/webhooks/policymutation_test.go
@@ -41,7 +41,7 @@ func TestGeneratePodControllerRule_NilAnnotation(t *testing.T) {
 		"metadata": {
 		  "name": "add-safe-to-evict",
 		  "annotations": {
-			"pod-policies.kyverno.io/autogen-controllers": "all"
+			"pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Deployment,Job,StatefulSet"
 		  }
 		}
 	  }`)
@@ -274,7 +274,7 @@ func TestGeneratePodControllerRule_ExistOtherAnnotation(t *testing.T) {
 		"metadata": {
 		  "name": "add-safe-to-evict",
 		  "annotations": {
-			"pod-policies.kyverno.io/autogen-controllers": "all",
+			"pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Deployment,Job,StatefulSet",
 			"test": "annotation"
 		  }
 		}
@@ -483,7 +483,7 @@ func TestGeneratePodControllerRule_ValidatePattern(t *testing.T) {
 		"kind": "ClusterPolicy",
 		"metadata": {
 		  "annotations": {
-			"pod-policies.kyverno.io/autogen-controllers": "all"
+			"pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Deployment,Job,StatefulSet"
 		  },
 		  "name": "add-safe-to-evict"
 		},

From 57e9aaea5f6b6de6a775740b6e040f428afff9c3 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 16:57:26 -0700
Subject: [PATCH 152/201] Add crd 1.16+ spec

---
 pkg/openapi/crdSync.go | 69 +++++++++++++++++++++++++++++++-----------
 1 file changed, 51 insertions(+), 18 deletions(-)

diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 01ccab88bb..c7bed83bf9 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -28,6 +28,36 @@ type crdSync struct {
 	controller *Controller
 }
 
+// crdDefinitionPrior represents CRD's version prior to 1.16
+var crdDefinitionPrior struct {
+	Spec struct {
+		Names struct {
+			Kind string `json:"kind"`
+		} `json:"names"`
+		Validation struct {
+			OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
+		} `json:"validation"`
+	} `json:"spec"`
+}
+
+// crdDefinitionNew represents CRD in version 1.16+
+var crdDefinitionNew struct {
+	Spec struct {
+		Names struct {
+			Kind string `json:"kind"`
+		} `json:"names"`
+		Versions []struct {
+			Schema struct {
+				OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
+			} `json:"schema"`
+			Storage bool `json:"storage"`
+		} `json:"versions"`
+	} `json:"spec"`
+}
+
+var crdVersion struct {
+}
+
 func NewCRDSync(client *client.Client, controller *Controller) *crdSync {
 	if controller == nil {
 		panic(fmt.Errorf("nil controller sent into crd sync"))
@@ -54,7 +84,7 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	c.sync()
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.sync, time.Second*25, stopCh)
+		go wait.Until(c.sync, 10*time.Minute, stopCh)
 	}
 }
 
@@ -90,39 +120,42 @@ func (o *Controller) deleteCRDFromPreviousSync() {
 
 func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 	var err error
-	var crdDefinition struct {
-		Spec struct {
-			Names struct {
-				Kind string `json:"kind"`
-			} `json:"names"`
-			Validation struct {
-				OpenAPIV3Schema interface{} `json:"openAPIV3Schema"`
-			} `json:"validation"`
-		} `json:"spec"`
-	}
 
 	crdRaw, _ := json.Marshal(crd.Object)
-	_ = json.Unmarshal(crdRaw, &crdDefinition)
+	_ = json.Unmarshal(crdRaw, &crdDefinitionPrior)
 
-	crdName := crdDefinition.Spec.Names.Kind
+	openV3schema := crdDefinitionPrior.Spec.Validation.OpenAPIV3Schema
+	crdName := crdDefinitionPrior.Spec.Names.Kind
 
-	var schema yaml.MapSlice
-	schemaRaw, _ := json.Marshal(crdDefinition.Spec.Validation.OpenAPIV3Schema)
+	if openV3schema == nil {
+		_ = json.Unmarshal(crdRaw, &crdDefinitionNew)
+		for _, crdVersion := range crdDefinitionNew.Spec.Versions {
+			if crdVersion.Storage {
+				openV3schema = crdVersion.Schema.OpenAPIV3Schema
+				crdName = crdDefinitionNew.Spec.Names.Kind
+				break
+			}
+		}
+	}
+
+	schemaRaw, _ := json.Marshal(openV3schema)
 	if len(schemaRaw) < 1 {
-		log.Log.V(4).Info("could not parse crd schema")
+		log.Log.V(3).Info("could not parse crd schema", "name", crdName)
 		return
 	}
 
 	schemaRaw, err = addingDefaultFieldsToSchema(schemaRaw)
 	if err != nil {
-		log.Log.Error(err, "could not parse crd schema:")
+		log.Log.Error(err, "could not parse crd schema", "name", crdName)
 		return
 	}
+
+	var schema yaml.MapSlice
 	_ = yaml.Unmarshal(schemaRaw, &schema)
 
 	parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil))
 	if err != nil {
-		log.Log.Error(err, "could not parse crd schema:")
+		log.Log.Error(err, "could not parse crd schema", "name", crdName)
 		return
 	}
 

From 5128a00e9147c67627ceeb5a4897b6c4fc3cef15 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 18:33:52 -0700
Subject: [PATCH 153/201] suppress log

---
 pkg/event/controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index a33e50f756..848dad3911 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -67,7 +67,7 @@ func initRecorder(client *client.Client, eventSource Source, log logr.Logger) re
 		return nil
 	}
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(klog.Infof)
+	eventBroadcaster.StartLogging(klog.V(5).Infof)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
 		log.Error(err, "failed to get event interface for logging")

From b9d38d2fd32424ac856a188c953ada8267d9a44f Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 18:51:45 -0700
Subject: [PATCH 154/201] fix error "failed to list resources"

---
 pkg/policy/existing.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index 5f6fe09c67..44850b4df0 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -97,9 +97,14 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 	//	ls := mergeLabelSectors(rule.MatchResources.Selector, rule.ExcludeResources.Selector)
 	// list resources
 	log.V(4).Info("list resources to be processed")
+
+	if kind == "Namespace" {
+		namespace = ""
+	}
+
 	list, err := client.ListResource(kind, namespace, ls)
 	if err != nil {
-		log.Error(err, "failed to list resources", "kind", kind)
+		log.Error(err, "failed to list resources", "kind", kind, "namespace", namespace)
 		return nil
 	}
 	// filter based on name

From c79f166dd352e1831c48ac1c7b96799f29a498f6 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Fri, 15 May 2020 18:54:31 -0700
Subject: [PATCH 155/201] increase background sync period to 5 mins

---
 pkg/policyviolation/generator.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index ed3ffe76a2..0a40b9dad4 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -153,7 +153,7 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(gen.runWorker, time.Second, stopCh)
+		go wait.Until(gen.runWorker, 5*time.Minute, stopCh)
 	}
 	<-stopCh
 }

From f97c202d52678cec63a857d3bb3af8c42934f8c1 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Sat, 16 May 2020 22:15:09 -0700
Subject: [PATCH 156/201] extract controller resync period to a constant file

---
 pkg/event/controller.go            | 5 ++---
 pkg/generate/cleanup/controller.go | 3 ++-
 pkg/generate/controller.go         | 3 ++-
 pkg/openapi/crdSync.go             | 4 ++--
 pkg/policy/controller.go           | 3 ++-
 pkg/policyviolation/generator.go   | 4 ++--
 pkg/webhooks/generate/generate.go  | 3 ++-
 7 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index 848dad3911..db39f1d9d6 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -1,13 +1,12 @@
 package event
 
 import (
-	"time"
-
 	"github.com/go-logr/logr"
 
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/constant"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -109,7 +108,7 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(gen.runWorker, time.Second, stopCh)
+		go wait.Until(gen.runWorker, constant.EventControllerResync, stopCh)
 	}
 	<-stopCh
 }
diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go
index 2c31254219..a232dd4813 100644
--- a/pkg/generate/cleanup/controller.go
+++ b/pkg/generate/cleanup/controller.go
@@ -8,6 +8,7 @@ import (
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/constant"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -199,7 +200,7 @@ func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
 		return
 	}
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.worker, time.Second, stopCh)
+		go wait.Until(c.worker, constant.GenerateRequestControllerResync, stopCh)
 	}
 	<-stopCh
 }
diff --git a/pkg/generate/controller.go b/pkg/generate/controller.go
index b848609177..a03dfe2734 100644
--- a/pkg/generate/controller.go
+++ b/pkg/generate/controller.go
@@ -8,6 +8,7 @@ import (
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/constant"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/policystatus"
@@ -219,7 +220,7 @@ func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
 		return
 	}
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.worker, time.Second, stopCh)
+		go wait.Until(c.worker, constant.GenerateControllerResync, stopCh)
 	}
 	<-stopCh
 }
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index c7bed83bf9..6edfc03ad1 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"time"
 
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -19,6 +18,7 @@ import (
 	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
 	log "sigs.k8s.io/controller-runtime/pkg/log"
 
+	"github.com/nirmata/kyverno/pkg/constant"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"k8s.io/apimachinery/pkg/util/wait"
 )
@@ -84,7 +84,7 @@ func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	c.sync()
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(c.sync, 10*time.Minute, stopCh)
+		go wait.Until(c.sync, constant.CRDControllerResync, stopCh)
 	}
 }
 
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index a0d3934be3..250aab5fe4 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -10,6 +10,7 @@ import (
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/config"
+	"github.com/nirmata/kyverno/pkg/constant"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/policystore"
@@ -264,7 +265,7 @@ func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) {
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(pc.worker, time.Second, stopCh)
+		go wait.Until(pc.worker, constant.PolicyControllerResync, stopCh)
 	}
 
 	<-stopCh
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index 0a40b9dad4..e25ae23c6f 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -6,7 +6,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"time"
 
 	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -14,6 +13,7 @@ import (
 	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
 	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/constant"
 	"github.com/nirmata/kyverno/pkg/policystatus"
 
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
@@ -153,7 +153,7 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
 	}
 
 	for i := 0; i < workers; i++ {
-		go wait.Until(gen.runWorker, 5*time.Minute, stopCh)
+		go wait.Until(gen.runWorker, constant.PolicyViolationControllerResync, stopCh)
 	}
 	<-stopCh
 }
diff --git a/pkg/webhooks/generate/generate.go b/pkg/webhooks/generate/generate.go
index 3631845541..3e1ded7530 100644
--- a/pkg/webhooks/generate/generate.go
+++ b/pkg/webhooks/generate/generate.go
@@ -8,6 +8,7 @@ import (
 	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
+	"github.com/nirmata/kyverno/pkg/constant"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 )
@@ -60,7 +61,7 @@ func (g *Generator) Run(workers int) {
 		logger.V(4).Info("shutting down")
 	}()
 	for i := 0; i < workers; i++ {
-		go wait.Until(g.process, time.Second, g.stopCh)
+		go wait.Until(g.process, constant.GenerateControllerResync, g.stopCh)
 	}
 	<-g.stopCh
 }

From df59b97bc7f933b0470a9f2b18c9d8ec57dfce89 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Sat, 16 May 2020 23:27:54 -0700
Subject: [PATCH 157/201] add constant.go

---
 pkg/constant/constant.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 pkg/constant/constant.go

diff --git a/pkg/constant/constant.go b/pkg/constant/constant.go
new file mode 100644
index 0000000000..055a4b092e
--- /dev/null
+++ b/pkg/constant/constant.go
@@ -0,0 +1,12 @@
+package constant
+
+import "time"
+
+const (
+	CRDControllerResync             = 10 * time.Minute
+	PolicyViolationControllerResync = 5 * time.Minute
+	PolicyControllerResync          = time.Second
+	EventControllerResync           = time.Second
+	GenerateControllerResync        = time.Second
+	GenerateRequestControllerResync = time.Second
+)

From 277402ba4c6f1ab264e56ac3116a7c1a11d228c4 Mon Sep 17 00:00:00 2001
From: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Date: Mon, 18 May 2020 17:00:52 -0700
Subject: [PATCH 158/201] Feature - Add checks for k8s version when Kyverno
 starts (#831)

* Added k8s version check for mutating and validating'

* version check adde

* middelware added

* formate

* Added timeout flag value to webhook server timeout middelware and refactore kubernetes version check

* Fixed test cases

* Removed log

* Update kubernetes version check

* Added check for mutate and validate

* Skip Validation in handleValidateAdmissionRequest if kubernetes version is below 1.14

* Update return object AdmissionResponse

* fixed condition for skiping mutation

* Handle condition for skip feature in case of kubernetes version 1.14.2
---
 cmd/initContainer/main.go         | 43 ++--------------
 pkg/utils/util.go                 | 39 ++++++++++++++
 pkg/webhookconfig/registration.go |  5 ++
 pkg/webhooks/middleware.go        | 15 ++++++
 pkg/webhooks/server.go            | 85 ++++++++++++++++++-------------
 5 files changed, 113 insertions(+), 74 deletions(-)
 create mode 100644 pkg/webhooks/middleware.go

diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index e9e377cb7f..ba07577665 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -7,14 +7,13 @@ import (
 	"flag"
 	"fmt"
 	"os"
-	"regexp"
-	"strconv"
 	"sync"
 	"time"
 
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/signal"
+	"github.com/nirmata/kyverno/pkg/utils"
 	"k8s.io/apimachinery/pkg/api/errors"
 	rest "k8s.io/client-go/rest"
 	clientcmd "k8s.io/client-go/tools/clientcmd"
@@ -63,7 +62,9 @@ func main() {
 	// Exit for unsupported version of kubernetes cluster
 	// https://github.com/nirmata/kyverno/issues/700
 	// - supported from v1.12.7+
-	isVersionSupported(client)
+	if !utils.CompareKubernetesVersion(client, log.Log, 1, 12, 7) {
+		os.Exit(1)
+	}
 
 	requests := []request{
 		// Resource
@@ -222,39 +223,3 @@ func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan err
 	}()
 	return out
 }
-
-func isVersionSupported(client *client.Client) {
-	logger := log.Log
-	serverVersion, err := client.DiscoveryClient.GetServerVersion()
-	if err != nil {
-		logger.Error(err, "Failed to get kubernetes server version")
-		os.Exit(1)
-	}
-	exp := regexp.MustCompile(`v(\d*).(\d*).(\d*)`)
-	groups := exp.FindAllStringSubmatch(serverVersion.String(), -1)
-	if len(groups) != 1 || len(groups[0]) != 4 {
-		logger.Error(err, "Failed to extract kubernetes server version", "serverVersion", serverVersion)
-		os.Exit(1)
-	}
-	// convert string to int
-	// assuming the version are always intergers
-	major, err := strconv.Atoi(groups[0][1])
-	if err != nil {
-		logger.Error(err, "Failed to extract kubernetes major server version", "serverVersion", serverVersion)
-		os.Exit(1)
-	}
-	minor, err := strconv.Atoi(groups[0][2])
-	if err != nil {
-		logger.Error(err, "Failed to extract kubernetes minor server version", "serverVersion", serverVersion)
-		os.Exit(1)
-	}
-	sub, err := strconv.Atoi(groups[0][3])
-	if err != nil {
-		logger.Error(err, "Failed to extract kubernetes sub minor server version", "serverVersion", serverVersion)
-		os.Exit(1)
-	}
-	if major <= 1 && minor <= 12 && sub < 7 {
-		logger.Info("Unsupported kubernetes server version %s. Kyverno is supported from version v1.12.7+", "serverVersion", serverVersion)
-		os.Exit(1)
-	}
-}
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
index 5fe0602e71..5766fe83f9 100644
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@@ -2,6 +2,8 @@ package utils
 
 import (
 	"reflect"
+	"regexp"
+	"strconv"
 
 	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
@@ -86,3 +88,40 @@ func CleanupOldCrd(client *dclient.Client, log logr.Logger) {
 		}
 	}
 }
+
+// CompareKubernetesVersion compare kuberneates client version to user given version
+func CompareKubernetesVersion(client *client.Client, log logr.Logger, k8smajor, k8sminor, k8ssub int) bool {
+	logger := log.WithName("CompareKubernetesVersion")
+	serverVersion, err := client.DiscoveryClient.GetServerVersion()
+	if err != nil {
+		logger.Error(err, "Failed to get kubernetes server version")
+		return false
+	}
+	exp := regexp.MustCompile(`v(\d*).(\d*).(\d*)`)
+	groups := exp.FindAllStringSubmatch(serverVersion.String(), -1)
+	if len(groups) != 1 || len(groups[0]) != 4 {
+		logger.Error(err, "Failed to extract kubernetes server version", "serverVersion", serverVersion)
+		return false
+	}
+	// convert string to int
+	// assuming the version are always intergers
+	major, err := strconv.Atoi(groups[0][1])
+	if err != nil {
+		logger.Error(err, "Failed to extract kubernetes major server version", "serverVersion", serverVersion)
+		return false
+	}
+	minor, err := strconv.Atoi(groups[0][2])
+	if err != nil {
+		logger.Error(err, "Failed to extract kubernetes minor server version", "serverVersion", serverVersion)
+		return false
+	}
+	sub, err := strconv.Atoi(groups[0][3])
+	if err != nil {
+		logger.Error(err, "Failed to extract kubernetes sub minor server version", "serverVersion", serverVersion)
+		return false
+	}
+	if major <= k8smajor && minor <= k8sminor && sub < k8ssub {
+		return false
+	}
+	return true
+}
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index 32bd6a9dd0..1ed8d3b4e4 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -338,3 +338,8 @@ func (wrc *WebhookRegistrationClient) removePolicyValidatingWebhookConfiguration
 
 	logger.V(4).Info("successfully deleted policy validating webhook configutation")
 }
+
+// GetWebhookTimeOut returns the value of webhook timeout
+func (wrc *WebhookRegistrationClient) GetWebhookTimeOut() time.Duration {
+	return time.Duration(wrc.timeoutSeconds)
+}
diff --git a/pkg/webhooks/middleware.go b/pkg/webhooks/middleware.go
new file mode 100644
index 0000000000..4fb44ae4f8
--- /dev/null
+++ b/pkg/webhooks/middleware.go
@@ -0,0 +1,15 @@
+package webhooks
+
+import (
+	"net/http"
+	"time"
+)
+
+func timeoutHandler(h http.Handler, timeout time.Duration) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var timeoutHandler http.Handler
+		msg := "ok"
+		timeoutHandler = http.TimeoutHandler(h, timeout*time.Second, msg)
+		timeoutHandler.ServeHTTP(w, r)
+	}
+}
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index e04f7bb690..338d454e85 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -11,8 +11,8 @@ import (
 	"time"
 
 	"github.com/julienschmidt/httprouter"
-
 	"github.com/nirmata/kyverno/pkg/openapi"
+	"github.com/nirmata/kyverno/pkg/utils"
 
 	"github.com/go-logr/logr"
 	"github.com/nirmata/kyverno/pkg/checker"
@@ -131,12 +131,14 @@ func NewWebhookServer(
 		log:                       log,
 		openAPIController:         openAPIController,
 	}
+
 	mux := httprouter.New()
-	mux.HandlerFunc("POST", config.MutatingWebhookServicePath, ws.handlerFunc(ws.handleMutateAdmissionRequest, true))
-	mux.HandlerFunc("POST", config.ValidatingWebhookServicePath, ws.handlerFunc(ws.handleValidateAdmissionRequest, true))
-	mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyMutation, true))
-	mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.handlePolicyValidation, true))
-	mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.handleVerifyRequest, false))
+
+	mux.HandlerFunc("POST", config.ValidatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.handleValidateAdmissionRequest, true), ws.webhookRegistrationClient.GetWebhookTimeOut()))
+	mux.HandlerFunc("POST", config.MutatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.handleMutateAdmissionRequest, true), ws.webhookRegistrationClient.GetWebhookTimeOut()))
+	mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.handlePolicyValidation, true), ws.webhookRegistrationClient.GetWebhookTimeOut()))
+	mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.handlePolicyMutation, true), ws.webhookRegistrationClient.GetWebhookTimeOut()))
+	mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.handleVerifyRequest, false), ws.webhookRegistrationClient.GetWebhookTimeOut()))
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,
@@ -238,29 +240,37 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 		}
 	}
 
-	// MUTATION
-	// mutation failure should not block the resource creation
-	// any mutation failure is reported as the violation
-	patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
+	var patches, patchedResource []byte
 
-	// patch the resource with patches before handling validation rules
-	patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
+	versionCheck := utils.CompareKubernetesVersion(ws.client, ws.log, 1, 14, 0)
 
-	if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
-		// VALIDATION
-		ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
-		if !ok {
-			logger.Info("admission request denied")
-			return &v1beta1.AdmissionResponse{
-				Allowed: false,
-				Result: &metav1.Status{
-					Status:  "Failure",
-					Message: msg,
-				},
+	if versionCheck {
+		// MUTATION
+		// mutation failure should not block the resource creation
+		// any mutation failure is reported as the violation
+		patches = ws.HandleMutation(request, resource, policies, roles, clusterRoles)
+
+		// patch the resource with patches before handling validation rules
+		patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
+
+		if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
+			// VALIDATION
+			ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
+			if !ok {
+				logger.Info("admission request denied")
+				return &v1beta1.AdmissionResponse{
+					Allowed: false,
+					Result: &metav1.Status{
+						Status:  "Failure",
+						Message: msg,
+					},
+				}
 			}
 		}
+	} else {
+		// patch the resource with patches before handling validation rules
+		patchedResource = processResourceWithPatches(patches, request.Object.Raw, logger)
 	}
-
 	// GENERATE
 	// Only applied during resource creation
 	// Success -> Generate Request CR created successsfully
@@ -278,6 +288,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 			}
 		}
 	}
+
 	// Succesfful processing of mutation & validation rules in policy
 	patchType := v1beta1.PatchTypeJSONPatch
 	return &v1beta1.AdmissionResponse{
@@ -288,6 +299,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 		Patch:     patches,
 		PatchType: &patchType,
 	}
+
 }
 
 func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
@@ -332,19 +344,22 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 		}
 	}
 
-	// VALIDATION
-	ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles)
-	if !ok {
-		logger.Info("admission request denied")
-		return &v1beta1.AdmissionResponse{
-			Allowed: false,
-			Result: &metav1.Status{
-				Status:  "Failure",
-				Message: msg,
-			},
+	versionCheck := utils.CompareKubernetesVersion(ws.client, ws.log, 1, 14, 0)
+
+	if !versionCheck {
+		// VALIDATION
+		ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles)
+		if !ok {
+			logger.Info("admission request denied")
+			return &v1beta1.AdmissionResponse{
+				Allowed: false,
+				Result: &metav1.Status{
+					Status:  "Failure",
+					Message: msg,
+				},
+			}
 		}
 	}
-
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 		Result: &metav1.Status{

From 852f2bec2df734223dfdd9305f53c9de3a93fccc Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Mon, 18 May 2020 17:10:35 -0700
Subject: [PATCH 159/201] Fix CRD definition

---
 Makefile                       | 2 +-
 definitions/install.yaml       | 4 ++--
 definitions/install_debug.yaml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index fb6acc3434..cb6d878fa2 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ GIT_BRANCH := $(shell git branch | grep \* | cut -d ' ' -f2)
 GIT_HASH := $(GIT_BRANCH)/$(shell git log -1 --pretty=format:"%H")
 TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
 
-REGISTRY=index.docker.io
+REGISTRY?=index.docker.io
 REPO=$(REGISTRY)/nirmata/kyverno
 IMAGE_TAG?=$(GIT_VERSION)
 GOOS ?= $(shell go env GOOS)
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 07843f1a72..7dc32ee76e 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -70,7 +70,7 @@ spec:
                               type: string
                             name:
                               type: string
-                            Namespace:
+                            namespace:
                               type: string
                       resources:
                         type: object
@@ -133,7 +133,7 @@ spec:
                               type: string
                             name:
                               type: string
-                            Namespace:
+                            namespace:
                               type: string
                       resources:
                         type: object
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index c3f35fa475..20e458ec85 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -133,7 +133,7 @@ spec:
                               type: string
                             name:
                               type: string
-                            Namespace:
+                            namespace:
                               type: string
                       resources:
                         type: object

From 90bd8ee3065eafaa520e26af06f9bfda18404ccc Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Mon, 18 May 2020 17:10:49 -0700
Subject: [PATCH 160/201] Fix match/exclude is not working

---
 pkg/engine/utils.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index 1ee8449d23..77f0690305 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -163,7 +163,8 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k
 	}
 
 	// checking if resource matches the rule
-	if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) {
+	if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) ||
+		!reflect.DeepEqual(rule.MatchResources.UserInfo, kyverno.UserInfo{}) {
 		matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, rule.MatchResources.UserInfo, admissionInfo, resource)
 		reasonsForFailure = append(reasonsForFailure, matchErrs...)
 	} else {
@@ -171,7 +172,8 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k
 	}
 
 	// checking if resource has been excluded
-	if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) {
+	if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) ||
+		!reflect.DeepEqual(rule.ExcludeResources.UserInfo, kyverno.UserInfo{}) {
 		excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, rule.ExcludeResources.UserInfo, admissionInfo, resource)
 		if excludeErrs == nil {
 			reasonsForFailure = append(reasonsForFailure, fmt.Errorf("resource has been excluded since it matches the exclude block"))

From 7348eda222e65ada015512dd7b05c1b634cd080e Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Mon, 18 May 2020 17:11:08 -0700
Subject: [PATCH 161/201] Fix convert resource with DELETION request

---
 pkg/engine/validation.go |  2 +-
 pkg/webhooks/server.go   | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index a578eabdf4..e7659069f1 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -143,7 +143,7 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 		// TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
 		// dont statisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
-			log.V(4).Info("resource fails the match description")
+			log.V(4).Info("resource fails the match description", "reason", err.Error())
 			continue
 		}
 
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 3d365d6c08..4512e5e437 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -219,8 +219,13 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 		}
 	}
 
+	raw := request.Object.Raw
+	if request.Operation == v1beta1.Delete {
+		raw = request.OldObject.Raw
+	}
+
 	// convert RAW to unstructured
-	resource, err := utils.ConvertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+	resource, err := utils.ConvertResource(raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
 	if err != nil {
 		logger.Error(err, "failed to convert RAW resource to unstructured format")
 
@@ -356,7 +361,12 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		logger.Error(err, "failed to load service account in context")
 	}
 
-	resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+	raw := request.Object.Raw
+	if request.Operation == v1beta1.Delete {
+		raw = request.OldObject.Raw
+	}
+
+	resource, err := convertResource(raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
 	if err != nil {
 		logger.Error(err, "failed to convert RAW resource to unstructured format")
 

From 962b8f986583b4238ec397d02c6d75c4751233cb Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Mon, 18 May 2020 18:30:39 -0700
Subject: [PATCH 162/201] Fix bug

---
 pkg/utils/util.go      |  4 ++--
 pkg/webhooks/server.go | 13 ++++++-------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/pkg/utils/util.go b/pkg/utils/util.go
index d38508be95..d5ff649d6e 100644
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@@ -137,8 +137,8 @@ func ConvertResource(raw []byte, group, version, kind, namespace string) (unstru
 	return *obj, nil
 }
 
-// CompareKubernetesVersion compare kuberneates client version to user given version
-func CompareKubernetesVersion(client *client.Client, log logr.Logger, k8smajor, k8sminor, k8ssub int) bool {
+// HigherThanKubernetesVersion compare kuberneates client version to user given version
+func HigherThanKubernetesVersion(client *client.Client, log logr.Logger, k8smajor, k8sminor, k8ssub int) bool {
 	logger := log.WithName("CompareKubernetesVersion")
 	serverVersion, err := client.DiscoveryClient.GetServerVersion()
 	if err != nil {
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 0606529ded..0fcb6b7385 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -164,9 +164,6 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 		}
 
 		logger := ws.log.WithValues("kind", admissionReview.Request.Kind, "namespace", admissionReview.Request.Namespace, "name", admissionReview.Request.Name)
-		defer func() {
-			logger.V(4).Info("request processed", "processingTime", time.Since(startTime))
-		}()
 
 		admissionReview.Response = &v1beta1.AdmissionResponse{
 			Allowed: true,
@@ -182,6 +179,8 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 
 		admissionReview.Response = handler(request)
 		writeResponse(rw, admissionReview)
+		logger.V(4).Info("request processed", "processingTime", time.Since(startTime).Milliseconds())
+
 		return
 	}
 }
@@ -265,8 +264,8 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 	var patches []byte
 	patchedResource := request.Object.Raw
 
-	versionCheck := utils.CompareKubernetesVersion(ws.client, ws.log, 1, 14, 0)
-	if versionCheck {
+	higherVersion := utils.HigherThanKubernetesVersion(ws.client, ws.log, 1, 14, 0)
+	if higherVersion {
 		// MUTATION
 		// mutation failure should not block the resource creation
 		// any mutation failure is reported as the violation
@@ -390,8 +389,8 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		}
 	}
 
-	versionCheck := utils.CompareKubernetesVersion(ws.client, ws.log, 1, 14, 0)
-	if !versionCheck {
+	higherVersion := utils.HigherThanKubernetesVersion(ws.client, ws.log, 1, 14, 0)
+	if higherVersion {
 		ok, msg := ws.HandleValidation(request, policies, nil, ctx, userRequestInfo)
 		if !ok {
 			logger.Info("admission request denied")

From 0e803ae532d04bd4a8b4b51d5b01108506d30438 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Mon, 18 May 2020 20:01:20 -0700
Subject: [PATCH 163/201] fix DENY pending for DELETE request

---
 pkg/engine/utils.go        |  7 +++++++
 pkg/webhooks/common.go     | 10 ++++++++++
 pkg/webhooks/server.go     | 18 ++++++++++++++++++
 pkg/webhooks/validation.go |  5 +----
 4 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index 77f0690305..f5a1ab4c1b 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -114,6 +114,13 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User
 	const SaPrefix = "system:serviceaccount:"
 
 	userGroups := append(userInfo.Groups, userInfo.Username)
+
+	ruleSubjects = append(ruleSubjects,
+		rbacv1.Subject{Kind: "Group", Name: "system:serviceaccounts:kube-system"},
+		rbacv1.Subject{Kind: "Group", Name: "system:nodes"},
+		rbacv1.Subject{Kind: "Group", Name: "system:kube-scheduler"},
+	)
+
 	for _, subject := range ruleSubjects {
 		switch subject.Kind {
 		case "ServiceAccount":
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index 4d60732c03..8eda6c69c3 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -167,3 +167,13 @@ func convertResource(raw []byte, group, version, kind, namespace string) (unstru
 	obj.SetNamespace(namespace)
 	return *obj, nil
 }
+
+func excludeKyvernoResources(kind string) bool {
+	switch kind {
+	case "ClusterPolicy", "ClusterPolicyViolation", "PolicyViolation", "GenerateRequest":
+		return true
+	default:
+		return false
+	}
+
+}
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 0fcb6b7385..cfd19d5bbc 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -199,6 +199,15 @@ func writeResponse(rw http.ResponseWriter, admissionReview *v1beta1.AdmissionRev
 }
 
 func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	if excludeKyvernoResources(request.Kind.Kind) {
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+			Result: &metav1.Status{
+				Status: "Success",
+			},
+		}
+	}
+
 	logger := ws.log.WithName("resourceMutation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
@@ -322,6 +331,15 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 }
 
 func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	if excludeKyvernoResources(request.Kind.Kind) {
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+			Result: &metav1.Status{
+				Status: "Success",
+			},
+		}
+	}
+
 	logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index fdbe5e8353..2e0f885db3 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -33,10 +33,6 @@ func (ws *WebhookServer) HandleValidation(
 
 	logger := ws.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation)
 
-	if val, err := ctx.Query("request.object.metadata.deletionTimestamp"); val != nil && err == nil {
-		return true, ""
-	}
-
 	// Get new and old resource
 	newR, oldR, err := utils.ExtractResources(patchedResource, request)
 	if err != nil {
@@ -51,6 +47,7 @@ func (ws *WebhookServer) HandleValidation(
 		Context:       ctx,
 		AdmissionInfo: userRequestInfo,
 	}
+
 	var engineResponses []response.EngineResponse
 	for _, policy := range policies {
 		logger.V(3).Info("evaluating policy", "policy", policy.Name)

From 74387d2ee4bea2044cbb5165a144e992a4fd3c84 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Mon, 18 May 2020 20:10:30 -0700
Subject: [PATCH 164/201] Fix CI

---
 cmd/initContainer/main.go | 2 +-
 pkg/engine/utils.go       | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index ba07577665..f239ec7cbd 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -62,7 +62,7 @@ func main() {
 	// Exit for unsupported version of kubernetes cluster
 	// https://github.com/nirmata/kyverno/issues/700
 	// - supported from v1.12.7+
-	if !utils.CompareKubernetesVersion(client, log.Log, 1, 12, 7) {
+	if !utils.HigherThanKubernetesVersion(client, log.Log, 1, 12, 7) {
 		os.Exit(1)
 	}
 
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index f5a1ab4c1b..4f2f7badec 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -115,6 +115,7 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User
 
 	userGroups := append(userInfo.Groups, userInfo.Username)
 
+	// TODO: see issue https://github.com/nirmata/kyverno/issues/861
 	ruleSubjects = append(ruleSubjects,
 		rbacv1.Subject{Kind: "Group", Name: "system:serviceaccounts:kube-system"},
 		rbacv1.Subject{Kind: "Group", Name: "system:nodes"},

From 140d638a9b5ad53278b8063d2756af22f0673d2e Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Mon, 18 May 2020 21:02:21 -0700
Subject: [PATCH 165/201] fix #838 - skip if crd has no schema defined

---
 pkg/openapi/crdSync.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 6edfc03ad1..7af05eecd9 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -138,6 +138,11 @@ func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 		}
 	}
 
+	if openV3schema == nil {
+		log.Log.V(3).Info("skip adding schema, CRD has no properties", "name", crdName)
+		return
+	}
+
 	schemaRaw, _ := json.Marshal(openV3schema)
 	if len(schemaRaw) < 1 {
 		log.Log.V(3).Info("could not parse crd schema", "name", crdName)

From 0670abe2d20eec7b5884bf4e8e1ac97f58a3d619 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Mon, 18 May 2020 21:16:48 -0700
Subject: [PATCH 166/201] set log level

---
 pkg/policy/controller.go          | 2 +-
 pkg/webhookconfig/registration.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index b49a74b604..b896d528b3 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -89,7 +89,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 	log logr.Logger) (*PolicyController, error) {
 	// Event broad caster
 	eventBroadcaster := record.NewBroadcaster()
-	eventBroadcaster.StartLogging(log.Info)
+	eventBroadcaster.StartLogging(log.V(5).Info)
 	eventInterface, err := client.GetEventsInterface()
 	if err != nil {
 		return nil, err
diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go
index 1ed8d3b4e4..9dd7ef1eb6 100644
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@@ -114,7 +114,7 @@ func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration
 	}
 	_, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
-		logger.V(4).Info("resource mutating webhook configuration already exists. not creating one", "name", config.Name)
+		logger.V(6).Info("resource mutating webhook configuration already exists", "name", config.Name)
 		return nil
 	}
 	if err != nil {
@@ -145,7 +145,7 @@ func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfigurati
 
 	_, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false)
 	if errorsapi.IsAlreadyExists(err) {
-		logger.V(4).Info("resource already exists. not create one")
+		logger.V(6).Info("resource validating webhook configuration already exists", "name", config.Name)
 		return nil
 	}
 	if err != nil {

From 9eb2534d63ef0af50704305b0559c15fd4fbe3aa Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 19 May 2020 00:14:23 -0700
Subject: [PATCH 167/201] - fix pending delete for denying deletion rule -
 revert timeoutHandler - update log level

---
 pkg/engine/mutation.go     |  2 +-
 pkg/engine/utils.go        | 17 ++++++++++++-----
 pkg/engine/validation.go   | 11 +++++++++--
 pkg/userinfo/roleRef.go    | 10 ++++++++--
 pkg/webhooks/mutation.go   |  2 +-
 pkg/webhooks/server.go     | 11 +++++------
 pkg/webhooks/validation.go | 15 ++++++++++++++-
 7 files changed, 50 insertions(+), 18 deletions(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 8f76efca9f..5e66b4d0e3 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -48,7 +48,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
 		// dont statisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo); err != nil {
-			logger.V(4).Info("resource fails the match description")
+			logger.V(4).Info("resource fails the match description", "reason", err.Error())
 			continue
 		}
 
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index 4f2f7badec..035c2d5f07 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -18,6 +18,8 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 )
 
+var ExcludeRoles = []string{"system:nodes", "system:serviceaccounts:kube-system", "system:kube-scheduler"}
+
 //EngineStats stores in the statistics for a single application of resource
 type EngineStats struct {
 	// average time required to process the policy rules on a resource
@@ -90,13 +92,18 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription,
 			}
 		}
 	}
-	if len(userInfo.Roles) > 0 {
-		if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) {
+
+	keys := append(admissionInfo.AdmissionUserInfo.Groups, admissionInfo.AdmissionUserInfo.Username)
+
+	if len(userInfo.Roles) > 0 &&
+		!DoesSliceContainsAnyOfTheseValues(keys, ExcludeRoles...) {
+		if !DoesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) {
 			errs = append(errs, fmt.Errorf("user info does not match roles for the given conditionBlock"))
 		}
 	}
-	if len(userInfo.ClusterRoles) > 0 {
-		if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
+	if len(userInfo.ClusterRoles) > 0 &&
+		!DoesSliceContainsAnyOfTheseValues(keys, ExcludeRoles...) {
+		if !DoesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
 			errs = append(errs, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock"))
 		}
 	}
@@ -142,7 +149,7 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User
 	return false
 }
 
-func doesSliceContainsAnyOfTheseValues(slice []string, values ...string) bool {
+func DoesSliceContainsAnyOfTheseValues(slice []string, values ...string) bool {
 
 	var sliceElementsMap = make(map[string]bool, len(slice))
 	for _, sliceElement := range slice {
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index e7659069f1..0d28fcb32b 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -24,7 +24,14 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
 	oldR := policyContext.OldResource
 	ctx := policyContext.Context
 	admissionInfo := policyContext.AdmissionInfo
-	logger := log.Log.WithName("Validate").WithValues("policy", policy.Name, "kind", newR.GetKind(), "namespace", newR.GetNamespace(), "name", newR.GetName())
+	logger := log.Log.WithName("Validate").WithValues("policy", policy.Name)
+
+	if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
+		logger = logger.WithValues("kind", oldR.GetKind(), "namespace", oldR.GetNamespace(), "name", oldR.GetName())
+	} else {
+		logger = logger.WithValues("kind", newR.GetKind(), "namespace", newR.GetNamespace(), "name", newR.GetName())
+	}
+
 	logger.V(4).Info("start processing", "startTime", startTime)
 
 	defer func() {
@@ -103,7 +110,7 @@ func isRequestDenied(log logr.Logger, ctx context.EvalInterface, policy kyverno.
 		}
 
 		if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
-			log.V(4).Info("resource fails the match description")
+			log.V(4).Info("resource fails the match description", "reason", err.Error())
 			continue
 		}
 
diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go
index d813f07f4e..f0c11f2fd0 100644
--- a/pkg/userinfo/roleRef.go
+++ b/pkg/userinfo/roleRef.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/nirmata/kyverno/pkg/engine"
 	v1beta1 "k8s.io/api/admission/v1beta1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -20,6 +21,11 @@ const (
 
 //GetRoleRef gets the list of roles and cluster roles for the incoming api-request
 func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) {
+	keys := append(request.UserInfo.Groups, request.UserInfo.Username)
+	if engine.DoesSliceContainsAnyOfTheseValues(keys, engine.ExcludeRoles...) {
+		return
+	}
+
 	// rolebindings
 	roleBindings, err := rbLister.List(labels.NewSelector())
 	if err != nil {
@@ -101,7 +107,7 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
 	subjectServiceAccount := subject.Namespace + ":" + subject.Name
 	if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {
-		log.Log.V(3).Info(fmt.Sprintf("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]))
+		log.Log.V(6).Info(fmt.Sprintf("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]))
 		return false
 	}
 
@@ -117,6 +123,6 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 		}
 	}
 
-	log.Log.V(3).Info(fmt.Sprintf("user/group '%v' info not found in request userInfo: %v", subject.Name, keys))
+	log.Log.V(6).Info(fmt.Sprintf("user/group '%v' info not found in request userInfo: %v", subject.Name, keys))
 	return false
 }
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 08db69c2b7..4ad5b35e94 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -52,7 +52,7 @@ func (ws *WebhookServer) HandleMutation(
 		engineResponses = append(engineResponses, engineResponse)
 		ws.statusListener.Send(mutateStats{resp: engineResponse})
 		if !engineResponse.IsSuccesful() {
-			logger.Info("failed to apply policy", "policy", policy.Name)
+			logger.Info("failed to apply policy", "policy", policy.Name, "failed rules", engineResponse.GetFailedRules())
 			continue
 		}
 
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index cfd19d5bbc..4607639557 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -134,12 +134,11 @@ func NewWebhookServer(
 	}
 
 	mux := httprouter.New()
-	webhookTimeout := ws.webhookRegistrationClient.GetWebhookTimeOut()
-	mux.HandlerFunc("POST", config.MutatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.resourceMutation, true), webhookTimeout))
-	mux.HandlerFunc("POST", config.ValidatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.resourceValidation, true), webhookTimeout))
-	mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.policyMutation, true), webhookTimeout))
-	mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.policyValidation, true), webhookTimeout))
-	mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, timeoutHandler(ws.handlerFunc(ws.verifyHandler, false), webhookTimeout))
+	mux.HandlerFunc("POST", config.MutatingWebhookServicePath, ws.handlerFunc(ws.resourceMutation, true))
+	mux.HandlerFunc("POST", config.ValidatingWebhookServicePath, ws.handlerFunc(ws.resourceValidation, true))
+	mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.policyMutation, true))
+	mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.policyValidation, true))
+	mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.verifyHandler, false))
 
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index 2e0f885db3..6bd9ed1d25 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -14,6 +14,8 @@ import (
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/policyviolation"
 	v1beta1 "k8s.io/api/admission/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 // HandleValidation handles validating webhook admission request
@@ -41,6 +43,17 @@ func (ws *WebhookServer) HandleValidation(
 		return true, ""
 	}
 
+	var deletionTimeStamp *metav1.Time
+	if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
+		deletionTimeStamp = newR.GetDeletionTimestamp()
+	} else {
+		deletionTimeStamp = oldR.GetDeletionTimestamp()
+	}
+
+	if deletionTimeStamp != nil && request.Operation == v1beta1.Update {
+		return true, ""
+	}
+
 	policyContext := engine.PolicyContext{
 		NewResource:   newR,
 		OldResource:   oldR,
@@ -63,7 +76,7 @@ func (ws *WebhookServer) HandleValidation(
 			resp: engineResponse,
 		})
 		if !engineResponse.IsSuccesful() {
-			logger.V(4).Info("failed to apply policy", "policy", policy.Name)
+			logger.V(4).Info("failed to apply policy", "policy", policy.Name, "failed rules", engineResponse.GetFailedRules())
 			continue
 		}
 

From df452187bf19fc90fdcfbd34fbb2694eda5ebcb2 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 19 May 2020 10:32:42 -0700
Subject: [PATCH 168/201] fix CI

---
 pkg/engine/validation_test.go | 38 ++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 9fb0f448d2..c3a9ffae9a 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -1614,56 +1614,56 @@ func Test_denyFeatureIssue744(t *testing.T) {
 		policy        []byte
 		request       []byte
 		userInfo      []byte
-		expectedError bool
+		requestDenied bool
 	}{
 		{
 			description:   "Blocks delete requests for resources with label allow-deletes(success case)",
-			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes-success"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
 			request:       []byte(`{"uid":"b553344a-172a-4257-8ec4-a8f379f8b844","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"DELETE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":null,"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"f093e3da-f13a-474f-87e8-43e98fe363bf","resourceVersion":"1983","creationTimestamp":"2020-05-06T20:28:43Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:28:43Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"DeleteOptions","apiVersion":"meta.k8s.io/v1","gracePeriodSeconds":30,"propagationPolicy":"Background"}}`),
 			userInfo:      []byte(`{"roles":null,"clusterRoles":["cluster-admin","system:basic-user","system:discovery","system:public-info-viewer"],"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
-			expectedError: true,
+			requestDenied: true,
 		},
 		{
 			description:   "Blocks delete requests for resources with label allow-deletes(failure case)",
-			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes-failure"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
 			request:       []byte(`{"uid":"9a83234d-95d1-4105-b6bf-7d72fd0183ce","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"subResource":"status","requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"requestSubResource":"status","name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"10fb7e1f-3710-43fa-9b7d-fc532b5ff70e","resourceVersion":"2829","creationTimestamp":"2020-05-06T20:36:51Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:36:51Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"10fb7e1f-3710-43fa-9b7d-fc532b5ff70e","resourceVersion":"2829","creationTimestamp":"2020-05-06T20:36:51Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
 			userInfo:      []byte(`{"roles":["kube-system:kubeadm:nodes-kubeadm-config","kube-system:kubeadm:kubelet-config-1.17"],"clusterRoles":["system:discovery","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:basic-user"],"userInfo":{"username":"kubernetes-admin","groups":["system:nodes","system:authenticated"]}}`),
-			expectedError: false,
+			requestDenied: false,
 		},
 		{
 			description:   "Blocks update requests for resources with label allow-updates(success case)",
-			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-updates"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-updates","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Updating {{request.object.kind}} / {{request.object.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equals","value":"UPDATE"}]}}}]}}`),
-			request:       []byte(`{"uid":"7b0600b7-0258-4ecb-9666-c2839bd19612","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"subResource":"status","requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"requestSubResource":"status","name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Running","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","podIP":"10.244.0.8","podIPs":[{"ip":"10.244.0.8"}],"startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2020-05-06T20:42:01Z","finishedAt":"2020-05-06T20:42:01Z","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/library/hello-world:latest","imageID":"docker.io/library/hello-world@sha256:8e3114318a995a1ee497790535e7b88365222a21771ae7e53687ad76563e8e76","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
-			userInfo:      []byte(`{"roles":["kube-system:kubeadm:kubelet-config-1.17","kube-system:kubeadm:nodes-kubeadm-config"],"clusterRoles":["system:basic-user","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:discovery"],"userInfo":{"username":"kubernetes-admin","groups":["system:nodes","system:authenticated"]}}`),
-			expectedError: true,
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-updates-success"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-updates","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Updating {{request.object.kind}} / {{request.object.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equals","value":"UPDATE"}]}}}]}}`),
+			request:       []byte(`{"uid":"7b0600b7-0258-4ecb-9666-c2839bd19612","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"subResource":"status","requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"requestSubResource":"status","name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:node:kind-control-plane","groups":["system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Running","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","podIP":"10.244.0.8","podIPs":[{"ip":"10.244.0.8"}],"startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2020-05-06T20:42:01Z","finishedAt":"2020-05-06T20:42:01Z","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/library/hello-world:latest","imageID":"docker.io/library/hello-world@sha256:8e3114318a995a1ee497790535e7b88365222a21771ae7e53687ad76563e8e76","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
+			userInfo:      []byte(`{"roles":["kube-system:kubeadm:kubelet-config-1.17","kube-system:kubeadm:nodes-kubeadm-config"],"clusterRoles":["system:basic-user","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:discovery"],"userInfo":{"username":"kubernetes-admin","groups":["system:authenticated"]}}`),
+			requestDenied: true,
 		},
 		{
 			description:   "Blocks update requests for resources with label allow-updates(failure case)",
-			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-updates-failure"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`),
 			request:       []byte(`{"uid":"9c284cdb-b0de-42aa-adf5-649a44bc861b","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"CREATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"41a928a7-73f4-419f-bd64-de11f4f0a8ca","creationTimestamp":"2020-05-06T20:43:50Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj"}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"oldObject":null,"dryRun":false,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}}`),
 			userInfo:      []byte(`{"roles":null,"clusterRoles":["system:public-info-viewer","cluster-admin","system:discovery","system:basic-user"],"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
-			expectedError: false,
+			requestDenied: false,
 		},
 		{
 			description:   "Blocks certain fields(success case)",
-			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"prevent-field-update"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"prevent-field-update","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"validate":{"message":"Updating field label 'something' is not allowed","deny":{"conditions":[{"key":"{{request.object.metadata.labels.something}}","operator":"NotEqual","value":""},{"key":"{{request.object.metadata.labels.something}}","operator":"NotEquals","value":"{{request.oldObject.metadata.labels.something}}"}]}}}]}}`),
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"prevent-field-update-success"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"prevent-field-update","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"validate":{"message":"Updating field label 'something' is not allowed","deny":{"conditions":[{"key":"{{request.object.metadata.labels.something}}","operator":"NotEqual","value":""},{"key":"{{request.object.metadata.labels.something}}","operator":"NotEquals","value":"{{request.oldObject.metadata.labels.something}}"}]}}}]}}`),
 			request:       []byte(`{"uid":"11d46f83-a31b-444e-8209-c43b24f1af8a","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"42bd0f0a-4b1f-4f7c-a40d-4dbed5522732","resourceVersion":"4333","creationTimestamp":"2020-05-06T20:51:58Z","labels":{"allow-updates":"false","something":"existes","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"42bd0f0a-4b1f-4f7c-a40d-4dbed5522732","resourceVersion":"4333","creationTimestamp":"2020-05-06T20:51:58Z","labels":{"allow-updates":"false","something":"exists","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"exists\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
 			userInfo:      []byte(`{"roles":null,"clusterRoles":null,"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
-			expectedError: true,
+			requestDenied: true,
 		},
 		{
 			description:   "Blocks certain fields(failure case)",
-			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"prevent-field-update"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"prevent-field-update","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"validate":{"message":"Updating field label 'something' is not allowed","deny":{"conditions":[{"key":"{{request.object.metadata.labels.something}}","operator":"NotEqual","value":""},{"key":"{{request.object.metadata.labels.something}}","operator":"NotEquals","value":"{{request.oldObject.metadata.labels.something}}"}]}}}]}}`),
+			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"prevent-field-update-failure"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"prevent-field-update","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"validate":{"message":"Updating field label 'something' is not allowed","deny":{"conditions":[{"key":"{{request.object.metadata.labels.something}}","operator":"NotEqual","value":""},{"key":"{{request.object.metadata.labels.something}}","operator":"NotEquals","value":"{{request.oldObject.metadata.labels.something}}"}]}}}]}}`),
 			request:       []byte(`{"uid":"cbdce9bb-741d-466a-a440-36155eb4b45b","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"kube-system","operation":"CREATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"kube-system","uid":"490c240c-f96a-4d5a-8860-75597bab0a7e","creationTimestamp":"2020-05-06T21:01:50Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"hello-world\",\"namespace\":\"kube-system\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-8h2h8","secret":{"secretName":"default-token-8h2h8"}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-8h2h8","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"oldObject":null,"dryRun":false,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}}`),
 			userInfo:      []byte(`{"roles":null,"clusterRoles":null,"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
-			expectedError: false,
+			requestDenied: false,
 		},
 		{
 			description:   "Deny all requests on a namespace",
 			policy:        []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-request"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"block-request","match":{"resources":{"namespaces":["kube-system"]}},"validate":{"deny":{}}}]}}`),
 			request:       []byte(`{"uid":"2cf2b192-2c25-4f14-ac3a-315408d398f2","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"f5c33eaf-79d8-4bc0-8819-749b3606012c","resourceVersion":"5470","creationTimestamp":"2020-05-06T20:57:15Z","labels":{"allow-updates":"false","something":"existes","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:57:15Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"f5c33eaf-79d8-4bc0-8819-749b3606012c","resourceVersion":"5470","creationTimestamp":"2020-05-06T20:57:15Z","labels":{"allow-updates":"false","something":"existes","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:57:15Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`),
 			userInfo:      []byte(`{"roles":null,"clusterRoles":null,"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`),
-			expectedError: false,
+			requestDenied: false,
 		},
 	}
 
@@ -1714,8 +1714,10 @@ func Test_denyFeatureIssue744(t *testing.T) {
 			Context:       ctx,
 		}
 		resp := Validate(pc)
-		if resp.IsSuccesful() != !testcase.expectedError {
-			t.Errorf("Testcase has failed")
+		if resp.IsSuccesful() == !testcase.requestDenied {
+			continue
 		}
+
+		t.Errorf("Testcase has failed, policy: %v", policy.Name)
 	}
 }

From 21571ba2755590e0fcf0cea9ee00089378e9fb03 Mon Sep 17 00:00:00 2001
From: sgandon <sgandon@talend.com>
Date: Tue, 19 May 2020 19:33:44 +0200
Subject: [PATCH 169/201] fixed a documentation typo (#864)

---
 documentation/writing-policies-autogen.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/documentation/writing-policies-autogen.md b/documentation/writing-policies-autogen.md
index 97a6c922c6..2688159602 100644
--- a/documentation/writing-policies-autogen.md
+++ b/documentation/writing-policies-autogen.md
@@ -2,7 +2,7 @@
 
 # Auto Generating Rules for Pod Controllers
 
-Writing policies on pods helps address all pod creation flows. However, when pod cotrollers are used pod level policies result in errors not being reported when the pod controller object is created. 
+Writing policies on pods helps address all pod creation flows. However, when pod controllers are used, pod level policies result in errors not being reported when the pod controller object is created. 
 
 Kyverno solves this issue by supporting automatic generation of policy rules for pod controllers from a rule written for a pod.
 

From f0bd8eae11fc653c507c072f80d0e759a8f7e270 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 19 May 2020 12:41:13 -0700
Subject: [PATCH 170/201] clarify names

---
 pkg/engine/utils.go     | 6 +++---
 pkg/userinfo/roleRef.go | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index 035c2d5f07..4a7cc23257 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -18,7 +18,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 )
 
-var ExcludeRoles = []string{"system:nodes", "system:serviceaccounts:kube-system", "system:kube-scheduler"}
+var ExcludeUserInfo = []string{"system:nodes", "system:serviceaccounts:kube-system", "system:kube-scheduler"}
 
 //EngineStats stores in the statistics for a single application of resource
 type EngineStats struct {
@@ -96,13 +96,13 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription,
 	keys := append(admissionInfo.AdmissionUserInfo.Groups, admissionInfo.AdmissionUserInfo.Username)
 
 	if len(userInfo.Roles) > 0 &&
-		!DoesSliceContainsAnyOfTheseValues(keys, ExcludeRoles...) {
+		!DoesSliceContainsAnyOfTheseValues(keys, ExcludeUserInfo...) {
 		if !DoesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) {
 			errs = append(errs, fmt.Errorf("user info does not match roles for the given conditionBlock"))
 		}
 	}
 	if len(userInfo.ClusterRoles) > 0 &&
-		!DoesSliceContainsAnyOfTheseValues(keys, ExcludeRoles...) {
+		!DoesSliceContainsAnyOfTheseValues(keys, ExcludeUserInfo...) {
 		if !DoesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
 			errs = append(errs, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock"))
 		}
diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go
index f0c11f2fd0..78e4d0a7dc 100644
--- a/pkg/userinfo/roleRef.go
+++ b/pkg/userinfo/roleRef.go
@@ -22,7 +22,7 @@ const (
 //GetRoleRef gets the list of roles and cluster roles for the incoming api-request
 func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) {
 	keys := append(request.UserInfo.Groups, request.UserInfo.Username)
-	if engine.DoesSliceContainsAnyOfTheseValues(keys, engine.ExcludeRoles...) {
+	if engine.DoesSliceContainsAnyOfTheseValues(keys, engine.ExcludeUserInfo...) {
 		return
 	}
 

From 34d05c58c2f8662a06e99632c8cf71532db94325 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 19 May 2020 13:04:06 -0700
Subject: [PATCH 171/201] PR fixes

---
 pkg/engine/mutation.go   |  2 +-
 pkg/engine/utils.go      | 24 ++++--------------------
 pkg/engine/validation.go |  2 +-
 pkg/userinfo/roleRef.go  |  7 ++++---
 pkg/utils/util.go        | 16 ++++++++++++++++
 5 files changed, 26 insertions(+), 25 deletions(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 5e66b4d0e3..0127e15b72 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -46,7 +46,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 
 		// check if the resource satisfies the filter conditions defined in the rule
 		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
-		// dont statisfy a policy rule resource description
+		// dont satisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo); err != nil {
 			logger.V(4).Info("resource fails the match description", "reason", err.Error())
 			continue
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index 4a7cc23257..3824cd0b19 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -96,14 +96,14 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription,
 	keys := append(admissionInfo.AdmissionUserInfo.Groups, admissionInfo.AdmissionUserInfo.Username)
 
 	if len(userInfo.Roles) > 0 &&
-		!DoesSliceContainsAnyOfTheseValues(keys, ExcludeUserInfo...) {
-		if !DoesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) {
+		!utils.SliceContains(keys, ExcludeUserInfo...) {
+		if !utils.SliceContains(userInfo.Roles, admissionInfo.Roles...) {
 			errs = append(errs, fmt.Errorf("user info does not match roles for the given conditionBlock"))
 		}
 	}
 	if len(userInfo.ClusterRoles) > 0 &&
-		!DoesSliceContainsAnyOfTheseValues(keys, ExcludeUserInfo...) {
-		if !DoesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
+		!utils.SliceContains(keys, ExcludeUserInfo...) {
+		if !utils.SliceContains(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
 			errs = append(errs, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock"))
 		}
 	}
@@ -149,22 +149,6 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User
 	return false
 }
 
-func DoesSliceContainsAnyOfTheseValues(slice []string, values ...string) bool {
-
-	var sliceElementsMap = make(map[string]bool, len(slice))
-	for _, sliceElement := range slice {
-		sliceElementsMap[sliceElement] = true
-	}
-
-	for _, value := range values {
-		if sliceElementsMap[value] {
-			return true
-		}
-	}
-
-	return false
-}
-
 //MatchesResourceDescription checks if the resource matches resource description of the rule or not
 func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo) error {
 	rule := *ruleRef.DeepCopy()
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 0d28fcb32b..94f18a346b 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -148,7 +148,7 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 
 		// check if the resource satisfies the filter conditions defined in the rule
 		// TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
-		// dont statisfy a policy rule resource description
+		// dont satisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
 			log.V(4).Info("resource fails the match description", "reason", err.Error())
 			continue
diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go
index 78e4d0a7dc..93517dd1c9 100644
--- a/pkg/userinfo/roleRef.go
+++ b/pkg/userinfo/roleRef.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/nirmata/kyverno/pkg/engine"
+	"github.com/nirmata/kyverno/pkg/utils"
 	v1beta1 "k8s.io/api/admission/v1beta1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -22,7 +23,7 @@ const (
 //GetRoleRef gets the list of roles and cluster roles for the incoming api-request
 func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) {
 	keys := append(request.UserInfo.Groups, request.UserInfo.Username)
-	if engine.DoesSliceContainsAnyOfTheseValues(keys, engine.ExcludeUserInfo...) {
+	if utils.SliceContains(keys, engine.ExcludeUserInfo...) {
 		return
 	}
 
@@ -107,10 +108,10 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
 	subjectServiceAccount := subject.Namespace + ":" + subject.Name
 	if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {
-		log.Log.V(6).Info(fmt.Sprintf("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]))
 		return false
 	}
 
+	log.Log.V(3).Info(fmt.Sprintf("found a matched service account not match: %s", subjectServiceAccount))
 	return true
 }
 
@@ -119,10 +120,10 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 	keys := append(userInfo.Groups, userInfo.Username)
 	for _, key := range keys {
 		if subject.Name == key {
+			log.Log.V(3).Info(fmt.Sprintf("found a matched user/group '%v' in request userInfo: %v", subject.Name, keys))
 			return true
 		}
 	}
 
-	log.Log.V(6).Info(fmt.Sprintf("user/group '%v' info not found in request userInfo: %v", subject.Name, keys))
 	return false
 }
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
index d5ff649d6e..13920a02c4 100644
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@@ -173,3 +173,19 @@ func HigherThanKubernetesVersion(client *client.Client, log logr.Logger, k8smajo
 	}
 	return true
 }
+
+func SliceContains(slice []string, values ...string) bool {
+
+	var sliceElementsMap = make(map[string]bool, len(slice))
+	for _, sliceElement := range slice {
+		sliceElementsMap[sliceElement] = true
+	}
+
+	for _, value := range values {
+		if sliceElementsMap[value] {
+			return true
+		}
+	}
+
+	return false
+}

From 6cf630d3f4250667fd030d02d81ada3fad121142 Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Wed, 20 May 2020 00:24:14 -0700
Subject: [PATCH 172/201] Added cpu & memory resource requests and limits

---
 definitions/install.yaml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 7dc32ee76e..f018853a80 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -729,16 +729,23 @@ spec:
       serviceAccountName: kyverno-service-account
       initContainers:
         - name: kyverno-pre
-          image: nirmata/kyvernopre:v1.1.5
+          image: evalsocket/kyvernopre:latest
       containers:
         - name: kyverno
-          image: nirmata/kyverno:v1.1.5
+          image: evalsocket/kyverno:latest
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
           # customize webhook timout
-          # - "--webhooktimeout=4"
+          #- "--webhooktimeout=4"
           ports:
           - containerPort: 443
           env:
           - name: INIT_CONFIG
             value: init-config
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "250m"
+            limits:
+              memory: "128Mi"
+              cpu: "500m"

From b9da2ab96ea49e1ea0213f8fb980ce66c20e9c0c Mon Sep 17 00:00:00 2001
From: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Date: Wed, 20 May 2020 01:41:00 -0700
Subject: [PATCH 173/201] Revert kyverno image version

---
 definitions/install.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index f018853a80..5d4c65a052 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -729,10 +729,10 @@ spec:
       serviceAccountName: kyverno-service-account
       initContainers:
         - name: kyverno-pre
-          image: evalsocket/kyvernopre:latest
+          image: evalsocket/kyvernopre:v1.1.5
       containers:
         - name: kyverno
-          image: evalsocket/kyverno:latest
+          image: evalsocket/kyverno:v1.1.5
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
           # customize webhook timout

From 7f2be174fbba91817e2d32e581d7e4d8771e3b22 Mon Sep 17 00:00:00 2001
From: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Date: Wed, 20 May 2020 01:41:27 -0700
Subject: [PATCH 174/201] Typo fixed

---
 definitions/install.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 5d4c65a052..bbc8acf29d 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -729,10 +729,10 @@ spec:
       serviceAccountName: kyverno-service-account
       initContainers:
         - name: kyverno-pre
-          image: evalsocket/kyvernopre:v1.1.5
+          image: nirmata/kyvernopre:v1.1.5
       containers:
         - name: kyverno
-          image: evalsocket/kyverno:v1.1.5
+          image: nirmata/kyverno:v1.1.5
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
           # customize webhook timout

From ecbc14d559cf36cab76338d3ba8f603ffe137bb5 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 20 May 2020 13:36:00 -0700
Subject: [PATCH 175/201] add clusterrole "admin" "edit" "view" to Kyverno

---
 definitions/install.yaml | 41 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 7dc32ee76e..1865150215 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -699,6 +699,45 @@ rules:
   - namespaces
   verbs:
   - watch
+---  
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kyverno:admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno 
+---  
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kyverno:edit
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno 
+---  
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kyverno:view
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno 
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -707,7 +746,7 @@ metadata:
   namespace: kyverno
 data:
   # resource types to be skipped by kyverno policy engine
-  resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
+  resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
 ---
 apiVersion: apps/v1
 kind: Deployment

From bc981f9a11b3c844356d5b0cf0304374c8f7bf85 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 20 May 2020 13:42:23 -0700
Subject: [PATCH 176/201] fix 869

---
 pkg/policy/existing.go   | 4 ++--
 pkg/webhooks/mutation.go | 3 ---
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index 44850b4df0..75e7dfcbe4 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -35,8 +35,8 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic
 
 		// skip reporting violation on pod which has annotation pod-policies.kyverno.io/autogen-applied
 		ann := policy.GetAnnotations()
-		if _, ok := ann[engine.PodTemplateAnnotation]; ok {
-			if ann[engine.PodTemplateAnnotation] != "none" {
+		if annValue, ok := ann[engine.PodControllersAnnotation]; ok {
+			if annValue != "none" {
 				if skipPodApplication(resource, logger) {
 					continue
 				}
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 4ad5b35e94..d3155d2b74 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -45,9 +45,6 @@ func (ws *WebhookServer) HandleMutation(
 
 		policyContext.Policy = policy
 		engineResponse := engine.Mutate(policyContext)
-		if engineResponse.PolicyResponse.RulesAppliedCount <= 0 {
-			continue
-		}
 
 		engineResponses = append(engineResponses, engineResponse)
 		ws.statusListener.Send(mutateStats{resp: engineResponse})

From bda81f0b93696a39b6405649b9a7c70b2e93f815 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 20 May 2020 13:43:12 -0700
Subject: [PATCH 177/201] - fix variable scope - debug log

---
 pkg/engine/validation.go | 2 +-
 pkg/webhooks/server.go   | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 94f18a346b..152774c04c 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -242,7 +242,7 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 		if path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern); err != nil {
 			// validation failed
 			resp.Success = false
-			resp.Message = fmt.Sprintf("Validation error: %s; Validation rule '%s' failed at path '%s'",
+			resp.Message = fmt.Sprintf("Validation error: %s; Validation rule %s failed at path %s",
 				rule.Validation.Message, rule.Name, path)
 			return resp
 		}
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 4607639557..3a6cd733b4 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -277,10 +277,12 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 		// MUTATION
 		// mutation failure should not block the resource creation
 		// any mutation failure is reported as the violation
-		patches := ws.HandleMutation(request, resource, policies, ctx, userRequestInfo)
+		patches = ws.HandleMutation(request, resource, policies, ctx, userRequestInfo)
+		logger.V(7).Info("", "generated patches", string(patches))
 
 		// patch the resource with patches before handling validation rules
 		patchedResource = processResourceWithPatches(patches, request.Object.Raw, logger)
+		logger.V(7).Info("", "patchedResource", string(patchedResource))
 
 		if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
 			// VALIDATION

From ea66d7a7b8f5f135d9dfcfdd24c2266a3f86fe6e Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 20 May 2020 13:58:56 -0700
Subject: [PATCH 178/201] fix CI

---
 pkg/engine/validation_test.go                          | 10 +++++-----
 ...nario_validate_disallow_default_serviceaccount.yaml |  2 +-
 .../other/scenario_validate_selinux_context.yaml       |  2 +-
 .../best_practices/disallow_docker_sock_mount.yaml     |  2 +-
 .../scenario_validate_disallow_helm_tiller.yaml        |  2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index c3a9ffae9a..03c3361768 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -125,7 +125,7 @@ func TestValidate_image_tag_fail(t *testing.T) {
 	assert.NilError(t, err)
 	msgs := []string{
 		"Validation rule 'validate-tag' succeeded.",
-		"Validation error: imagePullPolicy 'Always' required with tag 'latest'; Validation rule 'validate-latest' failed at path '/spec/containers/0/imagePullPolicy/'",
+		"Validation error: imagePullPolicy 'Always' required with tag 'latest'; Validation rule validate-latest failed at path /spec/containers/0/imagePullPolicy/",
 	}
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
 	for index, r := range er.PolicyResponse.Rules {
@@ -383,7 +383,7 @@ func TestValidate_host_network_port(t *testing.T) {
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
-	msgs := []string{"Validation error: Host network and port are not allowed; Validation rule 'validate-host-network-port' failed at path '/spec/containers/0/ports/0/hostPort/'"}
+	msgs := []string{"Validation error: Host network and port are not allowed; Validation rule validate-host-network-port failed at path /spec/containers/0/ports/0/hostPort/"}
 
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
@@ -561,7 +561,7 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) {
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
-	msgs := []string{"Validation error: Host path '/var/lib/' is not allowed; Validation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/path/'"}
+	msgs := []string{"Validation error: Host path '/var/lib/' is not allowed; Validation rule validate-host-path failed at path /spec/volumes/0/hostPath/path/"}
 
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
@@ -777,7 +777,7 @@ func TestValidate_anchor_map_found_invalid(t *testing.T) {
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
-	msgs := []string{"Validation error: pod: validate run as non root user; Validation rule 'pod rule 2' failed at path '/spec/securityContext/runAsNonRoot/'"}
+	msgs := []string{"Validation error: pod: validate run as non root user; Validation rule pod rule 2 failed at path /spec/securityContext/runAsNonRoot/"}
 
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
@@ -1166,7 +1166,7 @@ func TestValidate_negationAnchor_deny(t *testing.T) {
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
-	msgs := []string{"Validation error: Host path is not allowed; Validation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/'"}
+	msgs := []string{"Validation error: Host path is not allowed; Validation rule validate-host-path failed at path /spec/volumes/0/hostPath/"}
 
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
diff --git a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml
index 9d69addcaf..8c8e82693d 100644
--- a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml
+++ b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml
@@ -14,5 +14,5 @@ expected:
       rules:
         - name: prevent-mounting-default-serviceaccount
           type: Validation
-          message: "Validation error: Prevent mounting of default service account; Validation rule 'prevent-mounting-default-serviceaccount' failed at path '/spec/serviceAccountName/'"
+          message: "Validation error: Prevent mounting of default service account; Validation rule prevent-mounting-default-serviceaccount failed at path /spec/serviceAccountName/"
           success: false
\ No newline at end of file
diff --git a/test/scenarios/other/scenario_validate_selinux_context.yaml b/test/scenarios/other/scenario_validate_selinux_context.yaml
index 8847a64980..91d0f4e0df 100644
--- a/test/scenarios/other/scenario_validate_selinux_context.yaml
+++ b/test/scenarios/other/scenario_validate_selinux_context.yaml
@@ -15,5 +15,5 @@ expected:
       rules:
         - name: validate-selinux-options
           type: Validation
-          message: "Validation error: SELinux level is required; Validation rule 'validate-selinux-options' failed at path '/spec/containers/0/securityContext/seLinuxOptions/'"
+          message: "Validation error: SELinux level is required; Validation rule validate-selinux-options failed at path /spec/containers/0/securityContext/seLinuxOptions/"
           success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml b/test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml
index a0de3a847f..acb30560e9 100644
--- a/test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml
+++ b/test/scenarios/samples/best_practices/disallow_docker_sock_mount.yaml
@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-docker-sock-mount
           type: Validation
-          message: "Validation error: Use of the Docker Unix socket is not allowed; Validation rule 'validate-docker-sock-mount' failed at path '/spec/volumes/0/hostPath/path/'"          
+          message: "Validation error: Use of the Docker Unix socket is not allowed; Validation rule validate-docker-sock-mount failed at path /spec/volumes/0/hostPath/path/"
           success: false
\ No newline at end of file
diff --git a/test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml b/test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml
index ecadd7dca5..4febde8ad1 100644
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml
@@ -12,5 +12,5 @@ expected:
       rules:
         - name: validate-helm-tiller
           type: Validation
-          message: "Validation error: Helm Tiller is not allowed; Validation rule 'validate-helm-tiller' failed at path '/spec/containers/0/image/'"
+          message: "Validation error: Helm Tiller is not allowed; Validation rule validate-helm-tiller failed at path /spec/containers/0/image/"
           success: false

From e1bdfbce27ed94e402b917bf6143dea1eb9ebc26 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 20 May 2020 17:08:30 -0700
Subject: [PATCH 179/201] update log

---
 pkg/webhooks/server.go | 40 +++++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 3a6cd733b4..a434a29acc 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -278,11 +278,11 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 		// mutation failure should not block the resource creation
 		// any mutation failure is reported as the violation
 		patches = ws.HandleMutation(request, resource, policies, ctx, userRequestInfo)
-		logger.V(7).Info("", "generated patches", string(patches))
+		logger.V(6).Info("", "generated patches", string(patches))
 
 		// patch the resource with patches before handling validation rules
 		patchedResource = processResourceWithPatches(patches, request.Object.Raw, logger)
-		logger.V(7).Info("", "patchedResource", string(patchedResource))
+		logger.V(6).Info("", "patchedResource", string(patchedResource))
 
 		if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
 			// VALIDATION
@@ -298,6 +298,8 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 				}
 			}
 		}
+	} else {
+		logger.Info("mutate/validate is not supported prior to Kubernetes 1.14.0")
 	}
 
 	// GENERATE
@@ -332,6 +334,18 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 }
 
 func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+
+	if ok := utils.HigherThanKubernetesVersion(ws.client, ws.log, 1, 14, 0); !ok {
+		logger.Info("mutate/validate is not supported prior to Kubernetes 1.14.0")
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+			Result: &metav1.Status{
+				Status: "Success",
+			},
+		}
+	}
+
 	if excludeKyvernoResources(request.Kind.Kind) {
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
@@ -341,7 +355,6 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		}
 	}
 
-	logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
@@ -408,18 +421,15 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		}
 	}
 
-	higherVersion := utils.HigherThanKubernetesVersion(ws.client, ws.log, 1, 14, 0)
-	if higherVersion {
-		ok, msg := ws.HandleValidation(request, policies, nil, ctx, userRequestInfo)
-		if !ok {
-			logger.Info("admission request denied")
-			return &v1beta1.AdmissionResponse{
-				Allowed: false,
-				Result: &metav1.Status{
-					Status:  "Failure",
-					Message: msg,
-				},
-			}
+	ok, msg := ws.HandleValidation(request, policies, nil, ctx, userRequestInfo)
+	if !ok {
+		logger.Info("admission request denied")
+		return &v1beta1.AdmissionResponse{
+			Allowed: false,
+			Result: &metav1.Status{
+				Status:  "Failure",
+				Message: msg,
+			},
 		}
 	}
 

From 980ad39df82a5e2f1b00e54a383cd173c46e13b5 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 20 May 2020 19:18:03 -0700
Subject: [PATCH 180/201] update helm chart

---
 charts/kyverno/crds/crds.yaml                 | 26 ++++++++++++-
 .../kyverno/templates/clusterrolebinding.yaml | 39 +++++++++++++++++++
 2 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
index e73ad35c65..72b50024b6 100644
--- a/charts/kyverno/crds/crds.yaml
+++ b/charts/kyverno/crds/crds.yaml
@@ -70,7 +70,7 @@ spec:
                               type: string
                             name:
                               type: string
-                            Namespace:
+                            namespace:
                               type: string
                       resources:
                         type: object
@@ -133,7 +133,7 @@ spec:
                               type: string
                             name:
                               type: string
-                            Namespace:
+                            namespace:
                               type: string
                       resources:
                         type: object
@@ -210,6 +210,28 @@ spec:
                         AnyValue: {}
                       anyPattern:
                         AnyValue: {}
+                      deny:
+                        properties:
+                          conditions:
+                            type: array
+                            items:
+                              type: object
+                              required:
+                                - key  # can be of any type
+                                - operator # typed
+                                - value # can be of any type
+                              properties:
+                                operator:
+                                  type: string
+                                  enum:
+                                  - Equal
+                                  - Equals
+                                  - NotEqual
+                                  - NotEquals
+                                key:
+                                  type: string
+                                value:
+                                  type: string
                   generate:
                     type: object
                     required:
diff --git a/charts/kyverno/templates/clusterrolebinding.yaml b/charts/kyverno/templates/clusterrolebinding.yaml
index 87b413a1b7..5e318342a4 100644
--- a/charts/kyverno/templates/clusterrolebinding.yaml
+++ b/charts/kyverno/templates/clusterrolebinding.yaml
@@ -60,6 +60,45 @@ roleRef:
   kind: ClusterRole
   name: {{ template "kyverno.fullname" . }}:generatecontroller
 subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---  
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }} 
+---  
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:edit
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }} 
+---  
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:view
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
 - kind: ServiceAccount
   name: {{ template "kyverno.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}

From 2dda3e2a427eadd686464ee3ea8fe23266cc735e Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Thu, 21 May 2020 08:29:35 -0700
Subject: [PATCH 181/201] pr fix

---
 .../kyverno/templates/clusterrolebinding.yaml | 13 -------------
 definitions/install.yaml                      | 19 ++++---------------
 pkg/webhooks/server.go                        |  4 ++--
 3 files changed, 6 insertions(+), 30 deletions(-)

diff --git a/charts/kyverno/templates/clusterrolebinding.yaml b/charts/kyverno/templates/clusterrolebinding.yaml
index 5e318342a4..228986b0b2 100644
--- a/charts/kyverno/templates/clusterrolebinding.yaml
+++ b/charts/kyverno/templates/clusterrolebinding.yaml
@@ -66,19 +66,6 @@ subjects:
 ---  
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ template "kyverno.fullname" . }}:admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-- kind: ServiceAccount
-  name: {{ template "kyverno.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }} 
----  
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ template "kyverno.fullname" . }}:edit
 roleRef:
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 1865150215..64befaa491 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -702,19 +702,6 @@ rules:
 ---  
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kyverno:admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-- kind: ServiceAccount
-  name: kyverno-service-account
-  namespace: kyverno 
----  
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: kyverno:edit
 roleRef:
@@ -768,14 +755,16 @@ spec:
       serviceAccountName: kyverno-service-account
       initContainers:
         - name: kyverno-pre
-          image: nirmata/kyvernopre:v1.1.5
+          image: nirmata/kyvernopre:v1.1.6-rc1
       containers:
         - name: kyverno
-          image: nirmata/kyverno:v1.1.5
+          image: registry-v2.nirmata.io/nirmata/kyverno:latest
+          imagePullPolicy: Always
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
           # customize webhook timout
           # - "--webhooktimeout=4"
+          - "-v=6"
           ports:
           - containerPort: 443
           env:
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index a434a29acc..65794956bc 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -299,7 +299,7 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 			}
 		}
 	} else {
-		logger.Info("mutate/validate is not supported prior to Kubernetes 1.14.0")
+		logger.Info("mutate and validate rules are not supported prior to Kubernetes 1.14.0")
 	}
 
 	// GENERATE
@@ -337,7 +337,7 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 	logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 
 	if ok := utils.HigherThanKubernetesVersion(ws.client, ws.log, 1, 14, 0); !ok {
-		logger.Info("mutate/validate is not supported prior to Kubernetes 1.14.0")
+		logger.Info("mutate and validate rules are not supported prior to Kubernetes 1.14.0")
 		return &v1beta1.AdmissionResponse{
 			Allowed: true,
 			Result: &metav1.Status{

From 3952aa555086fe1f533ccb921355296b858db74d Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Thu, 21 May 2020 08:49:33 -0700
Subject: [PATCH 182/201] remove unused code

---
 pkg/engine/mutation.go | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 0127e15b72..e2312f3090 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -2,7 +2,6 @@ package engine
 
 import (
 	"encoding/json"
-	"reflect"
 	"strings"
 	"time"
 
@@ -96,15 +95,11 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount(&resp)
 		}
-
-		// insert annotation to podtemplate if resource is pod controller
-		// skip inserting on existing resource
-		if reflect.DeepEqual(policyContext.AdmissionInfo, kyverno.RequestInfo{}) {
-			continue
-		}
 	}
 
-	if strings.Contains(PodControllers, resource.GetKind()) {
+	pocliyAnnotation := policy.GetAnnotations()
+	givenPodControllers := pocliyAnnotation[PodControllersAnnotation]
+	if strings.Contains(givenPodControllers, resource.GetKind()) {
 		if !patchedResourceHasPodControllerAnnotation(patchedResource) {
 			var ruleResponse response.RuleResponse
 			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, "podControllerAnnotation", podTemplateRule.Mutation.Overlay, patchedResource)

From bc0c733fa2905ac6ce4fb8ab94d7b502645effb3 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Thu, 21 May 2020 10:22:19 -0700
Subject: [PATCH 183/201] remove roles

---
 .../kyverno/templates/clusterrolebinding.yaml | 26 -------------------
 definitions/install.yaml                      | 26 -------------------
 2 files changed, 52 deletions(-)

diff --git a/charts/kyverno/templates/clusterrolebinding.yaml b/charts/kyverno/templates/clusterrolebinding.yaml
index 228986b0b2..87b413a1b7 100644
--- a/charts/kyverno/templates/clusterrolebinding.yaml
+++ b/charts/kyverno/templates/clusterrolebinding.yaml
@@ -60,32 +60,6 @@ roleRef:
   kind: ClusterRole
   name: {{ template "kyverno.fullname" . }}:generatecontroller
 subjects:
-- kind: ServiceAccount
-  name: {{ template "kyverno.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
----  
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ template "kyverno.fullname" . }}:edit
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: edit
-subjects:
-- kind: ServiceAccount
-  name: {{ template "kyverno.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }} 
----  
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ template "kyverno.fullname" . }}:view
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: view
-subjects:
 - kind: ServiceAccount
   name: {{ template "kyverno.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 64befaa491..53ae2661ec 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -699,32 +699,6 @@ rules:
   - namespaces
   verbs:
   - watch
----  
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kyverno:edit
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: edit
-subjects:
-- kind: ServiceAccount
-  name: kyverno-service-account
-  namespace: kyverno 
----  
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kyverno:view
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: view
-subjects:
-- kind: ServiceAccount
-  name: kyverno-service-account
-  namespace: kyverno 
 ---
 apiVersion: v1
 kind: ConfigMap

From 30c2e879e25328cee8f372cd47dfcdbf548f1414 Mon Sep 17 00:00:00 2001
From: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Date: Thu, 21 May 2020 10:56:35 -0700
Subject: [PATCH 184/201] update cpu  request limit and remove cpu limit

---
 definitions/install.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index bbc8acf29d..001994bbfb 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -735,7 +735,7 @@ spec:
           image: nirmata/kyverno:v1.1.5
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
-          # customize webhook timout
+          # customize webhook timeout
           #- "--webhooktimeout=4"
           ports:
           - containerPort: 443
@@ -745,7 +745,6 @@ spec:
           resources:
             requests:
               memory: "64Mi"
-              cpu: "250m"
+              cpu: "100m"
             limits:
-              memory: "128Mi"
-              cpu: "500m"
+              memory: "128Mi""

From 3204b16559c066f6f604240a52b2ba69465e2cfa Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Thu, 21 May 2020 12:18:05 -0700
Subject: [PATCH 185/201] resource limit added to kyverno defination and kyvrno
 chart

Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
---
 charts/kyverno/values.yaml | 11 +++++------
 definitions/install.yaml   |  6 +++---
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 85a79299d6..d223c2105a 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -43,12 +43,11 @@ extraArgs: []
 # - --webhooktimeout=4
 
 resources:
-#   limits:
-#     cpu: 1000m
-#     memory: 500Mi
-#   requests:
-#     cpu: 100m
-#     memory: 100Mi
+  limits:
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 50Mi
 
 ## Liveness Probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
diff --git a/definitions/install.yaml b/definitions/install.yaml
index ae70f0426f..51f598071e 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -738,7 +738,7 @@ spec:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
           # customize webhook timeout
           #- "--webhooktimeout=4"
-          - "-v=6"
+          - "-v=2"
           ports:
           - containerPort: 443
           env:
@@ -746,7 +746,7 @@ spec:
             value: init-config
           resources:
             requests:
-              memory: "64Mi"
+              memory: "50Mi"
               cpu: "100m"
             limits:
-              memory: "128Mi""
+              memory: "128Mi"

From 838d02c4758626cc575a15b8c5bbf987dd1539ae Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Tue, 26 May 2020 10:36:56 -0700
Subject: [PATCH 186/201] Bugfix/659 support wildcards for namespaces (#871)

* - support wildcards for namespaces

* do not annotate resource, unless policy is an autogen policy

* close HTTP body

* improve messages

* remove policy store

Policy store was not fully implemented and simply provided a way
to list all polices and get a policy by name, which can be done via
standard client-go interfaces.

We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.

* handle wildcard namespaces in background processing

* fix unit tests 1) remove platform dependent path usage 2) remove policy store

* add test case for mutate with wildcard namespaces
---
 Makefile                                      |   3 +-
 cmd/kyverno/main.go                           |  27 ++-
 go.mod                                        |   1 +
 go.sum                                        |   6 +
 pkg/api/kyverno/v1/utils.go                   |  10 +-
 pkg/engine/mutate/overlay.go                  |  19 +-
 pkg/engine/mutation.go                        |  26 ++-
 pkg/engine/utils.go                           |  20 +--
 pkg/engine/utils/utils.go                     |   4 +-
 pkg/engine/validate/validate.go               |   6 +-
 pkg/engine/validation.go                      |   3 +-
 pkg/policy/controller.go                      | 100 +++++------
 pkg/policy/existing.go                        | 109 ++++++++----
 pkg/policystatus/main.go                      |  16 +-
 pkg/policystatus/status_test.go               |  28 ++-
 pkg/policystore/policystore.go                | 168 ------------------
 pkg/testrunner/scenario.go                    |   4 +-
 pkg/testrunner/testrunner_test.go             |   4 +
 pkg/webhooks/common.go                        |   2 +-
 pkg/webhooks/generation.go                    |   4 +-
 pkg/webhooks/mutation.go                      |   4 +-
 pkg/webhooks/server.go                        |  44 +++--
 pkg/webhooks/validation.go                    |   4 +-
 test/output/output_mutate_pod_spec.yaml       |  24 +++
 .../policy/mutate/policy_mutate_pod_spec.yaml |  23 +++
 test/resources/resource_mutate_pod_spec.yaml  |  22 +++
 .../other/scenario_mutate_pod_spec.yaml       |  19 ++
 27 files changed, 356 insertions(+), 344 deletions(-)
 delete mode 100644 pkg/policystore/policystore.go
 create mode 100644 test/output/output_mutate_pod_spec.yaml
 create mode 100644 test/policy/mutate/policy_mutate_pod_spec.yaml
 create mode 100644 test/resources/resource_mutate_pod_spec.yaml
 create mode 100644 test/scenarios/other/scenario_mutate_pod_spec.yaml

diff --git a/Makefile b/Makefile
index cb6d878fa2..56c3b92ddd 100644
--- a/Makefile
+++ b/Makefile
@@ -55,7 +55,8 @@ KYVERNO_PATH := cmd/kyverno
 KYVERNO_IMAGE := kyverno
 
 local:
-	go build -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/
+	go build -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)
+	go build -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH)
 
 kyverno:
 	GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/main.go
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 42cea9532b..930ca68a8c 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -19,7 +19,6 @@ import (
 	generatecleanup "github.com/nirmata/kyverno/pkg/generate/cleanup"
 	"github.com/nirmata/kyverno/pkg/policy"
 	"github.com/nirmata/kyverno/pkg/policystatus"
-	"github.com/nirmata/kyverno/pkg/policystore"
 	"github.com/nirmata/kyverno/pkg/policyviolation"
 	"github.com/nirmata/kyverno/pkg/signal"
 	"github.com/nirmata/kyverno/pkg/utils"
@@ -74,7 +73,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	// KYVENO CRD CLIENT
+	// KYVERNO CRD CLIENT
 	// access CRD resources
 	//		- Policy
 	//		- PolicyViolation
@@ -95,7 +94,7 @@ func main() {
 	// CRD CHECK
 	// - verify if the CRD for Policy & PolicyViolation are available
 	if !utils.CRDInstalled(client.DiscoveryClient, log.Log) {
-		setupLog.Error(fmt.Errorf("pre-requisite CRDs not installed"), "Failed to create watch on kyverno CRDs")
+		setupLog.Error(fmt.Errorf("CRDs not installed"), "Failed to access Kyverno CRDs")
 		os.Exit(1)
 	}
 
@@ -146,20 +145,18 @@ func main() {
 		log.Log.WithName("ConfigData"),
 	)
 
-	// Policy meta-data store
-	policyMetaStore := policystore.NewPolicyStore(pInformer.Kyverno().V1().ClusterPolicies(), log.Log.WithName("PolicyStore"))
-
 	// EVENT GENERATOR
 	// - generate event with retry mechanism
-	egen := event.NewEventGenerator(
+	eventGenerator := event.NewEventGenerator(
 		client,
 		pInformer.Kyverno().V1().ClusterPolicies(),
 		log.Log.WithName("EventGenerator"))
 
+
 	// Policy Status Handler - deals with all logic related to policy status
 	statusSync := policystatus.NewSync(
 		pclient,
-		policyMetaStore)
+		pInformer.Kyverno().V1().ClusterPolicies().Lister(),)
 
 	// POLICY VIOLATION GENERATOR
 	// -- generate policy violation
@@ -181,10 +178,10 @@ func main() {
 		pInformer.Kyverno().V1().ClusterPolicyViolations(),
 		pInformer.Kyverno().V1().PolicyViolations(),
 		configData,
-		egen,
+		eventGenerator,
 		pvgen,
-		policyMetaStore,
 		rWebhookWatcher,
+		kubeInformer.Core().V1().Namespaces(),
 		log.Log.WithName("PolicyController"),
 	)
 
@@ -203,7 +200,7 @@ func main() {
 		client,
 		pInformer.Kyverno().V1().ClusterPolicies(),
 		pInformer.Kyverno().V1().GenerateRequests(),
-		egen,
+		eventGenerator,
 		pvgen,
 		kubedynamicInformer,
 		statusSync.Listener,
@@ -247,7 +244,7 @@ func main() {
 	// Sync openAPI definitions of resources
 	openAPISync := openapi.NewCRDSync(client, openAPIController)
 
-	// WEBHOOOK
+	// WEBHOOK
 	// - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration
 	// - reports the results based on the response from the policy engine:
 	// -- annotations on resources with update details on mutation JSON patches
@@ -260,11 +257,10 @@ func main() {
 		pInformer.Kyverno().V1().ClusterPolicies(),
 		kubeInformer.Rbac().V1().RoleBindings(),
 		kubeInformer.Rbac().V1().ClusterRoleBindings(),
-		egen,
+		eventGenerator,
 		webhookRegistrationClient,
 		statusSync.Listener,
 		configData,
-		policyMetaStore,
 		pvgen,
 		grgen,
 		rWebhookWatcher,
@@ -285,9 +281,8 @@ func main() {
 	go grgen.Run(1)
 	go rWebhookWatcher.Run(stopCh)
 	go configData.Run(stopCh)
-	go policyMetaStore.Run(stopCh)
 	go policyCtrl.Run(3, stopCh)
-	go egen.Run(1, stopCh)
+	go eventGenerator.Run(1, stopCh)
 	go grc.Run(1, stopCh)
 	go grcc.Run(1, stopCh)
 	go pvgen.Run(1, stopCh)
diff --git a/go.mod b/go.mod
index 5ea14164c1..fb142d89bd 100644
--- a/go.mod
+++ b/go.mod
@@ -14,6 +14,7 @@ require (
 	github.com/json-iterator/go v1.1.9 // indirect
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/minio/minio v0.0.0-20200114012931-30922148fbb5
+	github.com/ory/go-acc v0.2.1 // indirect
 	github.com/rogpeppe/godef v1.1.2 // indirect
 	github.com/spf13/cobra v0.0.5
 	github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5
diff --git a/go.sum b/go.sum
index fd8613ac08..a1dcba8344 100644
--- a/go.sum
+++ b/go.sum
@@ -426,6 +426,7 @@ github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OI
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.0 h1:Jf4mxPC/ziBnoPIdpQdPJ9OeiomAUHLvxmPRSPH9m4s=
 github.com/google/uuid v1.1.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
@@ -680,6 +681,8 @@ github.com/ory/fosite v0.29.0/go.mod h1:0atSZmXO7CAcs6NPMI/Qtot8tmZYj04Nddoold4S
 github.com/ory/go-acc v0.0.0-20181118080137-ddc355013f90/go.mod h1:sxnvPCxChFuSmTJGj8FdMupeq1BezCiEpDjTUXQ4hf4=
 github.com/ory/go-acc v0.1.0 h1:ibxdv3n2k4cqh0VXWa9RHARtbR7tcT7jsnSnmGZkDIM=
 github.com/ory/go-acc v0.1.0/go.mod h1:0omgy2aa3nDBJ45VAKeLHH8ccPBudxLeic4xiDRtug0=
+github.com/ory/go-acc v0.2.1 h1:Pwcmwd/cSnwJsYN76+w3HU7oXeWFTkwj/KUj1qGDrVw=
+github.com/ory/go-acc v0.2.1/go.mod h1:0omgy2aa3nDBJ45VAKeLHH8ccPBudxLeic4xiDRtug0=
 github.com/ory/go-convenience v0.1.0/go.mod h1:uEY/a60PL5c12nYz4V5cHY03IBmwIAEm8TWB0yn9KNs=
 github.com/ory/gojsonreference v0.0.0-20190720135523-6b606c2d8ee8/go.mod h1:wsH1C4nIeeQClDtD5AH7kF1uTS6zWyqfjVDTmB0Em7A=
 github.com/ory/gojsonschema v1.1.1-0.20190919112458-f254ca73d5e9/go.mod h1:BNZpdJgB74KOLSsWFvzw6roXg1I6O51WO8roMmW+T7Y=
@@ -1140,6 +1143,7 @@ k8s.io/apimachinery v0.0.0-20190612125636-6a5db36e93ad/go.mod h1:I4A+glKBHiTgiEj
 k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
 k8s.io/apimachinery v0.17.4 h1:UzM+38cPUJnzqSQ+E1PY4YxMHIzQyCg29LOoGfo79Zw=
 k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g=
+k8s.io/apimachinery v0.18.3 h1:pOGcbVAhxADgUYnjS08EFXs9QMl8qaH5U4fr5LGUrSk=
 k8s.io/apiserver v0.17.2/go.mod h1:lBmw/TtQdtxvrTk0e2cgtOxHizXI+d0mmGQURIHQZlo=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a h1:REMzGxu+NpG9dPRsE9my/fw9iYIecz1S8UFFl6hbe18=
 k8s.io/cli-runtime v0.0.0-20191004110135-b9eb767d2e1a/go.mod h1:qWnH3/b8sp/l7EvlDh7ulDU3UWA4P4N1NFbEEP791tM=
@@ -1148,6 +1152,8 @@ k8s.io/cli-runtime v0.17.4/go.mod h1:IVW4zrKKx/8gBgNNkhiUIc7nZbVVNhc1+HcQh+PiNHc
 k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI=
 k8s.io/client-go v0.17.4 h1:VVdVbpTY70jiNHS1eiFkUt7ZIJX3txd29nDxxXH4en8=
 k8s.io/client-go v0.17.4/go.mod h1:ouF6o5pz3is8qU0/qYL2RnoxOPqgfuidYLowytyLJmc=
+k8s.io/client-go v1.5.1 h1:XaX/lo2/u3/pmFau8HN+sB5C/b4dc4Dmm2eXjBH4p1E=
+k8s.io/client-go v11.0.0+incompatible h1:LBbX2+lOwY9flffWlJM7f1Ct8V2SRNiMRDFeiwnJo9o=
 k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible h1:bK03DJulJi9j05gwnXUufcs2j7h4M85YFvJ0dIlQ9k4=
 k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s=
 k8s.io/code-generator v0.0.0-20200306081859-6a048a382944/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc=
diff --git a/pkg/api/kyverno/v1/utils.go b/pkg/api/kyverno/v1/utils.go
index abe266eabd..6a5bfe12b3 100644
--- a/pkg/api/kyverno/v1/utils.go
+++ b/pkg/api/kyverno/v1/utils.go
@@ -3,7 +3,7 @@ package v1
 import "reflect"
 
 //HasMutateOrValidateOrGenerate checks for rule types
-func (p ClusterPolicy) HasMutateOrValidateOrGenerate() bool {
+func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool {
 	for _, rule := range p.Spec.Rules {
 		if rule.HasMutate() || rule.HasValidate() || rule.HasGenerate() {
 			return true
@@ -12,6 +12,14 @@ func (p ClusterPolicy) HasMutateOrValidateOrGenerate() bool {
 	return false
 }
 
+func (p *ClusterPolicy) BackgroundProcessingEnabled() bool {
+	if p.Spec.Background == nil {
+		return true
+	}
+
+	return *p.Spec.Background
+}
+
 //HasMutate checks for mutate rule
 func (r Rule) HasMutate() bool {
 	return !reflect.DeepEqual(r.Mutation, Mutation{})
diff --git a/pkg/engine/mutate/overlay.go b/pkg/engine/mutate/overlay.go
index 5e4982260e..06b6151994 100644
--- a/pkg/engine/mutate/overlay.go
+++ b/pkg/engine/mutate/overlay.go
@@ -24,7 +24,7 @@ import (
 func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
 	startTime := time.Now()
 	logger := log.WithValues("rule", ruleName)
-	logger.V(4).Info("started applying overlay rule ", "startTime", startTime)
+	logger.V(4).Info("started applying overlay rule", "startTime", startTime)
 	resp.Name = ruleName
 	resp.Type = utils.Mutation.String()
 	defer func() {
@@ -33,28 +33,27 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou
 	}()
 
 	patches, overlayerr := processOverlayPatches(logger, resource.UnstructuredContent(), overlay)
-	// resource does not satisfy the overlay pattern, we don't apply this rule
 	if !reflect.DeepEqual(overlayerr, overlayError{}) {
 		switch overlayerr.statusCode {
-		// condition key is not present in the resource, don't apply this rule
-		// consider as success
+
 		case conditionNotPresent:
-			logger.V(3).Info("skip applying rule")
+			logger.V(3).Info("skip applying rule", "reason", "conditionNotPresent")
 			resp.Success = true
 			return resp, resource
-		// conditions are not met, don't apply this rule
+
 		case conditionFailure:
-			logger.V(3).Info("skip applying rule")
+			logger.V(3).Info("skip applying rule", "reason", "conditionFailure")
 			//TODO: send zero response and not consider this as applied?
 			resp.Success = true
 			resp.Message = overlayerr.ErrorMsg()
 			return resp, resource
-		// rule application failed
+
 		case overlayFailure:
 			logger.Info("failed to process overlay")
 			resp.Success = false
 			resp.Message = fmt.Sprintf("failed to process overlay: %v", overlayerr.ErrorMsg())
 			return resp, resource
+
 		default:
 			logger.Info("failed to process overlay")
 			resp.Success = false
@@ -63,6 +62,7 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou
 		}
 	}
 
+	logger.V(4).Info("processing overlay rule", "patches", len(patches))
 	if len(patches) == 0 {
 		resp.Success = true
 		return resp, resource
@@ -78,15 +78,16 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou
 	}
 
 	var patchResource []byte
+	logger.V(5).Info("applying overlay patches", "patches", string(utils.JoinPatches(patches)))
 	patchResource, err = utils.ApplyPatches(resourceRaw, patches)
 	if err != nil {
 		msg := fmt.Sprintf("failed to apply JSON patches: %v", err)
-		logger.V(2).Info("applying patches", "patches", string(utils.JoinPatches(patches)))
 		resp.Success = false
 		resp.Message = msg
 		return resp, resource
 	}
 
+	logger.V(5).Info("patched resource", "patches", string(patchResource))
 	err = patchedResource.UnmarshalJSON(patchResource)
 	if err != nil {
 		logger.Error(err, "failed to unmarshal resource")
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index e2312f3090..b1e1385078 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -30,7 +30,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 	resource := policyContext.NewResource
 	ctx := policyContext.Context
 	logger := log.Log.WithName("Mutate").WithValues("policy", policy.Name, "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
-	logger.V(4).Info("start processing", "startTime", startTime)
+	logger.V(4).Info("start policy processing", "startTime", startTime)
 	startMutateResultResponse(&resp, policy, resource)
 	defer endMutateResultResponse(logger, &resp, startTime)
 
@@ -47,7 +47,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
 		// dont satisfy a policy rule resource description
 		if err := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo); err != nil {
-			logger.V(4).Info("resource fails the match description", "reason", err.Error())
+			logger.V(3).Info("resource not matched", "reason", err.Error())
 			continue
 		}
 
@@ -56,7 +56,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		// evaluate pre-conditions
 		// - handle variable subsitutions
 		if !variables.EvaluateConditions(logger, ctx, copyConditions) {
-			logger.V(4).Info("resource fails the preconditions")
+			logger.V(3).Info("resource fails the preconditions")
 			continue
 		}
 
@@ -97,9 +97,9 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		}
 	}
 
-	pocliyAnnotation := policy.GetAnnotations()
-	givenPodControllers := pocliyAnnotation[PodControllersAnnotation]
-	if strings.Contains(givenPodControllers, resource.GetKind()) {
+	// insert annotation to podtemplate if resource is pod controller
+	// skip inserting on existing resource
+	if autoGenPolicy(&policy) && strings.Contains(PodControllers, resource.GetKind()) {
 		if !patchedResourceHasPodControllerAnnotation(patchedResource) {
 			var ruleResponse response.RuleResponse
 			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, "podControllerAnnotation", podTemplateRule.Mutation.Overlay, patchedResource)
@@ -113,11 +113,18 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 			}
 		}
 	}
+
 	// send the patched resource
 	resp.PatchedResource = patchedResource
 	return resp
 }
 
+func autoGenPolicy(policy *kyverno.ClusterPolicy) bool {
+	annotations := policy.GetObjectMeta().GetAnnotations()
+	_, ok := annotations[PodControllersAnnotation]
+	return ok
+}
+
 func patchedResourceHasPodControllerAnnotation(resource unstructured.Unstructured) bool {
 	var podController struct {
 		Spec struct {
@@ -132,7 +139,10 @@ func patchedResourceHasPodControllerAnnotation(resource unstructured.Unstructure
 	resourceRaw, _ := json.Marshal(resource.Object)
 	_ = json.Unmarshal(resourceRaw, &podController)
 
-	_, ok := podController.Spec.Template.Metadata.Annotations[PodTemplateAnnotation]
+	val, ok := podController.Spec.Template.Metadata.Annotations[PodTemplateAnnotation]
+
+	log.Log.Info("patchedResourceHasPodControllerAnnotation", "resourceRaw", string(resourceRaw), "val", val, "ok", ok)
+
 	return ok
 }
 func incrementAppliedRuleCount(resp *response.EngineResponse) {
@@ -152,7 +162,7 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
 
 func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse, startTime time.Time) {
 	resp.PolicyResponse.ProcessingTime = time.Since(startTime)
-	logger.V(4).Info("finshed processing", "processingTime", resp.PolicyResponse.ProcessingTime, "mutationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
+	logger.V(4).Info("finished processing policy", "processingTime", resp.PolicyResponse.ProcessingTime, "mutationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
 }
 
 // podTemplateRule mutate pod template with annotation
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index 3824cd0b19..2c544331a4 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -44,7 +44,7 @@ func checkName(name, resourceName string) bool {
 
 func checkNameSpace(namespaces []string, resourceNameSpace string) bool {
 	for _, namespace := range namespaces {
-		if resourceNameSpace == namespace {
+		if wildcard.Match(namespace, resourceNameSpace) {
 			return true
 		}
 	}
@@ -69,26 +69,26 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription,
 	var errs []error
 	if len(conditionBlock.Kinds) > 0 {
 		if !checkKind(conditionBlock.Kinds, resource.GetKind()) {
-			errs = append(errs, fmt.Errorf("resource kind does not match conditionBlock"))
+			errs = append(errs, fmt.Errorf("kind does not match"))
 		}
 	}
 	if conditionBlock.Name != "" {
 		if !checkName(conditionBlock.Name, resource.GetName()) {
-			errs = append(errs, fmt.Errorf("resource name does not match conditionBlock"))
+			errs = append(errs, fmt.Errorf("name does not match"))
 		}
 	}
 	if len(conditionBlock.Namespaces) > 0 {
 		if !checkNameSpace(conditionBlock.Namespaces, resource.GetNamespace()) {
-			errs = append(errs, fmt.Errorf("resource namespace does not match conditionBlock"))
+			errs = append(errs, fmt.Errorf("namespace does not match"))
 		}
 	}
 	if conditionBlock.Selector != nil {
 		hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels())
 		if err != nil {
-			errs = append(errs, fmt.Errorf("could not parse selector block of the policy in conditionBlock: %v", err))
+			errs = append(errs, fmt.Errorf("failed to parse selector: %v", err))
 		} else {
 			if !hasPassed {
-				errs = append(errs, fmt.Errorf("resource does not match selector of given conditionBlock"))
+				errs = append(errs, fmt.Errorf("selector does not match"))
 			}
 		}
 	}
@@ -167,7 +167,7 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k
 		matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, rule.MatchResources.UserInfo, admissionInfo, resource)
 		reasonsForFailure = append(reasonsForFailure, matchErrs...)
 	} else {
-		reasonsForFailure = append(reasonsForFailure, fmt.Errorf("match block in rule cannot be empty"))
+		reasonsForFailure = append(reasonsForFailure, fmt.Errorf("match cannot be empty"))
 	}
 
 	// checking if resource has been excluded
@@ -175,15 +175,15 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k
 		!reflect.DeepEqual(rule.ExcludeResources.UserInfo, kyverno.UserInfo{}) {
 		excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, rule.ExcludeResources.UserInfo, admissionInfo, resource)
 		if excludeErrs == nil {
-			reasonsForFailure = append(reasonsForFailure, fmt.Errorf("resource has been excluded since it matches the exclude block"))
+			reasonsForFailure = append(reasonsForFailure, fmt.Errorf("resource excluded"))
 		}
 	}
 
 	// creating final error
-	var errorMessage = "rule has failed to match resource for the following reasons:"
+	var errorMessage = "rule not matched:"
 	for i, reasonForFailure := range reasonsForFailure {
 		if reasonForFailure != nil {
-			errorMessage += "\n" + fmt.Sprint(i+1) + ". " + reasonForFailure.Error()
+			errorMessage += "\n " + fmt.Sprint(i+1) + ". " + reasonForFailure.Error()
 		}
 	}
 
diff --git a/pkg/engine/utils/utils.go b/pkg/engine/utils/utils.go
index 62b132f3ed..c5f7fafe6a 100644
--- a/pkg/engine/utils/utils.go
+++ b/pkg/engine/utils/utils.go
@@ -30,7 +30,7 @@ func (ri RuleType) String() string {
 }
 
 // ApplyPatches patches given resource with given patches and returns patched document
-// return origin resource if any error occurs
+// return original resource if any error occurs
 func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error) {
 	joinedPatches := JoinPatches(patches)
 	patch, err := jsonpatch.DecodePatch(joinedPatches)
@@ -42,6 +42,7 @@ func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error) {
 	if err != nil {
 		return resource, err
 	}
+
 	return patchedDocument, err
 }
 
@@ -56,6 +57,7 @@ func ApplyPatchNew(resource, patch []byte) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	return patchedResource, err
 
 }
diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go
index 6e3d40da7d..f148f88f85 100644
--- a/pkg/engine/validate/validate.go
+++ b/pkg/engine/validate/validate.go
@@ -3,7 +3,7 @@ package validate
 import (
 	"errors"
 	"fmt"
-	"path/filepath"
+	"path"
 	"reflect"
 	"strconv"
 	"strings"
@@ -188,11 +188,11 @@ func valFromReferenceToString(value interface{}, operator string) (string, error
 
 // returns absolute path
 func formAbsolutePath(referencePath, absolutePath string) string {
-	if filepath.IsAbs(referencePath) {
+	if path.IsAbs(referencePath) {
 		return referencePath
 	}
 
-	return filepath.Join(absolutePath, referencePath)
+	return path.Join(absolutePath, referencePath)
 }
 
 //Prepares original pattern, path to value, and call traverse function
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 152774c04c..6b20426999 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -221,8 +221,9 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 	resp.Type = utils.Validation.String()
 	defer func() {
 		resp.RuleStats.ProcessingTime = time.Since(startTime)
-		logger.V(4).Info("finshed processing", "processingTime", resp.RuleStats.ProcessingTime)
+		logger.V(4).Info("finished processing rule", "processingTime", resp.RuleStats.ProcessingTime)
 	}()
+
 	// work on a copy of validation rule
 	validationRule := rule.Validation.DeepCopy()
 
diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index b896d528b3..36928555ca 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -1,6 +1,7 @@
 package policy
 
 import (
+	informers "k8s.io/client-go/informers/core/v1"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -13,7 +14,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/constant"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/event"
-	"github.com/nirmata/kyverno/pkg/policystore"
 	"github.com/nirmata/kyverno/pkg/policyviolation"
 	"github.com/nirmata/kyverno/pkg/webhookconfig"
 	v1 "k8s.io/api/core/v1"
@@ -48,30 +48,42 @@ type PolicyController struct {
 
 	//pvControl is used for adoptin/releasing policy violation
 	pvControl PVControlInterface
+
 	// Policys that need to be synced
 	queue workqueue.RateLimitingInterface
+
 	// pLister can list/get policy from the shared informer's store
 	pLister kyvernolister.ClusterPolicyLister
+
 	// pvLister can list/get policy violation from the shared informer's store
 	cpvLister kyvernolister.ClusterPolicyViolationLister
+
 	// nspvLister can list/get namespaced policy violation from the shared informer's store
 	nspvLister kyvernolister.PolicyViolationLister
+
 	// pListerSynced returns true if the Policy store has been synced at least once
 	pListerSynced cache.InformerSynced
+
 	// pvListerSynced returns true if the Policy store has been synced at least once
 	cpvListerSynced cache.InformerSynced
+
 	// pvListerSynced returns true if the Policy Violation store has been synced at least once
 	nspvListerSynced cache.InformerSynced
+
+	nsInformer informers.NamespaceInformer
+
 	// Resource manager, manages the mapping for already processed resource
 	rm resourceManager
+
 	// helpers to validate against current loaded configuration
 	configHandler config.Interface
-	// store to hold policy meta data for faster lookup
-	pMetaStore policystore.UpdateInterface
+
 	// policy violation generator
 	pvGenerator policyviolation.GeneratorInterface
+
 	// resourceWebhookWatcher queues the webhook creation request, creates the webhook
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
+
 	log                    logr.Logger
 }
 
@@ -81,12 +93,12 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 	pInformer kyvernoinformer.ClusterPolicyInformer,
 	cpvInformer kyvernoinformer.ClusterPolicyViolationInformer,
 	nspvInformer kyvernoinformer.PolicyViolationInformer,
-	configHandler config.Interface,
-	eventGen event.Interface,
+	configHandler config.Interface, eventGen event.Interface,
 	pvGenerator policyviolation.GeneratorInterface,
-	pMetaStore policystore.UpdateInterface,
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
+	namespaces informers.NamespaceInformer,
 	log logr.Logger) (*PolicyController, error) {
+
 	// Event broad caster
 	eventBroadcaster := record.NewBroadcaster()
 	eventBroadcaster.StartLogging(log.V(5).Info)
@@ -103,9 +115,9 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 		eventRecorder:          eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "policy_controller"}),
 		queue:                  workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "policy"),
 		configHandler:          configHandler,
-		pMetaStore:             pMetaStore,
 		pvGenerator:            pvGenerator,
 		resourceWebhookWatcher: resourceWebhookWatcher,
+		nsInformer: namespaces,
 		log:                    log,
 	}
 
@@ -147,32 +159,30 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 	return &pc, nil
 }
 
+func  (pc *PolicyController)  canBackgroundProcess(p *kyverno.ClusterPolicy) bool {
+	logger := pc.log.WithValues("policy", p.Name)
+	if !p.BackgroundProcessingEnabled() {
+		logger.V(4).Info("background processed is disabled")
+		return false
+	}
+
+	if err := ContainsVariablesOtherThanObject(*p); err != nil {
+		logger.V(4).Info("policy cannot be processed in the background")
+		return false
+	}
+
+	return true
+}
+
+
 func (pc *PolicyController) addPolicy(obj interface{}) {
 	logger := pc.log
 	p := obj.(*kyverno.ClusterPolicy)
-	// Only process policies that are enabled for "background" execution
-	// policy.spec.background -> "True"
-	// register with policy meta-store
-	pc.pMetaStore.Register(*p)
-
-	// TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598
-	if p.Spec.Background == nil {
-		// if userInfo is not defined in policy we process the policy
-		if err := ContainsVariablesOtherThanObject(*p); err != nil {
-			return
-		}
-	} else {
-		if !*p.Spec.Background {
-			return
-		}
-		// If userInfo is used then skip the policy
-		// ideally this should be handled by background flag only
-		if err := ContainsVariablesOtherThanObject(*p); err != nil {
-			// contains userInfo used in policy
-			return
-		}
+	if !pc.canBackgroundProcess(p) {
+		return
 	}
-	logger.V(4).Info("adding policy", "name", p.Name)
+
+	logger.V(4).Info("queuing policy for background processing", "name", p.Name)
 	pc.enqueuePolicy(p)
 }
 
@@ -180,32 +190,9 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 	logger := pc.log
 	oldP := old.(*kyverno.ClusterPolicy)
 	curP := cur.(*kyverno.ClusterPolicy)
-	// TODO: optimize this : policy meta-store
-	// Update policy-> (remove,add)
-	err := pc.pMetaStore.UnRegister(*oldP)
-	if err != nil {
-		logger.Error(err, "failed to unregister policy", "name", oldP.Name)
-	}
-	pc.pMetaStore.Register(*curP)
 
-	// Only process policies that are enabled for "background" execution
-	// policy.spec.background -> "True"
-	// TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598
-	if curP.Spec.Background == nil {
-		// if userInfo is not defined in policy we process the policy
-		if err := ContainsVariablesOtherThanObject(*curP); err != nil {
-			return
-		}
-	} else {
-		if !*curP.Spec.Background {
-			return
-		}
-		// If userInfo is used then skip the policy
-		// ideally this should be handled by background flag only
-		if err := ContainsVariablesOtherThanObject(*curP); err != nil {
-			// contains userInfo used in policy
-			return
-		}
+	if !pc.canBackgroundProcess(curP) {
+		return
 	}
 
 	logger.V(4).Info("updating policy", "name", oldP.Name)
@@ -221,6 +208,7 @@ func (pc *PolicyController) deletePolicy(obj interface{}) {
 			logger.Info("couldnt get object from tomstone", "obj", obj)
 			return
 		}
+
 		p, ok = tombstone.Obj.(*kyverno.ClusterPolicy)
 		if !ok {
 			logger.Info("tombstone container object that is not a policy", "obj", obj)
@@ -229,10 +217,6 @@ func (pc *PolicyController) deletePolicy(obj interface{}) {
 	}
 
 	logger.V(4).Info("deleting policy", "name", p.Name)
-	// Unregister from policy meta-store
-	if err := pc.pMetaStore.UnRegister(*p); err != nil {
-		logger.Error(err, "failed to unregister policy", "name", p.Name)
-	}
 
 	// we process policies that are not set of background processing as we need to perform policy violation
 	// cleanup when a policy is deleted.
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index 75e7dfcbe4..fdef1bb34c 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -1,7 +1,9 @@
 package policy
 
 import (
+	informers "k8s.io/client-go/informers/core/v1"
 	"reflect"
+	"strings"
 	"sync"
 	"time"
 
@@ -25,7 +27,7 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic
 	pc.rm.Drop()
 	var engineResponses []response.EngineResponse
 	// get resource that are satisfy the resource description defined in the rules
-	resourceMap := listResources(pc.client, policy, pc.configHandler, logger)
+	resourceMap := pc.listResources(policy)
 	for _, resource := range resourceMap {
 		// pre-processing, check if the policy and resource version has been processed before
 		if !pc.rm.ProcessResource(policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion()) {
@@ -53,35 +55,27 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic
 	return engineResponses
 }
 
-func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHandler config.Interface, log logr.Logger) map[string]unstructured.Unstructured {
+func (pc *PolicyController) listResources(policy kyverno.ClusterPolicy) map[string]unstructured.Unstructured {
 	// key uid
 	resourceMap := map[string]unstructured.Unstructured{}
 
 	for _, rule := range policy.Spec.Rules {
 		for _, k := range rule.MatchResources.Kinds {
 
-			resourceSchema, _, err := client.DiscoveryClient.FindResource(k)
+			resourceSchema, _, err := pc.client.DiscoveryClient.FindResource(k)
 			if err != nil {
-				log.Error(err, "failed to find resource", "kind", k)
+				pc.log.Error(err, "failed to find resource", "kind", k)
 				continue
 			}
 
 			if !resourceSchema.Namespaced {
-				rMap := getResourcesPerNamespace(k, client, "", rule, configHandler, log)
-				mergeresources(resourceMap, rMap)
+				rMap := getResourcesPerNamespace(k, pc.client, "", rule, pc.configHandler, pc.log)
+				mergeResources(resourceMap, rMap)
 			} else {
-				var namespaces []string
-				if len(rule.MatchResources.Namespaces) > 0 {
-					log.V(4).Info("namespaces included", "namespaces", rule.MatchResources.Namespaces)
-					namespaces = append(namespaces, rule.MatchResources.Namespaces...)
-				} else {
-					log.V(4).Info("processing all namespaces", "rule", rule.Name)
-					namespaces = getAllNamespaces(client, log)
-				}
-
+				namespaces := getNamespacesForRule(&rule, pc.nsInformer, pc.log)
 				for _, ns := range namespaces {
-					rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler, log)
-					mergeresources(resourceMap, rMap)
+					rMap := getResourcesPerNamespace(k, pc.client, ns, rule, pc.configHandler, pc.log)
+					mergeResources(resourceMap, rMap)
 				}
 			}
 		}
@@ -90,6 +84,70 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHa
 	return resourceMap
 }
 
+func getNamespacesForRule(rule *kyverno.Rule, nsInformer informers.NamespaceInformer, log logr.Logger) []string {
+	if len(rule.MatchResources.Namespaces) > 0 {
+		return getAllNamespaces(nsInformer, log)
+	}
+
+	var wildcards []string
+	var results []string
+	for _, nsName := range rule.MatchResources.Namespaces {
+		if hasWildcard(nsName) {
+			wildcards = append(wildcards, nsName)
+		}
+
+		results = append(results, nsName)
+	}
+
+	if len(wildcards) > 0 {
+		wildcardMatches := getMatchingNamespaces(wildcards, nsInformer, log)
+		results = append (results, wildcardMatches...)
+	}
+
+	return results
+}
+
+func hasWildcard(s string) bool {
+	if s == "" {
+		return false
+	}
+
+	return strings.Contains(s, "*") || strings.Contains(s, "?")
+}
+
+func getMatchingNamespaces(wildcards []string, nsInformer informers.NamespaceInformer, log logr.Logger) []string {
+	all := getAllNamespaces(nsInformer, log)
+	if len(all) == 0 {
+		return all
+	}
+
+	var results []string
+	for _, wc := range wildcards {
+		for _, ns := range all {
+			if wildcard.Match(wc, ns) {
+				results = append(results, ns)
+			}
+		}
+	}
+
+	return results
+}
+
+func getAllNamespaces(nsInformer informers.NamespaceInformer, log logr.Logger) []string {
+	var results []string
+	namespaces, err := nsInformer.Lister().List(labels.NewSelector())
+	if err != nil {
+		log.Error(err, "Failed to list namespaces")
+	}
+
+	for _, n := range namespaces {
+		name := n.GetName()
+		results = append(results, name)
+	}
+
+	return results
+}
+
 func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, configHandler config.Interface, log logr.Logger) map[string]unstructured.Unstructured {
 	resourceMap := map[string]unstructured.Unstructured{}
 	// merge include and exclude label selector values
@@ -243,27 +301,12 @@ const (
 )
 
 // merge b into a map
-func mergeresources(a, b map[string]unstructured.Unstructured) {
+func mergeResources(a, b map[string]unstructured.Unstructured) {
 	for k, v := range b {
 		a[k] = v
 	}
 }
 
-func getAllNamespaces(client *client.Client, log logr.Logger) []string {
-
-	var namespaces []string
-	// get all namespaces
-	nsList, err := client.ListResource("Namespace", "", nil)
-	if err != nil {
-		log.Error(err, "failed to list namespaces")
-		return namespaces
-	}
-	for _, ns := range nsList.Items {
-		namespaces = append(namespaces, ns.GetName())
-	}
-	return namespaces
-}
-
 //NewResourceManager returns a new ResourceManager
 func NewResourceManager(rebuildTime int64) *ResourceManager {
 	rm := ResourceManager{
diff --git a/pkg/policystatus/main.go b/pkg/policystatus/main.go
index 6e89d41b9b..34d849cc55 100644
--- a/pkg/policystatus/main.go
+++ b/pkg/policystatus/main.go
@@ -3,6 +3,7 @@ package policystatus
 import (
 	"encoding/json"
 	"fmt"
+	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	"sync"
 	"time"
 
@@ -35,10 +36,6 @@ type statusUpdater interface {
 	UpdateStatus(status v1.PolicyStatus) v1.PolicyStatus
 }
 
-type policyStore interface {
-	Get(policyName string) (*v1.ClusterPolicy, error)
-}
-
 type Listener chan statusUpdater
 
 func (l Listener) Send(s statusUpdater) {
@@ -53,7 +50,7 @@ type Sync struct {
 	cache       *cache
 	Listener    Listener
 	client      *versioned.Clientset
-	policyStore policyStore
+	lister kyvernolister.ClusterPolicyLister
 }
 
 type cache struct {
@@ -62,7 +59,7 @@ type cache struct {
 	keyToMutex *keyToMutex
 }
 
-func NewSync(c *versioned.Clientset, p policyStore) *Sync {
+func NewSync(c *versioned.Clientset, lister kyvernolister.ClusterPolicyLister) *Sync {
 	return &Sync{
 		cache: &cache{
 			dataMu:     sync.RWMutex{},
@@ -70,7 +67,7 @@ func NewSync(c *versioned.Clientset, p policyStore) *Sync {
 			keyToMutex: newKeyToMutex(),
 		},
 		client:      c,
-		policyStore: p,
+		lister: lister,
 		Listener:    make(chan statusUpdater, 20),
 	}
 }
@@ -96,7 +93,7 @@ func (s *Sync) updateStatusCache(stopCh <-chan struct{}) {
 			status, exist := s.cache.data[statusUpdater.PolicyName()]
 			s.cache.dataMu.RUnlock()
 			if !exist {
-				policy, _ := s.policyStore.Get(statusUpdater.PolicyName())
+				policy, _ := s.lister.Get(statusUpdater.PolicyName())
 				if policy != nil {
 					status = policy.Status
 				}
@@ -129,10 +126,11 @@ func (s *Sync) updatePolicyStatus() {
 	s.cache.dataMu.Unlock()
 
 	for policyName, status := range nameToStatus {
-		policy, err := s.policyStore.Get(policyName)
+		policy, err := s.lister.Get(policyName)
 		if err != nil {
 			continue
 		}
+
 		policy.Status = status
 		_, err = s.client.KyvernoV1().ClusterPolicies().UpdateStatus(policy)
 		if err != nil {
diff --git a/pkg/policystatus/status_test.go b/pkg/policystatus/status_test.go
index c36f1a5c0f..1f768c21e7 100644
--- a/pkg/policystatus/status_test.go
+++ b/pkg/policystatus/status_test.go
@@ -2,6 +2,8 @@ package policystatus
 
 import (
 	"encoding/json"
+	"fmt"
+	"k8s.io/apimachinery/pkg/labels"
 	"testing"
 	"time"
 
@@ -27,11 +29,35 @@ func (d dummyStatusUpdater) PolicyName() string {
 	return "policy1"
 }
 
+
+type dummyLister struct {
+}
+
+func (dl dummyLister) List(selector labels.Selector) (ret []*v1.ClusterPolicy, err error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+func (dl dummyLister) Get(name string) (*v1.ClusterPolicy, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+func (dl dummyLister) GetPolicyForPolicyViolation(pv *v1.ClusterPolicyViolation) ([]*v1.ClusterPolicy, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+func (dl dummyLister) GetPolicyForNamespacedPolicyViolation(pv *v1.PolicyViolation) ([]*v1.ClusterPolicy, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+func (dl dummyLister) ListResources(selector labels.Selector) (ret []*v1.ClusterPolicy, err error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
 func TestKeyToMutex(t *testing.T) {
 	expectedCache := `{"policy1":{"rulesAppliedCount":100}}`
 
 	stopCh := make(chan struct{})
-	s := NewSync(nil, dummyStore{})
+	s := NewSync(nil, dummyLister{})
 	for i := 0; i < 100; i++ {
 		go s.updateStatusCache(stopCh)
 	}
diff --git a/pkg/policystore/policystore.go b/pkg/policystore/policystore.go
deleted file mode 100644
index 0ecfd5ea32..0000000000
--- a/pkg/policystore/policystore.go
+++ /dev/null
@@ -1,168 +0,0 @@
-package policystore
-
-import (
-	"sync"
-
-	"github.com/go-logr/logr"
-	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
-	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
-	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/client-go/tools/cache"
-)
-
-type policyMap map[string]interface{}
-type namespaceMap map[string]policyMap
-type kindMap map[string]namespaceMap
-
-//PolicyStore Store the meta-data information to faster lookup policies
-type PolicyStore struct {
-	data map[string]namespaceMap
-	mu   sync.RWMutex
-	// list/get cluster policy
-	pLister kyvernolister.ClusterPolicyLister
-	// returns true if the cluster policy store has been synced at least once
-	pSynched cache.InformerSynced
-	log      logr.Logger
-}
-
-//UpdateInterface provides api to update policies
-type UpdateInterface interface {
-	// Register a new policy
-	Register(policy kyverno.ClusterPolicy)
-	// Remove policy information
-	UnRegister(policy kyverno.ClusterPolicy) error
-}
-
-//LookupInterface provides api to lookup policies
-type LookupInterface interface {
-	ListAll() ([]kyverno.ClusterPolicy, error)
-}
-
-// NewPolicyStore returns a new policy store
-func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer,
-	log logr.Logger) *PolicyStore {
-	ps := PolicyStore{
-		data:     make(kindMap),
-		pLister:  pInformer.Lister(),
-		pSynched: pInformer.Informer().HasSynced,
-		log:      log,
-	}
-	return &ps
-}
-
-//Run checks syncing
-func (ps *PolicyStore) Run(stopCh <-chan struct{}) {
-	logger := ps.log
-	if !cache.WaitForCacheSync(stopCh, ps.pSynched) {
-		logger.Info("failed to sync informer cache")
-	}
-}
-
-//Register a new policy
-func (ps *PolicyStore) Register(policy kyverno.ClusterPolicy) {
-	logger := ps.log
-	logger.V(4).Info("adding policy", "name", policy.Name)
-	ps.mu.Lock()
-	defer ps.mu.Unlock()
-	var pmap policyMap
-	// add an entry for each rule in policy
-	for _, rule := range policy.Spec.Rules {
-		//		rule.MatchResources.Kinds - List - mandatory - atleast on entry
-		for _, kind := range rule.MatchResources.Kinds {
-			kindMap := ps.addKind(kind)
-			// namespaces
-			if len(rule.MatchResources.Namespaces) == 0 {
-				// all namespaces - *
-				pmap = addNamespace(kindMap, "*")
-			} else {
-				for _, ns := range rule.MatchResources.Namespaces {
-					pmap = addNamespace(kindMap, ns)
-				}
-			}
-			// add policy to the pmap
-			addPolicyElement(pmap, policy.Name)
-		}
-	}
-}
-
-func (ps *PolicyStore) ListAll() ([]kyverno.ClusterPolicy, error) {
-	policyPointers, err := ps.pLister.List(labels.NewSelector())
-	if err != nil {
-		return nil, err
-	}
-
-	var policies = make([]kyverno.ClusterPolicy, 0, len(policyPointers))
-	for _, policy := range policyPointers {
-		policies = append(policies, *policy)
-	}
-
-	return policies, nil
-}
-
-func (ps *PolicyStore) Get(policyName string) (*kyverno.ClusterPolicy, error) {
-	return ps.pLister.Get(policyName)
-}
-
-//UnRegister Remove policy information
-func (ps *PolicyStore) UnRegister(policy kyverno.ClusterPolicy) error {
-	ps.mu.Lock()
-	defer ps.mu.Unlock()
-	for _, rule := range policy.Spec.Rules {
-		for _, kind := range rule.MatchResources.Kinds {
-			// get kind Map
-			kindMap := ps.getKind(kind)
-			if kindMap == nil {
-				// kind does not exist
-				return nil
-			}
-			if len(rule.MatchResources.Namespaces) == 0 {
-				namespace := "*"
-				pmap := getNamespace(kindMap, namespace)
-				// remove element
-				delete(pmap, policy.Name)
-			} else {
-				for _, ns := range rule.MatchResources.Namespaces {
-					pmap := getNamespace(kindMap, ns)
-					// remove element
-					delete(pmap, policy.Name)
-				}
-			}
-		}
-	}
-	return nil
-}
-
-func (ps *PolicyStore) addKind(kind string) namespaceMap {
-	val, ok := ps.data[kind]
-	if ok {
-		return val
-	}
-	ps.data[kind] = make(namespaceMap)
-	return ps.data[kind]
-}
-
-func (ps *PolicyStore) getKind(kind string) namespaceMap {
-	return ps.data[kind]
-}
-
-func addNamespace(kindMap map[string]policyMap, namespace string) policyMap {
-	val, ok := kindMap[namespace]
-	if ok {
-		return val
-	}
-	kindMap[namespace] = make(policyMap)
-	return kindMap[namespace]
-}
-
-func getNamespace(kindMap map[string]policyMap, namespace string) policyMap {
-	return kindMap[namespace]
-}
-
-func addPolicyElement(pmap policyMap, name string) {
-	var emptyInterface interface{}
-
-	if _, ok := pmap[name]; !ok {
-		pmap[name] = emptyInterface
-	}
-}
diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go
index 6ca1ed583a..33e58656ac 100644
--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@@ -161,7 +161,7 @@ func runTestCase(t *testing.T, tc scaseT) bool {
 			er = engine.Generate(policyContext)
 			t.Log(("---Generation---"))
 			validateResponse(t, er.PolicyResponse, tc.Expected.Generation.PolicyResponse)
-			// Expected generate resource will be in same namesapces as resource
+			// Expected generate resource will be in same namespaces as resource
 			validateGeneratedResources(t, client, *policy, resource.GetName(), tc.Expected.Generation.GeneratedResources)
 		}
 	}
@@ -196,7 +196,7 @@ func validateResource(t *testing.T, responseResource unstructured.Unstructured,
 	// load expected resource
 	expectedResource := loadPolicyResource(t, expectedResourceFile)
 	if expectedResource == nil {
-		t.Log("failed to get the expected resource")
+		t.Logf("failed to get the expected resource: %s", expectedResourceFile)
 		return
 	}
 
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 6e13f58ded..163c34cf13 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -137,3 +137,7 @@ func Test_known_ingress(t *testing.T) {
 func Test_unknown_ingress(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/more/unknown_ingress_class.yaml")
 }
+
+func Test_mutate_pod_spec(t *testing.T) {
+	testScenario(t, "test/scenarios/other/scenario_mutate_pod_spec.yaml")
+}
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index 8eda6c69c3..3bdbb569df 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -115,7 +115,7 @@ func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger)
 	return resource
 }
 
-func containRBACinfo(policies []kyverno.ClusterPolicy) bool {
+func containRBACinfo(policies []*kyverno.ClusterPolicy) bool {
 	for _, policy := range policies {
 		for _, rule := range policy.Spec.Rules {
 			if len(rule.MatchResources.Roles) > 0 || len(rule.MatchResources.ClusterRoles) > 0 || len(rule.ExcludeResources.Roles) > 0 || len(rule.ExcludeResources.ClusterRoles) > 0 {
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 912349ebf8..7ea5c96780 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -16,7 +16,7 @@ import (
 )
 
 //HandleGenerate handles admission-requests for policies with generate rules
-func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, ctx *context.Context, userRequestInfo kyverno.RequestInfo) (bool, string) {
+func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []*kyverno.ClusterPolicy, ctx *context.Context, userRequestInfo kyverno.RequestInfo) (bool, string) {
 	logger := ws.log.WithValues("action", "generation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	logger.V(4).Info("incoming request")
 	var engineResponses []response.EngineResponse
@@ -39,7 +39,7 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 
 	// engine.Generate returns a list of rules that are applicable on this resource
 	for _, policy := range policies {
-		policyContext.Policy = policy
+		policyContext.Policy = *policy
 		engineResponse := engine.Generate(policyContext)
 		if len(engineResponse.PolicyResponse.Rules) > 0 {
 			// some generate rules do apply to the resource
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index d3155d2b74..ace0c41e5f 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -21,7 +21,7 @@ import (
 func (ws *WebhookServer) HandleMutation(
 	request *v1beta1.AdmissionRequest,
 	resource unstructured.Unstructured,
-	policies []kyverno.ClusterPolicy,
+	policies []*kyverno.ClusterPolicy,
 	ctx *context.Context,
 	userRequestInfo kyverno.RequestInfo) []byte {
 
@@ -43,7 +43,7 @@ func (ws *WebhookServer) HandleMutation(
 	for _, policy := range policies {
 		logger.V(3).Info("evaluating policy", "policy", policy.Name)
 
-		policyContext.Policy = policy
+		policyContext.Policy = *policy
 		engineResponse := engine.Mutate(policyContext)
 
 		engineResponses = append(engineResponses, engineResponse)
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 65794956bc..03ab8b5863 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"k8s.io/apimachinery/pkg/labels"
 	"net/http"
 	"time"
 
@@ -23,7 +24,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/openapi"
 	"github.com/nirmata/kyverno/pkg/policystatus"
-	"github.com/nirmata/kyverno/pkg/policystore"
 	"github.com/nirmata/kyverno/pkg/policyviolation"
 	tlsutils "github.com/nirmata/kyverno/pkg/tls"
 	userinfo "github.com/nirmata/kyverno/pkg/userinfo"
@@ -42,36 +42,49 @@ type WebhookServer struct {
 	server        http.Server
 	client        *client.Client
 	kyvernoClient *kyvernoclient.Clientset
+
 	// list/get cluster policy resource
 	pLister kyvernolister.ClusterPolicyLister
+
 	// returns true if the cluster policy store has synced atleast
 	pSynced cache.InformerSynced
+
 	// list/get role binding resource
 	rbLister rbaclister.RoleBindingLister
+
 	// return true if role bining store has synced atleast once
 	rbSynced cache.InformerSynced
+
 	// list/get cluster role binding resource
 	crbLister rbaclister.ClusterRoleBindingLister
+
 	// return true if cluster role binding store has synced atleast once
 	crbSynced cache.InformerSynced
+
 	// generate events
 	eventGen event.Interface
+
 	// webhook registration client
 	webhookRegistrationClient *webhookconfig.WebhookRegistrationClient
+
 	// API to send policy stats for aggregation
 	statusListener policystatus.Listener
+
 	// helpers to validate against current loaded configuration
 	configHandler config.Interface
+
 	// channel for cleanup notification
 	cleanUp chan<- struct{}
+
 	// last request time
 	lastReqTime *checker.LastReqTime
-	// store to hold policy meta data for faster lookup
-	pMetaStore policystore.LookupInterface
+
 	// policy violation generator
 	pvGenerator policyviolation.GeneratorInterface
+
 	// generate request generator
 	grGenerator            *generate.Generator
+
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
 	log                    logr.Logger
 	openAPIController      *openapi.Controller
@@ -90,7 +103,6 @@ func NewWebhookServer(
 	webhookRegistrationClient *webhookconfig.WebhookRegistrationClient,
 	statusSync policystatus.Listener,
 	configHandler config.Interface,
-	pMetaStore policystore.LookupInterface,
 	pvGenerator policyviolation.GeneratorInterface,
 	grGenerator *generate.Generator,
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
@@ -126,7 +138,6 @@ func NewWebhookServer(
 		cleanUp:                   cleanUp,
 		lastReqTime:               resourceWebhookWatcher.LastReqTime,
 		pvGenerator:               pvGenerator,
-		pMetaStore:                pMetaStore,
 		grGenerator:               grGenerator,
 		resourceWebhookWatcher:    resourceWebhookWatcher,
 		log:                       log,
@@ -208,7 +219,7 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 	}
 
 	logger := ws.log.WithName("resourceMutation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
-	policies, err := ws.pMetaStore.ListAll()
+	policies, err := ws.pLister.ListResources(labels.NewSelector())
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
 		logger.Error(err, "failed to list policies. Policies are NOT being applied")
@@ -355,7 +366,7 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		}
 	}
 
-	policies, err := ws.pMetaStore.ListAll()
+	policies, err := ws.pLister.ListResources(labels.NewSelector())
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
 		logger.Error(err, "failed to list policies. Policies are NOT being applied")
@@ -369,7 +380,7 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request)
 		if err != nil {
 			// TODO(shuting): continue apply policy if error getting roleRef?
-			logger.Error(err, "failed to get RBAC infromation for request")
+			logger.Error(err, "failed to get RBAC information for request")
 		}
 	}
 
@@ -482,18 +493,19 @@ func (ws *WebhookServer) Stop(ctx context.Context) {
 // Answers to the http.ResponseWriter if request is not valid
 func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview {
 	logger := ws.log
-	var body []byte
-	if request.Body != nil {
-		if data, err := ioutil.ReadAll(request.Body); err == nil {
-			body = data
-		}
-	}
-	if len(body) == 0 {
-		logger.Info("empty body")
+	if request.Body == nil {
+		logger.Info("empty body", "req", request.URL.String())
 		http.Error(writer, "empty body", http.StatusBadRequest)
 		return nil
 	}
 
+	defer request.Body.Close()
+	body, err := ioutil.ReadAll(request.Body)
+	if err != nil {
+		logger.Info("failed to read HTTP body", "req", request.URL.String())
+		http.Error(writer, "failed to read HTTP body", http.StatusBadRequest)
+	}
+
 	contentType := request.Header.Get("Content-Type")
 	if contentType != "application/json" {
 		logger.Info("invalid Content-Type", "contextType", contentType)
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index 6bd9ed1d25..6d38fba2dc 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -23,7 +23,7 @@ import (
 // patchedResource is the (resource + patches) after applying mutation rules
 func (ws *WebhookServer) HandleValidation(
 	request *v1beta1.AdmissionRequest,
-	policies []kyverno.ClusterPolicy,
+	policies []*kyverno.ClusterPolicy,
 	patchedResource []byte,
 	ctx *context.Context,
 	userRequestInfo kyverno.RequestInfo) (bool, string) {
@@ -64,7 +64,7 @@ func (ws *WebhookServer) HandleValidation(
 	var engineResponses []response.EngineResponse
 	for _, policy := range policies {
 		logger.V(3).Info("evaluating policy", "policy", policy.Name)
-		policyContext.Policy = policy
+		policyContext.Policy = *policy
 		engineResponse := engine.Validate(policyContext)
 		if reflect.DeepEqual(engineResponse, response.EngineResponse{}) {
 			// we get an empty response if old and new resources created the same response
diff --git a/test/output/output_mutate_pod_spec.yaml b/test/output/output_mutate_pod_spec.yaml
new file mode 100644
index 0000000000..cfca34f4e5
--- /dev/null
+++ b/test/output/output_mutate_pod_spec.yaml
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+  namespace: test-foo-aaaaaaaaa-bbbbbbbb
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      enableServiceLinks: false
+      automountServiceAccountToken: false
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          ports:
+            - containerPort: 80
diff --git a/test/policy/mutate/policy_mutate_pod_spec.yaml b/test/policy/mutate/policy_mutate_pod_spec.yaml
new file mode 100644
index 0000000000..6b6f2df995
--- /dev/null
+++ b/test/policy/mutate/policy_mutate_pod_spec.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: mutate-pods-spec
+spec:
+  rules:
+    - name: "disable-servicelink-and-token"
+      match:
+        resources:
+          kinds:
+            - DaemonSet
+            - Deployment
+            - Job
+            - StatefulSet
+          namespaces:
+            - test-foo-*
+      mutate:
+        overlay:
+          spec:
+            template:
+              spec:
+                automountServiceAccountToken: false
+                enableServiceLinks: false
diff --git a/test/resources/resource_mutate_pod_spec.yaml b/test/resources/resource_mutate_pod_spec.yaml
new file mode 100644
index 0000000000..575783f089
--- /dev/null
+++ b/test/resources/resource_mutate_pod_spec.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+  namespace: test-foo-aaaaaaaaa-bbbbbbbb
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          ports:
+            - containerPort: 80
diff --git a/test/scenarios/other/scenario_mutate_pod_spec.yaml b/test/scenarios/other/scenario_mutate_pod_spec.yaml
new file mode 100644
index 0000000000..84e20738ce
--- /dev/null
+++ b/test/scenarios/other/scenario_mutate_pod_spec.yaml
@@ -0,0 +1,19 @@
+# file path relative to project root
+input:
+  policy: test/policy/mutate/policy_mutate_pod_spec.yaml
+  resource: test/resources/resource_mutate_pod_spec.yaml
+expected:
+  mutation:
+    patchedresource: test/output/output_mutate_pod_spec.yaml
+    policyresponse:
+      policy: mutate-pods-spec
+      resource:
+        kind: Deployment
+        apiVersion: apps/v1
+        namespace: test-foo-aaaaaaaaa-bbbbbbbb
+        name: nginx-deployment
+      rules:
+        - name: disable-servicelink-and-token
+          type: Mutation
+          success: true
+          message: successfully processed overlay
\ No newline at end of file

From fd0e96b55133322f1c371e281759a9297d81f020 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 26 May 2020 13:56:07 -0700
Subject: [PATCH 187/201] - fix violations re-create on the same resource -
 skip background processing if a resource is to be deleted

---
 pkg/policy/apply.go                 | 46 ++++++++++++++++++++++-------
 pkg/policy/existing.go              |  4 +++
 pkg/policyviolation/clusterpv.go    | 11 ++++++-
 pkg/policyviolation/common.go       | 14 +++++++--
 pkg/policyviolation/namespacedpv.go | 11 ++++++-
 5 files changed, 72 insertions(+), 14 deletions(-)

diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index 6ec7666c70..9387401d4c 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -32,7 +32,7 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	}()
 
 	var engineResponses []response.EngineResponse
-	var engineResponse response.EngineResponse
+	var engineResponseMutation, engineResponseValidation response.EngineResponse
 	var err error
 	// build context
 	ctx := context.NewContext()
@@ -41,15 +41,14 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 		logger.Error(err, "enable to add transform resource to ctx")
 	}
 	//MUTATION
-	engineResponse, err = mutation(policy, resource, ctx, logger)
-	engineResponses = append(engineResponses, engineResponse)
+	engineResponseMutation, err = mutation(policy, resource, ctx, logger)
 	if err != nil {
 		logger.Error(err, "failed to process mutation rule")
 	}
 
 	//VALIDATION
-	engineResponse = engine.Validate(engine.PolicyContext{Policy: policy, Context: ctx, NewResource: resource})
-	engineResponses = append(engineResponses, engineResponse)
+	engineResponseValidation = engine.Validate(engine.PolicyContext{Policy: policy, Context: ctx, NewResource: resource})
+	engineResponses = append(engineResponses, mergeRuleRespose(engineResponseMutation, engineResponseValidation))
 
 	//TODO: GENERATION
 	return engineResponses
@@ -81,27 +80,31 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
 	// resource does not match so there was a mutation rule violated
 	for index, rule := range engineResponse.PolicyResponse.Rules {
 		log.V(4).Info("veriying if policy rule was applied before", "rule", rule.Name)
-		if len(rule.Patches) == 0 {
+
+		patches := dropKyvernoAnnotation(rule.Patches, log)
+		if len(patches) == 0 {
 			continue
 		}
-		patch, err := jsonpatch.DecodePatch(utils.JoinPatches(rule.Patches))
+
+		patch, err := jsonpatch.DecodePatch(utils.JoinPatches(patches))
 		if err != nil {
-			log.Error(err, "failed to decode JSON patch", "patches", rule.Patches)
+			log.Error(err, "failed to decode JSON patch", "patches", patches)
 			return response.EngineResponse{}, err
 		}
 
 		// apply the patches returned by mutate to the original resource
 		patchedResource, err := patch.Apply(rawResource)
 		if err != nil {
-			log.Error(err, "failed to apply JSON patch", "patches", rule.Patches)
+			log.Error(err, "failed to apply JSON patch", "patches", patches)
 			return response.EngineResponse{}, err
 		}
 		if !jsonpatch.Equal(patchedResource, rawResource) {
 			log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name)
 			engineResponse.PolicyResponse.Rules[index].Success = false
-			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(rule.Patches, log))
+			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(patches, log))
 		}
 	}
+
 	return engineResponse, nil
 }
 
@@ -125,3 +128,26 @@ func extractPatchPath(patches [][]byte, log logr.Logger) string {
 	}
 	return strings.Join(resultPath, ";")
 }
+
+func dropKyvernoAnnotation(patches [][]byte, log logr.Logger) (resultPathes [][]byte) {
+	for _, patch := range patches {
+		var data jsonPatch
+		if err := json.Unmarshal(patch, &data); err != nil {
+			log.Error(err, "failed to decode the generate patch", "patch", string(patch))
+			continue
+		}
+
+		value := fmt.Sprintf("%v", data.Value)
+		if strings.Contains(value, engine.PodTemplateAnnotation) {
+			continue
+		}
+
+		resultPathes = append(resultPathes, patch)
+	}
+	return
+}
+
+func mergeRuleRespose(mutation, validation response.EngineResponse) response.EngineResponse {
+	mutation.PolicyResponse.Rules = append(mutation.PolicyResponse.Rules, validation.PolicyResponse.Rules...)
+	return mutation
+}
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index 75e7dfcbe4..13f3f8259d 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -109,6 +109,10 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 	}
 	// filter based on name
 	for _, r := range list.Items {
+		if r.GetDeletionTimestamp() != nil {
+			continue
+		}
+
 		// match name
 		if rule.MatchResources.Name != "" {
 			if !wildcard.Match(rule.MatchResources.Name, r.GetName()) {
diff --git a/pkg/policyviolation/clusterpv.go b/pkg/policyviolation/clusterpv.go
index 4cb26ea216..8fe4920cd2 100644
--- a/pkg/policyviolation/clusterpv.go
+++ b/pkg/policyviolation/clusterpv.go
@@ -93,8 +93,17 @@ func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
 	}
+
+	if obj.GetDeletionTimestamp() != nil {
+		return nil
+	}
+
 	// set owner reference to resource
-	ownerRef := createOwnerReference(obj)
+	ownerRef, ok := createOwnerReference(obj)
+	if !ok {
+		return nil
+	}
+
 	newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef})
 
 	// create resource
diff --git a/pkg/policyviolation/common.go b/pkg/policyviolation/common.go
index e2211edb13..e8e77308a7 100644
--- a/pkg/policyviolation/common.go
+++ b/pkg/policyviolation/common.go
@@ -14,9 +14,19 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerReference {
+func createOwnerReference(resource *unstructured.Unstructured) (metav1.OwnerReference, bool) {
 	controllerFlag := true
 	blockOwnerDeletionFlag := true
+
+	apiversion := resource.GetAPIVersion()
+	kind := resource.GetKind()
+	name := resource.GetName()
+	uid := resource.GetUID()
+
+	if apiversion == "" || kind == "" || name == "" || uid == "" {
+		return metav1.OwnerReference{}, false
+	}
+
 	ownerRef := metav1.OwnerReference{
 		APIVersion:         resource.GetAPIVersion(),
 		Kind:               resource.GetKind(),
@@ -25,7 +35,7 @@ func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerRefer
 		Controller:         &controllerFlag,
 		BlockOwnerDeletion: &blockOwnerDeletionFlag,
 	}
-	return ownerRef
+	return ownerRef, true
 }
 
 func retryGetResource(client *client.Client, rspec kyverno.ResourceSpec) (*unstructured.Unstructured, error) {
diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index 3b0202c6df..ba061defce 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -92,8 +92,17 @@ func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
 	}
+
+	if obj.GetDeletionTimestamp() != nil {
+		return nil
+	}
+
 	// set owner reference to resource
-	ownerRef := createOwnerReference(obj)
+	ownerRef, ok := createOwnerReference(obj)
+	if !ok {
+		return nil
+	}
+
 	newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef})
 
 	// create resource

From cca14517518cdaa866509e8e8fa2137085bf7924 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 26 May 2020 14:52:49 -0700
Subject: [PATCH 188/201] suppress violation on evicted pod

---
 pkg/policyviolation/namespacedpv.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index ba061defce..10b007fae1 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -11,6 +11,7 @@ import (
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/policystatus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	unstructedv1 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 //NamespacedPV ...
@@ -97,6 +98,12 @@ func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 		return nil
 	}
 
+	if newPv.Spec.ResourceSpec.Kind == "Pod" {
+		if isEvictedPod(obj.Object) {
+			return nil
+		}
+	}
+
 	// set owner reference to resource
 	ownerRef, ok := createOwnerReference(obj)
 	if !ok {
@@ -142,3 +149,12 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
 	logger.Info("namespaced policy violation created")
 	return nil
 }
+
+func isEvictedPod(pod map[string]interface{}) bool {
+	reason, ok, _ := unstructedv1.NestedString(pod, "status", "reason")
+	if !ok {
+		return false
+	}
+
+	return reason == "Evicted"
+}

From 7ea2930fa4a5cf8578be7e3a783ef24e64ca5ad9 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 26 May 2020 13:56:07 -0700
Subject: [PATCH 189/201] - fix violations re-create on the same resource -
 skip background processing if a resource is to be deleted

---
 pkg/policy/apply.go                 | 46 ++++++++++++++++++++++-------
 pkg/policy/existing.go              |  4 +++
 pkg/policyviolation/clusterpv.go    | 11 ++++++-
 pkg/policyviolation/common.go       | 14 +++++++--
 pkg/policyviolation/namespacedpv.go | 11 ++++++-
 5 files changed, 72 insertions(+), 14 deletions(-)

diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index 6ec7666c70..9387401d4c 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -32,7 +32,7 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	}()
 
 	var engineResponses []response.EngineResponse
-	var engineResponse response.EngineResponse
+	var engineResponseMutation, engineResponseValidation response.EngineResponse
 	var err error
 	// build context
 	ctx := context.NewContext()
@@ -41,15 +41,14 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 		logger.Error(err, "enable to add transform resource to ctx")
 	}
 	//MUTATION
-	engineResponse, err = mutation(policy, resource, ctx, logger)
-	engineResponses = append(engineResponses, engineResponse)
+	engineResponseMutation, err = mutation(policy, resource, ctx, logger)
 	if err != nil {
 		logger.Error(err, "failed to process mutation rule")
 	}
 
 	//VALIDATION
-	engineResponse = engine.Validate(engine.PolicyContext{Policy: policy, Context: ctx, NewResource: resource})
-	engineResponses = append(engineResponses, engineResponse)
+	engineResponseValidation = engine.Validate(engine.PolicyContext{Policy: policy, Context: ctx, NewResource: resource})
+	engineResponses = append(engineResponses, mergeRuleRespose(engineResponseMutation, engineResponseValidation))
 
 	//TODO: GENERATION
 	return engineResponses
@@ -81,27 +80,31 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
 	// resource does not match so there was a mutation rule violated
 	for index, rule := range engineResponse.PolicyResponse.Rules {
 		log.V(4).Info("veriying if policy rule was applied before", "rule", rule.Name)
-		if len(rule.Patches) == 0 {
+
+		patches := dropKyvernoAnnotation(rule.Patches, log)
+		if len(patches) == 0 {
 			continue
 		}
-		patch, err := jsonpatch.DecodePatch(utils.JoinPatches(rule.Patches))
+
+		patch, err := jsonpatch.DecodePatch(utils.JoinPatches(patches))
 		if err != nil {
-			log.Error(err, "failed to decode JSON patch", "patches", rule.Patches)
+			log.Error(err, "failed to decode JSON patch", "patches", patches)
 			return response.EngineResponse{}, err
 		}
 
 		// apply the patches returned by mutate to the original resource
 		patchedResource, err := patch.Apply(rawResource)
 		if err != nil {
-			log.Error(err, "failed to apply JSON patch", "patches", rule.Patches)
+			log.Error(err, "failed to apply JSON patch", "patches", patches)
 			return response.EngineResponse{}, err
 		}
 		if !jsonpatch.Equal(patchedResource, rawResource) {
 			log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name)
 			engineResponse.PolicyResponse.Rules[index].Success = false
-			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(rule.Patches, log))
+			engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(patches, log))
 		}
 	}
+
 	return engineResponse, nil
 }
 
@@ -125,3 +128,26 @@ func extractPatchPath(patches [][]byte, log logr.Logger) string {
 	}
 	return strings.Join(resultPath, ";")
 }
+
+func dropKyvernoAnnotation(patches [][]byte, log logr.Logger) (resultPathes [][]byte) {
+	for _, patch := range patches {
+		var data jsonPatch
+		if err := json.Unmarshal(patch, &data); err != nil {
+			log.Error(err, "failed to decode the generate patch", "patch", string(patch))
+			continue
+		}
+
+		value := fmt.Sprintf("%v", data.Value)
+		if strings.Contains(value, engine.PodTemplateAnnotation) {
+			continue
+		}
+
+		resultPathes = append(resultPathes, patch)
+	}
+	return
+}
+
+func mergeRuleRespose(mutation, validation response.EngineResponse) response.EngineResponse {
+	mutation.PolicyResponse.Rules = append(mutation.PolicyResponse.Rules, validation.PolicyResponse.Rules...)
+	return mutation
+}
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index fdef1bb34c..6153dbeba2 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -167,6 +167,10 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 	}
 	// filter based on name
 	for _, r := range list.Items {
+		if r.GetDeletionTimestamp() != nil {
+			continue
+		}
+
 		// match name
 		if rule.MatchResources.Name != "" {
 			if !wildcard.Match(rule.MatchResources.Name, r.GetName()) {
diff --git a/pkg/policyviolation/clusterpv.go b/pkg/policyviolation/clusterpv.go
index 4cb26ea216..8fe4920cd2 100644
--- a/pkg/policyviolation/clusterpv.go
+++ b/pkg/policyviolation/clusterpv.go
@@ -93,8 +93,17 @@ func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
 	}
+
+	if obj.GetDeletionTimestamp() != nil {
+		return nil
+	}
+
 	// set owner reference to resource
-	ownerRef := createOwnerReference(obj)
+	ownerRef, ok := createOwnerReference(obj)
+	if !ok {
+		return nil
+	}
+
 	newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef})
 
 	// create resource
diff --git a/pkg/policyviolation/common.go b/pkg/policyviolation/common.go
index e2211edb13..e8e77308a7 100644
--- a/pkg/policyviolation/common.go
+++ b/pkg/policyviolation/common.go
@@ -14,9 +14,19 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerReference {
+func createOwnerReference(resource *unstructured.Unstructured) (metav1.OwnerReference, bool) {
 	controllerFlag := true
 	blockOwnerDeletionFlag := true
+
+	apiversion := resource.GetAPIVersion()
+	kind := resource.GetKind()
+	name := resource.GetName()
+	uid := resource.GetUID()
+
+	if apiversion == "" || kind == "" || name == "" || uid == "" {
+		return metav1.OwnerReference{}, false
+	}
+
 	ownerRef := metav1.OwnerReference{
 		APIVersion:         resource.GetAPIVersion(),
 		Kind:               resource.GetKind(),
@@ -25,7 +35,7 @@ func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerRefer
 		Controller:         &controllerFlag,
 		BlockOwnerDeletion: &blockOwnerDeletionFlag,
 	}
-	return ownerRef
+	return ownerRef, true
 }
 
 func retryGetResource(client *client.Client, rspec kyverno.ResourceSpec) (*unstructured.Unstructured, error) {
diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index 3b0202c6df..ba061defce 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -92,8 +92,17 @@ func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
 	}
+
+	if obj.GetDeletionTimestamp() != nil {
+		return nil
+	}
+
 	// set owner reference to resource
-	ownerRef := createOwnerReference(obj)
+	ownerRef, ok := createOwnerReference(obj)
+	if !ok {
+		return nil
+	}
+
 	newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef})
 
 	// create resource

From a251bda1dd522100a67df85ac58af2f5c41e41a3 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 26 May 2020 14:52:49 -0700
Subject: [PATCH 190/201] suppress violation on evicted pod

---
 pkg/policyviolation/namespacedpv.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index ba061defce..10b007fae1 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -11,6 +11,7 @@ import (
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/policystatus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	unstructedv1 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 //NamespacedPV ...
@@ -97,6 +98,12 @@ func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 		return nil
 	}
 
+	if newPv.Spec.ResourceSpec.Kind == "Pod" {
+		if isEvictedPod(obj.Object) {
+			return nil
+		}
+	}
+
 	// set owner reference to resource
 	ownerRef, ok := createOwnerReference(obj)
 	if !ok {
@@ -142,3 +149,12 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
 	logger.Info("namespaced policy violation created")
 	return nil
 }
+
+func isEvictedPod(pod map[string]interface{}) bool {
+	reason, ok, _ := unstructedv1.NestedString(pod, "status", "reason")
+	if !ok {
+		return false
+	}
+
+	return reason == "Evicted"
+}

From 913f12ff9d7adc0a229732bccbbf115a2850c701 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 26 May 2020 17:18:42 -0700
Subject: [PATCH 191/201] set ownerReference in pv update

---
 pkg/policyviolation/clusterpv.go    | 3 ++-
 pkg/policyviolation/namespacedpv.go | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkg/policyviolation/clusterpv.go b/pkg/policyviolation/clusterpv.go
index 8fe4920cd2..fedf568863 100644
--- a/pkg/policyviolation/clusterpv.go
+++ b/pkg/policyviolation/clusterpv.go
@@ -132,13 +132,14 @@ func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) err
 	// set name
 	newPv.SetName(oldPv.Name)
 	newPv.SetResourceVersion(oldPv.ResourceVersion)
+	newPv.SetOwnerReferences(oldPv.GetOwnerReferences())
 
 	// update resource
 	_, err = cpv.kyvernoInterface.ClusterPolicyViolations().Update(newPv)
 	if err != nil {
 		return fmt.Errorf("failed to update cluster policy violation: %v", err)
 	}
-	logger.Info("cluster policy violation created")
+	logger.Info("cluster policy violation updated")
 
 	if newPv.Annotations["fromSync"] != "true" {
 		cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index 10b007fae1..db13e33ff9 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -137,6 +137,7 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
 	// set name
 	newPv.SetName(oldPv.Name)
 	newPv.SetResourceVersion(oldPv.ResourceVersion)
+	newPv.SetOwnerReferences(oldPv.GetOwnerReferences())
 	// update resource
 	_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Update(newPv)
 	if err != nil {
@@ -146,7 +147,7 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
 	if newPv.Annotations["fromSync"] != "true" {
 		nspv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
 	}
-	logger.Info("namespaced policy violation created")
+	logger.Info("namespaced policy violation updated")
 	return nil
 }
 

From 74db840b2540538502070f0479237589c940e2f3 Mon Sep 17 00:00:00 2001
From: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Date: Wed, 27 May 2020 06:33:32 +0530
Subject: [PATCH 192/201] Added readiness and liveness prob  (#874)

* Added readiness and liveness prob

* typo fix

* port number fixed

* fixed the image name
---
 charts/kyverno/values.yaml | 36 ++++++++++++++++++------------------
 definitions/install.yaml   | 20 ++++++++++++++++++++
 pkg/config/config.go       |  4 ++++
 pkg/webhooks/server.go     | 16 ++++++++++++++++
 4 files changed, 58 insertions(+), 18 deletions(-)

diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index d223c2105a..887e5903cc 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -53,29 +53,29 @@ resources:
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
 ##
 livenessProbe:
-#   httpGet:
-#     path: /healthz
-#     port: https
-#     scheme: HTTPS
-#   initialDelaySeconds: 10
-#   periodSeconds: 10
-#   timeoutSeconds: 5
-#   failureThreshold: 2
-#   successThreshold: 1
+  httpGet:
+    path: /health/liveness
+    port: 443
+    scheme: HTTPS
+  initialDelaySeconds: 10
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 2
+  successThreshold: 1
 
 ## Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
 ##
 readinessProbe:
-#   httpGet:
-#     path: /healthz
-#     port: https
-#     scheme: HTTPS
-#   initialDelaySeconds: 5
-#   periodSeconds: 10
-#   timeoutSeconds: 5
-#   failureThreshold: 6
-#   successThreshold: 1
+  httpGet:
+    path: /health/readiness
+    port: 443
+    scheme: HTTPS
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
 
 # TODO(mbarrien): Should we just list all resources for the
 # generatecontroller in here rather than having defaults hard-coded?
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 51f598071e..270a5064b3 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -750,3 +750,23 @@ spec:
               cpu: "100m"
             limits:
               memory: "128Mi"
+          livenessProbe:
+            httpGet:
+              path: /health/liveness
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 4
+            successThreshold: 1
+          readinessProbe:
+            httpGet:
+              path: /health/readiness
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 4
+            successThreshold: 1
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 2d6ccdcb68..7fced60350 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -70,6 +70,10 @@ var (
 	PolicyMutatingWebhookServicePath = "/policymutate"
 	//VerifyMutatingWebhookServicePath is the path for verify webhook(used to veryfing if admission control is enabled and active)
 	VerifyMutatingWebhookServicePath = "/verifymutate"
+	// LivenessServicePath is the path for check liveness health
+	LivenessServicePath = "/health/liveness"
+	// ReadinessServicePath is the path for check readness health 
+	ReadinessServicePath = "/health/readiness"
 )
 
 //CreateClientConfig creates client config
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 03ab8b5863..80be8e94f6 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -151,6 +151,22 @@ func NewWebhookServer(
 	mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.policyValidation, true))
 	mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.verifyHandler, false))
 
+	// Handle Liveness responds to a Kubernetes Liveness probe
+	// Fail this request if Kubernetes should restart this instance
+	mux.HandlerFunc("GET", config.LivenessServicePath, func(w http.ResponseWriter, r *http.Request){
+		defer r.Body.Close()
+
+		w.WriteHeader(http.StatusOK)
+	})
+
+	// Handle Readiness responds to a Kubernetes Readiness probe
+	// Fail this request if this instance can't accept traffic, but Kubernetes shouldn't restart it
+	mux.HandlerFunc("GET", config.ReadinessServicePath, func(w http.ResponseWriter, r *http.Request){
+		defer r.Body.Close()
+
+		w.WriteHeader(http.StatusOK)
+	})
+
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,

From 139000fe3fae83e8f68dd46c6603080e29658791 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 26 May 2020 22:26:07 -0700
Subject: [PATCH 193/201] fix namespace lister

---
 pkg/policy/controller.go | 21 ++++++++++++++-------
 pkg/policy/existing.go   | 23 ++++++++++++-----------
 2 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go
index 36928555ca..1bff21df59 100644
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@@ -1,9 +1,10 @@
 package policy
 
 import (
-	informers "k8s.io/client-go/informers/core/v1"
 	"time"
 
+	informers "k8s.io/client-go/informers/core/v1"
+
 	"github.com/go-logr/logr"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
@@ -22,6 +23,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	listerv1 "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
@@ -61,6 +63,9 @@ type PolicyController struct {
 	// nspvLister can list/get namespaced policy violation from the shared informer's store
 	nspvLister kyvernolister.PolicyViolationLister
 
+	// nsLister can list/get namespacecs from the shared informer's store
+	nsLister listerv1.NamespaceLister
+
 	// pListerSynced returns true if the Policy store has been synced at least once
 	pListerSynced cache.InformerSynced
 
@@ -70,7 +75,8 @@ type PolicyController struct {
 	// pvListerSynced returns true if the Policy Violation store has been synced at least once
 	nspvListerSynced cache.InformerSynced
 
-	nsInformer informers.NamespaceInformer
+	// nsListerSynced returns true if the namespace store has been synced at least once
+	nsListerSynced cache.InformerSynced
 
 	// Resource manager, manages the mapping for already processed resource
 	rm resourceManager
@@ -84,7 +90,7 @@ type PolicyController struct {
 	// resourceWebhookWatcher queues the webhook creation request, creates the webhook
 	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
 
-	log                    logr.Logger
+	log logr.Logger
 }
 
 // NewPolicyController create a new PolicyController
@@ -117,7 +123,6 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 		configHandler:          configHandler,
 		pvGenerator:            pvGenerator,
 		resourceWebhookWatcher: resourceWebhookWatcher,
-		nsInformer: namespaces,
 		log:                    log,
 	}
 
@@ -147,10 +152,13 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 	pc.pLister = pInformer.Lister()
 	pc.cpvLister = cpvInformer.Lister()
 	pc.nspvLister = nspvInformer.Lister()
+	pc.nsLister = namespaces.Lister()
 
 	pc.pListerSynced = pInformer.Informer().HasSynced
 	pc.cpvListerSynced = cpvInformer.Informer().HasSynced
 	pc.nspvListerSynced = nspvInformer.Informer().HasSynced
+	pc.nsListerSynced = namespaces.Informer().HasSynced
+
 	// resource manager
 	// rebuild after 300 seconds/ 5 mins
 	//TODO: pass the time in seconds instead of converting it internally
@@ -159,7 +167,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
 	return &pc, nil
 }
 
-func  (pc *PolicyController)  canBackgroundProcess(p *kyverno.ClusterPolicy) bool {
+func (pc *PolicyController) canBackgroundProcess(p *kyverno.ClusterPolicy) bool {
 	logger := pc.log.WithValues("policy", p.Name)
 	if !p.BackgroundProcessingEnabled() {
 		logger.V(4).Info("background processed is disabled")
@@ -174,7 +182,6 @@ func  (pc *PolicyController)  canBackgroundProcess(p *kyverno.ClusterPolicy) boo
 	return true
 }
 
-
 func (pc *PolicyController) addPolicy(obj interface{}) {
 	logger := pc.log
 	p := obj.(*kyverno.ClusterPolicy)
@@ -243,7 +250,7 @@ func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) {
 	logger.Info("starting")
 	defer logger.Info("shutting down")
 
-	if !cache.WaitForCacheSync(stopCh, pc.pListerSynced, pc.cpvListerSynced, pc.nspvListerSynced) {
+	if !cache.WaitForCacheSync(stopCh, pc.pListerSynced, pc.cpvListerSynced, pc.nspvListerSynced, pc.nsListerSynced) {
 		logger.Info("failed to sync informer cache")
 		return
 	}
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index 6153dbeba2..3d98d56d64 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -1,12 +1,13 @@
 package policy
 
 import (
-	informers "k8s.io/client-go/informers/core/v1"
 	"reflect"
 	"strings"
 	"sync"
 	"time"
 
+	listerv1 "k8s.io/client-go/listers/core/v1"
+
 	"github.com/go-logr/logr"
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -72,7 +73,7 @@ func (pc *PolicyController) listResources(policy kyverno.ClusterPolicy) map[stri
 				rMap := getResourcesPerNamespace(k, pc.client, "", rule, pc.configHandler, pc.log)
 				mergeResources(resourceMap, rMap)
 			} else {
-				namespaces := getNamespacesForRule(&rule, pc.nsInformer, pc.log)
+				namespaces := getNamespacesForRule(&rule, pc.nsLister, pc.log)
 				for _, ns := range namespaces {
 					rMap := getResourcesPerNamespace(k, pc.client, ns, rule, pc.configHandler, pc.log)
 					mergeResources(resourceMap, rMap)
@@ -84,9 +85,9 @@ func (pc *PolicyController) listResources(policy kyverno.ClusterPolicy) map[stri
 	return resourceMap
 }
 
-func getNamespacesForRule(rule *kyverno.Rule, nsInformer informers.NamespaceInformer, log logr.Logger) []string {
-	if len(rule.MatchResources.Namespaces) > 0 {
-		return getAllNamespaces(nsInformer, log)
+func getNamespacesForRule(rule *kyverno.Rule, nslister listerv1.NamespaceLister, log logr.Logger) []string {
+	if len(rule.MatchResources.Namespaces) == 0 {
+		return getAllNamespaces(nslister, log)
 	}
 
 	var wildcards []string
@@ -100,8 +101,8 @@ func getNamespacesForRule(rule *kyverno.Rule, nsInformer informers.NamespaceInfo
 	}
 
 	if len(wildcards) > 0 {
-		wildcardMatches := getMatchingNamespaces(wildcards, nsInformer, log)
-		results = append (results, wildcardMatches...)
+		wildcardMatches := getMatchingNamespaces(wildcards, nslister, log)
+		results = append(results, wildcardMatches...)
 	}
 
 	return results
@@ -115,8 +116,8 @@ func hasWildcard(s string) bool {
 	return strings.Contains(s, "*") || strings.Contains(s, "?")
 }
 
-func getMatchingNamespaces(wildcards []string, nsInformer informers.NamespaceInformer, log logr.Logger) []string {
-	all := getAllNamespaces(nsInformer, log)
+func getMatchingNamespaces(wildcards []string, nslister listerv1.NamespaceLister, log logr.Logger) []string {
+	all := getAllNamespaces(nslister, log)
 	if len(all) == 0 {
 		return all
 	}
@@ -133,9 +134,9 @@ func getMatchingNamespaces(wildcards []string, nsInformer informers.NamespaceInf
 	return results
 }
 
-func getAllNamespaces(nsInformer informers.NamespaceInformer, log logr.Logger) []string {
+func getAllNamespaces(nslister listerv1.NamespaceLister, log logr.Logger) []string {
 	var results []string
-	namespaces, err := nsInformer.Lister().List(labels.NewSelector())
+	namespaces, err := nslister.List(labels.NewSelector())
 	if err != nil {
 		log.Error(err, "Failed to list namespaces")
 	}

From 087f1838956212e6efcf8d30f0572639ddea7269 Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Tue, 26 May 2020 23:07:48 -0700
Subject: [PATCH 194/201] fix typo

---
 pkg/policy/apply.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index 9387401d4c..101901a411 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -79,7 +79,7 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
 
 	// resource does not match so there was a mutation rule violated
 	for index, rule := range engineResponse.PolicyResponse.Rules {
-		log.V(4).Info("veriying if policy rule was applied before", "rule", rule.Name)
+		log.V(4).Info("verifying if policy rule was applied before", "rule", rule.Name)
 
 		patches := dropKyvernoAnnotation(rule.Patches, log)
 		if len(patches) == 0 {

From 5c66742f5229c81a417cf7940446aa6a8f085d58 Mon Sep 17 00:00:00 2001
From: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Date: Wed, 27 May 2020 11:08:59 -0700
Subject: [PATCH 195/201] middelware removed (#882)

---
 pkg/webhooks/middleware.go | 15 ---------------
 1 file changed, 15 deletions(-)
 delete mode 100644 pkg/webhooks/middleware.go

diff --git a/pkg/webhooks/middleware.go b/pkg/webhooks/middleware.go
deleted file mode 100644
index 4fb44ae4f8..0000000000
--- a/pkg/webhooks/middleware.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package webhooks
-
-import (
-	"net/http"
-	"time"
-)
-
-func timeoutHandler(h http.Handler, timeout time.Duration) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		var timeoutHandler http.Handler
-		msg := "ok"
-		timeoutHandler = http.TimeoutHandler(h, timeout*time.Second, msg)
-		timeoutHandler.ServeHTTP(w, r)
-	}
-}

From 5cdcbec3c9db81dacca156ff021003e66c704f0b Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Wed, 27 May 2020 19:51:34 -0700
Subject: [PATCH 196/201] Bugfix/1.1.6 adjust resync and cleanup unused (#884)

* - support wildcards for namespaces

* do not annotate resource, unless policy is an autogen policy

* close HTTP body

* improve messages

* remove policy store

Policy store was not fully implemented and simply provided a way
to list all polices and get a policy by name, which can be done via
standard client-go interfaces.

We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.

* handle wildcard namespaces in background processing

* fix unit tests 1) remove platform dependent path usage 2) remove policy store

* add test case for mutate with wildcard namespaces

* adjust all resync periods

* remove unused data fields

* add pattern for match
---
 cmd/initContainer/main.go    |  2 +-
 pkg/constant/constant.go     | 12 ++++++------
 pkg/kyverno/apply/command.go |  2 +-
 pkg/openapi/crdSync.go       | 28 ++++++++++++++--------------
 pkg/openapi/validation.go    | 14 +++++---------
 pkg/policy/apply.go          |  9 ++++++++-
 6 files changed, 35 insertions(+), 32 deletions(-)

diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index f239ec7cbd..f21d6737b1 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -53,7 +53,7 @@ func main() {
 
 	// DYNAMIC CLIENT
 	// - client for all registered resources
-	client, err := client.NewClient(clientConfig, 10*time.Second, stopCh, log.Log)
+	client, err := client.NewClient(clientConfig, 15*time.Minute, stopCh, log.Log)
 	if err != nil {
 		setupLog.Error(err, "Failed to create client")
 		os.Exit(1)
diff --git a/pkg/constant/constant.go b/pkg/constant/constant.go
index 055a4b092e..c8ae0dc50a 100644
--- a/pkg/constant/constant.go
+++ b/pkg/constant/constant.go
@@ -3,10 +3,10 @@ package constant
 import "time"
 
 const (
-	CRDControllerResync             = 10 * time.Minute
-	PolicyViolationControllerResync = 5 * time.Minute
-	PolicyControllerResync          = time.Second
-	EventControllerResync           = time.Second
-	GenerateControllerResync        = time.Second
-	GenerateRequestControllerResync = time.Second
+	CRDControllerResync             = 15 * time.Minute
+	PolicyViolationControllerResync = 15 * time.Minute
+	PolicyControllerResync          = 15 * time.Minute
+	EventControllerResync           = 15 * time.Minute
+	GenerateControllerResync        = 15 * time.Minute
+	GenerateRequestControllerResync = 15 * time.Minute
 )
diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go
index daea727a61..8f98f9f754 100644
--- a/pkg/kyverno/apply/command.go
+++ b/pkg/kyverno/apply/command.go
@@ -94,7 +94,7 @@ func Command() *cobra.Command {
 				if err != nil {
 					return err
 				}
-				dClient, err = client.NewClient(restConfig, 10*time.Second, make(chan struct{}), log.Log)
+				dClient, err = client.NewClient(restConfig, 5*time.Minute, make(chan struct{}), log.Log)
 				if err != nil {
 					return err
 				}
diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go
index 7af05eecd9..ffabcde50b 100644
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@@ -16,7 +16,7 @@ import (
 	"github.com/googleapis/gnostic/compiler"
 
 	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
-	log "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/nirmata/kyverno/pkg/constant"
 	client "github.com/nirmata/kyverno/pkg/dclient"
@@ -28,7 +28,7 @@ type crdSync struct {
 	controller *Controller
 }
 
-// crdDefinitionPrior represents CRD's version prior to 1.16
+// crdDefinitionPrior represents CRDs version prior to 1.16
 var crdDefinitionPrior struct {
 	Spec struct {
 		Names struct {
@@ -40,7 +40,7 @@ var crdDefinitionPrior struct {
 	} `json:"spec"`
 }
 
-// crdDefinitionNew represents CRD in version 1.16+
+// crdDefinitionNew represents CRDs version 1.16+
 var crdDefinitionNew struct {
 	Spec struct {
 		Names struct {
@@ -55,9 +55,6 @@ var crdDefinitionNew struct {
 	} `json:"spec"`
 }
 
-var crdVersion struct {
-}
-
 func NewCRDSync(client *client.Client, controller *Controller) *crdSync {
 	if controller == nil {
 		panic(fmt.Errorf("nil controller sent into crd sync"))
@@ -72,12 +69,12 @@ func NewCRDSync(client *client.Client, controller *Controller) *crdSync {
 func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
 	newDoc, err := c.client.DiscoveryClient.OpenAPISchema()
 	if err != nil {
-		log.Log.Error(err, "cannot get openapi schema")
+		log.Log.Error(err, "cannot get OpenAPI schema")
 	}
 
 	err = c.controller.useOpenApiDocument(newDoc)
 	if err != nil {
-		log.Log.Error(err, "Could not set custom OpenApi document")
+		log.Log.Error(err, "Could not set custom OpenAPI document")
 	}
 
 	// Sync CRD before kyverno starts
@@ -110,12 +107,17 @@ func (c *crdSync) sync() {
 }
 
 func (o *Controller) deleteCRDFromPreviousSync() {
-	for _, crd := range o.crdList {
-		delete(o.kindToDefinitionName, crd)
-		delete(o.definitions, crd)
+	for k := range o.kindToDefinitionName {
+		delete(o.kindToDefinitionName, k)
 	}
 
-	o.crdList = []string{}
+	o.kindToDefinitionName = make(map[string]string, 0)
+
+	for k := range o.definitions {
+		delete(o.definitions, k)
+	}
+
+	o.definitions = make(map[string]*openapi_v2.Schema, 0)
 }
 
 func (o *Controller) parseCRD(crd unstructured.Unstructured) {
@@ -164,8 +166,6 @@ func (o *Controller) parseCRD(crd unstructured.Unstructured) {
 		return
 	}
 
-	o.crdList = append(o.crdList, crdName)
-
 	o.kindToDefinitionName[crdName] = crdName
 	o.definitions[crdName] = parsedSchema
 }
diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go
index f25edd428d..c0717a6cef 100644
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@@ -27,10 +27,8 @@ import (
 
 type Controller struct {
 	mutex                sync.RWMutex
-	document             *openapi_v2.Document
 	definitions          map[string]*openapi_v2.Schema
 	kindToDefinitionName map[string]string
-	crdList              []string
 	models               proto.Models
 }
 
@@ -82,7 +80,7 @@ func (o *Controller) ValidateResource(patchedResource unstructured.Unstructured,
 	schema := o.models.LookupModel(kind)
 	if schema == nil {
 		// Check if kind is a CRD
-		schema, err = o.getSchemaFromDefinitions(kind)
+		schema, err = o.getCRDSchema(kind)
 		if err != nil || schema == nil {
 			return fmt.Errorf("pre-validation: couldn't find model %s", kind)
 		}
@@ -144,22 +142,20 @@ func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 	return nil
 }
 
-func (o *Controller) useOpenApiDocument(customDoc *openapi_v2.Document) error {
+func (o *Controller) useOpenApiDocument(doc *openapi_v2.Document) error {
 	o.mutex.Lock()
 	defer o.mutex.Unlock()
 
-	o.document = customDoc
-
 	o.definitions = make(map[string]*openapi_v2.Schema)
 	o.kindToDefinitionName = make(map[string]string)
-	for _, definition := range o.document.GetDefinitions().AdditionalProperties {
+	for _, definition := range doc.GetDefinitions().AdditionalProperties {
 		o.definitions[definition.GetName()] = definition.GetValue()
 		path := strings.Split(definition.GetName(), ".")
 		o.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
 	}
 
 	var err error
-	o.models, err = proto.NewOpenAPIData(o.document)
+	o.models, err = proto.NewOpenAPIData(doc)
 	if err != nil {
 		return err
 	}
@@ -178,7 +174,7 @@ func getSchemaDocument() (*openapi_v2.Document, error) {
 }
 
 // For crd, we do not store definition in document
-func (o *Controller) getSchemaFromDefinitions(kind string) (proto.Schema, error) {
+func (o *Controller) getCRDSchema(kind string) (proto.Schema, error) {
 	if kind == "" {
 		return nil, errors.New("invalid kind")
 	}
diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index 101901a411..2ec9c2719d 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -17,6 +17,12 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
+const (
+	// JSON patch uses ~1 for / characters
+	// see: https://tools.ietf.org/html/rfc6901#section-3
+	PodTemplateAnnotationApplied = "pod-policies.kyverno.io~1autogen-applied"
+)
+
 // applyPolicy applies policy on a resource
 //TODO: generation rules
 func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) {
@@ -138,7 +144,8 @@ func dropKyvernoAnnotation(patches [][]byte, log logr.Logger) (resultPathes [][]
 		}
 
 		value := fmt.Sprintf("%v", data.Value)
-		if strings.Contains(value, engine.PodTemplateAnnotation) {
+		if strings.Contains(value, engine.PodTemplateAnnotation) ||
+			strings.Contains(value, PodTemplateAnnotationApplied) {
 			continue
 		}
 

From ffb2e6d3c234b78c972c743e62a2c0ce800347e4 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Wed, 27 May 2020 22:34:53 -0700
Subject: [PATCH 197/201] Bugfix/fix install repo (#885)

* - support wildcards for namespaces

* do not annotate resource, unless policy is an autogen policy

* close HTTP body

* improve messages

* fix repo

* fix init container image
---
 definitions/install.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 270a5064b3..b28acf1350 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -732,7 +732,7 @@ spec:
           image: nirmata/kyvernopre:v1.1.6-rc1
       containers:
         - name: kyverno
-          image: registry-v2.nirmata.io/nirmata/kyverno:latest
+          image: nirmata/kyverno:v1.1.6-rc1
           imagePullPolicy: Always
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"

From 9a41457a64281927fc0e910d77a3a80d533c6314 Mon Sep 17 00:00:00 2001
From: NoSkillGirl <singhpooja240393@gmail.com>
Date: Thu, 28 May 2020 12:00:24 +0530
Subject: [PATCH 198/201] corrected message in generating resources in readme

---
 README.md | 154 +++++++++++++++++++++++++++---------------------------
 1 file changed, 76 insertions(+), 78 deletions(-)

diff --git a/README.md b/README.md
index 12506896d1..fb2cfbe312 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 
 Kyverno is a policy engine designed for Kubernetes.
 
-Kubernetes supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources. 
+Kubernetes supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources.
 
 Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters.
 
@@ -26,7 +26,7 @@ Policy enforcement is captured using Kubernetes events. Kyverno also reports pol
 
 This policy requires that all pods have CPU and memory resource requests and limits:
 
-````yaml
+```yaml
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -35,109 +35,108 @@ spec:
   # `enforce` blocks the request. `audit` reports violations
   validationFailureAction: enforce
   rules:
-  - name: check-pod-resources
-    match:
-      resources:
-        kinds:
-        - Pod
-    validate:
-      message: "CPU and memory resource requests and limits are required"
-      pattern:
-        spec:
-          containers:
-          # 'name: *' selects all containers in the pod
-          - name: "*"
-            resources:
-              limits:
-                # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.
-                # Using them together e.g. '?*' requires at least one character. 
-                memory: "?*"
-                cpu: "?*"
-              requests:
-                memory: "?*"
-                cpu: "?*"
-````
+    - name: check-pod-resources
+      match:
+        resources:
+          kinds:
+            - Pod
+      validate:
+        message: "CPU and memory resource requests and limits are required"
+        pattern:
+          spec:
+            containers:
+              # 'name: *' selects all containers in the pod
+              - name: "*"
+                resources:
+                  limits:
+                    # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.
+                    # Using them together e.g. '?*' requires at least one character.
+                    memory: "?*"
+                    cpu: "?*"
+                  requests:
+                    memory: "?*"
+                    cpu: "?*"
+```
 
 ### 2. Mutating resources
 
 This policy sets the imagePullPolicy to Always if the image tag is latest:
 
-````yaml
+```yaml
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   name: set-image-pull-policy
 spec:
   rules:
-  - name: set-image-pull-policy
-    match:
-      resources:
-        kinds:
-        - Pod
-    mutate:
-      overlay:
-        spec:
-          containers:
-            # match images which end with :latest   
-            - (image): "*:latest"
-              # set the imagePullPolicy to "Always"
-              imagePullPolicy: "Always"
-````
+    - name: set-image-pull-policy
+      match:
+        resources:
+          kinds:
+            - Pod
+      mutate:
+        overlay:
+          spec:
+            containers:
+              # match images which end with :latest
+              - (image): "*:latest"
+                # set the imagePullPolicy to "Always"
+                imagePullPolicy: "Always"
+```
 
 ### 3. Generating resources
 
-This policy sets the Zookeeper and Kafka connection strings for all namespaces with a label key 'kafka'.
+This policy sets the Zookeeper and Kafka connection strings for all namespaces.
 
-````yaml
+```yaml
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   name: "zk-kafka-address"
 spec:
   rules:
-  - name: "zk-kafka-address"
-    match:
-      resources:
-        kinds:
-          - Namespace
-    generate:
-      kind: ConfigMap
-      name: zk-kafka-address
-      # generate the resource in the new namespace
-      namespace: "{{request.object.metadata.name}}"
-      data:
+    - name: "zk-kafka-address"
+      match:
+        resources:
+          kinds:
+            - Namespace
+      generate:
         kind: ConfigMap
+        name: zk-kafka-address
+        # generate the resource in the new namespace
+        namespace: "{{request.object.metadata.name}}"
         data:
-          ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
-          KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
-````
+          kind: ConfigMap
+          data:
+            ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+            KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
+```
 
 ### 4. More examples
 
-Refer to a list of curated of ***[sample policies](/samples/README.md)*** that can be applied to your cluster.
+Refer to a list of curated of **_[sample policies](/samples/README.md)_** that can be applied to your cluster.
 
 ## Documentation
 
-* [Getting Started](documentation/installation.md)
-* [Writing Policies](documentation/writing-policies.md)
-  * [Selecting Resources](/documentation/writing-policies-match-exclude.md)
-  * [Validate Resources](documentation/writing-policies-validate.md)
-  * [Mutate Resources](documentation/writing-policies-mutate.md)
-  * [Generate Resources](documentation/writing-policies-generate.md)
-  * [Variable Substitution](documentation/writing-policies-variables.md)
-  * [Preconditions](documentation/writing-policies-preconditions.md)
-  * [Auto-Generation of Pod Controller Policies](documentation/writing-policies-autogen.md)
-  * [Background Processing](documentation/writing-policies-background.md)
-* [Testing Policies](documentation/testing-policies.md)
-* [Policy Violations](documentation/policy-violations.md)
-* [Kyverno CLI](documentation/kyverno-cli.md)
-* [Sample Policies](/samples/README.md)
+- [Getting Started](documentation/installation.md)
+- [Writing Policies](documentation/writing-policies.md)
+  - [Selecting Resources](/documentation/writing-policies-match-exclude.md)
+  - [Validate Resources](documentation/writing-policies-validate.md)
+  - [Mutate Resources](documentation/writing-policies-mutate.md)
+  - [Generate Resources](documentation/writing-policies-generate.md)
+  - [Variable Substitution](documentation/writing-policies-variables.md)
+  - [Preconditions](documentation/writing-policies-preconditions.md)
+  - [Auto-Generation of Pod Controller Policies](documentation/writing-policies-autogen.md)
+  - [Background Processing](documentation/writing-policies-background.md)
+- [Testing Policies](documentation/testing-policies.md)
+- [Policy Violations](documentation/policy-violations.md)
+- [Kyverno CLI](documentation/kyverno-cli.md)
+- [Sample Policies](/samples/README.md)
 
 ## License
 
 [Apache License 2.0](https://github.com/nirmata/kyverno/blob/master/LICENSE)
 
-
 ## Alternatives
 
 ### Open Policy Agent
@@ -156,21 +155,20 @@ Refer to a list of curated of ***[sample policies](/samples/README.md)*** that c
 
 Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations.
 
-
 ## Roadmap
 
 See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](https://github.com/nirmata/kyverno/issues).
 
 ## Getting help
 
-  * For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues).
-  * For discussions or questions, join the **#kyverno** channel on the [Kubernetes Slack](https://kubernetes.slack.com/) or the [mailing list](https://groups.google.com/forum/#!forum/kyverno)
+- For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues).
+- For discussions or questions, join the **#kyverno** channel on the [Kubernetes Slack](https://kubernetes.slack.com/) or the [mailing list](https://groups.google.com/forum/#!forum/kyverno)
 
 ## Contributing
 
 Thanks for your interest in contributing!
 
-  * Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing.
-  * We encourage all contributions and encourage you to read our [contribution guidelines](./CONTRIBUTING.md).
-  * See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation.
-  * Browse through the [open issues](https://github.com/nirmata/kyverno/issues)
+- Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing.
+- We encourage all contributions and encourage you to read our [contribution guidelines](./CONTRIBUTING.md).
+- See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation.
+- Browse through the [open issues](https://github.com/nirmata/kyverno/issues)

From a9d2e8bc47b7a8e817ff14cca8c39c8695b0d3bb Mon Sep 17 00:00:00 2001
From: NoSkillGirl <singhpooja240393@gmail.com>
Date: Thu, 28 May 2020 12:00:33 +0530
Subject: [PATCH 199/201] message fix

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index fb2cfbe312..9896902261 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 
 Kyverno is a policy engine designed for Kubernetes.
 
-Kubernetes supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources.
+Kyverno supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources.
 
 Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters.
 

From d4e5790a665a1b428433b3e3ad1d6df656998684 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Thu, 28 May 2020 11:22:47 -0700
Subject: [PATCH 200/201] Bugfix/update docs for deny rules (#886)

* - support wildcards for namespaces

* do not annotate resource, unless policy is an autogen policy

* close HTTP body

* improve messages

* - update docs for deny rules
- add presentations and videos to README.md
---
 README.md                                  | 53 ++++++++++++++++---
 documentation/writing-policies-generate.md |  2 +-
 documentation/writing-policies-mutate.md   |  2 +-
 documentation/writing-policies-validate.md | 60 +++++++++++++++++++---
 4 files changed, 99 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index 9896902261..745810a7a0 100644
--- a/README.md
+++ b/README.md
@@ -49,8 +49,9 @@ spec:
               - name: "*"
                 resources:
                   limits:
-                    # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.
-                    # Using them together e.g. '?*' requires at least one character.
+                    # '?' requires 1 alphanumeric character and '*' means that 
+                    # there can be 0 or more characters. Using them together 
+                    # e.g. '?*' requires at least one character.
                     memory: "?*"
                     cpu: "?*"
                   requests:
@@ -58,6 +59,33 @@ spec:
                     cpu: "?*"
 ```
 
+This policy prevents users from changing default network policies:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-netpol-changes
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+    - name: check-netpol-updates
+      match:
+        resources:
+          kinds:
+            - NetworkPolicy
+          name:
+            - *-default
+      exclude:
+        clusterRoles:
+          - cluster-admin    
+      validate:
+        message: "Changing default network policies is not allowed"
+        deny: {}
+```
+
+
 ### 2. Mutating resources
 
 This policy sets the imagePullPolicy to Always if the image tag is latest:
@@ -112,18 +140,16 @@ spec:
             KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
 ```
 
-### 4. More examples
-
-Refer to a list of curated of **_[sample policies](/samples/README.md)_** that can be applied to your cluster.
+**For more examples, refer to a list of curated of **_[sample policies](/samples/README.md)_** that can be applied to your cluster.**
 
 ## Documentation
 
 - [Getting Started](documentation/installation.md)
 - [Writing Policies](documentation/writing-policies.md)
   - [Selecting Resources](/documentation/writing-policies-match-exclude.md)
-  - [Validate Resources](documentation/writing-policies-validate.md)
-  - [Mutate Resources](documentation/writing-policies-mutate.md)
-  - [Generate Resources](documentation/writing-policies-generate.md)
+  - [Validating Resources](documentation/writing-policies-validate.md)
+  - [Mutating Resources](documentation/writing-policies-mutate.md)
+  - [Generating Resources](documentation/writing-policies-generate.md)
   - [Variable Substitution](documentation/writing-policies-variables.md)
   - [Preconditions](documentation/writing-policies-preconditions.md)
   - [Auto-Generation of Pod Controller Policies](documentation/writing-policies-autogen.md)
@@ -133,6 +159,17 @@ Refer to a list of curated of **_[sample policies](/samples/README.md)_** that c
 - [Kyverno CLI](documentation/kyverno-cli.md)
 - [Sample Policies](/samples/README.md)
 
+
+## Presentations and Articles
+
+- [Introducing Kyverno - blog post](https://nirmata.com/2019/07/11/managing-kubernetes-configuration-with-policies/)
+- [CNCF Video and Slides](https://www.cncf.io/webinars/how-to-keep-your-clusters-safe-and-healthy/)
+- [10 Kubernetes Best Practices - blog post](https://thenewstack.io/10-kubernetes-best-practices-you-can-easily-apply-to-your-clusters/)
+- [VMware Code Meetup Video](https://www.youtube.com/watch?v=mgEmTvLytb0)
+- [Virtual Rejekts Video](https://www.youtube.com/watch?v=caFMtSg4A6I)
+- [TGIK Video](https://www.youtube.com/watch?v=ZE4Zu9WQET4&list=PL7bmigfV0EqQzxcNpmcdTJ9eFRPBe-iZa&index=18&t=0s)
+
+
 ## License
 
 [Apache License 2.0](https://github.com/nirmata/kyverno/blob/master/LICENSE)
diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md
index d0fc16be0a..6d943ba60a 100644
--- a/documentation/writing-policies-generate.md
+++ b/documentation/writing-policies-generate.md
@@ -1,6 +1,6 @@
 <small>*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Generate Resources*</small>
 
-# Generate Resources 
+# Generating Resources 
 
 The ```generate``` rule can used to create additional resources when a new resource is created. This is useful to create supporting resources, such as new role bindings for a new namespace.
 
diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md
index 68b6aaa45e..13dcf429a9 100644
--- a/documentation/writing-policies-mutate.md
+++ b/documentation/writing-policies-mutate.md
@@ -1,6 +1,6 @@
 <small>*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Mutate Resources*</small>
 
-# Mutate Resources
+# Mutating Resources
 
 The ```mutate``` rule can be used to add, replace, or delete elements in matching resources. A mutate rule can be written as a JSON Patch or as an overlay. 
 
diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md
index bde1525e7f..a4fb04fae7 100644
--- a/documentation/writing-policies-validate.md
+++ b/documentation/writing-policies-validate.md
@@ -1,9 +1,15 @@
 <small>*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Validate Resources*</small>
 
 
-# Validate Resources 
+# Validating Resources and Requests
 
-A validation rule is expressed as an overlay pattern that expresses the desired configuration. Resource configurations must match fields and expressions defined in the pattern to pass the validation rule. The following rules are followed when processing the overlay pattern:
+A validation rule can be used to validate resources or to deny API requests based on other information.
+
+To validate resource data, define a [pattern](#patterns) in the validation rule. To deny certain API requests define a [deny](#deny-rules) element in the validation rule along a set of conditions that control when to allow or deny the request.
+
+## Patterns
+
+A validation rule that checks resource data is defined as an overlay pattern that provides the desired configuration. Resource configurations must match fields and expressions defined in the pattern to pass the validation rule. The following rules are followed when processing the overlay pattern:
 
 1. Validation will fail if a field is defined in the pattern and if the field does not exist in the configuration. 
 2. Undefined fields are treated as wildcards. 
@@ -14,7 +20,6 @@ A validation rule is expressed as an overlay pattern that expresses the desired
 7. The validation of siblings is performed only when one of the field values matches the value defined in the pattern. You can use the parenthesis operator to explictly specify a field value that must be matched. This allows writing rules like 'if fieldA equals X, then fieldB must equal Y'.
 8. Validation of child values is only performed if the parent matches the pattern.
 
-## Patterns
 
 ### Wildcards
 1. `*` - matches zero or more alphanumeric characters
@@ -33,7 +38,7 @@ A validation rule is expressed as an overlay pattern that expresses the desired
 
 There is no operator for `equals` as providing a field value in the pattern requires equality to the value.
 
-## Anchors
+### Anchors
 
 Anchors allow conditional processing (i.e. "if-then-else) and other logical checks in validation patterns. The following types of anchors are supported:
 
@@ -45,7 +50,7 @@ Anchors allow conditional processing (i.e. "if-then-else) and other logical chec
 | Existence   	| ^() 	| Works on the list/array type only. If at least one element in the list satisfies the pattern. In contrast, a conditional anchor would validate that all elements in the list match the pattern. <br/>e.g. At least one container with image nginx:latest must exist. <br/>&nbsp;&nbsp;&nbsp;&nbsp;^(containers):<br/>&nbsp;&nbsp;&nbsp;&nbsp;- image: nginx:latest<br/>  	|
 | Negation    	| X() 	| The tag cannot be specified. The value of the tag is not evaulated. <br/>e.g. Hostpath tag cannot be defined.<br/>&nbsp;&nbsp;&nbsp;&nbsp;X(hostPath):<br/>	|
 
-## Anchors and child elements
+### Anchors and child elements
 
 Child elements are handled differently for conditional and equality anchors. 
 
@@ -77,7 +82,7 @@ For equality anchors, a child element is considered to be part of the "then" cla
 This is read as "If a hostPath volume exists, then the path must not be equal to /var/run/docker.sock".
 
 
-## Examples
+### Validation Pattern Examples
 
 The following rule prevents the creation of Deployment, StatefuleSet and DaemonSet resources without label 'app' in selector:
 
@@ -113,7 +118,7 @@ spec:
 
 ````
 
-### Existence anchor: at least one
+#### Existence anchor: at least one
 
 A variation of an anchor, is to check that in a list of elements at least one element exists that matches the patterm. This is done by using the ^(...) notation for the field.
 
@@ -147,7 +152,7 @@ spec:
                             memory: "2048Mi"
 ````
 
-### Logical OR across validation patterns
+#### Logical OR across validation patterns
 
 In some cases content can be defined at a different level. For example, a security context can be defined at the Pod or Container level. The validation rule should pass if either one of the conditions is met. 
 
@@ -190,5 +195,44 @@ Additional examples are available in [samples](/samples/README.md)
 
 The `validationFailureAction` attribute controls processing behaviors when the resource is not compliant with the policy. If the value is set to `enforce` resource creation or updates are blocked when the resource does not comply, and when the value is set to `audit` a policy violation is reported but the resource creation or update is allowed.
 
+## Deny rules
+
+In addition to applying patterns to check resources, a validate rule can `deny` a request based on a set of conditions. This is useful for applying fine grained access controls that cannot be performed using Kubernetes RBAC.
+
+For example, the policy below denies `delete requests` for objects with the label `app.kubernetes.io/managed-by: kyverno` and for all users who do not have the `cluster-admin` role.
+
+As the example shows, you can use `match` and `exclude` to select when the rule should be applied and then use additional conditions in the `deny` declaration to apply fine-grained controls. 
+
+Note that the `validationFailureAction` must be set to `enforce` to block the request.
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: multi-tenancy
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+    - name: block-deletes-for-kyverno-resources
+      match:
+        resources:
+          selector:
+            matchLabels:
+              app.kubernetes.io/managed-by: kyverno
+      exclude:
+        clusterRoles:
+        - cluster-admin
+      validate:
+        message: "Deleting {{request.oldObject.kind}}/{{request.oldObject.metadata.name}} is not allowed"
+        deny:
+          conditions:
+            - key: "{{request.operation}}"
+              operator: Equals
+              value: "DELETE"        
+```
+
+Learn more about using [variables](writing-policies-variables.md) and [conditions](writing-policies-preconditions.md) in upcoming sections.
+
 ---
 <small>*Read Next >> [Mutate Resources](/documentation/writing-policies-mutate.md)*</small>

From d86b8ea2ce1c5fcbf185aa622c6932bc165cdd77 Mon Sep 17 00:00:00 2001
From: shuting <shutting06@gmail.com>
Date: Thu, 28 May 2020 12:12:12 -0700
Subject: [PATCH 201/201] update tag v1.1.6-rc2 (#887)

---
 definitions/install.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/definitions/install.yaml b/definitions/install.yaml
index b28acf1350..cc6b9bcf45 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -729,10 +729,10 @@ spec:
       serviceAccountName: kyverno-service-account
       initContainers:
         - name: kyverno-pre
-          image: nirmata/kyvernopre:v1.1.6-rc1
+          image: nirmata/kyvernopre:v1.1.6-rc2
       containers:
         - name: kyverno
-          image: nirmata/kyverno:v1.1.6-rc1
+          image: nirmata/kyverno:v1.1.6-rc2
           imagePullPolicy: Always
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"