diff --git a/other/res/restrict-binding-system-groups/artifacthub-pkg.yml b/other/res/restrict-binding-system-groups/artifacthub-pkg.yml
index aad42a820..8d0396ab8 100644
--- a/other/res/restrict-binding-system-groups/artifacthub-pkg.yml
+++ b/other/res/restrict-binding-system-groups/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
   kyverno/category: "Security, EKS Best Practices"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC"
-digest: 8de0c1d6797c8925007a6e12a2911edec500ccf987880a581ddb1906e8bf9b87
+digest: d0336a6276727ee78903d87ca14097913d5983b35566d3f47efbf72aa59f2f4d
diff --git a/other/res/restrict-binding-system-groups/crb-bad.yaml b/other/res/restrict-binding-system-groups/crb-bad.yaml
index ba7d86ad6..64f050807 100644
--- a/other/res/restrict-binding-system-groups/crb-bad.yaml
+++ b/other/res/restrict-binding-system-groups/crb-bad.yaml
@@ -4,11 +4,11 @@ metadata:
   name: badcrb01
 subjects:
 - kind: Group
-  name: manager
+  name: "system:anonymous"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: "system:anonymous"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -18,10 +18,11 @@ metadata:
 subjects:
 - kind: ServiceAccount
   namespace: foo
-  name: manager
+  name: "system:unauthenticated"
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: "system:unauthenticated"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -29,10 +30,11 @@ kind: ClusterRoleBinding
 metadata:
   name: badcrb03
 subjects:
-- kind: ServiceAccount
+- kind: Group
   namespace: foo
-  name: manager
+  name: "system:masters"
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: "system:masters"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
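Review bot: badcrb02 in the second crb-bad.yaml hunk keeps `kind: ServiceAccount` while taking the name `system:unauthenticated` and a newly added `apiGroup: rbac.authorization.k8s.io`; as far as I recall the API server rejects both on a ServiceAccount subject (the name must be a DNS-1123 subdomain and the apiGroup must be empty), so the fixture would never be admitted to a real cluster even though the policy still flags it by name. The neighbouring hunks switch badcrb01 and badcrb03 to `kind: Group`, which is what `system:unauthenticated` actually is in Kubernetes, so changing this line to `- kind: Group` keeps the three samples consistent and realistic. The `namespace: foo` retained under the Group subject of badcrb03 (third hunk) and of badrb02/badrb03 in rb-bad.yaml is, as far as I can tell, not meaningful for a Group subject and is best dropped so the fixtures do not suggest it has an effect.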
diff --git a/other/res/restrict-binding-system-groups/crb-good.yaml b/other/res/restrict-binding-system-groups/crb-good.yaml
index 05a9cf032..85015eee1 100644
--- a/other/res/restrict-binding-system-groups/crb-good.yaml
+++ b/other/res/restrict-binding-system-groups/crb-good.yaml
@@ -4,11 +4,11 @@ metadata:
   name: goodcrb01
 subjects:
 - kind: Group
-  name: manager
+  name: secret-reader
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: secret-reader
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -18,10 +18,10 @@ metadata:
 subjects:
 - kind: ServiceAccount
   namespace: foo
-  name: manager
+  name: foo-reader
 roleRef:
   kind: ClusterRole
-  name: foo-reader
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 
@@ -32,8 +32,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   namespace: foo
-  name: manager
+  name: "system.foo"
 roleRef:
   kind: ClusterRole
-  name: "system:foo"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
diff --git a/other/res/restrict-binding-system-groups/rb-bad.yaml b/other/res/restrict-binding-system-groups/rb-bad.yaml
index e2d1e2780..8ba04729c 100644
--- a/other/res/restrict-binding-system-groups/rb-bad.yaml
+++ b/other/res/restrict-binding-system-groups/rb-bad.yaml
@@ -3,12 +3,12 @@ kind: RoleBinding
 metadata:
   name: badrb01
 subjects:
-- kind: User
-  name: foo
+- kind: Group
+  name: "system:anonymous"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:anonymous"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -16,12 +16,13 @@ kind: RoleBinding
 metadata:
   name: badrb02
 subjects:
-- kind: ServiceAccount
-  name: foo
+- kind: Group
+  name: "system:unauthenticated"
   namespace: foo
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:unauthenticated"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
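Review bot: goodcrb03 in the third crb-good.yaml hunk renames the near-miss subject from `system:foo` to `system.foo`, so the ClusterRoleBinding fixtures no longer exercise a name that carries the `system:` prefix but is not one of the three denied names — the case most likely to expose an over-broad pattern. The dot was presumably chosen because a ServiceAccount name cannot contain a colon; rb-good.yaml keeps that coverage with a Group named `system:foo` (goodrb03), so the simplest fix is to mirror it here with `- kind: Group`, `name: "system:foo"` and `apiGroup: rbac.authorization.k8s.io` in place of the namespace line.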
@@ -29,10 +30,11 @@ kind: RoleBinding
 metadata:
   name: badrb03
 subjects:
-- kind: ServiceAccount
-  name: foo
+- kind: Group
+  name: "system:masters"
   namespace: foo
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:masters"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/other/res/restrict-binding-system-groups/rb-good.yaml b/other/res/restrict-binding-system-groups/rb-good.yaml
index f933fc687..d7e02e2ef 100644
--- a/other/res/restrict-binding-system-groups/rb-good.yaml
+++ b/other/res/restrict-binding-system-groups/rb-good.yaml
@@ -30,9 +30,9 @@ metadata:
   name: goodrb03
 subjects:
 - kind: Group
-  name: foo
+  name: "system:foo"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:foo"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml
index 2ddcced0d..6c81a334b 100644
--- a/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml
+++ b/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml
@@ -29,8 +29,8 @@ spec:
     validate:
       message: "Binding to system:anonymous is not allowed."
       pattern:
-        roleRef:
-          name: "!system:anonymous"
+        subjects:
+        - name: "!system:anonymous"
   - name: restrict-unauthenticated
     match:
       any:
@@ -41,8 +41,8 @@ spec:
     validate:
       message: "Binding to system:unauthenticated is not allowed."
       pattern:
-        roleRef:
-          name: "!system:unauthenticated"
+        subjects:
+        - name: "!system:unauthenticated"
   - name: restrict-masters
     match:
       any:
@@ -53,5 +53,6 @@ spec:
     validate:
       message: "Binding to system:masters is not allowed."
       pattern:
-        roleRef:
-          name: "!system:masters"
+        subjects:
+        - name: "!system:masters"
+
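Review bot: In restrict-binding-system-groups.yaml the new pattern keys on `subjects`, which unlike `roleRef` is an optional field on RoleBinding and ClusterRoleBinding; Kyverno pattern validation treats a key present in the pattern but absent from the resource as a structural mismatch, so a binding created with no subjects would, as far as I can tell, be rejected with "Binding to system:anonymous is not allowed." — a false positive the old roleRef pattern could not produce. The same applies to the restrict-unauthenticated and restrict-masters hunks. A deny rule over `request.object.subjects[].name` with an empty-list default keeps the per-subject check while tolerating a missing or empty list; the other two rules take the same shape with their own name and message. Each rule's match block lies outside the hunks, so the rewrite below covers only the validate stanza of the first rule.
```yaml
    validate:
      message: "Binding to system:anonymous is not allowed."
      deny:
        conditions:
          any:
          - key: "{{ request.object.subjects[].name || `[]` }}"
            operator: AnyIn
            value:
            - system:anonymous
# … unchanged: restrict-unauthenticated and restrict-masters follow the same shape …
```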