Enable flexible registry credential configurations (#7114)

* types added Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added secret fetching and client creation Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * codegen Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fixed tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * validate target resource scope & namespace settings (#7098) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: mutation code (#7095) * fix: mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * lazy loading of context vars (#7071) * lazy loading of context vars Signed-off-by: Jim Bugwadia <jim@nirmata.com> * gofumpt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add kuttl tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * moved to policy context Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * removed errors Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * RegistryClientLoader Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * [Feature] Add kuttl tests with policy exceptions disabled (#7117) * added tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * removed redundant code Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * typo fix and README changes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> --------- Signed-off-by: Ved Ratan <vedratan8@gmail.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * Conditions message (#7113) * add message to conditions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * extend tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#7123) Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 2.1.2 to 2.1.3. - [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases) - [Commits](21991cec25...555a30da26) --- updated-dependencies: - dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.14.1 to 0.14.2 (#7121) Bumps [sigs.k8s.io/kustomize/kyaml](https://github.com/kubernetes-sigs/kustomize) from 0.14.1 to 0.14.2. - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases) - [Commits](https://github.com/kubernetes-sigs/kustomize/compare/kyaml/v0.14.1...kyaml/v0.14.2) --- updated-dependencies: - dependency-name: sigs.k8s.io/kustomize/kyaml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump oras.land/oras-go/v2 from 2.0.2 to 2.1.0 (#7102) Bumps [oras.land/oras-go/v2](https://github.com/oras-project/oras-go) from 2.0.2 to 2.1.0. - [Release notes](https://github.com/oras-project/oras-go/releases) - [Commits](https://github.com/oras-project/oras-go/compare/v2.0.2...v2.1.0) --- updated-dependencies: - dependency-name: oras.land/oras-go/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * add condition msg to v2beta1 (#7126) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: print container flags and their values (#7127) * add condition msg to v2beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * print flags settings Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove the container flag genWorker from the admission controller (#7132) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#7103) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.54.0 to 1.55.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.54.0...v1.55.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove the duplicate entry (#7125) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump sigs.k8s.io/kustomize/api from 0.13.2 to 0.13.3 (#7120) Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.13.2 to 0.13.3. - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases) - [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.13.2...api/v0.13.3) --- updated-dependencies: - dependency-name: sigs.k8s.io/kustomize/api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * update background scan logging messages (#7142) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * Update chart with v2 to v3 migration guidance. (#7144) * add Saxo Bank and Velux as adopters Signed-off-by: Chip Zoller <chipzoller@gmail.com> * update chart README and validations Signed-off-by: Chip Zoller <chipzoller@gmail.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * add Controller Internals info (#7147) Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * Supporting ValidatingAdmissionPolicy in kyverno cli (apply and test command) (#6656) * feat: add policy reporter to the dev lab Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: remove obsolete structs from CLI Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * Supporting ValidatingAdmissionPolicy in kyverno apply Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * chore: bump k8s from v0.26.3 to v0.27.0-rc.0 Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Support validating admission policy in kyverno apply Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Support validating admission policy in kyverno test Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * refactoring Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding kyverno apply tests for validating admission policy Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * running codegen-all Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding IsVap field in TestResults Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * chore: bump k8s from v0.27.0-rc.0 to v0.27.1 Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix vap in engine response Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump sigs.k8s.io/kustomize/api from 0.13.3 to 0.13.4 (#7150) Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.13.3 to 0.13.4. - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases) - [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.13.3...api/v0.13.4) --- updated-dependencies: - dependency-name: sigs.k8s.io/kustomize/api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#7149) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.8.0 to 0.9.0. - [Commits](https://github.com/golang/crypto/compare/v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * Added `omit-events` flag to allow disabling of event emission (#7010) * added comma seperated flag Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * reason added in logs Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added requested changes Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * kuttl test init Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated kuttl tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated behavior Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fixed flawed behavior Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated test location and added readme Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated step Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * omit events Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: let reports controller quit when loosing the lead (#7153) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump slsa-framework/slsa-github-generator (#7160) Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0. - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases) - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0) --- updated-dependencies: - dependency-name: slsa-framework/slsa-github-generator dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore: bump otel deps (#7152) * chore: bump otel deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 (#7172) Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/docker/distribution (#7171) Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/docker/distribution/releases) - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/docker/distribution dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/go-logr/zapr from 1.2.3 to 1.2.4 (#7177) Bumps [github.com/go-logr/zapr](https://github.com/go-logr/zapr) from 1.2.3 to 1.2.4. - [Release notes](https://github.com/go-logr/zapr/releases) - [Commits](https://github.com/go-logr/zapr/compare/v1.2.3...v1.2.4) --- updated-dependencies: - dependency-name: github.com/go-logr/zapr dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * Add refactor note (#7169) Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fixed typo in the v2 to v3 helm migration guide (#7163) * fixed typo in the v2 to v3 helm migration guide Signed-off-by: Richard Parke <richardparke15@gmail.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Richard Parke <richardparke15@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/distribution/distribution (#7178) Bumps [github.com/distribution/distribution](https://github.com/distribution/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - [Release notes](https://github.com/distribution/distribution/releases) - [Commits](https://github.com/distribution/distribution/compare/v2.8.1...v2.8.2) --- updated-dependencies: - dependency-name: github.com/distribution/distribution dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * tweaks (#7166) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add logging feature to helm chart (#7181) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * refactor: hide json context from caller (#7139) * refactor: hide json context from caller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add omit-events feature in helm chart (#7185) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: preconditions in mutate existing rules (#7183) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: use structured jsonpatch instead of byte arrays (#7186) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added secret lister Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * changes from review Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added rclientloader to policy context Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * refactor changes Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * NIT Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added RegistryClientLoaderNewOrDie to policy context Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * CI fixes Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: panic for policy variable validation (#7079) * fix panic Signed-off-by: ShutingZhao <shuting@nirmata.com> * check errors Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: remove policy-reporter from dev lab (#7196) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: cleanup controller metrics name (#7198) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: http request metrics (#7197) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove unused code (#7203) Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * handle Deny rules where conditions eval to true (#7204) Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * [Bug] Enforce message wrong (#7208) * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fixed tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> --------- Signed-off-by: Ved Ratan <vedratan8@gmail.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump codecov/codecov-action from 3.1.3 to 3.1.4 (#7207) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](894ff025c7...eaaf4bedf3) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump sigstore/cosign-installer from 3.0.3 to 3.0.4 (#7215) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](204a51a57a...03d0fecf17) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: panic in reports controller (#7220) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: mutate existing auth check (#7219) * fix auth check when using variables in ns Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: do not exclude kube-system service accounts by default (#7225) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * docs: add reports system design doc (#6949) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump k8s.io/apimachinery from 0.27.1 to 0.27.2 (#7227) Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.27.1 to 0.27.2. - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump k8s.io/cli-runtime from 0.27.1 to 0.27.2 (#7228) Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.27.1 to 0.27.2. - [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#7229) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](03d0fecf17...dd6b2e2b61) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump k8s.io/pod-security-admission from 0.27.1 to 0.27.2 (#7232) Bumps [k8s.io/pod-security-admission](https://github.com/kubernetes/pod-security-admission) from 0.27.1 to 0.27.2. - [Commits](https://github.com/kubernetes/pod-security-admission/compare/v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/pod-security-admission dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: match logic misbehave (#7218) * add rule name in ur for mutate existing Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix match logic Signed-off-by: ShutingZhao <shuting@nirmata.com> * linter fixes Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix the match logic to only apply to the new object, unless it's a delete request Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#7240) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#7239) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump k8s.io/kube-aggregator from 0.27.1 to 0.27.2 (#7241) Bumps [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) from 0.27.1 to 0.27.2. - [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/kube-aggregator dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump k8s.io/apiextensions-apiserver from 0.27.1 to 0.27.2 (#7242) Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.27.1 to 0.27.2. - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/apiextensions-apiserver dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * passing rclientloader directly Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * lazy evaluate vars in conditions (#7238) * lazy evaluate vars in conditions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unnecessary conversion Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml Signed-off-by: shuting <shutting06@gmail.com> * Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/README.md Signed-off-by: shuting <shutting06@gmail.com> * added error check in test Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shutting06@gmail.com> Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * quote image in error (#7259) Signed-off-by: bakito <github@bakito.ch> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: auto update webhooks not configuring fail endpoint (#7261) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix latest version check (#7263) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.0 (#7270) Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/svenstaro/upload-release-action/releases) - [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md) - [Commits](7319e4733e...58d5258088) --- updated-dependencies: - dependency-name: svenstaro/upload-release-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.6 to 0.15.0 (#7272) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.6 to 0.15.0. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.14.6...v0.15.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: add yaml util to check empty document (#7276) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * NIT Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * Azure to ACR Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * go mod fix Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * codegen Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * NIT Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * adding kuttl test Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * use pointer Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * global client Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * added kubeclient Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added nil kubeclient check Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * context Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * factory Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * secrets lister Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * flags Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix cli Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * factories Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Ved Ratan <vedratan8@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> Signed-off-by: Richard Parke <richardparke15@gmail.com> Signed-off-by: shuting <shutting06@gmail.com> Signed-off-by: bakito <github@bakito.ch> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Mariam Fahmy <55502281+MariamFahmy98@users.noreply.github.com> Co-authored-by: rparke <50015370+rparke@users.noreply.github.com> Co-authored-by: shuting <shutting06@gmail.com> Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com> Co-authored-by: Marc Brugger <github@bakito.ch>
2025-03-13 19:28:55 +00:00 · 2023-06-16 19:07:08 +05:30 · 2023-06-16 19:07:08 +05:30 · 43685aedc2
commit 43685aedc2
parent 6939716675
43 changed files with 4828 additions and 182 deletions
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@ -118,6 +118,10 @@ type ImageRegistry struct {
 	// the image reference.
 	// +optional
 	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
+
+	// ImageRegistryCredentials provides credentials that will be used for authentication with registry
+	// +kubebuilder:validation:Optional
+	ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
 }

 // ConfigMapReference refers to a ConfigMap
--- a/api/kyverno/v1/image_verification_types.go
+++ b/api/kyverno/v1/image_verification_types.go
@ -13,9 +13,19 @@ import (
 // +kubebuilder:default=Cosign
 type ImageVerificationType string

+// ImageRegistryCredentialsHelpersType provides the list of credential helpers required.
+// +kubebuilder:validation:Enum=default;amazon;azure;google;github
+type ImageRegistryCredentialsHelpersType string
+
 const (
 	Cosign ImageVerificationType = "Cosign"
 	Notary ImageVerificationType = "Notary"
+
+	DEFAULT ImageRegistryCredentialsHelpersType = "default"
+	AWS     ImageRegistryCredentialsHelpersType = "amazon"
+	ACR     ImageRegistryCredentialsHelpersType = "azure"
+	GCP     ImageRegistryCredentialsHelpersType = "google"
+	GHCR    ImageRegistryCredentialsHelpersType = "github"
 )

 // ImageVerification validates that images that match the specified pattern
@ -95,6 +105,10 @@ type ImageVerification struct {
 	// +kubebuilder:default=true
 	// +kubebuilder:validation:Optional
 	Required bool `json:"required" yaml:"required"`
+
+	// ImageRegistryCredentials provides credentials that will be used for authentication with registry
+	// +kubebuilder:validation:Optional
+	ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
 }

 type AttestorSet struct {
@ -254,6 +268,22 @@ type Attestation struct {
 	Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
 }

+type ImageRegistryCredentials struct {
+	// AllowInsecureRegistry allows insecure access to a registry
+	// +kubebuilder:validation:Optional
+	AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"`
+
+	// Helpers specifies a list of OCI Registry names, whose authentication helpers are provided
+	// It can be of one of these values: AWS, ACR, GCP, GHCR
+	// +kubebuilder:validation:Optional
+	Helpers []ImageRegistryCredentialsHelpersType `json:"helpers,omitempty" yaml:"helpers,omitempty"`
+
+	// Secrets specifies a list of secrets that are provided for credentials
+	// Secrets must live in the Kyverno namespace
+	// +kubebuilder:validation:Optional
+	Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"`
+}
+
 func (iv *ImageVerification) GetType() ImageVerificationType {
 	if iv.Type != "" {
 		return iv.Type
--- a/api/kyverno/v1/zz_generated.deepcopy.go
+++ b/api/kyverno/v1/zz_generated.deepcopy.go
@ -434,7 +434,7 @@ func (in *ContextEntry) DeepCopyInto(out *ContextEntry) {
 	if in.ImageRegistry != nil {
 		in, out := &in.ImageRegistry, &out.ImageRegistry
 		*out = new(ImageRegistry)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.Variable != nil {
 		in, out := &in.Variable, &out.Variable
@ -673,6 +673,11 @@ func (in ImageExtractorConfigs) DeepCopy() ImageExtractorConfigs {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageRegistry) DeepCopyInto(out *ImageRegistry) {
 	*out = *in
+	if in.ImageRegistryCredentials != nil {
+		in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
+		*out = new(ImageRegistryCredentials)
+		(*in).DeepCopyInto(*out)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistry.
@ -685,6 +690,31 @@ func (in *ImageRegistry) DeepCopy() *ImageRegistry {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageRegistryCredentials) DeepCopyInto(out *ImageRegistryCredentials) {
+	*out = *in
+	if in.Helpers != nil {
+		in, out := &in.Helpers, &out.Helpers
+		*out = make([]ImageRegistryCredentialsHelpersType, len(*in))
+		copy(*out, *in)
+	}
+	if in.Secrets != nil {
+		in, out := &in.Secrets, &out.Secrets
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistryCredentials.
+func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageRegistryCredentials)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
 	*out = *in
@ -721,6 +751,11 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
 			(*out)[key] = val
 		}
 	}
+	if in.ImageRegistryCredentials != nil {
+		in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
+		*out = new(ImageRegistryCredentials)
+		(*in).DeepCopyInto(*out)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.
--- a/api/kyverno/v2beta1/image_verification_types.go
+++ b/api/kyverno/v2beta1/image_verification_types.go
@ -5,16 +5,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )

-// ImageVerificationType selects the type of verification algorithm
-// +kubebuilder:validation:Enum=Cosign;Notary
-// +kubebuilder:default=Cosign
-type ImageVerificationType string
-
-const (
-	Cosign ImageVerificationType = "Cosign"
-	Notary ImageVerificationType = "Notary"
-)
-
 // ImageVerification validates that images that match the specified pattern
 // are signed with the supplied public key. Once the image is verified it is
 // mutated to include the SHA digest retrieved during the registration.
@ -22,7 +12,7 @@ type ImageVerification struct {
 	// Type specifies the method of signature validation. The allowed options
 	// are Cosign and Notary. By default Cosign is used if a type is not specified.
 	// +kubebuilder:validation:Optional
-	Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
+	Type kyvernov1.ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`

 	// ImageReferences is a list of matching image reference patterns. At least one pattern in the
 	// list must match the image for the rule to apply. Each image reference consists of a registry
@ -60,6 +50,10 @@ type ImageVerification struct {
 	// +kubebuilder:default=true
 	// +kubebuilder:validation:Optional
 	Required bool `json:"required" yaml:"required"`
+
+	// ImageRegistryCredentials provides credentials that will be used for authentication with registry
+	// +kubebuilder:validation:Optional
+	ImageRegistryCredentials *kyvernov1.ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
 }

 // Validate implements programmatic validation
@ -86,7 +80,7 @@ func (iv *ImageVerification) Validate(isAuditFailureAction bool, path *field.Pat
 		errs = append(errs, attestorErrors...)
 	}

-	if iv.Type == Notary {
+	if iv.Type == kyvernov1.Notary {
 		for _, attestorSet := range iv.Attestors {
 			for _, attestor := range attestorSet.Entries {
 				if attestor.Keyless != nil {
--- a/api/kyverno/v2beta1/zz_generated.deepcopy.go
+++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go
@ -184,6 +184,11 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ImageRegistryCredentials != nil {
+		in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
+		*out = new(v1.ImageRegistryCredentials)
+		(*in).DeepCopyInto(*out)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.
--- a/charts/kyverno/templates/crds/crds.yaml
+++ b/charts/kyverno/templates/crds/crds.yaml
--- a/cmd/background-controller/main.go
+++ b/cmd/background-controller/main.go
@ -23,7 +23,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/policy"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeinformers "k8s.io/client-go/informers"
 	kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
 )
@ -39,7 +38,6 @@ func createrLeaderControllers(
 	kyvernoInformer kyvernoinformer.SharedInformerFactory,
 	kyvernoClient versioned.Interface,
 	dynamicClient dclient.Interface,
-	rclient registryclient.Client,
 	configuration config.Configuration,
 	metricsConfig metrics.MetricsConfigManager,
 	eventGenerator event.Interface,
@ -160,6 +158,7 @@ func main() {
 		setup.RegistryClient,
 		setup.KubeClient,
 		setup.KyvernoClient,
+		setup.RegistrySecretLister,
 	)
 	// start informers and wait for cache sync
 	if !internal.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, kyvernoInformer) {
@ -189,7 +188,6 @@ func main() {
 				kyvernoInformer,
 				setup.KyvernoClient,
 				setup.KyvernoDynamicClient,
-				setup.RegistryClient,
 				setup.Configuration,
 				setup.MetricsManager,
 				eventGenerator,
--- a/cmd/cli/kubectl-kyverno/utils/common/common.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/common.go
@ -848,7 +848,6 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
 		fmt.Printf("Failed to mock dynamic client")
 		return nil, err
 	}
-
 	client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
 	cfg := config.NewDefaultConfiguration(false)
 	c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
@ -857,7 +856,6 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
 		jmespath.New(cfg),
 		adapters.Client(client),
 		nil,
-		nil,
 		store.ContextLoaderFactory(nil),
 		nil,
 		"",
--- a/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go
@ -13,6 +13,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
@ -117,8 +118,7 @@ OuterLoop:
 		config.NewDefaultMetricsConfiguration(),
 		jmespath.New(cfg),
 		adapters.Client(c.Client),
-		adapters.ImageDataClient(rclient),
-		rclient,
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
 		store.ContextLoaderFactory(nil),
 		nil,
 		"",
--- a/cmd/cli/kubectl-kyverno/utils/store/contextloader.go
+++ b/cmd/cli/kubectl-kyverno/utils/store/contextloader.go
@ -8,6 +8,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/logging"
 )
@ -16,7 +17,7 @@ func ContextLoaderFactory(
 	cmResolver engineapi.ConfigmapResolver,
 ) engineapi.ContextLoaderFactory {
 	return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) engineapi.ContextLoader {
-		inner := engineapi.DefaultContextLoaderFactory(cmResolver)
+		inner := factories.DefaultContextLoaderFactory(cmResolver)
 		if IsMock() {
 			return &mockContextLoader{
 				logger:     logging.WithName("MockContextLoaderFactory"),
@ -39,7 +40,7 @@ func (l *mockContextLoader) Load(
 	ctx context.Context,
 	jp jmespath.Interface,
 	client engineapi.RawClient,
-	_ engineapi.ImageDataClient,
+	_ engineapi.RegistryClientFactory,
 	contextEntries []kyvernov1.ContextEntry,
 	jsonContext enginecontext.Interface,
 ) error {
@ -57,7 +58,7 @@ func (l *mockContextLoader) Load(
 	for _, entry := range contextEntries {
 		if entry.ImageRegistry != nil && hasRegistryAccess {
 			rclient := GetRegistryClient()
-			if err := engineapi.LoadImageData(ctx, jp, adapters.ImageDataClient(rclient), l.logger, entry, jsonContext); err != nil {
+			if err := engineapi.LoadImageData(ctx, jp, factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil), l.logger, entry, jsonContext); err != nil {
 				return err
 			}
 		} else if entry.Variable != nil {
--- a/cmd/internal/engine.go
+++ b/cmd/internal/engine.go
@ -14,9 +14,11 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	"k8s.io/client-go/kubernetes"
+	corev1listers "k8s.io/client-go/listers/core/v1"
 )

 func NewEngine(
@ -29,6 +31,7 @@ func NewEngine(
 	rclient registryclient.Client,
 	kubeClient kubernetes.Interface,
 	kyvernoClient versioned.Interface,
+	secretLister corev1listers.SecretNamespaceLister,
 ) engineapi.Engine {
 	configMapResolver := NewConfigMapResolver(ctx, logger, kubeClient, 15*time.Minute)
 	exceptionsSelector := NewExceptionSelector(ctx, logger, kyvernoClient, 15*time.Minute)
@ -39,9 +42,8 @@ func NewEngine(
 		metricsConfiguration,
 		jp,
 		adapters.Client(client),
-		adapters.ImageDataClient(rclient),
-		rclient,
-		engineapi.DefaultContextLoaderFactory(configMapResolver),
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), secretLister),
+		factories.DefaultContextLoaderFactory(configMapResolver),
 		exceptionsSelector,
 		imageSignatureRepository,
 	)
--- a/cmd/internal/registry.go
+++ b/cmd/internal/registry.go
@ -10,22 +10,23 @@ import (
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	corev1listers "k8s.io/client-go/listers/core/v1"
 )

-func setupRegistryClient(ctx context.Context, logger logr.Logger, client kubernetes.Interface) registryclient.Client {
+func setupRegistryClient(ctx context.Context, logger logr.Logger, client kubernetes.Interface) (registryclient.Client, corev1listers.SecretNamespaceLister) {
 	logger = logger.WithName("registry-client").WithValues("secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
 	logger.Info("setup registry client...")
+	factory := kubeinformers.NewSharedInformerFactoryWithOptions(client, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
+	secretLister := factory.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
+	// start informers and wait for cache sync
+	if !StartInformersAndWaitForCacheSync(ctx, logger, factory) {
+		checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
+	}
 	registryOptions := []registryclient.Option{
 		registryclient.WithTracing(),
 	}
 	secrets := strings.Split(imagePullSecrets, ",")
 	if imagePullSecrets != "" && len(secrets) > 0 {
-		factory := kubeinformers.NewSharedInformerFactoryWithOptions(client, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
-		secretLister := factory.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
-		// start informers and wait for cache sync
-		if !StartInformersAndWaitForCacheSync(ctx, logger, factory) {
-			checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
-		}
 		registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, secretLister, secrets...))
 	}
 	if allowInsecureRegistry {
@ -36,5 +37,5 @@ func setupRegistryClient(ctx context.Context, logger logr.Logger, client kuberne
 	}
 	registryClient, err := registryclient.New(registryOptions...)
 	checkError(logger, err, "failed to create registry client")
-	return registryClient
+	return registryClient, secretLister
 }
--- a/cmd/internal/setup.go
+++ b/cmd/internal/setup.go
@ -15,6 +15,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/registryclient"
+	corev1listers "k8s.io/client-go/listers/core/v1"
 )

 func shutdown(logger logr.Logger, sdowns ...context.CancelFunc) context.CancelFunc {
@ -37,6 +38,7 @@ type SetupResult struct {
 	KubeClient           kubeclient.UpstreamInterface
 	LeaderElectionClient kubeclient.UpstreamInterface
 	RegistryClient       registryclient.Client
+	RegistrySecretLister corev1listers.SecretNamespaceLister
 	KyvernoClient        kyvernoclient.UpstreamInterface
 	DynamicClient        dynamicclient.UpstreamInterface
 	ApiServerClient      apiserverclient.UpstreamInterface
@ -59,8 +61,9 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
 	configuration := startConfigController(ctx, logger, client, skipResourceFilters)
 	sdownTracing := SetupTracing(logger, name, client)
 	var registryClient registryclient.Client
+	var registrySecretLister corev1listers.SecretNamespaceLister
 	if config.UsesRegistryClient() {
-		registryClient = setupRegistryClient(ctx, logger, client)
+		registryClient, registrySecretLister = setupRegistryClient(ctx, logger, client)
 	}
 	var leaderElectionClient kubeclient.UpstreamInterface
 	if config.UsesLeaderElection() {
@ -96,6 +99,7 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
 			KubeClient:           client,
 			LeaderElectionClient: leaderElectionClient,
 			RegistryClient:       registryClient,
+			RegistrySecretLister: registrySecretLister,
 			KyvernoClient:        kyvernoClient,
 			DynamicClient:        dynamicClient,
 			ApiServerClient:      apiServerClient,
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -300,6 +300,7 @@ func main() {
 		setup.RegistryClient,
 		setup.KubeClient,
 		setup.KyvernoClient,
+		setup.RegistrySecretLister,
 	)
 	// create non leader controllers
 	nonLeaderControllers, nonLeaderBootstrap := createNonLeaderControllers(
@ -414,7 +415,6 @@ func main() {
 		engine,
 		setup.KyvernoDynamicClient,
 		setup.KyvernoClient,
-		setup.RegistryClient,
 		setup.Configuration,
 		setup.MetricsManager,
 		policyCache,
--- a/cmd/reports-controller/main.go
+++ b/cmd/reports-controller/main.go
@ -23,7 +23,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/leaderelection"
 	"github.com/kyverno/kyverno/pkg/logging"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeinformers "k8s.io/client-go/informers"
 	metadatainformers "k8s.io/client-go/metadata/metadatainformer"
 	kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
@ -41,7 +40,6 @@ func createReportControllers(
 	backgroundScanWorkers int,
 	client dclient.Interface,
 	kyvernoClient versioned.Interface,
-	rclient registryclient.Client,
 	metadataFactory metadatainformers.SharedInformerFactory,
 	kubeInformer kubeinformers.SharedInformerFactory,
 	kyvernoInformer kyvernoinformer.SharedInformerFactory,
@ -132,7 +130,6 @@ func createrLeaderControllers(
 	metadataInformer metadatainformers.SharedInformerFactory,
 	kyvernoClient versioned.Interface,
 	dynamicClient dclient.Interface,
-	rclient registryclient.Client,
 	configuration config.Configuration,
 	jp jmespath.Interface,
 	eventGenerator event.Interface,
@ -146,7 +143,6 @@ func createrLeaderControllers(
 		backgroundScanWorkers,
 		dynamicClient,
 		kyvernoClient,
-		rclient,
 		metadataInformer,
 		kubeInformer,
 		kyvernoInformer,
@ -233,6 +229,7 @@ func main() {
 		setup.RegistryClient,
 		setup.KubeClient,
 		setup.KyvernoClient,
+		setup.RegistrySecretLister,
 	)
 	// start informers and wait for cache sync
 	if !internal.StartInformersAndWaitForCacheSync(ctx, setup.Logger, kyvernoInformer) {
@ -269,7 +266,6 @@ func main() {
 				metadataInformer,
 				setup.KyvernoClient,
 				setup.KyvernoDynamicClient,
-				setup.RegistryClient,
 				setup.Configuration,
 				setup.Jp,
 				eventGenerator,
--- a/config/crds/kyverno.io_cleanuppolicies.yaml
+++ b/config/crds/kyverno.io_cleanuppolicies.yaml
@ -220,6 +220,37 @@ spec:
                      description: ImageRegistry defines requests to an OCI/Docker
                        V2 registry to fetch image details.
                      properties:
+                        imageRegistryCredentials:
+                          description: ImageRegistryCredentials provides credentials
+                            that will be used for authentication with registry
+                          properties:
+                            allowInsecureRegistry:
+                              description: AllowInsecureRegistry allows insecure access
+                                to a registry
+                              type: boolean
+                            helpers:
+                              description: 'Helpers specifies a list of OCI Registry
+                                names, whose authentication helpers are provided It
+                                can be of one of these values: AWS, ACR, GCP, GHCR'
+                              items:
+                                description: ImageRegistryCredentialsHelpersType provides
+                                  the list of credential helpers required.
+                                enum:
+                                - default
+                                - amazon
+                                - azure
+                                - google
+                                - github
+                                type: string
+                              type: array
+                            secrets:
+                              description: Secrets specifies a list of secrets that
+                                are provided for credentials Secrets must live in
+                                the Kyverno namespace
+                              items:
+                                type: string
+                              type: array
+                          type: object
                        jmesPath:
                          description: JMESPath is an optional JSON Match Expression
                            that can be used to transform the ImageData struct returned
--- a/config/crds/kyverno.io_clustercleanuppolicies.yaml
+++ b/config/crds/kyverno.io_clustercleanuppolicies.yaml
@ -220,6 +220,37 @@ spec:
                      description: ImageRegistry defines requests to an OCI/Docker
                        V2 registry to fetch image details.
                      properties:
+                        imageRegistryCredentials:
+                          description: ImageRegistryCredentials provides credentials
+                            that will be used for authentication with registry
+                          properties:
+                            allowInsecureRegistry:
+                              description: AllowInsecureRegistry allows insecure access
+                                to a registry
+                              type: boolean
+                            helpers:
+                              description: 'Helpers specifies a list of OCI Registry
+                                names, whose authentication helpers are provided It
+                                can be of one of these values: AWS, ACR, GCP, GHCR'
+                              items:
+                                description: ImageRegistryCredentialsHelpersType provides
+                                  the list of credential helpers required.
+                                enum:
+                                - default
+                                - amazon
+                                - azure
+                                - google
+                                - github
+                                type: string
+                              type: array
+                            secrets:
+                              description: Secrets specifies a list of secrets that
+                                are provided for credentials Secrets must live in
+                                the Kyverno namespace
+                              items:
+                                type: string
+                              type: array
+                          type: object
                        jmesPath:
                          description: JMESPath is an optional JSON Match Expression
                            that can be used to transform the ImageData struct returned
--- a/config/crds/kyverno.io_clusterpolicies.yaml
+++ b/config/crds/kyverno.io_clusterpolicies.yaml
@ -258,6 +258,38 @@ spec:
                            description: ImageRegistry defines requests to an OCI/Docker
                              V2 registry to fetch image details.
                            properties:
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the ImageData struct
@ -1923,6 +1955,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -2221,6 +2288,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -2620,6 +2722,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -3708,6 +3845,38 @@ spec:
                            items:
                              type: string
                            type: array
+                          imageRegistryCredentials:
+                            description: ImageRegistryCredentials provides credentials
+                              that will be used for authentication with registry
+                            properties:
+                              allowInsecureRegistry:
+                                description: AllowInsecureRegistry allows insecure
+                                  access to a registry
+                                type: boolean
+                              helpers:
+                                description: 'Helpers specifies a list of OCI Registry
+                                  names, whose authentication helpers are provided
+                                  It can be of one of these values: AWS, ACR, GCP,
+                                  GHCR'
+                                items:
+                                  description: ImageRegistryCredentialsHelpersType
+                                    provides the list of credential helpers required.
+                                  enum:
+                                  - default
+                                  - amazon
+                                  - azure
+                                  - google
+                                  - github
+                                  type: string
+                                type: array
+                              secrets:
+                                description: Secrets specifies a list of secrets that
+                                  are provided for credentials Secrets must live in
+                                  the Kyverno namespace
+                                items:
+                                  type: string
+                                type: array
+                            type: object
                          issuer:
                            description: Issuer is the certificate issuer used for
                              keyless signing. Deprecated. Use KeylessAttestor instead.
@ -4013,6 +4182,40 @@ spec:
                                description: ImageRegistry defines requests to an
                                  OCI/Docker V2 registry to fetch image details.
                                properties:
+                                  imageRegistryCredentials:
+                                    description: ImageRegistryCredentials provides
+                                      credentials that will be used for authentication
+                                      with registry
+                                    properties:
+                                      allowInsecureRegistry:
+                                        description: AllowInsecureRegistry allows
+                                          insecure access to a registry
+                                        type: boolean
+                                      helpers:
+                                        description: 'Helpers specifies a list of
+                                          OCI Registry names, whose authentication
+                                          helpers are provided It can be of one of
+                                          these values: AWS, ACR, GCP, GHCR'
+                                        items:
+                                          description: ImageRegistryCredentialsHelpersType
+                                            provides the list of credential helpers
+                                            required.
+                                          enum:
+                                          - default
+                                          - amazon
+                                          - azure
+                                          - google
+                                          - github
+                                          type: string
+                                        type: array
+                                      secrets:
+                                        description: Secrets specifies a list of secrets
+                                          that are provided for credentials Secrets
+                                          must live in the Kyverno namespace
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
@ -5755,6 +5958,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -6067,6 +6306,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -6489,6 +6764,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -7626,6 +7937,38 @@ spec:
                                items:
                                  type: string
                                type: array
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                              issuer:
                                description: Issuer is the certificate issuer used
                                  for keyless signing. Deprecated. Use KeylessAttestor
@ -8028,6 +8371,38 @@ spec:
                            description: ImageRegistry defines requests to an OCI/Docker
                              V2 registry to fetch image details.
                            properties:
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the ImageData struct
@ -9267,6 +9642,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -9565,6 +9975,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -10146,6 +10591,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -11213,6 +11693,38 @@ spec:
                            items:
                              type: string
                            type: array
+                          imageRegistryCredentials:
+                            description: ImageRegistryCredentials provides credentials
+                              that will be used for authentication with registry
+                            properties:
+                              allowInsecureRegistry:
+                                description: AllowInsecureRegistry allows insecure
+                                  access to a registry
+                                type: boolean
+                              helpers:
+                                description: 'Helpers specifies a list of OCI Registry
+                                  names, whose authentication helpers are provided
+                                  It can be of one of these values: AWS, ACR, GCP,
+                                  GHCR'
+                                items:
+                                  description: ImageRegistryCredentialsHelpersType
+                                    provides the list of credential helpers required.
+                                  enum:
+                                  - default
+                                  - amazon
+                                  - azure
+                                  - google
+                                  - github
+                                  type: string
+                                type: array
+                              secrets:
+                                description: Secrets specifies a list of secrets that
+                                  are provided for credentials Secrets must live in
+                                  the Kyverno namespace
+                                items:
+                                  type: string
+                                type: array
+                            type: object
                          mutateDigest:
                            default: true
                            description: MutateDigest enables replacement of image
@ -11499,6 +12011,40 @@ spec:
                                description: ImageRegistry defines requests to an
                                  OCI/Docker V2 registry to fetch image details.
                                properties:
+                                  imageRegistryCredentials:
+                                    description: ImageRegistryCredentials provides
+                                      credentials that will be used for authentication
+                                      with registry
+                                    properties:
+                                      allowInsecureRegistry:
+                                        description: AllowInsecureRegistry allows
+                                          insecure access to a registry
+                                        type: boolean
+                                      helpers:
+                                        description: 'Helpers specifies a list of
+                                          OCI Registry names, whose authentication
+                                          helpers are provided It can be of one of
+                                          these values: AWS, ACR, GCP, GHCR'
+                                        items:
+                                          description: ImageRegistryCredentialsHelpersType
+                                            provides the list of credential helpers
+                                            required.
+                                          enum:
+                                          - default
+                                          - amazon
+                                          - azure
+                                          - google
+                                          - github
+                                          type: string
+                                        type: array
+                                      secrets:
+                                        description: Secrets specifies a list of secrets
+                                          that are provided for credentials Secrets
+                                          must live in the Kyverno namespace
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
@ -13241,6 +13787,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -13553,6 +14135,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -13975,6 +14593,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -15112,6 +15766,38 @@ spec:
                                items:
                                  type: string
                                type: array
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                              issuer:
                                description: Issuer is the certificate issuer used
                                  for keyless signing. Deprecated. Use KeylessAttestor
--- a/config/crds/kyverno.io_policies.yaml
+++ b/config/crds/kyverno.io_policies.yaml
@ -259,6 +259,38 @@ spec:
                            description: ImageRegistry defines requests to an OCI/Docker
                              V2 registry to fetch image details.
                            properties:
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the ImageData struct
@ -1924,6 +1956,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -2222,6 +2289,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -2621,6 +2723,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -3709,6 +3846,38 @@ spec:
                            items:
                              type: string
                            type: array
+                          imageRegistryCredentials:
+                            description: ImageRegistryCredentials provides credentials
+                              that will be used for authentication with registry
+                            properties:
+                              allowInsecureRegistry:
+                                description: AllowInsecureRegistry allows insecure
+                                  access to a registry
+                                type: boolean
+                              helpers:
+                                description: 'Helpers specifies a list of OCI Registry
+                                  names, whose authentication helpers are provided
+                                  It can be of one of these values: AWS, ACR, GCP,
+                                  GHCR'
+                                items:
+                                  description: ImageRegistryCredentialsHelpersType
+                                    provides the list of credential helpers required.
+                                  enum:
+                                  - default
+                                  - amazon
+                                  - azure
+                                  - google
+                                  - github
+                                  type: string
+                                type: array
+                              secrets:
+                                description: Secrets specifies a list of secrets that
+                                  are provided for credentials Secrets must live in
+                                  the Kyverno namespace
+                                items:
+                                  type: string
+                                type: array
+                            type: object
                          issuer:
                            description: Issuer is the certificate issuer used for
                              keyless signing. Deprecated. Use KeylessAttestor instead.
@ -4015,6 +4184,40 @@ spec:
                                description: ImageRegistry defines requests to an
                                  OCI/Docker V2 registry to fetch image details.
                                properties:
+                                  imageRegistryCredentials:
+                                    description: ImageRegistryCredentials provides
+                                      credentials that will be used for authentication
+                                      with registry
+                                    properties:
+                                      allowInsecureRegistry:
+                                        description: AllowInsecureRegistry allows
+                                          insecure access to a registry
+                                        type: boolean
+                                      helpers:
+                                        description: 'Helpers specifies a list of
+                                          OCI Registry names, whose authentication
+                                          helpers are provided It can be of one of
+                                          these values: AWS, ACR, GCP, GHCR'
+                                        items:
+                                          description: ImageRegistryCredentialsHelpersType
+                                            provides the list of credential helpers
+                                            required.
+                                          enum:
+                                          - default
+                                          - amazon
+                                          - azure
+                                          - google
+                                          - github
+                                          type: string
+                                        type: array
+                                      secrets:
+                                        description: Secrets specifies a list of secrets
+                                          that are provided for credentials Secrets
+                                          must live in the Kyverno namespace
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
@ -5757,6 +5960,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -6069,6 +6308,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -6491,6 +6766,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -7628,6 +7939,38 @@ spec:
                                items:
                                  type: string
                                type: array
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                              issuer:
                                description: Issuer is the certificate issuer used
                                  for keyless signing. Deprecated. Use KeylessAttestor
@ -8031,6 +8374,38 @@ spec:
                            description: ImageRegistry defines requests to an OCI/Docker
                              V2 registry to fetch image details.
                            properties:
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                              jmesPath:
                                description: JMESPath is an optional JSON Match Expression
                                  that can be used to transform the ImageData struct
@ -9270,6 +9645,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -9568,6 +9978,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -10149,6 +10594,41 @@ spec:
                                        to an OCI/Docker V2 registry to fetch image
                                        details.
                                      properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                        jmesPath:
                                          description: JMESPath is an optional JSON
                                            Match Expression that can be used to transform
@ -11216,6 +11696,38 @@ spec:
                            items:
                              type: string
                            type: array
+                          imageRegistryCredentials:
+                            description: ImageRegistryCredentials provides credentials
+                              that will be used for authentication with registry
+                            properties:
+                              allowInsecureRegistry:
+                                description: AllowInsecureRegistry allows insecure
+                                  access to a registry
+                                type: boolean
+                              helpers:
+                                description: 'Helpers specifies a list of OCI Registry
+                                  names, whose authentication helpers are provided
+                                  It can be of one of these values: AWS, ACR, GCP,
+                                  GHCR'
+                                items:
+                                  description: ImageRegistryCredentialsHelpersType
+                                    provides the list of credential helpers required.
+                                  enum:
+                                  - default
+                                  - amazon
+                                  - azure
+                                  - google
+                                  - github
+                                  type: string
+                                type: array
+                              secrets:
+                                description: Secrets specifies a list of secrets that
+                                  are provided for credentials Secrets must live in
+                                  the Kyverno namespace
+                                items:
+                                  type: string
+                                type: array
+                            type: object
                          mutateDigest:
                            default: true
                            description: MutateDigest enables replacement of image
@ -11502,6 +12014,40 @@ spec:
                                description: ImageRegistry defines requests to an
                                  OCI/Docker V2 registry to fetch image details.
                                properties:
+                                  imageRegistryCredentials:
+                                    description: ImageRegistryCredentials provides
+                                      credentials that will be used for authentication
+                                      with registry
+                                    properties:
+                                      allowInsecureRegistry:
+                                        description: AllowInsecureRegistry allows
+                                          insecure access to a registry
+                                        type: boolean
+                                      helpers:
+                                        description: 'Helpers specifies a list of
+                                          OCI Registry names, whose authentication
+                                          helpers are provided It can be of one of
+                                          these values: AWS, ACR, GCP, GHCR'
+                                        items:
+                                          description: ImageRegistryCredentialsHelpersType
+                                            provides the list of credential helpers
+                                            required.
+                                          enum:
+                                          - default
+                                          - amazon
+                                          - azure
+                                          - google
+                                          - github
+                                          type: string
+                                        type: array
+                                      secrets:
+                                        description: Secrets specifies a list of secrets
+                                          that are provided for credentials Secrets
+                                          must live in the Kyverno namespace
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
                                  jmesPath:
                                    description: JMESPath is an optional JSON Match
                                      Expression that can be used to transform the
@ -13244,6 +13790,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -13556,6 +14138,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -13978,6 +14596,42 @@ spec:
                                            to an OCI/Docker V2 registry to fetch
                                            image details.
                                          properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                            jmesPath:
                                              description: JMESPath is an optional
                                                JSON Match Expression that can be
@ -15115,6 +15769,38 @@ spec:
                                items:
                                  type: string
                                type: array
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                              issuer:
                                description: Issuer is the certificate issuer used
                                  for keyless signing. Deprecated. Use KeylessAttestor
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
--- a/docs/user/crd/index.html
+++ b/docs/user/crd/index.html
@ -1951,9 +1951,89 @@ transform the ImageData struct returned as a result of processing
 the image reference.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>imageRegistryCredentials</code><br/>
+<em>
+<a href="#kyverno.io/v1.ImageRegistryCredentials">
+ImageRegistryCredentials
+</a>
+</em>
+</td>
+<td>
+<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />
+<h3 id="kyverno.io/v1.ImageRegistryCredentials">ImageRegistryCredentials
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v1.ImageRegistry">ImageRegistry</a>, 
+<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>, 
+<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
+</p>
+<p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>allowInsecureRegistry</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>AllowInsecureRegistry allows insecure access to a registry</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>helpers</code><br/>
+<em>
+<a href="#kyverno.io/v1.ImageRegistryCredentialsHelpersType">
+[]ImageRegistryCredentialsHelpersType
+</a>
+</em>
+</td>
+<td>
+<p>Helpers specifies a list of OCI Registry names, whose authentication helpers are provided
+It can be of one of these values: AWS, ACR, GCP, GHCR</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secrets</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<p>Secrets specifies a list of secrets that are provided for credentials
+Secrets must live in the Kyverno namespace</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
+<h3 id="kyverno.io/v1.ImageRegistryCredentialsHelpersType">ImageRegistryCredentialsHelpersType
+(<code>string</code> alias)</p></h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v1.ImageRegistryCredentials">ImageRegistryCredentials</a>)
+</p>
+<p>
+<p>ImageRegistryCredentialsHelpersType provides the list of credential helpers required.</p>
+</p>
 <h3 id="kyverno.io/v1.ImageVerification">ImageVerification
 </h3>
 <p>
@ -2163,6 +2243,19 @@ bool
 <p>Required validates that images are verified i.e. have matched passed a signature or attestation check.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>imageRegistryCredentials</code><br/>
+<em>
+<a href="#kyverno.io/v1.ImageRegistryCredentials">
+ImageRegistryCredentials
+</a>
+</em>
+</td>
+<td>
+<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />
@ -2170,7 +2263,8 @@ bool
 (<code>string</code> alias)</p></h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>)
+<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>, 
+<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
 </p>
 <p>
 <p>ImageVerificationType selects the type of verification algorithm</p>
@ -6377,7 +6471,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
 <td>
 <code>type</code><br/>
 <em>
-<a href="#kyverno.io/v2beta1.ImageVerificationType">
+<a href="#kyverno.io/v1.ImageVerificationType">
 ImageVerificationType
 </a>
 </em>
@ -6476,18 +6570,22 @@ bool
 <p>Required validates that images are verified i.e. have matched passed a signature or attestation check.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>imageRegistryCredentials</code><br/>
+<em>
+<a href="#kyverno.io/v1.ImageRegistryCredentials">
+ImageRegistryCredentials
+</a>
+</em>
+</td>
+<td>
+<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />
-<h3 id="kyverno.io/v2beta1.ImageVerificationType">ImageVerificationType
-(<code>string</code> alias)</p></h3>
-<p>
-(<em>Appears on:</em>
-<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
-</p>
-<p>
-<p>ImageVerificationType selects the type of verification algorithm</p>
-</p>
 <h3 id="kyverno.io/v2beta1.MatchResources">MatchResources
 </h3>
 <p>
--- a/pkg/engine/adapters/rclient.go
+++ b/pkg/engine/adapters/rclient.go
@ -10,10 +10,10 @@ import (
 )

 type rclientAdapter struct {
-	client registryclient.Client
+	registryclient.Client
 }

-func ImageDataClient(client registryclient.Client) engineapi.ImageDataClient {
+func RegistryClient(client registryclient.Client) engineapi.RegistryClient {
 	if client == nil {
 		return nil
 	}
@ -21,7 +21,7 @@ func ImageDataClient(client registryclient.Client) engineapi.ImageDataClient {
 }

 func (a *rclientAdapter) ForRef(ctx context.Context, ref string) (*engineapi.ImageData, error) {
-	desc, err := a.client.FetchImageDescriptor(ctx, ref)
+	desc, err := a.Client.FetchImageDescriptor(ctx, ref)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch image descriptor: %s, error: %v", ref, err)
 	}
--- a/pkg/engine/api/client.go
+++ b/pkg/engine/api/client.go
@ -4,6 +4,9 @@ import (
 	"context"
 	"io"

+	"github.com/google/go-containerregistry/pkg/authn"
+	gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/sigstore/cosign/pkg/oci/remote"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

@ -46,4 +49,20 @@ type ImageData struct {

 type ImageDataClient interface {
 	ForRef(ctx context.Context, ref string) (*ImageData, error)
+	FetchImageDescriptor(context.Context, string) (*gcrremote.Descriptor, error)
+}
+
+type KeychainClient interface {
+	Keychain() authn.Keychain
+	RefreshKeychainPullSecrets(ctx context.Context) error
+}
+
+type CosignClient interface {
+	BuildRemoteOption(context.Context) remote.Option
+}
+
+type RegistryClient interface {
+	ImageDataClient
+	KeychainClient
+	CosignClient
 }
--- a/pkg/engine/api/context.go
+++ b/pkg/engine/api/context.go
@ -75,8 +75,8 @@ func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.Con
 	}
 }

-func LoadImageData(ctx context.Context, jp jmespath.Interface, client ImageDataClient, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error {
-	imageData, err := fetchImageData(ctx, jp, client, logger, entry, enginectx)
+func LoadImageData(ctx context.Context, jp jmespath.Interface, rclientFactory RegistryClientFactory, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error {
+	imageData, err := fetchImageData(ctx, jp, rclientFactory, logger, entry, enginectx)
 	if err != nil {
 		return err
 	}
@ -113,7 +113,7 @@ func LoadConfigMap(ctx context.Context, logger logr.Logger, entry kyvernov1.Cont
 	return nil
 }

-func fetchImageData(ctx context.Context, jp jmespath.Interface, client ImageDataClient, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) (interface{}, error) {
+func fetchImageData(ctx context.Context, jp jmespath.Interface, rclientFactory RegistryClientFactory, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) (interface{}, error) {
 	ref, err := variables.SubstituteAll(logger, enginectx, entry.ImageRegistry.Reference)
 	if err != nil {
 		return nil, fmt.Errorf("ailed to substitute variables in context entry %s %s: %v", entry.Name, entry.ImageRegistry.Reference, err)
@ -126,6 +126,10 @@ func fetchImageData(ctx context.Context, jp jmespath.Interface, client ImageData
 	if err != nil {
 		return nil, fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.ImageRegistry.JMESPath, err)
 	}
+	client, err := rclientFactory.GetClient(ctx, entry.ImageRegistry.ImageRegistryCredentials)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get registry client %s: %v", entry.Name, err)
+	}
 	imageData, err := fetchImageDataMap(ctx, client, refString)
 	if err != nil {
 		return nil, err
--- a/pkg/engine/api/contextloader.go
+++ b/pkg/engine/api/contextloader.go
@ -2,15 +2,16 @@ package api

 import (
 	"context"
-	"fmt"

-	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
-	"github.com/kyverno/kyverno/pkg/logging"
 )

+type RegistryClientFactory interface {
+	GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (RegistryClient, error)
+}
+
 // ContextLoaderFactory provides a ContextLoader given a policy context and rule name
 type ContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader

@ -20,83 +21,8 @@ type ContextLoader interface {
 		ctx context.Context,
 		jp jmespath.Interface,
 		client RawClient,
-		imgClient ImageDataClient,
+		rclientFactory RegistryClientFactory,
 		contextEntries []kyvernov1.ContextEntry,
 		jsonContext enginecontext.Interface,
 	) error
 }
-
-func DefaultContextLoaderFactory(
-	cmResolver ConfigmapResolver,
-) ContextLoaderFactory {
-	return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader {
-		return &contextLoader{
-			logger:     logging.WithName("DefaultContextLoaderFactory"),
-			cmResolver: cmResolver,
-		}
-	}
-}
-
-type contextLoader struct {
-	logger     logr.Logger
-	cmResolver ConfigmapResolver
-}
-
-func (l *contextLoader) Load(
-	ctx context.Context,
-	jp jmespath.Interface,
-	client RawClient,
-	imgClient ImageDataClient,
-	contextEntries []kyvernov1.ContextEntry,
-	jsonContext enginecontext.Interface,
-) error {
-	for _, entry := range contextEntries {
-		deferredLoader := l.newDeferredLoader(ctx, jp, client, imgClient, entry, jsonContext)
-		if deferredLoader == nil {
-			return fmt.Errorf("invalid context entry %s", entry.Name)
-		}
-		jsonContext.AddDeferredLoader(entry.Name, deferredLoader)
-	}
-	return nil
-}
-
-func (l *contextLoader) newDeferredLoader(
-	ctx context.Context,
-	jp jmespath.Interface,
-	client RawClient,
-	imgClient ImageDataClient,
-	entry kyvernov1.ContextEntry,
-	jsonContext enginecontext.Interface,
-) enginecontext.DeferredLoader {
-	if entry.ConfigMap != nil {
-		return func() error {
-			if err := LoadConfigMap(ctx, l.logger, entry, jsonContext, l.cmResolver); err != nil {
-				return err
-			}
-			return nil
-		}
-	} else if entry.APICall != nil {
-		return func() error {
-			if err := LoadAPIData(ctx, jp, l.logger, entry, jsonContext, client); err != nil {
-				return err
-			}
-			return nil
-		}
-	} else if entry.ImageRegistry != nil {
-		return func() error {
-			if err := LoadImageData(ctx, jp, imgClient, l.logger, entry, jsonContext); err != nil {
-				return err
-			}
-			return nil
-		}
-	} else if entry.Variable != nil {
-		return func() error {
-			if err := LoadVariable(l.logger, jp, entry, jsonContext); err != nil {
-				return err
-			}
-			return nil
-		}
-	}
-
-	return nil
-}
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@ -17,7 +17,6 @@ import (
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/metrics"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	"github.com/kyverno/kyverno/pkg/tracing"
 	stringutils "github.com/kyverno/kyverno/pkg/utils/strings"
 	"go.opentelemetry.io/otel/metric"
@ -31,8 +30,7 @@ type engine struct {
 	metricsConfiguration     config.MetricsConfiguration
 	jp                       jmespath.Interface
 	client                   engineapi.Client
-	imgClient                engineapi.ImageDataClient
-	rclient                  registryclient.Client
+	rclientFactory           engineapi.RegistryClientFactory
 	contextLoader            engineapi.ContextLoaderFactory
 	exceptionSelector        engineapi.PolicyExceptionSelector
 	imageSignatureRepository string
@ -48,8 +46,7 @@ func NewEngine(
 	metricsConfiguration config.MetricsConfiguration,
 	jp jmespath.Interface,
 	client engineapi.Client,
-	imgClient engineapi.ImageDataClient,
-	rclient registryclient.Client,
+	rclientFactory engineapi.RegistryClientFactory,
 	contextLoader engineapi.ContextLoaderFactory,
 	exceptionSelector engineapi.PolicyExceptionSelector,
 	imageSignatureRepository string,
@ -74,8 +71,7 @@ func NewEngine(
 		metricsConfiguration:     metricsConfiguration,
 		jp:                       jp,
 		client:                   client,
-		imgClient:                imgClient,
-		rclient:                  rclient,
+		rclientFactory:           rclientFactory,
 		contextLoader:            contextLoader,
 		exceptionSelector:        exceptionSelector,
 		imageSignatureRepository: imageSignatureRepository,
@ -179,7 +175,7 @@ func (e *engine) ContextLoader(
 			ctx,
 			e.jp,
 			e.client,
-			e.imgClient,
+			e.rclientFactory,
 			contextEntries,
 			jsonContext,
 		)
--- a/pkg/engine/factories/contextloaderfactory.go
+++ b/pkg/engine/factories/contextloaderfactory.go
@ -0,0 +1,86 @@
+package factories
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-logr/logr"
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/jmespath"
+	"github.com/kyverno/kyverno/pkg/logging"
+)
+
+func DefaultContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory {
+	return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) engineapi.ContextLoader {
+		return &contextLoader{
+			logger:     logging.WithName("DefaultContextLoaderFactory"),
+			cmResolver: cmResolver,
+		}
+	}
+}
+
+type contextLoader struct {
+	logger     logr.Logger
+	cmResolver engineapi.ConfigmapResolver
+}
+
+func (l *contextLoader) Load(
+	ctx context.Context,
+	jp jmespath.Interface,
+	client engineapi.RawClient,
+	rclientFactory engineapi.RegistryClientFactory,
+	contextEntries []kyvernov1.ContextEntry,
+	jsonContext enginecontext.Interface,
+) error {
+	for _, entry := range contextEntries {
+		deferredLoader := l.newDeferredLoader(ctx, jp, client, rclientFactory, entry, jsonContext)
+		if deferredLoader == nil {
+			return fmt.Errorf("invalid context entry %s", entry.Name)
+		}
+		jsonContext.AddDeferredLoader(entry.Name, deferredLoader)
+	}
+	return nil
+}
+
+func (l *contextLoader) newDeferredLoader(
+	ctx context.Context,
+	jp jmespath.Interface,
+	client engineapi.RawClient,
+	rclientFactory engineapi.RegistryClientFactory,
+	entry kyvernov1.ContextEntry,
+	jsonContext enginecontext.Interface,
+) enginecontext.DeferredLoader {
+	if entry.ConfigMap != nil {
+		return func() error {
+			if err := engineapi.LoadConfigMap(ctx, l.logger, entry, jsonContext, l.cmResolver); err != nil {
+				return err
+			}
+			return nil
+		}
+	} else if entry.APICall != nil {
+		return func() error {
+			if err := engineapi.LoadAPIData(ctx, jp, l.logger, entry, jsonContext, client); err != nil {
+				return err
+			}
+			return nil
+		}
+	} else if entry.ImageRegistry != nil {
+		return func() error {
+			if err := engineapi.LoadImageData(ctx, jp, rclientFactory, l.logger, entry, jsonContext); err != nil {
+				return err
+			}
+			return nil
+		}
+	} else if entry.Variable != nil {
+		return func() error {
+			if err := engineapi.LoadVariable(l.logger, jp, entry, jsonContext); err != nil {
+				return err
+			}
+			return nil
+		}
+	}
+
+	return nil
+}
--- a/pkg/engine/factories/registryclientfactory.go
+++ b/pkg/engine/factories/registryclientfactory.go
@ -0,0 +1,50 @@
+package factories
+
+import (
+	"context"
+
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	"github.com/kyverno/kyverno/pkg/engine/adapters"
+	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/registryclient"
+	corev1listers "k8s.io/client-go/listers/core/v1"
+)
+
+func DefaultRegistryClientFactory(globalClient engineapi.RegistryClient, secretsLister corev1listers.SecretNamespaceLister) engineapi.RegistryClientFactory {
+	return &registryClientFactory{
+		globalClient:  globalClient,
+		secretsLister: secretsLister,
+	}
+}
+
+type registryClientFactory struct {
+	globalClient  engineapi.RegistryClient
+	secretsLister corev1listers.SecretNamespaceLister
+}
+
+func (f *registryClientFactory) GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (engineapi.RegistryClient, error) {
+	if creds != nil {
+		registryOptions := []registryclient.Option{
+			registryclient.WithTracing(),
+		}
+		if creds.AllowInsecureRegistry {
+			registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
+		}
+		if len(creds.Helpers) > 0 {
+			var helpers []string
+			for _, helper := range creds.Helpers {
+				helpers = append(helpers, string(helper))
+			}
+			registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(helpers...))
+		}
+		if len(creds.Secrets) > 0 {
+			registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, f.secretsLister, creds.Secrets...))
+		}
+		client, err := registryclient.New(registryOptions...)
+		if err != nil {
+			return nil, err
+		}
+		return adapters.RegistryClient(client), nil
+	}
+	return f.globalClient, nil
+}
--- a/pkg/engine/handlers/mutation/mutate_image.go
+++ b/pkg/engine/handlers/mutation/mutate_image.go
@ -14,7 +14,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	apiutils "github.com/kyverno/kyverno/pkg/utils/api"
 	jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
 	"gomodules.xyz/jsonpatch/v2"
@ -23,7 +22,7 @@ import (

 type mutateImageHandler struct {
 	configuration            config.Configuration
-	rclient                  registryclient.Client
+	rclientFactory           engineapi.RegistryClientFactory
 	ivm                      *engineapi.ImageVerificationMetadata
 	images                   []apiutils.ImageInfo
 	imageSignatureRepository string
@ -34,7 +33,7 @@ func NewMutateImageHandler(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	configuration config.Configuration,
-	rclient registryclient.Client,
+	rclientFactory engineapi.RegistryClientFactory,
 	ivm *engineapi.ImageVerificationMetadata,
 	imageSignatureRepository string,
 ) (handlers.Handler, error) {
@ -50,7 +49,7 @@ func NewMutateImageHandler(
 	}
 	return mutateImageHandler{
 		configuration:            configuration,
-		rclient:                  rclient,
+		rclientFactory:           rclientFactory,
 		ivm:                      ivm,
 		images:                   ruleImages,
 		imageSignatureRepository: imageSignatureRepository,
@ -72,10 +71,16 @@ func (h mutateImageHandler) Process(
 			engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to substitute variables", err),
 		)
 	}
-	iv := internal.NewImageVerifier(logger, h.rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
 	var engineResponses []*engineapi.RuleResponse
 	var patches []jsonpatch.JsonPatchOperation
 	for _, imageVerify := range ruleCopy.VerifyImages {
+		rclient, err := h.rclientFactory.GetClient(ctx, imageVerify.ImageRegistryCredentials)
+		if err != nil {
+			return resource, handlers.WithResponses(
+				engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to fetch secrets", err),
+			)
+		}
+		iv := internal.NewImageVerifier(logger, rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
 		patch, ruleResponse := iv.Verify(ctx, imageVerify, h.images, h.configuration)
 		patches = append(patches, patch...)
 		engineResponses = append(engineResponses, ruleResponse...)
--- a/pkg/engine/image_verify.go
+++ b/pkg/engine/image_verify.go
@ -40,7 +40,7 @@ func (e *engine) verifyAndPatchImages(
 				matchedResource,
 				rule,
 				e.configuration,
-				e.rclient,
+				e.rclientFactory,
 				&ivm,
 				e.imageSignatureRepository,
 			)
--- a/pkg/engine/image_verify_test.go
+++ b/pkg/engine/image_verify_test.go
@ -15,6 +15,7 @@ import (
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/internal"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
@ -182,9 +183,8 @@ func testVerifyAndPatchImages(
 		metricsCfg,
 		jp,
 		nil,
-		adapters.ImageDataClient(rclient),
-		rclient,
-		engineapi.DefaultContextLoaderFactory(cmResolver),
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
+		factories.DefaultContextLoaderFactory(cmResolver),
 		nil,
 		"",
 	)
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@ -16,7 +16,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	"github.com/kyverno/kyverno/pkg/images"
 	"github.com/kyverno/kyverno/pkg/notary"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	apiutils "github.com/kyverno/kyverno/pkg/utils/api"
 	"github.com/kyverno/kyverno/pkg/utils/jsonpointer"
 	"github.com/kyverno/kyverno/pkg/utils/wildcard"
@ -27,7 +26,7 @@ import (

 type ImageVerifier struct {
 	logger                   logr.Logger
-	rclient                  registryclient.Client
+	rclient                  engineapi.RegistryClient
 	policyContext            engineapi.PolicyContext
 	rule                     kyvernov1.Rule
 	ivm                      *engineapi.ImageVerificationMetadata
@ -36,7 +35,7 @@ type ImageVerifier struct {

 func NewImageVerifier(
 	logger logr.Logger,
-	rclient registryclient.Client,
+	rclient engineapi.RegistryClient,
 	policyContext engineapi.PolicyContext,
 	rule kyvernov1.Rule,
 	ivm *engineapi.ImageVerificationMetadata,
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@ -11,6 +11,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	enginetest "github.com/kyverno/kyverno/pkg/engine/test"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
@ -29,15 +30,14 @@ func testMutate(
 	contextLoader engineapi.ContextLoaderFactory,
 ) engineapi.EngineResponse {
 	if contextLoader == nil {
-		contextLoader = engineapi.DefaultContextLoaderFactory(nil)
+		contextLoader = factories.DefaultContextLoaderFactory(nil)
 	}
 	e := NewEngine(
 		cfg,
 		config.NewDefaultMetricsConfiguration(),
 		jp,
 		adapters.Client(client),
-		adapters.ImageDataClient(rclient),
-		rclient,
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
 		contextLoader,
 		nil,
 		"",
--- a/pkg/engine/test/contextloader.go
+++ b/pkg/engine/test/contextloader.go
@ -45,7 +45,7 @@ func (l *mockContextLoader) Load(
 	ctx context.Context,
 	jp jmespath.Interface,
 	client engineapi.RawClient,
-	imgClient engineapi.ImageDataClient,
+	rclientFactory engineapi.RegistryClientFactory,
 	contextEntries []kyvernov1.ContextEntry,
 	jsonContext enginecontext.Interface,
 ) error {
@ -62,8 +62,8 @@ func (l *mockContextLoader) Load(
 	}
 	// Context Variable should be loaded after the values loaded from values file
 	for _, entry := range contextEntries {
-		if entry.ImageRegistry != nil && imgClient != nil {
-			if err := engineapi.LoadImageData(ctx, jp, imgClient, l.logger, entry, jsonContext); err != nil {
+		if entry.ImageRegistry != nil && rclientFactory != nil {
+			if err := engineapi.LoadImageData(ctx, jp, rclientFactory, l.logger, entry, jsonContext); err != nil {
 				return err
 			}
 		} else if entry.Variable != nil {
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@ -13,6 +13,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	enginetest "github.com/kyverno/kyverno/pkg/engine/test"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
@ -30,15 +31,14 @@ func testValidate(
 	contextLoader engineapi.ContextLoaderFactory,
 ) engineapi.EngineResponse {
 	if contextLoader == nil {
-		contextLoader = engineapi.DefaultContextLoaderFactory(nil)
+		contextLoader = factories.DefaultContextLoaderFactory(nil)
 	}
 	e := NewEngine(
 		cfg,
 		config.NewDefaultMetricsConfiguration(),
 		jp,
 		nil,
-		adapters.ImageDataClient(rclient),
-		rclient,
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
 		contextLoader,
 		nil,
 		"",
--- a/pkg/webhooks/resource/fake.go
+++ b/pkg/webhooks/resource/fake.go
@ -9,8 +9,8 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
-	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/metrics"
@ -40,12 +40,11 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
 	configuration := config.NewDefaultConfiguration(false)
 	urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
 	peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
-	rclient := registryclient.NewOrDie()
 	jp := jmespath.New(configuration)
+	rclient := registryclient.NewOrDie()

 	return &resourceHandlers{
 		client:         dclient,
-		rclient:        rclient,
 		configuration:  configuration,
 		metricsConfig:  metricsConfig,
 		pCache:         policyCache,
@ -60,9 +59,8 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
 			config.NewDefaultMetricsConfiguration(),
 			jp,
 			adapters.Client(dclient),
-			adapters.ImageDataClient(rclient),
-			rclient,
-			engineapi.DefaultContextLoaderFactory(configMapResolver),
+			factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
+			factories.DefaultContextLoaderFactory(configMapResolver),
 			peLister,
 			"",
 		),
--- a/pkg/webhooks/resource/handlers.go
+++ b/pkg/webhooks/resource/handlers.go
@ -19,7 +19,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/openapi"
 	"github.com/kyverno/kyverno/pkg/policycache"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
 	engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
 	jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
@ -38,7 +37,6 @@ type resourceHandlers struct {
 	// clients
 	client        dclient.Interface
 	kyvernoClient versioned.Interface
-	rclient       registryclient.Client
 	engine        engineapi.Engine

 	// config
@ -67,7 +65,6 @@ func NewHandlers(
 	engine engineapi.Engine,
 	client dclient.Interface,
 	kyvernoClient versioned.Interface,
-	rclient registryclient.Client,
 	configuration config.Configuration,
 	metricsConfig metrics.MetricsConfigManager,
 	pCache policycache.Cache,
@ -86,7 +83,6 @@ func NewHandlers(
 		engine:                       engine,
 		client:                       client,
 		kyvernoClient:                kyvernoClient,
-		rclient:                      rclient,
 		configuration:                configuration,
 		metricsConfig:                metricsConfig,
 		pCache:                       pCache,
--- a/pkg/webhooks/resource/validation_test.go
+++ b/pkg/webhooks/resource/validation_test.go
@ -11,6 +11,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	log "github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/registryclient"
@ -1058,9 +1059,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
 		config.NewDefaultMetricsConfiguration(),
 		jp,
 		nil,
-		adapters.ImageDataClient(rclient),
-		rclient,
-		engineapi.DefaultContextLoaderFactory(nil),
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
+		factories.DefaultContextLoaderFactory(nil),
 		nil,
 		"",
 	)
@ -1161,9 +1161,8 @@ func Test_RuleSelector(t *testing.T) {
 		config.NewDefaultMetricsConfiguration(),
 		jp,
 		nil,
-		adapters.ImageDataClient(rclient),
-		rclient,
-		engineapi.DefaultContextLoaderFactory(nil),
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
+		factories.DefaultContextLoaderFactory(nil),
 		nil,
 		"",
 	)
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-assert.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: secret-in-keys
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-manifests.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-manifests.yaml
@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-verify-images
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keys
+  namespace: test-verify-images
+data:
+  certificate: |-
+    -----BEGIN CERTIFICATE-----
+    MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
+    BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
+    Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
+    MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
+    dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
+    DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
+    b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
+    hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
+    Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
+    Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
+    ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
+    A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
+    CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
+    kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
+    Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
+    ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
+    5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
+    uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
+    -----END CERTIFICATE-----
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: secret-in-keys
+spec:
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail  
+  rules:
+    - name: verify-signature-notary
+      context:
+      - name: keys
+        configMap:
+          name: keys
+          namespace: test-verify-images
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - type: Notary
+        imageReferences:
+        - "ghcr.io/kyverno/test-verify-image*"
+        attestors:
+        - count: 1
+          entries:
+          - certificates:
+              cert: "{{ keys.data.certificate }}"
+        imageRegistryCredentials:
+          secrets:
+          - testsecret
+---
+apiVersion: v1
+data:
+  .dockerconfigjson: eyJhdXRocyI6eyJyZWciOnsidXNlcm5hbWUiOiJ1c2VyIiwicGFzc3dvcmQiOiJwYXNzIiwiYXV0aCI6ImRYTmxjanB3WVhOeiJ9fX0=
+kind: Secret
+metadata:
+  name: testsecret
+  namespace: kyverno
+type: kubernetes.io/dockerconfigjson
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-assert.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-assert.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-secret-pod
+  namespace: test-verify-images
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-goodpod.yaml
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-goodpod.yaml
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-secret-pod
+  namespace: test-verify-images
+spec:
+  containers:
+  - image: ghcr.io/kyverno/test-verify-image:signed
+    name: test-secret
--- a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/README.md
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/README.md
@ -0,0 +1,3 @@
+# Title
+
+This test tries to verify an image from a private repo using credentials stored in a Kubernetes Secret.