feat: add cleanup policies v2 (#9261)

* feat: add cleanup policies v2

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

api/kyverno/v2/cleanup_policy_test.go

@@ -0,0 +1,712 @@
+package v2
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"gotest.tools/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test_CleanupPolicy_Name(t *testing.T) {
+	subject := CleanupPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method",
+		},
+		Spec: CleanupPolicySpec{
+			Schedule: "* * * * *",
+		},
+	}
+	errs := subject.Validate(nil)
+	assert.Assert(t, len(errs) == 1)
+	assert.Equal(t, errs[0].Field, "metadata.name")
+	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
+	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
+	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes")
+}
+
+func Test_CleanupPolicy_Schedule(t *testing.T) {
+	subject := CleanupPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-policy",
+		},
+		Spec: CleanupPolicySpec{
+			Schedule: "schedule-not-in-proper-cron-format",
+		},
+	}
+	errs := subject.Validate(nil)
+	assert.Assert(t, len(errs) == 1)
+	assert.Equal(t, errs[0].Field, "spec.schedule")
+	assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid)
+	assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format")
+	assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule))
+}
+
+func Test_ClusterCleanupPolicy_Name(t *testing.T) {
+	subject := ClusterCleanupPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method",
+		},
+		Spec: CleanupPolicySpec{
+			Schedule: "* * * * *",
+		},
+	}
+	errs := subject.Validate(nil)
+	assert.Assert(t, len(errs) == 1)
+	assert.Equal(t, errs[0].Field, "metadata.name")
+	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
+	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
+	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes")
+}
+
+func Test_ClusterCleanupPolicy_Schedule(t *testing.T) {
+	subject := ClusterCleanupPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-policy",
+		},
+		Spec: CleanupPolicySpec{
+			Schedule: "schedule-not-in-proper-cron-format",
+		},
+	}
+	errs := subject.Validate(nil)
+	assert.Assert(t, len(errs) == 1)
+	assert.Equal(t, errs[0].Field, "spec.schedule")
+	assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid)
+	assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format")
+	assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule))
+}
+
+func Test_doesMatchExcludeConflict_cleanupPolicy(t *testing.T) {
+	path := field.NewPath("dummy")
+	testcases := []struct {
+		description string
+		policySpec  []byte
+		errors      func(r *CleanupPolicySpec) field.ErrorList
+	}{
+		{
+			description: "Same match and exclude",
+			policySpec: []byte(`
+{
+    "match": {
+		"any": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "exclude": {
+		"any": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "schedule": "* * * * *"
+}`),
+			errors: func(r *CleanupPolicySpec) (errs field.ErrorList) {
+				return append(errs, field.Invalid(path, r, "CleanupPolicy is matching an empty set"))
+			},
+		},
+		{
+			description: "Failed to exclude kind",
+			policySpec: []byte(`
+{
+	"match": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+	},
+	"exclude": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+	},
+	"schedule": "* * * * *"
+}`),
+		},
+		{
+			description: "Failed to exclude name",
+			policySpec: []byte(`
+{
+    "match": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "exclude": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something-*",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "schedule": "* * * * *"
+}`),
+		},
+		{
+			description: "Failed to exclude namespace",
+			policySpec: []byte(`
+{
+    "match": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "exclude": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something3",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "schedule": "* * * * *"
+}`),
+		},
+		{
+			description: "Failed to exclude labels",
+			policySpec: []byte(`
+{
+    "match": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "exclude": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "higha"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "schedule": "* * * * *"
+}`),
+		},
+		{
+			description: "Failed to exclude expression",
+			policySpec: []byte(`
+{
+    "match": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "exclude": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"databases"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "schedule": "* * * * *"
+}`),
+		},
+		{
+			description: "Failed to exclude subjects",
+			policySpec: []byte(`
+{
+    "match": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "exclude": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "schedule": "* * * * *"
+}`),
+		},
+		{
+			description: "Failed to exclude clusterroles",
+			policySpec: []byte(`
+{
+    "match": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "exclude": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "schedule": "* * * * *"
+}`),
+		},
+		{
+			description: "Failed to exclude roles",
+			policySpec: []byte(`
+{
+    "match": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "exclude": {
+		"all": [{
+			"resources": {
+				"kinds": [
+					"Pod",
+					"Namespace"
+				],
+				"name": "something",
+				"namespaces": [
+					"something",
+					"something1"
+				],
+				"selector": {
+					"matchLabels": {
+						"memory": "high"
+					},
+					"matchExpressions": [
+						{
+							"key": "tier",
+							"operator": "In",
+							"values": [
+								"database"
+							]
+						}
+					]
+				}
+			}
+		}]
+    },
+    "schedule": "* * * * *"
+}`),
+		},
+		{
+			description: "empty case",
+			policySpec: []byte(`
+{
+    "match": {
+		"all": [{
+			"resources": {
+				"selector": {
+					"matchLabels": {
+						"allow-deletes": "false"
+					}
+				}
+			}
+		}]
+    },
+    "exclude": {},
+    "schedule": "* * * * *"
+}`),
+		},
+	}
+	for _, testcase := range testcases {
+		t.Run(testcase.description, func(t *testing.T) {
+			var policySpec CleanupPolicySpec
+			err := json.Unmarshal(testcase.policySpec, &policySpec)
+			assert.NilError(t, err)
+			errs := policySpec.ValidateMatchExcludeConflict(path)
+			var expectedErrs field.ErrorList
+			if testcase.errors != nil {
+				expectedErrs = testcase.errors(&policySpec)
+			}
+			assert.Equal(t, len(errs), len(expectedErrs))
+			for i := range errs {
+				fmt.Println(i)
+				assert.Equal(t, errs[i].Error(), expectedErrs[i].Error())
+			}
+		})
+	}
+}

api/kyverno/v2/cleanup_policy_types.go

@@ -0,0 +1,293 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+	"time"
+
+	"github.com/aptible/supercronic/cronexpr"
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	datautils "github.com/kyverno/kyverno/pkg/utils/data"
+	"github.com/robfig/cron"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=cleanpol,categories=kyverno
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+
+// CleanupPolicy defines a rule for resource cleanup.
+type CleanupPolicy struct {
+	metav1.TypeMeta   `json:",inline,omitempty"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec declares policy behaviors.
+	Spec CleanupPolicySpec `json:"spec"`
+
+	// Status contains policy runtime data.
+	// +optional
+	Status CleanupPolicyStatus `json:"status,omitempty"`
+}
+
+// GetSpec returns the policy spec
+func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec {
+	return &p.Spec
+}
+
+// GetStatus returns the policy status
+func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus {
+	return &p.Status
+}
+
+// GetExecutionTime returns the execution time of the policy
+func (p *CleanupPolicy) GetExecutionTime() (*time.Time, error) {
+	lastExecutionTime := p.Status.LastExecutionTime.Time
+	if lastExecutionTime.IsZero() {
+		creationTime := p.GetCreationTimestamp().Time
+		return p.GetNextExecutionTime(creationTime)
+	} else {
+		return p.GetNextExecutionTime(lastExecutionTime)
+	}
+}
+
+// GetNextExecutionTime returns the next execution time of the policy
+func (p *CleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) {
+	cronExpr, err := cronexpr.Parse(p.Spec.Schedule)
+	if err != nil {
+		return nil, err
+	}
+	nextExecutionTime := cronExpr.Next(time)
+	return &nextExecutionTime, nil
+}
+
+// Validate implements programmatic validation
+func (p *CleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) {
+	errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...)
+	errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, true)...)
+	return errs
+}
+
+// GetKind returns the resource kind
+func (p *CleanupPolicy) GetKind() string {
+	return "CleanupPolicy"
+}
+
+// GetAPIVersion returns the resource kind
+func (p *CleanupPolicy) GetAPIVersion() string {
+	return p.APIVersion
+}
+
+// IsNamespaced indicates if the policy is namespace scoped
+func (p *CleanupPolicy) IsNamespaced() bool {
+	return true
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CleanupPolicyList is a list of ClusterPolicy instances.
+type CleanupPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []CleanupPolicy `json:"items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster,shortName=ccleanpol,categories=kyverno
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+
+// ClusterCleanupPolicy defines rule for resource cleanup.
+type ClusterCleanupPolicy struct {
+	metav1.TypeMeta   `json:",inline,omitempty"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec declares policy behaviors.
+	Spec CleanupPolicySpec `json:"spec"`
+
+	// Status contains policy runtime data.
+	// +optional
+	Status CleanupPolicyStatus `json:"status,omitempty"`
+}
+
+// GetSpec returns the policy spec
+func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec {
+	return &p.Spec
+}
+
+// GetStatus returns the policy status
+func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus {
+	return &p.Status
+}
+
+// GetExecutionTime returns the execution time of the policy
+func (p *ClusterCleanupPolicy) GetExecutionTime() (*time.Time, error) {
+	lastExecutionTime := p.Status.LastExecutionTime.Time
+	if lastExecutionTime.IsZero() {
+		creationTime := p.GetCreationTimestamp().Time
+		return p.GetNextExecutionTime(creationTime)
+	} else {
+		return p.GetNextExecutionTime(lastExecutionTime)
+	}
+}
+
+// GetNextExecutionTime returns the next execution time of the policy
+func (p *ClusterCleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) {
+	cronExpr, err := cronexpr.Parse(p.Spec.Schedule)
+	if err != nil {
+		return nil, err
+	}
+	nextExecutionTime := cronExpr.Next(time)
+	return &nextExecutionTime, nil
+}
+
+// GetKind returns the resource kind
+func (p *ClusterCleanupPolicy) GetKind() string {
+	return "ClusterCleanupPolicy"
+}
+
+// GetAPIVersion returns the resource kind
+func (p *ClusterCleanupPolicy) GetAPIVersion() string {
+	return p.APIVersion
+}
+
+// IsNamespaced indicates if the policy is namespace scoped
+func (p *ClusterCleanupPolicy) IsNamespaced() bool {
+	return false
+}
+
+// Validate implements programmatic validation
+func (p *ClusterCleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) {
+	errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...)
+	errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, false)...)
+	return errs
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances.
+type ClusterCleanupPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []ClusterCleanupPolicy `json:"items"`
+}
+
+// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete
+// and schedule when the matching resources needs deleted.
+type CleanupPolicySpec struct {
+	// Context defines variables and data sources that can be used during rule execution.
+	// +optional
+	Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
+
+	// MatchResources defines when cleanuppolicy should be applied. The match
+	// criteria can include resource information (e.g. kind, name, namespace, labels)
+	// and admission review request information like the user name or role.
+	// At least one kind is required.
+	MatchResources MatchResources `json:"match,omitempty"`
+
+	// ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+	// criteria can include resource information (e.g. kind, name, namespace, labels)
+	// and admission review request information like the name or role.
+	// +optional
+	ExcludeResources *MatchResources `json:"exclude,omitempty"`
+
+	// The schedule in Cron format
+	Schedule string `json:"schedule"`
+
+	// Conditions defines the conditions used to select the resources which will be cleaned up.
+	// +optional
+	Conditions *AnyAllConditions `json:"conditions,omitempty"`
+}
+
+// CleanupPolicyStatus stores the status of the policy.
+type CleanupPolicyStatus struct {
+	Conditions        []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+	LastExecutionTime metav1.Time        `json:"lastExecutionTime,omitempty"`
+}
+
+// Validate implements programmatic validation
+func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) {
+	// Write context validation code here by following other validations.
+	errs = append(errs, ValidateContext(path.Child("context"), p.Context)...)
+	errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...)
+	if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 {
+		errs = append(errs, userInfoErrs...)
+	} else {
+		errs = append(errs, p.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...)
+	}
+	if p.ExcludeResources != nil {
+		if userInfoErrs := p.ExcludeResources.ValidateNoUserInfo(path.Child("exclude")); len(userInfoErrs) != 0 {
+			errs = append(errs, userInfoErrs...)
+		} else {
+			errs = append(errs, p.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...)
+		}
+	}
+	errs = append(errs, p.ValidateMatchExcludeConflict(path)...)
+	return errs
+}
+
+func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList) {
+	for _, entry := range context {
+		if entry.ImageRegistry != nil {
+			errs = append(errs, field.Invalid(path, context, "ImageRegistry is not allowed in CleanUp Policy"))
+		} else if entry.ConfigMap != nil {
+			errs = append(errs, field.Invalid(path, context, "ConfigMap is not allowed in CleanUp Policy"))
+		}
+	}
+	return errs
+}
+
+// ValidateSchedule validates whether the schedule specified is in proper cron format or not.
+func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) {
+	if _, err := cron.ParseStandard(schedule); err != nil {
+		errs = append(errs, field.Invalid(path, schedule, "schedule spec in the cleanupPolicy is not in proper cron format"))
+	}
+	return errs
+}
+
+// ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set
+func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList) {
+	if spec.ExcludeResources == nil || len(spec.ExcludeResources.All) > 0 || len(spec.MatchResources.All) > 0 {
+		return errs
+	}
+	// if both have any then no resource should be common
+	if len(spec.MatchResources.Any) > 0 && len(spec.ExcludeResources.Any) > 0 {
+		for _, rmr := range spec.MatchResources.Any {
+			for _, rer := range spec.ExcludeResources.Any {
+				if datautils.DeepEqual(rmr, rer) {
+					return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))
+				}
+			}
+		}
+		return errs
+	}
+	if datautils.DeepEqual(spec.ExcludeResources, &MatchResources{}) {
+		return errs
+	}
+	return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))
+}

api/kyverno/v2/condition.go

@@ -0,0 +1,94 @@
+package v2
+
+import (
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+// ConditionOperator is the operation performed on condition key and value.
+// +kubebuilder:validation:Enum=Equals;NotEquals;AnyIn;AllIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan
+type ConditionOperator string
+
+// ConditionOperators stores all the valid ConditionOperator types as key-value pairs.
+// "Equals" evaluates if the key is equal to the value.
+// "NotEquals" evaluates if the key is not equal to the value.
+// "AnyIn" evaluates if any of the keys are contained in the set of values.
+// "AllIn" evaluates if all the keys are contained in the set of values.
+// "AnyNotIn" evaluates if any of the keys are not contained in the set of values.
+// "AllNotIn" evaluates if all the keys are not contained in the set of values.
+// "GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric).
+// "GreaterThan" evaluates if the key (numeric) is greater than the value (numeric).
+// "LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric).
+// "LessThan" evaluates if the key (numeric) is less than the value (numeric).
+// "DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration)
+// "DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration)
+// "DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration)
+// "DurationLessThan" evaluates if the key (duration) is greater than the value (duration)
+var ConditionOperators = map[string]ConditionOperator{
+	"Equals":                      ConditionOperator("Equals"),
+	"NotEquals":                   ConditionOperator("NotEquals"),
+	"AnyIn":                       ConditionOperator("AnyIn"),
+	"AllIn":                       ConditionOperator("AllIn"),
+	"AnyNotIn":                    ConditionOperator("AnyNotIn"),
+	"AllNotIn":                    ConditionOperator("AllNotIn"),
+	"GreaterThanOrEquals":         ConditionOperator("GreaterThanOrEquals"),
+	"GreaterThan":                 ConditionOperator("GreaterThan"),
+	"LessThanOrEquals":            ConditionOperator("LessThanOrEquals"),
+	"LessThan":                    ConditionOperator("LessThan"),
+	"DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"),
+	"DurationGreaterThan":         ConditionOperator("DurationGreaterThan"),
+	"DurationLessThanOrEquals":    ConditionOperator("DurationLessThanOrEquals"),
+	"DurationLessThan":            ConditionOperator("DurationLessThan"),
+}
+
+type Condition struct {
+	// Key is the context entry (using JMESPath) for conditional rule evaluation.
+	RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"`
+
+	// Operator is the conditional operation to perform. Valid operators are:
+	// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+	// GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+	// DurationLessThanOrEquals, DurationLessThan
+	Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
+
+	// Value is the conditional value, or set of values. The values can be fixed set
+	// or can be variables declared using JMESPath.
+	// +optional
+	RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`
+
+	// Message is an optional display message
+	Message string `json:"message,omitempty" yaml:"message,omitempty"`
+}
+
+func (c *Condition) GetKey() apiextensions.JSON {
+	return kyvernov1.FromJSON(c.RawKey)
+}
+
+func (c *Condition) SetKey(in apiextensions.JSON) {
+	c.RawKey = kyvernov1.ToJSON(in)
+}
+
+func (c *Condition) GetValue() apiextensions.JSON {
+	return kyvernov1.FromJSON(c.RawValue)
+}
+
+func (c *Condition) SetValue(in apiextensions.JSON) {
+	c.RawValue = kyvernov1.ToJSON(in)
+}
+
+type AnyAllConditions struct {
+	// AnyConditions enable variable-based conditional rule execution. This is useful for
+	// finer control of when an rule is applied. A condition can reference object data
+	// using JMESPath notation.
+	// Here, at least one of the conditions need to pass.
+	// +optional
+	AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
+
+	// AllConditions enable variable-based conditional rule execution. This is useful for
+	// finer control of when an rule is applied. A condition can reference object data
+	// using JMESPath notation.
+	// Here, all of the conditions need to pass.
+	// +optional
+	AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
+}

api/kyverno/v2/match_resources_test.go

@@ -0,0 +1,68 @@
+package v2
+
+import (
+	"testing"
+
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	"gotest.tools/assert"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test_MatchResources(t *testing.T) {
+	testCases := []struct {
+		name       string
+		namespaced bool
+		subject    MatchResources
+		errors     []string
+	}{{
+		name:       "valid",
+		namespaced: true,
+		subject: MatchResources{
+			Any: kyvernov1.ResourceFilters{{
+				UserInfo: kyvernov1.UserInfo{
+					Subjects: []rbacv1.Subject{{
+						Kind:      "ServiceAccount",
+						Namespace: "ns",
+						Name:      "sa-1",
+					}},
+				},
+			}},
+		},
+	}, {
+		name:       "any-all",
+		namespaced: true,
+		subject: MatchResources{
+			Any: kyvernov1.ResourceFilters{{
+				UserInfo: kyvernov1.UserInfo{
+					Subjects: []rbacv1.Subject{{
+						Kind:      "ServiceAccount",
+						Namespace: "ns",
+						Name:      "sa-1",
+					}},
+				},
+			}},
+			All: kyvernov1.ResourceFilters{{
+				UserInfo: kyvernov1.UserInfo{
+					Subjects: []rbacv1.Subject{{
+						Kind:      "ServiceAccount",
+						Namespace: "ns",
+						Name:      "sa-1",
+					}},
+				},
+			}},
+		},
+		errors: []string{
+			`dummy: Invalid value: v2.MatchResources{Any:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}, All:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}}: Can't specify any and all together`,
+		},
+	}}
+
+	path := field.NewPath("dummy")
+	for _, testCase := range testCases {
+		errs := testCase.subject.Validate(path, testCase.namespaced, nil)
+		assert.Equal(t, len(errs), len(testCase.errors))
+		for i, err := range errs {
+			assert.Equal(t, err.Error(), testCase.errors[i])
+		}
+	}
+}

api/kyverno/v2/match_resources_types.go

@@ -0,0 +1,80 @@
+package v2
+
+import (
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// MatchResources is used to specify resource and admission review request data for
+// which a policy rule is applicable.
+type MatchResources struct {
+	// Any allows specifying resources which will be ORed
+	// +optional
+	Any kyvernov1.ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`
+
+	// All allows specifying resources which will be ANDed
+	// +optional
+	All kyvernov1.ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`
+}
+
+// GetKinds returns all kinds
+func (m *MatchResources) GetKinds() []string {
+	var kinds []string
+	for _, value := range m.All {
+		kinds = append(kinds, value.ResourceDescription.Kinds...)
+	}
+	for _, value := range m.Any {
+		kinds = append(kinds, value.ResourceDescription.Kinds...)
+	}
+	return kinds
+}
+
+// ValidateNoUserInfo verifies that no user info is used
+func (m *MatchResources) ValidateNoUserInfo(path *field.Path) (errs field.ErrorList) {
+	anyPath := path.Child("any")
+	for i, filter := range m.Any {
+		errs = append(errs, filter.UserInfo.ValidateNoUserInfo(anyPath.Index(i))...)
+	}
+	allPath := path.Child("all")
+	for i, filter := range m.All {
+		errs = append(errs, filter.UserInfo.ValidateNoUserInfo(allPath.Index(i))...)
+	}
+	return errs
+}
+
+// ValidateResourceWithNoUserInfo implements programmatic validation and verifies that no user info is used
+func (m *MatchResources) ValidateResourceWithNoUserInfo(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
+	if len(m.Any) > 0 && len(m.All) > 0 {
+		errs = append(errs, field.Invalid(path, m, "Can't specify any and all together"))
+	}
+	anyPath := path.Child("any")
+	for i, filter := range m.Any {
+		errs = append(errs, filter.UserInfo.ValidateNoUserInfo(anyPath.Index(i))...)
+		errs = append(errs, filter.ResourceDescription.Validate(anyPath.Index(i), namespaced, clusterResources)...)
+	}
+	allPath := path.Child("all")
+	for i, filter := range m.All {
+		errs = append(errs, filter.UserInfo.ValidateNoUserInfo(allPath.Index(i))...)
+		errs = append(errs, filter.ResourceDescription.Validate(allPath.Index(i), namespaced, clusterResources)...)
+	}
+	return errs
+}
+
+// Validate implements programmatic validation
+func (m *MatchResources) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
+	if len(m.Any) > 0 && len(m.All) > 0 {
+		errs = append(errs, field.Invalid(path, m, "Can't specify any and all together"))
+	}
+	anyPath := path.Child("any")
+	for i, filter := range m.Any {
+		errs = append(errs, filter.UserInfo.Validate(anyPath.Index(i))...)
+		errs = append(errs, filter.ResourceDescription.Validate(anyPath.Index(i), namespaced, clusterResources)...)
+	}
+	allPath := path.Child("all")
+	for i, filter := range m.All {
+		errs = append(errs, filter.UserInfo.Validate(allPath.Index(i))...)
+		errs = append(errs, filter.ResourceDescription.Validate(allPath.Index(i), namespaced, clusterResources)...)
+	}
+	return errs
+}

api/kyverno/v2/zz_generated.deepcopy.go

@@ -22,8 +22,11 @@ limitations under the License.
 package v2
 
 import (
+	v1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
 	v1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -112,6 +115,36 @@ func (in *AdmissionReportSpec) DeepCopy() *AdmissionReportSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions) {
+	*out = *in
+	if in.AnyConditions != nil {
+		in, out := &in.AnyConditions, &out.AnyConditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AllConditions != nil {
+		in, out := &in.AllConditions, &out.AllConditions
+		*out = make([]Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions.
+func (in *AnyAllConditions) DeepCopy() *AnyAllConditions {
+	if in == nil {
+		return nil
+	}
+	out := new(AnyAllConditions)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackgroundScanReport) DeepCopyInto(out *BackgroundScanReport) {
 	*out = *in
@@ -196,6 +229,125 @@ func (in *BackgroundScanReportSpec) DeepCopy() *BackgroundScanReportSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicy.
+func (in *CleanupPolicy) DeepCopy() *CleanupPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(CleanupPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CleanupPolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanupPolicyList) DeepCopyInto(out *CleanupPolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CleanupPolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyList.
+func (in *CleanupPolicyList) DeepCopy() *CleanupPolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(CleanupPolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CleanupPolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) {
+	*out = *in
+	if in.Context != nil {
+		in, out := &in.Context, &out.Context
+		*out = make([]v1.ContextEntry, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.MatchResources.DeepCopyInto(&out.MatchResources)
+	if in.ExcludeResources != nil {
+		in, out := &in.ExcludeResources, &out.ExcludeResources
+		*out = new(MatchResources)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = new(AnyAllConditions)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicySpec.
+func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CleanupPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]metav1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.LastExecutionTime.DeepCopyInto(&out.LastExecutionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyStatus.
+func (in *CleanupPolicyStatus) DeepCopy() *CleanupPolicyStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CleanupPolicyStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterAdmissionReport) DeepCopyInto(out *ClusterAdmissionReport) {
 	*out = *in
@@ -316,6 +468,93 @@ func (in *ClusterBackgroundScanReportList) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicy.
+func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCleanupPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCleanupPolicyList) DeepCopyInto(out *ClusterCleanupPolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterCleanupPolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicyList.
+func (in *ClusterCleanupPolicyList) DeepCopy() *ClusterCleanupPolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterCleanupPolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Condition) DeepCopyInto(out *Condition) {
+	*out = *in
+	if in.RawKey != nil {
+		in, out := &in.RawKey, &out.RawKey
+		*out = new(apiextensionsv1.JSON)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.RawValue != nil {
+		in, out := &in.RawValue, &out.RawValue
+		*out = new(apiextensionsv1.JSON)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
+func (in *Condition) DeepCopy() *Condition {
+	if in == nil {
+		return nil
+	}
+	out := new(Condition)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Exception) DeepCopyInto(out *Exception) {
 	*out = *in
@@ -337,6 +576,36 @@ func (in *Exception) DeepCopy() *Exception {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MatchResources) DeepCopyInto(out *MatchResources) {
+	*out = *in
+	if in.Any != nil {
+		in, out := &in.Any, &out.Any
+		*out = make(v1.ResourceFilters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.All != nil {
+		in, out := &in.All, &out.All
+		*out = make(v1.ResourceFilters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.
+func (in *MatchResources) DeepCopy() *MatchResources {
+	if in == nil {
+		return nil
+	}
+	out := new(MatchResources)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyException) DeepCopyInto(out *PolicyException) {
 	*out = *in

api/kyverno/v2/zz_generated.register.go

@@ -62,10 +62,14 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&AdmissionReportList{},
 		&BackgroundScanReport{},
 		&BackgroundScanReportList{},
+		&CleanupPolicy{},
+		&CleanupPolicyList{},
 		&ClusterAdmissionReport{},
 		&ClusterAdmissionReportList{},
 		&ClusterBackgroundScanReport{},
 		&ClusterBackgroundScanReportList{},
+		&ClusterCleanupPolicy{},
+		&ClusterCleanupPolicyList{},
 		&PolicyException{},
 		&PolicyExceptionList{},
 	)

docs/user/crd/index.html

@@ -1373,6 +1373,7 @@ string
 <a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>, 
 <a href="#kyverno.io/v1.Rule">Rule</a>, 
 <a href="#kyverno.io/v1.TargetResourceSpec">TargetResourceSpec</a>, 
+<a href="#kyverno.io/v2.CleanupPolicySpec">CleanupPolicySpec</a>, 
 <a href="#kyverno.io/v2beta1.CleanupPolicySpec">CleanupPolicySpec</a>, 
 <a href="#kyverno.io/v2beta1.Rule">Rule</a>)
 </p>
@@ -3226,6 +3227,7 @@ ResourceDescription
 <p>
 (<em>Appears on:</em>
 <a href="#kyverno.io/v1.MatchResources">MatchResources</a>, 
+<a href="#kyverno.io/v2.MatchResources">MatchResources</a>, 
 <a href="#kyverno.io/v2beta1.MatchResources">MatchResources</a>)
 </p>
 <p>
@@ -5334,10 +5336,14 @@ Resource Types:
 </li><li>
 <a href="#kyverno.io/v2.BackgroundScanReport">BackgroundScanReport</a>
 </li><li>
+<a href="#kyverno.io/v2.CleanupPolicy">CleanupPolicy</a>
+</li><li>
 <a href="#kyverno.io/v2.ClusterAdmissionReport">ClusterAdmissionReport</a>
 </li><li>
 <a href="#kyverno.io/v2.ClusterBackgroundScanReport">ClusterBackgroundScanReport</a>
 </li><li>
+<a href="#kyverno.io/v2.ClusterCleanupPolicy">ClusterCleanupPolicy</a>
+</li><li>
 <a href="#kyverno.io/v2.PolicyException">PolicyException</a>
 </li></ul>
 <hr />
@@ -5536,6 +5542,155 @@ PolicyReportSummary
 </tbody>
 </table>
 <hr />
+<h3 id="kyverno.io/v2.CleanupPolicy">CleanupPolicy
+</h3>
+<p>
+<p>CleanupPolicy defines a rule for resource cleanup.</p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code><br/>
+string</td>
+<td>
+<code>
+kyverno.io/v2
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code><br/>
+string
+</td>
+<td><code>CleanupPolicy</code></td>
+</tr>
+<tr>
+<td>
+<code>metadata</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
+Kubernetes meta/v1.ObjectMeta
+</a>
+</em>
+</td>
+<td>
+Refer to the Kubernetes API documentation for the fields of the
+<code>metadata</code> field.
+</td>
+</tr>
+<tr>
+<td>
+<code>spec</code><br/>
+<em>
+<a href="#kyverno.io/v2.CleanupPolicySpec">
+CleanupPolicySpec
+</a>
+</em>
+</td>
+<td>
+<p>Spec declares policy behaviors.</p>
+<br/>
+<br/>
+<table class="table table-striped">
+<tr>
+<td>
+<code>context</code><br/>
+<em>
+<a href="#kyverno.io/v1.ContextEntry">
+[]ContextEntry
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Context defines variables and data sources that can be used during rule execution.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>match</code><br/>
+<em>
+<a href="#kyverno.io/v2.MatchResources">
+MatchResources
+</a>
+</em>
+</td>
+<td>
+<p>MatchResources defines when cleanuppolicy should be applied. The match
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the user name or role.
+At least one kind is required.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>exclude</code><br/>
+<em>
+<a href="#kyverno.io/v2.MatchResources">
+MatchResources
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the name or role.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>schedule</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>The schedule in Cron format</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>conditions</code><br/>
+<em>
+<a href="#kyverno.io/v2.AnyAllConditions">
+AnyAllConditions
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<tr>
+<td>
+<code>status</code><br/>
+<em>
+<a href="#kyverno.io/v2.CleanupPolicyStatus">
+CleanupPolicyStatus
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Status contains policy runtime data.</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h3 id="kyverno.io/v2.ClusterAdmissionReport">ClusterAdmissionReport
 </h3>
 <p>
@@ -5731,6 +5886,155 @@ PolicyReportSummary
 </tbody>
 </table>
 <hr />
+<h3 id="kyverno.io/v2.ClusterCleanupPolicy">ClusterCleanupPolicy
+</h3>
+<p>
+<p>ClusterCleanupPolicy defines rule for resource cleanup.</p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code><br/>
+string</td>
+<td>
+<code>
+kyverno.io/v2
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code><br/>
+string
+</td>
+<td><code>ClusterCleanupPolicy</code></td>
+</tr>
+<tr>
+<td>
+<code>metadata</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
+Kubernetes meta/v1.ObjectMeta
+</a>
+</em>
+</td>
+<td>
+Refer to the Kubernetes API documentation for the fields of the
+<code>metadata</code> field.
+</td>
+</tr>
+<tr>
+<td>
+<code>spec</code><br/>
+<em>
+<a href="#kyverno.io/v2.CleanupPolicySpec">
+CleanupPolicySpec
+</a>
+</em>
+</td>
+<td>
+<p>Spec declares policy behaviors.</p>
+<br/>
+<br/>
+<table class="table table-striped">
+<tr>
+<td>
+<code>context</code><br/>
+<em>
+<a href="#kyverno.io/v1.ContextEntry">
+[]ContextEntry
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Context defines variables and data sources that can be used during rule execution.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>match</code><br/>
+<em>
+<a href="#kyverno.io/v2.MatchResources">
+MatchResources
+</a>
+</em>
+</td>
+<td>
+<p>MatchResources defines when cleanuppolicy should be applied. The match
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the user name or role.
+At least one kind is required.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>exclude</code><br/>
+<em>
+<a href="#kyverno.io/v2.MatchResources">
+MatchResources
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the name or role.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>schedule</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>The schedule in Cron format</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>conditions</code><br/>
+<em>
+<a href="#kyverno.io/v2.AnyAllConditions">
+AnyAllConditions
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<tr>
+<td>
+<code>status</code><br/>
+<em>
+<a href="#kyverno.io/v2.CleanupPolicyStatus">
+CleanupPolicyStatus
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Status contains policy runtime data.</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h3 id="kyverno.io/v2.PolicyException">PolicyException
 </h3>
 <p>
@@ -5912,6 +6216,59 @@ PolicyReportSummary
 </tbody>
 </table>
 <hr />
+<h3 id="kyverno.io/v2.AnyAllConditions">AnyAllConditions
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v2.CleanupPolicySpec">CleanupPolicySpec</a>)
+</p>
+<p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>any</code><br/>
+<em>
+<a href="#kyverno.io/v2.Condition">
+[]Condition
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>AnyConditions enable variable-based conditional rule execution. This is useful for
+finer control of when an rule is applied. A condition can reference object data
+using JMESPath notation.
+Here, at least one of the conditions need to pass.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>all</code><br/>
+<em>
+<a href="#kyverno.io/v2.Condition">
+[]Condition
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>AllConditions enable variable-based conditional rule execution. This is useful for
+finer control of when an rule is applied. A condition can reference object data
+using JMESPath notation.
+Here, all of the conditions need to pass.</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h3 id="kyverno.io/v2.BackgroundScanReportSpec">BackgroundScanReportSpec
 </h3>
 <p>
@@ -5962,6 +6319,227 @@ PolicyReportSummary
 </tbody>
 </table>
 <hr />
+<h3 id="kyverno.io/v2.CleanupPolicySpec">CleanupPolicySpec
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v2.CleanupPolicy">CleanupPolicy</a>, 
+<a href="#kyverno.io/v2.ClusterCleanupPolicy">ClusterCleanupPolicy</a>)
+</p>
+<p>
+<p>CleanupPolicySpec stores specifications for selecting resources that the user needs to delete
+and schedule when the matching resources needs deleted.</p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>context</code><br/>
+<em>
+<a href="#kyverno.io/v1.ContextEntry">
+[]ContextEntry
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Context defines variables and data sources that can be used during rule execution.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>match</code><br/>
+<em>
+<a href="#kyverno.io/v2.MatchResources">
+MatchResources
+</a>
+</em>
+</td>
+<td>
+<p>MatchResources defines when cleanuppolicy should be applied. The match
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the user name or role.
+At least one kind is required.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>exclude</code><br/>
+<em>
+<a href="#kyverno.io/v2.MatchResources">
+MatchResources
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the name or role.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>schedule</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>The schedule in Cron format</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>conditions</code><br/>
+<em>
+<a href="#kyverno.io/v2.AnyAllConditions">
+AnyAllConditions
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
+<h3 id="kyverno.io/v2.CleanupPolicyStatus">CleanupPolicyStatus
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v2.CleanupPolicy">CleanupPolicy</a>, 
+<a href="#kyverno.io/v2.ClusterCleanupPolicy">ClusterCleanupPolicy</a>)
+</p>
+<p>
+<p>CleanupPolicyStatus stores the status of the policy.</p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>conditions</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#condition-v1-meta">
+[]Kubernetes meta/v1.Condition
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>lastExecutionTime</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#time-v1-meta">
+Kubernetes meta/v1.Time
+</a>
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
+<h3 id="kyverno.io/v2.Condition">Condition
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v2.AnyAllConditions">AnyAllConditions</a>)
+</p>
+<p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>key</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#json-v1-apiextensions">
+Kubernetes apiextensions/v1.JSON
+</a>
+</em>
+</td>
+<td>
+<p>Key is the context entry (using JMESPath) for conditional rule evaluation.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>operator</code><br/>
+<em>
+<a href="#kyverno.io/v2.ConditionOperator">
+ConditionOperator
+</a>
+</em>
+</td>
+<td>
+<p>Operator is the conditional operation to perform. Valid operators are:
+Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+DurationLessThanOrEquals, DurationLessThan</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>value</code><br/>
+<em>
+<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#json-v1-apiextensions">
+Kubernetes apiextensions/v1.JSON
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Value is the conditional value, or set of values. The values can be fixed set
+or can be variables declared using JMESPath.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>message</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Message is an optional display message</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
+<h3 id="kyverno.io/v2.ConditionOperator">ConditionOperator
+(<code>string</code> alias)</p></h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v2.Condition">Condition</a>)
+</p>
+<p>
+<p>ConditionOperator is the operation performed on condition key and value.</p>
+</p>
 <h3 id="kyverno.io/v2.Exception">Exception
 </h3>
 <p>
@@ -6006,6 +6584,55 @@ references a ClusterPolicy.</p>
 </tbody>
 </table>
 <hr />
+<h3 id="kyverno.io/v2.MatchResources">MatchResources
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v2.CleanupPolicySpec">CleanupPolicySpec</a>)
+</p>
+<p>
+<p>MatchResources is used to specify resource and admission review request data for
+which a policy rule is applicable.</p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>any</code><br/>
+<em>
+<a href="#kyverno.io/v1.ResourceFilters">
+ResourceFilters
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Any allows specifying resources which will be ORed</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>all</code><br/>
+<em>
+<a href="#kyverno.io/v1.ResourceFilters">
+ResourceFilters
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>All allows specifying resources which will be ANDed</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h3 id="kyverno.io/v2.PolicyExceptionSpec">PolicyExceptionSpec
 </h3>
 <p>

pkg/client/applyconfigurations/kyverno/v2/anyallconditions.go

@@ -0,0 +1,58 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+// AnyAllConditionsApplyConfiguration represents an declarative configuration of the AnyAllConditions type for use
+// with apply.
+type AnyAllConditionsApplyConfiguration struct {
+	AnyConditions []ConditionApplyConfiguration `json:"any,omitempty"`
+	AllConditions []ConditionApplyConfiguration `json:"all,omitempty"`
+}
+
+// AnyAllConditionsApplyConfiguration constructs an declarative configuration of the AnyAllConditions type for use with
+// apply.
+func AnyAllConditions() *AnyAllConditionsApplyConfiguration {
+	return &AnyAllConditionsApplyConfiguration{}
+}
+
+// WithAnyConditions adds the given value to the AnyConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AnyConditions field.
+func (b *AnyAllConditionsApplyConfiguration) WithAnyConditions(values ...*ConditionApplyConfiguration) *AnyAllConditionsApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithAnyConditions")
+		}
+		b.AnyConditions = append(b.AnyConditions, *values[i])
+	}
+	return b
+}
+
+// WithAllConditions adds the given value to the AllConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AllConditions field.
+func (b *AnyAllConditionsApplyConfiguration) WithAllConditions(values ...*ConditionApplyConfiguration) *AnyAllConditionsApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithAllConditions")
+		}
+		b.AllConditions = append(b.AllConditions, *values[i])
+	}
+	return b
+}

pkg/client/applyconfigurations/kyverno/v2/cleanuppolicy.go

@@ -0,0 +1,219 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CleanupPolicyApplyConfiguration represents an declarative configuration of the CleanupPolicy type for use
+// with apply.
+type CleanupPolicyApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",omitempty,inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *CleanupPolicySpecApplyConfiguration   `json:"spec,omitempty"`
+	Status                           *CleanupPolicyStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// CleanupPolicy constructs an declarative configuration of the CleanupPolicy type for use with
+// apply.
+func CleanupPolicy(name, namespace string) *CleanupPolicyApplyConfiguration {
+	b := &CleanupPolicyApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("CleanupPolicy")
+	b.WithAPIVersion("kyverno.io/v2")
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithKind(value string) *CleanupPolicyApplyConfiguration {
+	b.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithAPIVersion(value string) *CleanupPolicyApplyConfiguration {
+	b.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithName(value string) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithGenerateName(value string) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithNamespace(value string) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithUID(value types.UID) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithResourceVersion(value string) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithGeneration(value int64) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CleanupPolicyApplyConfiguration) WithLabels(entries map[string]string) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Labels == nil && len(entries) > 0 {
+		b.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CleanupPolicyApplyConfiguration) WithAnnotations(entries map[string]string) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Annotations == nil && len(entries) > 0 {
+		b.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CleanupPolicyApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.OwnerReferences = append(b.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CleanupPolicyApplyConfiguration) WithFinalizers(values ...string) *CleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.Finalizers = append(b.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *CleanupPolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithSpec(value *CleanupPolicySpecApplyConfiguration) *CleanupPolicyApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithStatus(value *CleanupPolicyStatusApplyConfiguration) *CleanupPolicyApplyConfiguration {
+	b.Status = value
+	return b
+}

pkg/client/applyconfigurations/kyverno/v2/cleanuppolicyspec.go

@@ -0,0 +1,84 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
+)
+
+// CleanupPolicySpecApplyConfiguration represents an declarative configuration of the CleanupPolicySpec type for use
+// with apply.
+type CleanupPolicySpecApplyConfiguration struct {
+	Context          []v1.ContextEntryApplyConfiguration `json:"context,omitempty"`
+	MatchResources   *MatchResourcesApplyConfiguration   `json:"match,omitempty"`
+	ExcludeResources *MatchResourcesApplyConfiguration   `json:"exclude,omitempty"`
+	Schedule         *string                             `json:"schedule,omitempty"`
+	Conditions       *AnyAllConditionsApplyConfiguration `json:"conditions,omitempty"`
+}
+
+// CleanupPolicySpecApplyConfiguration constructs an declarative configuration of the CleanupPolicySpec type for use with
+// apply.
+func CleanupPolicySpec() *CleanupPolicySpecApplyConfiguration {
+	return &CleanupPolicySpecApplyConfiguration{}
+}
+
+// WithContext adds the given value to the Context field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Context field.
+func (b *CleanupPolicySpecApplyConfiguration) WithContext(values ...*v1.ContextEntryApplyConfiguration) *CleanupPolicySpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithContext")
+		}
+		b.Context = append(b.Context, *values[i])
+	}
+	return b
+}
+
+// WithMatchResources sets the MatchResources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MatchResources field is set to the value of the last call.
+func (b *CleanupPolicySpecApplyConfiguration) WithMatchResources(value *MatchResourcesApplyConfiguration) *CleanupPolicySpecApplyConfiguration {
+	b.MatchResources = value
+	return b
+}
+
+// WithExcludeResources sets the ExcludeResources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ExcludeResources field is set to the value of the last call.
+func (b *CleanupPolicySpecApplyConfiguration) WithExcludeResources(value *MatchResourcesApplyConfiguration) *CleanupPolicySpecApplyConfiguration {
+	b.ExcludeResources = value
+	return b
+}
+
+// WithSchedule sets the Schedule field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Schedule field is set to the value of the last call.
+func (b *CleanupPolicySpecApplyConfiguration) WithSchedule(value string) *CleanupPolicySpecApplyConfiguration {
+	b.Schedule = &value
+	return b
+}
+
+// WithConditions sets the Conditions field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Conditions field is set to the value of the last call.
+func (b *CleanupPolicySpecApplyConfiguration) WithConditions(value *AnyAllConditionsApplyConfiguration) *CleanupPolicySpecApplyConfiguration {
+	b.Conditions = value
+	return b
+}

pkg/client/applyconfigurations/kyverno/v2/cleanuppolicystatus.go

@@ -0,0 +1,54 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CleanupPolicyStatusApplyConfiguration represents an declarative configuration of the CleanupPolicyStatus type for use
+// with apply.
+type CleanupPolicyStatusApplyConfiguration struct {
+	Conditions        []v1.Condition `json:"conditions,omitempty"`
+	LastExecutionTime *v1.Time       `json:"lastExecutionTime,omitempty"`
+}
+
+// CleanupPolicyStatusApplyConfiguration constructs an declarative configuration of the CleanupPolicyStatus type for use with
+// apply.
+func CleanupPolicyStatus() *CleanupPolicyStatusApplyConfiguration {
+	return &CleanupPolicyStatusApplyConfiguration{}
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *CleanupPolicyStatusApplyConfiguration) WithConditions(values ...v1.Condition) *CleanupPolicyStatusApplyConfiguration {
+	for i := range values {
+		b.Conditions = append(b.Conditions, values[i])
+	}
+	return b
+}
+
+// WithLastExecutionTime sets the LastExecutionTime field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the LastExecutionTime field is set to the value of the last call.
+func (b *CleanupPolicyStatusApplyConfiguration) WithLastExecutionTime(value v1.Time) *CleanupPolicyStatusApplyConfiguration {
+	b.LastExecutionTime = &value
+	return b
+}

pkg/client/applyconfigurations/kyverno/v2/clustercleanuppolicy.go

@@ -0,0 +1,218 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// ClusterCleanupPolicyApplyConfiguration represents an declarative configuration of the ClusterCleanupPolicy type for use
+// with apply.
+type ClusterCleanupPolicyApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",omitempty,inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *CleanupPolicySpecApplyConfiguration   `json:"spec,omitempty"`
+	Status                           *CleanupPolicyStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// ClusterCleanupPolicy constructs an declarative configuration of the ClusterCleanupPolicy type for use with
+// apply.
+func ClusterCleanupPolicy(name string) *ClusterCleanupPolicyApplyConfiguration {
+	b := &ClusterCleanupPolicyApplyConfiguration{}
+	b.WithName(name)
+	b.WithKind("ClusterCleanupPolicy")
+	b.WithAPIVersion("kyverno.io/v2")
+	return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithKind(value string) *ClusterCleanupPolicyApplyConfiguration {
+	b.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithAPIVersion(value string) *ClusterCleanupPolicyApplyConfiguration {
+	b.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithName(value string) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithGenerateName(value string) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithNamespace(value string) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithUID(value types.UID) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithResourceVersion(value string) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithGeneration(value int64) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithLabels(entries map[string]string) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Labels == nil && len(entries) > 0 {
+		b.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithAnnotations(entries map[string]string) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.Annotations == nil && len(entries) > 0 {
+		b.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.OwnerReferences = append(b.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithFinalizers(values ...string) *ClusterCleanupPolicyApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.Finalizers = append(b.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *ClusterCleanupPolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithSpec(value *CleanupPolicySpecApplyConfiguration) *ClusterCleanupPolicyApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithStatus(value *CleanupPolicyStatusApplyConfiguration) *ClusterCleanupPolicyApplyConfiguration {
+	b.Status = value
+	return b
+}

pkg/client/applyconfigurations/kyverno/v2/condition.go

@@ -0,0 +1,71 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+// ConditionApplyConfiguration represents an declarative configuration of the Condition type for use
+// with apply.
+type ConditionApplyConfiguration struct {
+	RawKey   *v1.JSON              `json:"key,omitempty"`
+	Operator *v2.ConditionOperator `json:"operator,omitempty"`
+	RawValue *v1.JSON              `json:"value,omitempty"`
+	Message  *string               `json:"message,omitempty"`
+}
+
+// ConditionApplyConfiguration constructs an declarative configuration of the Condition type for use with
+// apply.
+func Condition() *ConditionApplyConfiguration {
+	return &ConditionApplyConfiguration{}
+}
+
+// WithRawKey sets the RawKey field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RawKey field is set to the value of the last call.
+func (b *ConditionApplyConfiguration) WithRawKey(value v1.JSON) *ConditionApplyConfiguration {
+	b.RawKey = &value
+	return b
+}
+
+// WithOperator sets the Operator field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Operator field is set to the value of the last call.
+func (b *ConditionApplyConfiguration) WithOperator(value v2.ConditionOperator) *ConditionApplyConfiguration {
+	b.Operator = &value
+	return b
+}
+
+// WithRawValue sets the RawValue field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RawValue field is set to the value of the last call.
+func (b *ConditionApplyConfiguration) WithRawValue(value v1.JSON) *ConditionApplyConfiguration {
+	b.RawValue = &value
+	return b
+}
+
+// WithMessage sets the Message field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Message field is set to the value of the last call.
+func (b *ConditionApplyConfiguration) WithMessage(value string) *ConditionApplyConfiguration {
+	b.Message = &value
+	return b
+}

pkg/client/applyconfigurations/kyverno/v2/matchresources.go

@@ -0,0 +1,52 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	v1 "github.com/kyverno/kyverno/api/kyverno/v1"
+)
+
+// MatchResourcesApplyConfiguration represents an declarative configuration of the MatchResources type for use
+// with apply.
+type MatchResourcesApplyConfiguration struct {
+	Any *v1.ResourceFilters `json:"any,omitempty"`
+	All *v1.ResourceFilters `json:"all,omitempty"`
+}
+
+// MatchResourcesApplyConfiguration constructs an declarative configuration of the MatchResources type for use with
+// apply.
+func MatchResources() *MatchResourcesApplyConfiguration {
+	return &MatchResourcesApplyConfiguration{}
+}
+
+// WithAny sets the Any field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Any field is set to the value of the last call.
+func (b *MatchResourcesApplyConfiguration) WithAny(value v1.ResourceFilters) *MatchResourcesApplyConfiguration {
+	b.Any = &value
+	return b
+}
+
+// WithAll sets the All field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the All field is set to the value of the last call.
+func (b *MatchResourcesApplyConfiguration) WithAll(value v1.ResourceFilters) *MatchResourcesApplyConfiguration {
+	b.All = &value
+	return b
+}

pkg/client/applyconfigurations/utils.go

@@ -171,16 +171,30 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &kyvernov2.AdmissionReportApplyConfiguration{}
 	case v2.SchemeGroupVersion.WithKind("AdmissionReportSpec"):
 		return &kyvernov2.AdmissionReportSpecApplyConfiguration{}
+	case v2.SchemeGroupVersion.WithKind("AnyAllConditions"):
+		return &kyvernov2.AnyAllConditionsApplyConfiguration{}
 	case v2.SchemeGroupVersion.WithKind("BackgroundScanReport"):
 		return &kyvernov2.BackgroundScanReportApplyConfiguration{}
 	case v2.SchemeGroupVersion.WithKind("BackgroundScanReportSpec"):
 		return &kyvernov2.BackgroundScanReportSpecApplyConfiguration{}
+	case v2.SchemeGroupVersion.WithKind("CleanupPolicy"):
+		return &kyvernov2.CleanupPolicyApplyConfiguration{}
+	case v2.SchemeGroupVersion.WithKind("CleanupPolicySpec"):
+		return &kyvernov2.CleanupPolicySpecApplyConfiguration{}
+	case v2.SchemeGroupVersion.WithKind("CleanupPolicyStatus"):
+		return &kyvernov2.CleanupPolicyStatusApplyConfiguration{}
 	case v2.SchemeGroupVersion.WithKind("ClusterAdmissionReport"):
 		return &kyvernov2.ClusterAdmissionReportApplyConfiguration{}
 	case v2.SchemeGroupVersion.WithKind("ClusterBackgroundScanReport"):
 		return &kyvernov2.ClusterBackgroundScanReportApplyConfiguration{}
+	case v2.SchemeGroupVersion.WithKind("ClusterCleanupPolicy"):
+		return &kyvernov2.ClusterCleanupPolicyApplyConfiguration{}
+	case v2.SchemeGroupVersion.WithKind("Condition"):
+		return &kyvernov2.ConditionApplyConfiguration{}
 	case v2.SchemeGroupVersion.WithKind("Exception"):
 		return &kyvernov2.ExceptionApplyConfiguration{}
+	case v2.SchemeGroupVersion.WithKind("MatchResources"):
+		return &kyvernov2.MatchResourcesApplyConfiguration{}
 	case v2.SchemeGroupVersion.WithKind("PolicyException"):
 		return &kyvernov2.PolicyExceptionApplyConfiguration{}
 	case v2.SchemeGroupVersion.WithKind("PolicyExceptionSpec"):

pkg/client/clientset/versioned/typed/kyverno/v2/cleanuppolicy.go

@@ -0,0 +1,195 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	"context"
+	"time"
+
+	v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// CleanupPoliciesGetter has a method to return a CleanupPolicyInterface.
+// A group's client should implement this interface.
+type CleanupPoliciesGetter interface {
+	CleanupPolicies(namespace string) CleanupPolicyInterface
+}
+
+// CleanupPolicyInterface has methods to work with CleanupPolicy resources.
+type CleanupPolicyInterface interface {
+	Create(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.CreateOptions) (*v2.CleanupPolicy, error)
+	Update(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (*v2.CleanupPolicy, error)
+	UpdateStatus(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (*v2.CleanupPolicy, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v2.CleanupPolicy, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v2.CleanupPolicyList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.CleanupPolicy, err error)
+	CleanupPolicyExpansion
+}
+
+// cleanupPolicies implements CleanupPolicyInterface
+type cleanupPolicies struct {
+	client rest.Interface
+	ns     string
+}
+
+// newCleanupPolicies returns a CleanupPolicies
+func newCleanupPolicies(c *KyvernoV2Client, namespace string) *cleanupPolicies {
+	return &cleanupPolicies{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the cleanupPolicy, and returns the corresponding cleanupPolicy object, and an error if there is any.
+func (c *cleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.CleanupPolicy, err error) {
+	result = &v2.CleanupPolicy{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("cleanuppolicies").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CleanupPolicies that match those selectors.
+func (c *cleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.CleanupPolicyList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v2.CleanupPolicyList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("cleanuppolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested cleanupPolicies.
+func (c *cleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("cleanuppolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a cleanupPolicy and creates it.  Returns the server's representation of the cleanupPolicy, and an error, if there is any.
+func (c *cleanupPolicies) Create(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.CreateOptions) (result *v2.CleanupPolicy, err error) {
+	result = &v2.CleanupPolicy{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("cleanuppolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cleanupPolicy).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a cleanupPolicy and updates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any.
+func (c *cleanupPolicies) Update(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (result *v2.CleanupPolicy, err error) {
+	result = &v2.CleanupPolicy{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("cleanuppolicies").
+		Name(cleanupPolicy.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cleanupPolicy).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *cleanupPolicies) UpdateStatus(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (result *v2.CleanupPolicy, err error) {
+	result = &v2.CleanupPolicy{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("cleanuppolicies").
+		Name(cleanupPolicy.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(cleanupPolicy).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the cleanupPolicy and deletes it. Returns an error if one occurs.
+func (c *cleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("cleanuppolicies").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("cleanuppolicies").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched cleanupPolicy.
+func (c *cleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.CleanupPolicy, err error) {
+	result = &v2.CleanupPolicy{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("cleanuppolicies").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

pkg/client/clientset/versioned/typed/kyverno/v2/clustercleanuppolicy.go

@@ -0,0 +1,184 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	"context"
+	"time"
+
+	v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// ClusterCleanupPoliciesGetter has a method to return a ClusterCleanupPolicyInterface.
+// A group's client should implement this interface.
+type ClusterCleanupPoliciesGetter interface {
+	ClusterCleanupPolicies() ClusterCleanupPolicyInterface
+}
+
+// ClusterCleanupPolicyInterface has methods to work with ClusterCleanupPolicy resources.
+type ClusterCleanupPolicyInterface interface {
+	Create(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.CreateOptions) (*v2.ClusterCleanupPolicy, error)
+	Update(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (*v2.ClusterCleanupPolicy, error)
+	UpdateStatus(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (*v2.ClusterCleanupPolicy, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v2.ClusterCleanupPolicy, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v2.ClusterCleanupPolicyList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.ClusterCleanupPolicy, err error)
+	ClusterCleanupPolicyExpansion
+}
+
+// clusterCleanupPolicies implements ClusterCleanupPolicyInterface
+type clusterCleanupPolicies struct {
+	client rest.Interface
+}
+
+// newClusterCleanupPolicies returns a ClusterCleanupPolicies
+func newClusterCleanupPolicies(c *KyvernoV2Client) *clusterCleanupPolicies {
+	return &clusterCleanupPolicies{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the clusterCleanupPolicy, and returns the corresponding clusterCleanupPolicy object, and an error if there is any.
+func (c *clusterCleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.ClusterCleanupPolicy, err error) {
+	result = &v2.ClusterCleanupPolicy{}
+	err = c.client.Get().
+		Resource("clustercleanuppolicies").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ClusterCleanupPolicies that match those selectors.
+func (c *clusterCleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.ClusterCleanupPolicyList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v2.ClusterCleanupPolicyList{}
+	err = c.client.Get().
+		Resource("clustercleanuppolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested clusterCleanupPolicies.
+func (c *clusterCleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Resource("clustercleanuppolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a clusterCleanupPolicy and creates it.  Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any.
+func (c *clusterCleanupPolicies) Create(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.CreateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+	result = &v2.ClusterCleanupPolicy{}
+	err = c.client.Post().
+		Resource("clustercleanuppolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(clusterCleanupPolicy).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a clusterCleanupPolicy and updates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any.
+func (c *clusterCleanupPolicies) Update(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+	result = &v2.ClusterCleanupPolicy{}
+	err = c.client.Put().
+		Resource("clustercleanuppolicies").
+		Name(clusterCleanupPolicy.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(clusterCleanupPolicy).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *clusterCleanupPolicies) UpdateStatus(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+	result = &v2.ClusterCleanupPolicy{}
+	err = c.client.Put().
+		Resource("clustercleanuppolicies").
+		Name(clusterCleanupPolicy.Name).
+		SubResource("status").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(clusterCleanupPolicy).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the clusterCleanupPolicy and deletes it. Returns an error if one occurs.
+func (c *clusterCleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("clustercleanuppolicies").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *clusterCleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Resource("clustercleanuppolicies").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched clusterCleanupPolicy.
+func (c *clusterCleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.ClusterCleanupPolicy, err error) {
+	result = &v2.ClusterCleanupPolicy{}
+	err = c.client.Patch(pt).
+		Resource("clustercleanuppolicies").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}

pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_cleanuppolicy.go

@@ -0,0 +1,141 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeCleanupPolicies implements CleanupPolicyInterface
+type FakeCleanupPolicies struct {
+	Fake *FakeKyvernoV2
+	ns   string
+}
+
+var cleanuppoliciesResource = v2.SchemeGroupVersion.WithResource("cleanuppolicies")
+
+var cleanuppoliciesKind = v2.SchemeGroupVersion.WithKind("CleanupPolicy")
+
+// Get takes name of the cleanupPolicy, and returns the corresponding cleanupPolicy object, and an error if there is any.
+func (c *FakeCleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.CleanupPolicy, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(cleanuppoliciesResource, c.ns, name), &v2.CleanupPolicy{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.CleanupPolicy), err
+}
+
+// List takes label and field selectors, and returns the list of CleanupPolicies that match those selectors.
+func (c *FakeCleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.CleanupPolicyList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(cleanuppoliciesResource, cleanuppoliciesKind, c.ns, opts), &v2.CleanupPolicyList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v2.CleanupPolicyList{ListMeta: obj.(*v2.CleanupPolicyList).ListMeta}
+	for _, item := range obj.(*v2.CleanupPolicyList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested cleanupPolicies.
+func (c *FakeCleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(cleanuppoliciesResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a cleanupPolicy and creates it.  Returns the server's representation of the cleanupPolicy, and an error, if there is any.
+func (c *FakeCleanupPolicies) Create(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.CreateOptions) (result *v2.CleanupPolicy, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(cleanuppoliciesResource, c.ns, cleanupPolicy), &v2.CleanupPolicy{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.CleanupPolicy), err
+}
+
+// Update takes the representation of a cleanupPolicy and updates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any.
+func (c *FakeCleanupPolicies) Update(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (result *v2.CleanupPolicy, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(cleanuppoliciesResource, c.ns, cleanupPolicy), &v2.CleanupPolicy{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.CleanupPolicy), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeCleanupPolicies) UpdateStatus(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (*v2.CleanupPolicy, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateSubresourceAction(cleanuppoliciesResource, "status", c.ns, cleanupPolicy), &v2.CleanupPolicy{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.CleanupPolicy), err
+}
+
+// Delete takes name of the cleanupPolicy and deletes it. Returns an error if one occurs.
+func (c *FakeCleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteActionWithOptions(cleanuppoliciesResource, c.ns, name, opts), &v2.CleanupPolicy{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(cleanuppoliciesResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v2.CleanupPolicyList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched cleanupPolicy.
+func (c *FakeCleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.CleanupPolicy, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(cleanuppoliciesResource, c.ns, name, pt, data, subresources...), &v2.CleanupPolicy{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.CleanupPolicy), err
+}

pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_clustercleanuppolicy.go

@@ -0,0 +1,132 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeClusterCleanupPolicies implements ClusterCleanupPolicyInterface
+type FakeClusterCleanupPolicies struct {
+	Fake *FakeKyvernoV2
+}
+
+var clustercleanuppoliciesResource = v2.SchemeGroupVersion.WithResource("clustercleanuppolicies")
+
+var clustercleanuppoliciesKind = v2.SchemeGroupVersion.WithKind("ClusterCleanupPolicy")
+
+// Get takes name of the clusterCleanupPolicy, and returns the corresponding clusterCleanupPolicy object, and an error if there is any.
+func (c *FakeClusterCleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.ClusterCleanupPolicy, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootGetAction(clustercleanuppoliciesResource, name), &v2.ClusterCleanupPolicy{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.ClusterCleanupPolicy), err
+}
+
+// List takes label and field selectors, and returns the list of ClusterCleanupPolicies that match those selectors.
+func (c *FakeClusterCleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.ClusterCleanupPolicyList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootListAction(clustercleanuppoliciesResource, clustercleanuppoliciesKind, opts), &v2.ClusterCleanupPolicyList{})
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v2.ClusterCleanupPolicyList{ListMeta: obj.(*v2.ClusterCleanupPolicyList).ListMeta}
+	for _, item := range obj.(*v2.ClusterCleanupPolicyList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested clusterCleanupPolicies.
+func (c *FakeClusterCleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewRootWatchAction(clustercleanuppoliciesResource, opts))
+}
+
+// Create takes the representation of a clusterCleanupPolicy and creates it.  Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any.
+func (c *FakeClusterCleanupPolicies) Create(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.CreateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootCreateAction(clustercleanuppoliciesResource, clusterCleanupPolicy), &v2.ClusterCleanupPolicy{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.ClusterCleanupPolicy), err
+}
+
+// Update takes the representation of a clusterCleanupPolicy and updates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any.
+func (c *FakeClusterCleanupPolicies) Update(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootUpdateAction(clustercleanuppoliciesResource, clusterCleanupPolicy), &v2.ClusterCleanupPolicy{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.ClusterCleanupPolicy), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeClusterCleanupPolicies) UpdateStatus(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (*v2.ClusterCleanupPolicy, error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootUpdateSubresourceAction(clustercleanuppoliciesResource, "status", clusterCleanupPolicy), &v2.ClusterCleanupPolicy{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.ClusterCleanupPolicy), err
+}
+
+// Delete takes name of the clusterCleanupPolicy and deletes it. Returns an error if one occurs.
+func (c *FakeClusterCleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewRootDeleteActionWithOptions(clustercleanuppoliciesResource, name, opts), &v2.ClusterCleanupPolicy{})
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeClusterCleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewRootDeleteCollectionAction(clustercleanuppoliciesResource, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v2.ClusterCleanupPolicyList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched clusterCleanupPolicy.
+func (c *FakeClusterCleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.ClusterCleanupPolicy, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewRootPatchSubresourceAction(clustercleanuppoliciesResource, name, pt, data, subresources...), &v2.ClusterCleanupPolicy{})
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v2.ClusterCleanupPolicy), err
+}

pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go

@@ -36,6 +36,10 @@ func (c *FakeKyvernoV2) BackgroundScanReports(namespace string) v2.BackgroundSca
 	return &FakeBackgroundScanReports{c, namespace}
 }
 
+func (c *FakeKyvernoV2) CleanupPolicies(namespace string) v2.CleanupPolicyInterface {
+	return &FakeCleanupPolicies{c, namespace}
+}
+
 func (c *FakeKyvernoV2) ClusterAdmissionReports() v2.ClusterAdmissionReportInterface {
 	return &FakeClusterAdmissionReports{c}
 }
@@ -44,6 +48,10 @@ func (c *FakeKyvernoV2) ClusterBackgroundScanReports() v2.ClusterBackgroundScanR
 	return &FakeClusterBackgroundScanReports{c}
 }
 
+func (c *FakeKyvernoV2) ClusterCleanupPolicies() v2.ClusterCleanupPolicyInterface {
+	return &FakeClusterCleanupPolicies{c}
+}
+
 func (c *FakeKyvernoV2) PolicyExceptions(namespace string) v2.PolicyExceptionInterface {
 	return &FakePolicyExceptions{c, namespace}
 }

pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go

@@ -22,8 +22,12 @@ type AdmissionReportExpansion interface{}
 
 type BackgroundScanReportExpansion interface{}
 
+type CleanupPolicyExpansion interface{}
+
 type ClusterAdmissionReportExpansion interface{}
 
 type ClusterBackgroundScanReportExpansion interface{}
 
+type ClusterCleanupPolicyExpansion interface{}
+
 type PolicyExceptionExpansion interface{}

pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go

@@ -30,8 +30,10 @@ type KyvernoV2Interface interface {
 	RESTClient() rest.Interface
 	AdmissionReportsGetter
 	BackgroundScanReportsGetter
+	CleanupPoliciesGetter
 	ClusterAdmissionReportsGetter
 	ClusterBackgroundScanReportsGetter
+	ClusterCleanupPoliciesGetter
 	PolicyExceptionsGetter
 }
 
@@ -48,6 +50,10 @@ func (c *KyvernoV2Client) BackgroundScanReports(namespace string) BackgroundScan
 	return newBackgroundScanReports(c, namespace)
 }
 
+func (c *KyvernoV2Client) CleanupPolicies(namespace string) CleanupPolicyInterface {
+	return newCleanupPolicies(c, namespace)
+}
+
 func (c *KyvernoV2Client) ClusterAdmissionReports() ClusterAdmissionReportInterface {
 	return newClusterAdmissionReports(c)
 }
@@ -56,6 +62,10 @@ func (c *KyvernoV2Client) ClusterBackgroundScanReports() ClusterBackgroundScanRe
 	return newClusterBackgroundScanReports(c)
 }
 
+func (c *KyvernoV2Client) ClusterCleanupPolicies() ClusterCleanupPolicyInterface {
+	return newClusterCleanupPolicies(c)
+}
+
 func (c *KyvernoV2Client) PolicyExceptions(namespace string) PolicyExceptionInterface {
 	return newPolicyExceptions(c, namespace)
 }

pkg/client/informers/externalversions/generic.go

@@ -83,10 +83,14 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().AdmissionReports().Informer()}, nil
 	case v2.SchemeGroupVersion.WithResource("backgroundscanreports"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().BackgroundScanReports().Informer()}, nil
+	case v2.SchemeGroupVersion.WithResource("cleanuppolicies"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().CleanupPolicies().Informer()}, nil
 	case v2.SchemeGroupVersion.WithResource("clusteradmissionreports"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().ClusterAdmissionReports().Informer()}, nil
 	case v2.SchemeGroupVersion.WithResource("clusterbackgroundscanreports"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().ClusterBackgroundScanReports().Informer()}, nil
+	case v2.SchemeGroupVersion.WithResource("clustercleanuppolicies"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().ClusterCleanupPolicies().Informer()}, nil
 	case v2.SchemeGroupVersion.WithResource("policyexceptions"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().PolicyExceptions().Informer()}, nil
 

pkg/client/informers/externalversions/kyverno/v2/cleanuppolicy.go

@@ -0,0 +1,90 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	"context"
+	time "time"
+
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
+	internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
+	v2 "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// CleanupPolicyInformer provides access to a shared informer and lister for
+// CleanupPolicies.
+type CleanupPolicyInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v2.CleanupPolicyLister
+}
+
+type cleanupPolicyInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewCleanupPolicyInformer constructs a new informer for CleanupPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCleanupPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredCleanupPolicyInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCleanupPolicyInformer constructs a new informer for CleanupPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCleanupPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.KyvernoV2().CleanupPolicies(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.KyvernoV2().CleanupPolicies(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&kyvernov2.CleanupPolicy{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *cleanupPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredCleanupPolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cleanupPolicyInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&kyvernov2.CleanupPolicy{}, f.defaultInformer)
+}
+
+func (f *cleanupPolicyInformer) Lister() v2.CleanupPolicyLister {
+	return v2.NewCleanupPolicyLister(f.Informer().GetIndexer())
+}

pkg/client/informers/externalversions/kyverno/v2/clustercleanuppolicy.go

@@ -0,0 +1,89 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	"context"
+	time "time"
+
+	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
+	internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
+	v2 "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// ClusterCleanupPolicyInformer provides access to a shared informer and lister for
+// ClusterCleanupPolicies.
+type ClusterCleanupPolicyInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v2.ClusterCleanupPolicyLister
+}
+
+type clusterCleanupPolicyInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewClusterCleanupPolicyInformer constructs a new informer for ClusterCleanupPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewClusterCleanupPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredClusterCleanupPolicyInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredClusterCleanupPolicyInformer constructs a new informer for ClusterCleanupPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredClusterCleanupPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.KyvernoV2().ClusterCleanupPolicies().List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.KyvernoV2().ClusterCleanupPolicies().Watch(context.TODO(), options)
+			},
+		},
+		&kyvernov2.ClusterCleanupPolicy{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *clusterCleanupPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredClusterCleanupPolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *clusterCleanupPolicyInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&kyvernov2.ClusterCleanupPolicy{}, f.defaultInformer)
+}
+
+func (f *clusterCleanupPolicyInformer) Lister() v2.ClusterCleanupPolicyLister {
+	return v2.NewClusterCleanupPolicyLister(f.Informer().GetIndexer())
+}

pkg/client/informers/externalversions/kyverno/v2/interface.go

@@ -28,10 +28,14 @@ type Interface interface {
 	AdmissionReports() AdmissionReportInformer
 	// BackgroundScanReports returns a BackgroundScanReportInformer.
 	BackgroundScanReports() BackgroundScanReportInformer
+	// CleanupPolicies returns a CleanupPolicyInformer.
+	CleanupPolicies() CleanupPolicyInformer
 	// ClusterAdmissionReports returns a ClusterAdmissionReportInformer.
 	ClusterAdmissionReports() ClusterAdmissionReportInformer
 	// ClusterBackgroundScanReports returns a ClusterBackgroundScanReportInformer.
 	ClusterBackgroundScanReports() ClusterBackgroundScanReportInformer
+	// ClusterCleanupPolicies returns a ClusterCleanupPolicyInformer.
+	ClusterCleanupPolicies() ClusterCleanupPolicyInformer
 	// PolicyExceptions returns a PolicyExceptionInformer.
 	PolicyExceptions() PolicyExceptionInformer
 }
@@ -57,6 +61,11 @@ func (v *version) BackgroundScanReports() BackgroundScanReportInformer {
 	return &backgroundScanReportInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
 
+// CleanupPolicies returns a CleanupPolicyInformer.
+func (v *version) CleanupPolicies() CleanupPolicyInformer {
+	return &cleanupPolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // ClusterAdmissionReports returns a ClusterAdmissionReportInformer.
 func (v *version) ClusterAdmissionReports() ClusterAdmissionReportInformer {
 	return &clusterAdmissionReportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
@@ -67,6 +76,11 @@ func (v *version) ClusterBackgroundScanReports() ClusterBackgroundScanReportInfo
 	return &clusterBackgroundScanReportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }
 
+// ClusterCleanupPolicies returns a ClusterCleanupPolicyInformer.
+func (v *version) ClusterCleanupPolicies() ClusterCleanupPolicyInformer {
+	return &clusterCleanupPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
 // PolicyExceptions returns a PolicyExceptionInformer.
 func (v *version) PolicyExceptions() PolicyExceptionInformer {
 	return &policyExceptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

pkg/client/listers/kyverno/v2/cleanuppolicy.go

@@ -0,0 +1,99 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// CleanupPolicyLister helps list CleanupPolicies.
+// All objects returned here must be treated as read-only.
+type CleanupPolicyLister interface {
+	// List lists all CleanupPolicies in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error)
+	// CleanupPolicies returns an object that can list and get CleanupPolicies.
+	CleanupPolicies(namespace string) CleanupPolicyNamespaceLister
+	CleanupPolicyListerExpansion
+}
+
+// cleanupPolicyLister implements the CleanupPolicyLister interface.
+type cleanupPolicyLister struct {
+	indexer cache.Indexer
+}
+
+// NewCleanupPolicyLister returns a new CleanupPolicyLister.
+func NewCleanupPolicyLister(indexer cache.Indexer) CleanupPolicyLister {
+	return &cleanupPolicyLister{indexer: indexer}
+}
+
+// List lists all CleanupPolicies in the indexer.
+func (s *cleanupPolicyLister) List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v2.CleanupPolicy))
+	})
+	return ret, err
+}
+
+// CleanupPolicies returns an object that can list and get CleanupPolicies.
+func (s *cleanupPolicyLister) CleanupPolicies(namespace string) CleanupPolicyNamespaceLister {
+	return cleanupPolicyNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// CleanupPolicyNamespaceLister helps list and get CleanupPolicies.
+// All objects returned here must be treated as read-only.
+type CleanupPolicyNamespaceLister interface {
+	// List lists all CleanupPolicies in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error)
+	// Get retrieves the CleanupPolicy from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v2.CleanupPolicy, error)
+	CleanupPolicyNamespaceListerExpansion
+}
+
+// cleanupPolicyNamespaceLister implements the CleanupPolicyNamespaceLister
+// interface.
+type cleanupPolicyNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all CleanupPolicies in the indexer for a given namespace.
+func (s cleanupPolicyNamespaceLister) List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v2.CleanupPolicy))
+	})
+	return ret, err
+}
+
+// Get retrieves the CleanupPolicy from the indexer for a given namespace and name.
+func (s cleanupPolicyNamespaceLister) Get(name string) (*v2.CleanupPolicy, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v2.Resource("cleanuppolicy"), name)
+	}
+	return obj.(*v2.CleanupPolicy), nil
+}

pkg/client/listers/kyverno/v2/clustercleanuppolicy.go

@@ -0,0 +1,68 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v2
+
+import (
+	v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// ClusterCleanupPolicyLister helps list ClusterCleanupPolicies.
+// All objects returned here must be treated as read-only.
+type ClusterCleanupPolicyLister interface {
+	// List lists all ClusterCleanupPolicies in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v2.ClusterCleanupPolicy, err error)
+	// Get retrieves the ClusterCleanupPolicy from the index for a given name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v2.ClusterCleanupPolicy, error)
+	ClusterCleanupPolicyListerExpansion
+}
+
+// clusterCleanupPolicyLister implements the ClusterCleanupPolicyLister interface.
+type clusterCleanupPolicyLister struct {
+	indexer cache.Indexer
+}
+
+// NewClusterCleanupPolicyLister returns a new ClusterCleanupPolicyLister.
+func NewClusterCleanupPolicyLister(indexer cache.Indexer) ClusterCleanupPolicyLister {
+	return &clusterCleanupPolicyLister{indexer: indexer}
+}
+
+// List lists all ClusterCleanupPolicies in the indexer.
+func (s *clusterCleanupPolicyLister) List(selector labels.Selector) (ret []*v2.ClusterCleanupPolicy, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v2.ClusterCleanupPolicy))
+	})
+	return ret, err
+}
+
+// Get retrieves the ClusterCleanupPolicy from the index for a given name.
+func (s *clusterCleanupPolicyLister) Get(name string) (*v2.ClusterCleanupPolicy, error) {
+	obj, exists, err := s.indexer.GetByKey(name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v2.Resource("clustercleanuppolicy"), name)
+	}
+	return obj.(*v2.ClusterCleanupPolicy), nil
+}

pkg/client/listers/kyverno/v2/expansion_generated.go

@@ -34,6 +34,14 @@ type BackgroundScanReportListerExpansion interface{}
 // BackgroundScanReportNamespaceLister.
 type BackgroundScanReportNamespaceListerExpansion interface{}
 
+// CleanupPolicyListerExpansion allows custom methods to be added to
+// CleanupPolicyLister.
+type CleanupPolicyListerExpansion interface{}
+
+// CleanupPolicyNamespaceListerExpansion allows custom methods to be added to
+// CleanupPolicyNamespaceLister.
+type CleanupPolicyNamespaceListerExpansion interface{}
+
 // ClusterAdmissionReportListerExpansion allows custom methods to be added to
 // ClusterAdmissionReportLister.
 type ClusterAdmissionReportListerExpansion interface{}
@@ -42,6 +50,10 @@ type ClusterAdmissionReportListerExpansion interface{}
 // ClusterBackgroundScanReportLister.
 type ClusterBackgroundScanReportListerExpansion interface{}
 
+// ClusterCleanupPolicyListerExpansion allows custom methods to be added to
+// ClusterCleanupPolicyLister.
+type ClusterCleanupPolicyListerExpansion interface{}
+
 // PolicyExceptionListerExpansion allows custom methods to be added to
 // PolicyExceptionLister.
 type PolicyExceptionListerExpansion interface{}

pkg/clients/kyverno/kyvernov2/cleanuppolicies/resource.generated.go

@@ -0,0 +1,373 @@
+package resource
+
+import (
+	context "context"
+	"fmt"
+	"time"
+
+	"github.com/go-logr/logr"
+	github_com_kyverno_kyverno_api_kyverno_v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
+	"github.com/kyverno/kyverno/pkg/metrics"
+	"github.com/kyverno/kyverno/pkg/tracing"
+	"go.opentelemetry.io/otel/trace"
+	"go.uber.org/multierr"
+	k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
+	k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
+)
+
+func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+	return &withLogging{inner, logger}
+}
+
+func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+	return &withMetrics{inner, recorder}
+}
+
+func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+	return &withTracing{inner, client, kind}
+}
+
+type withLogging struct {
+	inner  github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface
+	logger logr.Logger
+}
+
+func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Create")
+	ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Create failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Create done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Delete")
+	ret0 := c.inner.Delete(arg0, arg1, arg2)
+	if err := multierr.Combine(ret0); err != nil {
+		logger.Error(err, "Delete failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Delete done", "duration", time.Since(start))
+	}
+	return ret0
+}
+func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "DeleteCollection")
+	ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+	if err := multierr.Combine(ret0); err != nil {
+		logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
+	} else {
+		logger.Info("DeleteCollection done", "duration", time.Since(start))
+	}
+	return ret0
+}
+func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Get")
+	ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Get failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Get done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicyList, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "List")
+	ret0, ret1 := c.inner.List(arg0, arg1)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "List failed", "duration", time.Since(start))
+	} else {
+		logger.Info("List done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Patch")
+	ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Patch failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Patch done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Update")
+	ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Update failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Update done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "UpdateStatus")
+	ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "UpdateStatus failed", "duration", time.Since(start))
+	} else {
+		logger.Info("UpdateStatus done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Watch")
+	ret0, ret1 := c.inner.Watch(arg0, arg1)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Watch failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Watch done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+
+type withMetrics struct {
+	inner    github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface
+	recorder metrics.Recorder
+}
+
+func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "create")
+	return c.inner.Create(arg0, arg1, arg2)
+}
+func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+	defer c.recorder.RecordWithContext(arg0, "delete")
+	return c.inner.Delete(arg0, arg1, arg2)
+}
+func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+	defer c.recorder.RecordWithContext(arg0, "delete_collection")
+	return c.inner.DeleteCollection(arg0, arg1, arg2)
+}
+func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "get")
+	return c.inner.Get(arg0, arg1, arg2)
+}
+func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicyList, error) {
+	defer c.recorder.RecordWithContext(arg0, "list")
+	return c.inner.List(arg0, arg1)
+}
+func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "patch")
+	return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+}
+func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "update")
+	return c.inner.Update(arg0, arg1, arg2)
+}
+func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "update_status")
+	return c.inner.UpdateStatus(arg0, arg1, arg2)
+}
+func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+	defer c.recorder.RecordWithContext(arg0, "watch")
+	return c.inner.Watch(arg0, arg1)
+}
+
+type withTracing struct {
+	inner  github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface
+	client string
+	kind   string
+}
+
+func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Create"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Delete"),
+			),
+		)
+		defer span.End()
+	}
+	ret0 := c.inner.Delete(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret0)
+	}
+	return ret0
+}
+func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("DeleteCollection"),
+			),
+		)
+		defer span.End()
+	}
+	ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret0)
+	}
+	return ret0
+}
+func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Get"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicyList, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("List"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.List(arg0, arg1)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Patch"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Update"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("UpdateStatus"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Watch"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Watch(arg0, arg1)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}

pkg/clients/kyverno/kyvernov2/client.generated.go

@@ -5,8 +5,10 @@ import (
 	github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
 	admissionreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/admissionreports"
 	backgroundscanreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/backgroundscanreports"
+	cleanuppolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/cleanuppolicies"
 	clusteradmissionreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/clusteradmissionreports"
 	clusterbackgroundscanreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/clusterbackgroundscanreports"
+	clustercleanuppolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/clustercleanuppolicies"
 	policyexceptions "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/policyexceptions"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"k8s.io/client-go/rest"
@@ -41,6 +43,10 @@ func (c *withMetrics) BackgroundScanReports(namespace string) github_com_kyverno
 	recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "BackgroundScanReport", c.clientType)
 	return backgroundscanreports.WithMetrics(c.inner.BackgroundScanReports(namespace), recorder)
 }
+func (c *withMetrics) CleanupPolicies(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+	recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "CleanupPolicy", c.clientType)
+	return cleanuppolicies.WithMetrics(c.inner.CleanupPolicies(namespace), recorder)
+}
 func (c *withMetrics) ClusterAdmissionReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterAdmissionReportInterface {
 	recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterAdmissionReport", c.clientType)
 	return clusteradmissionreports.WithMetrics(c.inner.ClusterAdmissionReports(), recorder)
@@ -49,6 +55,10 @@ func (c *withMetrics) ClusterBackgroundScanReports() github_com_kyverno_kyverno_
 	recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterBackgroundScanReport", c.clientType)
 	return clusterbackgroundscanreports.WithMetrics(c.inner.ClusterBackgroundScanReports(), recorder)
 }
+func (c *withMetrics) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+	recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterCleanupPolicy", c.clientType)
+	return clustercleanuppolicies.WithMetrics(c.inner.ClusterCleanupPolicies(), recorder)
+}
 func (c *withMetrics) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
 	recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "PolicyException", c.clientType)
 	return policyexceptions.WithMetrics(c.inner.PolicyExceptions(namespace), recorder)
@@ -68,12 +78,18 @@ func (c *withTracing) AdmissionReports(namespace string) github_com_kyverno_kyve
 func (c *withTracing) BackgroundScanReports(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.BackgroundScanReportInterface {
 	return backgroundscanreports.WithTracing(c.inner.BackgroundScanReports(namespace), c.client, "BackgroundScanReport")
 }
+func (c *withTracing) CleanupPolicies(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+	return cleanuppolicies.WithTracing(c.inner.CleanupPolicies(namespace), c.client, "CleanupPolicy")
+}
 func (c *withTracing) ClusterAdmissionReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterAdmissionReportInterface {
 	return clusteradmissionreports.WithTracing(c.inner.ClusterAdmissionReports(), c.client, "ClusterAdmissionReport")
 }
 func (c *withTracing) ClusterBackgroundScanReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterBackgroundScanReportInterface {
 	return clusterbackgroundscanreports.WithTracing(c.inner.ClusterBackgroundScanReports(), c.client, "ClusterBackgroundScanReport")
 }
+func (c *withTracing) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+	return clustercleanuppolicies.WithTracing(c.inner.ClusterCleanupPolicies(), c.client, "ClusterCleanupPolicy")
+}
 func (c *withTracing) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
 	return policyexceptions.WithTracing(c.inner.PolicyExceptions(namespace), c.client, "PolicyException")
 }
@@ -92,12 +108,18 @@ func (c *withLogging) AdmissionReports(namespace string) github_com_kyverno_kyve
 func (c *withLogging) BackgroundScanReports(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.BackgroundScanReportInterface {
 	return backgroundscanreports.WithLogging(c.inner.BackgroundScanReports(namespace), c.logger.WithValues("resource", "BackgroundScanReports").WithValues("namespace", namespace))
 }
+func (c *withLogging) CleanupPolicies(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+	return cleanuppolicies.WithLogging(c.inner.CleanupPolicies(namespace), c.logger.WithValues("resource", "CleanupPolicies").WithValues("namespace", namespace))
+}
 func (c *withLogging) ClusterAdmissionReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterAdmissionReportInterface {
 	return clusteradmissionreports.WithLogging(c.inner.ClusterAdmissionReports(), c.logger.WithValues("resource", "ClusterAdmissionReports"))
 }
 func (c *withLogging) ClusterBackgroundScanReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterBackgroundScanReportInterface {
 	return clusterbackgroundscanreports.WithLogging(c.inner.ClusterBackgroundScanReports(), c.logger.WithValues("resource", "ClusterBackgroundScanReports"))
 }
+func (c *withLogging) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+	return clustercleanuppolicies.WithLogging(c.inner.ClusterCleanupPolicies(), c.logger.WithValues("resource", "ClusterCleanupPolicies"))
+}
 func (c *withLogging) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
 	return policyexceptions.WithLogging(c.inner.PolicyExceptions(namespace), c.logger.WithValues("resource", "PolicyExceptions").WithValues("namespace", namespace))
 }

pkg/clients/kyverno/kyvernov2/clustercleanuppolicies/resource.generated.go

@@ -0,0 +1,373 @@
+package resource
+
+import (
+	context "context"
+	"fmt"
+	"time"
+
+	"github.com/go-logr/logr"
+	github_com_kyverno_kyverno_api_kyverno_v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
+	"github.com/kyverno/kyverno/pkg/metrics"
+	"github.com/kyverno/kyverno/pkg/tracing"
+	"go.opentelemetry.io/otel/trace"
+	"go.uber.org/multierr"
+	k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
+	k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
+)
+
+func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+	return &withLogging{inner, logger}
+}
+
+func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+	return &withMetrics{inner, recorder}
+}
+
+func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+	return &withTracing{inner, client, kind}
+}
+
+type withLogging struct {
+	inner  github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface
+	logger logr.Logger
+}
+
+func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Create")
+	ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Create failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Create done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Delete")
+	ret0 := c.inner.Delete(arg0, arg1, arg2)
+	if err := multierr.Combine(ret0); err != nil {
+		logger.Error(err, "Delete failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Delete done", "duration", time.Since(start))
+	}
+	return ret0
+}
+func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "DeleteCollection")
+	ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+	if err := multierr.Combine(ret0); err != nil {
+		logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
+	} else {
+		logger.Info("DeleteCollection done", "duration", time.Since(start))
+	}
+	return ret0
+}
+func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Get")
+	ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Get failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Get done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicyList, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "List")
+	ret0, ret1 := c.inner.List(arg0, arg1)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "List failed", "duration", time.Since(start))
+	} else {
+		logger.Info("List done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Patch")
+	ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Patch failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Patch done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Update")
+	ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Update failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Update done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "UpdateStatus")
+	ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "UpdateStatus failed", "duration", time.Since(start))
+	} else {
+		logger.Info("UpdateStatus done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+	start := time.Now()
+	logger := c.logger.WithValues("operation", "Watch")
+	ret0, ret1 := c.inner.Watch(arg0, arg1)
+	if err := multierr.Combine(ret1); err != nil {
+		logger.Error(err, "Watch failed", "duration", time.Since(start))
+	} else {
+		logger.Info("Watch done", "duration", time.Since(start))
+	}
+	return ret0, ret1
+}
+
+type withMetrics struct {
+	inner    github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface
+	recorder metrics.Recorder
+}
+
+func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "create")
+	return c.inner.Create(arg0, arg1, arg2)
+}
+func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+	defer c.recorder.RecordWithContext(arg0, "delete")
+	return c.inner.Delete(arg0, arg1, arg2)
+}
+func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+	defer c.recorder.RecordWithContext(arg0, "delete_collection")
+	return c.inner.DeleteCollection(arg0, arg1, arg2)
+}
+func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "get")
+	return c.inner.Get(arg0, arg1, arg2)
+}
+func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicyList, error) {
+	defer c.recorder.RecordWithContext(arg0, "list")
+	return c.inner.List(arg0, arg1)
+}
+func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "patch")
+	return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+}
+func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "update")
+	return c.inner.Update(arg0, arg1, arg2)
+}
+func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	defer c.recorder.RecordWithContext(arg0, "update_status")
+	return c.inner.UpdateStatus(arg0, arg1, arg2)
+}
+func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+	defer c.recorder.RecordWithContext(arg0, "watch")
+	return c.inner.Watch(arg0, arg1)
+}
+
+type withTracing struct {
+	inner  github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface
+	client string
+	kind   string
+}
+
+func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Create"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Delete"),
+			),
+		)
+		defer span.End()
+	}
+	ret0 := c.inner.Delete(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret0)
+	}
+	return ret0
+}
+func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("DeleteCollection"),
+			),
+		)
+		defer span.End()
+	}
+	ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret0)
+	}
+	return ret0
+}
+func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Get"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicyList, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("List"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.List(arg0, arg1)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Patch"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Update"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("UpdateStatus"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}
+func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+	var span trace.Span
+	if tracing.IsInSpan(arg0) {
+		arg0, span = tracing.StartChildSpan(
+			arg0,
+			"",
+			fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
+			trace.WithAttributes(
+				tracing.KubeClientGroupKey.String(c.client),
+				tracing.KubeClientKindKey.String(c.kind),
+				tracing.KubeClientOperationKey.String("Watch"),
+			),
+		)
+		defer span.End()
+	}
+	ret0, ret1 := c.inner.Watch(arg0, arg1)
+	if span != nil {
+		tracing.SetSpanStatus(span, ret1)
+	}
+	return ret0, ret1
+}

test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml

@@ -27,7 +27,7 @@ spec:
           kinds:
           - PolicyException
     generate:
-      apiVersion: kyverno.io/v2beta1
+      apiVersion: kyverno.io/v2
       kind: ClusterCleanupPolicy
       name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }}
       synchronize: false