CVE-2025-24784

@@ -75,11 +75,7 @@ func (r *AdmissionPolicyGroup) SetPolicyModeStatus(policyMode PolicyModeStatus)
 }
 
 func (r *AdmissionPolicyGroup) IsContextAware() bool {
-	for _, policy := range r.Spec.Policies {
-		if len(policy.ContextAwareResources) > 0 {
-			return true
-		}
-	}
+	// We return false here because AdmissionPolicyGroup have no access to context aware resources.
 	return false
 }
 
@@ -91,8 +87,17 @@ func (r *AdmissionPolicyGroup) GetModule() string {
 	return ""
 }
 
-func (r *AdmissionPolicyGroup) GetPolicyGroupMembers() PolicyGroupMembers {
-	return r.Spec.Policies
+func (r *AdmissionPolicyGroup) GetPolicyGroupMembersWithContext() PolicyGroupMembersWithContext {
+	policies := make(PolicyGroupMembersWithContext)
+	for name, policy := range r.Spec.Policies {
+		policies[name] = PolicyGroupMemberWithContext{
+			PolicyGroupMember: policy,
+			// AdmissionPolicyGroup does not have access to context aware resources.
+			ContextAwareResources: []ContextAwareResource{},
+		}
+	}
+
+	return policies
 }
 
 func (r *AdmissionPolicyGroup) GetSettings() runtime.RawExtension {

@@ -22,9 +22,19 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
+type ClusterPolicyGroupSpec struct {
+	GroupSpec `json:""`
+
+	// Policies is a list of policies that are part of the group that will
+	// be available to be called in the evaluation expression field.
+	// Each policy in the group should be a Kubewarden policy.
+	// +kubebuilder:validation:Required
+	Policies PolicyGroupMembersWithContext `json:"policies"`
+}
+
 // ClusterAdmissionPolicyGroupSpec defines the desired state of ClusterAdmissionPolicyGroup.
 type ClusterAdmissionPolicyGroupSpec struct {
-	PolicyGroupSpec `json:""`
+	ClusterPolicyGroupSpec `json:""`
 
 	// NamespaceSelector decides whether to run the webhook on an object based
 	// on whether the namespace for that object matches the selector. If the
@@ -148,7 +158,7 @@ func (r *ClusterAdmissionPolicyGroup) GetStatus() *PolicyStatus {
 	return &r.Status
 }
 
-func (r *ClusterAdmissionPolicyGroup) GetPolicyGroupMembers() PolicyGroupMembers {
+func (r *ClusterAdmissionPolicyGroup) GetPolicyGroupMembersWithContext() PolicyGroupMembersWithContext {
 	return r.Spec.Policies
 }
 

@@ -314,12 +314,14 @@ func (f *AdmissionPolicyGroupFactory) Build() *AdmissionPolicyGroup {
 		},
 		Spec: AdmissionPolicyGroupSpec{
 			PolicyGroupSpec: PolicyGroupSpec{
-				PolicyServer:    f.policyServer,
-				Policies:        f.policyMembers,
-				Expression:      f.expression,
-				Rules:           f.rules,
-				MatchConditions: f.matchConds,
-				Mode:            f.mode,
+				GroupSpec: GroupSpec{
+					PolicyServer:    f.policyServer,
+					Expression:      f.expression,
+					Rules:           f.rules,
+					MatchConditions: f.matchConds,
+					Mode:            f.mode,
+				},
+				Policies: f.policyMembers,
 			},
 		},
 	}
@@ -330,7 +332,7 @@ type ClusterAdmissionPolicyGroupFactory struct {
 	policyServer  string
 	rules         []admissionregistrationv1.RuleWithOperations
 	expression    string
-	policyMembers PolicyGroupMembers
+	policyMembers PolicyGroupMembersWithContext
 	matchConds    []admissionregistrationv1.MatchCondition
 	mode          PolicyMode
 }
@@ -353,12 +355,16 @@ func NewClusterAdmissionPolicyGroupFactory() *ClusterAdmissionPolicyGroupFactory
 			},
 		},
 		expression: "pod_privileged() && user_group_psp()",
-		policyMembers: PolicyGroupMembers{
+		policyMembers: PolicyGroupMembersWithContext{
 			"pod_privileged": {
-				Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+				PolicyGroupMember: PolicyGroupMember{
+					Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+				},
 			},
 			"user_group_psp": {
-				Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+				PolicyGroupMember: PolicyGroupMember{
+					Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+				},
 			},
 		},
 		matchConds: []admissionregistrationv1.MatchCondition{
@@ -378,7 +384,7 @@ func (f *ClusterAdmissionPolicyGroupFactory) WithPolicyServer(policyServer strin
 	return f
 }
 
-func (f *ClusterAdmissionPolicyGroupFactory) WithMembers(members PolicyGroupMembers) *ClusterAdmissionPolicyGroupFactory {
+func (f *ClusterAdmissionPolicyGroupFactory) WithMembers(members PolicyGroupMembersWithContext) *ClusterAdmissionPolicyGroupFactory {
 	f.policyMembers = members
 	return f
 }
@@ -413,13 +419,15 @@ func (f *ClusterAdmissionPolicyGroupFactory) Build() *ClusterAdmissionPolicyGrou
 			},
 		},
 		Spec: ClusterAdmissionPolicyGroupSpec{
-			PolicyGroupSpec: PolicyGroupSpec{
-				PolicyServer:    f.policyServer,
-				Policies:        f.policyMembers,
-				Expression:      f.expression,
-				Rules:           f.rules,
-				MatchConditions: f.matchConds,
-				Mode:            f.mode,
+			ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+				GroupSpec: GroupSpec{
+					PolicyServer:    f.policyServer,
+					Expression:      f.expression,
+					Rules:           f.rules,
+					MatchConditions: f.matchConds,
+					Mode:            f.mode,
+				},
+				Policies: f.policyMembers,
 			},
 		},
 	}

@@ -151,7 +151,7 @@ type Policy interface {
 // +kubebuilder:object:generate:=false
 type PolicyGroup interface {
 	Policy
-	GetPolicyGroupMembers() PolicyGroupMembers
+	GetPolicyGroupMembersWithContext() PolicyGroupMembersWithContext
 	GetExpression() string
 	GetMessage() string
 }

@@ -56,10 +56,10 @@ func validatePolicyGroupUpdate(oldPolicyGroup, newPolicyGroup PolicyGroup) field
 // validatePolicyGroupMembers validates that a policy group has at least one policy member.
 func validatePolicyGroupMembers(policyGroup PolicyGroup) field.ErrorList {
 	var allErrors field.ErrorList
-	if len(policyGroup.GetPolicyGroupMembers()) == 0 {
+	if len(policyGroup.GetPolicyGroupMembersWithContext()) == 0 {
 		allErrors = append(allErrors, field.Required(field.NewPath("spec").Child("policies"), "policy groups must have at least one policy member"))
 	}
-	for memberName := range policyGroup.GetPolicyGroupMembers() {
+	for memberName := range policyGroup.GetPolicyGroupMembersWithContext() {
 		_, matchReservedSymbol := celReservedSymbols[memberName]
 		if len(memberName) == 0 || matchReservedSymbol || !idenRegex.MatchString(memberName) {
 			allErrors = append(allErrors, field.Invalid(field.NewPath("spec").Child("policies"), memberName, "policy group member name is invalid"))
@@ -81,7 +81,7 @@ func validatePolicyGroupExpressionField(policyGroup PolicyGroup) *field.Error {
 
 	// Create a CEL environment with custom functions for each policy member
 	var opts []cel.EnvOption
-	for policyName := range policyGroup.GetPolicyGroupMembers() {
+	for policyName := range policyGroup.GetPolicyGroupMembersWithContext() {
 		fn := cel.Function(policyName, cel.Overload(policyName, []*cel.Type{}, types.BoolType))
 		opts = append(opts, fn)
 	}

@@ -21,15 +21,21 @@ func TestValidatePolicyGroupExpressionField(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Expression: "policy1() && policy2()",
-						Message:    "This is a test policy",
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						GroupSpec: GroupSpec{
+							Expression: "policy1() && policy2()",
+							Message:    "This is a test policy",
+						},
+						Policies: PolicyGroupMembersWithContext{
 							"policy1": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 							"policy2": {
-								Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								},
 							},
 						},
 					},
@@ -44,15 +50,21 @@ func TestValidatePolicyGroupExpressionField(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Expression: "",
-						Message:    "This is a test policy",
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						GroupSpec: GroupSpec{
+							Expression: "",
+							Message:    "This is a test policy",
+						},
+						Policies: PolicyGroupMembersWithContext{
 							"policy1": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 							"policy2": {
-								Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								},
 							},
 						},
 					},
@@ -67,15 +79,21 @@ func TestValidatePolicyGroupExpressionField(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Expression: "123",
-						Message:    "This is a test policy",
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						GroupSpec: GroupSpec{
+							Expression: "123",
+							Message:    "This is a test policy",
+						},
+						Policies: PolicyGroupMembersWithContext{
 							"policy1": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 							"policy2": {
-								Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								},
 							},
 						},
 					},
@@ -90,15 +108,21 @@ func TestValidatePolicyGroupExpressionField(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Expression: "2 > 1",
-						Message:    "This is a test policy",
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						GroupSpec: GroupSpec{
+							Expression: "2 > 1",
+							Message:    "This is a test policy",
+						},
+						Policies: PolicyGroupMembersWithContext{
 							"policy1": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 							"policy2": {
-								Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								},
 							},
 						},
 					},
@@ -134,15 +158,21 @@ func TestValidatePolicyGroupMembers(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Expression: "policy1() && policy2()",
-						Message:    "This is a test policy",
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						GroupSpec: GroupSpec{
+							Expression: "policy1() && policy2()",
+							Message:    "This is a test policy",
+						},
+						Policies: PolicyGroupMembersWithContext{
 							"policy1": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 							"policy2": {
-								Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								},
 							},
 						},
 					},
@@ -157,8 +187,8 @@ func TestValidatePolicyGroupMembers(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Policies: map[string]PolicyGroupMember{},
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						Policies: map[string]PolicyGroupMemberWithContext{},
 					},
 				},
 			},
@@ -171,10 +201,12 @@ func TestValidatePolicyGroupMembers(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						Policies: PolicyGroupMembersWithContext{
 							"": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 						},
 					},
@@ -189,10 +221,12 @@ func TestValidatePolicyGroupMembers(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						Policies: PolicyGroupMembersWithContext{
 							"in": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 						},
 					},
@@ -207,10 +241,12 @@ func TestValidatePolicyGroupMembers(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						Policies: PolicyGroupMembersWithContext{
 							"0policy1": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 						},
 					},
@@ -225,10 +261,12 @@ func TestValidatePolicyGroupMembers(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						Policies: PolicyGroupMembersWithContext{
 							"p!ol.ic?y1": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 						},
 					},
@@ -243,13 +281,17 @@ func TestValidatePolicyGroupMembers(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						Policies: PolicyGroupMembersWithContext{
 							"_policy1": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 							"pol_icy2": {
-								Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								},
 							},
 						},
 					},
@@ -264,13 +306,17 @@ func TestValidatePolicyGroupMembers(t *testing.T) {
 					Name: "testing-cluster-policy-group",
 				},
 				Spec: ClusterAdmissionPolicyGroupSpec{
-					PolicyGroupSpec: PolicyGroupSpec{
-						Policies: PolicyGroupMembers{
+					ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+						Policies: PolicyGroupMembersWithContext{
 							"po0licy1": {
-								Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+								},
 							},
 							"policy21": {
-								Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								PolicyGroupMember: PolicyGroupMember{
+									Module: "ghcr.io/kubewarden/tests/safe-labels:v1.0.0",
+								},
 							},
 						},
 					},

@@ -170,6 +170,12 @@ type PolicyGroupMember struct {
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// x-kubernetes-embedded-resource: false
 	Settings runtime.RawExtension `json:"settings,omitempty"`
+}
+
+type PolicyGroupMembersWithContext map[string]PolicyGroupMemberWithContext
+
+type PolicyGroupMemberWithContext struct {
+	PolicyGroupMember `json:""`
 
 	// List of Kubernetes resources the policy is allowed to access at evaluation time.
 	// Access to these resources is done using the `ServiceAccount` of the PolicyServer
@@ -178,7 +184,7 @@ type PolicyGroupMember struct {
 	ContextAwareResources []ContextAwareResource `json:"contextAwareResources,omitempty"`
 }
 
-type PolicyGroupSpec struct {
+type GroupSpec struct {
 	// PolicyServer identifies an existing PolicyServer resource.
 	// +kubebuilder:default:=default
 	// +optional
@@ -302,6 +308,10 @@ type PolicyGroupSpec struct {
 	// returned in the warning field of the response.
 	// +kubebuilder:validation:Required
 	Message string `json:"message"`
+}
+
+type PolicyGroupSpec struct {
+	GroupSpec `json:""`
 
 	// Policies is a list of policies that are part of the group that will
 	// be available to be called in the evaluation expression field.

@@ -267,7 +267,7 @@ func (in *ClusterAdmissionPolicyGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterAdmissionPolicyGroupSpec) DeepCopyInto(out *ClusterAdmissionPolicyGroupSpec) {
 	*out = *in
-	in.PolicyGroupSpec.DeepCopyInto(&out.PolicyGroupSpec)
+	in.ClusterPolicyGroupSpec.DeepCopyInto(&out.ClusterPolicyGroupSpec)
 	if in.NamespaceSelector != nil {
 		in, out := &in.NamespaceSelector, &out.NamespaceSelector
 		*out = new(metav1.LabelSelector)
@@ -344,64 +344,45 @@ func (in *ClusterAdmissionPolicySpec) DeepCopy() *ClusterAdmissionPolicySpec {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ContextAwareResource) DeepCopyInto(out *ContextAwareResource) {
+func (in *ClusterPolicyGroupSpec) DeepCopyInto(out *ClusterPolicyGroupSpec) {
 	*out = *in
+	in.GroupSpec.DeepCopyInto(&out.GroupSpec)
+	if in.Policies != nil {
+		in, out := &in.Policies, &out.Policies
+		*out = make(PolicyGroupMembersWithContext, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextAwareResource.
-func (in *ContextAwareResource) DeepCopy() *ContextAwareResource {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyGroupSpec.
+func (in *ClusterPolicyGroupSpec) DeepCopy() *ClusterPolicyGroupSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(ContextAwareResource)
+	out := new(ClusterPolicyGroupSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PolicyGroupMember) DeepCopyInto(out *PolicyGroupMember) {
+func (in *ContextAwareResource) DeepCopyInto(out *ContextAwareResource) {
 	*out = *in
-	in.Settings.DeepCopyInto(&out.Settings)
-	if in.ContextAwareResources != nil {
-		in, out := &in.ContextAwareResources, &out.ContextAwareResources
-		*out = make([]ContextAwareResource, len(*in))
-		copy(*out, *in)
-	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyGroupMember.
-func (in *PolicyGroupMember) DeepCopy() *PolicyGroupMember {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextAwareResource.
+func (in *ContextAwareResource) DeepCopy() *ContextAwareResource {
 	if in == nil {
 		return nil
 	}
-	out := new(PolicyGroupMember)
+	out := new(ContextAwareResource)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in PolicyGroupMembers) DeepCopyInto(out *PolicyGroupMembers) {
-	{
-		in := &in
-		*out = make(PolicyGroupMembers, len(*in))
-		for key, val := range *in {
-			(*out)[key] = *val.DeepCopy()
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyGroupMembers.
-func (in PolicyGroupMembers) DeepCopy() PolicyGroupMembers {
-	if in == nil {
-		return nil
-	}
-	out := new(PolicyGroupMembers)
-	in.DeepCopyInto(out)
-	return *out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PolicyGroupSpec) DeepCopyInto(out *PolicyGroupSpec) {
+func (in *GroupSpec) DeepCopyInto(out *GroupSpec) {
 	*out = *in
 	if in.Rules != nil {
 		in, out := &in.Rules, &out.Rules
@@ -440,6 +421,101 @@ func (in *PolicyGroupSpec) DeepCopyInto(out *PolicyGroupSpec) {
 		*out = new(int32)
 		**out = **in
 	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupSpec.
+func (in *GroupSpec) DeepCopy() *GroupSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(GroupSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyGroupMember) DeepCopyInto(out *PolicyGroupMember) {
+	*out = *in
+	in.Settings.DeepCopyInto(&out.Settings)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyGroupMember.
+func (in *PolicyGroupMember) DeepCopy() *PolicyGroupMember {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyGroupMember)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyGroupMemberWithContext) DeepCopyInto(out *PolicyGroupMemberWithContext) {
+	*out = *in
+	in.PolicyGroupMember.DeepCopyInto(&out.PolicyGroupMember)
+	if in.ContextAwareResources != nil {
+		in, out := &in.ContextAwareResources, &out.ContextAwareResources
+		*out = make([]ContextAwareResource, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyGroupMemberWithContext.
+func (in *PolicyGroupMemberWithContext) DeepCopy() *PolicyGroupMemberWithContext {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyGroupMemberWithContext)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in PolicyGroupMembers) DeepCopyInto(out *PolicyGroupMembers) {
+	{
+		in := &in
+		*out = make(PolicyGroupMembers, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyGroupMembers.
+func (in PolicyGroupMembers) DeepCopy() PolicyGroupMembers {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyGroupMembers)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in PolicyGroupMembersWithContext) DeepCopyInto(out *PolicyGroupMembersWithContext) {
+	{
+		in := &in
+		*out = make(PolicyGroupMembersWithContext, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyGroupMembersWithContext.
+func (in PolicyGroupMembersWithContext) DeepCopy() PolicyGroupMembersWithContext {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyGroupMembersWithContext)
+	in.DeepCopyInto(out)
+	return *out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyGroupSpec) DeepCopyInto(out *PolicyGroupSpec) {
+	*out = *in
+	in.GroupSpec.DeepCopyInto(&out.GroupSpec)
 	if in.Policies != nil {
 		in, out := &in.Policies, &out.Policies
 		*out = make(PolicyGroupMembers, len(*in))

@@ -261,27 +261,6 @@ spec:
               policies:
                 additionalProperties:
                   properties:
-                    contextAwareResources:
-                      description: |-
-                        List of Kubernetes resources the policy is allowed to access at evaluation time.
-                        Access to these resources is done using the `ServiceAccount` of the PolicyServer
-                        the policy is assigned to.
-                      items:
-                        description: ContextAwareResource identifies a Kubernetes
-                          resource.
-                        properties:
-                          apiVersion:
-                            description: apiVersion of the resource (v1 for core group,
-                              groupName/groupVersions for other).
-                            type: string
-                          kind:
-                            description: Singular PascalCase name of the resource
-                            type: string
-                        required:
-                        - apiVersion
-                        - kind
-                        type: object
-                      type: array
                     module:
                       description: |-
                         Module is the location of the WASM module to be loaded. Can be a

@@ -253,7 +253,7 @@ ClusterAdmissionPolicyGroupSpec defines the desired state of ClusterAdmissionPol
 [cols="20a,50a,15a,15a", options="header"]
 |===
 | Field | Description | Default | Validation
-| *`PolicyGroupSpec`* __xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupspec[$$PolicyGroupSpec$$]__ |  |  | 
+| *`ClusterPolicyGroupSpec`* __xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-clusterpolicygroupspec[$$ClusterPolicyGroupSpec$$]__ |  |  | 
 | *`namespaceSelector`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#labelselector-v1-meta[$$LabelSelector$$]__ | NamespaceSelector decides whether to run the webhook on an object based +
 on whether the namespace for that object matches the selector. If the +
 object itself is a namespace, the matching is performed on +
@@ -393,92 +393,56 @@ the policy is assigned to. + |  |
 |===
 
 
-[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-contextawareresource"]
-==== ContextAwareResource
+[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-clusterpolicygroupspec"]
+==== ClusterPolicyGroupSpec
+
 
 
 
-ContextAwareResource identifies a Kubernetes resource.
 
 
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-clusteradmissionpolicyspec[$$ClusterAdmissionPolicySpec$$]
-- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmember[$$PolicyGroupMember$$]
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-clusteradmissionpolicygroupspec[$$ClusterAdmissionPolicyGroupSpec$$]
 ****
 
 [cols="20a,50a,15a,15a", options="header"]
 |===
 | Field | Description | Default | Validation
-| *`apiVersion`* __string__ | apiVersion of the resource (v1 for core group, groupName/groupVersions for other). + |  | 
-| *`kind`* __string__ | Singular PascalCase name of the resource + |  | 
-|===
-
-
-
-
-
-
-
-
-
-
-
-
+| *`GroupSpec`* __xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-groupspec[$$GroupSpec$$]__ |  |  | 
+| *`policies`* __xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmemberswithcontext[$$PolicyGroupMembersWithContext$$]__ | Policies is a list of policies that are part of the group that will +
+be available to be called in the evaluation expression field. +
+Each policy in the group should be a Kubewarden policy. + |  | Required: {} +
 
+|===
 
-[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmember"]
-==== PolicyGroupMember
 
+[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-contextawareresource"]
+==== ContextAwareResource
 
 
 
+ContextAwareResource identifies a Kubernetes resource.
 
 
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmembers[$$PolicyGroupMembers$$]
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-clusteradmissionpolicyspec[$$ClusterAdmissionPolicySpec$$]
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmemberwithcontext[$$PolicyGroupMemberWithContext$$]
 ****
 
 [cols="20a,50a,15a,15a", options="header"]
 |===
 | Field | Description | Default | Validation
-| *`module`* __string__ | Module is the location of the WASM module to be loaded. Can be a +
-local file (file://), a remote file served by an HTTP server +
-(http://, https://), or an artifact served by an OCI-compatible +
-registry (registry://). +
-If prefix is missing, it will default to registry:// and use that +
-internally. + |  | Required: {} +
-
-| *`settings`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#rawextension-runtime-pkg[$$RawExtension$$]__ | Settings is a free-form object that contains the policy configuration +
-values. +
-x-kubernetes-embedded-resource: false + |  | 
-| *`contextAwareResources`* __xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-contextawareresource[$$ContextAwareResource$$] array__ | List of Kubernetes resources the policy is allowed to access at evaluation time. +
-Access to these resources is done using the `ServiceAccount` of the PolicyServer +
-the policy is assigned to. + |  | 
+| *`apiVersion`* __string__ | apiVersion of the resource (v1 for core group, groupName/groupVersions for other). + |  | 
+| *`kind`* __string__ | Singular PascalCase name of the resource + |  | 
 |===
 
 
-[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmembers"]
-==== PolicyGroupMembers
-
-_Underlying type:_ _xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-map-string-policygroupmember[$$map[string]PolicyGroupMember$$]_
-
-
-
-
-
-.Appears In:
-****
-- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupspec[$$PolicyGroupSpec$$]
-****
-
-
-
-[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupspec"]
-==== PolicyGroupSpec
+[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-groupspec"]
+==== GroupSpec
 
 
 
@@ -488,8 +452,8 @@ _Underlying type:_ _xref:{anchor_prefix}-github-com-kubewarden-kubewarden-contro
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-admissionpolicygroupspec[$$AdmissionPolicyGroupSpec$$]
-- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-clusteradmissionpolicygroupspec[$$ClusterAdmissionPolicyGroupSpec$$]
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-clusterpolicygroupspec[$$ClusterPolicyGroupSpec$$]
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupspec[$$PolicyGroupSpec$$]
 ****
 
 [cols="20a,50a,15a,15a", options="header"]
@@ -584,6 +548,126 @@ documentation to learn about all the features available. + |  | Required: {} +
 the policy group is rejected. The specific policy results will be +
 returned in the warning field of the response. + |  | Required: {} +
 
+|===
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmember"]
+==== PolicyGroupMember
+
+
+
+
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmemberwithcontext[$$PolicyGroupMemberWithContext$$]
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmembers[$$PolicyGroupMembers$$]
+****
+
+[cols="20a,50a,15a,15a", options="header"]
+|===
+| Field | Description | Default | Validation
+| *`module`* __string__ | Module is the location of the WASM module to be loaded. Can be a +
+local file (file://), a remote file served by an HTTP server +
+(http://, https://), or an artifact served by an OCI-compatible +
+registry (registry://). +
+If prefix is missing, it will default to registry:// and use that +
+internally. + |  | Required: {} +
+
+| *`settings`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#rawextension-runtime-pkg[$$RawExtension$$]__ | Settings is a free-form object that contains the policy configuration +
+values. +
+x-kubernetes-embedded-resource: false + |  | 
+|===
+
+
+[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmemberwithcontext"]
+==== PolicyGroupMemberWithContext
+
+
+
+
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmemberswithcontext[$$PolicyGroupMembersWithContext$$]
+****
+
+[cols="20a,50a,15a,15a", options="header"]
+|===
+| Field | Description | Default | Validation
+| *`PolicyGroupMember`* __xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmember[$$PolicyGroupMember$$]__ |  |  | 
+| *`contextAwareResources`* __xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-contextawareresource[$$ContextAwareResource$$] array__ | List of Kubernetes resources the policy is allowed to access at evaluation time. +
+Access to these resources is done using the `ServiceAccount` of the PolicyServer +
+the policy is assigned to. + |  | 
+|===
+
+
+[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmembers"]
+==== PolicyGroupMembers
+
+_Underlying type:_ _xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-map-string-policygroupmember[$$map[string]PolicyGroupMember$$]_
+
+
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupspec[$$PolicyGroupSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmemberswithcontext"]
+==== PolicyGroupMembersWithContext
+
+_Underlying type:_ _xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-map-string-policygroupmemberwithcontext[$$map[string]PolicyGroupMemberWithContext$$]_
+
+
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-clusterpolicygroupspec[$$ClusterPolicyGroupSpec$$]
+****
+
+
+
+[id="{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupspec"]
+==== PolicyGroupSpec
+
+
+
+
+
+
+
+.Appears In:
+****
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-admissionpolicygroupspec[$$AdmissionPolicyGroupSpec$$]
+****
+
+[cols="20a,50a,15a,15a", options="header"]
+|===
+| Field | Description | Default | Validation
+| *`GroupSpec`* __xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-groupspec[$$GroupSpec$$]__ |  |  | 
 | *`policies`* __xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupmembers[$$PolicyGroupMembers$$]__ | Policies is a list of policies that are part of the group that will +
 be available to be called in the evaluation expression field. +
 Each policy in the group should be a Kubewarden policy. + |  | Required: {} +
@@ -607,7 +691,7 @@ _Underlying type:_ _string_
 
 .Appears In:
 ****
-- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policygroupspec[$$PolicyGroupSpec$$]
+- xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-groupspec[$$GroupSpec$$]
 - xref:{anchor_prefix}-github-com-kubewarden-kubewarden-controller-api-policies-v1-policyspec[$$PolicySpec$$]
 ****
 

@@ -198,7 +198,7 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `PolicyGroupSpec` _[PolicyGroupSpec](#policygroupspec)_ |  |  |  |
+| `ClusterPolicyGroupSpec` _[ClusterPolicyGroupSpec](#clusterpolicygroupspec)_ |  |  |  |
 | `namespaceSelector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#labelselector-v1-meta)_ | NamespaceSelector decides whether to run the webhook on an object based<br />on whether the namespace for that object matches the selector. If the<br />object itself is a namespace, the matching is performed on<br />object.metadata.labels. If the object is another cluster scoped resource,<br />it never skips the webhook.<br /><br/><br/><br />For example, to run the webhook on any objects whose namespace is not<br />associated with "runlevel" of "0" or "1";  you will set the selector as<br />follows:<br /><pre><br />"namespaceSelector": \\{<br/><br />&nbsp;&nbsp;"matchExpressions": [<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;\\{<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key": "runlevel",<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator": "NotIn",<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"0",<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"1"<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;\\}<br/><br />&nbsp;&nbsp;]<br/><br />\\}<br /></pre><br />If instead you want to only run the webhook on any objects whose<br />namespace is associated with the "environment" of "prod" or "staging";<br />you will set the selector as follows:<br /><pre><br />"namespaceSelector": \\{<br/><br />&nbsp;&nbsp;"matchExpressions": [<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;\\{<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key": "environment",<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator": "In",<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"prod",<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"staging"<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/><br />&nbsp;&nbsp;&nbsp;&nbsp;\\}<br/><br />&nbsp;&nbsp;]<br/><br />\\}<br /></pre><br />See<br />https://kubernetes.io/docs/concepts/overview/working-with-objects/labels<br />for more examples of label selectors.<br /><br/><br/><br />Default to the empty LabelSelector, which matches everything. |  |  |
 
 
@@ -238,6 +238,23 @@ _Appears in:_
 | `contextAwareResources` _[ContextAwareResource](#contextawareresource) array_ | List of Kubernetes resources the policy is allowed to access at evaluation time.<br />Access to these resources is done using the `ServiceAccount` of the PolicyServer<br />the policy is assigned to. |  |  |
 
 
+#### ClusterPolicyGroupSpec
+
+
+
+
+
+
+
+_Appears in:_
+- [ClusterAdmissionPolicyGroupSpec](#clusteradmissionpolicygroupspec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `GroupSpec` _[GroupSpec](#groupspec)_ |  |  |  |
+| `policies` _[PolicyGroupMembersWithContext](#policygroupmemberswithcontext)_ | Policies is a list of policies that are part of the group that will<br />be available to be called in the evaluation expression field.<br />Each policy in the group should be a Kubewarden policy. |  | Required: \{\} <br /> |
+
+
 #### ContextAwareResource
 
 
@@ -248,14 +265,42 @@ ContextAwareResource identifies a Kubernetes resource.
 
 _Appears in:_
 - [ClusterAdmissionPolicySpec](#clusteradmissionpolicyspec)
-- [PolicyGroupMember](#policygroupmember)
+- [PolicyGroupMemberWithContext](#policygroupmemberwithcontext)
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `apiVersion` _string_ | apiVersion of the resource (v1 for core group, groupName/groupVersions for other). |  |  |
 | `kind` _string_ | Singular PascalCase name of the resource |  |  |
 
 
+#### GroupSpec
+
+
+
+
+
+
+
+_Appears in:_
+- [ClusterPolicyGroupSpec](#clusterpolicygroupspec)
+- [PolicyGroupSpec](#policygroupspec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `policyServer` _string_ | PolicyServer identifies an existing PolicyServer resource. | default |  |
+| `mode` _[PolicyMode](#policymode)_ | Mode defines the execution mode of this policy. Can be set to<br />either "protect" or "monitor". If it's empty, it is defaulted to<br />"protect".<br />Transitioning this setting from "monitor" to "protect" is<br />allowed, but is disallowed to transition from "protect" to<br />"monitor". To perform this transition, the policy should be<br />recreated in "monitor" mode instead. | protect | Enum: [protect monitor] <br /> |
+| `rules` _[RuleWithOperations](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#rulewithoperations-v1-admissionregistration) array_ | Rules describes what operations on what resources/subresources the webhook cares about.<br />The webhook cares about an operation if it matches _any_ Rule. |  |  |
+| `failurePolicy` _[FailurePolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#failurepolicytype-v1-admissionregistration)_ | FailurePolicy defines how unrecognized errors and timeout errors from the<br />policy are handled. Allowed values are "Ignore" or "Fail".<br />* "Ignore" means that an error calling the webhook is ignored and the API<br />  request is allowed to continue.<br />* "Fail" means that an error calling the webhook causes the admission to<br />  fail and the API request to be rejected.<br />The default behaviour is "Fail" |  |  |
+| `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when<br />performing audit checks. If false, the policy cannot produce meaningful<br />evaluation results during audit checks and will be skipped.<br />The default is "true". | true |  |
+| `matchPolicy` _[MatchPolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#matchpolicytype-v1-admissionregistration)_ | matchPolicy defines how the "rules" list is used to match incoming requests.<br />Allowed values are "Exact" or "Equivalent".<br /><ul><br /><li><br />Exact: match a request only if it exactly matches a specified rule.<br />For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,<br />but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,<br />a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.<br /></li><br /><li><br />Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.<br />For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,<br />and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,<br />a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.<br /></li><br /></ul><br />Defaults to "Equivalent" |  |  |
+| `matchConditions` _[MatchCondition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#matchcondition-v1-admissionregistration) array_ | MatchConditions are a list of conditions that must be met for a request to be<br />validated. Match conditions filter requests that have already been matched by<br />the rules, namespaceSelector, and objectSelector. An empty list of<br />matchConditions matches all requests. There are a maximum of 64 match<br />conditions allowed. If a parameter object is provided, it can be accessed via<br />the `params` handle in the same manner as validation expressions. The exact<br />matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,<br />the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy<br />is evaluated. 3. If any matchCondition evaluates to an error (but none are<br />FALSE): - If failurePolicy=Fail, reject the request - If<br />failurePolicy=Ignore, the policy is skipped.<br />Only available if the feature gate AdmissionWebhookMatchConditions is enabled. |  |  |
+| `objectSelector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#labelselector-v1-meta)_ | ObjectSelector decides whether to run the webhook based on if the<br />object has matching labels. objectSelector is evaluated against both<br />the oldObject and newObject that would be sent to the webhook, and<br />is considered to match if either object matches the selector. A null<br />object (oldObject in the case of create, or newObject in the case of<br />delete) or an object that cannot have labels (like a<br />DeploymentRollback or a PodProxyOptions object) is not considered to<br />match.<br />Use the object selector only if the webhook is opt-in, because end<br />users may skip the admission webhook by setting the labels.<br />Default to the empty LabelSelector, which matches everything. |  |  |
+| `sideEffects` _[SideEffectClass](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#sideeffectclass-v1-admissionregistration)_ | SideEffects states whether this webhook has side effects.<br />Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).<br />Webhooks with side effects MUST implement a reconciliation system, since a request may be<br />rejected by a future step in the admission change and the side effects therefore need to be undone.<br />Requests with the dryRun attribute will be auto-rejected if they match a webhook with<br />sideEffects == Unknown or Some. |  |  |
+| `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,<br />the webhook call will be ignored or the API call will fail based on the<br />failure policy.<br />The timeout value must be between 1 and 30 seconds.<br />Default to 10 seconds. | 10 |  |
+| `expression` _string_ | Expression is the evaluation expression to accept or reject the<br />admission request under evaluation. This field uses CEL as the<br />expression language for the policy groups. Each policy in the group<br />will be represented as a function call in the expression with the<br />same name as the policy defined in the group. The expression field<br />should be a valid CEL expression that evaluates to a boolean value.<br />If the expression evaluates to true, the group policy will be<br />considered as accepted, otherwise, it will be considered as<br />rejected. This expression allows grouping policies calls and perform<br />logical operations on the results of the policies. See Kubewarden<br />documentation to learn about all the features available. |  | Required: \{\} <br /> |
+| `message` _string_ | Message is  used to specify the message that will be returned when<br />the policy group is rejected. The specific policy results will be<br />returned in the warning field of the response. |  | Required: \{\} <br /> |
+
+
 
 
 
@@ -277,12 +322,29 @@ _Appears in:_
 
 
 _Appears in:_
+- [PolicyGroupMemberWithContext](#policygroupmemberwithcontext)
 - [PolicyGroupMembers](#policygroupmembers)
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `module` _string_ | Module is the location of the WASM module to be loaded. Can be a<br />local file (file://), a remote file served by an HTTP server<br />(http://, https://), or an artifact served by an OCI-compatible<br />registry (registry://).<br />If prefix is missing, it will default to registry:// and use that<br />internally. |  | Required: \{\} <br /> |
 | `settings` _[RawExtension](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#rawextension-runtime-pkg)_ | Settings is a free-form object that contains the policy configuration<br />values.<br />x-kubernetes-embedded-resource: false |  |  |
+
+
+#### PolicyGroupMemberWithContext
+
+
+
+
+
+
+
+_Appears in:_
+- [PolicyGroupMembersWithContext](#policygroupmemberswithcontext)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `PolicyGroupMember` _[PolicyGroupMember](#policygroupmember)_ |  |  |  |
 | `contextAwareResources` _[ContextAwareResource](#contextawareresource) array_ | List of Kubernetes resources the policy is allowed to access at evaluation time.<br />Access to these resources is done using the `ServiceAccount` of the PolicyServer<br />the policy is assigned to. |  |  |
 
 
@@ -299,6 +361,19 @@ _Appears in:_
 
 
 
+#### PolicyGroupMembersWithContext
+
+_Underlying type:_ _[map[string]PolicyGroupMemberWithContext](#map[string]policygroupmemberwithcontext)_
+
+
+
+
+
+_Appears in:_
+- [ClusterPolicyGroupSpec](#clusterpolicygroupspec)
+
+
+
 #### PolicyGroupSpec
 
 
@@ -309,22 +384,10 @@ _Appears in:_
 
 _Appears in:_
 - [AdmissionPolicyGroupSpec](#admissionpolicygroupspec)
-- [ClusterAdmissionPolicyGroupSpec](#clusteradmissionpolicygroupspec)
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `policyServer` _string_ | PolicyServer identifies an existing PolicyServer resource. | default |  |
-| `mode` _[PolicyMode](#policymode)_ | Mode defines the execution mode of this policy. Can be set to<br />either "protect" or "monitor". If it's empty, it is defaulted to<br />"protect".<br />Transitioning this setting from "monitor" to "protect" is<br />allowed, but is disallowed to transition from "protect" to<br />"monitor". To perform this transition, the policy should be<br />recreated in "monitor" mode instead. | protect | Enum: [protect monitor] <br /> |
-| `rules` _[RuleWithOperations](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#rulewithoperations-v1-admissionregistration) array_ | Rules describes what operations on what resources/subresources the webhook cares about.<br />The webhook cares about an operation if it matches _any_ Rule. |  |  |
-| `failurePolicy` _[FailurePolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#failurepolicytype-v1-admissionregistration)_ | FailurePolicy defines how unrecognized errors and timeout errors from the<br />policy are handled. Allowed values are "Ignore" or "Fail".<br />* "Ignore" means that an error calling the webhook is ignored and the API<br />  request is allowed to continue.<br />* "Fail" means that an error calling the webhook causes the admission to<br />  fail and the API request to be rejected.<br />The default behaviour is "Fail" |  |  |
-| `backgroundAudit` _boolean_ | BackgroundAudit indicates whether a policy should be used or skipped when<br />performing audit checks. If false, the policy cannot produce meaningful<br />evaluation results during audit checks and will be skipped.<br />The default is "true". | true |  |
-| `matchPolicy` _[MatchPolicyType](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#matchpolicytype-v1-admissionregistration)_ | matchPolicy defines how the "rules" list is used to match incoming requests.<br />Allowed values are "Exact" or "Equivalent".<br /><ul><br /><li><br />Exact: match a request only if it exactly matches a specified rule.<br />For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,<br />but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,<br />a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.<br /></li><br /><li><br />Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.<br />For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,<br />and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,<br />a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.<br /></li><br /></ul><br />Defaults to "Equivalent" |  |  |
-| `matchConditions` _[MatchCondition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#matchcondition-v1-admissionregistration) array_ | MatchConditions are a list of conditions that must be met for a request to be<br />validated. Match conditions filter requests that have already been matched by<br />the rules, namespaceSelector, and objectSelector. An empty list of<br />matchConditions matches all requests. There are a maximum of 64 match<br />conditions allowed. If a parameter object is provided, it can be accessed via<br />the `params` handle in the same manner as validation expressions. The exact<br />matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE,<br />the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy<br />is evaluated. 3. If any matchCondition evaluates to an error (but none are<br />FALSE): - If failurePolicy=Fail, reject the request - If<br />failurePolicy=Ignore, the policy is skipped.<br />Only available if the feature gate AdmissionWebhookMatchConditions is enabled. |  |  |
-| `objectSelector` _[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#labelselector-v1-meta)_ | ObjectSelector decides whether to run the webhook based on if the<br />object has matching labels. objectSelector is evaluated against both<br />the oldObject and newObject that would be sent to the webhook, and<br />is considered to match if either object matches the selector. A null<br />object (oldObject in the case of create, or newObject in the case of<br />delete) or an object that cannot have labels (like a<br />DeploymentRollback or a PodProxyOptions object) is not considered to<br />match.<br />Use the object selector only if the webhook is opt-in, because end<br />users may skip the admission webhook by setting the labels.<br />Default to the empty LabelSelector, which matches everything. |  |  |
-| `sideEffects` _[SideEffectClass](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#sideeffectclass-v1-admissionregistration)_ | SideEffects states whether this webhook has side effects.<br />Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).<br />Webhooks with side effects MUST implement a reconciliation system, since a request may be<br />rejected by a future step in the admission change and the side effects therefore need to be undone.<br />Requests with the dryRun attribute will be auto-rejected if they match a webhook with<br />sideEffects == Unknown or Some. |  |  |
-| `timeoutSeconds` _integer_ | TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,<br />the webhook call will be ignored or the API call will fail based on the<br />failure policy.<br />The timeout value must be between 1 and 30 seconds.<br />Default to 10 seconds. | 10 |  |
-| `expression` _string_ | Expression is the evaluation expression to accept or reject the<br />admission request under evaluation. This field uses CEL as the<br />expression language for the policy groups. Each policy in the group<br />will be represented as a function call in the expression with the<br />same name as the policy defined in the group. The expression field<br />should be a valid CEL expression that evaluates to a boolean value.<br />If the expression evaluates to true, the group policy will be<br />considered as accepted, otherwise, it will be considered as<br />rejected. This expression allows grouping policies calls and perform<br />logical operations on the results of the policies. See Kubewarden<br />documentation to learn about all the features available. |  | Required: \{\} <br /> |
-| `message` _string_ | Message is  used to specify the message that will be returned when<br />the policy group is rejected. The specific policy results will be<br />returned in the warning field of the response. |  | Required: \{\} <br /> |
+| `GroupSpec` _[GroupSpec](#groupspec)_ |  |  |  |
 | `policies` _[PolicyGroupMembers](#policygroupmembers)_ | Policies is a list of policies that are part of the group that will<br />be available to be called in the evaluation expression field.<br />Each policy in the group should be a Kubewarden policy. |  | Required: \{\} <br /> |
 
 
@@ -342,7 +405,7 @@ _Validation:_
 - Enum: [protect monitor]
 
 _Appears in:_
-- [PolicyGroupSpec](#policygroupspec)
+- [GroupSpec](#groupspec)
 - [PolicySpec](#policyspec)
 
 

@@ -22,7 +22,7 @@ import (
 
 const dataType string = "Data" // only data type is supported
 
-type policyGroupMember struct {
+type policyGroupMemberWithContext struct {
 	Module                string                            `json:"module"`
 	Settings              runtime.RawExtension              `json:"settings,omitempty"`
 	ContextAwareResources []policiesv1.ContextAwareResource `json:"contextAwareResources,omitempty"`
@@ -36,9 +36,9 @@ type policyServerConfigEntry struct {
 	ContextAwareResources []policiesv1.ContextAwareResource `json:"contextAwareResources,omitempty"`
 	Settings              runtime.RawExtension              `json:"settings,omitempty"`
 	// The following fields are used by policy groups only.
-	Policies   map[string]policyGroupMember `json:"policies,omitempty"`
-	Expression string                       `json:"expression,omitempty"`
-	Message    string                       `json:"message,omitempty"`
+	Policies   map[string]policyGroupMemberWithContext `json:"policies,omitempty"`
+	Expression string                                  `json:"expression,omitempty"`
+	Message    string                                  `json:"message,omitempty"`
 }
 
 // The following MarshalJSON and UnmarshalJSON methods are used to serialize
@@ -64,11 +64,11 @@ func (p *policyServerConfigEntry) UnmarshalJSON(b []byte) error {
 func (p policyServerConfigEntry) MarshalJSON() ([]byte, error) {
 	if len(p.Policies) > 0 {
 		return json.Marshal(struct {
-			NamespacedName types.NamespacedName         `json:"namespacedName"`
-			PolicyMode     string                       `json:"policyMode"`
-			Policies       map[string]policyGroupMember `json:"policies"`
-			Expression     string                       `json:"expression"`
-			Message        string                       `json:"message"`
+			NamespacedName types.NamespacedName                    `json:"namespacedName"`
+			PolicyMode     string                                  `json:"policyMode"`
+			Policies       map[string]policyGroupMemberWithContext `json:"policies"`
+			Expression     string                                  `json:"expression"`
+			Message        string                                  `json:"message"`
 		}{
 			NamespacedName: p.NamespacedName,
 			PolicyMode:     p.PolicyMode,
@@ -174,10 +174,10 @@ func (r *PolicyServerReconciler) policyServerConfigMapVersion(ctx context.Contex
 	return unstructuredObj.GetResourceVersion(), nil
 }
 
-func buildPolicyGroupMembers(policies policiesv1.PolicyGroupMembers) map[string]policyGroupMember {
-	policyGroupMembers := map[string]policyGroupMember{}
+func buildPolicyGroupMembersWithContext(policies policiesv1.PolicyGroupMembersWithContext) map[string]policyGroupMemberWithContext {
+	policyGroupMembers := map[string]policyGroupMemberWithContext{}
 	for name, policy := range policies {
-		policyGroupMembers[name] = policyGroupMember{
+		policyGroupMembers[name] = policyGroupMemberWithContext{
 			Module:                policy.Module,
 			Settings:              policy.Settings,
 			ContextAwareResources: policy.ContextAwareResources,
@@ -202,7 +202,7 @@ func buildPoliciesMap(admissionPolicies []policiesv1.Policy) policyConfigEntryMa
 		}
 
 		if policyGroup, ok := admissionPolicy.(policiesv1.PolicyGroup); ok {
-			configEntry.Policies = buildPolicyGroupMembers(policyGroup.GetPolicyGroupMembers())
+			configEntry.Policies = buildPolicyGroupMembersWithContext(policyGroup.GetPolicyGroupMembersWithContext())
 			configEntry.Expression = policyGroup.GetExpression()
 			configEntry.Message = policyGroup.GetMessage()
 		}

@@ -276,9 +276,11 @@ var _ = Describe("PolicyServer controller", func() {
 
 			clusterPolicyGroup := policiesv1.NewClusterAdmissionPolicyGroupFactory().
 				WithPolicyServer(policyServerName).
-				WithMembers(policiesv1.PolicyGroupMembers{
+				WithMembers(policiesv1.PolicyGroupMembersWithContext{
 					"pod_privileged": {
-						Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+						PolicyGroupMember: policiesv1.PolicyGroupMember{
+							Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+						},
 						ContextAwareResources: []policiesv1.ContextAwareResource{
 							{
 								APIVersion: "v1",
@@ -287,7 +289,9 @@ var _ = Describe("PolicyServer controller", func() {
 						},
 					},
 					"user_group_psp": {
-						Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+						PolicyGroupMember: policiesv1.PolicyGroupMember{
+							Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+						},
 						ContextAwareResources: []policiesv1.ContextAwareResource{
 							{
 								APIVersion: "v1",
@@ -332,7 +336,7 @@ var _ = Describe("PolicyServer controller", func() {
 				AllowedToMutate:       admissionPolicyGroup.IsMutating(),
 				Settings:              admissionPolicyGroup.GetSettings(),
 				ContextAwareResources: admissionPolicyGroup.GetContextAwareResources(),
-				Policies:              buildPolicyGroupMembers(admissionPolicyGroup.GetPolicyGroupMembers()),
+				Policies:              buildPolicyGroupMembersWithContext(admissionPolicyGroup.GetPolicyGroupMembersWithContext()),
 				Expression:            admissionPolicyGroup.GetExpression(),
 				Message:               admissionPolicyGroup.GetMessage(),
 			}
@@ -346,7 +350,7 @@ var _ = Describe("PolicyServer controller", func() {
 				Settings:              clusterPolicyGroup.GetSettings(),
 				ContextAwareResources: clusterPolicyGroup.GetContextAwareResources(),
 				PolicyMode:            string(clusterPolicyGroup.GetPolicyMode()),
-				Policies:              buildPolicyGroupMembers(clusterPolicyGroup.GetPolicyGroupMembers()),
+				Policies:              buildPolicyGroupMembersWithContext(clusterPolicyGroup.GetPolicyGroupMembersWithContext()),
 				Expression:            clusterPolicyGroup.GetExpression(),
 				Message:               clusterPolicyGroup.GetMessage(),
 			}
@@ -406,7 +410,7 @@ var _ = Describe("PolicyServer controller", func() {
 								}),
 								"policies": MatchKeys(IgnoreExtras, Keys{
 									"pod_privileged": MatchKeys(IgnoreExtras, Keys{
-										"module": Equal(admissionPolicyGroup.GetPolicyGroupMembers()["pod_privileged"].Module),
+										"module": Equal(admissionPolicyGroup.GetPolicyGroupMembersWithContext()["pod_privileged"].Module),
 									}),
 								}),
 								"policyMode": Equal(string(admissionPolicyGroup.GetPolicyMode())),
@@ -420,15 +424,15 @@ var _ = Describe("PolicyServer controller", func() {
 								}),
 								"policies": MatchKeys(IgnoreExtras, Keys{
 									"pod_privileged": MatchAllKeys(Keys{
-										"module":   Equal(clusterPolicyGroup.GetPolicyGroupMembers()["pod_privileged"].Module),
+										"module":   Equal(clusterPolicyGroup.GetPolicyGroupMembersWithContext()["pod_privileged"].Module),
 										"settings": Ignore(),
 										"contextAwareResources": And(ContainElement(MatchAllKeys(Keys{
 											"apiVersion": Equal("v1"),
 											"kind":       Equal("Pod"),
 										})), HaveLen(1)),
 									}),
 									"user_group_psp": MatchAllKeys(Keys{
-										"module":   Equal(clusterPolicyGroup.GetPolicyGroupMembers()["user_group_psp"].Module),
+										"module":   Equal(clusterPolicyGroup.GetPolicyGroupMembersWithContext()["user_group_psp"].Module),
 										"settings": Ignore(),
 										"contextAwareResources": And(ContainElement(MatchAllKeys(Keys{
 											"apiVersion": Equal("v1"),